Case studies may concern an in-depth examination of

Methodology

Abstract

Understanding specific details of how technology is used, or might be used, often requires in-depth examination of activities conducted in context. Case studies use extensive examination of individuals and groups facing specific challenges to understand real and potential impacts of computing technology. Case studies involve in-depth, in-context examination of a small number of cases, using multiple data sources analyzed through qualitative methods to build nuanced descriptions capturing the complexities of the environments in question. Possible goals of case studies include exploration of design opportunities; explanation of activities in context; descriptions of systems, contexts, or processes, and demonstration of the successful use of novel tools. Case studies may be intrinsic—only of interest to a specific situation—or instrumental, hoping to generate insights of more general interest. Challenges in case study research include selection of cases, development of research questions, applying qualitative analysis techniques to relevant observations, and developing clear and sound presentations of case study results.

Introduction

Just as there is a time for surgery rather than an autopsy, there is a need for live forensic inspection of a potentially compromised computer rather than an in-depth examination of a forensic duplicate of the disk. Preserving data from a live system is often necessary to ascertain whether it has malicious code installed, and the volatile data gathered at this initial stage of a malware incident can provide valuable leads, including remote servers the malware is communicating with.

There are various native Linux commands that are useful for collecting volatile data from a live computer. Since the commands on a compromised system can be undermined by malware and cannot be trusted, it is necessary to use a toolkit of utilities for capturing volatile data that have minimal interaction with the subject operating system. Using such trusted binaries is a critical part of any live examination, and can reveal information that is hidden by a rootkit. However, when a loadable kernel module (LKM) rootkit is involved, even statically compiled binaries that do not rely on components of the subject system are ineffective, making it necessary to explore creative countermeasures and rely on memory forensics and file system forensics.

This chapter provides an overall methodology for preserving volatile data on a Linux machine in a forensically sound manner, and uses case examples to demonstrate the strengths and shortcomings of the information that is available through the operating system.

4.2.9 Treatment

Treatment begins with recognition and prevention, identifying the problem, and recognizing its signs and symptoms. Spotting it in oneself and others is crucial to prevention and remediation. Work-life balance needs in-depth examination. The work of medicine is intense and demanding. The life of a physician has its personal and professional sides where both routine and unexpected events happen. Family accidents, sickness, and crises cannot be predicted and are unfortunate realities. Physicians are conscientious but often not taught relaxation skills and stress management early in training. These considerations are part of the background building effective interventions.

Engagement is mindfulness of being aware and involved in the activities of daily living from the simplest to those needing greater focus, concentration, and skill. Mindful self-awareness can be preventive but also can detect signs and symptoms of emerging burnout—disengagement. When burnout is present at any stage, two levels of intervention work best: individual and organizational. The entire challenge of “burnout syndrome” is complex. The ensuing suggestions outline and hint at a few relevant strategies needed for effectiveness in this contemporary problem. Chapter 6 adds to this by discussing enhanced physician engagement strategies and organizational wellness alignments.

The individual level of intervention has traditionally been a variety of approaches focusing on stress reduction and lifestyle improvements (Goren, 2018; Krasner et al., 2010). Attention to exercise and a better diet are common strategies first used. To these, Learned Mindfulness accentuates the presence of a fundamental difficulty: impaired emotional awareness. This gap in a sound grasp on one's emotionality is part of not having sufficient integration of feelings easily accessed. Both physicians and the organizational systems in which they work have this vulnerability. On concrete levels, it shows up as a work environment that fails because work design does not reduce the physical and psychological burden. Burnout and human error arise in environments that are not “mistake proof” and do not facilitate realistic, even intuitive, workflows. Therefore, Learned Mindfulness as an emotional intelligence performance enhancer may be a substantial contribution to preventing and remediating burnout.

There are many facets of the Learned Mindfulness approach. Mindfulness not only requires but insists on slowing down one's usual pace of mental and physical activity—at least intermittently. Pausing is a fundamental principle, the platform needed for all other mindful and stress reduction practices to proceed. The decisive intervention, therefore, is to “Slow Down”!

It is in one's ability—right now—to heal by slowing down thinking and behavior. The term “heal” is used because burnout challenge protocols see burnout as real psychological trauma requiring therapeutic attention, a healing process. Thus, the decompensation caused by burnout needs a gradual body-mind recompensation toward wellness. Some have used analogies such as managing this pausing, by advising “to put on your protective life vest” of mindful awareness before making choices and deciding on plans to implement. This recommendation provides a program, at least a preliminary approach, to begin the process of lifestyle change.

Burnout management on an individual level comprises stress reduction, dietary upgrades, exercise, and time management reassessment. To counteract stress, one of the first approaches involves increased body awareness. This focus may include changing one's perspective on oneself: a shift from passive to active, an alert assessment of weight, size, and shape. This survey further entails getting laboratory parameters such as metabolic, lipid, and hepatic profiles. Checking thyroid function by a routine thyroid-stimulating hormone test can be part of this.

Enhanced attention to the psychological regulation of both thought processes and emotional status is essential. During this self-assessment, acknowledging limitations and areas needing improvement is central to note. Writing them for reference and measurement now and later keeps one on track by pointing toward the right vision. Learned Mindfulness is learning the resources preventing and protecting from exposure and negative engagement in stressful events. Examining what one can and cannot do is decisive. This perspective means saying “no” and dividing work tasks. In addition, mindful people endure unforeseen stressors with coping strategies for quick recoveries.

Preliminary guidelines about emotions and emotional regulation are helpful. One cannot eliminate emotions, mainly fear and anger. Metaphorically speaking, fear is negative energy; anger is positive energy. To modulate fear and anger with their considerable strengths, understanding them comes first. This understanding is therapeutic and tempers their extremes by recasting them in a less volatile form. From this understanding, one can constructively and consciously work with them because their attendant disruptive anxieties then diminish. Learned Mindfulness provides learning, coping, and adaptation skills for (1) protection against exposure to inevitable stressors and (2) for recovery once affected by stress, e.g., bouncing back with quicker recovery time. This approach to mindfulness is a lifetime orientation. Learned Mindfulness establishes a baseline of mindful awareness.

Primary stress management interventions target exhaustion, cynicism, and inefficacy. Stress management techniques vary. They are accessible in books, the media, the Internet, and through professional guidance. Stress management has been shown unquestionably to optimize health and well-being. Experts in burnout research say exhaustion is easily treatable with most stress management techniques. Cynicism and inefficacy are harder to change. Work engagement is most useful in helping cynicism and inefficacy to ease. Promoting engagement halts the cynicism, depersonalization, and callousness cycle. Issues needing attention are self-perceptions, reasonable self-efficacy, problem-solving skills, self-esteem, and learned helpfulness skills.

Because cynicism and a sense of prudent self-efficacy are the emotional challenges hardest to improve, Learned Mindfulness may be preferred at managing them. Cynicism is mixtures of emotional and cognitive doubt, if not disbelief in the integrity of the truth and goodness of oneself, efforts, and approaches to others. Cynicism erodes empathy and blunts perspective-taking, both of which are essential to mental health and the successful practice of good medicine. All intentions toward expanding mindful emotional awareness enhance empathy and insight. These reboot self-esteem and effectiveness as a person and a physician engaged in helping others. This book delivers a self-activism and self-entrepreneurship model empowering emotional awareness and resilience in the face of life's challenges. Strategies to identify and break the burnout cycle such as Learned Mindfulness emphasized here offer useful real-time interventions.

Resilience builds itself on in-depth executive functioning along with enhanced social supports. Enhancing emotional intelligence by improving emotional awareness and refining emotional literacy as detailed in Chapter 3 assimilates itself into cognitive functions. Critical thinking improves. When novel events arise, executive functions and their associated relevant emotional drivers evoke emotion performance utilization. This learned coherence powers adaptive behaviors in real life.

A few words about the organizational level of treatment will precede details of the individual level of applying Learned Mindfulness as a clinical tool. Covered are burnout, stress, and enhanced well-being.

2 Why Study the Single Case?

The intensive analysis of the case study is premised on the special advantages that it furnishes. First, the study of single cases enables the researcher to probe a particular question, or phenomenon, in great detail. Such in-depth examinations ultimately permit the researcher to acquire a degree of knowledge about the case that is typically impossible through the examination of a large number of cases. Moreover, such in-depth work also enables the researcher to pursue the examination of alternative theoretical ideas, thus ultimately arriving not merely at a thorough understanding of the empirical facts, but ideally a careful and correct appreciation of the most germane and effective theoretical argument to fit these facts (Campbell 1975).

Second, by studying a single case the researcher is able to take full account of the social, or historical, context of the phenomenon in question. Students of case studies regard context as essential to understanding the nature of the phenomenon. Take, for example, the study of children who are unruly in the classroom. The investigator may believe that such unruliness is the product of how the child relates both to his peers and teacher in the context of classroom activity. In order to appreciate and to fully understand the nature of the child's reactions, the investigator is compelled to study the child in the classroom situation (Stake 1995).

Third, the study of the single case permits the researcher to probe comprehensively into the empirical data at hand. In the study of the workings of a single community, for example, the case study researcher can explore a variety of dimensions of the community and can thereby create a multidimensional, or holistic, sense of the community rather than, let us say, a unidimensional one based upon its size or territorial breadth. In so doing the researcher can also emerge with a fuller understanding of the case in question by fashioning an integrated portrait of the case into which the various pieces, or dimensions, fit. Fourth, the case study provides boundaries to the nature of the phenomenon under investigation. The case is chosen because it represents a self-contained unit that will permit the researcher to investigate the phenomenon in isolation from other forces. Thus, educational researchers will often investigate a single classroom or school because such a case represents some unusual qualities in which they are interested (Stake 1995).

Finally, the single case is sometimes chosen because it represents a special illustration of the phenomenon under investigation. Sometimes it is portrayed as the exception to the rule, or deviant case, thereby permitting the observer to understand some more general phenomenon in greater depth.

1.2.2 Type of first partnership

The UN ECE Fertility and Family surveys carried out in the main during the first half of the 1990s included a full partnership history that incorporated dates of marriages and any other co-residential heterosexual intimate relationships. Such histories permit more in-depth examinations of partnership formation and dissolution than can be gleaned from vital registration data or cross-sectional surveys that only include current status information.

In many Western nations there have been large increases in the proportions of couples cohabiting, and nowadays cohabitation rather than marriage marks the formation of a union. Evidence on this can be seen in Table 1, which shows for two recent cohorts of women the proportions who entered their first partnership at marriage. It is clear from these data that the younger women, those aged 25–9, were much less likely to have commenced their first partnership at marriage than the older women. There are marked reductions to be seen in the proportions of women who married directly without cohabiting in most countries; for example, in France 55 percent of the older women but only 21 percent of the younger women married directly, a pattern that is repeated across many of the nations. The main exceptions are Sweden and the southern European countries. In Sweden, cohabiting rather than marrying was already well established among the older women whereas in Italy and Spain there are indications of a rise in cohabitation; but for the majority of women marriage still heralds the start of the first partnership. This is in contrast with the Scandinavian and other Western European nations where it is a minority practice.

Table 1. Percentage of women marrying directly among those who had had a first partnership according to current age group

Source: Analysis UN ECE Fertility and Family Surveys and British Household Panel Study, Kiernan 1999

It is also the case that in many European countries cohabiting unions have simply replaced the marriages of yesteryear, in that compared with the recent past there has been little change in the proportions of men and women who have formed a residential partnership by their mid-20s, whereas in other countries (most noticeably the southern European states) cohabitation is only part of the story in the decline in marriage rates (Kiernan 1999). Here, young people have been spending longer periods of time as solos than in the recent past; living with their parents (in the main), on their own, or sharing with others (European Commission 1998).

Global Information Assurance Certifications

The Global Information Assurance Certification (GIAC) is offered by the SANS (derived from sys-admin, audit, networking, and security) Institute [5]. This set of over 20 certifications closely connects to the SANS training offerings, but extends the content with requirements for a more in-depth examination, practicum, and report generation. A timespan of approximately four months is cited as the level of effort associated with a GIAC. In general, the topics of this certification are more hands-on, direct activity associated with secure administration, forensics, audit, and management. The SANS courses have a strong reputation in the field, and these certifications derive their respect (and the advantage of possessing them) from the affiliated SANS courses.

One difficulty with the GIAC is the breadth of certification available. While the certifications allow a range of individuals to be certified at the skill levels they possess, the large number of them makes it difficult for any one certification to be widely recognized. As such, employers may find it more difficult to connect these certifications to the required expertise of candidates or current personnel.

Recovering Process Memory

▸ In addition to obtaining metadata and executable code associated with a malicious process, it is generally desirable to extract all data in memory associated with that process.

The entire memory of a particular process can be dumped using the linux_dump_map plugin in Volatility using the -p options and specifying the PID. Specific memory regions can be saved to a file on disk using the Volatility linux_dump_address_range plugin.

In SecondLook, the Data tab has the option to save specific memory regions to a file on disk for further analysis as shown in Figure 2.27.

More in-depth examination of specific areas of memory is facilitated by SecondLook under the ‘Disassembly’ tab, enabling forensic analysts to view disassembled portions of memory as shown in Figure 2.28 using the Adore rootkit.

Transfer to the archive

Alongside ‘destroy’ and ‘review’, the retention schedule includes a third option: transfer to archive. It is important to examine what this entails in the context of electronic records management. Paper records are vulnerable to physical compromise, but if stored appropriately can last for hundreds of years with limited intervention and still remain accessible. The situation in an electronic environment is very different. The preservation of electronic records creates issues from the outset. Problems of technological obsolescence, media fragility and authenticity, if not taken into account at the time of creation, will quickly render the record inaccessible. Securing the permanent preservation of records in this context is complex: it represents perhaps the most challenging issue ever to face the archive profession. An in-depth examination of the subject is not within the intended scope of this book. However, it is worth bearing in mind the following important facts.

Be aware that the term ‘archiving’ when used in an IT environment has a completely different meaning to the term as understood by the archive profession. (Briefly, in IT terms ‘archiving’ simply refers to the offline storage of information – normally for back-up purposes. It is not concerned with securing the comprehensive preservation and accessibility of information over the long term.)

Migration (transferring records from one generation of computer software to the next), replication (refreshing digital records by copying them on to new media) and emulation (developing archive emulators of software which allow the contents of e-records to be viewed in their original format) are all options for securing digital sustainability, but they require a great deal of consideration and detailed planning – from the point of record creation – to execute successfully.

Some institutions still operate a ‘print-to-paper policy’ for archival records. However, advances in technology – the proliferation of e-mail, for instance – means this is fast becoming unrealistic, if not undesirable. In addition, some dynamic records (e.g. databases or CAD systems) cannot be adequately replicated in a paper environment. For these reasons, it is important to begin addressing the situation. This does not need to be on a grand scale: the first stage may simply involve raising awareness.

The issues surrounding digital sustainability are unavoidable. As the amount of data increases, more and more core business is undertaken in an e-environment; as institutions embrace new technologies, the problem will only be compounded. There are relatively simple ways of reducing future problems; for example, ensuring the institution employs the minimum number of file formats necessary to support business and restricts data creation in non-recognised formats.

The issues are undoubtedly complex, and while answers are unlikely to be readily forthcoming, the problems must not be ignored. For museums, which are often under-resourced and do not have the funds or staff required to develop comprehensive solutions, a sensible approach might involve developing a digital sustainability strategy/programme. This can include an investigation of the issues within the particular operating environment, identification of high-risk areas/records and establishment of possible steps forward. The process of compiling this document will raise awareness, promote understanding and help to ensure a consistent approach across all areas of business.

This chapter has explored how to develop the two essential tools that sit at the heart of records management: the file plan and records retention schedule. It has also examined how a programme might be realised in both paper and electronic environments. It is important to bear in mind, however, that records management is an organic discipline that should be continuously monitored and reviewed. Tools, policies and best practice procedures that have been put in place may need to be altered to reflect any changes in business practice. For records management to reap the rewards outlined – supporting business, managing risk, saving money and resources – it must always remain sensitive to the business needs of the museum.

Risk Assessment

This process comprises three subprocesses, namely risk identification, risk analysis and risk evaluation. The process receives as input the output of the context establishment process. It identifies, quantifies or qualitatively describes risks and prioritizes them against the risk evaluation criteria established within the course of the context establishment process and according to objectives relevant to the organization. It is often conducted in more than one iterations, the first being a high-level assessment aiming at identifying potentially high risks that warrant further assessment, whereas the second and possibly subsequent iterations entail further in-depth examination of potentially high risks revealed in the first iteration. The output of the process is a list of assessed risks prioritized according to risk evaluation criteria.30

Risk identification seeks to determine what could happen to cause a potential loss and to gain insight into how, where, and why the loss might happen. It involves a number of steps, namely identification of assets; identification of threats; identification of existing security measures; identification of vulnerabilities; and identification of consequences. Input to the subprocess is the scope and boundaries for the risk assessment to be conducted, an asset inventory, information on possible threats, documentation of existing security measures, possibly preexisting risk treatment implementation plans, and the list of business processes. The output of the subprocess is a list of assets to be risk-managed together with a list of business processes related to these assets; a list of threats on these assets; a list of existing and planned security measures, their implementation and usage status; a list of vulnerabilities related to assets, threats and already installed security measures; a list of vulnerabilities that do not relate to any identified threat; and a list of incident scenarios with their consequences, related to assets and business processes.31

Two kinds of assets can be distinguished, namely primary assets, which include business processes and activities and information, and supporting assets, which include hardware, software, network, personnel, site, and the organization’s structure. Hardware assets comprise data-processing equipment (transportable and fixed), peripherals, and media. Software assets comprise the operating system; service, maintenance or administration software; and application software. Network assets comprise medium and supports, passive or active relays, and communication interfaces. Personnel assets comprise decision makers, users, operation/maintenance staff, and developers. The site assets comprise the location (and its external environment, premises, zone, essential services, communication and utilities characteristics) and the organization (and its authorities, structure, the project or system organization and its subcontractors, suppliers and manufacturers).32

Threats are classified according to their type and to their origin. Threat types are physical damage (fire, water, pollution); natural events (climatic phenomenon, seismic phenomenon, volcanic phenomenon); loss of essential services (failure of air-conditioning, loss of power supply, failure of telecommunication equipment); disturbance due to radiation (electromagnetic radiation, thermal radiation, electromagnetic pulses); compromise of information (eavesdropping, theft of media or documents, retrieval of discarded or recycled media); technical failures (equipment failure, software malfunction, saturation of the information system); unauthorized actions (fraudulent copying of software, corruption of data, unauthorized use of equipment); and compromise of functions (error in use, abuse of rights, denial of actions).33 Threats are classified according to origin into deliberate, accidental or environmental. A deliberate threat is an action aiming at information assets (remote spying, illegal processing of data); an accidental threat is an action that can accidentally damage information assets (equipment failure, software malfunction); and an environmental threat is any threat that is not based on human action (a natural event, loss of power supply). Note that a threat type may have multiple origins.

Vulnerabilities are classified according to the asset class they relate to. Therefore, vulnerabilities are classified as hardware (susceptibility to humidity, dust, soiling; unprotected storage); software (no or insufficient software testing, lack of audit trail); network (unprotected communication lines, insecure network architecture); personnel (inadequate recruitment processes, lack of security awareness); site (location in an area susceptible to flood, unstable power grid); and organization (lack of regular audits, lack of continuity plans).34

Risk analysis is done either quantitatively or qualitatively. Qualitative analysis uses a scale of qualifying attributes to describe the magnitude of potential consequences (low, medium or high) and the likelihood that these consequences will occur. Quantitative analysis uses a scale with numerical values for both consequences and likelihood. In practice, qualitative analysis is used first, to obtain a general indication of the level of risk and to reveal the major risks. It is then followed by a quantitative analysis on the major risks identified.

Risk analysis involves a number of steps, namely assessment of consequences (through valuation of assets); assessment of incident likelihood (through threat and vulnerability valuation); and determination of the risk level. We discussed valuation of assets, threats, and vulnerabilities in an earlier section. Input to the subprocess is the output of the risk identification subprocess. Its output is a list of risks with value levels assigned.

Having valuated assets, threats, and vulnerabilities, we should be able to calculate the resulting risk, if the function relating these to risk is known. Establishing an analytic function for this purpose is probably impossible and certainly ineffective. This is why, in practice, an empirical matrix is used for this purpose35. Such a matrix, an example of which is shown in Table 53.2, links asset values and threat and vulnerability levels to the resulting risk. In this example, asset values are expressed on a 0–10 scale, whereas threat and vulnerability levels are expressed on a Low-Medium-High scale. The risk values are expressed on a scale of 1 to 7. When linking the asset values and the threats and vulnerabilities, consideration needs to be given to whether the threat/vulnerability combination could cause problems to confidentiality, integrity, and/or availability. Depending on the results of these considerations, the appropriate asset value(s) should be chosen, that is, the one that has been selected to express the impact of a loss of confidentiality, or the one that has been selected to express the loss of integrity, or the one chosen to express the loss of availability. Using this method can lead to multiple risks for each of the assets, depending on the particular threat/vulnerability combination considered.36

Table 53.2. Example Risk Calculation Matrix.

Finally, the risk evaluation process receives as input the output of the risk analysis process. It compares the levels of risk against the risk evaluation criteria and risk acceptance criteria that were established within the context establishment process. The process uses the understanding of risk obtained by the risk assessment process to make decisions about future actions. These decisions include whether an activity should be undertaken and setting priorities for risk treatment. The output of the process is a list of risks prioritized according to the risk evaluation criteria, in relation to the incident scenarios that lead to those risks.