
CHAPTER 5: THE IMPORTANCE OF INFORMATION SECURITY IN ORGANIZATIONS
Muhamad Khairulnizam Zaini
Senior Lecturer
Information Systems Management
UiTM Selangor
2017

LESSON OBJECTIVES:

1. Understand the importance of information security to organizations
2. Understand the meaning of threats and vulnerabilities
3. Understand the business impacts of realized threats

THE IMPORTANCE OF INFORMATION SECURITY
The Importance of Information Security for Business

 It is a necessity in sustaining an organization's business operations. (Thompson et al., 2006)
 It maintains the competitive advantage, improves public image, increases innovation and protects the enterprise's assets. (Parker, 1997; Anttila et al., 2004; COBIT 5)
 It ensures business continuity by reducing business risks. (Kruger et al., 2010)
 It ensures a high quality of service of the information infrastructures and technologies which support and complement the business goals of an organization. (Lane, 2007)
 It ensures that technological assets are safely accounted for and protected. (Whitman and Mattord, 2011)
 It ensures alignment of information security with business strategies and objectives, value delivery and accountability, and expands business opportunities. (ISO 27001:2013; Vasiu et al., 2003)
Discussion points

 Prevents data theft
 Protects profit and supports regulatory compliance
 Protects intellectual property
 Information and computer crime has escalated
 Maintains productivity
 Foils cyber terrorism
THE VULNERABILITY & THREATS

Source: https://heimdalsecurity.com
OVERVIEW: VULNERABILITIES & THREATS

A vulnerability refers to a weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is an issue that allows an attack to be successful, and it is a vulnerability whether or not the organization has discovered it yet. For example, when a team member resigns and you forget to disable their access to external accounts, change logins or remove their name from company credit cards, this leaves your business open to both intentional and unintentional threats.

A threat refers to a new or newly discovered incident with the potential to do harm to a system or your overall organization. There are three main types of threats: natural threats (e.g., floods or a tornado), unintentional threats (such as an employee mistakenly accessing the wrong information) and intentional threats.

Source: www.bcm.com
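The offboarding gap used as the vulnerability example above (a team member leaves, but their access is never disabled) is caught by routinely reconciling the HR roster against every system's account list. The following script is an added example, not part of the slides or their sources; the CSV layouts, the field names and the sample rows are constructed assumptions, and the one-day grace period is an arbitrary setting.

```python
"""Offboarding reconciliation: find accounts still active after their owner left.

Added example (not from the original slides). The two CSV layouts below are
assumptions; the rows are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed HR roster: one row per employee (assumed layout).
HR_ROSTER = """employee_id,name,status,left_on
E100,Alice Ng,active,
E101,Bob Tan,terminated,2017-03-01
E102,Carol Lim,terminated,2017-03-20
E103,Dan Ooi,active,
"""

# Constructed export of accounts across several systems (assumed layout).
# A blank owner_id models an account nobody on the roster owns, such as a
# shared external login; the corporate card is treated as an "account" too.
ACCOUNT_EXPORT = """system,username,owner_id,enabled,last_login
vpn,alice,E100,true,2017-03-28
vpn,bob,E101,true,2017-03-25
crm,bob.tan,E101,false,2017-02-27
crm,carol,E102,true,2017-03-15
corp-card,4111-xxxx-0002,E101,true,
saas-billing,shared-finance,,true,2017-03-29
"""


def load_csv(text):
    """Parse embedded CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def find_offboarding_gaps(roster_rows, account_rows, as_of, grace_days=1):
    """Return (severity, account, detail) tuples for accounts that should be off.

    An enabled account is reported when:
      * its owner is terminated and the grace period has elapsed, or
      * it has no owner on the roster at all (unowned / orphaned account).
    A login dated after the leaving date is reported separately, because it
    shows the unrevoked access was actually used, not merely left open.
    """
    roster = {r["employee_id"]: r for r in roster_rows}
    findings = []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to do
        label = f'{acct["system"]}:{acct["username"]}'
        owner = roster.get(acct["owner_id"])
        if owner is None:
            findings.append(("UNOWNED", label, "no roster owner; assign or disable"))
            continue
        if owner["status"] != "terminated":
            continue
        left_on = date.fromisoformat(owner["left_on"])
        if as_of - left_on < timedelta(days=grace_days):
            continue  # still inside the offboarding window
        last_login = acct["last_login"].strip()
        if last_login and date.fromisoformat(last_login) > left_on:
            findings.append(("USED_AFTER_EXIT", label,
                             f"login {last_login} after leaving {left_on}"))
        else:
            findings.append(("NOT_REVOKED", label,
                             f'{owner["name"]} left {left_on}; access still enabled'))
    return findings


def run_sample(as_of_iso="2017-03-30", grace_days=1):
    """Run the check over the constructed sample data and return the findings."""
    return find_offboarding_gaps(load_csv(HR_ROSTER), load_csv(ACCOUNT_EXPORT),
                                 date.fromisoformat(as_of_iso), grace_days)


if __name__ == "__main__":
    for severity, account, detail in run_sample():
        print(f"{severity:15} {account:30} {detail}")
```

Run daily against real exports, the USED_AFTER_EXIT findings are the ones to treat as incidents, the NOT_REVOKED ones are the hygiene backlog, and the UNOWNED ones are the external or shared logins the slide warns about, which no leaver's checklist will ever cover until they are assigned an owner.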


Intentional (deliberate) threats
 Computer crimes are the best examples of intentional threats, i.e., when someone purposely damages property or information. Computer crimes include espionage, identity theft, child pornography, and credit card crime.
 Source: https://www.cerias.purdue.edu/assets/pdf/k12/infosec_newsletters/03threats.pdf
 Intentional threats include spyware, malware and adware companies, or the actions of a disgruntled employee. Worms and viruses are also categorized as threats, because they can harm your organization through an automated attack, as opposed to one carried out directly by a human.
Sources of threats

 Acts of human error/failure: accidents, employee mistakes
 Compromises to intellectual property: piracy, copyright infringement
 Deliberate acts of trespass: unauthorized access, data collection
 Deliberate acts of information extortion: blackmail, information disclosure
 Deliberate acts of sabotage or vandalism: destruction of systems or information
 Deliberate acts of theft: illegal removal of equipment or information
 Deliberate software attacks: viruses, denial of service
 Forces of nature: floods, tornadoes and similar natural events
 Deviations in quality of service: power, LAN or WAN outages, service issues from service providers
 Technical hardware failure: equipment failure
 Technical software failure: bugs, code loopholes, etc.
 Technological obsolescence: useless or outdated technology
Malicious Threats: Insiders
The most common threat

Information security breaches are now a burning issue.

"14% of all data breaches linked to insiders"
Source: The Verizon 2013 Data Breach Investigations Report

Among 874 incidents reported by companies to the Ponemon Institute for its 2016 Cost of Data Breach Study, 568 were caused by employee or contractor negligence, 85 by outsiders using stolen credentials, and 191 by malicious employees and criminals (the three figures as quoted on the slide sum to 844, not 874).
Some real-life examples

Alphabet, Google's parent company, recently filed a lawsuit against its former engineer Anthony Levandowski, who is now working with Uber. The company accused Levandowski of copying more than 14,000 internal files and taking them directly to his new employer.
Source: https://www.tripwire.com

 Anthony Levandowski was a high-profile engineer at Waymo, a subsidiary of Alphabet (Google's parent company). His role there was to push forward the development of self-driving cars.
 In December 2015, he downloaded 9.7 GB of company files onto his computer so he could "work from home". But in January 2016 he left Waymo to join Uber's own self-driving car division.
 We cannot know for sure whether Levandowski used the files to help Uber in their own project, but the situation was serious enough that Waymo sued Uber and asked for a halt in their self-driving car trials until further notice.
 If the allegations are true, the damage caused to Waymo, and to Google for that matter, could far exceed that caused by an external hack. Years of hard work and investment were practically handed over on a silver platter to a major competitor.
Source: https://heimdalsecurity.com/
Further insider threat case studies (CDSE):
http://www.cdse.edu/documents/toolkits-insider/Robert-Mo-Insider-Threat-Case-Study.pdf
http://www.cdse.edu/documents/cdse/CDSE-Insider-Threat-Case-Study-Yuan-Li.pdf
Security Vulnerability
 A vulnerability is a weakness which allows an attacker to reduce a system's information assurance.
 Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. ("The Three Tenets of Cyber Security", U.S. Air Force Software Protection Initiative, retrieved 2009-12-15.) Defences can therefore act on any of the three: fix the flaw, deny the attacker access to it, or raise the capability needed to exploit it.
 A vulnerability refers to a weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is an issue that allows an attack to be successful, whether or not it has been discovered yet.
Vulnerability assessment
Benefits of a vulnerability assessment and cyber security assessment. The goal is to limit exposure and attack surface, making compromise and exploitation of network vulnerabilities more difficult.

 Identify and safely exploit vulnerabilities on network devices, operating systems, desktop applications, web applications, databases, and more. (Exploiting findings, even "safely", is the penetration-testing step and needs written authorization and an agreed scope beforehand.)
 Detect and repair weaknesses in your network before they can be exploited by cyber criminals.
 Understand and improve the current state of your cyber security posture and level of risk.
 Test your policy compliance and your organization's ability to identify and respond to security threats.
 Determine the adequacy of employee security awareness as a baseline for skill acquisition and reinforcement of human defences.
 Demonstrate compliance with current government and industry regulations such as PCI DSS, FFIEC, GLBA, and HIPAA/HITECH.
 Manage resources more efficiently by focusing attention and resources where needed.

Source: http://www.infosightinc.com/solutions/advisory-services/vulnerability-assessment.php
Impact of Security Risks and Threats

Viruses, worms, and Trojan horses can corrupt data on a user's computer, infect other computers, weaken computer security, or provide back doors into protected networked computers. Spyware, adware, and other forms of security risk also represent a significant problem to businesses, their users, and the company networks.

All types of threat and security risk can seriously impair business operations, network use, and computer performance, while performing many tasks unknown to the user of an infected computer.
Some research examples

Zafar et al., 2012
  Study objective/context: To investigate the financial impact of publicly announced information security breaches on breached firms and their non-breached competitors.
  Threats/risks: e-business/e-commerce utilization for businesses.
  Business impacts: Unwanted access to internal information; data loss; competitive disadvantages.

Akram, 2013
  Study objective/context: To theorize and empirically measure the effects of information disclosure on the accuracy of business decision-making at various organizations.
  Threats/risks: Attacks or threats to information assets can result in inadequate decisions, which consequently affect the entire structure of the organization; insecure information assets.
  Business impacts: Information security has a substantial effect on generating accurate, effective and efficient business decisions.

Mani et al., 2014
  Study objective/context: To contribute to a better understanding of the information security threats, awareness, and risk management standards currently employed by the real estate sector in South Australia.
  Threats/risks: Physical breaches (e.g. due to stolen data storage devices such as smart mobile devices and computers) and non-physical breaches (e.g. due to computer or network intrusions) on real estate information.
  Business impacts: An employee misusing work-related data for personal gain will impact competitive advantage.

Telstra, 2014
  Study objective/context: To understand the security market dynamics, particularly the drivers, restraints and adoption trends facing Australian organizations.
  Threats/risks: Technology becomes more important to business every day, but the technologies that currently make the biggest difference (Cloud Computing, Big Data and Mobility) also increase exposure to security incidents.
  Business impacts: Critical infrastructure, business continuity and IT and business processes were the most severely affected by security incidents in organizations during the past three years.

Gallagher et al., 2016
  Study objective/context: To establish a measure of the impact of security breaches and to assess differences in the impact experienced across organizations of different sizes, different industries, and the degree to which they are centralized or decentralized.
  Threats/risks: Security breach through IT systems.
  Business impacts: Disruption to operations.

Telstra, 2016
  Study objective/context: To understand the security market dynamics, particularly the drivers, restraints and adoption trends facing Australian and Asian organizations.
  Threats/risks: Connectivity and technology provide great benefits to society and the economy, and their full potential is yet to be realized; with this benefit comes risk, and as more of the world embraces technology and connectivity the risk increases and organizations need to be able to manage it.
  Business impacts: Security incidents resulted in productivity loss, disruption of business operations, critical infrastructure breakdown, reputational loss, loss of sensitive data and financial loss.
Summary
 In this chapter you learned how to:
 Describe the importance of information security to organizations
 Explain the terms vulnerability and threat
 Discuss the impacts of security risks and threats on organizations