Research paper abstract summary – discussion

Subject: Business Network Systems Management – 03478 – Sp22


— Write small summary 10-15 lines of each classmate research paper. No reference or other details.

— There are total 12 classmate research paper.

ClassmateResearchPaper/BIT 575 Final Paper Maleeha Latif.docx












The Impact of Standardization and Small Batches on Performance and Output

Maleeha Latif

BIT 575 – Final Paper

Dr. Andrew Aken


The Impact of Standardization and Small Batches on Performance and Output

Throughout history, humankind has continuously tried to create things and innovate with what they had in order to make their lives easier. The world is constantly evolving, and we have had exponential increases in technological advancements. To continue this innovation and improvement, incorporating the concept of standardization and the process of small batches is extremely important. In order to allow ease, less waste, less mistakes, easy maintenance, and faster results, we must allow newer and better processes to replace our current ones. This paper will delve into what exactly standardization and small batches do to tasks and how they impact the performance and output of projects, professional or academic as mentioned in the Appendix.


Standardization is the process of ensuring that the different machines or systems one would use to complete a task are similar in build, concept, and function (Limoncelli et al., 2017). What standardization does is ensure that commonly performed tasks are written up as a process and done the exact same way every time, regardless of who is doing them. These standard guidelines can make the lives of staff much easier and avoid confusion and chaos (Brandall, 2018). Common tasks could include dealing with customer complaints, onboarding new hires, sending out a supply request, certificate renewal and other such often repeated work. The IT industry has constantly made use of standardization, and which has allowed increased efficiencies in production and productivity (Lee et al., 2019).

Any work done in an organization that has been done before should be written down, coded, and recorded so that there are rules and guidelines in place. This ensures that no matter who takes on what task, they are able to perform is exactly as another (Brandall, 2018). It does not even have to be IT or systems administration based. Standardization can be used in any situation where it fits. For example, having a standard at home for doing laundry can help. Light colored clothing and dark colored clothing are washed separately. That is a standard. Whether mom, dad, brother, or sister decides to do laundry, they all could be told this standard that they must maintain. Similarly, in college, professors and instructors could have their standards that are set. If the instructions clearly state that you must submit a one-page, double spaced paper and the instructor will only count content as a part of the one-page, students should understand that in order to get a good grade, they need to meet that standard.

Standardization can decrease the amount of time employees take during the trial-and-error phase (Brandall, 2018). A set process that is laid out for everyone means that employees do not need to figure out the best or fastest way to do a certain task. Standards are usually set based on the best way to do a task so quality control becomes less of an issue as well (Brandall, 2018). Basically, standardization makes everyone’s life easier. It helps employees do their jobs correctly with minimal mistakes, allows easy maintenance, decreases waste, and encourages uniformity. Of course, when the organization is presented with an issue or problem that it has not had experience with before, standardization cannot work, and the trial-and-error process must take place. Standardization of IT processes have been quite common for a while and different data models and software processes have been created for organizations to ease into standardization (Laakso & Kiviniemi, 2012).

Impact of Standardization on Performance and Output

One of the main benefits standardizations has is that it clears up any confusion and clearly lays out how a process should be performed (Brandall, 2018). There is no need for employees to test and figure out the best way to do something because a standard has been created. This increases performance and output because less time and less waste occur while performing commonly occurring tasks.

Along with confusion comes the risk of losing quality (Brandall, 2018). When employees do not know the correct instructions or processes to use, they try different things. Some of these things work while others do not. The ones that do not work, negatively impact quality and produce even more issues down the road.

Once a process is standardized and the process is understood, the organization can go forward and standardize other processes. This creates a benefit to the organization in terms of time and resources. When an organization is not busy trying to fix mistakes or avoid quality issues, it can focus on new problems and innovation (Brandall, 2018). This in turn can improve employee morale which boosts productivity and output.

When you standardize processes and employees know what they are doing, they are happier (Brandall, 2018). Often ambiguous tasks or vague direction can result in employees being frustrated and not knowing what to do. Standardization helps avoid this frustration and negative association with tasks at one’s job.

Productivity and output can generally be shown in how customers are handled. If an organization is productive, it can usually be seen in how they handle customer complaints, requests, and questions. Standardization allows organizations to understand how best common complaints can be handled and it means that everyone is treated and informed correctly and uniformly (Brandall, 2018). Being able to understand and rectify customer complaints is one of the main ways organizations can prove their commitment to their customers. Standard procedures, canned replies, and written out guidelines can help any employee ensure that customers are taken care of.

Small Batches

Small batches are a concept defined as doing work in smaller chunks in order to avoid mistakes, waste, and time loss (Limoncelli et al., 2017). For a software development team this may mean writing small amounts of code and publishing it rather than spending copious amounts of time on writing a very lengthy and complicated full software (Kenig, 2020). Working in small batches can help in performance, morale, work time, mistake reduction, and easy changes. The small batches concept can be described as cutting up your work into smaller chunks. If you choose to do a big project, then you must plan, conceptualize, and organize your project which takes time and resources. Then you will have to sit down and write out all the code and procedures for this big project which could take ages. Then in the testing phase, figuring out glitches or bugs and which lines of code they are attributed to take even longer (Kenig, 2020). Often this process results in going over budget and over time. Using small batches, however, allows you to create a smaller, more succinct programs, test any mistakes you have, easily detect that code that you need to change, and publish it within a much shorter amount of time. This also allows one to easily make changes and pivot when needed. Manufacturing companies make small batch processing machinery which have been shown to improve both productivity and output (Schuh et al., 2019).

Impact of Small Batches on Performance and Output

When applying small batches to projects, it can significantly improve performance and output. Testing changes or identifying mistakes/bugs in larger projects takes a lot of time and effort (Kenig, 2020). However, working in small batches allow quicker tests, changes, and identifying mistakes which significantly improve the quality and speed of getting products out the door. Running tests becomes easier on smaller batches and can be handled better (Kenig, 2020). Similarly, making changes to a large project can prove to be extremely time consuming and frustrating. Making changes to smaller batches is much less arduous.

Increased amounts of output can also come from small batches. Customers appreciate something rather than nothing. So, producing and publishing systems for customers to use immediately rather than waiting for a large system and eventually realizing many glitches and bugs is much more appreciated (Kenig, 2020). Working in smaller batches allows you to produce quicker and more quality content for your customers to use.

Working in smaller batches can also be useful if teams are smaller (Kenig, 2020). Smaller teams can comfortably produce small batches of work and still maintain quality and standards. This allows the organization to remit less resources to one project. Lean startup which encourages immediate feedback is also a benefit of small batches as it allows immediate testing and feedback (Kenig, 2020).


Initially, encouraging the adoption of standardization might be easier than small batches. Standardization can easily be implemented by ensuring that certain tasks are performed by the most experienced workers and then those same workers can be asked to detail their process, so it is recorded and used by others. Small batches, however, can be a significant change in habit. Change intervention is a great way to encourage this adoption. First, employees can go through the unfreezing stage where the need to change is explained and taught. Then, change intervention can occur and small batches can be implemented. Finally, the refreezing stage can occur, and employees can be monitored to ensure small batches is being used effectively.

A resistance to change may occur at organizations. Employees may assume that small batches mean more work in the long run. They may be hesitant to take on the responsibility of ensuring that all their work is mistake free and low waste. While that is not true and in the long run it would be beneficial and better for morale, these issues may arise. Additionally, experienced workers may feel pressured to disclose the best way to do tasks which in turn may give them the idea of internal competition. While competition is important for innovation, workers should not feel that they need to hide or suppress their skills. As a matter of fact, applying standardization will free those workers up as they will not have to correct mistakes or deal with waste as much. It allows the organization to explore many different new ideas and allows workers to push themselves creatively.


When it comes to standardization, a form of job security may open up experienced workers to sharing their knowledge and expertise. Allowing them their time and giving them the comfort they need to share valuable information with others will ease the process. Educating them on the benefits of spending less time editing, fixing, and correcting processes will be beneficial. Managers can explain that with time freed up by employing standardization, workers can focus on other endeavors and push their creativity to innovate and take the company further. A certain comradery and connection to the organization is important as well. Giving applicable rewards to employees who help with the standardization process can give them incentive and motivation but also help them realize that they are a valuable part of the company, and their input/expertise is acknowledged and appreciated.

Examples of small batches successfully being used in companies can help change the minds of those who may be resistant to change. Explaining the cause and effect of small batches and how they will not be more work and tougher deadlines but rather ease the process of producing content would also be a big help. Knowledge is power and in imparting knowledge, employees can gain a sense of what small batches are about and fear the change it brings less.

Incorporating any new process or procedure will have growing pains in the beginning. Employees and workers will have a hard time changing the way they do their work, and it will be a lot of trial and error. However, both standardization and small batches will eventually become habit and employees will be able to see the time and resource benefits it can bring. Case studies are also a great way to explain the potential benefits of these processes. Additionally, bringing in professionals that understand how to jumpstart the standardization process or how to incorporate small batches is a valuable alternative. Sometimes managers are not equipped with the knowledge to enact change or the knowledge of the benefits of a certain system. A professional can help bring credibility and maximization to whatever new process you want to implement.


In conclusion, small batches and standardization can do wonders for an organization’s productivity and output. Incorporating small batches can reduce the work, time, resources, effort, testing time, and mistakes when producing content. Small batches can allow developers to push out content and software to customers quicker with easier changes and fixes as opposed to customers having to wait long periods of time before even having access to software. Standardization can help increase uniformity, reduce mistakes, increase morale, and give an organization time to focus on other endeavors. Employing the skills and expertise of workers who know the best method to perform a task and asking them to record it is very important. Any other employee in the future doing the same job can use that information as a guideline and ensure uniformity between work.

As a whole, both of these concepts can be applied with relative ease as long as correct education and information is given to employees. It is important to understand and work with employees who might feel uncomfortable with certain areas of change. Also, some problems may arise in the beginning when implementing small batches and standardization, but these are simply growing pains and will benefit the organization as a whole in the long run. The investment into these concepts is worth any risk that comes with it.






Brandall, B. (2018). Why Process Standardization Improves Quality, Productivity, and Morale.

Kenig, E. (2020). Working in small batches is the one single thing you should care about. Yotpo Engineering.

Laakso, M. & Kiviniemi, A. (2012). The IFC Standard – A Review of History, Development, and Standardization. ITcon, 17.

Lee, B. N., Pei, E., & Um, J. (2019). An overview of information technology standardization activities related to additive manufacturing. Progress in Additive Manufacturing, 4(3).

Limoncelli, T. A., Hogan, C. J., & Chalup, S. R. (2017). The Practice of System and Network Administration (3rd ed.). Lumeta Corporation.

Schuh, G., Kelzenberg, C., Wiese, J., & Ochel T. (2019). Data Structure of the Digital Shadow for Systematic Knowledge Management Systems in Single and Small Batch Production. Procedia CIRP, 84.



Initial Topic Proposal

The Impact of Standardization and Small Batches on Performance and Output

This research paper will mention the different impacts that standardization and the incorporation of small batches has on organizational performance and output. Standardization or using generic machines have been known to increase efficiency in situations where a failure, outage, or addition needs to take place. Similarly, small batches are shown to reduce the amount of waste, mistakes, and time it takes for a task to be completed. I will be delving into these topics by using information I find by different authors and real-life examples.

Feedback Received

Topic is sufficiently narrow in scope. Topic is on an appropriate subject.

ClassmateResearchPaper/BIT 575 Research Paper Nabeeha Latif.docx

How Can a Company’s Reputation Be Impacted by a Security/Data Breach?

Nabeeha Latif

Minot State University

BIT 575

Dr. Andrew Aken

May 1st, 2022





How Can a Company’s Reputation Be Impacted by a Security/Data Breach?

Security breaches are incidents that involve unauthorized access to a company’s records or data by intruders (What is a security breach?, 2021). A security breach means the intruders have gotten through the firewall whereas a data breach is when the intruders have not only gotten through the system but stolen the information they wanted to steal (What is a security breach?, 2021). The information that is stolen can be bank details or it can be information that can be sold for identity theft (What is a security breach?, 2021). A data breach is anything that exposes confidential information to an unauthorized user (How data breaches happen, 2021). A breach can not only be towards companies but towards individuals as well. For individuals, it happens when proper controls or stronger passwords are not in play. This means that the individuals have not done much to protect themselves. This paper dives into how companies are affected by breaches and what customers go through as well as how companies can restore their reputation as mentioned in the Appendix.

Causes of Data/Security Breaches

Data breaches are not always caused by outside sources but also by people on the inside. Data breaches can occur through:

· An Accidental Insider: This is when coworker A gives their login information to coworker B to use without realizing that coworker B may not have the authorization to see anything else but given access, they saw it and now that data is considered breached (How data breaches happen, 2021).

· Malicious insider: This is when someone intentionally and maliciously uses the information, they have access to. The first one is unintentional that someone got access when they shouldn’t have. This breach is when someone either intends to access or abuses the access they already have to take the information they want (How data breaches happen, 2021).

· Lost or stolen devices: The breach occurs when a laptop, computer, or hard drive either goes missing or is stolen (How data breaches happen, 2021).

· Malicious Outside criminals: This is when hackers try to gain access by attacking someone’s or a company’s device to gain control over their information (How data breaches happen, 2021).

Types of Security Breaches

There are different kinds of security breaches:

· Phishing: These attacks are designed to fool you by portraying to be organizations or causes you trust. Hackers send you an email using those trusted organizations for you to just click on it and give them access to your computer and all the information with it (Kaspersky2).

· Brute force attacks: Hackers try to force their way into an individual or company’s system by trying to crack their passwords (How data breaches happen, 2021). This takes time however if your password is not strong then it would not take long.

· Malware: These attacks occur when proper security controls are not put in place. This allows hackers to ease in undetected and steal whatever they want without getting caught and it is too late by the time you realize there was a breach (How data breaches happen, 2021). I think it is too late as soon as the breach occurs.


Impact on Customers

Schaffer (2021) talks about how the LinkedIn breach affected a lot of users but there was significantly nothing that users could do about it. She also mentions that since so many people went through the same thing it helped lower the anxiety of everyone. Why? because first there is nothing you can do when a breach occurs and your information is taken through social media, the only thing to be done is to panic however that panic can be less when you know other people are going through the same thing. For example, when you don’t know there was an exam in school, and you walk in to find out about it, and you look at your friend who is just as confused. Knowing you are not alone helps you keep calm.

Companies that have been breached; their consumers do live in constant fear that they will be a victim of identity fraud. These fears make it harder for people to put in their information as they trust companies less now. People also believe that this is happening because companies are not doing their job by keeping their information safe (Schaffer, 2021).

Post-Breach Impact on Company

Sometimes negative attention can be beneficial. Why? because for a smaller business, any kind of press or attention is good whereas for a larger business even the smallest inconvenience can result in a downfall (Makridis, 2021). When companies encounter a data or security breach, they are likely going to have a decline in the amount of profit they are going to receive (Makridis, 2021). This is because customers will be unwilling to support a company that has had a security breach. As I mentioned earlier, because smaller businesses receive attention, some businesses are unlikely to invest in proper cybersecurity tools to ensure no breaches (Makridis, 2021).

People end up finding out when a company has been breached. The word is out and that means the company’s reputation is not at the same level it once was. This drops the stock prices for publicly traded companies by five percent (The Impact of Data Breaches on Reputation & Share Value, 2017). However, if companies were to self-report themselves and respond immediately to try the fix the damage then they are likely to have their stock value back up in about a week (The Impact of Data Breaches on Reputation & Share Value, 2017). This kind of response to a data breach shows consumers that companies are prepared and that they care about their consumers to have the best possible recovery process at hand. According to (Makridis, 2021) smaller companies get the press by having a breach, this does not mean that it is good because for smaller companies the decline lasts about 90 days since they don’t have a proper security system in place (The Impact of Data Breaches on Reputation & Share Value, 2017).

The more money that is allocated to safeguarding the information of consumers, the less likely you are to be breached and the more likely that your consumers will stay loyal and trust to do business with you (The Impact of Data Breaches on Reputation & Share Value, 2017).

We all believe what we hear most of the time without doing the necessary research to ensure if our claims are true or not. Consumers believe that health care organizations will keep their information more protected than banks (The Impact of Data Breaches on Reputation & Share Value, 2017). However, healthcare organizations account for 34 percent of data breaches while financial organizations account for 4.8 percent (The Impact of Data Breaches on Reputation & Share Value, 2017). That is because financial organizations allocate costs towards cybersecurity to protect their customers while healthcare organizations do not (The Impact of Data Breaches on Reputation & Share Value, 2017).

Companies face reputable damage, financial consequences, and customer loss when a breach occurs (The Impact of Data Breaches on Reputation & Share Value, 2017). Employees also become less productive after a breach when they see that their company is not held to a higher standard or does not allocate costs towards ensuring the company’s safety (The Impact of Data Breaches on Reputation & Share Value, 2017). I know employees get unproductive because there was a breach at one of the companies my coworkers used to work for, and it showed that employees did not want to continue working and switched jobs. They are now hiring a lot of people for that company. This shows that even when employees do not want to work then why would customers trust that business to provide the best possible service when they sign up.

Prevention of Reputational Damage

According to Taylor (2020), the way companies can prevent reputational damage depends on how they respond to a breach. If their response time is quick and they consult experts immediately to ensure the best possible strategy shows consumers that the company is working towards making better protection and taking responsibility for their actions.

The best way to prevent reputational damage is to have the best offensive strategy ready for an attack (Taylor, 2021). The more prepared one is for a breach the less likely they are to be breached. Companies can invest in software that controls and monitors any suspicious activity (Taylor, 2021). They can also implement Zero Trust Network Architecture which means the company trusts no one to have unlimited access for a long period. This software gives access once the individual is approved and only for the given amount of time till the work is done.

As soon as a company finds out they have been breached, they should alert their employees and customers so they can prepare or protect themselves (Sheil, 2021). Hiding this information will only make it worse because if customers find out that their information was hacked, they will be upset but on top of that, the company lied about it? that is not a good look for any organization. The next thing a company should do is figure out what information was breached and what the hackers got access to (Sheil, 2021). Once you find out what has happened and fixed it then it is time to update security protocols to ensure the same thing never happens again.

A brand’s reputation is what makes consumers either fall in love with it or hate it. This all depends on how the company, product, or service was marketed. Therefore, when a breach occurs, it is up to the marketers of the company to give their input on how best to serve the consumers without losing brand reputation. Breaches will keep happening but knowing how to first make your customers feel secure that you are doing something seems to be the main priority (Whitler & Farris, 2017).

Companies That Faced Breaches

On March 31st, 2020, the hotel chain Marriott disclosed a security breach that impacted the data of more than 5.2 million hotel guests who used their company’s loyalty application (Gupta, 2020). Hackers obtained login credentials of two accounts of Marriott employees who had access to customer information regarding the loyalty scheme of the hotel chain. They used the information to siphon off the data approximately a month before the breach was discovered. The data accessed in the breach involved personal details such as names, birthdates, telephone numbers, travel information, and loyalty program information. According to Marriot, hackers might have obtained credentials of their employees either by credential stuffing or phishing. Previously, the hotel giant announced a data breach in late 2018 in which up to 500 million guests were impacted.

Although Marriot faced a large-scale breach, they were able to repair its reputation by incentivizing loyalty, owning its mistakes, and taking a proactive approach to fixing its reputation (Wadsworth, 2019). There will always be a risk of a breach no matter the preparation, which is why companies should not only invest in cybersecurity but also in reputational protection.

In 2019, MGM Resorts suffered a massive data breach. The news of the breach incident started to circulate in February 2020 when hackers leaked the personal details of 10.6 million hotel guests for free download (Escobar, 2020). But in the later findings, the number increased by 14 times (nearly 142 million) than the number recorded in February 2020 (Escobar, 2020).

The personal information published on the hacking forum included the name, home address, phone number, email address, and DOB of guests. The leaked files of guests included Justin Bieber, Twitter CEO Jack Dorsey, and many major government agency officials.

According to an ad, the hacker was selling the details of 142,479,937 MGM hotel guests for a price of just over $2,900 on the dark web a weekend after (Escobar, 2020). Imagine the cost MGM had to pay and the PR nightmare they went through after this. We are taught to evaluate our property, but we can’t put a price on digital property or customer relationships.


Companies suffer immense financial losses when they experience a data or security breach (Gwebu et al., 2018). Data breaches not only cause distress between an organization and customers but also between the organization and its stakeholders (Gwebu et al., 2018). Extra money is spent to ensure that the breach is taken care of and never happens again and towards maintaining the negative image that has been set. This image also reflects badly towards the investors. The more information that is saved online the more likely it is for it to get hacked. However, when customers give their information to a business, they trust the company to safeguard it. When a breach occurs, companies should first inform the parties affected and take steps to fixing the problem to ensure minimal reputational damage. There will be negative consequences but nothing that can not be fixed with the proper strategies involved by cybersecurity teams and the marketing department.



Escobar, M. C. (2020). MGM Data Breach 14x Higher than Initially Thought. Hospitality Technology.,its%20cloud%20servers%20was%20hacked.

Gupta, D. (2020). Marriott Data Breach 2020: 5.2 Million Guest Records Were Stolen. Loginradius.

Gwebu, K. L., Wang, J., & Wang, L. (2018). The role of corporate reputation and crisis response strategies in Data Breach Management. Journal of Management Information Systems, 35(2), 683–714.

How Data Breaches Happen. (2021). Kaspersky.

The Impact of Data Breaches on Reputation & Share Value. (2017). Centrify.

Makridis, C. A. (2021). Corrigendum to: do data breaches damage reputation? Evidence from 45 companies between 2002 and 2018. Journal of Cybersecurity, 7(1).

Schaffer, P. (2021). Data Breaches’ Impact on Consumers. InsuranceThoughtLeadership.Com.

Sheil, J. (2021). What Should A Company Do After a Data Breach? Electric.

Taylor, T. (2020). How Cyber Attacks & Data Breaches Damage Reputation. SecureLink.

Wadsworth, S. (2019). Counting the reputational cost of data breach – Marriott’s global data disaster. Igniyte.

What is a security breach? (2021). Kaspersky.

Whitler, K. A., & Farris, P. W. (2017). The Impact of Cyber Attacks On Brand Image. Journal of Advertising Research, 57(1), 3–9.




Initial Topic Proposal

How can a company’s reputation be impacted by a security breach?

I will talk about how customers view the organization impacted and how the company tries to restore their image. How their revenue is impacted and how the world of social media makes it possible for everyone to find out and make it worse. I will also talk about how companies try and restore their reputation or if they even can at certain times.

Feedback Received

It would be even better if you can cite specific case studies regarding how organizations’ reputations have suffered subsequent to a breach (Target, Mariott, etc.) Topic is sufficiently narrow in scope. Topic is on an appropriate subject.

ClassmateResearchPaper/BIT-575 Research Paper_Caleb Steinborn.docx












Research Paper

Covid’s Impact on Burnout in WFH System Admins





Caleb Steinborn

Minot State University BIT-575: Business Network Systems Management Andrew Aken

May 1st, 2022






How do you get someone to do what you want? Sometimes you ask nicely. Sometimes you bribe or cajole them. Other times, you trade with them. That trade could be time, advice, bartering, or renumeration – a.k.a., paying them. This last option is very popular, and the entire business world is built around it. A company’s owners want to accomplish something, but they need help to make their dream a reality, so they hire people to do the job for them, and some of the most important employees are the system administrators. System administrators are the backbone of any corporate organization since nearly every aspect of business is conducted digitally these days and requires hardware, software, infrastructure, and a support system in order to conduct business without disruption. This is one reason why the recent Covid pandemic threw the business world into a tailspin, and suddenly the entire workforce was no longer in the office but working from home (WFH) for days, weeks, and months on end while the world was on lockdown. This affected business professionals in different ways across a wide spectrum of emotions, but specifically within the system administrator sphere there were two noteworthy categories of reactions. For some, the WFH transition was rejuvenating, and resulted in peaks of performance unlike any time before. For others, the WFH dynamic led to chronic burnout and exhaustion. This begs the question: why did some system administrators find WFH refreshing during the pandemic while others suffered severe burnout?

In order to answer this question we must first start at the beginning. The first factor for any productive employee is also the simplest – it is the happiness of the worker. Employers learned over the decades that unhappy people do not work well, no matter how hard you try to make them work. Unhappy people do only what is absolutely demanded from them and nothing more, and in many cases would even subtly sabotage or otherwise hinder their employer’s goals. A recent Gallup poll has estimated that the average cost of disengaged or unhappy employees equates to approximately $300 billion in lost productivity per year. (Amabile & Kramer, 2011) Happy employees, on the other hand, are more likely to have new ideas and feel a greater sense of fulfillment. Simply by feeling happy at work breeds an environment of positivity that spreads infectiously. These happy employees share their passion with others while looking out for their employer’s best interests, and regularly end up finding some new and innovative way to raise the standard of work even higher.

Since employers know that happy employees work better, the best company’s go out of their way to make sure the employee feels taken care of, have their needs met, and provide rewards and other incentives to retain these folks and keep them motivated. (Itri et. al, 2018) However, despite knowing this, most companies still don’t quite get it. The conventional wisdom passed down to us says that pressure enhances performance, and this pressure is not uncommon. One way that companies inadvertently apply pressure is by not having enough folks to accomplish the volume of work that is demanded. Most companies tend to keep their headcount to a minimum, which means that employees need to work harder or be more creative in order to keep their heads above water. (Hyacinth, 2020)

The practice for businesses to limit their headcount leads to an interesting quandary where most employers seem to have productivity and efficiency confused. To most managers, as long as you are “butts in seats” working for your eight hours a day you must be being “productive.” (George et. al, 2021) Nothing could be further from the truth. An system administrator could be a “good employee” and work their full eight hour shift without any complaining, but they could be spending all of that time going through their emails and writing gold-plated documentation that no one will ever read. It doesn’t matter how “productive” or “efficient” an system administrator is at processing their emails if they never deliver any value to their employer or their customers. This then leads to the dilemma of employees who need to look busy in order to be recognized, gain promotions, climb the corporate ladder, etc., vs the employees who simply want to take pride in their work.

If delivering value is what is truly important, then the system administrator needs to feel that they have the freedom to do their job, which many employees do not feel. Instead, the constant pressures of needing to get more and more done with less and less support leads to an unhealthy lifestyle that results in various degrees of burnout. Such burnout is common in those who shoulder heavy workload, and especially if they have to work long hours without sufficient breaks. This is exacerbated in those who feel like they have little control over their work. (Putra et. al, 2021) The burden leads to a sense of helplessness. This lack of time then translates into less time spent in healthy activities, such spending time with friends and family or participating in sports and hobbies, which furthers the cycle until the work-life balance is dangerously skewed. All of these factors combined result in excessive stress, fatigue, insomnia, sadness, anger or irritability, and often times alcohol or other substance misuse. (Mayo Clinic, 2021) If delivering value is what is important, then burnout is anti-value.

Since value deliver is what earns the company money, and happy employees do better work, the optimal balance will be finding employees who are motivated to do a good job without allowing themselves to feel overwhelmed. system administrators who strike this balance have found an environment that supports their intrinsic motivation to do good work, and that motivation is built around three factors: the feelings of autonomy, mastery and purpose. (Pink, 2010)

When knowledge workers such as system administrator’s work in an environment that supports their autonomy, they have the freedom to be creative, to explore what is possible, and to “make mistakes and get messy” as Miss Frizzle so eloquently put it. This freedom is necessary for innovation, because the road that leads to success is laced with failures – each building upon each other as learnings progress towards ever deeper understanding, and ever richer discoveries. Mastery is a part of this journey where the knowledge worker is ever striving to better master themselves and their environment while they bend their ambitious goals to their will. Doing work poorly not only does not appeal to a knowledge worker, but it sucks the joy out of their lives. And lastly purpose is key. There must be meaning behind the effort. The goal must be worth achieving and the prize worth winning. The combination of these factors is what inspires knowledge workers like system administrator’s to be the best that they can be, and to go above and beyond for the employers who gift them with this opportunity to do good work that they can take pride in. This is the environment that breed success, and this is also an underlying reason for the disparate results in WFH performance for system administrators throughout the Covid pandemic.

Before Covid most system administrators worked in person, interacting with their teams face to face (although the quintessential “movie-hacker-esk” figures were still often more isolated than not due to the nature of their work). While help desk was often still over the phone and sometimes provided with screen sharing services, most system administrator tasks were performed on company property in the presence of fellow employees. Work hours were most often strictly observed and any tardiness or early departures were publicly noticed. Commute time would depend on traffic, and rush hour traffic would be the times of day when most employees were entering or exiting their office locations. Due to the travel time, or physical location of the office, it could be difficult for system administrator’s to eat from their home supplies without ordering food out at cafe’s or fast food, or working out over their lunch breaks due to the amount of time it would take to leave the office to go to the gym, change, workout, shower, and return to the office before meetings or the need to clock back in. This was the norm for the past several decades, and Covid upended all of this.

There was global upheaval when the Covid pandemic struck and quarantine mandates were enacted in ever continent on the planet. Abruptly system administrators were no longer seeing their coworkers in person. They were no longer commuting, and they were constrained to their living quarters along with any immediate family members. The dining room table, couch, kitchen island or bedroom bean bag became their new place of working, and this space often needed to be shared with any working age adults or children in school as their learning likewise switched to being remote. (Cserháti, 2021) This rapid transition caught most people unprepared, and required them to pivot faster than they ever had before in their lives. Business leadership and their IT teams needed to enable 100% remote connectivity for 100% of their employees yesterday, and system administrator’s suddenly needed to operate without their desks, monitors and peripherals and instead work solely from their work laptops. However, there was a silver lining to this transitional time of turbulence — it bred creativity.

Abruptly the old working conditions were gone, and with them went the traditional ways of working. (Kumar, 2020) 9am to 5pm working shifts were suddenly unsupervised. Commuting in traffic was no longer a thing, and the employees found themselves with the opportunity to seize something they did not expect — control. With no one watching their every move and instead seeing only the quantity and quality of work being delivered, various freedoms revealed themselves. Employees could now sleep in a bit longer if they wished or take lunch at a more convenient time – or for two or three times as long if they wished. As long they showed up for the meetings they were required to attend, responded to messages and emails in a timely manner, and delivered their work on time at the expected quality without the necessity for a higher level of rework than previously, the remote worker was now in control of their day for the first time in their professional lives! (Bick, 2021)

This newfound freedom was not entirely free, however. Since commuting to the office was a thing of the past, people started working at the time they would normally commute, which pushed meetings earlier in the morning. Remote group call applications like Zoom (or their competitors like Webex, GoToMeeting, or Microsoft Teams) were integrated for the majority of companies early on and resulted in a lot of meetings with the front-facing camera on. Employees now had to share their camera so that the rest of the team could see their faces and “be assured” that they were not goofing off. Additionally, since meetings were regularly scheduled in 30-minute blocks and everyone was equally accessible, death-by-meetings nearly became a reality for many poor souls who found themselves scheduled in back-to-back meetings not only for their entire workday, but often for an additional hour or two before and after their previous 9am to 5pm start and end times. Add the fact that for many system administrators their workplace had to be shared with loud, distractible, and often stir-crazy school aged children, this was a recipe for disaster. (Putra et. al, 2021)

The health concerns from these working conditions quickly became evident, even separate from the chronic anxiety the globe was experiencing throughout 2020. Since everyone was fully accessible during work hours and did not physically leave, employees continued to have the same accessibility throughout their evenings. This further blurred the lines between work and home, and resulted in many system administrators feeling trapped by their work and unable to escape or turn their brains off. Staring as screens also resulted in two common health problems — eye strain and physical pain from working for days on end in non-ergonomic positions. Between these various negative conditions, WFH brought in many significant challenges that were not present in their traditional work environments. (Subramaniam, 2021)

These sharply negative problems were not unnoticed, however. Most companies quickly adjusted their expectations on employees and took measures to make sure employees were disconnecting from work, were spending time with family, and were not being not suffering continuous back to back meetings. With these changes the system administrators working from home were given freedom in how they choose to work, and how that control was exercised ultimately determined whether that specific individual ended up experiencing chronic burnout or a never before experienced level of rejuvenation at work.

Despite the health concerns, it quickly became apparent that the move to work from home did not diminish work quality or performance. Instead, for many performance increased. According to a recent study, 56% of survey respondents said that “working from home had been permanently transformative in a positive way,” and 70% said that being able to work from home gave them more freedom and creativity in how they performed their jobs. (George et. al, 2021) Only 24% said that their work-life balance did not improve, which seems to correspond to the stat that only 25% of WFH workers did not have other housemates to share their lives with, while 52% of respondents had children under 12yrs old at home.

For the system admins the choice of their happiness or discomfort became theirs, but some factors of their environments were noteworthy in contributing towards success in those who found WFH to be rejuvenating. These “WFH requirements” are effectively summed up by crafting the working environment in such as way that that enables the worker to healthily engage with work in the most effective ways possible while minimizing or eliminating the unhealthy aspects and establishing hard boundaries between home life and work life. Some of these factors include designing a functional workspace with ergonomic furniture (such as a standing desk, an ergonomic chair, and monitor raised to eye level), a reliable high speed internet connection, a workable schedule that promotes self-care (such as appropriate fueling of brain-supportive foods and regular exercise such as at-home-calisthenics), the ability to connect with others frequently after work (whether that be in person or virtually, such as playing online games), and a means to work out conflicts and distractions with kids, pets, or other potential distractions. (Mikus & Grant-Smith, 2021)

The system admins who were successfully able to implement these WFH requirements found the transition to be a breath of fresh air that enabled them to be more creative and innovative in how they engaged with their work tasks while taking even better care of themselves than ever before. The system admins who suffered the most were those who could not (or did not) implement these changes, which were especially compounded if they did not have a separate working space or had small children in their immediate working vicinity. Those employees, they did not gain a feeling of control, but instead lost more than they already had. This is the key factor that set apart those who felt rejuvenated by the WFH environment vs those who did not. It was their control. Their freedom. Their ability to either sculpt their world to their will, or be sculpted by it. (Villanueva, 2021) Covid was a driver of digital transformation in many ways, and the permanent shift towards an interconnected world and the ability to successfully work from anywhere will be two of the most lasting changes brought on by the pandemic for system administrators.




Amabile, T., & Kramer, S. (2011). Do happier people work harder. New York Times, 4(7), 32-45.

Cserháti, I. (2021, January 1). “business is unusual” – remote work after covid-19. Corvinus. Retrieved May 1, 2022, from

George, T. J., Atwater, L. E., Maneethai, D., & Madera, J. M. (2021, July 23). Supporting the productivity and wellbeing of Remote Workers: Lessons from covid-19. Organizational Dynamics. Retrieved May 1, 2022, from

Hyacinth, B. (2020, June 2). A bad job with a good boss is better than a good job with a bad boss. Thrive. Retrieved April 22, 2022, from

Itri, J. N., Bruno, M. A., Lalwani, N., Munden, R. F., & Tappouni, R. (2018, October 30). The incentive dilemma: Intrinsic Motivation and workplace performance. Journal of the American College of Radiology. Retrieved April 29, 2022, from

Kumar, D. S. (2020). Employee’s Percieved Benefits and Drawbacks from “Work From Home” During Covid-19. PalArch’s Journal of Archaeology of Egypt/Egyptology, 17(6), 2943-2957.

Mayo Clinic, S. (2021, June 5). Know the signs of Job Burnout. Mayo Clinic. Retrieved April 8, 2022, from,no%20control%20over%20your%20work

Mikus, J., Rieger, J., & Grant-Smith, D. (2021, January 1). Eudaemonic design to achieve well-being at work, wherever that may be. IGI Global. Retrieved May 1, 2022, from

Pink, D. (2021, March 22). Motivation – pink (three elements of intrinsic motivation). tutor2u. Retrieved April 29, 2022, from


Putra, W. T. G., Hakim, A. L., & Kartasudjana, T. (2021). Working virtually, exhausting in reality: Virtual cause of burnout in the age of a pandemic. In Dynamics of Industrial Revolution 4.0: Digital Technology Transformation and Cultural Evolution (pp. 119-124). Routledge.

Subramaniam, R., Singh, S. P., Padmanabhan, P., Gulyás, B., Palakkeel, P., & Sreedharan, R. (2021). Positive and Negative Impacts of COVID-19 in Digital Transformation. Sustainability, 13(16), 9470.

Villanueva, L. L. (2021) Post Covid-19: Towards Human Leadership and New Work Modalities.



Proposed Topic:

During the Covid WFH mandate two trends arose for SA’s and other remote knowledge workers. Some found the WFH dynamics to be the most refreshing change and saw a significant peak in the happiness and performance of these individuals. Others however suffered extreme burnout. Since employees are the power behind any company it is important to understand what caused these polar opposite results for SA’s, and to glean what learnings we can about how to maximize the effectiveness and happiness of SA’s while preventing burnout.

At the end of the day any company’s primary objective is to make money and be successful. By extension, the company should be ensuring that they are doing everything possible to set their employees up for success so that they can be as effective as possible. Ironically, most company’s get this wrong and treat their employees based on workplace practices from prior decades that have not aged well with the digital age. The Covid pandemic and the mandated work from home – WFH (and following work from anywhere – WFA) brought this into sharp focus when the world had to rapidly adjust to the new pandemic paradigm or go out of business. This paper will explore the various WFA dynamics brought on by the pandemic that make SA’s happy and effective (or conversely, miserable and ineffective) at their jobs, such as the operating environment, working hours, home/life balance and boundaries, and how individuals successfully achieve a sustainable state of flow rather than descending into chronic burnout.


Topic is sufficiently narrow in scope. Topic is on an appropriate subject.










Customer Service in Online Curricular Design

Linda D. Conn

Minot State University

BIT 575, Dr. Andrew Aken




The purpose of this study is to explore customer service in the field of online curricular design. My aim is to take what we know now as nine steps and see how it works, and if there are any ways it can be improved upon.


Customer Service in Online Curricular Design

Connections can be made in so many ways in our lives. Connection can lead to collaboration, and collaboration can lead to discovery, change, and implementation of new ideas. As someone who has worked in customer service for most of my life, I have noticed the connection between technology customer service and teaching. Different technology customers have different styles of preferences in taking in information. Some technology customers are in a hurry or perhaps don’t like technology, and would like the service representative to just implement the change or fix the technology issue for them. Others technology customers may want to learn how to complete the task themselves. Perhaps there is a third customer who would have some balance between the two methods. Those who would like to learn the technology are the technology customers who we may think of as lifelong learners.

In a way, we aren’t just performing customer service, but we are teaching these technology customers to become self-sufficient. We are enabling them to have autonomy in their own practice (in the case of this research paper, online curriculum design). I’m not the first person to link customer service and curriculum. In fact, the University of Maryland Library has created a curriculum on customer service for their employees, taking on the “challenging task of creating a customer service training curriculum for all staff” (Ippoliti, 2014, p. 178)

I’ve recently started a new career as an Online Instructional Designer as of April 1st , 2021. In this role, I will be servicing faculty in the design, testing, and running of their courses. I have thought about a couple research methods that would lead me to findings corresponding to customer service and learning in online curricular design. Autocriticism (Uhrmacher et al., 2017) is a methodology in which one attempts to notice nuances within one’s educational context in order improve educational conditions and render new understandings that add to the larger conversation about curriculum and teaching. Using this method, I would use the nine different steps (including, “Greeting, Problem classification, Problem statement, Problem verification, Solution proposals, Solution selection, Execution, Craft verification, Customer verification/closing”,) as a tool with every interaction I have with online curriculum customers (Limoncelli, Hogan, & Chalup, 2017, p. 156). The other research method which may be explored with this topic is Complimentary Curriculum (Moroye, 2009) I’ve long thought about the connection of mindfulness and customer service. As we all know, patience is key when it comes to customer service in technology. One thing I learned in my yoga/mindfullness training is altruism, or in layman terms, the practice of selfless concern for the well-being of others. This comes in very handy when dealing with human error. Dr. Christy McConnell-Moroye studied the complimentary curriculum of ecologically minded teachers (Moroye, 2009). She begins by using the definition of the curriculum by He et al. (2008: 223): “Curriculum for us is a dynamic interplay between experiences of students, teachers, parents, administrators, policy-makers, and other stakeholders; content knowledge and pedagogical premises and practices; and cultural, linguistic, sociopolitical, and geographical contexts.” She then defined complementary curriculum as being “situated in the kinds of experiences teachers provide for students, as well as in the ‘pedagogical premises and practices’ that result from the teachers’ beliefs.” (Moroye, 2009, p.791). In the study, she noted this same complimentary curriculum could be “applied to other beliefs or passions.” (p. 805). In this case the other belief or passion would be customer service in online curricular design.

Purpose of the Study

This study explored the experiences of and online curriculum designer who followed the nine steps and also contemplated implementing a complimentary curriculum to customer service in online design. I once had a professor who said we “build off the shoulders of giants” in our research. Building from the shoulders of Eisner (2002), Flinders, Noddings, and Thornton (1986), McConnell-Moroye (2009) and others, I agree curriculum is expressed, and not expressed, in distinct ways. Curricula are expressed explicitly and implicitly, and it can be helpful to think about practices of customer service (or teaching) in online curricular design while noting these types of curricula. (Eisner, 2002), Flinders, Noddings, and Thornton (1986) found that understanding what is not taught, or null, can also be useful. McConnell-Moroye (2009) noticed that teacher beliefs and passions can manifest into a complementary curriculum. Noddings (2003) refers to teaching as “a practice,” which includes the interconnected relationship between teachers and students

Research Questions

In order to make more specific the research paper describing the online curricular designer, I have developed the following questions:

Q1 In what ways do online curricular designers use the nine steps to provide customer service to their customers?

Q2 In what ways could online curricular designers use complimentary curriculum to empathetically provide customer service to their customers?


To expound on the customer service of the online curriculum designer, I decided to use a qualitative method of inquiry. This way, I could view the interactions as they happened without surveys. I used educational connoisseurship and criticism (Eisner, 1991). Although this is referred to as educational criticism at times, I did not want to remove the connoisseurship as I found it a valuable tool for the observations of my interactions in customer service.

Need for the Study

I was unable to find any research about online curricular design customer service. Using the nine steps from the text to observe how they work in my own working environment, perhaps we can put this topic out there for future researchers to expound on. Also, although we have past research on the complimentary curriculum of the Eco-Minded Teacher (Moroye, 2009), the research is lacking in the description of the complementary curriculum of the customer service and teaching of an online curricular designer.

Types of Curriculum

As noted earlier, I made the connection between customer service and teaching and curriculum. There are three types of curriculum as defined by Eisner: the explicit, implicit, and null curriculum (2002). Explicit Curriculum refers to the publicly announced programs of study (Flinders, Noddings, Thorton, 1986). So in the case of online curriculum instruction, this would refer to Blackboard and it’s components. The Implicit Curriculum is sometimes referred to as the hidden curriculum. It “includes the values and expectations generally not included in the formal curriculum, but nevertheless learned by students as part of their school experience.” (Flinders, Noddings, Thorton, 1986 p. 34). Most who teach (or in this case, serve customers) are not aware of the “hidden curriculum”. An example with online curriculum design could be the way our offices are set up. Are they a welcoming place for those who come for help? My own office is very nature inspired: a tapestry of a lake with trees, butterflies on the walls, a fully-stocked coffee bar and snack station for those who may be hungry or thirsty. I noticed my colleague has his setup equally personal with giant plants, Star Wars knick knacks (including a Yoda welcome mat), and an East Asian table made by a family member with dragons to complement. Perhaps these personal touches add a little personal flair for the customer to interact with. Sometimes, regular discussion with the customer aside from what the problem is can put them at ease.

The third curriculum is the Null Curriculum (defined as what is not taught). Why does it matter what is not taught? Sometimes in online curricular design, we might take on the ADA because we think it is too big a task for our faculty. However, perhaps they should know it, and know how to best do it for their students. If it all falls on us, we may not have time to do it as carefully as we should.

Moroye (2009) puts forth yet another curriculum, the complementary curriculum. She says it is most closely associated with the implicit (hidden) curriculum. However, she argues two key differences between the two,

First, the hidden curriculum has its origins in something more ominous, or at the very least more negative; that is, in Jackson’s original definition, it referred to the processes of schooling that were not explicitly taught but were required for success. In contrast, the complementary curriculum is an addition that may enhance or hinder the school experience, and students are not required to master any related skills. The second difference between the hidden and the complementary curriculum is the source. The hidden curriculum emerges from a variety of places in the infrastructure of the process. However, the complementary curriculum has one source: the teacher, or in this study, curriculum customer service representative. (Moroye, 2009, p.791).

One item I thought might go well with this study is verbal language. When it comes to complimentary curriculum, language has a huge part of customer service. Could we add to our patience and altruism by using transformational language. As a learner of Yogafit, I was introduced to transformational language (Shaw, B. 2017). As a complementary curriculum, university online curriculum designers can include this language in their curriculum. Some examples of transformational language can include these five components: inclusive, affirmative, action-oriented, process-oriented, and awareness oriented (Shaw, 2017). She also put forth the idea of PEP feedback. “PEP (performance excellence process) provides us with a framework for effective communication with others so that our words are always constructive” (Shaw, 2017). She talks about listening openly without excuses and/or judgment of yourself or others. This is something that could work in any situation, especially customer service. An example of PEP in the online instruction customer service sector can be to complement the instructor on something they created well, give them a constructive criticism, and then give them some more positive feedback. Since the constructive criticism is sandwiched between two positive feedback statements, perhaps the customer will feel more positive about the interaction.

Shaw also added tips for giving constructive feedback, including, “our intention is to be helpful, supportive and encouraging, ask permission before providing feedback, Focus first on the positive and second on how the person can improve, Deal only with specific behavior that can be changed, Describe the skill/technique, rather than evaluating it, Let the recipient know the impact the skill/technique has on students, Avoid labels (unprofessional, irresponsible, etc.), Relate objectively about what is specifically seen or heard, Facts about skill/technique are exact and without exaggeration, Use “I” statements to accept responsibility for our own perceptions and emotions, Check to make sure the recipient understood the message in the way it was intended.” In looking at this language, some correlations can be found which connect with the nine steps. For example, the nine steps use verification at the end where the PEP feedback as a last step checks to ensure the recipient understood the message as it was intended.


This research took place in the Center for Extended Learning (CEL) at a Midwestern State University.

Researcher Background

My background relevant to this study comes in the form of my past customer service and learning experiences, both received and given out. I have received many effective learning experiences from past teachers and customer service representatives. These experiences have taught me what to do. Perhaps these experiences were effective for my own learning style, and I won’t discount some of the ineffective learning experiences I have had in these areas. They too, taught me what I personally will not do when it comes to customer service and teaching. In my own experience as a customer service provider and teacher, I have years of experience. I have worked in the restaurant industry at both a sandwich shop and as a waitress. I have worked with troubled youth at a treatement center and students with learning disabilities in the classroom. I have worked with stakeholder’s of a school library including faculty, students, town residents, and board members. I have been an administrative assistant and coordinator for everything ranging from an oilfield repair/cnc shop to a university helpdesk, helping faculty, staff, and students. Another huge part of customer service and teaching is empathy for those you serve and work with. Like many people, I have somewhat of a troubled background, experiencing everything from childhood trauma to severe illness and even the loss of a child. These experiences gave me resilience to handle upset customers and also empathy. Resilience are great tools for someone who teaches or provides customer service. For example, in the text, there is a whole section on helping the customer save face.


Four Phases and Nine Steps

Customer service is an incredibly important aspect of Blackboard, the online curricular design platform. As noted by Limoncelli, Hogan, and Chalup, ideal customer service consist of a friendly personality, reflection of corporate culture, the correct amount of staff, defining scope of support, specifying how to get help, defining processes for staff, establishing escalation process, defining emergency and having a written policy, supplying request-tracking software, statistical improvements, after hours coverage, advertising, and different helpdesk for different needs (2017). In looking at the services we provide at CEL, most of those boxes are ticked. However, our local office does not have after hours and 24/7 coverage. There is a helpdesk for Blackboard that can be utilized for this. Our written policies can also be improved. We are advertised via email when something goes down on the back end, and after asking, I realized we send out notifications via my superviser when something goes down that effects the end user.

Limoncelli, Hogan, and Chalup noted four phases and nine steps. The four phases include greeting, problem identification, planning and execution, and verification. The greeting phase is straightforward as it consist of welcoming the customer and asking how we can help. Phase two, problem identification, consists of steps two through four; problem classification, problem statement, and problem verification. Examples of these would be what kind of problem, taking down details, and then trying to duplicate the problem. The third phase, planning and execution, consists of steps five through seven of the nine steps; solution proposals, solution selection, and executions. There may be more than one solution, and in this case, this is when the customer service personnel use solution selection. Phase four, verification is made up of steps eight and nine. You revisit trying to duplicate the problem in step eight, craft verification. Step nine is customer verification and closing. This is where the tech would have the customer verify one more time the solution was successful. Step nine is a step I hadn’t used in the past. I assumed if I didn’t hear from them, the solution was successful. However, I see how this is an important step as noted in my observations from using the nine steps.


Data Collection

To answer my research questions, I collected data from these main sources: a participant interview with my fellow staff member (who has worked at the college in this role for six years), observations from my time serving those using the online curriculum platform, other research, and artifacts. In Moroye’s (2013) study on Complementary Curriculum, she studied teachers who used complimentary curriculum of ecology-mindedness. Although she studied complementary ecological curriculum, she noted how this idea might be applied to other beliefs or passions — in this case, customer service in online curriculum. Customer service in online curriculum is truly a passion of mine, and I hope this research can lead to more.

The interview with my fellow staff member was non-structured, but I observed and did ask him some questions. One question I asked him was if he used the nine steps after sending them to him. He did indeed use the nine steps, but he said sometimes he did it in a different order. I observed my coworker helping a student who could not log into Blackboard to take a test. He tried logging in with her username and password and was able to log in (duplicating the problem). Therefore, we knew it was on her end. Eventually, we found out she was using a dash instead of a period in her username.

For the most part, I was able to use the nine steps in my own observations. However, there were a couple times where I forgot the extra verification step at the end. One example was a faculty member needing me to open a test back up for one of their students. This was my first time doing this on my own, and I proudly figured it out. I then emailed them to let them know, forgetting the last verification step. The next day, I received an email from the student informing me the test was not open for them. In reaching out to my co-worker, I found out there was a small box I forgot to check to enable students to take the test after the test date. Therefore, when I forgot that last verification step, in this particular case, it was actually needed (appendix A). Juxtaposed with that is a time I did verify on the same day with a faculty member who needed some items unhidden from her view. Like mentioned in the book, about unclear customer requests, she didn’t know she needed them unhidden, just knew she didn’t see the students test scores. There were actually two versions of this particular test. One was unhidden, but the one they actually took was hidden. When I verified the solution with her, she was able to confirm the solution was found (appendix B).

Research Questions Revisited

As noted earlier in the study, I came up with two research questions to lead the study:

Q1 In what ways do online curricular designers use the nine steps to provide customer service to their customers?

Q2 In what ways could online curricular designers use complimentary curriculum to empathetically provide customer service to their customers?

Question number one can be answered from both my autocrit and my observation of my collegue. In the case of my collegue, the nine steps can be used by online curricular designers to provide customer service, but may not necessarily need to be in the order they are in the book. However, in doing my own observation, I strictly stuck to the order from the book and deemed the customer service I provided successful when I followed it. As noted earlier, when I missed the final step, the student had to wait until the next day to take their test.

Question number two may need further research. The nine steps can be effectively used as a complimentary curriculum, but the empathetic customer service may need to be another question or future research.

Limitations and Future Research

The limitations of this research included not having a control example as I was a new employee in this position. Limitation also included the short amount of time for the study as it was procured during an eight week class. For further research, I would like to look at some ways transformational language and mindfullness could be a complimentary curriculum to online instructional design curriculum customer service.


Eisner, E.W. (1976). Educational connoisseurship and criticism: Their form and functions in educational evaluation. Journal of Aesthetic Education, 10 (3/4), 135-150.

Eisner, E.W. (2017). The enlightened eye: Qualitative inquiry and the enhancement of educational practice. New York, NY: Macmillan Publishing Company.

Flinders, D.J., Noddings, N., & Thornton, S.J. (1986). The null curriculum: Its theoretical basis and practical implications. Curriculum Inquiry, 16(1), 33-42.

Friere, P. (2006). Teachers as cultural workers: Letters to those who dare teach (Expanded ed.). Boulder, CO: Westview Press.

Ippoliti, C. (2014). Are you being served? Designing the customer service curriculum. Public Services Quarterly, 10(3), 177-192.

Limoncelli, T., Hogan, C. J., & Chalup, S. R. (2017). The practice of System and Network Administration: DevOps and other Best Practices for Enterprise it. Addison-Wesley.

Moroye, C. M. (2009). Complementary curriculum: The work of ecologically minded


Journal of Curriculum Studies, 41(6), 789-811.

Shaw, B. (2016). Beth Shaw’s YogaFit. Champaign, IL: Human Kinetics.

Uhrmacher, P. B., Moroye, C. M., & Flinders, D. J. (2016). Using educational criticism and

connoisseurship for qualitative research. Routledge.











Appendix A

(forgetting step nine)

Appendix B

(using step nine)


ClassmateResearchPaper/Cybersecurity Principles and the 2015 Ukraine Power Grid Attack – Hart Andes.docx









Cybersecurity Principle and Ukraine Power Grid Attack

Final Research Paper

Submitted in Partial Fulfillment

of the Requirements for the

Degree of


Masters of Science – Information Systems



Hart Andes

1 May 2022

Dr. Andrew Aken



Department of Business Information Technology

College of Business


Minot State University

Minot, ND




Spring 2022





Table of Contents Introduction 3 Execution of the attack 4 Cybersecurity principles to Prevent Similar Attacks on Power Grids 5 Employee Cybersecurity Awareness 5 Contingency Planning 6 Configure ICS Network Securely 6 Figure 1 – ICS Network Configuration 7 Reduce Remote Access Operations 8 Monitoring of Credentials 8 Monitoring of Network Security 8 Monitoring of Credentials 8 Multi-factor Authentication 9 Firmware Driver Signing and Application Allowance 9 Stuxnet Cyber-attack and 2015 Ukrainian Power Grid Cyber-Attack 10 Conclusion 10 References 12



The present-day developed countries have invested heavily in upgrading the electrical power grid, which has provided them with reliability, proficiency, and distant control. Conversely, modernization and use of innovative power plant technologies from generating to transmittance to supply have let loose an epidemic of largely IP-based modern know-how cluttered with safety liabilities. These computerized and wireless technologies increase boundless chances to maximize the power grid’s risk.

This paper will widely talk about the 2015 Ukraine Power Grid cybersecurity attack and the necessary cybersecurity principles that could have been used to curb and prevent this and similar attacks. The regional distribution power grid corporate was the first hit by this spell that caused power outages. Over 200,000 hosted clients lost power. The attack affected extras sections of the distribution grid, and the attack compelled administrators to shift to physical mode. This research will look at the tactics, procedures, and techniques employed in this attack and its execution to the best of public knowledge. It will also walk through the cybersecurity principles that should be used to prevent similar attacks. Furthermore, the research will explain how the attack was notably different from the Stuxnet, the comparisons, and the conclusions that can be made between the two episodes.

A cybersecurity attack uses different forms of malicious activities that target Information Technology systems or their operators to get access to unauthorized systems and the information they store. The attack on the Ukraine power grid was to deprive Ukraine’s industrial sector of the energy to continue with their day-to-day operations and get access to the unauthorized data of the power grid.

Execution of the attack

The investigation was initiated when several cybersecurity teams from within and outside of Ukraine obtained important information on how the hackers could hold captive the power grid system in Ukraine (shehod, 2016). The attack was well calculated and tactically planned. According to the Cybersecurity teams, the original entry into the system network was through spear-phishing emails and the opening of malicious Microsoft attachments. The most exciting part is that the intruders did not get into the system through the susceptibility in the program that operated the system but via the weakness in the “Microsoft Office.” That was the ultimate entry into the network (Shehod, 2016). There was a communication channel created by using the BlackEnergy 3 malware. This provided command and control of the system. Through the attack, the hackers collected data from the affected devices.

According to what has been alleged, the attackers stayed in the system for six months before they launched a denial of service attack. The Supervisory Control and Data Acquisition system, referred to as SCADA, was manipulated by the hackers and dispatched present computer units and servers. The Supervisory Control and Data Acquisition were fixed with firewall protection that alone could no longer hold the hackers’ assault. Adversaries gained access to user accounts management, windows Domain Controllers (Yang and Ten, 2017). They could collect credentials for a Virtual Private Network (VPN) from then. Therefore, they were able to access the SCADA network remotely. Their access made them initiate a coordinated attack on the power grid. The adversaries’ main intentions wanted to ensure that power was cut off from the customers and make it hard for the administrators to access the system.

The hackers altered the UPS responsible for generating standby power to the central operation room and gained complete control of the system. In the reconnaissance phase, the adversaries understood the distribution management network for the power grid. They programmed harmful firmware to substitute valid software on Serial To Ethernet Module over twelve mini-stations. There is a high possibility that hackers acquired other proper authorizations in the systems and utilized them to install harmful firmware versions into the system (Shehod, 2016). The adversaries intended to remove the inverters to hold administrators from sending instructions remotely to re-close breakers when the service denial occurs. The intruders’ altered necessary plans, so legitimate system users were denied access to the system during recovery. The hackers maintained the theme, making it hard for the managers to regain control of the power grid.

The most devastating attack was one launched against the customer care call centers. The telephony denial services (TDoS) resemble a spell that relays data pool to web servers. The adversaries filled the systems with countless counterfeit calls to deny the valid callers, from raising power outages complaints to the system’s operators (Yang and Ten, 2017). The TDoS raised eyebrows in public, and it became clear that the power grid system was in the hands of the unknown intruders. The incident was strategically plotted to cover all eventualities. The attack on the UPS, converters, and call centers reflected the coordination of the attack. Several cybersecurity experts echoed this opinion in their reports.

Cybersecurity principles to Prevent Similar Attacks on Power Grids

The following are some mitigations and solutions to curb and prevent such attacks from occurring in the future. The mitigation principles are as follows.

Employee Cybersecurity Awareness

From the cybersecurity attacks on the power grid, operators’ cybersecurity awareness was missing from the solutions drawn in the notification. Since spear phishing depends on tapping the human factor, it is significant to train corporate personnel and operators not to be lured into opening emails and attachments lest they are sure and assertive to trust the data in the emails. If the operators had been equipped with this knowledge would have lessened the degree of assault, or the adversaries might have been detected.

Contingency Planning

The Ukraine power grid lacked an emergency plan in place. However, they could make the power grid run because of their ease with manual setup. On the contrary, infrastructure is more reliant on automation, an all-inclusive emergency plan must be created to consent to the secure closure of operations if a cyber-attack happens.

Companies should prepare to tackle a similar situation to prevent “telephony denial of service attacks” that deny communication services to customers, Ukraine power utilities operators, and internal communication (Shehod, 2016). The companies should contact telephony service providers to offer procedural controls, which may reduce the effect of a similar attack. A company should think through suitable logging and voice recordings during a forensic examination. The network diagram flow should appropriately have documented and secured. Companies should contemplate all the gadgets in the system and those connected to the network. It is a cooperative principle to take inventory of devices, ingenious devices, and look into the security features of those gadgets.

Configure ICS Network Securely

Regrettably, several ICS networks connect digital devices to their network, minus seeing the effect the gadgets could cause on the system. Before adding these gadgets to the network, utilities should segregate ICS networks from untrusted networks. The diagram shows the company and command systems networks on distinct systems.

Figure 1 – ICS Network Configuration

Figure1 also shows a demilitarized zone that should be established for the company infrastructure constituents like the email and web server. A separate network needs to be installed for the control system. Unexploited communication channels have to be kept engaged and unutilized services switched off. The aim is to minimize access points that adversaries can employ to disrupt the network (Shehod, 2016). Specific authorizations should be developed for both ICS and corporate networks to not repeat what occurred in the power grid plant in Ukraine. Intruders gained access to certificates from the corporate network to launch an attack on the web.

Reduce Remote Access Operations

Conversely, the ICS corporate and the general public are heading toward modernization, which can easily be converted to comfort. The technology increases system vulnerabilities and remote access, giving intruders leeway into the corporate systems (Sorini and Staroswiecki,2017). The only recommended solution is to reduce remote entry operations. Remote access should be manually operated, and the time for logging into the system should be limited.

Monitoring of Credentials

If the Ukrainian utilities employed the principle of credential monitoring, the intruders in the network might have been discovered. Monitoring of credentials should detect compromised credentials being utilized by unauthorized intruders (Shehod, 2016). The primary task for the Ukrainian attackers was making illegitimate user accounts and giving way privileges to manipulate the system. If certificates were kept tabs on and the network was carefully monitored for unusual activities, the network proprietors would be notified before the attack occurred.

Monitoring of Network Security

The only way to prevent similar attacks in the era of new technology, corporates should contemplate any new connected devices on the network and ascertain the dealer has performed the required infiltration testing to certify precarious susceptibility does not occur. In Ukraine’s case, the absence of network monitoring motivated the intruders to retain the system’s access without being identified. The system operators should consider creating a trusted profile of the system traffic and employing it to identify uncommon operations on the network (Yang and Ten, 2017). If unusual processes and traffic occur on the I.P. address at weird times, consideration should be paid to removing the access. The invasion recognition system should be coded to identify and recognize anomalies in usual operations, and the right person should be notified of the inconsistencies in processes.

Multi-factor Authentication

The absence of a multi-factor authentication mechanism in Ukraine’s power grid systems allowed the intruders to access critical systems easily (Sorini and Staroswiecki,2017). Sound Cybersecurity principles recommend setting up robust multi-factor authentication in the design, particularly on external connections. The tokens implemented should be of different categories. Though it is an incomplete solution, it is difficult for intruders to take over the system because they require generating two authorization forms.

Firmware Driver Signing and Application Allowance

One of the strong cybersecurity principles is to implement firmware driver signing. It gives a significant layer of shield counter to malicious drives and erases the existing data from the firmware. If the Ukrainian systems could request signed drivers, it would prevent negative drivers from being installed in the system. Furthermore, application safe listing can identify and avoid running of malware such as the “ BlackEnergy 3″ employed in the power grid attack. The method can be utilized on catalog servers and HMI PCs (Sorini and Staroswiecki,2017). If the AWL system had been implemented in the power grid, the spear phishing email would have been dissuaded because the system would have raised notifications if the malware had been identified.


Stuxnet Cyber-attack and 2015 Ukrainian Power Grid Cyber-Attack

The attack on the grid significantly differed from the Stuxnet cyber-attack. The differences are reflected in the way they were executed. Stuxnet was a multi-part malware carried into USB drives and spread on Microsoft Windows platforms. The virus was explored for siemens step 7 software signs in the infected computer. The software is one industrial PLC serving as PLC computers used for systematizing and observing electro-mechanical equipment ( Halloway, 2015). If the virus finds a PLC computer, the worm attack upgrades its program over the internet and commences directing damage prompting programs to the computer-controlled electro-mechanical apparatus. The nature of the cyberattack is different from the Ukrainian, in which the intruders got into the system through spear phishing.

However, the mode of attack completely differs from each other. Still, the intention of the attack is the same: to deny the operator access to the system and gain access to unauthorized information. The two episodes are similar in how they send commands to the system to control it (Clayton, 2010). The operators of the two methods did not know what was happening until the system started failing. The operators had been denied the right to automatically shut down the two plants until they were manually shut down.


To safeguard power plants from cybersecurity attacks, the corporates of the utilities should minimize matters of employing legacy communication practices that do not affirm authentication. The corporates should set cybersecurity regulations and principles that should be imposed, examined, and incessantly modernized to sustain the development of attacks. The power utilities need to ensure they keep their operators of the plant aware of cybersecurity attacks, limit remote access of the plant systems, implement multi-factor authentication, Serial-to-Ethernet communication devices, and eventually, to reduce TDoS attacks needs coordination between the power plant corporates with communication, electricity and financial sectors. Also, before adding intelligent devices to the corporate networks, utilities should segregate ICS networks from untrusted networks. Corporates should contemplate any new connected devices on the web and ascertain that the vendor has performed the required penetration testing to certify that precarious susceptibility does not occur.

The above cybersecurity principles, mitigation, and solution can prevent this attack and similar ones if they are put in place. And the regulations should be kept updated to sustain the maturity of attacks. With the advancement of technology, different tricks and approaches are developing to launch attacks on the power plants. Therefore, the operators should be vigilant and updated on technological advances.











Clayton, M. (2010).The Christian Science Monitor. (2010, September 21). Stuxnet malware is a ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant? Retrieved from

Halloway, M. (2015).Stuxnet worm attack on Iranian nuclear facilities. (2015). Retrieved from

Shehod, A. (2016). Ukraine power grid cyberattack and U.S. susceptibility: Cybersecurity implications of intelligent grid advancements in the U.S. Cybersecurity Interdisciplinary Systems Laboratory, MIT22, 2016-22.

Sorini, A., & Staroswiecki, E. (2017). Cybersecurity for the smart grid. The Power Grid, 233-252. doi:10.1016/b978-0-12-805321-8.00008-2

Yang, Z., & Ten, C. (2017). undefined. 2017 IEEE Power & Energy Society Innovative Smart Grid Technologies Conference (ISGT). doi:10.1109/isgt.2017.8085978




The Evolution of the Data Center







A Thesis

Submitted in Partial Fulfillment of

the Requirements of the Master’s Degree in

Information Systems








Eliki Q. Damuni







College of Business

Information Systems Department

BIT575: Business Network Systems Management

Dr. Andrew Aken









Graduate School

Minot State University

Minot, North Dakota






Spring, 2022

In this final term paper, I discuss the evolution of the Computer Data Center, from the early days with the first computer to what it is now and then discuss the future of Data Centers, pulling in the consensus of experts in the field.


To understand the importance and the necessity of data centers to businesses and institutions alike, we first need to understand the nature of computers, specifically their physical characteristics as well as the need to have them securely contained. By their physical attributes, large computer servers are heat generating sources, and having a large number of these servers clustered together, coupled with network peripherals and hard drives all occupying the same space, results in a very warm untenable environment. High temperature environments negatively impact servers and other I.T. equipment, and devices have a tendency to shut down when over-heated to protect internal components. Confidential and private company data are also contained within the data center so anyone with a key can walk in and ‘steal’ company information so keeping the data housed in a secure location was imperative.


Data centers date back to the mid 1940s when the first computer was developed. The ENIAC, short for Electronic Numerical Integrator and Computer, was introduced by the United States Department of Defense and was designed to compute firing tables for artilleries for the Ballistic Research Laboratory. ENIAC was later commissioned to perform a feasibility study of thermonuclear weapons.


(4) Figure 3. Remnants of the ENIAC.



The ENIAC weighed almost thirty tons and occupied 2,000 square feet of office space. It required a half dozen full-time employees to keep it running at optimal efficiency. This first computer utilized 200 kilowatts of energy running 20,000 vacuum tubes and 1500 relays and it generated enough heat to keep it isolated to a special room with its own military grade air conditioner. To compare, a typical family consumes 800 kW of electricity in a month. This “special room” would later transform to what we know today as the data center. The hardware equipment required to operator the ENIAC consisted of racks for individual components, cabling trays, coolers and physical security access (or restrictions). The image below is of that first data center housing the ENIAC:


(4) ENIAC at the Ballistic Research Laboratory ca. 1947-1955


On a side note, we have come leaps-and-bounds from the ENIAC-era that the modern-day mobile device you carry with you is almost 15 times more powerful than the ENIAC but costs 17,000 times less, uses 0.00025% less power and best of all, fits comfortably in the palm of your hand and is mobile!


Through the next couple of decades, computers were still large behemoths and were only built, stored and utilized by the United States government, which is not the least surprising considering the exorbitant cost it took to build these computers, as well as the technology that only the government possessed. Eventually, vacuum tubes in computers were replaced by smaller transistors and this paved the way for engineers to start shrinking their computer designs. The use of transistors also meant that computers using them were more reliable and efficient than the previous generation. Computers like the UNIVAC, built in 1951, could now fit in a garage-sized data center (compared to the 2,000 square feet of space that the first ENIAC occupied).



In a few short years, the footprint of mainframe computers decreased significantly when IBM, in conjunction with American Airlines, designed, built and eventually housed two IBM 7090 mainframe computers at the airlines new data center in the heart of New York city. These mainframes were the size of a car, instead of a whole garage. Data centers were shrinking in size with the introduction of this airline reservation system and this became the catalyst for other manufacturers to start building smaller and faster computers.


In 1971, Intel came out with the first microprocessor and this allowed computers to become even smaller than the previous generations, as well as causing a significant drop in the price of computers. Here too is when air-cooled computers started to make its way into the business realm, enticing companies to buy a piece of the pie so to speak. Businesses could not only afford to purchase advanced computers but allocate space for them as well, and they didn’t require as much cooling as the previous range of computers.


Ten years later, there was another big leap in the technology and data center sector as IBM released the first personal computer to the world; the 5150. With this advancement, the game was rapidly changing and the 5105 meant that the size of data centers could shrink even more. This PC changed the data center landscape, gone were the days that required computers to cost upwards of $9 million and needing air-conditioned, quarter-acre of data center space with 60 people to have it running and keeping it loaded with instructions. (5)




The dot-com bubble of the 1990s, when U.S. technology stocks capitulated due to massive investments in internet-based companies and business stretched data centers to the breaking point. The huge demand for super-fast computers as well as faster internet placed by these businesses which seemingly flourished overnight had put a strangle-hold on data center facilities as did cooling technologies that was needed. While it was still possible to pack more servers into a space, cooling this pack data center would be inefficient, and server reliability would eventually be compromised.


Data centers are energy-sapping facilities, and it’s common for “a cooling system to use as much as, if not more, of the computers it is intended to cool”. (1). The following graph of heat-load per production depicts the challenges in the mid 2000’s brought about by the dot-com bubble (1):


Figure 1. ASHRAE New Datacom Equipment Power Chart, published February 1, 2005


Cooling data centers was becoming such a huge issue in the mid-1990’s that the U.S. Congress stepped in and quickly ordered the Environmental Protection Agency (EPA) to study and rectify this impending problem of vast energy consumption. Laws were eventually enacted to force manufacturers to produce more efficient computer servers and cooling appliances. Below is the exploding graph of 2006 depicting annual energy usage as well as future predictions (2);


Figure 2. Chart ES-1 from EPA report dated (August 2, 2007)



While “not technically an office that houses people” (3), data centers are facilities which businesses utilize to store (as well as manage and disseminate) their computer operations and network equipment’s. Network and business-critical systems are contained all within the data center as it is secured as well as temperate controlled. Because of the importance of data to any organization, it is imperative that this information is kept secure while at the same time easily accessible to those ‘in-the-know’ so they can make decisions which positively influences their growth.


Data Centers fall into one of the following four categories;

· Enterprise

· Multi-tenant data center and colocation facilities

· Hyperscale and Cloud

· Carrier and Service Providers


Cloud data centers came to prominence in the mid-200’s and a study showed that about 3 in 4 companies at the time utilized some or all of the cloud to house their computing, network and storage needs.


As for the future of data centers, the consensus is on software-led infrastructure or SLI. Similar to a virtual data center, SLI uses software to deploy, configure and provision data centers and will be a heave-sent for System Administrators. In this scenario, the physical server farms comprising the company’s technology can be anywhere in the world, all the SA has to do is pull up a management console and start allocating and managing the servers. The best part about this is that the environment can also be controlled by SLI, including increasing or decreasing cooling to the racks where servers are located.


(1) Heslin, K. (2015, July 30). A look at Data Center Cooling Technologies. Uptime Institute Blog. Retrieved May 2, 2022, from

(2) Kant, K. (2009). Data Center Evolution. Computer Networks53(17), 2939–2965.

(3) Limoncelli, T. A., Hogan, C., & Chalup, S. R. (2017). The practice of system and Network Administration: Volume 1. Addison-Wesley.

(4) Shaffer, Paul W. 2005. University of Pennsylvania

(5) The IBM PC’s debut. IBM Archives: The IBM Personal Computer. (n.d.). Retrieved May 2, 2022, from








Final Paper Topic Proposal: The evolution of the Data Center.



I am proposing this topic because I find it fascinating that the shift from large-mainframe computers of yester-years to cloud based architecture have caused a remarkable pivot in hardware storage strategies of almost all of today’s businesses. What once was sizable computers like IBM AS/400’s and DEC Alphas and VAX that required temperature-controlled warehouses to cloud-based hosting business to SaaS which fit in an office space and even to individuals who today can mine cryptocurrency in the own garages with much more powerful machines naturally possess the question of “what is the future of data centers?”


Let me know if this is an acceptable research topic which has a specific and defined goal to address.


Thank you, Professor




Professor Aken’s comment: Topic is sufficiently narrow in scope. Topic is on an appropriate subject.



Dominick Parkhurst


BIT 575

Research Topic

How to build a better systems administration team.

As a system administrator, it is your job to be an information technology, IT, and professional. Servers, networks, and other computer systems are installed, maintained, configured, and repaired by system administrators, SA.’ They experiment with both hardware and software, learning a little programming and scripting to conduct jobs and activities throughout their apps and infrastructure (Splunk, 2021). More people with a hybrid Sysadmin/Developer competence have emerged because of the advent of DevOps and cloud computing. The rise of the digital age has given light to System Administrators and the value they bring to a company. The notion of IT professionals sitting in a dark room, being unsociable, and spending all day on their computers is just untrue. IT professionals and SA attend meetings, give status update presentations, and have their teams to run. You can be one of the sharpest people in your area and have a lot of IT expertise, but no one can do it alone. It is your responsibility as a SA to be knowledgeable about a wide range of issues; you cannot be an expert in everything. The greatest way to form a well-rounded group is to form a team. Forming a team is not as easy as picking people to be on your team like you are on the playground picking teams. Planning, collaboration, chemistry, trust, respect, cooperation, and diversity must all be considered.

When considering applicants for joining your team you must know what you are looking for. Setting out what it is you want in an applicant and how they can help you create the right culture creates hiring easier. There are several key attributes one looks for within an applicant, Long-Term Prospects, Capacity to Produce Outcome, Enthusiasm, a fervent desire to succeed, Putting Knowledge into Practice, adapting to the Workplace, Collaborator, Aspiration, Giving Others Credit, and Adaptability (Qualities to look for when hiring an employee: Scranton Online 2022). Hiring the proper individuals who value working toward a shared purpose, are purposeful, and appreciate the hierarchical structure that most organizations demand is the first step toward building a successful team. Recruiters should search for commitment and longevity attributes in a potential employee’s résumé – such as a desire to study, grow professionally and succeed eventually. Given the investment in training new workers, turnover may be costly, and firms do not want to recruit someone who does not have the potential to be long-term employment. Operations management, enterprise resource planning, and healthcare management are all skills that good applicants have (Haber, 2008). People that are talkative and sociable will be beneficial to a company since they are more likely to remain longer than those who work for a wage. To further demonstrate their skill set, some recruiting managers may ask potential recruits to execute a job or work on a project. Candidates who maintain their cool while demonstrating their problem-solving abilities are more likely to perform well under pressure.

An employer is looking for someone who is initiative-taking, enthusiastic about being a part of the company’s efforts, and prepared to go beyond to achieve success. When conducting a job interview, it is critical to assess a candidate’s “fit” in two ways. First, assess their suitability for the job based on their knowledge, skillset, and general ability to perform the needed responsibilities. Second, assess their overall fit with the firm by imagining how they might fit into the corporate culture (Haber, 2008). Employees who feel successful in their jobs and have a sense of belonging at their workplace are more likely to remain longer. Even though most of a job’s activities can be accomplished alone, there will be moments when employees must collaborate. Recruiters and hiring managers frequently inquire about a candidate’s ability to work well with others. Applicants may be brought in for a group interview by some employers. Businesses want to recruit individuals that are motivated and will go beyond what is expected of them. Ambitious individuals strive to do their best in their jobs and are constantly thinking of ways to improve and be more efficient, making it an excellent attribute for an online HR graduate to possess. When the opportunity arises, an employee with these characteristics is more likely to be selected for more demanding roles. Managers should search for workers that are self-assured and confident in their job while also acknowledging the contributions of the entire team (Haber, 2008). Appreciating other employees boosts group and individual morale, which helps to create and maintain a trusting atmosphere. During the interview, hiring supervisors will search for honesty and integrity. Being attentive to the hiring managers demonstrates respect and civility. Candidates who attentively react to questions, greet people properly, and say, “thank you” and “you’re welcome” will stand out from those who lack social interaction skills (Why managers should do team-building exercises 2019). In every facet of a firm, treating people with respect will deliver superior business results. Having the tools to make an informative decision on who to hire you can now move on and investigate being a leader for your newly created group.

Everyone has a different perception when it comes to being a leader. past experiences and cultural background there may be different/conflicting ideologies of what a leader must do. most people expect leaders to be dynamic consensus and hold a superior intellectual social and have motivational skills (Forsyth & Nye, 2008). Excluding the biases that some people have about having a woman or a person of color oversee them, a person who is a good leader is easy to spot. Kissinger, a known doubter of the newly elected president Nixon, comments on his thoughts after having a sit-down meeting with President Nixon, “I was struck by his perceptiveness and knowledge so at variance with my previous image” (Forsyth & Nye, 2008). Never judge someone before you get to meet them. It is a two-way street, do not judge your employees based on anything except their character and knowledge they have. Strong leaders are confident, strong-willed, knowledgeable, resolute, and consistent. Make others feel comfortable speaking out. When leaders enter a room, their status and influence can terrify their subordinates.

Leaders that are successful redirect focus away from themselves and urge others to speak up. They are experts at making people feel comfortable speaking out and boldly sharing their ideas and thoughts. They employ their executive presence to create a welcoming atmosphere. Expert decision-makers are the hallmarks of successful leaders. They either guide the conversation so that their colleagues may reach a strategic decision on their own, or they do it themselves. They are always focused on “making things happen” — decision-making actions that ensure development (Llopis, 2022). Successful leaders have mastered the art of politicking and, as a result, do not spend their time on it. Successful leaders are excellent communicators, which is especially important when discussing “performance expectations.” They do so by reminding their coworkers of the organization’s basic principles and mission statement, ensuring that their vision is correctly translated, and concrete goals are appropriately conducted. This methodology creates enhanced performance and helps identify people on the team who could not keep up with the standards she expected of us by clearly stating expectations. Inspire others to think. The most effective leaders are aware of their subordinates’ perspectives, talents, and motivations. Successful leaders delegate authority to their subordinates (Llopis, 2022). This does not imply that they are enabling others to dominate them, but that they are taking responsibility for ensuring that they are anticipating the requirements of their coworkers. Being accountable to others, in addition to mentoring and sponsoring chosen workers, shows that your boss is more concerned with your success than with their own. Although leading by example appears to be simple, few leaders follow through. Successful leaders are aware of their actions and preach what they teach (Llopis, 2022). They are extremely perceptive at spotting people who are watching their every move, waiting to find a performance deficiency, since they are aware that everyone is watching them.

Successful leaders are aware of their talent pool and how to make the most of it. They are professionals at bringing out the best in their coworkers and determining when to use their own distinct skill sets depending on the situation. Successful leaders are always asking questions and seeking advice (Llopis, 2022). They are know-it-alls on the surface, but on the inside, they have a great hunger for knowledge and are continuously on the lookout for the latest information as part of their dedication to improving themselves via the wisdom of others. Successful leaders foster a good and motivating work environment. They understand how to set the tone and adopt an attitude that encourages their coworkers to behave. As a result, they are likable, respected, and determined (Llopis, 2022). They do not let setbacks derail their progress. Many employees will tell you that their bosses have lost their ability to instruct. Because they are so initiative-taking to learn, successful leaders never stop teaching. They utilize statistics, trends, and other newsworthy events to keep their colleagues well-informed and aware. Successful leaders devote time and resources to mentoring and sponsoring colleagues who have demonstrated their ability and desire to grow. Instead, then focusing on maintaining their domain, successful leaders engage in mutually beneficial connections to grow it. Successful leaders spend time together with “lifters and other leaders” — individuals who can help them expand their sphere of influence. Not just for their benefit, but also the benefit of others. Leaders share the fruits of their labor to assist people around them gain momentum. Successful leaders like being in positions of authority, not for the sake of power, but for the significant and purposeful impact they can have. When you reach an elevated level of leadership, it is all about your capacity to assist people, which you cannot do unless you like what you are doing. You have found the right candidates and have the skills to be a great leader, however, things happen, and people can change.

Preforming when this is going your way is where you truly show the type of manager you are. Making emotional comments, over-generalizations, and using profanity are never welcome in a professional environment. One of the biggest obstacles for technical people is the inability to self-edit. Not every thought that enters our heads needs to translate into words, texts, or social media posts. Practice saying difficult things in an inoffensive and in an unemotional way (Khess, 2019). Firing someone is never easy and but a requirement in the workplace. “Firing is a necessary evil,” says Jodi Glickman, author, and founder of the communication consulting firm Great on the Job. “As the manager, you have to bear in mind what’s right for the company.” (Knight, 2016). Firing should be the last stage in a fair and open process that started well before the termination conversation. Managers seldom regret terminating employees too early, but they have regretted waiting too long (Knight, 2016). To begin, make sure that an HR representative is available to attend the meeting since it is both legally and more pleasant to have someone else there. HR is your ally in filling in the blanks in today’s litigious world. The words you use to terminate an employee should be simple and to the point. Go somewhere private and then lead with the punch line. If the employee tries to argue or lashes out at you, try not to get caught up in responding (Knight, 2016). Schedule a termination at the end of a workday. Be short and to the point. Do not reveal details as per your decision to your group members. The reasons are confidential and stay between HR, you, and the person who was fired. Your team is now down one member of the team. Picking up some of the slack yourself is an option or conversing with your team to receive detail about moving forward. Human Resources, HR, is your friend and is there to help, especially in this situation.

Talented individuals want to be involved in meaningful work, and if they do not have a connection or love for what they do, their dedication to the organization may diminish. Through the development of organizational competence, HR must be able to support and enable the implementation of the strategy. This is a job that cannot be mechanized, outsourced, or shared as a service. It stems from a thorough understanding of a company’s strategy as well as its current capabilities. HR has a significant edge in this area since every strategy is conducted by people who need to be supported, taught, and equipped to achieve the strategic goal (Hults, 2014). HR includes management choices on policies and procedures that influence the employee relationship and are geared toward accomplishing certain objectives (Boselie, 2021). Human resources may check in with top talent frequently to see what they enjoy and do not like about their jobs. Supervisors can use this knowledge to include more of their passion projects into their roles. (Qualities to look for when hiring an employee: Scranton Online 2022)

Servers, networks, and other computer systems are managed and maintained by System Administrators (SA). They play around with hardware and software, learning a little programming and scripting to run jobs and activities across their applications and infrastructure. IT professionals and SAs participate in meetings, deliver status updates, and manage their teams. As a SA, it is your obligation to be well-versed in a variety of topics; you cannot be an expert in everything. Knowing what you are looking for in each group member helps with the hiring process. When you have a group, it is your responsibility to be the leader you need to be. Encouraging, collaborating, and communicating are key factors a strong leader needs to master. No matter how perfect of a team there is, there are always changes within an organization and people. Firing someone is a requirement you must be informed about. Using HR is your friend and helps obstacles that do not come to mind.















Boselie, P. (2021, November). A human resource management review on public management and public administration research: Stop right there…before we go any further… Retrieved April 29, 2022, from,and%20measured%20in%20multiple%20ways.

Forsyth, D. R., & Nye, J. L. (2008). Seeing and being a leader: The perceptual, cognitive, and interpersonal roots of conferred influence. Leadership at the crossroads: Leadership and psychology, 1, 116-131.

Haber, E. M. (2008, November). System administrator teamwork: evidence from the SAGE salary survey. In Proceedings of the 2nd ACM Symposium on Computer-Human Interaction for Management of Information Technology (pp. 1-2). (Haber, 2008)

Hults. (2014, July 23). Why HR really does add value. Retrieved April 29, 2022, from

Khess. (2019, October 22). The sysadmin workplace: 10 lessons on how to deal with your boss. Retrieved April 29, 2022, from

Knight, R. (2016, June 14). The right way to fire someone. Retrieved April 29, 2022, from

Llopis, G. (2022, April 14). The most successful leaders do 15 things automatically, every day. Retrieved April 29, 2022, from

N/a. (2019, August 28). Why managers should do team building exercises. Retrieved April 29, 2022, from

N/a. (2022, February 14). Qualities to look for when hiring an employee: Scranton Online. Retrieved April 29, 2022, from

Splunk. (2021, October 29). The Definitive Guide for being a system administrator. Retrieved April 29, 2022, from









The Initial topic proposal was, “How to build a better systems administration team. Building a better, more efficient team relies on the people within the team, team leader, and team culture. From the perspective of the team leader, several things need to be done that do not require any tech knowledge such as being likable and holding people accountable. From the tech side monitoring systems, having a disaster recovery plan, and logging and backing up your files. I will be discussing both sides of building a better administration team (physical and social). Giving examples and helpful insight to creating and maintaining the team.”

The feedback I received was. This comment from Linda Conn “Were you the one who played baseball. I wonder if there are any correlations between building a good administration team and a baseball team.” This comment from Andrew Aken. “If you pick a specific insight (e.g., only hire those that have an odd number of toes – something more than being “likable”) and cover that with supporting evidence on how to build a better team, then this might work. However, you are trying to do way too much in how you described the topic. And what does hiring likable people have to do with DR?”



ClassmateResearchPaper/Malissa A BIT475- final document.docx








The Role of the System Administrator


Malissa Abdoul Samad Hamidou

Minot State University












Over the past few years, more and more companies are starting to become more tech-savvy and are starting to use virtual tools to help store ever-growing data and information (e.g., databases), but with this new technological era, this can negatively lead companies to the ignorance or incompetence of not understanding the cyber world, and the danger of data being stolen or taken. To combat the dangers cited, a system administrator is required. According to Simplilearn, A system administrator is responsible for maintaining the entire IT infrastructure of an organization. Their work ranges from maintaining servers to updating software and everything else in between. The objective of the research is to depict the role of the system administrator in an enterprise and to characterize the significant responsibilities of a system administrators. With the world and particularly organizations becoming technical and integrating to the digital domain, it is enthusiastically recommended to have an accomplished system administrator to protect your computer and security system.

PagerDuty tested that with the evolution of DevOps, the traditional Sysadmin has become more of a hybrid role, often wearing multiple hats, and helping with a variety of tasks and actions that may require some development and programming. The Sysadmin must have a solid knowledge of both the hardware and software to effectively configure a resilient and secure architecture to protect the company and ensure a seamless customer experience. System administrators are fundamental roles within each organization’s IT department, frequently covering a wide scope of technology support. Common sysadmin undertakings might go from implementing and managing network security to installing and testing hardware. System administrators for the most part work with computer systems and networking technologies, such as operating systems, databases, and server application software. The most well-known operating systems for sysadmins are Windows Server and Linux.

System administrators are quite often responsible for the upkeep of their organization’s IT infrastructure. Accordingly, they need a wide scoop of abilities to help them in their role; these incorporate hardware skills, software skills, and general business skills, they must be profoundly coordinated people who work well under pressure.

Generally, sysadmins work in a team environment, frequently with networking and computer programmers. Computer programmers write the software programs utilized by the sysadmin to assist that person with their job. Networking experts handle the cabling of systems and the installation and maintenance of network equipment, while other IT experts may have some expertise in specific areas such as voice over IP.

Sysadmins are supposed to keep their knowledge up to date by attending training seminars and reading industry publications. Sysadmins may likewise become certified in one or more areas of expertise (such as Microsoft certification) through external vendors; however, certification is not always required for employment as a system administrator.

The duties of a system administrator are wide-ranging and vary widely from one organization to another. Sysadmins are normally charged with supporting, installing, and maintaining servers or other computer systems, and planning for and responding to service outages and other problems. Other duties may include scripting or light programming, project management for systems-related projects. All System admins have some significant responsibilities to comprehend and go by.

User Administration: Maintaining user logins and communication

As expressed previously, the main reason why breaches may happen within several organizations is because people in these organizations mishandle and abuse data, hardware, and software. Among the examples to describe the mishandling of data was both leaving login details out in view and the accidental posting of data on the web. A system administrator’s major role is to guarantee the solid and viable utilization of complex information technology systems by end users, whether internal staff or external clients. The activities span from identity and access management to offering individualized technical support to individual users.

To prevent both events from happening, system administrators are responsible for maintaining the communication of users on a network and to deal a user’s personal login. Whether working on a server or a database, a System Admin has complete oversight of monitoring the communication of users on the network. The sort of controls that a System Admin might have while managing network communication may incorporate the requirement of utilizing a company provided email and login, the limitation of outside communication, and the possible limitation of social media. The reason that System Admins keep a nearby tab on the communication in an organization’s network is to forestall potential adventures or the spillage of grouped data and information. Sysadmins are responsible for guaranteeing that IT systems are always open and accessible. As a result, sysadmins are responsible for troubleshooting and resolving issues that affect system performance or admittance to an IT service. Additionally, this job involves progressing system improvements, such as upgrades in response to increasing end-user and business requirements.

When working on a server or other organizational approved applications, users are required to create and use login credentials to access that material. However, some cyberattacks do occur that result in login credentials being stolen, altered, or deleted. To avoid the threat of a possible attack, system administrators should regularly check and update or replace old login credentials with the latest ones. To further secure a user’s login information, administrators must be able to set rules and policies that will prevent a user from accidentally or deliberately disclosing their login information.

Monitoring the system’s performance

Most of IT issues go unreported until they affect end users. thus, system administrators monitor system health and search for uncommon network behavior, which may include security-sensitive behaviors, for example, illicit network access and data transmission.

To satisfy these objectives, advanced technology solutions may be sent, thus helping the larger IT Security and Operations offices. According to the datacenter, the reactive (troubleshooting) without better visibility into the health and performance of its systems and a tool that can provide early warnings. By establishing monitoring as a core IT function (a.k.a. monitoring as a discipline), businesses can benefit from a more proactive, early-action IT management style, while also streamlining infrastructure performance, cost, and security.

Maintaining systems and Networks

The essence of being a system administrator is to regularly check and update the system and network in use. To maintain the system and network, the system administrator must be able to monitor the performance of both productively and appropriately by regularly updating the operating system and other applications, installing required software, and monitoring and modifying databases. When a pop-up window on a device says to update the device, it is common knowledge to update said device; however, if one does not update or upgrade a device, the individual is at increased risk of being attacked and hacked online. As a system administrator, it is the individual’s duty and responsibility to access the system or network to regularly check whether applications and security systems are up to date or if there is an update for the current operating system; if there is an update, it is necessary for Sysadmins to immediately update programs, security, or the operating system.

Apart from updating regularly, it is also the duty of the system administrator to install programs that will benefit both the system and the network. The administrator must know if the programs will not only benefit the system but must know if the programs are up to date, not malicious or harmful, and must be able to prevent other network users from downloading external programs.

Due to the constant growth of data and the introduction of virtual tools, more and more organizations have now started using a tool called database to start storing large amounts of data that the organization has collected. However, a problem arises when these databases are attacked by hackers or malware that steals the data from these databases. According to, at least 16 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches since 2019. The first quarter of 2020 has been one of the worst in data breach history, with over 8 billion records exposed.

Web service administration and configuration management

Sysadmins execute routine web service administration and configuration management tasks, which incorporate documenting configuration changes and complying to business regulations regarding access and cybersecurity. According to upguard, having accurate records of the state of your systems is essential and baselining an attribute can ensure formal configuration change control processes are effective. Which is why version control is critical for al IT infrastructure. Automation and configuration management technologies can be used to apply configuration changes.

Implementing and creating Policies

Policies are put in place for users of a system and network to follow and ensure that the system and network are protected. If the system and network fail due to a disaster, the system administrator should have a disaster recovery plan in place; disaster recovery plan is a policy put in place by organizations to describe what should be done when a disaster occurs. According to Menon (2016), One of the most important requirements in the disaster recovery and emergency response situations is to establish reliable and continuous communication between the officers, medical team, and other rescue workers. As for the system administrator and a possible threat to the network, the administrator should immediately contact other users to immediately disconnect from the network; once this has been established, the administrator must then recover or secure all data that has not been lost or stolen. Having policies in place can help guide what needs to be done.

Now that more organizations have started or established the integration of the cyber-world to day-to-day routine and work, it has become more productive for organizations to direct work however has become more susceptible for organizations to be attacked and hacked into. One can say that just having a security system or program set up can assist with keeping these attacks from happening. however, that is not the case since programs may not detect problems within a system until it is late. Therefore, System Admins are significant because the people in this role are experts when it comes to knowing the internal workings of a system and network. The role of the System Administrator is even critical to organizations as Sysadmins can keep up to maintain communications and login information of individuals inside an organization, can keep up with system and network operation and can carry out to implement policy which can protect system and network. In the time of increasing technology and the rise of the Internet, it is better for individuals to continue to keep speed and better protect every individual system.






















Work Cited

Systems Administrator: Job Description, Skills Required, and Salary Trends in 2021.

(2022, April 13). Simplilearn.

All Data Breaches in 2019 – 2021 – An Alarming Timeline. (2021, April 7). Selfkey.

Menon.V, et al. (2016, February 11). Ensuring Reliable Communication in Disaster Recovery Operations with Reliable Routing Technique. Hindawi.

What Is Configuration Management and Why Is It Important? (2022, January 11). UpGard.

What is a System Administrator? (n.d). PagerDuty.











System Administration Within the DoD

Calli Rembowski

Minot State University

BIT 575

Dr. Andrew Aken

May 1, 2021














System Administration Within the DoD

The purpose of this paper is to explore system administration roles within the Department of Defense (DoD). More specifically, the U.S. Air Force specialty code 1D7X1B, corresponding U.S. Navy code 746A, and Army military occupational specialty 25B, as well as the DoD contracted civilian system administrator position. Their requirements, training, general job tasks and more will be examined, compared, and contrasted.

According to the Bureau of Labor Statistics Occupational Outlook Handbook, a bachelor’s degree in Information Technology or Management Information Systems is required for a system administrator position (Department of Labor, 2021). The average pay is $84,000/year or $40.00/hour (Department of Labor, 2021). The typical work environment is indoors, in a climate-controlled server room, or office type setting.

The duties and responsibilities of computer systems administrators will vary based on the site and equipment being used. According to the Occupational Outlook Handbook, they generally include researching and purchasing computer systems, server equipment, and replacement parts based on business needs (Department of Labor, 2021). It may also include conducting hardware and software installations, debugging and patching, troubleshooting issues, as well as performing regular maintenance and backups of both physical and virtual machines (Department of Labor, 2021). Additional duties are generally managing user accounts, access control lists and other security permissions, maintaining firewalls, and cataloging and updating company-owned laptops. Since the demand for and use of information technology is continuously increasing in a variety of businesses, it is not difficult to find system administrator positions throughout the country. In fact, the job search website Zip Recruiter lists over 235, 849 systems administrator jobs in the United States (Zip Recruiter, 2022). In North Dakota, there are over 181 listings (Zip Recruiter, 2022).

DoD Civilian System Administrator

The role of a contracted DoD system administrator is quite unique. The background and training of employees is often varied. Most employees come from related military careers, and not everyone that is hired has a college degree. In fact, many employees are hired based on their previous experience or current industry certifications and obtain a college degree in their spare time, after they are hired. All one really needs to succeed in this position is familiarity with the computer systems at the site, and willingness and ability to learn since most of the training is done on the job. DoD civilian systems administrators are generally hired in contracted positions to support military operations. With a contracted position, the employee is only hired for a short-term, based on the needs of the company to support a government contract. A government contract typically uses fiscal years and can be any length from one year to five years. If the company’s contract with the government is renewed, then the employee will retain their position. If the contract is not renewed, then the job is over. Due to the volatile nature of the employment, it is wise for employees to have a backup plan and resume ready to go in case their position ends suddenly. These positions are often compensated well due to the somewhat volatile nature of employment. Individuals are paid based on their position level and education or experience when hired. Salaries can range from $75,000 to $150,000, depending on the qualifications of the individual and the amount that is allocated in the contract.

Job tasks for this career field are similar most other system administrator positions, but vary and is based on the program, equipment, and site being supported. For example, if supporting drone operations at Grand Forks Air Force Base in North Dakota, one will be working with older SGI Tezro machines that run Irix operating systems, Red Hat Linux virtual machines, HP desktop computers with Windows software, KG-250 devices, Cisco routers, ATM switches, and HVAC equipment used to control the temperature of the mission control boxes housing the computer equipment. Tasks include monthly password changes for the system, setting up the machines for the aircrew to use, installing new software baselines and assisting Air Force airmen with hardware installations. At several locations, the equipment is located outdoors. System administrators must work to keep the computers from overheating and remain vigilant against humidity issues. Additionally, since drone operations happen 24/7, system administrators work in shifts and often during the holidays.

If supporting a communications Squadron at San Antonio Air Force Base in Texas, one may be primarily working with server equipment and virtual machines. Tasks for this position would include maintaining server hardware, assisting airmen with creating user accounts, and solving helpdesk tickets for non-classified internet protocol (NIPRNet) users. This position does not require shift work or for one to work over the holidays.

One of the most important requirements for this position is a certification to satisfy the DoD Directive 8140, which can be obtained within a few months after being hired. The DoD Directive 8140 replaced the original DoD 8570 directive in 2015. It was created as a way for the Department of Defense “to identify, tag, track and manage the information assurance, or cybersecurity workforce” (Lane, 2020). For DoD organizations to remain compliant, employees must possess specific IT certifications related to their career field, which are used as a way to validate their skills for their job (Lane, 2020). The directive further outlines which professional certifications will satisfy the requirement based on one’s job category. For example, for careers in the Information Assurance Technical category, one can obtain CompTIA’s A+, Security+, Network+, CySA+ or CASP+ (Lane, 2020). For the Information Assurance Management field, on can obtain the CompTIA Security+, Cloud+ or CASP+. Once the certification is obtained, it should be reported to an Information Assurance office to prove compliance. It is the employee’s responsibility to maintain the certification throughout their career.

Additionally, since this position often works closely with the miliary on classified systems, the ability to maintain a security clearance is an important requirement. Most positions require only a Secret level, but a select few require a Top Secret, Secret Compartmented Information (TS-SCI) level. The individual must go through a rigorous background check every 5-10 years and disclose all personal information about themselves, as well as contact information of those close to them for character interviews about the employee. The cost of the investigations and paperwork necessary to acquire and maintain the clearance is covered by the employer.

U.S. Armed Forces System Administrator

To become a systems administrator in the U.S. Armed Forces, there are several steps one must do to qualify. The first step is to take the Armed Services Vocational Aptitude Battery (ASVAB) exam. The ASVAB is an exam designed to test an individual’s knowledge in different areas. It uses numerical scoring to determine which jobs an individual will qualify for. The exam questions are split into nine or ten categories which vary based on the branch of service. For the Air Force, the categories are mechanical comprehension, auto information, shop information, assembling objects, paragraph comprehension, mathematics knowledge, electronics information, word knowledge, arithmetic reasoning, and general science (Powers, 2010, p. 9). In the Army, the ten categories are: clerical, electronics, combat, field artillery, general technical, general maintenance, mechanical maintenance, surveillance and communications, operators and food, and skilled technical (Union Media, 2022). For the Navy, there are nine categories: general science, word knowledge, arithmetic reasoning, mathematic knowledge, paragraph comprehension, auto and shop information, electronics information, mechanical comprehension, and assembling objects (ASVAB Tutor, 2022). The scores are then calculated and divided in to four job categories for all branches. These categories are mechanical, general, administrative and electronics. A list of career choices is available for an individual to choose from based on their calculated, numerical scores in each of the four job categories.

After passing the ASVAB and choosing a career, one must go through basic military training (BMT). This is a very intense boot camp lasts between eight to ten weeks, depending on the branch of service. It is designed to introduce individuals to the military way of life, explain what is expected of them, and teach them how to wear the uniforms. Once BMT is over, the individual is sent to a technical school to learn their new career. The military does not require any previous computer experience for the job. They will train you for the position, regardless of your background or knowledge level. If an individual fails the training portion, they are simply transferred to a new career field within the military. After technical school the individual is sent to their new duty station, where they will live for the next several years.

Like the DoD civilian position, the Armed Forces members are also required to maintain a security clearance relevant to the mission and equipment they are working with. The military covers the cost of the clearance and maintains paperwork for the individual.

One major aspect of the military positions is that the military members are required to maintain physical fitness standards during their enlistments. This requirement is relevant for all branches and includes distance running to be done by a certain time, as well as a set number of pushups, sit-ups and pullups, depending on the branch of service. Compensation for individuals in the military is based on a set pay scale that factors in a person’s rank and time in service. Every branch of the military uses the same pay-scale. For example, an individual with the rank of E-1 is paid $1,833 bi-weekly in all branches of the military, regardless of hours worked (Defense Finance and Accounting Service, n.d.).

Air Force AFSC 1D7X1B For the Air Force, system administration is classified as specialty code 1D7X1B, and is called cyber systems operations. A minimum score of 64 in the general category of the ASVAB is required to qualify for the job. After eight weeks of BMT, the candidate must attend the technical specialty school at Keesler Air Force Base (AFB) in Mississippi. At Keesler AFB, the Airman attends approximately 60 days of broad computer systems training. The topics covered include desktop hardware components and their installation, server installation and management, proper cabling, various software updates and installations, and network and firewall protocols. Additionally, airmen are taught how to manage user accounts with Microsoft Active Directory, establish and maintain access control lists, and the different requirements for classified and unclassified systems. Each topic is covered in a classroom environment with hands-on labs, and students must pass an exam before they can move on to the next topic. If an airman does not grasp the material or pass exams consistently, they are assigned to a different career field. In order to maintain compliance with the DoD Directive 8140 mentioned previously, the Air Force will pay for their airman to receive training for the CompTIA Security+ certification and cover the exam cost during the training school. However, it is the airman’s responsibility to maintain the certification during their career so that it does not expire.

Once an airman arrives at their duty location, they undergo several months of on-the-job training on the specific computer systems and the system administration tasks performed at their site. For example, if one is working in the base communications squadron, they may work with server equipment and virtual machines, and perform tasks such as help desk tickets for squadron technical issues or setting up either unclassified and classified accounts for new airman arriving at the base and loading certificates on to common access cards (CAC).

Army MOS 25B

The army equivalent of systems administrator is their military occupational specialty code (MOS) 25B, also referred to as Information Technology Specialist. After nine weeks of BMT, the soldier attends their technical school, called Advanced Individual Training (AIT) in Fort Gordon, Georgia. The Army AIT is twenty weeks long, with training that goes very in-depth and includes a lot of hands-on experience with various equipment so that the soldier is more prepared when they arrive at their duty location. At the school, a soldier learns proper cabling, how to setup desktop computers, printers, and servers from scratch, as well as troubleshooting basic network issues with Cisco equipment (Gwood113, 2021). Common troubleshooting techniques and an introduction to the Linux operating system is also covered (Gwood113, 2021).

While at the school, the soldier also goes through the process of obtaining a security clearance level needed for their duty location. Additionally, like the Air Force airmen, soldiers must maintain compliance with the DoD Directive 8140, mentioned earlier. This is done via CompTIA certifications, which is paid for by the Army and maintained by the soldiers throughout their careers.

After arriving at their duty location, job tasks are very similar to those in the Air Force. The soldier receives specialized hands-on training for the tasks and equipment used at their new site. Tasks may include setting up classified or unclassified accounts for soldiers, solving technical issues for their organization, or maintaining servers. The soldier could also work with specialized radar, drones or radio communications depending on their location.

Navy NEC 746A

In the Navy, the sailor must take the ASVAB exam and obtain an overall score of 222 to qualify for Navy Enlisted Classification (NEC) code 746A, Information Systems Administrator. As with the other military branches, the individuals must first graduate from the Navy version of BMT at Naval Station Great Lakes in Illinois. It is ten weeks long and covers the same things as the Air Force and Army BMTs, with an additional week of swimming skills due to the fact that in this branch, the sailor will be working around water. After graduating BMT, the sailors are sent to Naval Air Station (NAS) Oceana in Virginia Beach, or Naval Base San Diego for ninety days of training for their career field (United States Navy, 2022).

What makes a career in the Navy unique is that sailors are required to spend a certain amount of time of their enlistments aboard a ship or submarine. However, general job tasks are relatively the same as other branches. They include maintaining specialized computer hardware, installing software and patching, adjusting cabling as necessary, and maintaining user accounts and passwords in Microsoft Active Directory. If aboard an aircraft carrier or submarine, a sailor will be responsible for maintain radio and satellite communication equipment, maintaining logs, as well as operating “electronic equipment used for detection and tracking…cryptography and electronic warfare systems” (America’s Navy, 2022).

While all of the different positions mentioned in this paper share the same certifications, general requirements and job tasks, there are several key differences. For example, the military branches are all paid the same amount that is based on their rank, while the DoD civilian is compensated based on their experience, qualifications and amount allocated in a contract. Military members are required to meet physical fitness standards. Additionally, DoD civilian careers are more volatile. If the contract ends, they must find new employment on their own. However, in the military, the soldier, sailor or Airman is simply reassigned to a new location or career if theirs were to end.

In conclusion, this paper discussed the different types of system administration jobs within the Department of Defense: The Air Force AFSC 3D70X1, Army MOS 25B, and Naval specialty code 746A, and DoD civilian position of system administrator. Each role’s requirements and job tasks were discussed, compared and contrasted.

















America’s Navy. (2022). Information systems technician (IT) careers. United States Navy Recruiting.

ASVAB Tutor. (2022). Navy ASVAB scores.

Defense Finance and Accounting Service. (n.d.). Defense finance and accounting service. Defense Finance Accounting Service (DFAS).

Department of Labor. (2021, September 8). Network and computer systems administrators. U.S. Bureau of Labor Statistics Occupational Outlook Handbook.

United States Navy. (2022, January). Information Systems Technician. DOD COOL.

Lane, P. (2020, March 4). U.S. DoD 8570 vs. 8570.01-m vs. 8140: What’s the difference and how do IT certifications fit in? CompTIA.

Powers, R. (2010). ASVAB for dummies. John Wiley & Sons.

Union Media. (2022). Understanding Army ASVAB Composite Scores. become.

ZipRecruiter. (2022, April 8). Systems administrator jobs. Retrieved April 8, 2022, from

ClassmateResearchPaper/RESEARCH PAPER_Siddiqi.docx













Submitted by

Muddassir Siddiqi

















The purpose of this research project is to explore the existing IT audit frameworks prevalent in the higher education organizations and recommend the findings to the senior administration at the Central College located in Houston, Texas for potential adoption. The subject of IT audit is gaining significance due to organizations’ reliance on computing devices, systems, and infrastructure. A major challenge for internal auditors is how to best approach a companywide assessment of IT risks and controls within the scope of their overall assurance and consulting services. Therefore, auditors need to understand the organization’s business environment; the scope of IT audit; perform risk assessment and formalize an audit plan.

The institutions of higher education are like corporate sector in terms of business functions and processes, objectives and rules and requirements, and resources. However, they are characterized as open system and rely on diversity of administrative operational and instructional requirements. Moreover, institutions of higher education, especially public funded institutions, have a unique mission of serving a vast majority of students who often come with least resources. It is imperative to consider these factors while designing an IT audit plan for institutions of higher education (Carrow & Markham, 2009).

Business Environment

IT has become essential in supporting the growth and sustainability of all types of organization. Organizations have been using IT to automate and perform process integration, connecting the enterprise with customers, suppliers, and distributors to obtain sustainable competitive advantage. Moreover, the pervasive use of technology has created a critical dependency on IT that in turn demands a systematic and objective examination of IT assets and their functionality to make sure that organization adheres to applicable standards and requirements. We call such examination as IT audit. According to Gantz (2014), “IT auditing helps organizations understand, assess, and improve their use of controls to safeguard IT, measure and correct performance, and achieve objectives and intended outcomes” (p.XXi).

For an IT auditor to conduct an effective audit, it is critical to understand unique business risks and how technology supports existing business models and mitigates the organization’s overall risk profile. Rehage et al. (2008) suggest auditors to use different internal resources to identify and understand the organization’s goals and objectives, including:

· Mission, vision, and value statements.

· Strategic plans

· Annual business plans.

· Management performance scorecards.

· Business processes and value chain of business activities.

· Stockholder annual reports and supplements.

· Regulatory filings, such as those submitted to the

· U.S. Securities and Exchange Commission (SEC).

Rehage et al. (2008) offer a comprehensive framework, figure 1, that could help understanding organization business environment for the purpose of InfoSec auditing.

Figure 1


Figure adapted and revised from: IT Control Objectives for Sarbanes- Oxley, 2nd Ed., used by permission of the IT Governance Institute (ITGI). ©2006 ITGI.

Scope for IT Audit

As the size of IT infrastructure varies from one organization to another and type and nature of core business, it is critical for IT auditor to find what areas for audit and ensure adequate coverage on the areas that have the greatest risk and where auditors can add most value to the organization. Rehage et al. (2008) call it as equivalent to defining the “IT universe”. For scoping, Deloitte Services (2022) has suggested key some key areas for organizations to consider:

1. Security and Privacy (Information leakage prevention, Security of changes, Biometrics, and identity management)

2. Data (Data privacy, Data quality, Data access)

3. Resilience and Continuity (Recovery after IS failure, Resilience and preparedness, Testing, drills and simulations)

4. Fraud (IT forensics, Fraud risk management)

5. Payments (Payment risk management, PSD/SEPA preparedness, Sanctions OFAC)

6. Projects and Testing (Project risk management, Test management, Implementation of tests)

7. Contracts (Contracting risk, Supplier risk management)

8. IT Controls (Controlling changes, Technology risk management, Organization-level risk management, IT internal audit)

Perform Risk Assessment

Risks arising from business strategies and activities need to be identified and prioritized. An important aspects of an effective IT audit is to identify the potential risks associated with digital assets and its strategic operations. A common practice is to assign a risk rating to all subcategories such as IT infrastructure, computer operations, and applications. These subcategories need to be ranked based on their impact on the vitality of the organization (GTAC, 2008). GTAC has recommended a set of different scale and methods of calculating the composite risk score that can guide organizations to conduct risk assessments based on their strategic and operating needs. According to Willcocks and Margetts (2017), the risks are not only inherent in certain features of the technology infrastructure but also may arise because of distinct organizational practices and patterns of actions.

Formalize Audit Plan

Defining the IT audit universe and performing a risk assessment are precursor steps to selecting what to include in the IT audit plan. A typical audit plan contains feedback from stakeholders, audit frequency, audit plan outline, and list of observations for management reporting and for necessary corrective and preventive actions (Strecker et al., 2010).

This paper provides an overview of the structure of InfoSec audit plan, and it can be potentially modelled at Central College with necessary changes and by considering what is most critical for the continuity of the organization business.


Global Technology Audit Guide (GTAC). 2008. Developing the IT Audit Plan. Retrieved April 26, 2022, from file:///C:/Users/Muddassir/Downloads/GTAG_DevelopingITAuditPlan.pdf.

Carrow, E & Markham, B. (2009). An Auditor’s Perspective on Frameworks for Information Systems Security in Higher Education. Retrieved April 28, 2022, from

Gantz, S. (2014). The Basics of IT Audit: Purposes, Processes, and Practical Information. Elsevier

Deloitte Services (2022). IT Audit and Information Security. Retrieved on April 25, 2022, from

Strecker, S., Heise, D. & Frank, U. (2011). RiskM: A multi-perspective modeling method for IT risk assessment. Information Systems Frontiers, 13, 595–611

Willcocks, L, & Margetts, H. (2017). Risk assessment and information systems. European Journal of Information Systems, 3, 127-138.

ClassmateResearchPaper/Security Education, Awareness, and Training – Sachin Shetty – BIT 575.docx

Security Education, Training, and Awareness (SETA) | 1







Security Education, Training, and Awareness (SETA)



Sachin Shetty

BIT 575

Minot Statue University

April 29, 2022


Consider a bank heist scenario. What happens during the heist? Usually, it’s one or more masked thugs breaking into a bank, demanding the teller to open the vault or safe or registers, and hand over the money. And in most cases, the teller will comply with their demands. Banks normally have extreme security measures in place. It has cameras in and out of the bank. It has a panic button for tellers to trigger the silent alarm and alert law enforcement. It has a vault which can withstand a lot of force and damage before it is cracked open. However, despite having extreme security measures implemented, there is one vulnerability that will always exists no matter what…and that is the employees. Employees of a company can be exploited by bad agents who want to commit malicious activities. So, in case of the bank heists, the thugs would exploit the tellers (employees) to gain access to the vault and steal the money, thereby bypassing some or most of the security measures in place. The same can happen in the IT world. Hackers can exploit employees to bypass firewalls, gain access to a company’s secured network, and commit devastating acts such as hack, cyberattack, ransomware, stealing data and selling to competitors, etc. And in most cases, employees don’t even realize that they are being exploited by hackers. Consider Toyota Boshuku Corporation. According to Lindsey (2019), the company was targeted by hackers as part of business email compromise (BEC) scam. Total financial losses from the BEC scam are reportedly close to $37 million (¥4 billion), and the company is now trying to recover this money with the help of law enforcement officials. Lindsey (2019) adds that on the surface, the BEC scam was not extraordinarily sophisticated. A BEC scam is essentially an advanced phishing or ransomware scam carried out on a large corporation, in which employees of that corporation are asked to send money to foreign bank accounts using a phony business pretext via fake email accounts. BEC attacks are used primarily to target finance and accounting departments. In this case, a third-party hacker posing as a business partner of the Toyota subsidiary sent emails to members of the finance and accounting department, requesting that funds be sent for payment into a specific bank account controlled by the hacker. The tricky part here was convincing a reasonably intelligent Toyota worker to wire $37 million to a foreign account. In some companies, this sum of money might have triggered all kinds of alarms and warnings. And it might have required the employee to obtain multiple signatures and approvals before making the payment. But at Toyota, the company was large enough that $37 million probably didn’t seem like an outlandishly large figure. Thus, a $37 million fund transfer flowing out of the European subsidiary might not have initially raised any questions from mid-level employees. And it is not only business companies that face this threat. Even government and military offices are susceptible to it. “When China wanted to build the J-20, a new stealth fighter jet, they were reportedly helped by industrial espionage” (Daniels, 2017). Daniel (2017) adds that there were said to be several prototypes of J-20, but the final sleek design resembles the F-22, a stealth fighter made by Lockheed Martin. China’s smaller stealth fighter, called the FC-31 Gyrfalcon, in development is seen as a knockoff of Lockheed’s F-35. “The Chinese have been able to hack into computer networks to steal designs and other information on U.S. carriers, advanced defense systems as well as the F-22 and F-35 jets” (Daniels, 2017). The above examples illustrate how employees can be exploited by hackers and the consequences that followed. So how can this exploit be combated or minimized? The answer is SETA: Security Education, Training, and Awareness.

As per Whitman and Mattord (2017), SETA is a managerial program designed to improve the security of information assets by providing knowledge, skills, and guidance for organization employees. It is crucial to implement SETA at an organization as it can yield multiple benefits such as:

· They can improve employee behavior.

· They can inform members of the organization about where to report violations of policy.

· They enable the organization to hold employees accountable for their actions.

· Designed to reduce the incidence of accidental security breaches by members of the organization…who come in contact with its information assets.

· Enhances security behavior by internal and external stakeholders by focusing on InfoSec policy and best practices (pg 210).

According to Wilson et al. (1998), education integrates all the security skills and competencies of the various functional specialties into a common body of knowledge. It also strives to produce IT security specialists and professionals capable of vision and proactive response. Training strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing) (Pg 16). “Awareness serves to instill a sense of responsibility and purpose in employees who handle and manage information, and it leads employees to care more about their work environment” (Whitman and Mattord, 2017, pg 220). Wilson et al. (1998) adds that the purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness relies on reaching broad audiences with attractive packaging techniques while training is more formal, having a goal of building knowledge and skills to facilitate job performance. The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues. In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. The skills acquired during training are built upon the awareness foundation, primarily the security basics and literacy material (Pg 15-17).

According to Wilson and Hash (2003), the major steps in awareness and training program development are:

· Designing an Awareness and Training Program

· Developing Awareness and Training Program

· Implementing the Awareness and Training Program

· Post Implementation (Pg 11).

The first phase is designing the awareness and training program. Wilson and Hash (2003) states that the program must be designed with the organization mission in mind. It is important that the awareness and training program supports the business needs of the organization and be relevant to the organization’s culture and IT architecture. In the design step of the program, the agency’s awareness and training needs are identified, an effective agency wide awareness and training plan is developed, and priorities are established. To determine an organization’s awareness and training needs during the design phase, a process called needs assessment is used. The results of a needs assessment can provide justification to convince management to allocate adequate resources to meet the identified awareness and training needs. It also helps establish the security awareness and training program requirements. There is also a discussion regarding complexity of the material. The complexity of the material must be determined before development begins. It is crucial that the needs assessment identify those individuals with significant IT security responsibilities, assess their functions, and identify their training needs. Training material should be developed that provides the skill set(s) necessary for attendees to accomplish the security responsibilities associated with their jobs. Funding requirements is also discussed during the design phase. Approaches used to determine funding sources must be addressed by agencies based on existing or anticipated budget and other agency priorities. Problems in security awareness and training plan development may occur when security awareness and training initiatives are deemed to be lower in priority than other agency initiatives (Pg 11-22).

The second phase is developing the awareness and training program. According to Wilson and Hash (2003), the focus should be on specific material that the participants should integrate into their jobs. The goal of awareness material is simply to focus attention on good security practices while the message that the awareness effort sends should be short and simple. E-mail advisories, online IT security daily news websites, and periodicals are good sources of ideas and material. Also, the awareness and training plan should contain a list of topics. Agency policy, program reviews, internal audits, internal controls program reviews, self-assessments, and spot-checks can be used to identify topics to address. The awareness audience must include all users in an organization. The message to be spread through an awareness program, or campaign, should make all individuals aware of their commonly shared IT security responsibilities. On the other hand, the message in a training class is directed at a specific audience. The message in training material should include everything related to security that attendees need to know to do their jobs. Training material is usually far more in-depth than material used in an awareness session or campaign (Pg 23-29).

The third phase is implementing the awareness and training program. As per Wilson and Hash (2003), it is essential that everyone involved in the implementation of the program understand their roles and responsibilities. In addition, schedules and completion requirements must be communicated. The program’s implementation must be fully explained to the organization to achieve support for its implementation and commitment of necessary resources. This explanation includes expectations of agency management and staff support, as well as expected results of the program and benefits to the organization (Pg 31-34).

And the final phase is post-implementation. Wilson and Hash (2003) states that continuous improvement should always be the theme for security awareness and training initiatives to ensure the program continues to be relevant and compliant with overall objectives. An organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements, IT infrastructure and organizational changes, and shifts in organizational mission and priorities. Once the program has been implemented, processes must be put in place to monitor compliance and effectiveness. An automated tracking system should be designed to capture key information regarding program activity (e.g., courses, dates, audience, costs, sources). The tracking system should capture this data at an agency level, so that it can be used to provide enterprise-wide analysis and reporting regarding awareness, training, and education initiatives. Requirements for the database should incorporate the needs of all intended users. Continuous improvement cannot occur without a good sense of how the existing program is working. Formal evaluation and feedback mechanisms are critical components of any security awareness, training, and education program. In addition, the feedback mechanism must be designed to address objectives established for the program. Once the baseline requirements have been solidified, a feedback strategy can be designed and implemented. Also, it will be necessary to ensure that the program continues to be updated as new technology and associated security issues emerge. Training needs will shift as new skills and capabilities become necessary to respond to new architectural and technology changes. A change in the organizational mission and/or objectives can also influence ideas regarding how best to design training venues and content. Managing change is the component of the program designed to ensure that training/ awareness/education deployments do not become stagnant and therefore irrelevant to real emerging issues faced by the organization. It is also designed to address changes in security policy and procedures reflected in the culture of the agency. Ongoing improvement is needed to create a level of security awareness and excellence that achieves a pervasive security presence in the organization. Securing an organization’s information and infrastructure is a team effort (Pg 35 – 39).

Poorly implemented or lack of SETA can result in disastrous consequences, such as the one encountered by Toyota Boshuku Corporation, while an effective SETA program can thwart such attacks. Consider the Nigerian prince email scams. In the early days, many victims fell for it because they thought it was genuine and was a quick way to make a lot of money. However, news articles about the scam soon spread around, thereby raising awareness. This resulted in less and less victims falling prey to the scam and this tactic is no longer being used by scammers or hackers. Another example is a personal experience. I received an email from my CEO asking me to send me the company credit card information as he had forgotten his and wanted to make some purchases. It even had his usual signature and the email ID seemed legitimate at first glance. Luckily, I attended the SETA program which the company’s IT / SA team had developed beforehand. They warned us about phishing attacks / fake emails, how to spot them, and what / what not to do. Because of SETA, I knew how to verify the email. I checked the sender’s email ID and, although it was quite similar to the CEO’s email ID, upon closer observation, I noticed that there was an additional punctuation mark ID. I immediately classified the email as a scam, notified the IT team, who in turn relayed warnings to everyone at the company, thereby raising awareness. I then ultimately deleted the email. When my colleagues received similar emails over the next few days, thanks to SETA, they knew what to do and promptly deleted those emails. The above examples highlight the effectiveness of SETA. It is crucial that all employees must participate and complete SETA program. Failure to do so might result in employment termination as that employee becomes a liability and can be exploited by a hacker. According to Hight (2005), a SETA program sets the security tone for the employees of an organization, especially if it is made part of the employee orientation. It plainly lays out the security expectations that the employer has for the employee. This program cannot just review policy, part of it must consist of an explanation of the policies and why they exist. For example, if properly explained why an employee’s password must be a certain number of characters and consist of a level of complexity it is much easier for employees to accept this policy and not come up with creative ways of circumventing the system and therefore putting the network at more risk than existed before. If they could be shown how quickly a simple password can be cracked it makes more of an impact on the end-user in seeing the part they play in keeping the data and the network safe from intruders (Pg 1). Employees must also be aware of their accountability, real-life examples of SETA failures, and regularly undergo cyber-attack simulations / training drills to understand the importance of SETA. If everyone in the organization performs excellently at the SETA program, then the threats of cyber-attacks can potentially be reduced to null. “Having a work force that is educated and more aware of security areas is like expanding the Information Security department into the whole company… This can create a “human firewall” that can be more powerful than properly configured firewalls and Intrusion Detection Systems” (Hight, 2005, pg 2).

Overall, it is evident that SETA is extremely crucial and must be a high priority investment for everyone, regardless of company or individual. The above highlights the consequences of not implementing an effective SETA program versus implementing an effective SETA program. Any advanced security infrastructure can easily be infiltrated or bypassed if not combined with an effective SETA program. And for SETA to be effective, it must constantly be revised and evolving to account for new threats. An evolving and effective SETA program combined with an advanced security infrastructure can go a long way in preventing cyberattack or hacks, thereby safeguarding company data and business.






· Daniels, J. (9 Nov, 2017). Chinese Theft of sensitive US military technology is still a ‘huge problem,’ says defense analyst, CNBC,’s%20smaller%20stealth%20fighter%2C%20called,knockoff%20of%20Lockheed’s%20F%2D35.&text=According%20to%20Kazianis%2C%20the%20Chinese,22%20and%20F%2D35%20jets.

· Hight, S.D. (2005). The importance of a security, education, training and awareness program, Pp 1-2,

· Lindsey, N. (20 Sept, 2019). Toyota Subsidiary Loses $37 Million Due to BEC Scam, CPO Magazine,

· Whitman, M.E. & Mattord, H.J. (2017). Governance and Strategic Planning for Security, Management of Information Security, Fifth Edition. Cengage Learning, Pp 210, 220.

· Wilson, M. & Hash, J. (October 2003). Building an Information Technology Security Awareness and Training program, NIST Special Publication 800-50, National Institute of Standards and Technology, Pp 1-39.

· Wilson, M. et al. (April 1998). Information Technology Training Requirements: A Role- and Performance-Based Model, NIST Special Publication 800-16, National Institute of Standards and Technology, Pp 15-17.




Initial Submission for Research Topic and Feedback:

Hello Dr. Akens,


For my research paper, I would like to discuss the importance of cybersecurity and what can SA(s) do to minimize them.

The frequency of cyberattacks isgrowing day by day as technology and internet usage grows among the population.

It will be interesting to see some of the companies which have been cyberattacked and what measures did they implement to avoid another attack in the future.



Sachin Shetty

Feedback to Learner4/9/22 4:10 PM

Topic is too broad. Please narrow down the topic and resubmit (-50). Topic is on an appropriate subject. A general treatise on what SAs can do to minimize cyber attackes is much, much, much too broad. If you can pick 1 task that SAs perform and empirically demonstrate how that minimizes attacks, that might be achieveable in 7-10 pages.. Please revise your topic and resubmit it through Blackboard prior to the end of the day on Sunday, 17 April 2022.


Second Submission for Research Topic and Feedback:

Hi Dr. Akens, I would like to research and provide more info on practices used by SAs to raise awareness and train employees at a company on how to be vigilant as a way to mitigate risks and cyberattacks. Considering that the hackers will usually rely on employees of a company as access points to hack into company servers and steal data, it is crucial that employees know what they can do to avoid being exploited by hackers. I can also talk about how SA can control and restrict employee access in system(s) as an additional way to mitigate risks. Let me know your thoughts. Thanks, Sachin Shetty

Feedback to Learner4/18/22 10:25 PM

Topic is too broad as stated. However, you just need to narrow the topic a small amount and discuss only the suggested topics in the following comments (-1). Topic is on an appropriate subject. Did not include topic statement (-5). Controlling & restricting access would be too broad to be covered. Employee awareness training & empirical data showing how it can be effective would be sufficient..


ClassmateResearchPaper/Upgrading Windows 2008 R2 Server to 2022 Server v2.docx




Company ABC Limited, USA

Windows 2008 R2 server upgrade to 2022 (Windows 10) Project






A Project Plan

Submitted in Partial Fulfilment of

The Requirements for the Degree of

Master of Science in Information Systems




Mohammad Nawaz




College of Science



Graduate School

Minot State University

Minot, ND



Spring, 2022
























This Project was submitted by

Mohammad Nawaz





Graduate Committee:




Dr.Andrew Aken







Date of submission: April 20, 2022






Executive Summary

This document provides an analysis and high level feasibility study to suggest scope of upgrading existing 2008 R2 server to the latest version of Microsoft 2022 (Windows 10) server. The areas which are covered in this report are on technical limitation, requirements, cost incurred, potential challenges, risks involved if not upgraded now, checklist, and steps which are essential for this upgrading project.


















Contents Scenario. 6 Upgrade Limitation 6 What are the risks involved if Windows 2008 is not upgraded. 6 Cost involved in upgrading to Windows 2022. 7 Steps involved in upgrading Windows 2088 to 2022? 7 Computer must meet technical requirements. 7 Select an upgrade strategy 8 Prepare a Checklist 9 Back out Plan if something goes wrong 10 What are the Risks involved during installation. 11 Product Keys. 12 Download a Windows 10 ISO 12 Testing of upgraded version 2022 12 Important checking points after the upgrade is complete 13 Conclusion 13 References 14 Appendix 15




The company ABC Limited has decided to upgrade its existing 2008 R2 Windows servers to 2022 (Windows 10) servers. The IT manager has asked the company’s system administrator (SA) to prepare a comprehensive plan, based upon its existing infrastructure with the scope to upgrade Windows 2008 R2 to 2022 Windows servers; highlighting technical limitations, cost, challenges, risks, checklist, and steps involved in this project.

Upgrade Limitation

Windows 2008 R2 servers cannot be upgraded directly to 2022 (Windows 10).

Therefore, we need to first upgrade to 2012 (Windows 8.1), and then upgrade to 2022 (Windows 10). The reason is that Microsoft Windows 10 requires that the latest version of Windows 7, Windows 8 and Windows 8.1 should be installed on a laptop, desktop or tablet computer before installing Windows 10. The steps involved in upgrading from 2012 R 2(Windows 8.1) to Windows 2022 (Windows 10) are similar to upgrading from 2008 R2 to 2012 R2 (Windows 8.1).

What are the risks involved if Windows 2008 is not upgraded.

Windows Server 2008 and Windows Server 2008 R2 have reached the end of their support lifecycle. In this situation, when no support is given by Microsoft, this result in following problems, as mentioned in one of the article by Computer Guru (2019);

· No Technical assistance provided by Microsoft, which results in performance of the system.

· There will be no software upgrades coming from Microsoft. The system lacks the latest functionalities.

· Lack of security updates from Microsoft. This will put the system to internal and outside threats, where data confidentiality, integrity and availability of data may be at risk.

. Windows server 2008 R2 is an old version of Microsoft. In 2020 Microsoft ended its support for the 2008 R2 version of Windows. This has already exposed business to cyberattacks and the system is failing compliance regulations, since 2008 R2 can no longer be up-to-date with patching. Because the latest patches are not installed by Microsoft, the system remains unpatched and vulnerable to exploitation. Staying with old technology has adversely impacted productivity.

Computer Guru (2019).

Cost involved in upgrading to Windows 2022.

Because the initial system 2008R2 is outdated, more than 4 years, and so is 2012 version, which needs to be upgraded to 2022 (Windows 10), which is also more than 4 years old, there is some cost associated with upgrading. This cost primarily consists of Microsoft license fees for 2012 R2 version, and 2022 (Windows 10) versions, along with Windows 10 apps from Windows app store, depending upon the selections.   During upgrading from 2008 R2 to 2022 Windows server takes approximately 5 man- hours. The work includes backing up existing servers, installing Windows Server 2012, and restoring the backups.

Steps involved in upgrading Windows 2088 to 2022?

In order to move forward with this project, it is essential that following steps should be taken prior to upgrading. These steps primarily meet the technical and selection of strategy to be adopted for this upgrade.



1)      Computers must meet technical requirements.

Microsoft 2022 (Windows 10), has advanced features, hence there are requirements for hardware/system. Therefore it is recommended to have a Processor with minimum of One GIGAHERTZ capacity, RAM with One GIGABYTE for 32 – bit or 2 GB for 64 bit, Hard disk space needs to be 16 GB, or 20 GB, depending upon the bits of the operating system.

1.4 GHz 64-bit processor Compatible with x64 instruction set. Supports NX and DEP.

(Microsoft 2021)

2) Network Requirements: 

Network requirements must have an Ethernet adapter capable of at least 1 gigabit per second throughput.

1) Select an upgrade strategy

2008 R2 has been in operation for a very long time. The system over a period of time has developed bugs and the computer has performance and speed issues.

Clean Installation will help in installing those apps which are essential, and get rid of unwanted apps, this having re-control of the system apps, and starting with a clean Windows Registry.

Though clean install will wipe out all data, therefore, backup of all files needs to be done before the upgrading process starts. After the installation of Windows 10, all files should be reloaded in the server, and personalization of the computer may be done.

Lee.B (2022).

2) Prepare a Checklist

Following checklist consists of high level steps required to expedite the upgrade the system, and at the same time, these checklists will be used to mitigate any risks involved during upgrading.

a) Back up Computer

Before the upgrade to Windows server 2012, it is necessary that all data is backed up pertaining to all information and applications on the 2008R2 server. If the data is not backed up, this may encounter great risk in losing data. During upgrade the chance of computer crash is very imminent. This will lead to loss of data or damaged files.

There is a 3-2-1 backup rule, which means that 3 copies of your data are created, make sure that 2 copies are stored in two types of storage media, and the other one stored at offsite.

b) Critical Favourites/ bookmarks needs to be backed up

These can be backed up on to H: drive or OneDrive. They can be later imported into browsers on Windows 10.

c) Prepare list all apps and software already installed on the computer

If there are non-standard apps installed on 2008 R2 server, they can be printed in a text file, in this way inventory is created for later on installing in 2022 (Windows 10) version.

d) Find latest and special apps/software in Windows 10, App store

The Windows 10 server has an App Store which has an inventory of latest and  specialist apps, which can be downloaded, though there may be some licensing fee/ cost associated with them..

This will help in getting the app or software complied in the list in step “c”.

e) Windows 10 has plugins / add ins

These critical plugins or add- ins can be downloaded in Windows10.

f) In-house printers needs to be installed

The list of Printers already installed needs to be made prior to upgrading, and align with Window 10 available printers.

g) Compatibility of additional hardware after upgrade with Window 10

The additional hardware such as scanners, speakers, should conform to Windows 10. In case there is a gap between make and model, additional upgrades may be required to make these hardware compatible.

5) Back out Plan if something goes wrong

If something goes wrong, the process should be stopped and/ or reverted to the previous stage for fixing the issues.

6) What are the Risks involved during installation.

· Some of the risks during upgrade which can be encountered. Below possible risks can result in termination or faulty process of upgrading

· The upgrade can end up in failure of process

· If the process goes wrong, which can override the configuration

· If the specifications and requirements are not matched, then in these incompatibilities the upgrade process may malfunction

If something goes wrong, follow the below steps;

· This could be due to the result of corrupt update files. If that happens, delete the flawed file and this may resolve the issue.

· Windows may require several updates, which means that updates should be done in sequence. Also try rebooting the computer to troubleshoot the problem.

· ·There is risk that upgrade can fail, which can happen, if the disk on the drive is not of the required capacity. This lack of free space on the drive can be a reason why Windows update keeps failing. In order to troubleshoot this problem, try freeing up some space on the drives, and start the upgrade from the start.

· If there is conflict between drives or hardware compatibility ,try disconnecting any connected devices such as drives, USB, or printers that may be causing Windows updates to fail every time. Computer Guru (2019).

7) Product Keys.

Each Windows version has a specific Server product key. Similarly versions 2012 R2 and 2022 have specific Product keys. These Product keys should be obtained prior to upgrading.

8) Use of Windows Update Trouble shooter Tool.

The Microsoft Windows 10 has a designated tool to assist in troubleshooting problems in Microsoft updates issues of 2012. To access this tool, simply type troubleshoot in the taskbar search field, then Go to the settings and click Windows Update, then Run the Trouble shooter. This wizard will prompt you with specific instructions for specific problems.

9) Download a Windows 10 ISO

This upgrade from 2008R2 to 2012 (Windows 10) is with clean install strategy, therefore Windows 10 requires ISO image.  This file for ISO image can be downloaded from Microsoft web site.  To proceed further, below the “Create Windows 10 Installation Media” section, click the “Download tool now” button. This button will download the media creation tool. When the small window opens, click “Run “and accept the EULA to kick off the wizard. When the wizard starts, click Create installation media and then click next. In the next step, select the language, architecture, and edition of Windows 10 to be downloaded.

10) Testing of upgraded version 2022

Scope of testing

After upgrading 2008 R2 to Windows 2022(Windows 10), it is essential that various features and roles tested are listed below:


Upgrade path Server configurations Roles/Features Additional information
Windows Server 2008 to Windows Server 2022 Standalone Server Roles/Features:

· Bitlocker

· Hyper-V

Device features:


Secure boot was enabled
Windows Server 2008 to Windows Server 2022 Standalone Server Roles/Features:

· AD Controller

· NIC Teaming

· S2D

· Hyper-V

· Failover Cluster

Device features:



Secure boot was enabled


Dell Technologies (2022) and Microsoft

11) Important checking points after the upgrade is complete

Once the upgrade is completed, the logged errors if any need to be viewed and analysed such as any service failed or suspended issues, and take the appropriate remediation steps. Adam. M. (2019), Dell Technologies (2022), and Software Keep (2022).


The present Windows server 2008 R2 meets the technical requirements to be upgraded to 2022 (Windows 10). But the upgrade can only be done in a two-step upgrade process. 2008 R2 cannot be upgraded directly to 2022, therefore first upgrading is from 2008 R2 to 2012 R2 (Windows 8.1), and second upgrading is from 2012 R2 (Windows 8.1) to 2022 version (Windows10).

Clean install strategy over in-place upgrade is highly recommended as 2008 R2 has been in service for a long time, and concerns are that the previous  Operating System (OS) could negatively affect the newly installed OS. Therefore, it is recommended that 2008 R2 should be backed up in advance prior to upgrading. Though there is some cost involved in upgrading 2008 R2 to 2022 (Windows 10), which is very low, mainly for licensing fee and apps after the upgrade is done. The cost outweighs the benefits tremendously. There is also a small cost involved in utilizing (man-hours) in backup, upgrading, restoring the backup files, and testing. The cost incurred during upgrading can be covered by internal cost centers.

In conclusion, upgrading 2008 R2 to 2022 (Windows 10) is of paramount importance and may be carried out in the immediate future for a faster, more secure, and enhanced productivity of the system.




2-Computer Guru- Dangers of not upgrading windows 7 and server 2008. (2019).,continually%20updated%20to%20stay%20secure.

3-Dell Technologies. In-place Upgrade Guidelines for Windows Server 2022. (2022).

4-Lee.B. In-Place Upgrade Windows Server 2008 R2 to Windows Server 2022. (2021).

5- Limoncelli. T, Hogan. C, Chalup. S. The Practices of System and Network Administration. (2017)

6- Microsoft. Upgrade Windows Server 2008 R2 to Windows Server 2012 R2.

7-Small. W. What are the limits of Windows Foundation Server 2008? (2009).

8-Software keep. Windows Server 2022 Installation Guide: Step by Step. (2022).





Appendix A

Topic of the research paper

This appendix states the topic of the research paper, and comments by Dr.Aken to modify the scope of the topic. My proposed topic was to write about the role of System Administrator in preparing steps for server upgrades in an organization. The Windows server which is at present has 2008 version needs to be upgraded to 2012 version. Dr. Aken commented that I should modify my scope of work as follows” Nawaz, The topic is specific enough and appropriate. However, it may be a bit dated. What about upgrading Windows 2008 Server to 2022 Server? The steps would be pretty similar and it would be more useful since 2012 is pretty dated by now and it wouldn’t be the best choice for retiring an unsupported operating system.

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published.