Information Systems
Security
Chapter 5
2004 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, by Bodnar/Hopwood
Learning Objective 1
Describe general approaches to
analyzing vulnerabilities and
threats in information systems.
Overview
The information security system is the
subsystem of the organization that
controls the special risks associated
with computer-based information systems.
The information security system has
the basic elements of any information
system, such as hardware, databases,
procedures, and reports.
The Information Security
System Life Cycle
Life-cycle Phase      Objective
Systems analysis      Analyze system vulnerabilities in terms of relevant threats and their associated loss exposure.
Systems design        Design security measures and contingency plans to control the identified loss exposures.
The Information Security
System Life Cycle (continued)
Life-cycle Phase                  Objective
Systems implementation            Implement the security measures as designed.
Systems operation, evaluation,    Operate the system and assess its effectiveness and efficiency.
and control                       Make changes as circumstances require.
The Information Security
System in the Organization
The information security system must be
managed by a chief security officer (CSO).
This individual should report directly
to the board of directors in order to
maintain complete independence.
Analyzing Vulnerabilities
and Threats
Two approaches to risk assessment:
Quantitative approach
Qualitative approach
Analyzing Vulnerabilities
and Threats
Under the quantitative approach, each loss exposure is estimated as
Expected loss = Cost of an individual loss × Likelihood of its occurrence
Analyzing Vulnerabilities
and Threats
Identifying the relevant cost per loss and the associated
likelihood is difficult in practice. Estimating how likely a
given failure is amounts to predicting the future, so the
likelihood figures are the weakest part of the estimate.
Analyzing Vulnerabilities
and Threats
Under the qualitative approach, the system's vulnerabilities
and threats are subjectively ranked in order of their
contribution to the company's total loss exposure, without
assigning a dollar figure to each.
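The two approaches above can be combined: compute each threat's expected loss as cost per loss times likelihood, then rank threats by their share of the total exposure. The following is an added example, not code from Bodnar/Hopwood; the threat names, loss amounts and likelihoods are constructed figures, and the Threat class and function names are this example's own.

```python
"""Quantitative loss-exposure estimate for a small set of threats, ranked by
contribution to total exposure.  Added example, not from the textbook; all
figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    cost_per_loss: float      # estimated cost of one occurrence, in dollars
    annual_likelihood: float  # expected occurrences per year (may exceed 1.0)

    def expected_loss(self) -> float:
        """Expected annual loss = cost of an individual loss x likelihood of its occurrence."""
        if self.cost_per_loss < 0 or self.annual_likelihood < 0:
            raise ValueError(f"{self.name}: cost and likelihood must be non-negative")
        return self.cost_per_loss * self.annual_likelihood


# Constructed sample exposures (hypothetical figures, not data from the text).
SAMPLE_THREATS = [
    Threat("business interruption (site outage)", 250_000.0, 0.10),
    Threat("loss of data (ransomware)", 400_000.0, 0.05),
    Threat("input manipulation (payroll fraud)", 20_000.0, 2.0),
    Threat("loss of hardware (theft)", 5_000.0, 1.5),
]


def total_exposure(threats) -> float:
    """Sum of expected annual losses over all threats."""
    return sum(t.expected_loss() for t in threats)


def rank_exposures(threats):
    """Return (name, expected_loss, share_of_total) tuples, highest exposure first.

    The share column is the ordering the qualitative approach asks for: each
    threat's contribution to the company's total loss exposure.
    """
    losses = [(t.name, t.expected_loss()) for t in threats]
    total = sum(loss for _, loss in losses)
    ranked = sorted(losses, key=lambda item: item[1], reverse=True)
    return [(name, loss, (loss / total) if total else 0.0) for name, loss in ranked]


if __name__ == "__main__":
    for name, loss, share in rank_exposures(SAMPLE_THREATS):
        print(f"{name:45s} {loss:12,.0f} {share:6.1%}")
    print(f"{'total annual loss exposure':45s} {total_exposure(SAMPLE_THREATS):12,.0f}")
```

Note that the frequent, low-cost threat (input manipulation) outranks the rare, expensive one (ransomware) once likelihood is applied; a ranking done on cost per loss alone would invert that order, which is the reason the chapter multiplies the two factors rather than looking at either alone.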
Analyzing Vulnerabilities
and Threats
Loss exposures to be considered include:
business interruption
loss of software
loss of data
loss of hardware
loss of facilities
loss of service and personnel
Learning Objective 2
Identify active and passive
threats to information systems.
Vulnerabilities and Threats
What is a vulnerability?
A vulnerability is a
weakness in a system.
What is a threat?
A threat is a potential
exploitation of a vulnerability.
Vulnerabilities and Threats
Active threats (deliberate acts against the system, such as fraud and sabotage)
Passive threats (system faults and natural disasters, which involve no intent)
Individuals Posing a Threat
to the Information System
Groups of individuals that could
be involved in an information
system’s attack:
Information systems personnel
Users
Intruders
Individuals Posing a Threat
to the Information System
Information systems personnel include:
computer maintenance personnel
programmers
network operators
information systems administrative personnel
data control clerks
Individuals Posing a Threat
to the Information System
Users are a heterogeneous group of people whose
functional area lies outside data processing.
An intruder is anyone who accesses equipment,
electronic data, or files without proper authorization.
Individuals Posing a Threat
to the Information System
A hacker is an intruder who attacks
a system for fun and challenge.
What are other types of intruders?
unnoticed intruders
wiretappers
piggybackers
impersonating intruders
eavesdroppers
Active Threats to
Information Systems
Input manipulation
Program alteration
Direct file alteration
Data theft
Sabotage
Misappropriation or theft of information resources
Active Threats to
Information Systems
In most cases of computer fraud,
manipulation of input
is the method used.
Program alteration is perhaps
the least common method used
to commit computer fraud.
Active Threats to
Information Systems
Direct file alteration occurs when individuals find ways to
bypass the normal process for inputting data into computer
programs and modify the stored files or records directly,
so that the program's input controls are never applied.
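The difference between input manipulation and direct file alteration matters for which controls catch each. The following added example, not code from Bodnar/Hopwood, shows a small ledger in which the normal input path validates each entry and seals it with an HMAC. A fraudulent but well-formed entry submitted through that path passes every check (input manipulation), whereas a record edited directly in the stored ledger fails the integrity audit (direct file alteration). The ledger layout, key, account codes and amounts are constructed for illustration.

```python
"""Input manipulation vs. direct file alteration, and an integrity control
that tells them apart.  Added example, not from the textbook; the ledger
format, key, and sample entries are constructed for illustration.
"""
import hashlib
import hmac
import json

# Hypothetical application key; in a real system it lives in a key store, not in source.
LEDGER_KEY = b"example-key-not-for-production"


def _mac(entry: dict) -> str:
    """HMAC over the business fields of a record, in a canonical encoding."""
    body = json.dumps({k: entry[k] for k in ("id", "account", "amount")},
                      sort_keys=True).encode()
    return hmac.new(LEDGER_KEY, body, hashlib.sha256).hexdigest()


def post_entry(ledger: list, entry_id: int, account: str, amount: int) -> dict:
    """The normal input path: apply the input controls, then seal the record."""
    if amount <= 0 or amount > 10_000:
        raise ValueError("amount outside the approved range")
    entry = {"id": entry_id, "account": account, "amount": amount}
    entry["mac"] = _mac(entry)
    ledger.append(entry)
    return entry


def audit(ledger: list) -> list:
    """Return ids of records whose stored MAC no longer matches their contents."""
    return [e["id"] for e in ledger
            if not hmac.compare_digest(e.get("mac", ""), _mac(e))]


def demo():
    """Run both attack paths against one ledger; return what the audit finds after each."""
    ledger = []
    post_entry(ledger, 1, "1200-AR", 4_500)
    post_entry(ledger, 2, "5010-EXP", 800)

    # Input manipulation: a fictitious but well-formed entry goes through the
    # normal path, so it is validated and sealed like any legitimate record.
    post_entry(ledger, 3, "5010-EXP", 950)
    after_input_fraud = audit(ledger)          # [] : nothing was bypassed

    # Direct file alteration: the stored record is edited without post_entry,
    # so the range check never runs and the seal no longer matches.
    ledger[0]["amount"] = 450_000
    after_direct_edit = audit(ledger)          # [1]
    return after_input_fraud, after_direct_edit


if __name__ == "__main__":
    print(demo())
```

The integrity check detects only the second case. The fictitious entry in the first case is indistinguishable to the program from a genuine one, which is why input manipulation is controlled by business controls around the input (authorization, matching to source documents, reconciliation) rather than by checks inside the program.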
Data theft is a serious problem in business today.
What are some methods of computer sabotage?
Active Threats to
Information Systems
Logic bomb
Trojan horse
Virus program
Denial of service attack
Defacing the company’s Web site
Active Threats to
Information Systems
What is a worm?
It is self-replicating malicious code that spreads itself
over a computer network; unlike a virus, it does not need
to attach itself to a host program to propagate.
Active Threats to
Information Systems
One type of misappropriation of computer resources
occurs when employees use company computer
resources for their own business.
Learning Objective 3
Identify key aspects of an
information security system.