Information Systems Security:

A Managerial Perspective

Information security has been recognized as one of the major issues of importance in the management of organizational information systems. Losses resulting from computer abuse and errors are substantial, and information systems managers continue to cite security and control as a key management issue. This paper presents the various dimensions of the problem, suggests specific steps that can be taken to improve the management of information security, and points to several research directions.

The rapid progress in computer and communications technologies in the last two decades has rendered most organizations vulnerable to misuse or abuse of computer-based information systems (IS).[1] While information systems provide opportunities to improve an organization's functioning and enhance its products or services, they can also expose organizations to significant risks as organizations become increasingly dependent on information resources.[2] Therefore, important concerns that accompany the use of information technology are how much security is needed to protect computing facilities and information resources and how to obtain this level of security.[3]

Evidence for the importance of IS security is provided by the frequency with which security and control are cited as a key management issue by IS managers.[4] Sprague and McNurlin further suggest that security and integrity are one of the six high-priority concerns of IS managers in the future.[5]

Information security can be viewed from two aspects: technological and managerial. While much attention is given to the technological issues, only little attention is given, both in literature and the real world, to the managerial side.[6]

The purpose of this paper is to review the managerial aspects of information security, and to point to practical recommendations in these aspects. The following sections provide a brief overview of IS security, discuss the difficulties of managing information security, and address the issues of attack and defence. Managerial issues concerning IS security are then defined and some basic recommendations are drawn. The paper concludes with a summary of management's role in IS security.

[1] AHITUV, N. AND NEUMANN, S. (1990). Principles of information systems for management. Dubuque, Iowa: Wm. C. Brown (3rd edn). WISEMAN, C. (1988). Strategic Information Systems. Homewood, IL: Irwin.
[2] BOROVITS, I. (1984). Management of computer operations. Englewood Cliffs, NJ: Prentice-Hall.
[3] BRANCHEAU, J. AND WETHERBE, J.C. (1987). Key issues in information systems. MIS Quarterly, 11 (No. 1), pp. 13-45. CARROLL, J.M. (1987). Computer security. Boston, MA: Butterworths (2nd edn).
[4] BALL, L. AND HARRIS, R. (1982). SMIS members: A membership analysis. MIS Quarterly, 6 (No. 1), pp. 19-38. BENSON, D.H. (1983). A field study of end user computing: Findings and issues. MIS Quarterly, 7 (No. 4), pp. 35-45. DICKSON, G.W., LEITHEISER, R.L., NECHIS, M. AND WETHERBE, J.C. (1984). Key information systems issues for the 1980s. MIS Quarterly
Information systems management in practice. Englewood Cliffs, NJ: Prentice-Hall,

What is information security?
Information security is concerned with the protection of computing facilities from deliberate or accidental threats that may exploit vulnerabilities of a computing system.[7] The target of a crime involving computers may be any portion of a computing facility: hardware, software, data or communication networks. The multiplicity of targets makes information security difficult.

There is a scarcity of reliable information about the amount of computer crime occurring and the nature and severity of the crimes. The available evidence suggests significant losses[8] although the full extent is unknown. A number of organizations have compiled evidence about the nature and scope of computer crime. Highlights of some of these studies are reported below. The purpose of these examples is not to examine specific cases in depth, but rather to convey some idea of the volume, variety and scope of known computer crime.
* O'Donoghue studied 184 Forbes 500 Corporations.[9] Of these, 56 per cent reported that a major computer crime had been detected during the previous 12 months, for an average loss of $11 800 per incident.
* In November 1988, a virus spread through a Department of Defense (DOD) communications network (Internet) linking computers located in military complexes and university campuses.[10] The virus entered an estimated 6000 computer systems. Although the virus did not destroy data on the computers' data files, it did take up memory space and, by reproducing itself over and over, slowed down processing on the computers. The damage was estimated to be about $100 million.
* IBM reported an $11 million loss in December 1987, when a West German student's Christmas message to a friend (attached to a virus) unintentionally swamped IBM's international network. The infected message created an 'electronic chain letter' that virtually shut down the network.
* While some experts (e.g., Parker[11]) feel that it is impossible to assess the amount and damage of computer crimes, other experts argue that it is possible to develop usable data on computer crime. One estimate suggests that out of 1406 cases tracked there is an average loss of $500 000 per case.[12]

In January 1984, a published study included a forecast of spending on information security. This forecast projected an increase in spending from an estimated $3.51 billion in 1987 to a projected $11.83 billion in 1995.[13] Despite the importance of the topic, information security is still considered by many executives as a 'necessary evil' that should be the concern of computer scientists rather than of managers. This attitude developed in part because of the difficulties in managing information security.

(continued from page 105) WILKES, M.V. (1990). Computer security in the business world. Communications of the ACM, 33 (No. 4), pp. 399-401.
[7] PFLEEGER, C.P. (1989). Security in computing. Englewood Cliffs, NJ: Prentice-Hall.
[8] ALAVI, M. AND WEISS, I. (1985). Managing the risks associated with end-user computing. Journal of Management Information Systems, 2 (No. 3), pp. 5-20. American Bar Association (1984). Report on computer crime. American Bar Association, Section on Criminal Justice, Pamphlet, Washington, DC. NYCUM, S.H. AND PARKER, D.B. (1986). Prosecutorial experience with state computer crime laws in the United States. In: Security and protection in information systems (A. Grissonanche, ed.). Elsevier, pp. 307-319.
[9] O'DONOGHUE, J. (1986). Computer crime is usually an inside job. Digital Review, 21 July.
[10] ALEXANDER, M. (1989). Morris indicted in Internet virus affair. Computerworld, 31 July, p. 8.
[11] PARKER, D.B. (1986). Consequential loss from computer crime. In: Security and protection in information systems (A. Grissonanche, ed.). Elsevier, pp. 375-380.
[12] US Congress, Office of Technology Assessment (1986). Federal government information technology: Management, security and congressional oversight. OTA-CIT-297, US Government Printing Office, Washington, DC.
[13] American Bar Association, op. cit., Ref. 8.

Difficulties in managing information security

The management of information security is arduous and is increasing in complexity. Some major factors that have a significant impact on the problem are:

* Content;
* Lack of control;
* Opportunities;
* Detection and prosecution;
* Magnitude and complexity;
* Difficulty in defence; and
* Assessment of costs and benefits.

J.L. WILSON et al.
Content
Information security encompasses four major assets of computing
resources: hardware, software, data and communication networks.[14] In
planning for the security of these resources, one can identify dozens of
security issues ranging from computer viruses and software piracy to
theft of hardware equipment.

Lack of control
Information assets are controlled by many individuals. Nolan indicated
that in 1980 only 36 per cent of the average organization’s information
processing budget was under the control of the chief information officer
(CIO).[15] This lack of control poses significant difficulties in securing the
computing resources.

The opportunities
Rapidly changing computing environments present many new opportunities for computer criminals.[16] Furthermore, the public portion of communication networks (such as telephone lines) is very vulnerable. For example, wire tapping is a simple and inexpensive undertaking; even fibre optics lines can now be tapped. It is simply impossible or too expensive to protect against all the threats.[17]

Detection and prosecution
Most computer crimes are probably undetected. Furthermore, detected computer crimes often go unprosecuted and only a very small proportion of those that are prosecuted receive guilty verdicts. For example, in the O'Donoghue study,[18] about 30 per cent of computer crime was untraceable.

Magnitude and complexity


The security problem can be developed on a fairly large scale. The
widespread use of distributed computing and communication networks
allows intruders to break into remote systems and remain undetected.

Difficulties in defence
Even with the technically best countermeasures designed to reduce
system vulnerability, an intruder has an advantage: most organizations
simply cannot afford to protect against all possible threats. Moreover, in
some instances, the technology may not even be available for protec-
tion.

Assessment of costs and benefits
It is very difficult, not only to detect computer crime, but also to assess the damage that results from such crimes. There are many intangibles. The subsequent costs of a computer crime can be very complicated to assess, especially in advance.[19] Therefore, it is difficult to conduct a risk analysis in order to justify security investments in information systems.

[14] Op. cit., Ref. 7.
[15] NOLAN, R. (1982). Managing information systems by committee. Harvard Business Review, 60 (No. 4), pp. 72-79.
[16] ATKINS, W. (1985). Jesse James at the terminal. Harvard Business Review, 63 (No. 4), pp. 82-87.
[17] Op. cit., Ref. 7.
[18] Op. cit., Ref. 9.
[19] Op. cit., Ref. 11.

Threats and attacks

The threats
A threat is a circumstance that has the potential to cause loss or harm to computing resources, such as hardware, software, data or communication networks.[20] Threats exhibit varying degrees of detectability and controllability. Fire is an example of a threat which is easily detectable and controllable while natural disasters such as earthquakes or floods are difficult to control and detected only when they occur.
Threats to computing resources may impact assets in four ways:

* Destruction: the asset is not reparable or recoverable.
* Modification: altering an asset by changing its representation or adding more to the representation.
* Disclosure: information is accessed by or released to someone lacking a need-to-know.
* Denial of services: resources are unavailable to authorized users.

The threats associated with a computer environment include those that are commonly associated with general protection of property, as well as problems peculiar to computers and information systems. The two major categories are environmental threats and human threats.

Environmental threats represent non-deliberate, accidental threats to computing facilities that include earthquakes, hurricanes and storms, lightning strikes and floods. These risks are considered as acts of God and beyond human control. They also include, however, man-made accidental hazards, including urban unrest and hazardous industries, which increase the vulnerability of a computing facility. Environmental threats are the most visible and tangible threats, which can also be most devastating.

Human threats can originate from outsiders (37 per cent according to O'Donoghue[21]), who penetrate a computer system through communication networks, or from insiders (63 per cent), who are authorized to use the computer system:

* Outsiders: 'Hacker' is the term used to describe outside people who penetrate a computer system. A 'Cracker' is a malicious hacker and is comprised mostly of juvenile delinquents, who are a serious nuisance for business.[22]
* Insiders: Like other types of white-collar crime, attacks from insiders are frequently not reported to law enforcement authorities. Consequently, attacks from insiders have received considerably less public attention than have attacks from hackers.[23] Threats from insiders, authorized to use the computer system, can be categorized as mistakes, dishonest employees with self-serving goals, loss or disruption to computer systems from any cause, and disgruntled employees who commit damaging acts without economic or other self-serving goals.[24]

[20] Op. cit., Ref. 7.
[21] Op. cit., Ref. 9.
[22] BOLOGNA, J. (1986). Computer crime: The who, what, where, when, why and how. Data Processing and Communications Security, 10 (No. 1), pp. 19-23.
[23] Op. cit., Ref. 12.
[24] Ibid.
[25] Op. cit., Ref. 22.

The attackers
There is fairly rapid growth in malicious acts against computer-based information systems and in computer-related crimes. However, only few computer criminals are being caught and prosecuted. Information systems can be attacked at any time by many potential attackers. Based on a literature search, Bologna[25] made an attempt to compile an attacker's profile, as depicted in Figure 1.

Sex: Male
Age: 19-30
Race: White
Criminal Record: None
Position: In data processing or accounting
IQ: High, bright and creative
Appearance: Outwardly self-confident, eager and energetic
Approach to work: Adventurous, willing to accept technical challenge, and highly motivated

Figure 1. The profile of a typical computer criminal

Computer criminals tend to be relatively honest and in positions of trust. Most of them do not consider their acts to be truly crimes. The intruders are relatively young, bright, eager and highly motivated. Most intruders are male while women have tended to be accomplices. While a typical attacker comes from an IS-related position, many other computer criminals who have been caught have had no formal or extensive computer training. This profile results in many potential criminals, which makes protecting against them difficult.[26]
The motivation, according to Bologna,[27] can be classified in one of the following categories:

* Economic: Need for money because of reasons that may include high living, expensive tastes, gambling, family sickness or drug abuse.
* Ideological: It is fashionable to be anti-establishment, so deceiving the establishment is a fair game because the establishment is deceiving everyone else.
* Egocentric: Beating the system is fun, challenging and adventurous. Egocentricity seems to be the most distinguishing motive of computer criminals. They often commit their crimes to show how smart they are and how easily controls can be compromised by a truly dedicated and knowledgeable worker.
* Psychological: Let's get even with the employer, because the employee feels exploited by their cold, indifferent and impersonal employer.

The attack methods
Input tampering and programming techniques are two basic approaches most commonly used, independently or jointly, by the criminals to deliberately attack computer systems.

Input tampering is the approach most often used by insiders. It involves entering false, fabricated or fraudulent data into the computer. In programming techniques, the criminal modifies a computer program directly or indirectly. This is where programming skills and knowledge of the defence systems are essential. While programming fraud enjoys the greater publicity, its rate of prevalence is much lower than that of input tampering.

The most publicized attack method in recent years is the use of malicious code, to include viruses, worms and Trojan horses. A virus is a program that can destroy or alter data and programs by direct modification of their images on disc (or other secondary storage).[28] The virus received its name from its ability to attach itself to other computer programs (distribution) and execute when the host program executes. It then searches for other programs to infect. With the infection property, a virus can spread throughout a computer system in one company or in several organizations. Viruses spread by causing secret programming instructions to be propagated into other programs. The infected programs are then repeatedly transmitted from one computer to the next throughout the communication network, or are carried by hand on diskettes from one computer to the next.[29]

A worm is a self-contained program that copies itself from one host environment to another and then causes itself to be executed in the new environment.[30] Unlike viruses, worms do not attach themselves to programs but execute as autonomous processes. Most worms exist and thrive within computer networks. They exploit holes or management oversights in a network to crawl from system to system in order to carry out their mission: destroy data, steal information or wreak other kinds of havoc.[31]

Another attack method is the Trojan horse. The Trojan horse is a program that looks as if it is legitimate and indeed it will behave as such, doing whatever it is expected to do. However, when the program is triggered, it will do other things of which a user is not aware. Thus, the legitimate software is acting as a Trojan horse. After doing the dirty work, most Trojan horses will erase all traces of themselves from the computer memory to defeat subsequent investigation.[32]

[26] Op. cit., Ref. 11.
[27] Op. cit., Ref. 22.
[28] COHEN, F. (1987). Computer viruses: Theory and experiments. Proceedings of the 7th National Computer Security Conference. Washington, DC, pp. 220-225.

Countermeasures and defence methods

Defence methods, or countermeasures, consist of actions, procedures, techniques, devices or other measures that are used to reduce the strength of the threats. Such methods include administrative, procedural and technical mechanisms which are explicitly concerned with protection of information and information systems. Typical categories of defence methods against threats are:

* Organizational control;
* Physical security;
* Logical access controls;
* Data controls;
* Communication controls;
* Application controls;
* Virus controls; and
* Control of personnel.

These categories can be viewed as layers of security barriers. Like an onion, good security is composed of layers wrapped on layers of defence barriers.[33]

[29] Op. cit., Ref. 7.
[30] CLYDE, R.A. (1991). Network worms. Proceedings of the 8th Annual Conference for Information Security Professionals. San Diego, CA, pp. C11-C18.
[31] Ibid.
[32] DRAPER, S. (1984). Trojan horses and trusty hackers. Communications of the ACM, 27 (No. 11), pp. 1085-1089. CARROLL, op. cit., Ref. 3.
[33] WALLS, J. AND TURBAN, E. (1990). A methodology for selecting controls for computer-based information systems. Working Paper, School of Business, University of Southern California.

Organizational controls
Organizational controls are policies and guidelines established by the highest levels of management to demonstrate its commitment to the protection of the organization's information system assets. These controls are strategic in nature, dictating organization-wide policy to impact how an information system will be used. Organizational controls include:

Policy formulation. Top-management should formulate a written information security charter statement and implement an organization-wide policy to set the ground rules for a detailed security plan. The charter and policy should address information as an organizational asset, provide a mission statement of the information systems security officer and address the responsibilities of this function.

Management commitment. The formulation of security policies and procedures should emphasize the commitment of higher level management to security. It also establishes that individuals will be held accountable for security. The designation of a security officer will further provide a central authority for issues dealing with security.

Contingency planning. Contingency planning and back-up controls address actions to be taken if processing centres or support facilities were to face a catastrophic event. Management should show active involvement in establishing a contingency plan and allocate sufficient resources to support and carry out this plan.

Physical security
Physical security is concerned with protecting computer facilities and
resources to safeguard their proper functioning and survival. Protecting
the physical environment of a computer system is the first line of
defence, and probably the easiest one. Protective features in this
category include:

Environment control. The risks associated with natural and environmental hazards should be minimized, if possible, by avoiding the location of the computing facility in areas with high probability of natural or environmental hazards. If impossible, then proper facility planning to withstand such risks will minimize them.

Physical access control. Physical access controls involve limiting access to system assets such as hardware, storage media and documentation. A fundamental concept in physical security is the placement of computer resources in limited access areas. This approach segregates assets such as computers, peripherals, removable secondary storage media and personnel.
The required complexity of physical access controls depends on
organizational characteristics, such as size of the organization, import-
ance of the IS resource to the organization and its functioning, and
hours of operation at any particular computing facility. Simple measures
may be appropriate for small organizations, since an unauthorized
individual would be easily recognized. In larger organizations more
formalized controls are required. Some methods to restrict access
include:

* Limiting the number of entrances and exits to the computing facility;
* Having a receptionist or guard monitor access at the facility entrance;
* Using badges and colour codes on badges to indicate authorization;
* Signing passes for taking assets in and out of the facility; and
* Restricting access to sensitive areas.

After working hours physical access can be further restricted since authorized user activity is low. Some heightened measures include
locking doors and windows, having adequate night lights, and hiring a
security service. Of particular concern are the procedures used by the
janitorial services, which are active after hours and require access to
perform their functions. Though convenient to the janitors, unlocking
several doors provides the opportunity for unauthorized personnel to
gain access.
The widespread use of microcomputers and end-user computing
supported by distributed systems facilitates increased accessibility to
computing assets spread over a broad geographic area. Physical controls
in these cases strive to allow authorized personnel access without
excessive effort. Thus, additional physical measures, such as securing
cables and locks on hardware items, provide added physical security in
these cases. Another low cost solution is the installation of push-button
combination locks, where the combination would only be given to
authorized personnel and changed periodically.

Fire protection. Fires in computing centres should be prevented by enforcing strict rules against fire hazards to reduce the fire threat. However, adequate detection and suppression techniques should be implemented to minimize fire damages. Fire detection equipment is reliable, cheap and easy to install. While these devices cannot prevent fires, they can provide timely alert and avoid disasters. Portable fire extinguishers can also serve as a first line of defence in keeping small fires from spreading. Clearly labelled and visible extinguishers should be placed in computer rooms, tape and disc storage areas, and any other auxiliary machine rooms within the facility. However, only CO2 extinguishers should be used since dry powder extinguishers are totally unacceptable for computing equipment. Automatic fire suppression systems, using CO2 or Halon, are commercially available but expensive.
The economic value of computing equipment at any particular location
and its importance to the organization will determine the feasibility of
installing dedicated automatic fire suppression systems.

Electrical power control. Electrical power controls protect systems against power cuts and fluctuations in power supply. Some common
mechanisms are line conditioners, uninterruptible power supply (UPS)
systems, and back-up electric generators. Both line conditioners and
UPS systems filter commercial power by absorbing fluctuations and
ensuring clean electrical power. UPS will also continue to supply
electricity for a short time to safely operate equipment. During this
period other backup power sources are invoked or equipment is shut
off. Backup electric generators can be used to provide power not only to
data processing equipment, but also to other essential services such as
lighting and air-conditioning systems. The high cost of installation and
maintenance of these countermeasures, particularly for back-up electric
generators, must be justified by the degree of dependency of the
data-processing operations.

Logical access control
Mechanisms providing logical access control focus on granting access permission to computing facilities. Logical access control mechanisms are hardware or software driven and usually focus on user identification and authentication. User identification is the process by which an individual identifies himself or herself to a computer-based information
system as a valid user. User authentication is the procedure by which a
user establishes that he or she is indeed that user, and has the right to
use the system or portions of it. Logical access control mechanisms also
limit authorized users access to only those resources required to
accomplish assigned job functions.
Implementation of logical access controls requires invoking good
administrative procedures. These procedures must first identify the
resources to be protected. They must identify each individual in the
organization with a unique user identifier. Lastly, they must provide an
authentication capability to verify that a user is really who he or she
claims to be. Authentication mechanisms are divided into three categor-
ies:
* What the user knows, such as a password or an encryption key;
* What the user has - such as a token or a smart card;
* Or something about the user - such as fingerprints, signatures or retinal scans.
These categories are practically carried out as passwords or alternative
authentication schemes.

Passwords are the most common mechanism used today.[34] Traditional password mechanisms fall into two categories: user-generated or system-generated. In a large number of computer systems, passwords are the first line of defence against unauthorized persons trying to gain access to computer resources. Sometimes it might be the only line of defence. As such, it is imperative that this defence be as formidable as possible. Passwords are considered to be of limited usefulness as protection devices because of the relatively small number of characters they contain. However, despite horror stories associated with passwords' use, researchers are in agreement that passwords can provide ample security if managed and handled properly.[35]

Alternative authentication schemes include tokens, smart cards and biometric devices. An example of a token is a bank ATM card. It requires a user to insert the card into a 'card reader' which reads data stored on the card's 'magnetic tape' and then demands a second identifier: the user's memorized personal identification number (PIN) to verify access. The ATM card along with the PIN ensures that the user is authenticated properly.

Smart cards are microprocessor-based, credit card-size devices, with a numeric keypad and LCD screen. Most commercially available products operate in a challenge/response strategy: when a user logs on to a computing facility and enters a password or PIN, the computer responds with a numerical 'challenge' consisting of one or more digits. The user keys this challenge into the card, which performs a calculation using an internally stored algorithm and displays a 'response'. The response is entered to the host computer and checked for correctness. A user is authenticated only after both the password and the response to the challenge have been validated.

[34] ZVIRAN, M. AND HAGA, W.J. (1990). Password security: An exploratory study. NPS Technical Report (NPS-54-90-011). Naval Postgraduate School, Monterey, CA.
[35] MENKUS, B. (1988). Understanding the use of passwords. Computers and Security, 7 (No. 2), pp. 132-236. MORRIS, K. AND THOMPSON, K. (1979). Password security: A case history. Communications of the ACM, 22 (No. 11), pp. 594-597.
[36] Op. cit., Ref. 28.

Biometric devices make use of a person's biometric data, such as fingerprints or retinas of an eye, for authentication purposes.[36] Biometric devices which have been successfully applied in commercially available products include: retina and iris pattern scanners, voice verification, fingerprints and hand-geometry scanners. Other biometric devices examine facial images, signature dynamics and typing rhythms. However, these devices are complex, implying large data transfers between user and host. Protecting these data between reading device and host is correspondingly more difficult. The comparisons are automated but statistical, opening the system to problems with Type I errors (admitting the wrong user) and Type II errors (excluding the right user). In addition they are costly to implement. Due to these characteristics, biometric devices are recommended only for organizations with highly sensitive data.
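The smart-card challenge/response exchange described above, with both the host and the card side, as an added example that is not part of the original paper. HMAC-SHA256 stands in for the card's unnamed "internally stored algorithm"; the 6-digit length, the `Host` class and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

DIGITS = 6  # assumption: the text only says "one or more digits"


def card_response(card_secret: bytes, challenge: str) -> str:
    """Card side: keyed function of the challenge, displayed as digits.

    HMAC-SHA256 is a stand-in for the card's internally stored algorithm.
    """
    mac = hmac.new(card_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


def random_challenge() -> str:
    """Fresh, unpredictable numeric challenge."""
    return "".join(secrets.choice("0123456789") for _ in range(DIGITS))


def pin_hash(pin: str, salt: bytes) -> bytes:
    """The host stores a salted, slow hash of the PIN, never the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000)


class Host:
    """Host side (hypothetical): PIN check, then challenge, then response check."""

    def __init__(self, challenge_source=random_challenge):
        self._users = {}     # user -> (salt, pin_hash, card_secret)
        self._pending = {}   # user -> outstanding challenge
        self._challenge_source = challenge_source

    def enrol(self, user: str, pin: str, card_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, pin_hash(pin, salt), card_secret)

    def begin_login(self, user: str, pin: str):
        """Factor 1: a challenge is issued only after the PIN validates."""
        record = self._users.get(user)
        if record is None or not hmac.compare_digest(pin_hash(pin, record[0]), record[1]):
            return None
        self._pending[user] = self._challenge_source()
        return self._pending[user]

    def finish_login(self, user: str, response: str) -> bool:
        """Factor 2: the response must match the one outstanding challenge."""
        # pop() consumes the challenge whether the answer is right or wrong,
        # so a captured response cannot be submitted a second time.
        challenge = self._pending.pop(user, None)
        if challenge is None:
            return False
        expected = card_response(self._users[user][2], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo() -> dict:
    # Constructed challenges, fixed so the run is repeatable.
    challenges = iter(["483920", "175064", "920517"])
    host = Host(challenge_source=lambda: next(challenges))
    secret = b"constructed-card-secret"
    host.enrol("alice", "2468", secret)

    results = {}
    first = host.begin_login("alice", "2468")
    answer = card_response(secret, first)
    results["valid_login"] = host.finish_login("alice", answer)
    # Same response sent again: the challenge has already been consumed.
    results["same_response_resubmitted"] = host.finish_login("alice", answer)
    # Wrong PIN: no challenge is handed out at all.
    results["wrong_pin_gets_challenge"] = host.begin_login("alice", "0000") is not None
    # A response captured earlier does not answer a new challenge.
    host.begin_login("alice", "2468")
    results["old_response_new_challenge"] = host.finish_login("alice", answer)
    # Right PIN but a different card (different stored secret).
    third = host.begin_login("alice", "2468")
    results["other_card"] = host.finish_login("alice", card_response(b"another-card", third))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Only the first attempt succeeds; the other four fail because one of the two factors, or the freshness of the challenge, is missing.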
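The Type I / Type II trade-off in biometric matching mentioned above, worked through on a small set of match scores, as an added example that is not part of the original paper. The scores, the 0-100 scale and the function names are constructed for illustration; the error definitions are the ones the text gives.

```python
# Constructed match scores (0-100, higher = closer to the enrolled template).
GENUINE = [91, 88, 95, 79, 85, 62, 93, 74, 89, 97]    # the right user presenting
IMPOSTOR = [12, 35, 48, 22, 66, 41, 58, 30, 71, 19]   # a wrong user presenting

THRESHOLDS = range(0, 101, 5)


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (type_i, type_ii) for an accept-if-score>=threshold rule.

    Type I  = admitting the wrong user  (impostor score reaches the threshold)
    Type II = excluding the right user  (genuine score falls below it)
    """
    type_i = sum(score >= threshold for score in impostor) / len(impostor)
    type_ii = sum(score < threshold for score in genuine) / len(genuine)
    return type_i, type_ii


def sweep(thresholds=THRESHOLDS):
    """Both error rates at every candidate threshold."""
    return [(t, *error_rates(t)) for t in thresholds]


def crossover(thresholds=THRESHOLDS):
    """Threshold at which the two error rates are closest to each other."""
    return min(sweep(thresholds), key=lambda row: abs(row[1] - row[2]))


def lowest_threshold_for(max_type_i, thresholds=THRESHOLDS):
    """Least strict threshold that keeps Type I at or below a ceiling.

    Choosing the lowest such threshold keeps Type II (legitimate users
    turned away) as small as the Type I ceiling allows.
    """
    for t in thresholds:
        type_i, type_ii = error_rates(t)
        if type_i <= max_type_i:
            return t, type_i, type_ii
    return None


if __name__ == "__main__":
    print("threshold  type_I  type_II")
    for t, type_i, type_ii in sweep():
        print(f"{t:9d}  {type_i:6.1f}  {type_ii:7.1f}")
    print("crossover:", crossover())
    print("no wrong user admitted:", lowest_threshold_for(0.0))
```

On these scores, driving Type I errors to zero doubles the share of legitimate users excluded compared with the crossover point, which is the operating cost an organization with highly sensitive data accepts.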

Data controls
Data security is concerned with protecting data from accidental or
intentional disclosure to unauthorized persons or from unauthorized
modification or destruction.[37] Data security functions are implemented through operating systems features (e.g., encryption schemes), security access control programs which limit the use of the data to authorized users, database products which monitor completeness and integrity, back-up/recovery procedures that serve as an integral part of a contingency plan, and external control procedures.

Two basic principles should be reflected in data security:

* Minimal privilege. Only information a user needs to carry out an assigned task should be made available to them.
* Minimal exposure. Once a user gains access to sensitive information, they have the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is being processed, stored or in transit.[38]

A communication network may be secured against outside threats by using a communication access control to guard against unauthorized dial-in attempts, system and encryption methods and electronic emanation controls to prevent wiretapping.

Communication access control. Many companies require 'dialing-in' users to identify themselves with an assigned PIN or a unique password.
An access control system authenticates the user’s PIN or password.
Further protected communication systems proceed one step further to
ensure that calls are accepted only from known telephone numbers:
they break the original connection and call back the user at the number
where that user is expected to be. Such systems restrict incoming calls
from direct access to the computer system and grant access only through
call-backs.

Message encryption. Message encryption or scrambling is used to
prevent data theft by wiretapping. Encrypting data may be accomplished
by installing scrambling devices at both ends of the communication
connection, or by installing an algorithm within a computer
program. Scrambling the transmitted data makes it uninterpretable to a
wiretapper.

37 IBM Corporation (1987). Good security practices for information systems networks. Irving, NY: IBM Corporation.
38 GARDINER AND TURBAN, op. cit., Ref. 6.
39 HALPER, S.D., DAVIS, G.C., O'NEIL-DUNNE, R. AND PFAU, P.R. (1985). Handbook of EDP auditing. Boston, MA: Warren, Gorham and Lamont.

Electronic emanation control. Electronic emanations are signals
transmitted as radiation through the air and conductors. Emanations security
controls are measures designed to deny unauthorized access to informa-
tion that might be derived from intercept and analysis of compromising
emanations. Two traditional approaches are taken to prevent disclosure
through emanations. The first employs shielding system components or
entire computing facilities to trap signals. The second is the modification
of emitted signals such as the addition of spurious signals. Through
shielding or modification of the emanations, adversaries are prevented
from intercepting and interpreting electromagnetic emanations from
computers, communications devices, and other electronic equipment.

Application controls
Traditional accounting controls should be included in the design of
application systems. One well-known principle is separation of duties -
ensuring that no employee performs all steps in a single transaction.
Such a practice is a deterrent to crime, because the transaction is subject
to separate, independent checks for accuracy and possible fraud.
Security can also be improved by occasionally rotating the duties and
responsibilities of employees.40 Similar controls may be imposed on the
use of many application systems.

Virus controls
A number of different controls and precautions should be implemented
to prevent penetration by malicious code or to detect code that is
already present:41
Prevention: Know the origin of all software and refrain from using
software from unknown sources. Use a memory-resident virus
immune program to alert against virus presence. Test all new
software using an anti-virus program and isolate new software until
it is tested. Restrict access to programs and data on a need-to-know
basis. Forbid employees to install unauthorized software on office
computers or take office software home for use.
Detection: Use an anti-virus program periodically to check all
software for reinfection. Watch for changes in a system’s operation.
Monitor modification dates of programs and files, look for changes
in volume labels and try to check the length of programs to detect
changes.
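The detection checks listed above (modification dates and program length) can be automated as a baseline comparison. The sketch below is an added example, not code from the paper; the file names are constructed, and the SHA-256 content hash is an assumption that goes beyond the paper's list, included because a same-length change with a restored timestamp passes the date and length checks.

```python
import hashlib
import os
import tempfile
from pathlib import Path

FIELDS = ("length", "modification date", "content hash")


def snapshot(root):
    """Record length, modification time and SHA-256 of every file under root."""
    records = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            st = path.stat()
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            records[str(path.relative_to(root))] = (st.st_size, st.st_mtime_ns, digest)
    return records


def compare(baseline, current):
    """Return {file: [reasons]} for each file that differs from the baseline."""
    findings = {}
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old is None or new is None:
            findings[name] = ["new file" if old is None else "file removed"]
            continue
        reasons = [f"{f} changed" for f, a, b in zip(FIELDS, old, new) if a != b]
        if reasons:
            findings[name] = reasons
    return findings


def demo():
    """Constructed sample: three small 'programs', two altered after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("payroll.exe", "ledger.exe", "report.exe"):
            Path(root, name).write_bytes(b"ORIGINAL-CODE-" + name.encode())
        baseline = snapshot(root)
        # Appended bytes: length and hash change (and normally the date too).
        with open(Path(root, "payroll.exe"), "ab") as fh:
            fh.write(b"\x90" * 16)
        # Same-length overwrite with the old timestamp put back: only the hash differs.
        target = Path(root, "ledger.exe")
        st = target.stat()
        target.write_bytes(b"X" * st.st_size)
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))
        Path(root, "helper.exe").write_bytes(b"unexpected")  # not in baseline
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

The baseline itself has to be stored where the monitored system cannot rewrite it, otherwise the comparison proves nothing.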

Control of personnel
Personnel internal to the organization have been identified as the
greatest risk group to an information system. Management control of
personnel is concerned with the appropriate selection, screening and
supervision of employees.

Selection and screening. It is essential for employees who have access to
information and computing resources to perform with competence,
loyalty and integrity; however, such traits often cannot be readily
determined in prospective employees except by a skilled interviewer.
Therefore, a thorough pre-employment screening of applicants is
necessary for applicants who will have access to computer systems.42

40 HUSSAIN, D. AND HUSSAIN, K.M. (1988). Managing computer resources. Homewood, IL: Irwin.
41 YOUNG, C.L. (1987). Taxonomy of computer virus defense mechanisms. Proceedings of the 10th National Computer Security Conference. Washington, DC, pp. 220-225.
42 KNOTTS, R. AND RICHARDS, T. (1989). Computer security: Who’s minding the store? The Academy of Management Executive, III (No. 1), pp. 63-66.

Retention. Once hired, personnel should be aware of the value of system
assets. The value of information assets is rarely appreciated until it is
corrupted or otherwise no longer accessible. To help protect these
assets, new employees should be indoctrinated into their responsibilities
and sign a non-disclosure agreement. The security policy of the
organization, and consequences for violation, should be explained.
Compliance with IS asset protection responsibilities must be mandatory, and
should be considered a condition of continued employment. Formal
security awareness programs should also be periodically administered to
user managers and employees to remind them of the organization’s
security policy, procedures and standards. The establishment of an
employee code of conduct can clearly delineate expected employee
responsibility.

Termination. When employees leave the organization, their accesses to
the computer system should be revoked. Unfortunately, user managers
frequently overlook this procedure through complacency, forgetfulness
or other reasons.43

The managerial issues - a framework


Realizing the threats, vulnerabilities and available defence mechanisms,
managerial issues of information security can be organized along the
four classical phases of the process of management: planning, organizing,
directing and control. Each of these phases encompasses a number
of topics. This arrangement can be used as a framework for developing
an information security management programme. A brief discussion of
topics for each phase follows.

Planning
To minimize the risks to an organization’s information systems, an IS
security plan must be formulated and endorsed by the highest levels of
management.44 The formulation of an IS security plan requires a
systematic study of the organization’s IS assets, and a listing of potential
threats and proposed countermeasures.45 This process usually consists
of the following six steps:
* Identify IS assets;
* Assess threats and risks;
* Analyse vulnerabilities;
* Evaluate existing and potential countermeasures;
* Evaluate current security level; and
* Formulate a security plan.
The end-product, the IS security plan, is a written document that
summarizes the assets, identifies the threats and vulnerabilities of the
information systems and addresses IS security needs.

43 Op. cit., Ref. 40.
44 CARROLL, J.M. AND WU, O.L. (1983). Methodology for security analysis of data processing systems. Computers & Security, 2 (No. 1), pp. 24-34. Op. cit., Refs 7 and 37.
45 FISHER, R.P. (1984). Information systems security. Englewood Cliffs, NJ: Prentice-Hall. ZVIRAN, M., HOGE, J.C. AND MICUCCI, V.A. (1989). SPAN - A DSS for security plan analysis. Computers & Security, 9 (No. 2), pp. 153-160. Op. cit., Ref. 2.

Organizing
The organization phase aims at implementing the IS security plan.
Based on this plan, a company needs to organize its IS security. This
includes:
* Development of security policy involving procedures and standards;
* Selection and training of security administrators;
* Selection and implementation of security products and techniques,
etc.

In many companies the responsibility for security is fragmented. The
remedy is to appoint a high-level security manager with the authority to
act for the entire organization for all security-related issues. There are
sound technical and practical reasons for placing the IS security
manager in the IS department.46 The security manager is responsible for
carrying out the organization’s security plan, including the development
and implementation of all required procedures and standards to execute
the plan.

This phase involves leading and managing security administrators, and
conducting user and management awareness programmes to gain support
and increase motivation for security.
The direction phase is also a responsibility of the organization’s line
managers, who should be familiar with the organization’s security
policy. Line managers are responsible for protecting all resources
allocated to them and for ensuring that employees are aware of and
abide by the established security policy and procedures and standards.47

The control phase focuses on:
* Monitoring the effectiveness of security procedures, standards and
controls;
* Administering security products, procedures and services;
* Investigating security breaches;
* Participating in security reviews of application development efforts;
* Internal and external auditing; and
* Consulting.
Some specific responsibilities of the audit functions include monitoring
all responsible areas to ensure adherence to the security policy, auditing
all critical operating system and application resources, and monitoring
access controls established by the security administrators.

Risk analysis and some basic recommendations


The future of IS security lies in the level of management awareness of
the vulnerability of the organization’s information systems and the
implications of security problems once they develop. Thus, a first step
towards a secured information system is gaining top management’s
recognition of the importance of the IS security issue.
While top management support is critical in emphasizing the importance
and increasing the awareness of the IS security issue, practical
guidance on obtaining security is needed. This is provided by formulating
an IS security policy and developing a comprehensive IS security
plan.
The decisions involved in establishing an IS security plan are subjective
and unstructured. The crucial elements of risk and vulnerability
assessment are subject to personal perceptions of threats to information
resources, the impact of realized threats, and the probability of their
occurrence. Although such a process calls for a systematic study of all IS
assets and corresponding security characteristics, the results might be
limited to the knowledge of a specific decision maker. Moreover, since
decision makers may place emphasis in different areas, the outcomes
may vary from one decision maker to another. A decision support tool
can, therefore, provide significant guidance to reduce the risks
associated with inadequate security measures.48

46 BUSS, M.D.J. AND SALERNO, L.M. (1984). Common sense and computer security. Harvard Business Review, 62 (No. 2), 112-121.
47 Op. cit., Ref. 37.

Installation of security measures is based on a balance between the
cost of security and the need to reduce or eliminate threats, or expected
loss. Risk management techniques help organizations to identify threats
and select cost-effective security measures.49
Computer-based software packages provide a method for assessing
threats and risks and deciding which to accept, reduce, or eliminate.
Their major value is in providing a structure for ranking exposures that
can be incorporated into an action plan.50 Some software packages go
beyond this objective and provide a comprehensive decision aid for the
entire task of IS security planning.
Computer-based IS security analysis products fall into two categories:
qualitative and quantitative.51 Quantitative packages direct a user in
assessing the value of the IS resources and estimating threat frequen-
cies. They then evaluate the threats as loss exposures or annualized loss
expectancy (ALE), expressed in monetary values. Calculations are
usually obtained by multiplying the replacement cost of an asset by the
estimated threat frequency. Since the end-product of quantitative
packages is more exact, their implementation requires more time and
effort than the qualitative approach. Qualitative security analysis pack-
ages use a risk scale, either alphabetical, numerical or verbal, for each
threat/vulnerability/asset combination. These scales allow decision mak-
ers to assess the impact of existing vulnerabilities and the appropriate-
ness of various countermeasures against the identified threats.
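The quantitative approach described above can be worked through in a few lines. This is an added example, not taken from the paper or from any of the packages it names: it computes ALE as replacement cost times estimated threat frequency, ranks the exposures, and scores safeguards by ALE avoided minus annual cost. The asset names, figures, the `Safeguard` structure and the net-saving selection rule are all assumptions made for illustration.

```python
from typing import NamedTuple

class Exposure(NamedTuple):
    asset: str
    threat: str
    replacement_cost: float  # monetary value of the asset
    frequency: float         # estimated occurrences per year

class Safeguard(NamedTuple):
    name: str
    annual_cost: float
    residual: dict  # (asset, threat) -> estimated frequency once installed

def ale(e):
    """Annualized loss expectancy as the paper describes it: cost x frequency."""
    return e.replacement_cost * e.frequency

def rank_exposures(exposures):
    """Largest ALE first, the ordering an action plan would follow."""
    return sorted(exposures, key=ale, reverse=True)

def net_saving(s, exposures):
    """ALE avoided by a safeguard minus its annual cost (assumed selection rule)."""
    avoided = sum(
        e.replacement_cost * max(e.frequency - s.residual[(e.asset, e.threat)], 0.0)
        for e in exposures if (e.asset, e.threat) in s.residual
    )
    return avoided - s.annual_cost

def cost_effective(safeguards, exposures):
    """Safeguards whose saving exceeds their cost, best first."""
    scored = [(s.name, net_saving(s, exposures)) for s in safeguards]
    return sorted((x for x in scored if x[1] > 0), key=lambda x: -x[1])

# Constructed sample figures, not taken from the paper or from any product.
EXPOSURES = [
    Exposure("customer database", "disk failure", 200_000, 0.125),
    Exposure("customer database", "virus infection", 200_000, 0.0625),
    Exposure("payroll application", "data entry error", 15_000, 2.0),
    Exposure("host computer", "unauthorized access", 80_000, 0.25),
]
SAFEGUARDS = [
    Safeguard("call-back unit", 6_000, {("host computer", "unauthorized access"): 0.0625}),
    Safeguard("biometric device", 25_000, {("host computer", "unauthorized access"): 0.03125}),
    Safeguard("disk mirroring", 10_000, {("customer database", "disk failure"): 0.03125}),
    Safeguard("anti-virus program", 1_500, {("customer database", "virus infection"): 0.015625}),
]

if __name__ == "__main__":
    for e in rank_exposures(EXPOSURES):
        print(f"{ale(e):>10,.0f}  {e.asset} / {e.threat}")
    for name, saving in cost_effective(SAFEGUARDS, EXPOSURES):
        print(f"{saving:>10,.0f}  net saving from {name}")
```

With these constructed figures the costly biometric device avoids more loss than the call-back unit but still fails the cost test, which is the balance between cost of security and expected loss that the text describes.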
The following are examples of available products for risk assessment
and security planning:
* The Buddy System,52 which employs a qualitative methodology to
determine the level of vulnerability in 14 areas and provides a final
risk analysis report with conclusions and recommendations.
* CAS (Computer Aided Security) expert system for managing
computer security.53 It consists of a semi-structured approach to
assess risks and applies the appropriate countermeasures to achieve
IS security.
* CRAMM is a menu-driven, knowledge-based, risk-assessment tool
and management methodology software support tool.54 Menus take
the user through three stages of risk assessment using qualitative
means. Once a risk is identified, appropriate countermeasures are
recommended from a library of over 1000 countermeasures.
* SPAN is a qualitative decision support system for the security
planning process.55 It attempts to reduce the gap between the
perceptions of threats and vulnerabilities and their reality by using
an internal database with a broad knowledge base of threats,
vulnerabilities and applicable countermeasures for each category of
IS assets. It systematically guides a decision maker through each
planning step, ensuring that all activities receive adequate attention.
* Risk Watch supports quantitative and qualitative risk
assessments.56 Online screens are used to key in asset information
and customize threats data. The system matches the user’s data
against its expert knowledge and identifies weaknesses in the
security plan, what safeguards should be implemented, and how
much each safeguard will save the organization.

48 Op. cit., Refs 3 (CARROLL), 7 and 44 (CARROLL AND WU).
49 Op. cit., Refs 12 and 45 (ZVIRAN et al.).
50 ~&~~~, R. (1986). Expert systems for risk analysis and crisis management. In: Security and protection in information systems (A. Grissonanche, ed.). Elsevier, pp. 401-409. WOOD, C.C. (1988). A context for information systems security planning. Computers & Security, 7 (No. 3), pp. 455-465.
51 Datapro (1990). Risk analysis software. Datapro Reports on Information Security, pp. 151-160. POWELL, K. (1988). Software program defines SBA’s security needs. Government Security News, 7 (No. 24), pp. 97-98. TOMKINS, F.G. (1989). How to select a risk analysis software package. Datapro Reports on Information Security, pp. 101-107.
52 Datapro, op. cit., Ref. 51.
53 TOMKINS, op. cit., Ref. 51.
54 Datapro, op. cit., Ref. 51.
55 ZVIRAN et al., op. cit., Ref. 45.
56 Datapro, op. cit., Ref. 51.


Another recommendation pertains to the implementation of the IS
security plan. Planning for IS security is just a means and not an end.
After the plan is concluded and approved, an organization needs to
allocate the necessary resources to ensure implementation. Moreover,
frequent changes in an organization’s computing resources and
architecture, as well as its personnel, suggest that the IS security plan
needs to be periodically evaluated and revised.

Conclusion
As organizations become more dependent on the smooth functioning of
their IS resources, an increasing amount of attention should be given to
the security of these resources. As a result, many organizations need to
prepare and implement adequate security measures to protect IS
resources.
Technological developments and changes in the business environment
have induced important changes in the nature of computer-related
crime. These changes, in turn, impose a requirement on top manage-
ment, as well as on IS management, to recognize the threats to their
computing resources and establish a security policy and an IS security
plan.
In an effort to minimize the risks associated with the threats to an
organization’s computer-based information system, a set of counter-
measures should be installed. Countermeasures may be conceptualized
as performing three basic functions: prevention, detection and correc-
tion of threats. A particular countermeasure may exhibit more than one
of the three basic functions, as it may also protect more than one type of
asset against more than one type of threat. Each organization must
assess its particular security needs and install a practical mix of
countermeasures to minimize the threats to its computing facilities.
