A Managerial Perspective
Information security has been recognized as one of the major issues of importance in the management of organizational information systems. Losses resulting from computer abuse and errors are substantial, and information systems managers continue to cite security and control as a key management issue. This paper presents the various dimensions of the problem, suggests specific steps that can be taken to improve the management of information security, and points to several research directions.
106
J.L. WILSON et al.
Content
Information security encompasses four major assets of computing
resources: hardware, software, data and communication networks.14 In
planning for the security of these resources, one can identify dozens of
security issues ranging from computer viruses and software piracy to
theft of hardware equipment.
Lack of control
Information assets are controlled by many individuals. Nolan indicated that in 1980 only 36 per cent of the average organization's information processing budget was under the control of the chief information officer (CIO).15 This lack of control poses significant difficulties in securing the computing resources.
The opportunities
Rapidly changing computing environments present many new opportunities for computer criminals. Furthermore, the public portion of communication networks (such as telephone lines) is very vulnerable. For example, wire tapping is a simple and inexpensive undertaking; even fibre optics lines can now be tapped. It is simply impossible or too expensive to protect against all the threats.
Difficulties in defence
Even with the technically best countermeasures designed to reduce system vulnerability, an intruder has an advantage: most organizations simply cannot afford to protect against all possible threats. Moreover, in some instances, the technology may not even be available for protection.
107
Information systems security
Human threats can originate from outsiders (37 per cent according to O'Donoghue), who penetrate a computer system through communication networks, or from insiders (63 per cent), who are authorized to use the computer system.
The attackers
There is fairly rapid growth in malicious acts against computer-based information systems and in computer-related crimes. However, only few computer criminals are being caught and prosecuted. Information systems can be attacked at any time by many potential attackers. Based on a literature search, Bologna25 made an attempt to compile an attacker's profile, as depicted in Figure 1.

Figure 1. Attacker's profile
Sex: Male
Age: 19-30
Race: White
Criminal record: None
Position: In data processing or accounting
IQ: High, bright and creative
Appearance: Outwardly self-confident, eager and energetic
Approach to work: Adventurous, willing to accept technical challenge, and highly motivated

Computer criminals tend to be relatively honest and in positions of trust. Most of them do not consider their acts to be truly crimes. The intruders are relatively young, bright, eager and highly motivated. Most intruders are male while women have tended to be accomplices. While a typical attacker comes from an IS-related position, many other computer criminals who have been caught have had no formal or extensive computer training. This profile results in many potential criminals, which makes protecting against them difficult.

Notes:
Op. cit., Ref. 7.
Op. cit., Ref. 9.
22 Bologna, J. (1986). Computer crime: The who, what, where, when, why and how. Data Processing and Communications Security, 10 (No. 1), pp. 19-23.
23 Op. cit., Ref. 12.
24 Ibid.
25 Op. cit., Ref. 22.
The motivation, according to Bologna, can be classified in one of the following categories:
* Economic: Need for money because of reasons that may include high living, expensive tastes, gambling, family sickness or drug abuse.
* Ideological: It is fashionable to be anti-establishment, so deceiving the establishment is fair game because the establishment is deceiving everyone else.
* Egocentric: Beating the system is fun, challenging and adventurous. Egocentricity seems to be the most distinguishing motive of computer criminals. They often commit their crimes to show how smart they are and how easily controls can be compromised by a truly dedicated and knowledgeable worker.
* Psychological: Let's get even with the employer, because the employee feels exploited by their cold, indifferent and impersonal employer.
virus received its name from its ability to attach itself to other computer programs (distribution) and execute when the host program executes. It then searches for other programs to infect. With the infection property, a virus can spread throughout a computer system in one company or in several organizations. Viruses spread by causing secret programming instructions to be propagated into other programs. The infected programs are then repeatedly transmitted from one computer to the next throughout the communication network, or are carried by hand on diskettes from one computer to the next.
A worm is a self-contained program that copies itself from one host environment to another and then causes itself to be executed in the new environment. Unlike viruses, worms do not attach themselves to programs but execute as autonomous processes. Most worms exist and thrive within computer networks. They exploit holes or management oversights in a network to crawl from system to system in order to carry out their mission: destroy data, steal information or wreak other kinds of havoc.
Another attack method is the Trojan horse. The Trojan horse is a program that looks as if it is legitimate and indeed it will behave as such, doing whatever it is expected to do. However, when the program is triggered, it will do other things of which a user is not aware. Thus, the legitimate software is acting as a Trojan horse. After doing the dirty work, most Trojan horses will erase all traces of themselves from the computer memory to defeat subsequent investigation.
Physical security
Physical security is concerned with protecting computer facilities and
resources to safeguard their proper functioning and survival. Protecting
the physical environment of a computer system is the first line of
defence, and probably the easiest one. Protective features in this
category include:
Data controls
Data security is concerned with protecting data from accidental or intentional disclosure to unauthorized persons or from unauthorized modification or destruction. Data security functions are implemented through operating systems features (e.g., encryption schemes), security access control programs which limit the use of the data to authorized users, database products which monitor completeness and integrity, back-up/recovery procedures that serve as an integral part of a contingency plan, and external control procedures.
Two basic principles should be reflected in data security:
* Minimal privilege. Only information a user needs to carry out an assigned task should be made available to them.
* Minimal exposure. Once a user gains access to sensitive information, they have the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is being processed, stored or in transit.
mitted as radiation through the air and conductors. Emanations security controls are measures designed to deny unauthorized access to information that might be derived from intercept and analysis of compromising emanations. Two traditional approaches are taken to prevent disclosure through emanations. The first employs shielding system components or entire computing facilities to trap signals. The second is the modification of emitted signals such as the addition of spurious signals. Through shielding or modification of the emanations, adversaries are prevented from intercepting and interpreting electromagnetic emanations from computers, communications devices, and other electronic equipment.
Application controls
Traditional accounting controls should be included in the design of application systems. One well-known principle is separation of duties: ensuring that no employee performs all steps in a single transaction. Such a practice is a deterrent to crime, because the transaction is subject to separate, independent checks for accuracy and possible fraud. Security can also be improved by occasionally rotating the duties and responsibilities of employees.40 Similar controls may be imposed on the use of many application systems.
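The separation-of-duties principle above, enforced in code as an added illustration (not from the paper): a payment passes through three hands, no employee may perform two steps of the same transaction, and each later step independently re-checks the figure recorded by the earlier one. Employee ids and amounts are constructed placeholders.

```python
from dataclasses import dataclass, field

class ControlViolation(Exception):
    """Raised when a step breaches separation of duties or an independent check fails."""

@dataclass
class Payment:
    """One transaction; every step is recorded with the employee who performed it."""
    amount: int                                  # prepared amount, in cents
    steps: dict = field(default_factory=dict)    # step name -> employee id

    def record(self, step: str, employee: str) -> None:
        # Separation of duties: no employee performs more than one step of a transaction.
        done = [s for s, e in self.steps.items() if e == employee]
        if done:
            raise ControlViolation(f"{employee} already performed step '{done[0]}'")
        self.steps[step] = employee

def process_payment(p: Payment, preparer: str, approver: str, approved: int,
                    payer: str, paid: int) -> dict:
    """Prepare, approve, pay: each later actor independently re-checks the figure."""
    p.record("prepare", preparer)
    p.record("approve", approver)
    if approved != p.amount:
        raise ControlViolation("approver's figure disagrees with the prepared amount")
    p.record("pay", payer)
    if paid != approved:
        raise ControlViolation("amount paid differs from the amount approved")
    return dict(p.steps)

def outcome(amount: int, **kwargs) -> str:
    """Run one constructed scenario; return 'ok' or the control that stopped it."""
    try:
        process_payment(Payment(amount), **kwargs)
        return "ok"
    except ControlViolation as exc:
        return str(exc)

def demo() -> dict:
    """Three constructed cases (employee ids are placeholders)."""
    return {
        "proper": outcome(12500, preparer="emp01", approver="emp02",
                          approved=12500, payer="emp03", paid=12500),
        "one_person": outcome(12500, preparer="emp01", approver="emp01",
                              approved=12500, payer="emp03", paid=12500),
        "inflated": outcome(12500, preparer="emp01", approver="emp02",
                            approved=12500, payer="emp03", paid=99900),
    }
```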
Virus controls
A number of different controls and precautions should be implemented to prevent malicious code penetration or detect those that exist:
* Prevention: Know the origin of all software and refrain from using software from unknown sources. Use a memory-resident virus immune program to alert against virus presence. Test all new software using an anti-virus program and isolate new software until it is tested. Restrict access to programs and data on a need-to-know basis. Forbid employees to install unauthorized software on office computers or take office software home for use.
* Detection: Use an anti-virus program periodically to check all software for reinfection. Watch for changes in a system's operation. Monitor modification dates of programs and files, look for changes in volume labels and try to check the length of programs to detect changes.
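The detection advice above (monitor modification dates and program lengths) as an added, runnable baseline-and-compare check; this is an illustration written for this page, not the paper's own tool. It records size, modification time and a SHA-256 digest per file while the software is isolated, then reports files that were modified, added or removed; the directory and files are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

@dataclass(frozen=True)
class FileRecord:
    size: int      # program length, one of the checks the paper recommends
    mtime: float   # modification date, another recommended check
    digest: str    # SHA-256 of the contents: catches edits that keep size and date

def snapshot(root: str) -> dict:
    """Record size, modification time and hash of every file below root."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            records[os.path.relpath(path, root)] = FileRecord(st.st_size, st.st_mtime, digest)
    return records

def detect_changes(baseline: dict, current: dict) -> dict:
    """Compare a fresh snapshot against the stored baseline."""
    report = {"modified": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif (new.size, new.mtime, new.digest) != (old.size, old.mtime, old.digest):
            report["modified"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report

def demo() -> dict:
    """Constructed scenario: one program grows after bytes are appended, one file appears."""
    with tempfile.TemporaryDirectory() as root:
        prog = os.path.join(root, "ledger.exe")
        with open(prog, "wb") as fh:
            fh.write(b"MZ original program body")            # constructed stand-in for a program
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("unchanged documentation")
        baseline = snapshot(root)                            # taken while the software is isolated
        with open(prog, "ab") as fh:
            fh.write(b"<appended bytes>")                    # simulated modification of the program
        with open(os.path.join(root, "dropped.bin"), "wb") as fh:
            fh.write(b"new unexpected file")
        return detect_changes(baseline, snapshot(root))
```

Store the baseline outside the monitored machine (e.g. on write-protected media) so that a modification cannot also rewrite the record it is compared against.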
Control of personnel
Personnel internal to the organization have been identified as the
greatest risk group to an information system. Management control of
personnel is concerned with the appropriate selection, screening and
supervision of employees.
Planning
To minimize the risks to an organization's information systems, an IS security plan must be formulated and endorsed by the highest levels of management. The formulation of an IS security plan requires a systematic study of the organization's IS assets, and a listing of potential threats and proposed countermeasures. This process usually consists of the following six steps:
* Identify IS assets;
* Assess threats and risks;
* Analyse vulnerabilities;
* Evaluate existing and potential countermeasures;
* Evaluate current security level; and
* Formulate a security plan.
The end-product, the IS security plan, is a written document that summarizes the assets, identifies the threats and vulnerabilities of the information systems and addresses IS security needs.
Conclusion
As organizations become more dependent on the smooth functioning of
their IS resources, an increasing amount of attention should be given to
the security of these resources. As a result, many organizations need to
prepare and implement adequate security measures to protect IS
resources.
Technological developments and changes in the business environment have induced important changes in the nature of computer-related crime. These changes, in turn, impose a requirement on top management, as well as on IS management, to recognize the threats to their computing resources and establish a security policy and an IS security plan.
In an effort to minimize the risks associated with the threats to an organization's computer-based information system, a set of countermeasures should be installed. Countermeasures may be conceptualized as performing three basic functions: prevention, detection and correction of threats. A particular countermeasure may exhibit more than one of the three basic functions, as it may also protect more than one type of asset against more than one type of threat. Each organization must assess its particular security needs and install a practical mix of countermeasures to minimize the threats to its computing facilities.