Aaron Joseph MIS Assignment


SECURITY THREATS TO INFORMATION SYSTEM

MIS ASSIGNMENT
BY – AARON V JOSEPH
210903002, BCom Hons (A) ,VI SEM

1. INTRODUCTION

Information systems (IS) are exposed to different types of security threats,
which can result in significant financial losses and damage to information
system resources. The types of damage caused by security threats differ, e.g.
database integrity breaches, or physical destruction of an entire information
systems facility caused by fire, flood, etc. The source of these threats can be
unwanted activities of "reliable" employees, hacker attacks, accidental mistakes
in data entry, etc. The financial losses caused by security breaches often
cannot be determined exactly, because a significant number of smaller-scale
security incidents are never discovered, some incidents are described as
accidental mistakes, and all of this results from a tendency to minimise the
responsibility of the person responsible for the security incident. A security
threat can be defined as any event that can result in a breach of information
confidentiality, integrity or availability, or in any other form of damage to
information system resources. The consequences of security threats differ: some
threats affect the confidentiality or reliability of stored data, and some
affect the functionality and efficiency of the entire information system.
Security threats can be observed and classified in different ways and by
different criteria. The motivation for this article arises from the information
system security survey conducted by the authors in 2005 and 2006. This survey
showed that the level of information system security in Croatian companies is
relatively low. There are significant differences in security level between
economic sectors, e.g. the financial and ICT sectors versus the manufacturing
and sales & retail sectors. The total number of business organizations that
participated in the survey was 60 (36 participants in 2005 and 24 participants
in 2006). The Croatian companies that participated were grouped as follows,
based on their common characteristics: manufacturing, sales and retail, ICT
sector, financial sector (banks, financial funds, insurance), and public
administration. For this paper, two survey questions regarding information
system security threat classifications are of interest. Precisely:
1. Does your organization systematically monitor and record the information
system security threats to which it is exposed? and
2. Does your organization use any of the described information system security
threat classifications for ISS threat monitoring?
Only 10.81% of survey participants in 2005 conducted systematic monitoring and
recording of the information system security threats to which their
organization is exposed. The majority of organizations that answered yes to
this question came from the ICT sector (21.43%) and the financial sector
(11.11%). Only 8.82% of participants used one of the internationally defined
and recognized information system security threat classifications. The best
situation was in the ICT sector, where 14.28% systematically record and use an
information system security threat classification, followed by the financial
sector (11.11%). The two most used ISS threat classifications were ISO/IEC
17799 and the simplified NIST classification. These results motivated us to
describe the most important security threat (ISS) classifications and to
develop a new hybrid model which can be implemented in every environment as a
template for ISS threat monitoring and classification.

2. FACTORS AFFECTING SECURITY OF INFORMATION SYSTEMS

2.1 HUMAN FACTOR
Here we take into account human variables, including how people behave
physically and psychologically in connection with information system security.
Additionally, the referenced study noted that the suitability of user
behaviour when using the system is crucial to an organization's information
system security success. This area of human variables includes carelessness,
lack of skills, and trust. Details on the information in Table 1 are provided
in the next section.

Trust: According to this study, trust is the human component having the
greatest impact on the security of information systems. Because of
recommendations from co-workers or personal experience, one comes to trust
another individual. Although trust seems admirable, if safety measures are not
implemented, it can turn into a point of attack. Employees exchanging login
information or data without taking security into account is one of the
dangerous behaviours related to trust. These actions exacerbate the risks to
information system security. Though findings show that about 73.5% of
respondents know the risk of sharing personal credentials, there is still a
small number of people who do not understand this risk, which can result in
catastrophic information system security risks and vulnerabilities at the
institute. The same applies to the restriction of information based on its
classification as public, protected, or restricted.

Carelessness: According to reports, human carelessness also has an impact on
the security of information systems in a learning environment. Carelessness is
defined as an individual's activity or behaviour that deliberately or
unknowingly jeopardises the information system's security. One instance is
discussing work-related matters in emails or on public networks; it is
estimated that the average email user sends up to 112 emails per day and that
about one in every seven of these emails is connected to office gossip. Social
media chitchat about work-related issues can be irresponsible and reveal
confidential information to unwanted or unauthorised parties, increasing
security risks and vulnerabilities for a firm. Results showed that more than
half of respondents agreed to discuss office-related issues on social media,
which results in numerous information system security threats and
vulnerabilities. Other actions, like allowing a visitor to use a company
computer or connecting a personal computer to the network without taking the
proper security precautions, also raise alarms about security (Item 1.4).
Security hazards can also be brought about by leaving workplace computers
unattended (Item 1.5), introducing new hardware or software to users without
proper training (Item 1.6), and operating ICT infrastructures without an
ICT/IS security policy (Item 1.7). Additionally, employing old technology and
software, among many other negligent practices (Item 1.8), is thought to put
corporate information security at risk.

Lack of skills: Table 1 identifies a further human element affecting
information security in a learning environment, namely a lack of skills.
According to the research in reference [35], many people lack faith in the
information system security expertise and experience of their specialists to
handle current security concerns. Due to the high cost of most information
security certifications for individuals (Item 1.9), this is a challenge.
Additionally, the majority of businesses are reluctant to sponsor their staff
members for professional qualifications [36]. On the other hand, as
demonstrated by the study in reference [37], common users also lack
capabilities. This combination eventually has an impact on initiatives to
protect the security of information systems.

2.2 INADEQUATE INFORMATION SYSTEMS SECURITY POLICIES

An organization's personnel's duties and responsibilities for safeguarding its
information systems are specified in its information security policy [38].
Policies ensure proper administration of technology resources if they are
followed [39]. If not addressed properly, this group of factors can lead to
information system security threats and vulnerabilities, as explained in the
following subsections.

Lack of Information System Security Policy Training: The most prevalent
component within the policy category is a lack of information security policy
training. Users should receive training to equip them with the necessary
knowledge to ensure information system security [25] [40]. Users who go through
training are given reliable tools and the know-how to keep company information
secure. Table 1 shows that most of the people who answered the survey at IAA
did not get any training on ICT or information system security policies (Item
2.1). This means that they use ICT facilities without knowing the right rules
and safety features to protect themselves and their institution.

Poor Creation of Information System Security Policies: One cause of
information system security threats and vulnerabilities is the poor creation of
information system security policy. Findings of this study show that
participants were unaware of such policies, which means they were not involved
in their creation as stakeholders (Item 2.2). Studies in reference [13] provide
guidelines to adhere to and minimum standards for a security policy. Data
security, Internet and network services governance, use of company-owned
devices, physical security, incident handling and recovery, monitoring and
compliance, and policy administration are the parts of the security policy that
they advise including. In addition to these requirements, reference [25]
stressed how important it is to include all security stakeholders in the
process of writing the policy. They will be able to share their expertise,
thoughts, and ideas, so that the organisation's weak spots are exposed [41]. A
sound policy results from including the important stakeholders and following
the suggested standards.

Poor Implementation of Information Systems Security Policies: Poor application
of information systems security policy, as shown in Table 1, is one of the
variables that, without proper addressing, can lead to information system
security threats and vulnerabilities in an organisation (Item 2.3). According
to the study in reference [42], policy implementation challenges arise because
the majority of policies are created for compliance reasons rather than to
address actual security requirements. They also state that when information
systems policies are not put into place properly, they become useless documents
that make the system more vulnerable. With the right implementation of
information system security policies [20], the company could find
implementation issues, limitations, and technological changes that need to be
considered when making policies.

2.3 WORK ENVIRONMENT

This category refers to the social elements and physical circumstances in
which users of information systems carry out their work. It is the category of
elements most frequently identified as having an impact on the security of
information systems in the workplace. The individual factors of this
sub-category are detailed in the next subsection according to Table 1.

Inadequate Management Support: Inadequate management support for information
system security in an organisation can lead to security threats and
vulnerabilities. Findings show that IAA management does not provide awareness
and training in information system security policies to employees (Item 3.1).
Senior managers should serve as role models for the organisation by ensuring
appropriate training and awareness campaigns, as well as by positively
influencing their staff's security behaviour [15] [45]. Other strategies used
by management to assist subordinates include idealising security impact inside
an organisation, giving each person special consideration, and inspiring drive
[46]. According to the researchers in references [47] and [48], management's
failure to support security programmes increases the organisation's information
system security risk and vulnerabilities.

Organizational Security Culture: Another issue that is frequently mentioned in
relation to information system security is organisational security culture.
Establishing policies, norms, and guidelines that direct employees' behaviour
within a company becomes part of the organisation's culture [16]. The
organisation's inability to establish the proper security culture has led to a
rise in security threats associated with information systems [15] [33].
Management must establish the proper security culture and integrate it into the
long-term agenda. Sadly, research indicates that IAA does not operate in this
way (Item 3.2).

Workload: Another aspect included in the work environment category that has
been noted is workload. The workload in this essay refers to the volume of work
that must be finished within the allotted time and resources [49]. Findings
show that there are no restrictions on the use of optimisation software at IAA,
which can lead to information system security threats and vulnerabilities.
According to studies, employees' ambition to optimise production with limited
resources leads to a number of information system security threats and
vulnerabilities. Over time, the organisation's pressure on workers to meet
higher financial targets raises the possibility that they will violate security
[50]. Because of the constant pressure to stretch resources, employees put
performance over security concerns [51].

Internet and Network Use: This describes how much a company relies on the
Internet and networks to run its operations. In the current business climate,
an Internet connection is essential to being competitive. The usage of the
Internet becomes a risk to the security of information systems if the
organisation uses it to support its operations without properly weighing the
security concerns [53]. Findings show that respondents are unaware of any
restrictions regarding the use of Internet and network facilities at IAA (Item
3.4). This can result in the inappropriate use of such services, which leads to
information system security risks and vulnerabilities.

Access Control: As users demand greater privileges when interacting with the
system, access controls typically become less effective [54]. Instead of simply
satisfying an individual at the expense of overall security, the company must
regulate system access based on the individual's tasks and responsibilities
[55]. The information must be classified into three types: public, protected,
and restricted.
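The task-based access rule and the three-level classification described above (and the public/protected/restricted restriction mentioned under Trust), as an added illustration that is not code from the assignment or any cited paper. The roles, tasks and sample requests are constructed; real systems would load them from the organisation's policy.

```python
"""Task-based access control over the three information classes
named in the text: public, protected and restricted.

Added illustration; roles, tasks and requests below are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered so that a clearance covers every level at or below it."""
    PUBLIC = 0
    PROTECTED = 1
    RESTRICTED = 2


# Constructed catalogue: each task carries the lowest clearance the job
# actually needs, rather than whatever privilege a user asks for.
TASK_CLEARANCE = {
    "read_brochures": Classification.PUBLIC,
    "process_invoices": Classification.PROTECTED,
    "review_payroll": Classification.RESTRICTED,
}
ROLE_TASKS = {
    "intern": {"read_brochures"},
    "accountant": {"read_brochures", "process_invoices"},
    "payroll_officer": {"read_brochures", "process_invoices", "review_payroll"},
}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: Classification


def clearance_for(role: str):
    """Highest classification any of the role's tasks requires; None if the
    role is unknown, so that an unknown role never passes a check."""
    tasks = ROLE_TASKS.get(role, set())
    return max((TASK_CLEARANCE[t] for t in tasks), default=None)


def authorize(role: str, task: str, resource: Resource) -> tuple[bool, str]:
    """Allow only if the task belongs to the role AND the task's clearance
    covers the resource's classification. Returns (allowed, reason)."""
    if task not in ROLE_TASKS.get(role, set()):
        return False, f"task '{task}' is not part of role '{role}'"
    needed = TASK_CLEARANCE[task]
    if resource.classification > needed:
        return False, (f"task '{task}' is cleared to {needed.name}, but "
                       f"'{resource.name}' is {resource.classification.name}")
    return True, "task belongs to role and clearance covers classification"


def flag_privilege_creep(requests):
    """Review requests for broader rights: flag any request whose level
    exceeds what the requester's role needs for any of its tasks."""
    flagged = []
    for role, requested in requests:
        ceiling = clearance_for(role)
        if ceiling is None or requested > ceiling:
            flagged.append((role, requested.name))
    return flagged


if __name__ == "__main__":
    salaries = Resource("salaries", Classification.RESTRICTED)
    print(authorize("accountant", "process_invoices", salaries))
    print(flag_privilege_creep([("intern", Classification.RESTRICTED)]))
```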

2.4 DEMOGRAPHIC VARIABLES

This section presents information on a variety of demographic variables that
have been implicated in information system security threats and
vulnerabilities. Gender, age, level of education, experience, and managerial
function, according to reference [57], can all be used to predict a person's
intention to adhere to information system security, as described below.

Gender: According to this study, gender can lead to various information system
security threats and vulnerabilities. Findings show that the majority of
respondents perceive information system security as more likely to be a male
practice than a female one (Item 4.1). This perception leaves behind the
majority of female employees, who are competent enough and can bring the
required change in securing the organisations' information systems. The
researcher in reference [58] found that females are more likely than males to
perceive high levels of security threats. In a different study, reference [20]
found that men are more likely than women to exhibit superior information
security behaviours. Researchers in reference [36] say that since information
systems is thought of as a male-dominated field, it is important to get more
women to sign up for information systems security courses and get them
interested in a career in information system security.

Work Experience: The presumption is that an individual's employment history,
both technical and non-technical, has some bearing on how appropriate their
information security behaviour is. According to reference [59], experienced
staff are safer thanks to their prior exposure to handling various security
events. Additionally, work experience offers the chance for training, which
imparts important knowledge for defence against attacks [56]. According to the
findings of this study, experience in a less secure environment cannot provide
an employee with security knowledge and experience (Item 4.2). As explained in
previous subcategories, without an adequate information system security
training and awareness programme, it is likely for the institute to have
vulnerabilities and threats in its information systems.

Internet User Age: These study findings show that the Internet use habits of
young people lead to more information system security incidents compared to
senior employees. According to the researcher in reference, younger individuals
are more likely than older people to be aware of information system security
threats and vulnerabilities. They are similarly irresponsible with their
security knowledge. Additionally, when undergoing new changes, youthful people
are easy to teach, which is important when the firm changes its security
procedures [60]. Based on these results, more work needs to be done to deal
with how careless young people are and to teach older adults more about
security vulnerabilities and threats at IAA.

Level of Education: The results of this study show that the participants think
that a level of education in the Internet, cyber security, and information
system security can protect the institute from vulnerabilities and threats to
information system security. According to the research in reference,
businesses face a variety of information security risks as a result of
information being shared via the Internet. These difficulties with maintaining
information integrity and confidentiality depend on the understanding,
education, and conduct of the end user. A trained, cyber-literate workforce and
an education system that can create such a workforce are necessary for
successfully defending the organisation's vital infrastructure against
cyberattacks.

OBSERVATIONS AND CONCLUSIONS

This research put information system security threats and vulnerabilities into
four groups. The first category comprises human elements, including
carelessness, level of skill, and trust. The inadequacy of information security
policies, which includes problems with policy creation, implementation, and a
lack of security training, was the second category. The study also looked at
the "work environment", which includes things like support from management,
organisational security culture, workload, Internet and network use, and access
control. Last but not least, the study included variables related to gender,
age, education level, and work experience under the category of "demographic
variables". The study findings showed that almost all these categories received
negative responses and contributed highly to the information system risks and
vulnerabilities at the institute. Moreover, there is an unregulated level of
trust, negligence, and inadequate security measures. Based on these results,
the study suggests that:

1) Organisations should regularly train their staff to improve their
information system security proficiency.

2) Given that women are disproportionately affected, the institutes should make
a concerted effort to increase their awareness.

3) The institute should create up-to-date policies that fully handle the issues
with contemporary information system security and update them at a minimum of
every four (4) years.

4) The institute ought to promote actions that lessen exposure to information
system security concerns.

References

[1] Kundy, E.D. and Lyimo, B.J. (2019) Cyber Security Threats in Higher
Learning Institutions in Tanzania: A Case Study of University of Arusha and
Tumaini University Makumira. Olva Academy, School of Researchers, 2, 1-37.
[2] Semlambo, A., Almasi, K. and Liechuka, Y. (2022) Perceived Usefulness and
Ease of Use of Online Examination System: A Case of Institute of Accountancy
Arusha. International Journal of Scientific Research and Management (IJSRM),
10, 851-861. https://doi.org/10.18535/ijsrm/v10i4.ec08
[3] Semlambo, A., Almasi, K. and Liechuka, Y. (2022) Facilitators' Perceptions
on Online Assessment in Public Higher Learning Institutions in Tanzania: A Case
Study of the Institute of Accountancy Arusha (IAA). International Journal of
Scientific Research and Management (IJSRM), 10, 34-42.
https://doi.org/10.18535/ijsrm/v10i6.lis02
[4] Lubua, E.W., Semlambo, A. and Pretorius, P.D. (2017) Factors Affecting the
Use of Social Media in the Learning Process. South African Journal of
Information Management, 19, a764. https://doi.org/10.4102/sajim.v19i1.764
[5] Nfuka, E.N., Sanga, C. and Mshangi, M. (2015) The Rapid Growth of
Cybercrimes Affecting Information Systems in the Global: Is this a Myth or
Reality in Tanzania? International Journal of Information Security Science, 3,
182-199.
[6] Tanzania Communication Regulatory Authority (2022) 2022 Quarterly
Statistics Reports. Tanzania Communication Regulatory Authority, Dar es Salaam.
[7] Saunders, J. (2017) Tackling Cybercrime: The UK Response. Journal of Cyber
Policy, 2, 4-15. https://doi.org/10.1080/23738871.2017.1293117
[8] Lewis, J. (2018) Economic Impact of Cybercrimes: No Slowing Down. McAfee,
Santa Clara.
https://www.mcafee.com/enterprise/en-us/assets/reports/restricted/rp-economic-impact-cybercrime.pdf
[9] Kaspersky (2021) Top Ransomware Attacks of 2020. Kaspersky, Moscow.
[10] International Telecommunication Union (2021) Cyber Security in Tanzania:
Country Report. International Telecommunication Union, Geneva.
[11] International Business Machines Corporation (IBM) (2021) Cost of Data
Breach Report. International Business Machines Corporation, Armonk.
[12] Gordon, L.A., Loeb, M.P. and Zhou, L. (2011) The Impact of Information
Security Breaches: Has There Been a Downward Shift in Costs? Journal of
Computer Security, 19, 33-56. https://doi.org/10.3233/JCS-2009-0398
[13] Lubua, E.W. and Pretorius, P.D. (2019) Ranking Cybercrimes Based on Their
Impact on Organisations' Welfare. 2019 THREAT Conference Proceedings,
Johannesburg, 26-27 June 2019, 1-11.
[14] Al-Omari, A., El-Gayar, O. and Deokar, A. (2012) Security Policy
Compliance: User Acceptance Perspective. 2012 45th Hawaii International
Conference on System Sciences, Maui, 4-7 January 2012, 1-10.
https://doi.org/10.1109/HICSS.2012.516