Facilities Management Recycling Web Application; An Analysis to How the Cybersecurity Has Been Shaped by Humans

Weng, Jane, School of Engineering and Applied Science, University of Virginia
McBurney, Paul, EN-Comp Science Dept, University of Virginia
JACQUES, RICHARD, EN-Engineering and Society, University of Virginia

For my senior technical capstone project, I joined two others (my colleagues, Dwij Gandhi and Shivani Surti) in building a website for the University of Virginia’s Facilities Management(FM) Department. It’s purpose is to allow FM to to gather and store data regarding their day to day operations, allowing them to generate the reports and manage logistics on the fly. We were tasked with building an information system from the ground up with tiered privileges and developing an easy to use platform for the FM employees to easily and securely enter information. We met with FM’s IT Department to discuss security measures and how to enforce the tiered privileges. The answer we received was interesting. They wanted us to build all the functionality that was requested, but leave the authentications and other security measures to them. This led to me to start thinking about information security in general and ultimately led me to the topic of my STS Research paper, An Analysis On the Existence of Information Security Subcultures in the Workplace, where I tried to look for significant differences between the level of information security(IS) knowledge, beliefs, and values that a subgroup holds in comparison against a more dominant group.
The technical portion of my project focused on the design of the database and website. Our design of the database is centered around making sure that all the information was stored in a way that was easy to maintain and simple enough to perform any and all necessary calculations efficiently. The major design of the website was making sure that our website looked like the other websites that FM owns. The rest was making sure that everything was still accessible and easy to navigate on both a screen and a mobile device.
In my STS research, I found a few subcultures that existed in the people that I surveyed. The main categories that I looked at were whether or not the employee had worked in IT, what job level they had, and whether or not the employee was remote. A driving force for my desire to investigate the subgroup of remote workers was also largely inspired by the effects of COVID-19, where many workers were forced to work from home rather than from their offices. In revealing that these cultures exist to a significant degree, it is evident that employers will need to reconsider how they train their employees in such a way that the entire group will perform and uphold the highest possible IS standards.
Overall, I feel that my experience with my projects was very fulfilling in that I was able to apply my knowledge and experience into building a scalable project. I have built class projects and projects that have a probability of never deploying, but this project forced me to really understand on a much lower level how everything flows into each other and how they would work with each other to prevent bugs and other issues. In addition, I was able to conduct my own research and gain a better understanding of statistics and what goes into a good statistical analysis. I’ve judged the efficacy and power of statistical analysis of other papers without fully understanding that there were a lot of constraints and limitations to each one. Good statistical analysis requires a large number of respondents of all categories and I underestimated the difficulty of reaching a good amount of them. Without this technical project, I don’t believe I would have ever pursued this topic for my STS research. Without my STS research, I wouldn’t have understood just how much I needed to secure my technical project. I had an ethical obligation to secure the technical project as much as I could without overstepping boundaries with FM’s IT Department. On top of that, I also had an ethical obligation to make sure that I am able to survey sensitive information without asking for so much information that respondents would be identifiable and ensuring that I was able to accurately determine whether or not I had significant enough differences between subgroups.
Looking back, I should have started sending out my survey when I was still in STS 4500. Since this information that I surveyed is really sensitive, I overestimated the general comfortability of current and past employees to disclose security information that pertained to their work. In addition to that, I had failed to consider the multitude of different types of workplaces when I released the survey. Not all workplaces were the same, so I should have adapted my survey to allow them to select if a certain question or topic does not pertain to them. I had finished my analysis before realizing that I needed to throw questions and responses out. I was also not anticipating the number of requests to throw out entire responses because they were no longer comfortable sharing the information that they did. In the end, I was still able to finish my analysis. My statistical tests were not very strong, but still proved to show adequate significance. My ambitions when I was writing my prospectus were too high as well. There was no way I could gather enough responses for each category regardless of how much earlier I could have started. I should have better considered the feasibility of my project in all its aspects. Going forward, I recognize that quite a bit of bias is unavoidable, but I could have tailored my research questions better and gotten better responses that would have been more indicative of what I intended to find out.

BS (Bachelor of Science)
Computer Science, Information Security, Information Security Subcultures, Facilities Management

School of Engineering and Applied Science
Bachelor of Science in Computer Science
Technical Advisor: Paul McBurney
STS Advisor: Richard Jacques
Technical Team Members: Dwij Gandhi, Shivani Surti

Issued Date: