
8/18/22, 10:36 AM Topic: S2D CISO


Due Aug 21 10 points

9 replies (3)

S2D CISO

Learning Objectives

Describe the threats posed to information security and common attacks associated with those threats

Discussion

Shortly after the Board of Directors meeting, Charlie was named Chief Information Security Officer (CISO) to fill a
new leadership position that reports to the CIO, Gladys Williams. The primary role of the new position is to provide
leadership for CRU's efforts to improve its information security profile. How should Fred measure success when he
evaluates Gladys' performance for this project? How should he evaluate Charlie's performance? In addition, which
of the threats discussed in this chapter should receive Charlie's attention early in his planning process? 

Instructions

Click reply to post your answer to the discussion questions (approximately 300 words). Post your response at
least two (2) days before the deadline, so we have time to discuss the implications of your response.
Review the responses of your classmates and reply with your comments and reactions as appropriate. You are
NOT expected to comment on EVERY post - only those that interest you (but a minimum of two follow-up posts
should be made).

To view the grading rubric, click the more options menu (3 vertical dots) in the upper right and select "Show Rubric."


Sandhya Pabbu
Aug 18 3:54am

https://mycourses.umhb.edu/courses/29282/discussion_topics/237217?module_item_id=720322 1/10

Fred can measure success when he evaluates Gladys' performance for this project in light of the new security
measures and the method she established for the organization. Fred will evaluate Gladys' efficiency in planning,
organization, execution, and activities based on her qualifications and capability of offering a high degree of
security. Bongiovanni (2019) points out that the evaluation must concern the organization's need for a robust
security system to minimize risks and a high level of features and accessibility of those safe and secure data
systems to accomplish its objectives. He must also assess Charlie's knowledge and contributions to information
security based on the issues that need to be rectified to improve system security. Since the organization's overall
performance depends on the proper alignment of information system (and surveillance) planning and corporate
strategy, which is frequently challenging to accomplish, Charlie's performance can be taken into account based on
the paradoxical situation between an organization's needs and wants.

Charlie should begin thinking about internal threats such as employee irresponsibility, disregard of information
security standards and regulations, or human error that may negatively influence cybersecurity early in the planning
stage. Emphasizing a security program and educating end users by creating a security policy viewpoint are two of
the best ways to avoid simple cybersecurity risks (Culot et al., 2021). The latter can be done by conducting
thorough training sessions and raising employee knowledge of security-related concerns. In addition, exhaustion
and overwork may also lead to more errors. Ensuring a company's personnel is content and well-rested is among
the most significant ways Charlie may use to prevent these breaches. Charlie may also initiate programs used in
system monitoring and surveillance approaches to find signs of potential cybersecurity issues so they may be
stopped. Both automated and manual intervention must be used in system monitoring and surveillance. For
concerns to be prioritized according to where the most danger is present, an investigation, a reaction, and reporting
procedures are necessary to avoid irresponsibilities.

References

Bongiovanni, I. (2019). The least secure places in the universe? A systematic literature review on information
security management in higher education. Computers & Security, 86, 350-357.

Culot, G., Nassimbeni, G., Podrecca, M., & Sartor, M. (2021). The ISO/IEC 27001 information security management
standard: literature review and theory-based research agenda. The TQM Journal.


Aravind Kummari
Aug 18 3:47am

In this case, evaluation of Gladys and Charlie's performance is critical. Fred could have regular meetings with
Gladys to discuss how the program is doing. Some means of measuring performance include evaluating the
number of viruses or worms discovered, the number that have gotten through the system, and overall performance
compared to past periods. Evaluating Charlie's performance can include recreating threat situations to see how he
responds. I concluded after reading the chapter that people are a security program's weakest link, and ensuring
that the staff is competent and dependable is essential. Following these evaluation measures, Charlie can assess
their ability to develop a successful information system strategy while adhering to the business model and
standards for cooperative control, agility, adaptability, operability, and resilience (McLaughlin & Gogan, 2018). Thus,
the possibility of narrow-minded and prejudiced conclusions is diminished, and plans become more flexible and
relevant to many circumstances.


Charlie may begin by evaluating human error in his planning process as the original threat was created through a
worker's flash drive. Setting up safe use guidelines and demanding employee data validation may considerably
reduce the risk of errors. The policies and guidelines will help prevent unauthorized access to company equipment.
Proença & Borbinha (2018) state that it should be clear that these regulations are just a recognition of the possibility
that individuals can unintentionally sabotage security measures rather than reflect the family members' objectives.
Charlie may also consider cyberattacks, particularly computer hacking and trespassing. Since a worm on a USB
device was the root of the initial issue, Charlie should set aside strict procedures to inspect the personnel and train
them on managing security issues. Technology, procedures, and staff awareness training must be coupled to
prevent social engineering mistakes and increase awareness of the possible harm caused by negligence. The staff
must be aware of the dangers they face and what role they are responsible for playing in defending against them.

References

McLaughlin, M. D., & Gogan, J. (2018). Challenges and best practices in information security management. MIS
Quarterly Executive, 17(3), 12.

Proença, D., & Borbinha, J. (2018, July). Information security management systems-a maturity model based on
ISO/IEC 27001. In International Conference on Business Information Systems (pp. 102-114). Springer, Cham.


Naseema Mohammad
Edited Aug 17 5:54pm

Discussion:

According to the Vital Source, I think Gladys should be evaluated on how well she implements the new security
policies and procedures for the company. Naturally, she places a great deal of trust in Charlie's performance
since she was the one who first presented Charlie with his novel proposal for the organization's upgraded
security. He was essentially her CIO nominee.
Internal dangers should be investigated early in the planning process before external concerns are considered.
Internal threats don't always indicate that staff members are acting maliciously, but human mistakes and
failures can also compromise cybersecurity. One of the greatest methods to stop basic cybersecurity concerns
from occurring is to develop a security program and educate end users through the creation of security policy
advice.

We should implement a proactive strategy to recognize the many dangers that could endanger the IT resource in
the company. Even if you've created and are continuing to maintain a plan, you still need to be aware of the various
threats that could harm the IT setup of your company. There are still other threats which include software attacks,
intellectual property theft, identity theft, equipment theft, information theft, sabotage, and information extortion,
social engineering threats in terms of emails, the internet, snail-mail, telephone, and other common attacks include
Network attacks, IP Spoofing Attacks, MITM (Man in the middle Attacks), and Software attacks.

Several common threats include:

1. Inappropriate Access: This illicit access is not known to anyone in the company. If the finance manager
displays financial information at the organization's annual general meeting but it does not accurately reflect the
circumstances or the organization's prior performance. When an outsider who is connected to a network other
than the company's network gains access to the network of an organization, once they are broken in, an attacker
has access to the data that users have saved on the network resource. In fact, a worker at the company may
also use their privilege to access the data.

How to secure data from unauthorized access: Check your financial statements frequently, looking out for any
unusual behavior. When setting a password for your system, you can include a number or character, so if you
notice anything strange, report it as soon as you can. Always use a firewall and antimalware program to protect
yourself from illegal access. Antivirus software will also regularly update and patch your operating system.

2. Theft of data: The term "data theft" refers to a sort of attack wherein unauthorized access is utilized to gain
confidential information. The attacker can easily steal user credentials to authenticate himself to the
organization's server and to read and copy confidential data stored in files. Internal users can steal credentials,
and they can also be taken through a variety of programs, such as malware that has been put on the system.

How to secure: Install updates as soon as they are made available for your operating system, web browser,
antivirus program, and security software. You can also install and utilize antivirus and antispyware software on all
your company's computers. They both provide "patches" that correct security holes in the program and are your
first line of protection against internet attacks. Open only attachments from trusted sources in email messages and
other downloads.

3. Hacking: Hacking was a phrase that came naturally to describe a user who was skilled in network and system
management as well as computer programming. Hacking into a system is technical prowess and a creative act
that over time grew to be linked with nefarious or unlawful system breaches. Currently, hackers are very adept
and employ sophisticated methods that are difficult to spot. A hacker could be a member of your staff or a third
party carrying out an unauthorized action during or after regular business hours. However, advanced
technologies are not always necessary for incidents like data theft or attacks on your system. The attacker may
carry out their attack by deceiving and tricking unwary individuals.


Ranjith Kumar Kothur


Aug 16 3:35am Last reply Aug 17 4:18pm

Gladys and Charlie seem to truly understand the scope and scale of the new information security effort. They both
realized spending a little extra on improving the antivirus and training the company’s employees isn’t going to cut it.
Fred, the CEO, immediately was worried about the cost and complications of improving security. He didn’t
understand what information security was. Charlie explained to Fred how important developing a security program
is. After that, Fred was on board. Thank goodness Fred is open-minded.

Before the discussion, Fred, Gladys, and Charlie focused on other ends in regards to information security. Fred was
more concerned with adding additional software to fix the malware issues when clearly there were easier steps that
need to be taken. Gladys' performance should be based on the new security measures and protocol that she has in
place for the organization. This of course, is putting a lot of trust into Charlie’s performance as she was the one to
introduce Charlie with his new plan on the organization’s new security. She practically had him nominated for CIO.
Because the original threat was initiated by an employee’s flash drive, Charlie may look at human errors first.
Establishing safe use policies and having employees confirm data can greatly reduce the risk of errors. Charlie may
also take into consideration software attacks. In the event of human errors (even after reformed policies), antivirus
software is a good first defense in preventing damage. Measuring Gladys and Charlie's performance might be
difficult. Fred could have monthly or quarterly meetings with them and see if the program is working. Some finite
ways to see performance could include seeing how many viruses or worms have been caught, how many have
passed through the system, and overall performance compared to previously. There could even be some tests.
They could send out some fake threats and see how well the employees respond. After reading the chapter, the
weakest link of a security program is usually people. Making sure employees are competent and trustworthy is a
key.


Manvitha Reddy Kondra


Edited Aug 16 1:20pm Last reply Aug 17 4:05pm

How should Fred measure success when he evaluates Gladys' performance for this project? How should
he evaluate Charlie's performance?

Some finite ways to evaluate their performance could include seeing how many viruses or worms the
organization was able to identify after Charlie has taken up his role as CISO, how many have passed through the
system, and the results could be compared with those of last month in order to see if there is any difference. Fred
can conduct some tests by sending out some fake threats and seeing how well the employees respond to them. Fred
can also conduct meetings to see if the programs Charlie and Gladys have introduced are working fine.

In addition, which of the threats discussed in this chapter should receive Charlie's attention early in his
planning process?

A threat refers to any possible malicious attack that seeks to unlawfully access data, disrupt digital operations, or
damage information. Cyber threats can come from within an organization i.e., from trusted users or from remote
locations by unknown parties.

Before considering outside threats, Charlie should look into internal threats early in the planning process. An
internal threat occurs when individuals close to an organization who have authorized access to its network
intentionally or unintentionally misuse that access to negatively affect the organization's critical data or systems.
Internal threats are the ones that are caused because of human error or failure, and these can be a negative
contribution to cyber security. For example, they may inadvertently email customer data to external parties, click on
phishing links in emails or share their login information with others. Contractors, business partners and third-party
vendors are the source of other internal threats. Creating a security program to educate the end users, limiting
employees' access to the specific resources they need to do their jobs, training new employees and contractors on
security awareness before allowing them to access the network, implementing two-factor authentication are few of
the measures that Charlie should suggest to overcome the issue of internal threat.

Also, he should consider the software attacks threat. Viruses and worms are malicious software programs aimed
at destroying an organization's systems, data and network. A computer virus is a malicious code that replicates by
copying itself to another program, system, or host file. It remains dormant until someone knowingly or inadvertently
activates it, spreading the infection without the knowledge or permission of a user or system administration. Since
the worms and viruses are coming from a personal flash drive there is someone either intentionally doing this or not
aware. To reduce the risk of these types of threats, Charlie should make sure that the organization installs antivirus
and anti-malware software on all their systems and networked devices and keep the software up to date. In
addition, organizations must train users not to download attachments or click on links in emails from unknown
senders and to avoid downloading free software from untrusted websites.


Rahi Patel
Aug 17 3:57pm

There are various types of threats:

1) Compromises to Intellectual property: Intellectual property means an organization's secrets, copyrights,
trademarks and more. It happens when software piracy takes place when someone breaks the copyright and steals
a license from one authorization.

2) Software Attacks: This happens when a person or a group develop software to attack a targeted system to
damage, destroy or deny the services. It is also known as Malicious code or software or Malware. There are
examples of that such as viruses, worms, macros or DoS.

3) Deviations in Quality of Service: A company's information system is built with different departments of security,
it happens when any of them is interrupted by a threat and can change the quality of service. Internet service,
power supply or communication can affect the information systems.

4) Trespass: When an attacker gains illegal access to confidential information it is known as trespass.

5) Forces of nature: Natural disasters like fire, floods, volcanoes, or tsunamis can change the method of system,
transmission and information and can damage them.

6) Human error: Humans can make mistakes without intending to breach the information. A misunderstanding,
improper training or false assumptions can affect the system and information in a company.

7) Information Extortion: It can happen when a known person steals the information and blackmails for that to
return the information.

8) Missing, inadequate, incomplete: Missing or incomplete company policy can make the system more
vulnerable to an attacker.

9) Missing, inadequate or incomplete control: It can lead to a threat to attack when a system is missing control
over information.

10) Sabotage: It can happen to destroy an organization's reputation by attacking the targeted system.

11) Theft: Stealing of information without acknowledging the owner.

12) Technical Hardware error: It leads to an attack when hardware has a known or unknown flaw while
distributing.

13) Technical software failures: A code is sold before the bug is detected.

14) Technical obsolescence: Old and vulnerable architecture of the system can make them more untrustworthy.

The attacks:

1) Malicious code: the execution of viruses, worms or trojan horses.

2) Hoax: A hoax with an actual virus that attacks computers.

3) Back doors: Using a known or unknown mechanism.

4) Password Crack: reversed calculation of password.

5) Brute force: Try a possible password to crack the system.

6) DoS, Spoofing and Man in the middle: These are attacks on IP addresses.

7) Phishing, mail bombing and spam: False emailing to a user.

8) Timing attack: Stored by cache or cookies lead this attack.


According to me, Fred can evaluate Gladys' performance on this project by matching all the requirements given for
Software Assurance on page no. 73 of Principles of Information Technology by Whitman and Mattord (2018).
What policies should be made is given in this information about software development and project management.

Fred can evaluate Charlie's performance based on security problems like breaching, attacking and detecting
threats by using software models.

Also, compromises on Intellectual property, software attacks, trespass, information extortion, sabotage and
hardware and software errors can receive Charlie's attention to make a new arrangement for information security.

Reference: Whitman and Mattord. (2018). Principles of Information Security (6th Ed.)


Saikoteswar Koneru
Aug 15 12:09pm

It could be challenging to evaluate Gladys and Charlie's performance. Fred may meet with them on a monthly or
quarterly basis to assess how well the program is performing. How many viruses or worms have been detected,
how many have made it through the system, and overall performance in comparison to earlier times are some finite
ways to measure performance. Even some testing might be conducted. They could issue some fictitious threats
and observe how the staff reacts. After reading the chapter, I realized that people are typically a security program's
weakest link. The key is ensuring that personnel are capable and reliable.

Gladys' performance ought to be evaluated in light of the new security measures and procedures she has
implemented for the company. Given that she was the one to present Charlie and his new plan for the
organization's new security, this obviously places a lot of faith in his performance. He was essentially nominated for
CIO by her.

Early in the planning process, internal threats should be investigated before external threats. Although human
mistakes and failures can potentially pose a threat to cybersecurity, internal threats do not always indicate that the
employees are acting maliciously.

Charlie might start by considering human error as the original threat was brought about through an employee's
flash drive. That's what I have to say because the original problem was caused by a worm on a USB device.
Someone is purposely causing trouble, or it might be an accident. Next comes locating the intruder, staff screening,
and training on how to handle security crises. One of the best methods to stop basic cybersecurity concerns from
occurring is by developing a security program and educating end users through the development of security policy
advice. The danger of mistakes can be significantly decreased by establishing safe use regulations and requiring
employee data confirmation. Charlie might also think about computer assaults. Antivirus software is a solid initial
line of defense in the event of human error (even after changed policies) in preventing damage.

