Experiencing MIS, 9th ed., by M. Kroenke: Chapter 10

Chapter 10
Information Security Management


“But How Do You Implement that Security?”
• Video conference with SDS (potential PRIDE promoter and
advertiser).
• PRIDE originally designed to store medical data.
• Do PRIDE systems have an acceptable level of security?
• Doesn’t want to affiliate with a company that has a major security
problem.
• Criminals focusing on inter-organizational systems.

Copyright © 2017 Pearson Education, Inc.

10-2


PRIDE Design for Security



Study Questions
Q1: What is the goal of information systems security?
Q2: How big is the computer security problem?
Q3: How should you respond to security threats?
Q4: How should organizations respond to security threats?
Q5: How can technical safeguards protect against security threats?


Q6: How can data safeguards protect against security threats?
Q7: How can human safeguards protect against security threats?
Q8: How should organizations respond to security incidents?
Q9: 2026?



Q1: What Is the Goal of Information Systems Security?



Examples of Threat/Loss



What Are the Sources of Threats?



What Types of Security Loss Exist?
• Unauthorized Data Disclosure
– Pretexting
– Phishing
– Spoofing
  - IP spoofing
  - Email spoofing
– Drive-by sniffers
  - Wardrivers
– Hacking & Natural disasters



Incorrect Data Modification
• Procedures incorrectly designed or not followed.
• Increasing customer’s discount or incorrectly modifying
employee’s salary.
• Placing incorrect data on company Web site.
• Causes
– Improper internal controls on systems.
– System errors.
– Faulty recovery actions after a disaster.



Faulty Service
• Incorrect data modification
• Systems working incorrectly
• Procedural mistakes
• Programming errors
• IT installation errors

• Usurpation
• Denial of service (unintentional)
• Denial-of-service attacks (intentional)



Loss of Infrastructure
• Human accidents
• Theft and terrorist events
• Disgruntled or terminated employee
• Natural disasters
• Advanced Persistent Threat (APT1)
– Theft of intellectual property from U.S. firms.



Goal of Information Systems Security
• Find appropriate trade-off between risk of loss and cost
of implementing safeguards.
• Protective actions
– Use antivirus software.
– Delete browser cookies?
– Make appropriate trade-offs to protect yourself and
your business.



Q2: How Big Is the Computer Security Problem?
Computer Crime Costs per Organizational Respondent



Average Computer Crime Cost and Percent of Attacks by Type (5 Most Expensive Types)



Ponemon Study Findings (2014)
• Malicious insiders increasingly serious security threat.
• Business disruption and data loss primary costs of computer
crime.
• Negligent employees, connecting personal devices to
corporate network, use of commercial cloud-based applications
pose significant security threats.
• Security safeguards work.
• Ponemon Study 2014



Q3: How Should You Respond to Security Threats?
Personal Security Safeguards



So What? New from Black Hat 2014

• Briefings on how to hack things.
• Show how to exploit weaknesses in hardware, software,
protocols, or systems from smartphones to ATMs.
• Encourage companies to fix product vulnerabilities.
• Serve as educational forum for hackers, developers,
manufacturers, and government agencies.



Dan Geer Recommendations
1. Mandatory reporting of security vulnerabilities.
2. Make software vendors liable for damage their code causes once it is
abandoned, or allow users to see/have the source code.
3. ISPs liable for harmful content they inspect.
4. “Right to be forgotten” - appropriate and advantageous.
5. End-to-End Encrypted Email



Hacking Smart Things
• Automobiles’ wireless features and internal systems architecture
allow hackers to access automated driving functions.
• Control hotel lights, thermostats, televisions, and blinds in 200+
rooms by reverse-engineering a home automation protocol called
KNX/IP.
• 70% of smart devices use unencrypted network services; 60% are
vulnerable to persistent XSS (cross-site scripting) and have weak
credentials.



Q4: How Should Organizations Respond to Security Threats?
• Senior management creates company-wide policies:
– What sensitive data will be stored?
– How will data be processed?
– Will data be shared with other organizations?
– How can employees and others obtain copies of data stored about
them?
– How can employees and others request changes to inaccurate
data?

• Senior management manages risks.


Security Safeguards and the Five Components



Ethics Guide: Securing Privacy
“The best way to solve a problem is not to have it.”
– Resist providing sensitive data.
– Don’t collect data you don’t need.
• Gramm-Leach-Bliley (GLB) Act, 1999
• Privacy Act of 1974
• Health Insurance Portability and Accountability Act (HIPAA), 1996
• Australian Privacy Act of 1988
– Government, healthcare data, records maintained by businesses with
revenues in excess of AU$3 million.



Ethics Guide: Securing Privacy: Wrap Up
• Business professionals must consider legality, ethics, and
wisdom when requesting, storing, or disseminating data.
• Think carefully about email you open over public, wireless
networks.
• Use long, strong passwords.
• If unsure, don’t give the data.



Q5: How Can Technical Safeguards Protect Against Security Threats?



Essence of HTTPS (SSL or TLS)
