W7 Lesson 7 - Introduction To Information Security - Module

The document provides an introduction to information security, covering unintentional and deliberate threats, risk management strategies, and security controls that organizations can use. It defines information security and discusses factors that contribute to vulnerabilities. Physical, access, technical and administrative controls are described.

Uploaded by Dagsman Dieciem

Information Security

INTRODUCTION TO INFORMATION SECURITY

This lesson intends to help students gain a fundamental and
comprehensive understanding of information security and cyber
security. It focuses on an overview of major information security
issues, technologies, and approaches.

Learning Outcomes:

At the end of the lesson, you are expected to:

1. Identify the factors that contribute to the increasing
vulnerability of information resources;
2. Evaluate vulnerability of an information system and establish a
plan for risk management;
3. Compare and contrast human mistakes and social engineering;
4. Discuss the types of deliberate attacks;
5. Define the three risk mitigation strategies;
6. Differentiate Unintentional and Deliberate threats;
7. Identify the three major types of controls that organizations can
use to protect their information resources.

WHAT IS SECURITY?
It is “the quality or state of being secure—to be free from danger.” In
other words, protection against adversaries—from those who would do
harm, intentionally or otherwise—is the objective.

http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf

WHAT IS INFORMATION SECURITY?

All of the processes and policies designed to protect an organization's
data and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction.

Factors contributing to vulnerability of information resources:

INTRODUCTION TO INFORMATION SYSTEMS 1

1. Today's interconnected, interdependent, wirelessly-networked
business environment
2. Smaller, faster, cheaper computers and storage devices
3. Decreasing skills necessary to be a computer hacker
4. Increased employee use of unmanaged devices
5. Lack of management support

http://csbapp.uncw.edu/mis213/04/4-1.html

Unintentional Threats
Unintentional threats are performed WITHOUT malicious intent.
(Often unknowingly!)

These may include:

1. Natural disasters (hurricanes, tornadoes, etc.)
2. Technical failures (hardware is not always guaranteed to
work)
3. Human Errors (lost laptops or other devices, opening emails
from unknown senders, etc.)
4. Social Engineering (use of social skills to trick someone into
providing confidential information). The person supplying the
information is the UNINTENTIONAL threat.

Businesses should establish policies to reduce human error and
other unintentional threats:

1. Changes to critical data should be monitored, with permissions
granted to designated individuals only
2. User manuals should be developed to control access
3. Dispose all printouts appropriately (shredders)
4. Separate job functions (the programmer should not have access
to storage devices)
5. IT Auditors
6. Encryption of data
7. Keep transaction logs to see who has accessed programs and
when

http://csbapp.uncw.edu/mis213/04/4-2.html


Deliberate Threat
A man-made incident that is either enabled or deliberately caused by
human beings with malicious intent, e.g.,
disgruntled employees, hackers, nation-states, organized
crime, terrorists, and industrial spies.

http://itlaw.wikia.com/wiki/Man-made_deliberate_threat

Top types of deliberate threats

• Espionage / Trespassing - spying on potential or actual
enemies, primarily for military purposes. Spying involving
corporations is known as industrial espionage.
• Extortion - a criminal offense of obtaining money, property,
or services from a person, entity, or institution through
coercion.
• Sabotage / Vandalism - a deliberate action aimed at weakening a
polity or corporation through subversion, obstruction, disruption, or
destruction. In a workplace setting, sabotage is the conscious withdrawal
of efficiency, generally directed at causing some change in workplace
conditions.
• Theft (equipment, information, or identity)
• Software attacks (virus, trojan horse, worm, DoS – denial-of-
service attack, phishing (illegal attempt to acquire confidential
information), spyware, keylogger, malware/spamware, etc.)
• Many others!

A successful organization should have the following multiple layers of
security in place to protect its operations:

1. Physical security, to protect physical items, objects, or areas
from unauthorized access and misuse
2. Personnel security, to protect the individual or group of
individuals who are authorized to access the organization and
its operations
3. Communications security, to protect communications media,
technology, and content
4. Network security, to protect networking components,
connections, and contents
5. Information security, to protect the confidentiality, integrity
and availability of information assets, whether in storage,
processing, or transmission. It is achieved via the application of
policy, education, training and awareness, and technology


What Organizations are Doing

1. Risk Management
Identify, control, and minimize the impact of threats.
Specifically, we are worried about threats to information
resources.
2. Risk analysis
To assess the value of each asset being protected, estimate the
probability it might be compromised, and compare the
probable costs of it being compromised with the cost of
protecting it.
3. Risk mitigation
When the organization takes concrete actions against risk. It
has two functions:

1. Implementing controls to prevent identified threats from
occurring, and
2. Developing a means of recovery should the threat become a
reality.

Most common methods of risk mitigation:

1. Risk Acceptance - accept the potential risk, continue operating
with no controls, and absorb any damages that occur.
2. Risk Limitation - limit the risk by implementing controls that
minimize the impact of the threat.
3. Risk Transference - transfer the risk by using other means to
compensate for the loss, such as purchasing insurance.
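The risk analysis and the three mitigation strategies above, worked through in code. This is an added example, not from the module or its cited sources; the asset values, probabilities, control costs and premiums are constructed, and the decision rule (take the cheapest of absorbing the expected loss, paying for a control plus the residual loss it leaves, or paying an insurance premium) is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass(frozen=True)
class Asset:
    name: str
    value: float                  # loss to the organization if compromised
    probability: float            # estimated chance of compromise per year
    control_cost: float           # annual cost of a control that limits the risk
    control_effectiveness: float  # fraction of the loss the control prevents (0..1)
    insurance_premium: Optional[float] = None  # annual cost to transfer the risk

def expected_loss(asset: Asset) -> float:
    """Probable annual cost of compromise: asset value times probability."""
    if not 0.0 <= asset.probability <= 1.0:
        raise ValueError(f"{asset.name}: probability must lie in [0, 1]")
    return asset.value * asset.probability

def strategy_costs(asset: Asset) -> Dict[str, float]:
    """Annual cost of each mitigation strategy under the assumed model."""
    loss = expected_loss(asset)
    costs = {
        "acceptance": loss,  # no controls; absorb whatever damage occurs
        # controls reduce, but rarely eliminate, the expected loss
        "limitation": asset.control_cost + loss * (1.0 - asset.control_effectiveness),
    }
    if asset.insurance_premium is not None:
        costs["transference"] = asset.insurance_premium  # assumes full coverage
    return costs

def choose_strategy(asset: Asset) -> str:
    """Pick the cheapest strategy; ties go to the first listed (acceptance)."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.__getitem__)

# Constructed sample assets (not from the module).
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.90, insurance_premium=40_000),
    Asset("lobby kiosk", 2_000, 0.05, 1_000, 0.90),
    Asset("warehouse (flood)", 300_000, 0.02, 50_000, 0.80, insurance_premium=4_000),
]

def risk_register(assets=SAMPLE_ASSETS) -> Dict[str, str]:
    """Map each asset to the mitigation strategy the analysis recommends."""
    return {a.name: choose_strategy(a) for a in assets}

if __name__ == "__main__":
    for name, strategy in risk_register().items():
        print(f"{name}: {strategy}")
```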

http://csbapp.uncw.edu/mis213/04/4-4.html

Information Security Controls

Physical Controls (doors, walls, gates, locks, badges, guards, alarms,
etc.)

Access Controls

• Authentication: verifying that you are who you say you are, by any
of the following ways:
o Something you ARE (biometrics, fingerprints, eye
scanner, etc.)

o Something you HAVE (ID card, key, etc.)
o Something you DO (vocal recognition, signatures, etc.)
o Something you KNOW (password, code, security
questions, etc.)
• Authorization: granting access to data or equipment only as
needed/required
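The policy items from the Unintentional Threats section (changes to critical data permitted to designated individuals only, separated job functions so the programmer has no access to storage, and a transaction log of who accessed what and when), combined with authorization as defined just above, in code. This is an added example, not from the module or its cited sources; the roles, users, records and the permission table are constructed assumptions.

```python
from datetime import datetime, timezone

# Assumed separation of duties (not from the module): only designated roles
# may change critical data; the programmer role has no access to stored
# records at all. Users are constructed for the example.
ROLE_PERMISSIONS = {"data_steward": {"read", "change"}, "auditor": {"read"}, "programmer": set()}
USER_ROLES = {"alice": "data_steward", "bob": "programmer", "carol": "auditor"}


class AccessDenied(PermissionError):
    """Raised when a user lacks authorization for the requested action."""


class CriticalDataStore:
    """Records guarded by role-based authorization and a transaction log."""

    def __init__(self, records):
        self._records = dict(records)
        self.transaction_log = []  # one dict per attempt, denied attempts included

    def _authorize(self, user, action, record):
        role = USER_ROLES.get(user)
        allowed = role is not None and action in ROLE_PERMISSIONS.get(role, set())
        # Log every attempt so auditors can see who accessed what, and when.
        self.transaction_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record": record, "allowed": allowed,
        })
        if not allowed:
            raise AccessDenied(f"{user} ({role}) may not {action} {record}")

    def read(self, user, record):
        self._authorize(user, "read", record)
        return self._records[record]

    def change(self, user, record, new_value):
        self._authorize(user, "change", record)
        self._records[record] = new_value

    def who_accessed(self, record):
        """The audit question from the module: who touched this record, and when."""
        return [e for e in self.transaction_log if e["record"] == record]
```

A denied attempt is still written to the log, so an auditor reviewing `who_accessed` sees the programmer's attempt as well as the steward's change.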

Communications Controls

• Firewalls (filter traffic in and out of a network)
• Antivirus software
• Whitelisting and blacklisting software or websites (allowing
or disallowing)
• Encryption (encoding data)
• Digital Certificates
• VPN (Virtual Private Network)
• Employee Monitoring Systems

Other things companies can do:

• Business Continuity Planning - have a plan in case something
happens
• Backup


• Recovery
• Information Security Auditing

http://csbapp.uncw.edu/mis213/04/4-5.html


Glossary
Deliberate Threats are man-made incidents that are either enabled or
deliberately caused by human beings with malicious intent, e.g.,
disgruntled employees, hackers, nation-states, organized crime,
terrorists, and industrial spies.

Information Security is the set of processes and policies designed to
protect an organization's data and information systems from
unauthorized access, use, disclosure, disruption, modification, or
destruction.

Security is “the quality or state of being secure—to be free from
danger.” In other words, protection against adversaries—from those
who would do harm, intentionally or otherwise—is the objective.

Unintentional threats are performed without malicious intent.

References
Rainer & Prince. Introduction to Information Systems, 5th edition.
Wiley, 2015.

Joseph Valacich and Christoph Schneider. Information Systems
Today, 5th edition. Prentice Hall, 2010.

http://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf

http://csbapp.uncw.edu/mis213/04/4-1.html

http://csbapp.uncw.edu/mis213/04/4-2.html

http://itlaw.wikia.com/wiki/Man-made_deliberate_threat

http://csbapp.uncw.edu/mis213/04/4-4.html

http://csbapp.uncw.edu/mis213/04/4-5.html
