
Accounting Information Systems: An Overview, 9e, Bodnar/Hopwood, Chapter 05


Information Systems Security

Chapter 5

 2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood

5–1


Learning Objective 1

Describe general approaches to analyzing vulnerabilities and threats in information systems.



Overview

The information security system is the subsystem of the organization that controls the special risks associated with computer-based information systems. The information security system has the basic elements of any information system, such as hardware, databases, procedures, and reports.


The Information Security System Life Cycle

Life-cycle Phase      Objective
Systems analysis      Analyze system vulnerabilities in terms of relevant threats and their associated loss exposure.
Systems design        Design security measures and contingency plans to control the identified loss exposures.



The Information Security System Life Cycle (continued)

Life-cycle Phase                              Objective
Systems implementation                        Implement the security measures as designed.
Systems operation, evaluation, and control    Operate the system and assess its effectiveness and efficiency. Make changes as circumstances require.



The Information Security System in the Organization

The information security system must be managed by a chief security officer (CSO). This individual should report directly to the board of directors in order to maintain complete independence.



Analyzing Vulnerabilities and Threats

Two approaches to risk assessment:
- Quantitative approach
- Qualitative approach



Analyzing Vulnerabilities and Threats

Quantitative approach: the loss exposure for each threat is estimated as

    Cost of an individual loss × Likelihood of its occurrence



Analyzing Vulnerabilities and Threats

Identifying the relevant costs per loss and the associated likelihoods can be difficult. Estimating the likelihood of a given failure requires predicting the future, which is very difficult.



Analyzing Vulnerabilities and Threats

Qualitative approach: the system's vulnerabilities and threats are subjectively ranked in order of their contribution to the company's total loss exposure.



Analyzing Vulnerabilities and Threats

Categories of loss exposure:
- business interruption
- loss of software
- loss of data
- loss of hardware
- loss of facilities
- loss of service and personnel
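The quantitative approach (cost of an individual loss times likelihood of occurrence), the difficulty of estimating likelihoods, the qualitative ranking by contribution to total loss exposure, and the loss categories listed above, worked through in one added Python example. This code is not from the textbook or the slides: the six categories are the slides' own, but every cost, likelihood and subjective rank is a constructed sample value, and the `LossExposure` class and the `quantitative_ranking`, `ranking_disagreements` and `expected_loss_range` functions are names chosen for this example.

```python
"""Risk assessment over the slide deck's loss-exposure categories.

Added example (not from the textbook). The six categories are the ones the
slides list; every cost, likelihood and subjective rank below is a constructed
sample value, not data from the book.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossExposure:
    category: str
    cost_per_loss: float       # cost of one occurrence (constructed, dollars)
    annual_likelihood: float   # expected occurrences per year (constructed)
    qualitative_rank: int      # subjective rank, 1 = largest contributor (constructed)

    @property
    def expected_loss(self) -> float:
        """Quantitative approach: cost of an individual loss x likelihood."""
        return self.cost_per_loss * self.annual_likelihood


# Constructed sample register covering the slide's six exposure categories.
SAMPLE_REGISTER = [
    LossExposure("business interruption",         500_000, 0.10, 2),
    LossExposure("loss of software",               80_000, 0.20, 6),
    LossExposure("loss of data",                  250_000, 0.30, 1),
    LossExposure("loss of hardware",              120_000, 0.15, 5),
    LossExposure("loss of facilities",          2_000_000, 0.01, 3),
    LossExposure("loss of service and personnel",  60_000, 0.50, 4),
]


def total_loss_exposure(register):
    """Sum of expected losses: the company's total loss exposure."""
    return sum(e.expected_loss for e in register)


def quantitative_ranking(register):
    """Categories ordered by expected annual loss, largest first."""
    ordered = sorted(register, key=lambda e: e.expected_loss, reverse=True)
    return [e.category for e in ordered]


def qualitative_ranking(register):
    """Categories in the subjective order the assessors assigned."""
    ordered = sorted(register, key=lambda e: e.qualitative_rank)
    return [e.category for e in ordered]


def share_of_total(register):
    """Each category's contribution to total loss exposure, as a fraction."""
    total = total_loss_exposure(register)
    return {e.category: e.expected_loss / total for e in register}


def ranking_disagreements(register):
    """Categories whose quantitative and qualitative positions differ.

    A disagreement is the signal to re-examine either the subjective rank or
    the cost and likelihood estimates behind the quantitative figure.
    """
    quant = quantitative_ranking(register)
    qual = qualitative_ranking(register)
    return sorted(c for c in quant if quant.index(c) != qual.index(c))


def expected_loss_range(exposure, factor=2.0):
    """Expected loss if the likelihood estimate is off by `factor` either way.

    Likelihoods are predictions of the future; reporting a range instead of a
    single figure keeps that estimation uncertainty visible.
    """
    base = exposure.expected_loss
    return (base / factor, base * factor)


if __name__ == "__main__":
    print(f"total loss exposure: {total_loss_exposure(SAMPLE_REGISTER):,.0f}")
    for cat, share in share_of_total(SAMPLE_REGISTER).items():
        print(f"{cat:30s} {share:6.1%}")
    print("quantitative:", quantitative_ranking(SAMPLE_REGISTER))
    print("qualitative: ", qualitative_ranking(SAMPLE_REGISTER))
    print("re-examine:  ", ranking_disagreements(SAMPLE_REGISTER))
```

With the constructed figures the two approaches agree on the top two categories but swap "loss of facilities" and "loss of service and personnel"; `ranking_disagreements` surfaces exactly those two, and `expected_loss_range` shows how much a likelihood estimate that is off by a factor of two moves the quantitative figure.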



Learning Objective 2

Identify active and passive threats to information systems.



Vulnerabilities and Threats

What is a vulnerability? A vulnerability is a weakness in a system.

What is a threat? A threat is a potential exploitation of a vulnerability.


Vulnerabilities and Threats

Active threats
Passive threats



Individuals Posing a Threat to the Information System

Groups of individuals that could be involved in an information system's attack:
- Information systems personnel
- Users
- Intruders



Individuals Posing a Threat to the Information System

Information systems personnel include:
- computer maintenance persons
- programmers
- network operators
- information systems administrative personnel
- data control clerks


Individuals Posing a Threat to the Information System

Users are composed of heterogeneous groups of people. Their functional area does not lie in data processing.

An intruder is anyone who accesses equipment, electronic data, or files without proper authorization.



Individuals Posing a Threat to the Information System

A hacker is an intruder who attacks a system for fun and challenge.

What are other types of intruders?
- unnoticed intruders
- wiretappers
- piggybackers
- impersonating intruders
- eavesdroppers



Active Threats to Information Systems

- Input manipulation
- Program alteration
- Direct file alteration
- Data theft
- Sabotage
- Misappropriation or theft of information resources



Active Threats to Information Systems

In most cases of computer fraud, manipulation of input is the method used. Program alteration is perhaps the least common method used to commit computer fraud.


Active Threats to Information Systems

A direct file alteration occurs when individuals find ways to bypass the normal process for inputting data into computer programs.

Data theft is a serious problem in business today.

What are some methods of computer sabotage?
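Direct file alteration, as described above, is a change that bypasses the application's normal input path. Here is an added Python example, not code from the textbook, of one way a defender can detect it: the application keeps a keyed integrity tag for each data file it writes, refuses to post to a file whose tag no longer matches, and a periodic check reports files changed by any other route. The file names, record contents, `BASELINE_KEY`, and the `file_tag`, `build_baseline`, `check_baseline`, `post_record` and `scenario` function names are all constructed for this example.

```python
"""Integrity baseline for detecting direct file alteration.

Added example, not from the textbook. The data files are constructed
in-memory byte strings standing in for an application's data files, and
BASELINE_KEY is a placeholder; in a real deployment the key lives where the
people who can write the data files cannot read it.
"""
import hashlib
import hmac

BASELINE_KEY = b"placeholder-key-kept-outside-the-data-path"  # constructed placeholder

# Constructed sample data files as they look after the application wrote them.
SAMPLE_FILES = {
    "ledger.csv": b"2004-01-05,1001,cash,1500.00\n2004-01-06,1002,sales,-1500.00\n",
    "vendors.csv": b"V100,Acme Supply\nV101,Northwind\n",
}


def file_tag(key: bytes, name: str, content: bytes) -> str:
    """Keyed tag (HMAC-SHA256) over the file name and its contents.

    A plain hash would let someone who can alter the file also recompute the
    stored value; the key, held outside the data path, prevents that. The name
    is bound in so one baselined file cannot be swapped for another.
    """
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(name.encode("utf-8"))
    mac.update(b"\x00")
    mac.update(content)
    return mac.hexdigest()


def build_baseline(key: bytes, files: dict) -> dict:
    """Tag every file the application currently owns."""
    return {name: file_tag(key, name, content) for name, content in files.items()}


def check_baseline(key: bytes, baseline: dict, files: dict) -> list:
    """Compare the files against the baseline.

    Returns sorted (finding, file name) pairs: 'modified' for content that no
    longer matches its tag, 'missing' for a baselined file that is gone, and
    'unexpected' for a file that was never written through the application.
    """
    findings = []
    for name, tag in baseline.items():
        if name not in files:
            findings.append(("missing", name))
        elif not hmac.compare_digest(tag, file_tag(key, name, files[name])):
            findings.append(("modified", name))
    for name in files:
        if name not in baseline:
            findings.append(("unexpected", name))
    return sorted(findings)


def post_record(key: bytes, files: dict, baseline: dict, name: str, record: bytes) -> None:
    """The normal input path: verify the file's tag, append the record, re-tag.

    Verifying first means the application never re-baselines a file that was
    altered behind its back; raising ValueError leaves the finding in place.
    """
    current = files.get(name, b"")
    if name in baseline and not hmac.compare_digest(baseline[name], file_tag(key, name, current)):
        raise ValueError(f"{name} does not match its baseline; refusing to post")
    files[name] = current + record
    baseline[name] = file_tag(key, name, files[name])


def scenario() -> dict:
    """Walk through a clean check, a normal posting, and a direct alteration."""
    files = dict(SAMPLE_FILES)
    baseline = build_baseline(BASELINE_KEY, files)
    results = {"clean": check_baseline(BASELINE_KEY, baseline, files)}

    # A normal posting goes through the application and re-tags the file.
    post_record(BASELINE_KEY, files, baseline, "ledger.csv",
                b"2004-01-07,1003,cash,200.00\n")
    results["after_normal_posting"] = check_baseline(BASELINE_KEY, baseline, files)

    # Direct file alteration: the ledger amount is edited outside the application.
    files["ledger.csv"] = files["ledger.csv"].replace(b"1500.00", b"1800.00")
    results["after_direct_edit"] = check_baseline(BASELINE_KEY, baseline, files)

    # The next posting through the normal path is refused, so the finding survives.
    try:
        post_record(BASELINE_KEY, files, baseline, "ledger.csv",
                    b"2004-01-08,1004,cash,50.00\n")
        results["posting_refused"] = False
    except ValueError:
        results["posting_refused"] = True
    results["after_refused_posting"] = check_baseline(BASELINE_KEY, baseline, files)
    return results


if __name__ == "__main__":
    for step, findings in scenario().items():
        print(f"{step:22s} {findings if findings != [] else 'no findings'}")
```

The point the check-before-re-tag step makes is that the integrity control is only as good as the separation between the key and the people listed earlier as information systems personnel: if the maintenance staff or programmers who can write the data files can also read `BASELINE_KEY`, a direct alteration can be re-tagged and the check reports nothing.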


Active Threats to Information Systems

Methods of computer sabotage:
- Logic bomb
- Trojan horse
- Virus program
- Denial of service attack
- Defacing the company's Web site


Active Threats to Information Systems

What is a worm? It is a type of virus that spreads itself over a computer network.



Active Threats to Information Systems

One type of misappropriation of computer resources exists when employees use company computer resources for their own business.



Learning Objective 3

Identify key aspects of an information security system.



