Lecture 1 Introduction To The Management of Information Security

This document provides an introduction to information security management. It discusses key concepts like confidentiality, integrity and availability. It also covers identification, authentication, authorization, accountability and the importance of understanding threats and protecting information assets. The document is intended to outline key objectives and topics to be covered in a lecture on information security management.


Lecture 1 – Introduction to the Management of Information Security


Acknowledgement (MN604):
– M. E. Whitman and H. J. Mattord, Management of Information Security, 6th ed., Course Technology, 2019
– M. E. Whitman and H. J. Mattord, Management of Information Security, 5th ed., Course Technology, 2016
– A. Basta, N. Basta and M. Brown, Computer Security and Penetration Testing, 2nd ed., Cengage Learning, 2013

Compiled by: Dr Ammar Alazab


March 2023 Updated by Anuj Nepal 1
Learning Objectives

– List and discuss the key characteristics of information security
– List and describe the dominant categories of threats to information security
– Discuss the key characteristics of leadership and management
– Differentiate information security management from general business management
Introduction

• Information technology is the vehicle that stores and transports information from one business unit to another
– But what happens if the vehicle breaks down?
• Over time the concept of computer security has been replaced by the concept of information security
• Information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers
Introduction

• Organizations must realise that information security decisions should involve three distinct groups of managers and professionals, or communities of interest:
– Those in the field of information security
– Those in the field of IT
– Those from the rest of the organization

What Is Security?

• In order to understand the technical aspects of information security you must know the definitions of certain information technology terms and concepts
• In general, security is defined as “being free from danger.” To be secure is to be protected from the risk of loss, damage, unwanted modification, or other hazards
• Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another
• It is the role of management to ensure that security strategies are properly planned, organised, staffed, directed, and controlled

Specialised areas of security

• Physical security
• Operations security
• Communications security
• Cyber (or computer) security
• Network security

Information Security

• Information security (InfoSec) focuses on the protection of information and the characteristics that give it value, such as confidentiality, integrity, and availability, and includes the technology that houses and transfers that information through a variety of protection mechanisms such as policy, training and awareness programs, and technology

The C.I.A. Triad

Figure 1-1 The C.I.A. triad


Confidentiality

• Confidentiality is “An attribute of information that describes how data is protected from disclosure or exposure to unauthorised individuals or systems”
• Confidentiality means limiting access to information only to those who need it, and preventing access by those who don’t
• To protect the confidentiality of information, a number of measures are used:
– Information classification
– Secure document (and data) storage
– Application of general security policies
– Education of information custodians and end users
– Cryptography (encryption)
Integrity

• Integrity is “an attribute of information that describes how data is whole, complete, and uncorrupted” [1]
• The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state
• Corruption can occur while information is being entered, stored, or transmitted
Availability

• Availability is “An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction” [1]
• Availability of information means that users, either people or other systems, have access to it in a usable format
• Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorised users
Privacy

• Privacy is “in the context of information security, the right of individuals or groups to protect themselves and their information from unauthorised access, providing confidentiality” [1]
• The information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected
• In this context, privacy does not mean freedom from observation (the meaning usually associated with the word); it means that the information will be used only in ways approved by the person who provided it
Identification

• Identification is “the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system”
• An information system possesses the characteristic of identification when it is able to recognise individual users
• Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
• Identification is typically performed by means of a user name or other ID

Authentication

• Authentication is “The access control mechanism that requires the validation and verification of an unauthenticated entity’s purported identity”
• It is the process by which a control establishes whether a user (or system) has the identity it claims to have
• Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system
Authorization

• Authorisation is “the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels”
• After the identity of a user is authenticated, authorization defines what the user (whether a person or a computer) has been specifically and explicitly permitted by the proper authority to do, such as access, modify, or delete the contents of an information asset
Accountability

• Accountability is “the access control mechanism that ensures all actions on a system—authorised or unauthorised—can be attributed to an authenticated identity. Also known as auditability”
• Accountability of information occurs when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
• Accountability is most commonly associated with system audit logs
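The four mechanisms defined on the Identification, Authentication, Authorization and Accountability slides, applied in the order a system applies them, as an added Python example that is not part of the lecture or the textbook; the user store, the access-control list and the password are constructed sample data, and the caller is told only "granted" or "denied" while the audit log keeps the precise reason.

```python
from typing import Dict, List, Optional, Set, Tuple
import hashlib
import hmac
import time


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash so the stored value is not the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed sample user store (assumption, not from the lecture).
_SALT = b"constructed-salt"
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Constructed access-control list: asset -> identity -> permitted actions.
ACL: Dict[str, Dict[str, Set[str]]] = {
    "payroll.xlsx": {"alice": {"read"}},
    "notice.txt": {"alice": {"read", "modify"}},
}

# Accountability: every decision, granted or denied, is attributable.
AUDIT_LOG: List[dict] = []


def identify(label: str) -> Optional[str]:
    """Identification: the entity offers a label the system may know."""
    return label if label in USERS else None


def authenticate(label: str, password: str) -> bool:
    """Authentication: verify the claimed identity against its stored secret."""
    salt, stored = USERS[label]
    # Constant-time comparison so timing does not reveal how much matched.
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(label: str, asset: str, action: str) -> bool:
    """Authorization: match the authenticated identity to its access level."""
    return action in ACL.get(asset, {}).get(label, set())


def record(label: str, asset: str, action: str, outcome: str) -> None:
    """Accountability: append an audit record naming the entity and result."""
    AUDIT_LOG.append({"time": time.time(), "who": label, "asset": asset,
                      "action": action, "outcome": outcome})


def request_access(label: str, password: str, asset: str, action: str) -> str:
    """Run the four mechanisms in order and return only granted/denied."""
    ident = identify(label)
    if ident is None:
        record(label, asset, action, "unknown identity")
        return "denied"
    if not authenticate(ident, password):
        record(ident, asset, action, "authentication failed")
        return "denied"
    if not authorize(ident, asset, action):
        record(ident, asset, action, "not authorised")
        return "denied"
    record(ident, asset, action, "granted")
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "correct horse", "payroll.xlsx", "read"))    # granted
    print(request_access("alice", "correct horse", "payroll.xlsx", "modify"))  # denied
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the unknown-identity and wrong-password cases return the same "denied" to the caller; only the audit log distinguishes them, which is the accountability property the slide describes.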
Sun Tzu Wu’s The Art of War

Therefore I say: One who knows the enemy and knows himself will not be in danger in a hundred battles [2]
One who does not know the enemy but knows himself will sometimes win, sometimes lose [2]
One who does not know the enemy and does not know himself will be in danger in every battle [2]
• To protect your organization’s information, you must:
– know yourself; that is, be familiar with the information assets to be protected and the systems, mechanisms, and methods used to store, transport, process, and protect them; and
– know the threats you face
Key Concepts of Information Security: Threats and attacks

• A threat represents a potential risk to an information asset, whereas an attack represents an ongoing act against the asset that could result in a loss
• Threat agents damage or steal an organization’s information or physical assets by using exploits to take advantage of a vulnerability where controls are not present or no longer effective
• Unlike threats, which are always present, attacks exist only when a specific act may cause a loss

Categories of Threats to InfoSec

Espionage or Trespass

• When an unauthorised person gains access to information an organization is trying to protect, the act is categorised as espionage or trespass
• Attackers can use many different methods to access the information stored in an information system
• Some information-gathering techniques are legal—for example, using a Web browser to perform market research
– These legal techniques are collectively called competitive intelligence
• When information gatherers employ techniques that cross a legal or ethical threshold, they are conducting industrial espionage

Espionage or Trespass

• In the real world, a hacker frequently spends long hours examining the types and structures of targeted systems and uses skill, guile, and/or fraud to attempt to bypass controls placed on information owned by someone else
• Hackers possess a wide range of skill levels, as with most technology users
– However, most hackers are grouped into two general categories—the expert hacker and the novice hacker
• Once an attacker gains access to a system, the next step is to increase privileges (privilege escalation)
– Most accounts associated with a system have only rudimentary “use” permissions; the attacker needs administrative or “root” privileges

Forces of Nature
• Some typical force of nature attacks include the following:
– Fire
– Flood
– Earthquake
– Lightning
– Landslide or Mudslide
– Tornados or Severe Windstorms
– Hurricanes, Typhoons, and Tropical Depressions
– Tsunami
– Electrostatic Discharge (ESD)
– Dust Contamination

Human Error or Failure
• Some typical human error or failure attacks include the following:
– Social Engineering
– Advance-fee Fraud
– Phishing
o URL Manipulation
o Web site forgery
– Spear Phishing
– Pretexting
Information Extortion

• Information extortion, also known as cyberextortion, is common in the theft of credit card numbers
• Recent information extortion attacks have involved specialised forms of malware known as ransomware that encrypt the user’s data and offer to unlock it if the user pays the attacker

Sabotage or Vandalism

• This category of threat involves the deliberate sabotage of a computer system or business, or acts of vandalism to destroy an asset or damage the image of an organization
• These acts can range from petty vandalism by employees to organised sabotage against an organization
• Vandalism to a Web site can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation
• Activism in the digital age:
– Online Activism
– Cyberterrorism and Cyberwarfare
– Positive Online Activism
Software Attacks

• Malware, including viruses, worms, Trojan horses, polymorphic threats and hoaxes
• Back doors, trap doors, and maintenance hooks
• Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks
• E-mail attacks such as spam, mail bombs and social engineering attacks
• Communications interception attacks such as packet sniffers, spoofing, pharming and man-in-the-middle attacks like TCP hijacking or session hijacking
Technical Hardware or Software Failures

• Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw
• Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved
• Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions

Deadly Sins of Software Security
• Web Application Sins
– SQL Injection
– Web Server-Related Vulnerabilities
– Web Client-Related Vulnerabilities (XSS)
– Use of Magic URLs, Predictable Cookies and Hidden Form Fields
• Implementation Sins
– Buffer Overruns
– Format String Problems
– Integer Overflows
– C++ Catastrophes
– Catching Exceptions
– Command Injection
– Failure to Handle Errors Correctly
– Information Leakage
– Race Conditions
– Poor Usability
– Not Updating Easily
– Executing Code with Too Much Privilege
– Failure to Protect Stored Data
– The Sins of Mobile Code
Deadly Sins of Software Security
• Cryptographic Sins
– Use of Weak Password-Based Systems
– Weak Random Numbers
– Using the Wrong Cryptography
• Networking Sins
– Failure to Protect Network Traffic
– Improper Use of PKI, Especially SSL
– Trusting Network Name Resolution
Technological Obsolescence

• Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems
• Management must recognise that when technology becomes outdated, there is a risk of losing data integrity from attacks
• Ideally, proper planning by management should prevent technology from becoming obsolete, but when obsolescence is clear, management must take immediate action
• Perhaps the most significant case of technology obsolescence in recent years is Microsoft’s Windows XP
What Is Management?

• Management is the process of achieving objectives using a given set of resources
• A manager is a member of the organization assigned to marshal and administer resources, coordinate the completion of tasks, and handle the many roles necessary to complete the desired objectives

The Planning-Controlling Link

Principles of Information Security Management

• The unique functions of information security management are known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
InfoSec Planning

• Planning as part of InfoSec management is an extension of the basic planning model discussed earlier in this chapter
• Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of information security strategies, as they exist within the IT planning environment

InfoSec Planning

• Several types of InfoSec plans exist:
– incident response planning
– business continuity planning
– disaster recovery planning
– policy planning
– personnel planning
– technology rollout planning
– risk management planning and
– security program planning including education, training and awareness
InfoSec Planning

• Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the planning environments of all organizational units, including IT
• Because the InfoSec strategic plans must support not only the IT use and protection of information assets, but those of the entire organization, it is imperative that the CISO work closely with all senior managers in developing InfoSec strategy
Policy

• Policy is “a set of organizational guidelines that dictate certain behavior within the organization”
• In InfoSec, there are three general categories of policy:
– Enterprise information security policy (EISP)
– Issue-specific security policy (ISSP)
– System-specific policies (SysSPs)
Programs

• InfoSec operations that are specifically managed as separate entities
• A security education training and awareness (SETA) program is one such entity
• Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on

Protection

• The protection function is executed via a set of risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools
• Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan

People

• People are the most critical link in the information security program
• This area of InfoSec includes security personnel and the security of personnel, as well as aspects of the SETA program mentioned earlier

Projects

• The final component is the application of thorough project management discipline to all elements of the information security program
• Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal

Project Management

• Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if the overall program is perpetually ongoing
• How can information security be both a process and a project? It is, in fact, a continuous series, or chain, of projects
• Some aspects of information security are not project based; rather, they are managed processes (operations) and are ongoing
Summary
• Threats or dangers facing an organization’s people, information, and systems fall into the following general categories:
– Compromises to intellectual property
– Deviations in quality of service
– Espionage or trespass
– Forces of nature
– Human error or failure
– Information extortion
– Sabotage or vandalism
– Software attacks
– Technical hardware failures or errors
– Technical software failures or errors
– Technological obsolescence
– Theft

Summary (cont.)

• An attack is a deliberate act that takes advantage of a vulnerability to compromise a controlled system. It is accomplished by a threat agent that damages or steals an organization’s information or physical assets. A vulnerability is an identified weakness in a controlled system, where controls are not present or are no longer effective
• Poor software development practices can introduce significant risk, but by developing sound development practices, change control, and quality assurance into the process, overall software quality and the security performance of software can be greatly enhanced

Summary (cont.)

• In its simplest form, management is the process of achieving objectives by using resources
• The important distinction between a leader and a manager is that a leader influences employees so that they are willing to accomplish objectives, whereas a manager creates budgets, authorises expenditures, and hires employees

References

• [1] M. E. Whitman and H. J. Mattord, Management of Information Security, 5th ed., Course Technology, 2016
• [2] S. Tzu, The Art of War, in Strategic Studies, Routledge, 2008, pp. 63–91

Review Questions

• What is information security? What essential protections must be in place to protect information systems from danger?
• What is the definition of “privacy” as it relates to InfoSec? How is this definition different from the everyday definition? Why is this difference significant?
• Discuss the difference between organizational planning and contingency