Registration Seminar

The document discusses the design and validation of security protocols. It outlines 10 sections that will be covered, including an introduction to information security, the need for formal analysis of security protocols, a literature survey of formal analysis tools, open challenges and application areas for security protocols like authentication and key management. The paper will communicate an abstract and conclusion.

Uploaded by Debasish Jena

Design and Validation of Security Protocols

1. Abstract
2. Introduction: Information
   a. Information is now treated as a commodity.
   b. Need for Information Security
   c. What is a security protocol?
3. Need for Formal Analysis
4. Literature Survey
5. Formal Analysis Tools
   a. AVISPA
   b. Scyther
   c. ProVerif
6. Open Challenges and Research Scope
7. Application Areas
   a. Authentication
   b. Key Management
8. Paper Communicated
   a. Abstract
   b. Conclusion
9. Conclusion
10. References
Information Security: The Ultimate Guide

What is Information Security (InfoSec)?


Information security (sometimes referred to as InfoSec) covers
the tools and processes that organizations use to protect
information. This includes policy settings that prevent
unauthorized people from accessing business or personal
information. InfoSec is a growing and evolving field that covers a
wide range of domains, from network and infrastructure security to
testing and auditing.

Information security protects sensitive information from
unauthorized activities, including inspection, modification,
recording, and any disruption or destruction. The goal is to
ensure the safety and privacy of critical data such as customer
account details, financial data or intellectual property.

The consequences of security incidents include theft of private
information, data tampering, and data deletion. Attacks can
disrupt work processes and damage a company’s reputation, and
also have a tangible cost.

Organizations must allocate funds for security and ensure that
they are ready to detect, respond to, and proactively prevent
attacks such as phishing, malware, viruses, malicious insiders,
and ransomware.

What are the 3 Principles of Information Security?

The basic tenets of information security are confidentiality,
integrity and availability. Every element of the information
security program must be designed to implement one or more of
these principles. Together they are called the CIA Triad.

Confidentiality

Confidentiality measures are designed to prevent unauthorized
disclosure of information. The purpose of the confidentiality
principle is to keep personal information private and to ensure
that it is visible and accessible only to those individuals who own
it or need it to perform their organizational functions.

Integrity

Integrity includes protection against unauthorized changes
(additions, deletions, alterations, etc.) to data. The principle of
integrity ensures that data is accurate and reliable and is not
modified incorrectly, whether accidentally or maliciously.

Availability

Availability is the protection of a system’s ability to make
software systems and data fully available when a user needs them
(or at a specified time). The purpose of availability is to make the
technology infrastructure, the applications and the data available
when they are needed for an organizational process or for an
organization’s customers.

The CIA Triad defines three key principles of data security

Information Security vs Cybersecurity


Information security differs from cybersecurity in both scope and
purpose. The two terms are often used interchangeably, but more
accurately, cybersecurity is a subcategory of information security.
Information security is a broad field that covers many areas such
as physical security, endpoint security, data encryption, and
network security. It is also closely related to information
assurance, which protects information from threats such as
natural disasters and server failures.

Cybersecurity primarily addresses technology-related threats,
with practices and tools that can prevent or mitigate them.
Another related category is data security, which focuses on
protecting an organization’s data from accidental or malicious
exposure to unauthorized parties.

Information Security Policy


An Information Security Policy (ISP) is a set of rules that guide
individuals when using IT assets. Companies can create
information security policies to ensure that employees and other
users follow security protocols and procedures. Security policies
are intended to ensure that only authorized users can access
sensitive systems and information.

Creating an effective security policy and taking steps to ensure
compliance is an important step towards preventing and
mitigating security threats. To make your policy truly effective,
update it frequently based on company changes, new threats,
conclusions drawn from previous breaches, and changes to
security systems and tools.

Make your information security strategy practical and reasonable.
To meet the needs and urgency of different departments within
the organization, it is necessary to deploy a system of exceptions,
with an approval process, enabling departments or individuals to
deviate from the rules in specific circumstances.

Top Information Security Threats


There are hundreds of categories of information security threats
and millions of known threat vectors. Below we cover some of the
key threats that are a priority for security teams at modern
enterprises.

Unsecure or Poorly Secured Systems

The speed of technological development often leads to
compromises in security measures. In other cases, systems are
developed without security in mind, and remain in operation at an
organization as legacy systems. Organizations must identify these
poorly secured systems, and mitigate the threat by securing or
patching them, decommissioning them, or isolating them.

Social Media Attacks

Many people have social media accounts, where they often
unintentionally share a lot of information about
themselves. Attackers can launch attacks directly via social
media, for example by spreading malware via social media
messages, or indirectly, by using information obtained from these
sites to analyze user and organizational vulnerabilities, and use
them to design an attack.

Social Engineering

Social engineering involves attackers sending emails and
messages that trick users into performing actions that may
compromise their security or divulge private information.
Attackers manipulate users using psychological triggers like
curiosity, urgency or fear.

Because the source of a social engineering message appears to
be trusted, people are more likely to comply, for example by
clicking a link that installs malware on their device, or by
providing personal information, credentials, or financial details.

Organizations can mitigate social engineering by making users
aware of its dangers and training them to identify and avoid
suspected social engineering messages. In addition, technological
systems can be used to block social engineering at its source, or
prevent users from performing dangerous actions such as clicking
on unknown links or downloading unknown attachments.

Malware on Endpoints

Organizational users work with a large variety of endpoint
devices, including desktop computers, laptops, tablets, and
mobile phones, many of which are privately owned and not under
the organization’s control, and all of which connect regularly to
the Internet.

A primary threat on all these endpoints is malware, which can be
transmitted by a variety of means, can result in compromise of
the endpoint itself, and can also lead to lateral movement and
privilege escalation into other organizational systems.

Traditional antivirus software is insufficient to block all modern
forms of malware, and more advanced approaches to securing
endpoints are being developed, such as endpoint detection and
response (EDR).

Lack of Encryption

Encryption encodes data so that it can only be decoded by
holders of the secret key. It is very effective in preventing
disclosure of data in case of equipment loss or theft, or in case
organizational systems are compromised by attackers.

Unfortunately, this measure is often overlooked due to its
complexity and the lack of legal obligations associated with proper
implementation. Organizations are increasingly adopting
encryption, by purchasing storage devices or using cloud services
that support encryption, or by using dedicated security tools.

Security Misconfiguration

Modern organizations use a huge number of technological
platforms and tools, in particular web applications, databases,
and Software as a Service (SaaS) applications, or Infrastructure
as a Service (IaaS) from providers like Amazon Web Services.

Enterprise grade platforms and cloud services have security
features, but these must be configured by the organization.
Security misconfiguration due to negligence or human error can
result in a security breach. Another problem is “configuration
drift”, where correct security configuration can quickly become
out of date and make a system vulnerable, unbeknownst to IT or
security staff.

Organizations can mitigate security misconfiguration using
technological platforms that continuously monitor systems,
identify configuration gaps, and alert or even automatically
remediate configuration issues that make systems vulnerable.

Active vs Passive Attacks


Information security is intended to protect organizations against
malicious attacks. There are two primary types of attacks: active
and passive. Active attacks are considered more difficult to
prevent, and the focus is on detecting, mitigating and recovering
from them. Passive attacks are easier to prevent with strong
security measures.

Active Attack

An active attack involves intercepting a communication or
message and altering it for malicious effect. There are three
common variants of an active attack:

 Interruption—the attacker interrupts the original
communication and creates new, malicious messages,
pretending to be one of the communicating parties.
 Modification—the attacker uses existing communications,
and either replays them to fool one of the communicating
parties, or modifies them to gain an advantage.
 Fabrication—creates fake, or synthetic, communications,
typically with the aim of achieving denial of service (DoS).
This prevents users from accessing systems or performing
normal operations.

Passive Attack

In a passive attack, an attacker monitors a system and
illicitly copies information without altering it. They then use this
information to disrupt networks or compromise target systems.

The attackers do not make any change to the communication or
the target systems. This makes the attack more difficult to detect.
However, encryption can help prevent passive attacks because it
obfuscates the data, making it more difficult for attackers to
make use of it.

Active Attacks | Passive Attacks
--- | ---
Modify messages, communications or data | Do not make any change to data or systems
Pose a threat to the availability and integrity of sensitive data | Pose a threat to the confidentiality of sensitive data
May result in damage to organizational systems | Do not directly cause damage to organizational systems
Victims typically know about the attack | Victims typically do not know about the attack
Main security focus is on detection and mitigation | Main security focus is on prevention
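As an added example (not from the original article), here are the two attack classes run against the same constructed message in Go, using only the standard library. The message is sent once under AES-CTR, which gives confidentiality only, and once under AES-GCM, an authenticated mode. A passive attacker who copies the CTR ciphertext learns nothing, which is the encryption point made above; an active attacker who flips one CTR ciphertext byte changes the decrypted amount from 100 to 900 and the receiver raises no error, while the GCM receiver rejects the identical change. The message text, the byte offset of the amount and the panic-on-error helpers are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// ctrXOR applies the AES-CTR keystream for (key, iv) to in; the same call
// encrypts and decrypts. Confidentiality only: nothing here can detect that a
// ciphertext byte was altered in transit.
func ctrXOR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // demo key is always valid; real code returns the error
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// gcmSeal encrypts and authenticates with AES-GCM. Output: nonce || ciphertext || tag.
func gcmSeal(key, plaintext []byte) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// gcmOpen reverses gcmSeal and returns an error if nonce, ciphertext or tag
// was changed. The length check keeps a truncated wire from slicing out of range.
func gcmOpen(key, wire []byte) ([]byte, error) {
	gcm := newGCM(key)
	ns := gcm.NonceSize()
	if len(wire) < ns+gcm.Overhead() {
		return nil, errors.New("wire too short")
	}
	return gcm.Open(nil, wire[:ns], wire[ns:], nil)
}

// Outcome records what the attacker and the receiver observe in Demo.
type Outcome struct {
	CTRLeaksPlaintext bool   // passive: is the plaintext visible in the CTR ciphertext?
	CTRTamperedResult string // active: what the CTR receiver accepts after one byte flip
	GCMRoundTrip      bool   // honest GCM exchange decrypts correctly
	GCMRejectsTamper  bool   // active: does the GCM receiver refuse the same flip?
}

const amountOffset = 4 // index of '1' in the constructed message "PAY 100 TO ALICE"

func Demo() Outcome {
	var o Outcome
	key := randomBytes(32)            // AES-256 key shared by sender and receiver
	iv := randomBytes(aes.BlockSize)  // fresh CTR IV for this message
	msg := []byte("PAY 100 TO ALICE") // constructed sample message

	// Passive attacker copies the CTR ciphertext off the wire and sees no plaintext.
	ct := ctrXOR(key, iv, msg)
	o.CTRLeaksPlaintext = bytes.Contains(ct, msg)

	// Active attacker: XORing a CTR ciphertext byte XORs the same plaintext byte,
	// so '1'^'9' turns "100" into "900" and the receiver has no way to notice.
	tampered := append([]byte(nil), ct...)
	tampered[amountOffset] ^= '1' ^ '9'
	o.CTRTamperedResult = string(ctrXOR(key, iv, tampered))

	// Same message under GCM: honest receipt works; the identical byte flip is
	// rejected with "cipher: message authentication failed".
	wire := gcmSeal(key, msg)
	pt, err := gcmOpen(key, wire)
	o.GCMRoundTrip = err == nil && bytes.Equal(pt, msg)
	tampered = append([]byte(nil), wire...)
	tampered[newGCM(key).NonceSize()+amountOffset] ^= '1' ^ '9'
	_, err = gcmOpen(key, tampered)
	o.GCMRejectsTamper = err != nil
	return o
}
```

The CTR case is why "encryption helps prevent passive attacks" is the whole of the claim: a cipher without an integrity tag still lets an active attacker steer the plaintext. In practice use an AEAD such as AES-GCM (or ChaCha20-Poly1305) and never reuse a nonce under the same key, since that also breaks GCM's integrity guarantee.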

Information Security and Data Protection Laws

Information security is in constant interaction with the laws and
regulations of the places where an organization does business.
Data protection regulations around the world focus on enhancing
the privacy of personal data, and place restrictions on the way
organizations can collect, store, and make use of customer data.

Data privacy focuses on personally identifiable information (PII),
and is primarily concerned with how the data is stored and used.
PII includes any data that can be linked directly to the user, such
as name, ID number, date of birth, physical address, or phone
number. It may also include artifacts like social media posts,
profile pictures and IP addresses.

Data Protection Laws in the European Union (EU): the GDPR

The best-known privacy law in the EU is the General Data
Protection Regulation (GDPR). This regulation covers the
collection, use, storage, security and transmission of data related
to individuals in the EU.

The GDPR applies to any organization that processes the personal
data of individuals in the EU, regardless of whether the company
itself is based inside or outside the European Union. Violations may
result in fines of up to 4% of annual global turnover or 20 million
euro, whichever is higher.

The main goals of the GDPR are:

 Setting the privacy of personal data as a basic human right
 Implementing privacy criteria requirements
 Standardization of how privacy rules are applied
GDPR includes protection of the following data types:

 Personal information such as name, ID number, date of birth,
or address
 Web data such as IP address, cookies, location, etc.
 Health information including diagnosis and prognosis
 Biometric data including voice data, DNA, and fingerprints
 Private communications
 Photos and videos
 Cultural, social or economic data

Data Protection Laws in the USA

Despite the introduction of some regulations, there is currently
no comprehensive federal law governing data privacy in general in
the United States. However, some regulations protect certain types
or uses of data. These include:

 Federal Trade Commission Act—prohibits organizations
from deceiving consumers with regard to privacy policies,
failing to adequately protect customer privacy, and
misleading advertising.
 Children’s Online Privacy Protection Act—regulates the
collection of data related to minors.
 Health Insurance Portability and Accountability
Act (HIPAA)—regulates the storage, privacy and use of
health information.
 Gramm Leach Bliley Act (GLBA)—regulates personal
information collected and stored by financial institutions and
banks.
 Fair Credit Reporting Act—regulates the collection, use,
and accessibility of credit records and information.

Additionally, the Federal Trade Commission (FTC) is responsible
for protecting consumers from unfair or deceptive practices,
including those relating to data security and privacy. The FTC can
issue regulations, enforce laws, penalize violations, and investigate
suspected violations.

In addition to federal guidelines, 25 US states have enacted
various laws to regulate data. The most famous example is the
California Consumer Privacy Act (CCPA). The law went into effect
in January 2020 and provides protection to California residents,
including the right to access private information, request deletion
of private information, and opt out of data collection or resale.

There are also other regional regulations, such as:

 Australian Prudential Regulation Authority (APRA) CPS 234
 Canada’s Personal Information Protection and Electronic
Documents Act (PIPEDA)
 Singapore’s Personal Data Protection Act (PDPA)

Information Security with Imperva


Imperva helps organizations of all sizes implement information
security programs and protect sensitive data and assets.

Imperva Application Security

Imperva provides multi-layered protection to make sure websites
and applications are available, easily accessible and safe. The
Imperva application security solution includes:

 DDoS Protection—maintain uptime in all situations. Prevent
any type of DDoS attack, of any size, from preventing access
to your website and network infrastructure.
 CDN—enhance website performance and reduce bandwidth
costs with a CDN designed for developers. Cache static
resources at the edge while accelerating APIs and dynamic
websites.
 WAF—cloud-based solution permits legitimate traffic and
prevents bad traffic, safeguarding applications at the edge.
Gateway WAF keeps applications and APIs inside your
network safe.
 Bot management—analyzes your bot traffic to pinpoint
anomalies, identifies bad bot behavior and validates it via
challenge mechanisms that do not impact user traffic.
 API security—protects APIs by ensuring only desired traffic
can access your API endpoint, as well as detecting and
blocking exploits of vulnerabilities.
 Account takeover protection—uses an intent-based
detection process to identify and defend against attempts to
take over users’ accounts for malicious purposes.
 RASP—keep your applications safe from within against known
and zero-day attacks. Fast and accurate protection with no
signature or learning mode.
 Attack analytics—mitigate and respond to real security
threats efficiently and accurately with actionable intelligence
across all your layers of defense.

Imperva Data Protection

Imperva’s data security solution protects your data wherever it
lives—on premises, in the cloud and in hybrid environments. It
also provides security and IT teams with full visibility into how the
data is being accessed, used, and moved around the
organization.

Our comprehensive approach relies on multiple layers of
protection, including:

 Database firewall—blocks SQL injection and other threats,
while evaluating for known vulnerabilities.
 User rights management—monitors data access and
activities of privileged users to identify excessive,
inappropriate, and unused privileges.
 Data masking and encryption—obfuscates sensitive data
so it would be useless to the bad actor, even if somehow
extracted.
 Data loss prevention (DLP)—inspects data in motion, at
rest on servers, in cloud storage, or on endpoint devices.
 User behavior analytics—establishes baselines of data
access behavior, uses machine learning to detect and alert on
abnormal and potentially risky activity.
 Data discovery and classification—reveals the location,
volume, and context of data on premises and in the cloud.
 Database activity monitoring—monitors relational
databases, data warehouses, big data and mainframes to
generate real-time alerts on policy violations.
 Alert prioritization—Imperva uses AI and machine learning
technology to look across the stream of security events and
prioritize the ones that matter most.

There are so many reasons why information is the greatest commodity in
the world. Information helps people. It spreads the knowledge of topics and
subjects. It is the basis for every study, occupation, and hobby. The most
important reason why information is the greatest commodity in the world, a
reason that effectively sums up all others, is simple: everyone needs
information.

Modern information technology changes not only how commercial transactions occur, but
also, more fundamentally, the subject matter of commerce itself. It creates new products,
which require re-examination of the definitions of property rights, liability, and contract
terms relating to information rather than goods. The challenge posed to scholars and
policymakers by these issues constitutes the new frontier of commercial law.
What is Information Security?

rashi_garg

Introduction:
Information security is the practice of protecting information by mitigating
information risks. It involves the protection of information systems and the
information processed, stored and transmitted by these systems from unauthorized
access, use, disclosure, disruption, modification or destruction. This includes the
protection of personal information, financial information, and sensitive or confidential
information stored in both digital and physical forms. Effective information security
requires a comprehensive and multi-disciplinary approach, involving people,
processes, and technology.
Information security is not only about securing information from unauthorized access.
It is the practice of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of information. Information can be
physical or electronic: your personal details, your profile on social media, the data on
your mobile phone, your biometrics, and so on. Information security therefore spans
many research areas, such as cryptography, mobile computing, cyber forensics and
online social media.
During the First World War, a multi-tier classification system was developed, keeping in
mind the sensitivity of the information. With the beginning of the Second World War, the
classification system was formally aligned. Alan Turing and the team at Bletchley Park
successfully broke the Enigma machine, which the Germans used to encrypt military
communications.
Effective information security requires a comprehensive approach that considers all
aspects of the information environment, including technology, policies and
procedures, and people. It also requires ongoing monitoring, assessment, and
adaptation to address emerging threats and vulnerabilities.
Why do we use Information Security?
We use information security to protect valuable information assets from a wide range
of threats, including theft, espionage, and cybercrime. Information security is
necessary to ensure the confidentiality, integrity, and availability of information,
whether it is stored digitally or in other forms such as paper documents. Here are some
key reasons why information security is important:
1. Protecting sensitive information: Information security helps protect
sensitive information from being accessed, disclosed, or modified by
unauthorized individuals. This includes personal information, financial data,
and trade secrets, as well as confidential government and military
information.
2. Mitigating risk: By implementing information security measures,
organizations can mitigate the risks associated with cyber threats and other
security incidents. This includes minimizing the risk of data breaches,
denial-of-service attacks, and other malicious activities.
3. Compliance with regulations: Many industries and jurisdictions have
specific regulations governing the protection of sensitive information.
Information security measures help ensure compliance with these
regulations, reducing the risk of fines and legal liability.
4. Protecting reputation: Security breaches can damage an organization’s
reputation and lead to lost business. Effective information security can help
protect an organization’s reputation by minimizing the risk of security
incidents.
5. Ensuring business continuity: Information security helps ensure that critical
business functions can continue even in the event of a security incident.
This includes maintaining access to key systems and data, and minimizing
the impact of any disruptions.
Information security programs are built around 3 objectives, commonly known as
CIA: Confidentiality, Integrity, Availability.

1. Confidentiality – means information is not disclosed to unauthorized
individuals, entities or processes. For example, I have a password for my
Gmail account, but someone saw it while I was logging in to the Gmail
account. In that case my password has been compromised and
confidentiality has been breached.
2. Integrity – means maintaining the accuracy and completeness of data. This
means data cannot be edited in an unauthorized way. For example, if an
employee leaves an organisation, then the data for that employee in
all departments, such as accounts, should be updated to reflect the status JOB
LEFT so that the data is complete and accurate; in addition, only an
authorized person should be allowed to edit employee data.
3. Availability – means information must be available when needed. For
example, if one needs to access the information of a particular employee to
check whether the employee has exceeded their number of leave days, that
requires collaboration between different organizational teams such as network
operations, development operations, incident response and policy/change
management.
A denial-of-service attack is one factor that can hamper the availability
of information.
Apart from these, there is one more principle that governs information security
programs: non-repudiation.
 
 Non-repudiation – means one party cannot deny receiving a message or a
transaction, nor can the other party deny sending a message or a transaction.
For example, in cryptography it is sufficient to show that the message matches
the digital signature produced with the sender’s private key; then the sender
must have sent the message and nobody else could have altered it in transit.
Data integrity and authenticity are prerequisites for non-repudiation.

 Authenticity – means verifying that users are who they say they are and
that each input arriving at the destination is from a trusted source. Following
this principle guarantees that a valid and genuine message is received from a
trusted source through a valid transmission. For example, taking the example
above, the sender sends the message along with a digital signature which was
generated from the hash value of the message and the sender’s private key. At
the receiver side the digital signature is decrypted using the sender’s public
key, which recovers a hash value, and the message is hashed again to generate
a second hash value. If the two values match, the transmission is valid and the
message received at the recipient side is authentic, or as we say genuine.
 Accountability – means that it should be possible to trace the actions of an
entity uniquely to that entity. For example, as discussed in the integrity
section, not every employee should be allowed to make changes to other
employees’ data. For this there is a separate department in an organization
that is responsible for making such changes; when they receive a request
for a change, the letter must be signed by a higher authority, for example the
Director of the college, and the person assigned that change is able to make
it only after verifying their biometrics, so that a timestamp and the details of
the user making the change are recorded. If a change goes through like this,
it is possible to trace the actions uniquely to an entity.
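The hash-then-sign exchange described under non-repudiation and authenticity above, as an added example that is not part of the original text, in Go using only the standard library. The text names no algorithm; this example uses Ed25519, so the "decrypt the signature with the public key" step of the RSA description becomes an Ed25519 verify call that checks the signature directly instead of recovering a hash. The message, the byte changed in transit and the second key pair are constructed for the demo. The final check contrasts a shared-key HMAC over the same message: the receiver can compute the identical tag, which is exactly why a MAC gives integrity and authenticity but not non-repudiation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Sign hashes the message and signs the digest with the sender's private key:
// the "hash value of the message and private key" step in the text. (Ed25519
// hashes internally as well; the explicit SHA-256 keeps that structure visible.)
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	digest := sha256.Sum256(msg)
	return ed25519.Sign(priv, digest[:])
}

// Verify recomputes the digest at the receiver and checks the signature with
// the sender's public key. It returns true only for an unaltered message
// signed by the holder of the matching private key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ed25519.Verify(pub, digest[:], sig)
}

// Result records the outcome of each check in Demo.
type Result struct {
	Genuine              bool // unaltered message, sender's key: must verify
	Tampered             bool // one byte changed in transit: must not verify
	WrongKey             bool // signed with someone else's private key: must not verify
	HMACReceiverCanForge bool // shared-key MAC: the receiver computes an identical tag
}

func Demo() (Result, error) {
	var r Result
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}

	msg := []byte("transfer 100 to alice") // constructed sample message
	sig := Sign(senderPriv, msg)
	r.Genuine = Verify(senderPub, msg, sig)

	// Integrity: an attacker in transit changes "100" to "900"; the signature
	// no longer matches the recomputed hash.
	altered := append([]byte(nil), msg...)
	altered[9] = '9'
	r.Tampered = Verify(senderPub, altered, sig)

	// Authenticity and non-repudiation: only the holder of senderPriv can
	// produce a signature that senderPub accepts.
	r.WrongKey = Verify(senderPub, msg, Sign(otherPriv, msg))

	// Contrast with an HMAC under a key shared by sender and receiver: the
	// receiver computes the same tag, so a valid tag proves the message came
	// from *a* key holder, not which one. A MAC therefore gives integrity and
	// authenticity but cannot give non-repudiation.
	shared := make([]byte, 32)
	if _, err := rand.Read(shared); err != nil {
		return r, err
	}
	senderMAC := hmac.New(sha256.New, shared)
	senderMAC.Write(msg)
	receiverMAC := hmac.New(sha256.New, shared)
	receiverMAC.Write(msg)
	r.HMACReceiverCanForge = hmac.Equal(senderMAC.Sum(nil), receiverMAC.Sum(nil))
	return r, nil
}
```

For non-repudiation to hold in practice the public key must also be bound to the sender's identity (a certificate or a trusted key directory) and the private key must stay exclusively with the sender; the signature check alone only ties the message to whoever holds that key.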
There are several advantages to implementing an information classification system in an
organization’s information security program:
1. Improved security: By identifying and classifying sensitive information,
organizations can better protect their most critical assets from unauthorized
access or disclosure.
2. Compliance: Many regulatory and industry standards, such as HIPAA and
PCI-DSS, require organizations to implement information classification and
data protection measures.
3. Improved efficiency: By clearly identifying and labeling information,
employees can quickly and easily determine the appropriate handling and
access requirements for different types of data.
4. Better risk management: By understanding the potential impact of a data
breach or unauthorized disclosure, organizations can prioritize resources
and develop more effective incident response plans.
5. Cost savings: By implementing appropriate security controls for different
types of information, organizations can avoid unnecessary spending on
security measures that may not be needed for less sensitive data.
6. Improved incident response: By having a clear understanding of the
criticality of specific data, organizations can respond to security incidents in
a more effective and efficient manner.
There are some potential disadvantages to implementing an information
classification system in an organization’s information security program:
1. Complexity: Developing and maintaining an information classification
system can be complex and time-consuming, especially for large
organizations with a diverse range of data types.
2. Cost: Implementing and maintaining an information classification system
can be costly, especially if it requires new hardware or software.
3. Resistance to change: Some employees may resist the implementation of
an information classification system, especially if it requires them to change
their usual work habits.
4. Inaccurate classification: Information classification is often done by
humans, so some information may be misclassified, which
can lead to inadequate protection or unnecessary restrictions on access.
5. Lack of flexibility: Information classification systems can be rigid and
inflexible, making it difficult to adapt to changing business needs or new
types of data.
6. False sense of security: Implementing an information classification system
may give organizations a false sense of security, leading them to overlook
other important security controls and best practices.
7. Maintenance: Information classification should be reviewed and updated
frequently, if not it can become outdated and ineffective.
Uses of Information Security:
Information security has many uses, including:
1. Confidentiality: Keeping sensitive information confidential and protected
from unauthorized access.
2. Integrity: Maintaining the accuracy and consistency of data, even in the
presence of malicious attacks.
3. Availability: Ensuring that authorized users have access to the information
they need, when they need it.
4. Compliance: Meeting regulatory and legal requirements, such as those
related to data privacy and protection.
5. Risk management: Identifying and mitigating potential security threats to
prevent harm to the organization.
6. Disaster recovery: Developing and implementing a plan to quickly recover
from data loss or system failures.
7. Authentication: Verifying the identity of users accessing information
systems.
8. Encryption: Protecting sensitive information from unauthorized access by
encoding it into a secure format.
9. Network security: Protecting computer networks from unauthorized
access, theft, and other types of attacks.
10. Physical security: Protecting information systems and the information they
store from theft, damage, or destruction by securing the physical facilities
that house these systems.
Issues of Information Security:
Information security faces many challenges and issues, including:
1. Cyber threats: The increasing sophistication of cyber attacks, including
malware, phishing, and ransomware, makes it difficult to protect
information systems and the information they store.
2. Human error: People can inadvertently put information at risk through
actions such as losing laptops or smartphones, clicking on malicious links,
or using weak passwords.
3. Insider threats: Employees with access to sensitive information can pose a
risk if they intentionally or unintentionally cause harm to the organization.
4. Legacy systems: Older information systems may not have the security
features of newer systems, making them more vulnerable to attack.
5. Complexity: The increasing complexity of information systems and the
information they store makes it difficult to secure them effectively.
6. Mobile and IoT devices: The growing number of mobile devices and
internet of things (IoT) devices creates new security challenges as they can
be easily lost or stolen, and may have weak security controls.
7. Integration with third-party systems: Integrating information systems
with third-party systems can introduce new security risks, as the third-party
systems may have security vulnerabilities.
8. Data privacy: Protecting personal and sensitive information from
unauthorized access, use, or disclosure is becoming increasingly important
as data privacy regulations become stricter.
9. Globalization: The increasing globalization of business makes it more
difficult to secure information, as data may be stored, processed, and
transmitted across multiple countries with different security requirements.
