ARMGT201 Lesson 9

The document discusses common threats to information systems including accidents, natural disasters, sabotage, vandalism, theft, unauthorized use, and computer viruses and malware. It then covers various control strategies and techniques that can be used to protect information systems from these threats.

Uploaded by Tafadzwa
Copyright © All Rights Reserved

Business Information Systems

Technology, Development and Management for the Modern Business


6th edition

Chapter 15
Managing information
security

Copyright © 2019, 2015, 2008 Pearson Education, Inc. All Rights Reserved
Learning objectives

• After this lecture, you will be able to:
– understand and assess potential threats to a computer-based information system;
– propose an overall strategy for ensuring the security of a computer-based information system;
– identify specific techniques that might be used to protect a computer-based information system against damage or unauthorised access.

Management issues

• From a managerial perspective, this lecture addresses the following areas:
– An understanding of approaches towards information systems security will help managers to develop and implement an overall strategy for security.
– An understanding of the threats to information systems will help in predicting and anticipating acts such as denial-of-service attacks.
– Knowledge of specific techniques for protecting information systems will help in the development of effective countermeasures.
– As organisations turn to the Internet for business purposes, it becomes important to understand some of the new threats that must be faced.
Common threats to information systems

• Accidents
• Natural disasters
• Sabotage (industrial and individual)
• Vandalism
• Theft
• Unauthorised use (hacking)
• Computer viruses and malware.

Accidents (1 of 2)

• Inaccurate data entry. As an example, consider a typical relational database management system, where update queries are used to change records, tables and reports. If the contents of the query are incorrect, errors might be produced within all of the data manipulated by the query. Although extreme, significant problems might be caused by adding or removing even a single character in a query.
• Attempts to carry out tasks beyond the ability of the employee. In smaller computer-based information systems, a common cause of accidental damage involves users attempting to install new hardware items or software applications. In the case of software applications, existing data may be lost when the program is installed, or the program may fail to operate as expected.
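The single-character slip described above, shown as an added example (not from the textbook): an update query whose `=` becomes `>=` touches two records instead of one, and a row-count check inside the transaction catches it before the change is committed. The table, data and expected counts are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data: three customer records in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, credit_limit INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [(1, 1000), (2, 2000), (3, 3000)])
    conn.commit()
    return conn

def guarded_update(conn, sql, params, expected_rows):
    """Run an update query and commit it only if it touched exactly the number
    of rows the operator expected; otherwise roll the change back.
    Returns (committed, rows_affected)."""
    cur = conn.cursor()
    try:
        cur.execute(sql, params)        # sqlite3 opens a transaction implicitly here
        if cur.rowcount != expected_rows:
            conn.rollback()             # the slip is undone before it reaches the data
            return False, cur.rowcount
        conn.commit()
        return True, cur.rowcount
    except sqlite3.Error:
        conn.rollback()
        raise

def credit_limits(conn):
    """Current credit limits in id order, used to show what a query changed."""
    return [row[0] for row in conn.execute(
        "SELECT credit_limit FROM customers ORDER BY id")]

if __name__ == "__main__":
    db = make_db()
    # The intended query: raise one customer's limit.
    print(guarded_update(db, "UPDATE customers SET credit_limit = 5000 WHERE id = ?", (2,), 1))
    # One extra character ('>=' instead of '=') would silently hit two records;
    # the row-count check catches it and the update is rolled back.
    print(guarded_update(db, "UPDATE customers SET credit_limit = 0 WHERE id >= ?", (2,), 1))
    print(credit_limits(db))   # [1000, 5000, 3000]
```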
Accidents (2 of 2)

• Failure to comply with procedures for the use of organisational information systems. Where organisational procedures are unclear or fail to anticipate potential problems, users may often ignore established methods, act on their own initiative or perform tasks incorrectly.
• Failure to carry out backup procedures or verify data backups. In addition to carrying out regular backups of important business data, it is also necessary to verify that any backup copies made are accurate and free from errors.
• Update query: Used to change records, tables and reports held in a database management system.

Natural disasters

• All information systems are susceptible to damage caused by natural phenomena, such as storms, lightning strikes, floods and earthquakes.
• In Japan and the United States, for example, great care is taken to protect critical information systems from the effects of earthquakes.
• Although such hazards are of less concern in much of Europe, properly designed systems will make allowances for unexpected natural disasters.

Sabotage

• Deliberate deletion of data or applications
– Logic bomb: Sometimes also known as a time bomb, a logic bomb is a destructive computer program that activates at a certain time or in reaction to a specific event.
– Back door: A section of program code that allows a user to circumvent security procedures in order to gain full access to an information system.
– Data theft: This can involve stealing sensitive information or making unauthorised changes to computer records.
• Accidental deletion
Unauthorised use

• Hacker: Hackers are often described as individuals who seek to break into systems as a test of their abilities. Few hackers attempt to cause damage to systems they access, and few are interested in gaining any sort of financial profit.
• Cracker: A person who gains access to an information system for malicious reasons is often termed a cracker rather than a hacker. This is because some people draw a distinction between ‘ethical’ hackers and malicious hackers.

Control strategies

• Containment
– Control access to system
• Deterrence
– Penalties for staff or hackers
• Obfuscation
– Hiding or distributing information assets
• Recovery
– Recovers data after breach.

Control techniques

• Physical protection uses physical barriers, for example, restricted access to rooms and equipment.
• Biometric controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment. Scanners that check fingerprints, voice prints or even retinal patterns are examples of biometric controls.
• Telecommunication controls – common types include passwords and user validation routines.
• Failure controls – attempt to limit damage by backup procedures, for example.
• Auditing – keeping a check on the procedures, hardware and software used.
Control approaches

• Formal security policies
• Passwords
• Encryption
• User validation techniques
• Backup procedures.

Passwords

• User validation: Checks made to ensure the user is permitted access to a system. Also known as access control systems, they often involve user names and passwords, but can also include biometric techniques.
• Access to the system can be divided into levels by issuing different passwords to employees based on their positions and the work they carry out.
• The actions of an employee can be regulated and supervised by monitoring the use of their password.
• If a password is discovered or stolen by an external party, it should be possible to limit any damage arising as a result.
• The use of passwords can encourage employees to take some of the responsibility for the overall security of the system.

Backup procedures (1 of 3)

• Business continuity planning: The process of developing procedures aimed at restoring the normal operation of an information system in the event of an emergency or disaster.
• Backup site: This houses a copy of the organisation’s main data processing facilities, including hardware, software and up-to-date data files. In the event of an emergency, processing can be switched to the backup site almost immediately so that the organisation’s work can continue.
• RAID: This stands for ‘redundant array of inexpensive disks’. Essentially, identical copies of important data files are kept upon a number of different storage devices. If one or more of the storage devices fails, additional devices are activated automatically, allowing uninterrupted access to the data and reducing the possibility of losing transactions or updates.
Backup procedures (2 of 3)

Backup procedures (3 of 3)

• Incremental backup: Includes only those files that have changed in some way since the last backup was made.
• Full backup: A method of producing copies of important data files by including all data files considered to be important.
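An added example (not from the textbook) that ties the two backup types above to the earlier point about verifying backup copies: file selection for a full versus an incremental run, and a digest check that spots a copy that no longer matches what was written. The file set, modification times and the last-backup time are constructed for illustration.

```python
import hashlib

# Constructed sample "file system": name -> {"mtime": seconds, "data": bytes}.
SAMPLE_FILES = {
    "ledger.csv": {"mtime": 100, "data": b"account,balance\n1001,250\n"},
    "notes.txt":  {"mtime": 50,  "data": b"meeting notes"},
    "report.doc": {"mtime": 120, "data": b"quarterly report"},
}
LAST_BACKUP_TIME = 90  # constructed: when the previous backup run completed

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def select_files(files, last_backup_time, mode):
    """Full backup: every important file. Incremental backup: only files whose
    modification time is later than the last backup."""
    if mode == "full":
        return sorted(files)
    if mode == "incremental":
        return sorted(n for n, f in files.items() if f["mtime"] > last_backup_time)
    raise ValueError(f"unknown backup mode: {mode}")

def make_backup(files, names):
    """Copy the selected files and record a digest of each copy as it was made."""
    return {n: {"data": bytes(files[n]["data"]), "digest": sha256(files[n]["data"])}
            for n in names}

def verify_backup(backup):
    """Return the names of copies whose current content no longer matches the
    digest recorded at backup time, i.e. corrupted or incomplete copies."""
    return sorted(n for n, c in backup.items() if sha256(c["data"]) != c["digest"])

if __name__ == "__main__":
    print(select_files(SAMPLE_FILES, LAST_BACKUP_TIME, "incremental"))  # changed since 90
    print(select_files(SAMPLE_FILES, LAST_BACKUP_TIME, "full"))         # everything
    copy = make_backup(SAMPLE_FILES, ["ledger.csv"])
    print(verify_backup(copy))          # [] while the copy is intact
    copy["ledger.csv"]["data"] = b"account,balance\n1001,2"   # simulate a truncated copy
    print(verify_backup(copy))          # ['ledger.csv']
```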

Malware

Malware (malicious software) includes the following:
• Computer viruses
• Trojans and key loggers
• Spyware.

Computer virus

• Computer virus: This is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another.
• The origin of the term computer virus is credited to Fred Cohen, author of the 1984 book Computer Viruses: Theories and Experiments. However, ‘natural’ computer viruses were reported as early as 1974, and papers describing mathematical models of the theory of epidemics were published in the early 1950s.

Virus security measures

• Unauthorised access to machines and software should be restricted as far as possible.
• Machines and software should be checked regularly with a virus detection program.
• All new disks and any software originating from an outside source should be checked with a virus detection program before use.
• Regular backups of data and program files must be made in order to minimise the damage caused if a virus infects the system.

Virus terminology

• Virus scanner: Intended to detect and safely remove virus programs from a computer system.
• Signature: Unique features of a virus such as the unique series of values in its program file, a message displayed on screen or hidden text.
• Polymorphic virus: Capable of altering its form, so that the ‘standard’ signature of the virus is not present. This means that a virus scanner may not always identify the virus correctly.
• Stealth virus: Specifically designed to avoid detection. Such programs are normally written with the intention of defeating common or well-known virus-scanning programs.
• Heuristics: Involves monitoring a system to detect common behaviours associated with computer viruses, such as attempts to access certain areas of the hard disk drive.
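An added example (not from the textbook) of why the slide pairs signatures with heuristics: a signature match on a byte series is exact but is lost as soon as the bytes change, while a behaviour-based check still flags the same program. The signature, the sample "program files" and the behaviour logs are constructed stand-ins, not real malware or a real scanner database.

```python
# Constructed, harmless stand-ins for a scanner's signature list and for the
# behaviours a heuristic monitor watches for.
SIGNATURES = {
    "demo-virus-A": b"\x90\x90DEMO-A\x00",
}
SUSPICIOUS_BEHAVIOURS = {"write:boot_sector", "write:system_dir",
                         "modify:other_executable"}

def signature_scan(program: bytes, signatures=SIGNATURES):
    """Flag a program if any known signature (a unique byte series) appears in it."""
    return [name for name, sig in signatures.items() if sig in program]

def heuristic_scan(behaviour_log, threshold=2):
    """Flag a program whose observed actions include at least `threshold`
    behaviours commonly associated with viruses, whatever its bytes look like."""
    hits = sorted(set(behaviour_log) & SUSPICIOUS_BEHAVIOURS)
    return hits if len(hits) >= threshold else []

def scan(program: bytes, behaviour_log):
    """Combine both methods: a signature hit is a definite detection, a
    heuristic hit is a 'suspicious' verdict that needs investigating."""
    if signature_scan(program):
        return "infected"
    if heuristic_scan(behaviour_log):
        return "suspicious"
    return "clean"

# Constructed samples: the original carries the signature; the polymorphic
# variant keeps the same behaviour but its signature bytes differ (every byte
# flipped here), so the 'standard' signature is absent.
ORIGINAL = b"HEADER" + b"\x90\x90DEMO-A\x00" + b"BODY"
VARIANT = b"HEADER" + bytes(b ^ 0xFF for b in b"\x90\x90DEMO-A\x00") + b"BODY"
VIRUS_LOG = ["read:config", "write:boot_sector", "modify:other_executable"]
BENIGN_LOG = ["read:config", "write:temp_dir"]

if __name__ == "__main__":
    print(scan(ORIGINAL, VIRUS_LOG))   # infected
    print(scan(VARIANT, VIRUS_LOG))    # suspicious
    print(scan(VARIANT, BENIGN_LOG))   # clean
```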
Trojans and worms

• Worm: A small program that moves through a computer system randomly changing or overwriting pieces of data as it moves.
• Trojan: A Trojan presents itself as a legitimate program in order to gain access to a computer system. Trojans are often used as delivery systems for computer viruses.

Spyware and adware

• Spyware: Describes a category of software intended to collect and transmit confidential information without the knowledge or consent of a computer user.
• Adware: Describes a type of software that contains spyware intended to monitor a user’s online activities, usually so that advertising can be targeted more accurately.

Internet-related threats (1 of 2)

• Denial of service (DoS): This is a form of attack on company information systems that involves flooding the company's Internet servers with huge amounts of traffic. Such attacks effectively halt all of the company’s Internet activities until the problem is dealt with.
• Brand abuse: This describes a wide range of activities, ranging from the sale of counterfeit goods (e.g. software applications) to exploiting a well-known brand name for commercial gain.
• Cybersquatting: The act of registering an Internet domain with the intention of selling it for profit to an interested party. As an example, the name of a celebrity might be registered and then offered for sale at an extremely high price.
• Cyberstalking: This refers to the use of the Internet as a means of harassing another individual. A related activity is known as corporate stalking, where an organisation uses its resources to harass individuals or business competitors.
• Cyberterrorism: This describes attacks made on information systems that are motivated by political or religious beliefs.

Internet-related threats (2 of 2)

• Online stock fraud: Most online stock fraud involves posting false information to the Internet in order to increase or decrease the values of stocks.
• Social engineering: This involves tricking people into providing information that can be used to gain access to a computer system.
• Phishing: A relatively new development, phishing involves attempting to gather confidential information through fake e-mail messages and web sites.

Managing Internet threats

A range of software applications are now available to assist other methods of managing threats:
• Firewalls – software to prevent unauthorised access to the company
• Intrusion detection software – monitors the network to identify intruders
• AI software – identifies unusual activity.
