mis - chapter 15 - managing information resources and security


Page 1: MIS - Chapter 15 - Managing Information Resources and Security

PART V Implementing and Managing IT

13. Information Technology Economics
14. Building Information Systems
15. Managing Information Resources and Security
16. Impacts of IT on Organizations, Individuals, and Society (online)

CHAPTER 15 Managing Information Resources and Security

Cybercrime in the New Millennium
15.1 The IS Department and End Users
15.2 The CIO in Managing the IS Department
15.3 IS Vulnerability and Computer Crimes
15.4 Protecting Information Resources: From National to Organizational Efforts
15.5 Securing the Web, Intranets, and Wireless Networks
15.6 Business Continuity and Disaster Management
15.7 Implementing Security: Auditing and Risk Analysis
Minicases: (1) Home Depot / (2) Managing Security

LEARNING OBJECTIVES
After studying this chapter, you will be able to:

● Recognize the difficulties in managing information resources.

● Understand the role of the IS department and its relationships with end users.

● Discuss the role of the chief information officer.

● Recognize information systems’ vulnerability, attack methods, and the possible damage from malfunctions.

● Describe the major methods of defending information systems.

● Describe the security issues of the Web and electronic commerce.

● Describe business continuity and disaster recovery planning.

● Understand the economics of security and risk management.

0006D_c15_679-731.qxd 16/10/03 17:25 Page 679


CYBERCRIME IN THE NEW MILLENNIUM

On January 1, 2000, the world was relieved to know that the damage to information systems due to the Y2K problem was minimal. However, only about six weeks into the new millennium, computer systems around the world were attacked, unexpectedly, by criminals.

On February 6, 2000, the biggest e-commerce sites were falling like dominoes. First was Yahoo, which was forced to close down for three hours. Next were eBay, Amazon.com, E*Trade, and several other major EC and Internet sites that had gone dark.

The attacker(s) used a method called denial of service (DoS). By hammering a Web site’s equipment with too many requests for information, an attacker can effectively clog a system, slowing performance or even crashing a site. All one needs to do is to get the DoS software (available for free on many hacking sites), break into unrelated, unprotected computers and plant some software there, select a target site, and instruct the compromised computers to repeatedly send requests for information to the target site. Because the requests arrive from many machines at once, this variant is called a distributed denial of service (DDoS). It is like constantly dialing a telephone number so that no one else can get through. It takes time for the attacked site to identify the sending computers and to block traffic from them. Thus, the attacked site may be out of service for a few hours.
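The first thing the attacked site has to do, as the paragraph says, is identify the sending computers. The following is an added example, not part of the chapter, of how an operator finds them from the Web server’s own access log: it parses Common Log Format lines, keeps a sliding window of request times per source address, and reports the addresses whose rate in any window exceeds a threshold. The log lines, the ten-second window and the threshold of 50 requests are constructed for illustration.

```python
"""Flag source addresses that flood a Web server with requests.

Added example, not part of the chapter. It scans access-log lines in the
Common Log Format, counts requests per source inside a sliding time window,
and reports the sources whose rate exceeds a threshold. That list is what an
operator needs before blocking the traffic upstream. The log lines, window
and threshold below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Common Log Format: host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (host, timestamp) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m.group("time"), TIME_FMT)
    except ValueError:
        return None
    return m.group("host"), ts


def find_flooding_sources(lines, window=timedelta(seconds=10), threshold=50):
    """Return {host: peak requests seen inside one window} for hosts over threshold.

    Each host keeps a deque of the timestamps still inside the window; its
    length after trimming is the current request rate. Lines are assumed to
    be in chronological order, as a server writes them.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip it rather than abort the scan
        host, ts = parsed
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peak[host] = max(peak.get(host, 0), len(q))
    return peak


def build_sample_log():
    """Constructed sample: two ordinary clients and two flooding hosts."""
    base = datetime.strptime("06/Feb/2000:10:00:00 +0000", TIME_FMT)

    def entry(host, second, path):
        stamp = (base + timedelta(seconds=second)).strftime(TIME_FMT)
        return f'{host} - - [{stamp}] "GET {path} HTTP/1.0" 200 512'

    lines = []
    for second in range(30):
        # the flooding hosts each send 20 requests every second
        for _ in range(20):
            lines.append(entry("10.0.0.7", second, "/"))
            lines.append(entry("10.0.0.9", second, "/index.html"))
        # the ordinary clients send one request per second
        lines.append(entry("192.0.2.10", second, "/news"))
        lines.append(entry("192.0.2.11", second, "/search"))
    return lines


if __name__ == "__main__":
    for host, rate in sorted(find_flooding_sources(build_sample_log()).items()):
        print(f"{host}: up to {rate} requests in 10 s")
```

Run stand-alone, the script reports the two flooding hosts at 220 requests per window and stays silent about the ordinary clients. The caveat a practitioner would add: a distributed attack from thousands of planted machines can keep every single source below the threshold, so the per-source check has to be paired with an aggregate rate for the site as a whole, and blocking has to happen upstream of the saturated link to do any good.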

The magnitude of the damage was so large that on February 9, the U.S. Attorney General pledged to track down the criminals and ensure that the Internet remains secure. This assurance did not last too long, as can be seen from the following story told by Professor Turban:

When I opened my e-mail on May 4, 2000, I noticed immediately that the number of messages was larger than usual. A closer observation revealed that about 20 messages were titled I LOVE YOU, and most of them came from faculty, secretaries, and administrators at City University of Hong Kong. It was not my birthday and there was no reason to believe that so many people would send me love messages the same day. My initial thought was to open one message to find out what’s going on. But, on second thought I remembered the “Melissa” virus and the instructions not to open any attachment of a strange e-mail. I picked up the telephone and called one of the senders, who told me not to open the attachment since it contained a deadly virus.

Although Professor Turban’s system escaped the virus, thousands of users worldwide opened the “love” attachment and released the bug. It is interesting to note that the alleged attacker, from the Philippines, was not prosecuted because he did not break any law in the Philippines. The damage, according to Zetter and Miastkowski (2000), was estimated at $8.7 billion worldwide.

Sources: Compiled from news items during May 3–11, 2000, and from Zetter and Miastkowski (2000).
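Professor Turban was saved by a rule (“do not open attachments of strange e-mails”) that every recipient has to apply by hand. The following is an added example, not from the chapter, of the same rule enforced once at the mail gateway: it parses a raw message with Python’s email package and blocks any attachment whose final extension Windows would execute, calling out the double-extension trick separately. ILOVEYOU travelled as a Visual Basic script named LOVE-LETTER-FOR-YOU.TXT.vbs; that file name is a fact about the real worm, not something the chapter states, and the extension list and sample messages are constructed here.

```python
"""Gateway triage of mail attachments.

Added example, not from the chapter. A raw message is parsed with the
standard email package; every attachment whose final extension is one that
Windows runs directly or through the script host is blocked, and a name with
more than one extension (report.TXT.vbs) is reported as a disguised
executable. The extension set is a representative assumption, not a complete
list, and the sample messages are constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption: a representative set of extensions Windows will execute.
EXECUTABLE_EXT = {
    "exe", "com", "scr", "pif", "bat", "cmd",
    "vbs", "vbe", "js", "jse", "wsf", "wsh", "hta",
}


def classify_attachment(filename):
    """Return ("block", reason) or ("allow", "") for one attachment file name."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "allow", ""
    final = parts[-1]
    if final in EXECUTABLE_EXT:
        if len(parts) > 2:
            return "block", f"double extension hides an executable .{final} file"
        return "block", f"executable attachment .{final}"
    return "allow", ""


def triage_message(raw):
    """Parse a raw RFC 822 message and return [(filename, verdict, reason), ...]."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        verdict, reason = classify_attachment(name)
        results.append((name, verdict, reason))
    return results


def build_sample(subject, attachment_name, body):
    """Constructed message with one attachment; returns the bytes a gateway sees."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.edu"
    msg["To"] = "recipient@example.edu"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"rem placeholder payload\r\n",
                       maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("ILOVEYOU", "LOVE-LETTER-FOR-YOU.TXT.vbs", "see attached"),
        build_sample("Budget", "budget-2000.xls", "figures attached"),
    ]
    for raw in samples:
        for name, verdict, reason in triage_message(raw):
            print(f"{verdict:5} {name} {reason}")
```

The check keys on the last extension because that is the one the operating system acts on; the “.TXT” in the middle exists only to fool the reader, whose mail client may even hide the real suffix. A gateway filter of this kind would not have stopped a recipient from being fooled by the subject line, but the attachment would never have reached the mailbox.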

➥ LESSONS LEARNED FROM THIS CASE

Since May 2000 there have been more than a dozen major virus attacks, and hundreds of small ones, causing damage to organizations and individuals (see Richardson, 2003).

Clearly, information resources, including computers, networks, programs, and data, are vulnerable to unforeseen attacks. Attackers can zero in on a single company, or can attack many companies and individuals without discrimination, using various attack methods. Although variations of the attack methods are known, the defense against them is difficult and/or expensive. As the story of the “love” virus demonstrated, many countries do not have sufficient laws to deal with computer criminals. For all of these reasons, protection of networked systems can be a complex issue.

The actions of people or of nature can cause an information system to function in a way different from what was planned. It is important, therefore, to know how to ensure the continued operation of an IS and to know what to do if the system breaks down. These and similar issues are of concern to the management of information resources, the subject of this chapter.

In this chapter we look at how the IS department and end users work together; the role of the chief information officer; and the issue of information security and control in general and of Web systems in particular. Finally, we deal with plans for business continuity after a disaster, and the costs of preventing computer hazards.

15.1 THE IS DEPARTMENT AND END USERS

Throughout this book, we have seen that information systems are used to increase productivity and help achieve quality, timeliness, and satisfaction for both employees and customers. Most large, many medium, and even some small organizations around the world are strongly dependent on IT. Their information systems have considerable strategic importance.

IT resources are very diversified; they include personnel assets, technology assets, and IT relationship assets. The management of information resources is divided between the information services department (ISD) and the end users. Information resources management (IRM) encompasses all activities related to the planning, organizing, acquiring, maintaining, securing, and controlling of IT resources. The division of responsibility depends on many factors, beginning with the amount of IT assets and nature of duties involved in IRM, and ending with outsourcing policies. Decisions about the roles of each party are made during the IS planning (Chapter 9). (For some insights, see Sambamurthy et al., 2001.)

The IS Department in the Organization

A major decision that must be made by senior management is where the ISD is to report in the organizational hierarchy. Partly for historical reasons, a common place to find the ISD is in the accounting or finance department. In such situations, the ISD normally reports to the controller or the chief financial officer. The ISD might also report to one of the following: (1) a vice president of technology, (2) an executive vice president (e.g., for administration), or (3) the CEO.

THE IS DIRECTOR AS A “CHIEF.” To show the importance of the IS area, some organizations call the director of IS a chief information officer (CIO), a title similar to chief financial officer (CFO) and chief operating officer (COO). Typically, only important or senior vice presidents receive this title. Other common titles are: vice president for IS, vice president for information technology, or director of information systems. Unfortunately, as Becker (2003) reports, some companies provide the title CIO but do not accord the position the importance other “chiefs” are getting. The title of CIO and the position to whom this person reports reflect, in many cases, the degree of support being shown by top management to the ISD. The reporting relationship of the ISD is important in that it reflects the focus of the department. If the ISD reports to the accounting or finance areas, there is often a tendency to emphasize accounting or finance applications at the expense of those in the marketing, production, and logistics areas. In some organizations the IS functions are distributed, depending on their nature (see Minicase 1). To be most effective, the ISD needs to take as broad a view as possible.

THE NAME AND POSITION OF THE IS DEPARTMENT. The name of the ISD is also important. Originally it was called the Data Processing (DP) Department. Then the name was changed to the Management Information Systems (MIS) Department and then to the Information Systems Department (ISD). In addition, one can find names such as Information Technology Department, Corporate Technology Center, and so on. In very large organizations the ISD can be a division, or even an independent corporation (such as at Bank of America and at Boeing Corp.).

Some companies separate their e-commerce activities, creating a special online division. This is the approach taken by Qantas Airways, for example. In others, e-commerce may be combined with the ISD in a technology department or division. Becker (2003) reports on a study that shows that companies get the largest return from IT when they treat the ISD like any other important part of their business.

The status of the ISD also depends on its mission and internal structure. Agarwal and Sambamurthy (2002) found in a survey that companies usually organize their IT function in one of three ways: making IT an active partner in business innovation, providing IT resources for innovation and global reach, or seeking flexibility via a considerable amount of outsourcing.

The increased role and importance of IT and its management, both by a centralized unit and by end users, require careful understanding of the manner in which the ISD is organized as well as of the relationship between the ISD and end users. These topics are discussed next. Also, for more on the connection between the ISD and the organization, see the IRM feedback model in Online File W15.1 at the book’s Web site.

The IS Department and End Users

It is extremely important to have a good relationship between the ISD and end users. Unfortunately, though, this relationship is not always optimal. The development of end-user computing and outsourcing was motivated in part by the poor service that end users felt they received from the ISD. (For the issue of how to measure the quality of IS services, see Jiang et al., 2002.) Conflicts occur for several reasons, ranging from the fact that priorities of the ISD may differ from those of the end users to lack of communication. Also, there are some fundamental differences between the personalities, cognitive styles, educational backgrounds, and gender proportion of the end users versus the ISD staff (generally more males in the ISD) that could contribute to conflicts. An example of such conflict is illustrated in IT At Work 15.1.

IT At Work 15.1: MINNESOTA’S DEPARTMENT OF TRANSPORTATION VIOLATES PROCEDURES

The Department of Transportation in Minnesota (dot.state.mn.us) had come across a hybrid PC system that would allow road surveys to be accomplished with less time and effort, and greater accuracy. The system would require two people to conduct a survey instead of the usual three, and because of the precision of the computer-based system, the survey could be done in half the time.

The department ran into a problem because the ISD for the State of Minnesota had instituted standards for all PCs that could be purchased by any state agency. Specifically, a particular brand of IBM PC was the only PC purchase allowed without going through a special procedure. The red tape, as well as the unwillingness of the ISD to allow any deviation from the standard, caused a great deal of frustration.

As a last resort, the Department of Transportation procured the hybrid PC and camouflaged the transaction as engineering equipment for conducting surveys. From that point on, its staff decided they would do what they needed to do to get their jobs done, and the less the ISD knew about what they were doing, the better. When asked why they behaved this way, the administrator of the Department of Transportation simply said, “We have to do it this way because the ISD will either try to stop or hold up for a long period of time any decision we want to make, because they just are not familiar enough with the issues that we are facing in our department.”

For Further Exploration: What are the organizational risks when the Transportation Department takes this attitude? How can the conflict be resolved?

The Minnesota situation is fairly common. One of this book’s authors, when acting as a consultant to an aerospace company in Los Angeles, found that end users frequently bought nonstandard equipment by making several smaller purchases instead of one large one, because the smaller purchases did not require authorization by the ISD. When asked if the ISD knew about this circumventing of the rules, a violating manager answered, “Of course they know, but what can they do—fire me?”

Generally, the ISD can take one of the following four approaches toward end-user computing:

1. Let them sink or swim. Don’t do anything; let the end user beware.

2. Use the stick. Establish policies and procedures to control end-user computing so that corporate risks are minimized, and try to enforce them.

3. Use the carrot. Create incentives to encourage certain end-user practices that reduce organizational risks.

4. Offer support. Develop services to aid end users in their computing activities.

Each of these responses presents the IS executive with different opportunities for facilitation and coordination, and each has its advantages and disadvantages.

Fostering the ISD/End-User Relationships

The ISD is a service organization that manages the IT infrastructure needed to carry on end-user IT applications. Therefore, a partnership between the ISD and the end user is a must. This is not an easy task, since the ISD is basically a technical organization that may not understand the business and the users. The users, on the other hand, may not understand information technologies. Also, there could be differences between the ISD (the provider) and the end users in terms of agreement on how to measure the IT services provided (quality, quantity) (see Jiang et al., 2002). Another major reason for tense relationships in many organizations is the difficulties discussed in Chapter 13 regarding the evaluation of IT investment (Seddon et al., 2002).

To improve collaboration, the ISD and end users may employ three common arrangements: the steering committee, service-level agreements, and the information center. (For other strategies, see Online File W15.2.)


THE STEERING COMMITTEE. The corporate steering committee is a group of managers and staff representing various organizational units that is set up to establish IT priorities and to ensure that the ISD is meeting the needs of the enterprise (see Minicase 1). The committee’s major tasks are:

● Direction setting. In linking the corporate strategy with the IT strategy, planning is the key activity (see Chapter 9 and Willcocks and Sykes, 2000).

● Rationing. The committee approves the allocation of resources for and within the information systems organization. This includes outsourcing policy.

● Structuring. The committee deals with how the ISD is positioned in the organization. The issue of centralization–decentralization of IT resources is resolved by the committee.

● Staffing. Key IT personnel decisions involve a consultation-and-approval process made by the committee. Notable is the selection of the CIO and major IT outsourcing decisions.

● Communication. It is important that information regarding IT activities flows freely.

● Evaluating. The committee should establish performance measures for the ISD and see that they are met. This includes the initiation of service-level agreements.

The success of steering committees largely depends on the establishment of IT governance, a formally established set of statements that should direct the policies regarding IT alignment with organizational goals, risk determination, and allocation of resources (Cilli, 2003).

SERVICE-LEVEL AGREEMENTS. Service-level agreements (SLAs) are formal agreements regarding the division of computing responsibility between end users and the ISD and the expected services to be rendered by the ISD. A service-level agreement can be viewed as a contract between each end-user unit and the ISD. If a chargeback system exists, it is usually spelled out in the SLA. The process of establishing and implementing SLAs may be applied to each of the major computing resources: hardware, software, people, data, networks, and procedures.

The divisions of responsibility in SLAs are based on critical computing decisions that are made by end-user managers, who agree to accept certain computing responsibilities and to turn over others to the ISD. Since end-user managers make these decisions, they are free to choose the amount and kind of support they feel they need. This freedom to choose provides a check on the ISD and encourages it to develop and deliver support services to meet end-user needs.

An approach based on SLAs offers several advantages. First, it reduces “finger pointing” by clearly specifying responsibilities. When a PC malfunctions, everyone knows who is responsible for fixing it. Second, it provides a structure for the design and delivery of end-user services by the ISD. Third, it creates incentives for end users to improve their computing practices, thereby reducing computing risks to the firm.

Establishing SLAs requires the following steps: (1) Define service levels. (2) Divide computing responsibility at each level. (3) Design the details of the service levels, including measurement of quality (see Jiang et al., 2002). (4) Implement service levels. Kesner (2002) adds to these: (5) Assign an SLA owner (the person or department that gets the SLA), (6) monitor SLA compliance, (7) analyze performance, (8) refine SLAs as needed, and (9) improve service to the department or company.


Due to the introduction of Web-based tools for simplifying the task of monitoring enterprise networks, more attention has recently been given to service-level agreements (Adams, 2000). (For an overview of SLAs, see Pantry and Griffiths, 2002; for suggestions on how to control SLAs, see Diao et al., 2002.)

THE INFORMATION CENTER. The concept of the information center (IC) (also known as the user’s service center, technical support center or IS help center) was conceived by IBM Canada in the 1970s as a response to the increased number of end-user requests for new computer applications. This demand created a huge backlog in the IS department, and users had to wait several years to get their systems built. Today, ICs concentrate on end-user support with PCs, client/server applications, and the Internet/intranet, helping with installation, training, problem resolution, and other technical support.

The IC is set up to help users get certain systems built quickly and to provide tools that can be employed by users to build their own systems. The concept of the IC, furthermore, suggests that the people in the center should be especially oriented toward the users in their outlook. This attitude should be shown in the training provided by the staff at the center and in the way the staff helps users with any problems they might have. There can be one or several ICs in an organization, and they report to the ISD and/or the end-user departments.

Further information on the purpose and activities of the IC is provided in Online File W15.3.

The New IT Organization

To carry out its mission in the digital economy, the ISD needs to adapt. Rockart et al. (1996) proposed eight imperatives for ISDs, which are still valid today. These imperatives are summarized in Table 15.1.

TABLE 15.1 The Eight Imperatives for ISDs in the Digital Age

1. Achieve two-way strategic alignment. You must align IT and the organization’s strategies (Chapter 9).

2. Develop effective relations with line management. An efficient partnership must be cultivated between the end users and the ISD.

3. Develop and deploy new systems quickly. When companies compete on time, the speed of installing new applications and having them run properly is a critical need (Chapter 14).

4. Build and manage infrastructure. Infrastructure is a shared resource. Therefore its planning, architecture, and policy of use must be done properly (Chapter 9).

5. Manage vendor relationships. As more vendors are used in IT projects, their management becomes critical. Vendor relations must be not only contractual, but also strategic and collaborative (Chapter 13).

6. Reskill the IT organization. The skills of IT managers, staff, and technical people must be constantly updated. Using the Web, e-training is popular (Chapters 5, 7).

7. Build high performance. With shrinking IT budgets and the need for new equipment, systems must be very reliable and of high performance, as well as justifiable in terms of cost (Chapter 13). Using a six-sigma approach is recommended.

8. Redesign and manage the centralized IT organization. The ISD, its role, power sharing with end users, and outsourcing strategies must be carefully crafted.

Source: Compiled from Rockart et al. (1996).

Information technology, as shown throughout this book, is playing a critical role in the livelihood of many organizations, small and large, private and public, throughout the world. Furthermore, the trend is for even more IT involvement. Effective ISDs will help their firms apply IT to transform themselves to e-businesses, redesign processes, and access needed information on a tight budget. For more on managing IT in the digital era, see Sambamurthy et al. (2001).

15.2 THE CIO IN MANAGING THE IS DEPARTMENT

Managing the ISD is similar to managing any other organizational unit. The unique aspect of the ISD is that it operates as a service department in a rapidly changing environment, thus making the department’s projections and planning difficult. The equipment purchased and maintained by the ISD is scattered all over the enterprise, adding to the complexity of ISD management. Here we will discuss only one issue: the CIO and his or her relationship with other managers and executives.

The Role of the Chief Information Officer

The changing role of the ISD highlights the fact that the CIO is becoming an important member of the organization’s top management team (Ross and Feeny, 2000). Also, the experience of 9/11 changed the role of the CIO, placing him or her in a more important organizational position (see Ball, 2002) because of the organization’s realization of the need for IT-related disaster planning and the importance of IT to the organization’s activities.

A survey conducted in 1992 found that the prime role of the CIO was to align IT with the business strategy. Secondary roles were to implement state-of-the-art solutions and to provide and improve information access. These roles are supplemented today by several strategic roles because IT has become a strategic resource for many organizations. Coordinating this resource requires strong IT leadership and ISD/end-user collaboration within the organization. In addition, CIO–CEO relationships are crucial for effective, successful utilization of IT, especially in organizations that greatly depend on IT, where the CIO joins the top management “chiefs” group.

The CIO in some cases is a member of the corporate executive committee, the most important committee in any organization, which has responsibility for strategic business planning. Its members include the chief executive officer and the senior vice presidents. The executive committee provides the top-level oversight for the organization’s information resources. It guides the IS steering committee, which is usually chaired by the CIO. Related to the CIO is the emergence of the chief knowledge officer (CKO, see Chapter 10). A CIO may report to the CKO, or the same person may assume both roles, especially in smaller companies.

Major responsibilities that are part of the CIO’s evolving role are listed in Online File W15.4.

The CIO in the Web-Based Era

According to Ross and Feeny (2000) and Earl (1999–2000), the CIO’s role in the Web-based era is influenced by the following three factors:

● Technology and its management are changing. Companies are using new Web-based business models. Conventional applications are being transformed to Web-based. There is increasing use of B2B e-commerce, supply chain management, CRM, ERP (see Willcocks and Sykes, 2000) and knowledge management applications. The application portfolio includes more and more Web-based applications.

● Executives’ attitudes are changing. Greater attention is given to opportunities and risks. At the very least, CIOs are the individuals to whom the more computer-literate executives look for guidance, especially as it relates to e-business. Also, executives are more willing to invest in IT, since the cost-benefit ratio of IT is improving with time.

● Interactions with vendors are increasing. Suppliers of IT, especially the major ones (HP, Cisco, IBM, Microsoft, Sun, Intel, and Oracle), are influencing the strategic thinking of their corporate customers.

The above factors shape the roles and responsibilities of the CIO in the following seven ways:

1. The CIO is taking increasing responsibility for defining the strategic future.

2. The CIO needs to understand (with others in the organization) that the Web-based era is more about fundamental business change than about technology.

3. The CIO is responsible for protecting the ever-increasing IT assets, including the Web infrastructure, against ever-increasing hazards, including terrorist attacks.

4. The CIO is becoming a business visionary who drives business strategy, develops new business models on the Web, and introduces management processes that leverage the Internet, intranets, and extranets.

5. The CIO needs to argue for a greater measure of central control. For example, placing inappropriate content on the Internet or intranets can be harmful and needs to be monitored and coordinated.

6. The IT asset-acquisition process must be improved. The CIO and end users must work more closely than ever before.

7. The increased networked environment may lead to disillusionment with IT, an undesirable situation that the CIO should help to avoid.

These seven challenges place lots of pressure on CIOs, especially in times of economic decline (see Leidner et al., 2003).

As a result of the considerable pressures they face, CIOs may earn very high salaries (up to $1,000,000/year in large corporations), but there is high turnover in this position (see Earl, 1999/2000 and Sitonis and Goldberg, 1997). As technology becomes increasingly central to business, the CIO becomes a key mover in the ranks of upper management. For example, in a large financial institution’s executive committee meeting, attended by one of the authors, modest requests for additional budgets by the senior vice presidents for finance and for marketing were turned down after long debate. But, at the same meeting, the CIO’s request for a tenfold addition was approved in only a few minutes.

It is interesting to note that CEOs are acquiring IT skills. According to Duffy (1999), a company’s best investment is a CEO who knows technology. If both the CIO and the CEO have the necessary skills for the information age, their company has the potential to flourish. For this reason some companies promote their CIOs to CEOs.

According to eMarketer Daily (May 12, 2003), CEOs see security as the second most important area for IT over the next two to three years. We will now turn our attention to one area where the CIO is expected to lead: the security of information systems in the enterprise.

15.3 IS VULNERABILITY AND COMPUTER CRIMES

Information resources are scattered throughout the organization. Furthermore, employees travel with and take home corporate computers and data. Information is transmitted to and from the organization and among the organization’s components. IS physical resources, data, software, procedures, and any other information resources may therefore be vulnerable, in many places at any time.

Before we describe the specific problems with information security and someproposed solutions, it is necessary to know the key terminology in the field.Table 15.2 provides an overview of that terminology.

Most people are aware of some of the dangers faced by businesses that aredependent on computers. Information systems, however, can be damaged formany other reasons. The following incidents illustrate representative cases ofbreakdowns in information systems.

INCIDENT 1. On September 12, 2002, Spitfire Novelties fell victim to what iscalled a “brute force” credit card attack. On a normal day, the Los Angeles-based company generates between 5 and 30 transactions. That Thursday, Spitfire’scredit card transaction processor, Online Data Corporation, processed 140,000 fakecredit card charges, worth $5.07 each. Of these, 62,000 were approved. The totalvalue of the approved charges was around $300,000. Spitfire found out about thetransactions only when they were called by one of the credit card owners whohad been checking his statement online and had noticed the $5.07 charge.

Brute force credit card attacks require minimal skill. Hackers simply run thousands of small charges through merchant accounts, picking numbers at random. (For details on a larger credit card scam see money.cnn.com/2003/02/18/technology/creditcards/index.htm.)
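As an added example (not from the textbook), the following Python velocity check shows the signals a merchant or its processor could monitor to catch a flood like Spitfire’s: a burst far above the normal daily volume, one amount repeated across nearly every charge, and a high decline rate. The transaction records, the thresholds and the roughly 44 percent approval rate in the burst are constructed for the illustration.

```python
"""Velocity checks for the brute-force card attack described in Incident 1.

Added example, not from the textbook. The transaction records are
constructed: a merchant that normally sees 5-30 charges a day receives a
flood of tiny, identical-amount charges, over half of which are declined.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class Charge:
    ts: datetime      # time the processor saw the charge
    amount: float     # charge amount in dollars
    approved: bool    # issuer approved (True) or declined (False)


def busiest_window(charges: List[Charge], window: timedelta) -> List[Charge]:
    """Return the charges falling in the densest `window`-long interval.

    `charges` must be sorted by timestamp; j only moves forward because the
    right edge of the window never moves left as the left edge advances."""
    best_count, best_start, j = 0, 0, 0
    for i, first in enumerate(charges):
        # advance j to the first charge later than first.ts + window
        while j < len(charges) and charges[j].ts - first.ts <= window:
            j += 1
        if j - i > best_count:
            best_count, best_start = j - i, i
    return charges[best_start:best_start + best_count]


def charge_alerts(charges: Iterable[Charge],
                  window: timedelta = timedelta(hours=1),
                  normal_daily_max: int = 30,
                  min_sample: int = 20,
                  max_same_amount_share: float = 0.5,
                  max_decline_rate: float = 0.3) -> List[str]:
    """Evaluate three signals the incident exhibits on the busiest window.

    * volume: more charges in one window than a normal whole day;
    * amount: a single amount dominates (the attacker re-used $5.07);
    * declines: a high decline rate, since random card numbers are mostly invalid.
    The last two are only judged once there is a reasonable sample size,
    so a quiet day with a couple of equal charges does not trip them.
    """
    ordered = sorted(charges, key=lambda c: c.ts)
    alerts: List[str] = []
    if not ordered:
        return alerts
    burst = busiest_window(ordered, window)
    count = len(burst)
    if count > normal_daily_max:
        alerts.append(f"volume: {count} charges within {window} "
                      f"(a normal day has at most {normal_daily_max})")
    if count >= min_sample:
        amount, n = Counter(round(c.amount, 2) for c in burst).most_common(1)[0]
        if n / count > max_same_amount_share:
            alerts.append(f"amount: {n} of {count} charges are exactly ${amount:.2f}")
        declined = sum(1 for c in burst if not c.approved)
        if declined / count > max_decline_rate:
            alerts.append(f"declines: {declined}/{count} charges declined "
                          f"({declined / count:.0%})")
    return alerts


def constructed_day() -> List[Charge]:
    """Constructed sample: 20 ordinary charges, then a 500-charge burst of $5.07."""
    start = datetime(2002, 9, 12, 8, 0)
    normal = [Charge(start + timedelta(minutes=25 * k), 12.0 + k, True)
              for k in range(20)]
    # burst: one charge every 2 seconds from 18:00, roughly 44% approved
    burst = [Charge(start + timedelta(hours=10, seconds=2 * k), 5.07, k % 9 < 4)
             for k in range(500)]
    return normal + burst


if __name__ == "__main__":
    for line in charge_alerts(constructed_day()):
        print("ALERT", line)
```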

INCIDENT 2. In January 2003 a hacker stole from the database of Moscow’s MTS (mobile phone company) the personal details (passport number, age, home address, tax ID number, and more) of 6 million customers, including Russia’s president V. V. Putin, and sold them on CD-ROMs for about $15 each. The database can be searched by name, phone number, or address. The information can be used for crimes such as identity theft, where someone uses the personal information of others to create a false identity and then uses it for some fraud (e.g., to get a fake credit card). In Russia neither the theft of such information nor its sale was illegal (see Walsh, 2003).

TABLE 15.2 IT Security Terms

Backup: An extra copy of the data and/or programs, kept in a secured location(s).
Decryption: Transformation of scrambled code into readable data after transmission.
Encryption: Transformation of data into scrambled code prior to its transmission.
Exposure: The harm, loss, or damage that can result if something has gone wrong in an information system.
Fault tolerance: The ability of an information system to continue to operate (usually for a limited time and/or at a reduced level) when a failure occurs.
Information system controls: The procedures, devices, or software that attempt to ensure that the system performs as planned.
Integrity (of data): A guarantee of the accuracy, completeness, and reliability of data. System integrity is provided by the integrity of its components and their integration.
Risk: The likelihood that a threat will materialize.
Threats (or hazards): The various dangers to which a system may be exposed.
Vulnerability: Given that a threat exists, the susceptibility of the system to harm caused by the threat.

INCIDENT 3. Destructive software (viruses, worms, and their variants, which are defined and discussed more fully later in the chapter) is flooding the Internet. Here are some examples of the 2003 vintage: SQL Slammer is a worm that carries a self-regenerating mechanism that enables it to multiply quickly across the Internet. It is so good at replicating that it quickly generates a massive amount of data, which slowed Internet traffic mainly in South Korea, Japan, Hong Kong, and some European countries in January 2003. It is a variation of Code Red, which slowed traffic on the Internet in July 2001. On May 18, 2003, a new virus that masqueraded as an e-mail from Microsoft technical support attacked computers in 89 countries. In June 2003, a high-risk virus, w32/Bugbear, started to steal VISA account information (see “Bugbear worm steals…,” 2003).

INCIDENT 4. On March 15, 2003, a student hacked into the University of Houston computer system and stole Social Security numbers of 55,000 students, faculty, and staff. The student was charged with unauthorized access to protected computers using someone else’s ID, with intent to commit a federal crime. The case is still in the courts, and prison time is a possibility.

INCIDENT 5. On February 29, 2000, hundreds of automated teller machines (ATMs) in Japan were shut down, a computer system at a nuclear plant seized up, weather-monitoring devices malfunctioned, display screens for interest rates at the post offices failed, seismographs provided wrong information, and there were many other problems related to programming for “leap year.” The problem was that years that end in “00” do not get the extra day, added every four years, unless they are divisible by 400 (2000 is such a leap year, but not 1900 or 2100). This rule was not programmed properly in some old programs in Japan, thus creating the problems. In May 2001, a glitch in Japan’s air-traffic systems grounded 1,600 domestic flights for 30 minutes while the system was operated manually.
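The leap-year rule in Incident 5, as an added example rather than code from the textbook: the faulty version omits the divisible-by-400 exception, and a day-of-year conversion of the kind embedded devices use shows how every date after February 28, 2000 shifts by one day under it, while day 366 does not exist at all.

```python
"""The leap-year rule behind Incident 5, with the faulty and correct versions
side by side. Added example, not from the textbook."""
from datetime import date
from typing import Callable, List, Tuple

LeapRule = Callable[[int], bool]


def is_leap_correct(year: int) -> bool:
    """Gregorian rule: every 4th year, except century years, except every 400th year."""
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def is_leap_faulty(year: int) -> bool:
    """The bug in the incident: century years never get the extra day, so 2000
    is wrongly treated as a common year (1900 and 2100 happen to come out right)."""
    return year % 4 == 0 and year % 100 != 0


def days_in_month(year: int, month: int, rule: LeapRule) -> int:
    """Month length under the given leap-year rule."""
    lengths = [31, 29 if rule(year) else 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]
    return lengths[month - 1]


def day_of_year_to_date(year: int, day_number: int, rule: LeapRule) -> Tuple[int, int]:
    """Convert a 1-based day-of-year counter into (month, day) using `rule`.

    Devices that keep time as "days since New Year" do exactly this, so a
    wrong rule shifts every date after February 28 by one day and makes the
    366th day of 2000 fall off the end of the year."""
    for month in range(1, 13):
        length = days_in_month(year, month, rule)
        if day_number <= length:
            return month, day_number
        day_number -= length
    raise ValueError("day number past the end of the year")


def years_misclassified(start: int, end: int) -> List[int]:
    """Years in [start, end] where the faulty rule disagrees with the correct one."""
    return [y for y in range(start, end + 1)
            if is_leap_correct(y) != is_leap_faulty(y)]


def agrees_with_calendar(year: int) -> bool:
    """Cross-check the correct rule against Python's own calendar."""
    return is_leap_correct(year) == (date(year, 12, 31).timetuple().tm_yday == 366)


if __name__ == "__main__":
    print("2000 leap? correct:", is_leap_correct(2000), "faulty:", is_leap_faulty(2000))
    print("day 60 of 2000 -> correct:", day_of_year_to_date(2000, 60, is_leap_correct),
          "faulty:", day_of_year_to_date(2000, 60, is_leap_faulty))
    print("years misclassified 1900-2100:", years_misclassified(1900, 2100))
```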

INCIDENT 6. For almost two weeks, a seemingly legitimate ATM operating in a shopping mall near Hartford, Connecticut, gave customers apologetic notes that said, “Sorry, no transactions are possible.” Meanwhile, the machine recorded the card numbers and the personal identification numbers that hundreds of customers entered in their vain attempts to make the machine dispense cash. On May 8, 1993, while the dysfunctional machine was still running in the shopping mall, thieves started tapping into the 24-hour automated teller network in New York City. Using counterfeit bank cards encoded with the numbers stolen from the Hartford customers, the thieves removed about $100,000 from the accounts of innocent customers. The criminals were successful in making an ATM machine do what it was supposedly designed not to do: breach its own security by recording bank card numbers together with personal security codes.

INCIDENT 7. Netscape security is aimed at scrambling sensitive financial data such as credit card numbers and sales transactions so they would be safe from break-ins, by using a powerful 128-bit program. However, using 120 powerful workstations and two supercomputers, in 1996 a French student breached the encryption program in eight days, demonstrating that no program is 100 percent secure.

INCIDENT 8. In 1994 a Russian hacker (who did not know much English) broke into a Citibank electronic funds transfer system and stole more than $10 million by wiring it to accounts around the world. Since then, Citibank, a giant bank that moves about a trillion dollars a day, increased its security measures, requiring customers to use electronic devices that create new passwords very frequently.

INCIDENT 9. On April 30, 2000, the London Stock Exchange was paralyzed by its worst computer system failure, before finally opening nearly eight hours late. A spokesman for the exchange said the problem, which crippled the supply of prices and firm information, was caused by corrupt data. He gave no further details. Dealers were outraged by the fault, which came on the last day of the tax year and just hours after violent price swings in the U.S. stock markets. The British Financial Services Authority said it viewed the failure seriously, adding it would insist any necessary changes to systems be made immediately and that lessons were “learned rapidly” to ensure the breakdown was not repeated.

These incidents and the two in the opening case illustrate the vulnerability of information systems, the diversity of causes of computer security problems, and the substantial damage that can be done to organizations anywhere in the world as a result. The fact is that computing is far from secure (e.g., see Austin and Darby, 2003, and the 2003 FBI report in Richardson, 2003).

System Vulnerability

Information systems are made up of many components that may be housed in several locations. Thus, each information system is vulnerable to many potential hazards or threats. Figure 15.1 presents a summary of the major threats to the security of an information system. Attacks on information systems can be either on internal systems (suffered by about 30% of the responding organizations in the CSI/FBI survey, as reported in Richardson, 2003), or via remote dial-ins (18%), or on Internet-based systems (78%). (See also sons.org/top20, for the most critical Internet security vulnerabilities.)

According to CVE (Common Vulnerabilities and Exposures, an organization based at Mitre Corp. that provides information, education, and advice regarding IT vulnerabilities and exposure, along with solutions) (cve.mitre.org/about/terminology.html), there is a distinction between vulnerability and exposure:

A universal vulnerability is a state in a computing system (or set of systems) which either: allows an attacker to execute commands as another user; allows an attacker to access data that is contrary to the specified access restrictions for that data; allows an attacker to pose as another entity; or allows an attacker to conduct a denial of service.

An exposure is a state in a computing system (or set of systems) which is not a universal vulnerability, but either: allows an attacker to conduct information gathering activities; allows an attacker to hide activities; includes a capability that behaves as expected, but can be easily compromised; is a primary point of entry that an attacker may attempt to use to gain access to the system or data; and is considered a problem according to some reasonable security policy.

We will use the term vulnerability here to include exposure as well (including unintentional threats). Incidentally, by 2002 the CVE identified more than 5,000 different security issues and problems (see Mitre, 2002).

The vulnerability of information systems is increasing as we move to a world of networked and especially wireless computing. Theoretically, there are hundreds of points in a corporate information system that can be subject to some threats. And actually, there are thousands of different ways that information systems can be attacked or damaged. These threats can be classified as unintentional or intentional.

UNINTENTIONAL THREATS. Unintentional threats can be divided into three major categories: human errors, environmental hazards, and computer system failures.

FIGURE 15.1 Security threats. The figure maps threats onto the components of an information system: hardware (failure of protection mechanisms, contribution to software failure, installation (use) of unauthorized); systems software (failure of protection mechanisms, information leakage, installing unauthorized software); application programmer (programming of applications to behave contrary to specification); systems programmer (bypassing security mechanisms, disabling security mechanisms, installing an insecure system); authorizer (incorrect specification of security policy); operator (duplication of confidential reports, initializing an insecure system, theft of confidential material); terminals (located in an insecure environment); PCs (fraudulent identification, illegal leakage of authorized information, viruses on disks, physical theft); database and its access rules (unauthorized access, copying, theft; abuse of access controls); external environment (natural disasters, malicious attacks, unauthorized access to the computer center, illegal or illicit use of computing resources, electronic theft, fraud); and the processor, local area network, firewall and Internet links (accidental errors in processing and storage, radiation, crosstalk, taps, viruses, denial of service).


Many computer problems result from human errors. Errors can occur in the design of the hardware and/or information system. They can also occur in the programming, testing, data collection, data entry, authorization, and instructions. Human errors contribute to the vast majority (about 55 percent) of control- and security-related problems in many organizations.

Environmental hazards include earthquakes, severe storms (e.g., hurricanes, snow, sand, lightning, and tornadoes), floods, power failures or strong fluctuations, fires (the most common hazard), defective air conditioning, explosions, radioactive fallout, and water-cooling-system failures. In addition to damage from combustion, computer resources can incur damage from other elements that accompany fire, such as smoke, heat, and water. Such hazards may disrupt normal computer operations and result in long waiting periods and exorbitant costs while computer programs and data files are recreated.

Computer system failures can occur as the result of poor manufacturing or defective materials. Unintentional malfunctions can also happen for other reasons, ranging from lack of experience to inappropriate testing. See A Closer Look 15.1 for the story about recent systems failures at airports.

A CLOSER LOOK 15.1 COMPUTER GLITCHES DELAY AIRPORT OPENINGS

When the multibillion-dollar airport was opened in Hong Kong on July 6, 1999, a combination of computer glitches and unprepared personnel turned the airport into chaos. Both travelers and cargo were affected. For example, one software bug erased all inventory records, leaving no clue as to who owned what. Another software bug erased flight information from monitors, preventing passengers from finding flights. Computer problems in the baggage system resulted in 10,000 lost bags. Fresh food and seafood being shipped to restaurants and hotels got spoiled, and considerable business was lost. In the United States, Denver’s airport, which opened in 1995, had been plagued by computer glitches as well (see Chapter 14). Similarly, in Malaysia, when a new facility opened on July 1, 1999, a computerized total airport management system collapsed on the first day.

In all these airport cases, the problem was not external hackers’ attacks or internal intentional acts. The bugs resulted from poor IS planning, lack of coordination, and insufficient testing.

INTENTIONAL THREATS. As headlines about computer crime indicate, computer systems may be damaged as a result of intentional actions as well. These account for about 30 percent of all computer problems, according to the Computer Security Institute (gocsi.com), but the monetary damage from such actions can be extremely large. Examples of intentional threats include: theft of data; inappropriate use of data (e.g., manipulating inputs); theft of mainframe computer time; theft of equipment and/or programs; deliberate manipulation in handling, entering, processing, transferring, or programming data; labor strikes, riots, or sabotage; malicious damage to computer resources; destruction from viruses and similar attacks; and miscellaneous computer abuses and Internet fraud. In addition, while terrorists’ attacks do not usually directly target computers, the computers and information systems can be destroyed in such cases, as happened in the 9/11 disaster in New York and Washington, D.C. Intentional threats can even be against whole countries. Many fear the possibility of cyber-attacks by some countries against others.

Computer Crimes

According to the Computer Security Institute (gocsi.com), 64 percent of all corporations experienced computer crimes in 1997. The figures in the years 1998 through 2003 were even higher—about 96 percent in 2003 (per Richardson, 2003). The number, magnitude, and diversity of computer crimes are increasing. Lately, increased fraud related to the Internet and e-commerce is in evidence. For an overview of computer crime, see Loundy, 2003; for FBI statistics for 2002/2003, see Richardson, 2003.

TYPES OF COMPUTER CRIMES AND CRIMINALS. In many ways, computer crimes resemble conventional crimes. They can occur in various ways. First, the computer can be the target of the crime. For example, a computer may be stolen or destroyed, or a virus may destroy data. Second, the computer can be the medium or tool of the attack, by creating an environment in which a crime or fraud can occur. For example, false data are entered into a computer system to mislead individuals examining the financial condition of a company. Finally, the computer can be used to intimidate or deceive. For instance, a stockbroker stole $50 million by convincing his clients that he had a computer program with which he could increase their return on investment by 60 percent per month. Crimes done on the Internet, called cybercrimes (discussed later), can fall into any of these categories.

Crimes can be performed by outsiders who penetrate a computer system (frequently via communication lines) or by insiders who are authorized to use the computer system but are misusing their authorization. Hacker is the term often used to describe an outside person who penetrates a computer system. For an overview of hacking and the protection against it, see Fadia (2002). A cracker is a malicious hacker, who may represent a serious problem for a corporation. Hackers and crackers may involve unsuspecting insiders in their crimes. In a strategy called social engineering, computer criminals or corporate spies build an inappropriate trust relationship with insiders for the purpose of gaining sensitive information or unauthorized access privileges. For a description of social engineering and some tips for prevention see Damle (2002) and Online File W15.5.

Computer criminals, whether insiders or outsiders, tend to have a distinct profile and are driven by several motives (see Online File W15.6). Ironically, many employees fit this profile, but only a few of them are criminals. Therefore, it is difficult to predict who is or will be a computer criminal. Criminals use various and frequently innovative attack methods.

A large proportion of computer crimes are performed by insiders. According to Richardson (2003) the likely sources of attacks on U.S. companies are: independent hackers (82%), disgruntled employees (78%), U.S. competitors (40%), foreign governments (28%), and foreign corporations (25%).

In addition to computer crimes against organizations, there is an alarming increase in fraud committed against individuals on the Internet. These are a part of cybercrimes.

CYBERCRIMES. The Internet environment provides an extremely easy landscape for conducting illegal activities. These are known as cybercrimes, meaning they are executed on the Internet. Hundreds of different methods and “tricks” are used by innovative criminals to get money from innocent people, to buy without paying, to sell without delivering, to abuse people or hurt them, and much more.

According to Sullivan (2003), between January 1 and April 30, 2003, agencies of the U.S. government uncovered 89,000 victims from whom Internet criminals bilked over $176 million. As a result, on May 16, 2003, the U.S. Attorney General announced that 135 people were arrested nationwide and charged with cybercrime. The most common crimes were investment swindles and identity theft. The Internet with its global reach has also resulted in a growing amount of cross-border fraud (see A Closer Look 15.2).

Identity Theft. A growing cybercrime problem is identity theft, in which a criminal (the identity thief) poses as someone else. The thief steals Social Security numbers and credit card numbers, usually obtained from the Internet, to commit fraud (e.g., to buy products or consume services) that the victim is required to pay for later. The biggest burden for the person whose identity was stolen is restoring the damaged credit rating. For details and commercial solutions see idthief.com.

CYBERWAR. There is an increasing interest in the threat of cyberwar, in which a country’s information systems could be paralyzed by a massive attack of destructive software. The target systems can range from the ISs of business, industry, government services, and the media to military command systems.

One aspect of cyberwar is cyberterrorism, which refers to Internet terrorist attacks. These attacks, like cyberwar, can put the national information infrastructure at risk. The U.S. President’s Critical Infrastructure Protection Board (CIPB) is preparing protection plans, policies, and strategies to deal with cyberterrorism. The CIPB is recommending investment in cybersecurity programs. Some of the areas of the CIPB report are: a general policy on information security; asset protection requirements, including controls to ensure the return or destruction of information; technology insurance requirements; intellectual property rights; the right to monitor, and revoke, user activity; specification of physical and technical security standards; and communication procedures in time of emergency. (For more details and debates, see cdt.org/security/critinfra and ciao.gov. For more details on cyberterrorism, see Verton and Brownlow, 2003.)

Methods of Attack on Computing Facilities

There are many methods of attack, and new ones appear regularly. Of the many methods of attack on computing facilities, the CSI/FBI reports (per Richardson, 2003) the following as most frequent (percentage of responding companies): virus (82%), insider abuse of Internet access (80%), unauthorized access by insiders (45%), theft of laptop (59%), denial of service (DoS) attack (42%), system penetration (36%), sabotage (21%), and theft of proprietary information (21%). In this section we look at some of these methods. Two basic approaches are used in deliberate attacks on computer systems: data tampering and programming attack.

Data tampering, the most common means of attack, refers to entering false, fabricated, or fraudulent data into the computer or changing or deleting existing data. This is the method often used by insiders. For example, to pay for his wife’s drug purchases, a savings and loan programmer transferred $5,000 into his personal account and tried to cover up the transfer with phony debit and credit transactions.


A CLOSER LOOK 15.2 CROSS-BORDER CYBERCRIMES

As the Internet grows, so do cross-border scams. According to the U.S. Federal Trade Commission (FTC), there was an increase in the complaints filed by U.S. consumers about cross-border scams of 74 percent in 2002 (to 24,213) (Davidson, 2003). Most complaints involved advance-fee loans, foreign cash offers, and sweepstakes. Scammers based in one country elude authorities by victimizing residents of others, using the Internet.

For example, David Lee, a 41-year-old Hong Kong resident, replied to an advertisement in a respected business magazine that offered him free investment advice. After he replied, he received professional-looking brochures and a telephone sales speech. Then he was directed to the Web site of Equity Mutual Trust (Equity) where he was able to track the impressive daily performance of a fund that listed offices in London, Switzerland, and Belize. From that Web site he was linked to sister funds and business partners. Lee also was linked to what he believed was the well-known investment-fund evaluator company Morningstar (morningstar.com). Actually, the site was an imitation that replicated the original site. The imitation site provided a very high, but false, rating on the Equity Mutual Trust funds. Finally, Lee was directed to read about Equity and its funds in the respected International Herald Tribune’s Internet edition; the article appeared to be news but was actually an advertisement.

Convinced that he would receive super short-term gains, he mailed US$16,000, instructing Equity to invest in the Grand Financial Fund. Soon he grew suspicious when letters from Equity came from different countries, telephone calls and e-mails were not answered on time, and the daily Internet listings dried up.

When Lee wanted to sell, he was advised to increase his investment and shift to a Canadian company, Mit-Tec, allegedly a Y2K-bug troubleshooter. The Web site he was directed to looked fantastic. But this time Lee was careful. He contacted the financial authorities in the Turks and Caicos Islands—where Equity was based at that time—and was referred to the British police.

Soon he learned that chances were slim that he would ever see his money again. Furthermore, he learned that several thousand victims had paid a total of about $4 billion to Equity. Most of the victims live in Hong Kong, Singapore, and other Asian countries. Several said that the most convincing information came from the Web sites, including the “independent” Web site that rated Equity and its funds as safe, five-star funds.

According to Davidson (2003), the FTC admitted that the laws in the United States (and other countries) are set up based on an old-economy view and are not effective enough in cross-border cases involving new-economy realities. To solve the problem, some countries (e.g., Germany, Netherlands) rely on self-regulatory business groups that can merely urge an offending company to change its practice. Some countries try to bar rogue marketers from conducting unethical or even illegal marketing activities, but cannot even impose financial sanctions. Offending companies are simply looking for jurisdictions of convenience. (Incidentally, the same situation exists with companies that support free file sharing, such as Kazaa; they are operating from outside the United States and so are not subject to U.S. laws, however outdated they may be.)

What can be done? In June 2003, 29 nations belonging to the Organization for Economic Cooperation and Development (OECD) announced an agreement on unified guidelines for far greater cooperation in prosecuting online scammers, and in enforcement of existing laws. There will be information sharing and collaboration among investigators from different countries (e.g., relaxing privacy rules that in most nations, including the United States, now strictly limit the information that can be shared). Participating countries will try to pass laws adopting the guidelines. For example, in the United States, which has the most victims of cross-border fraud, a pending bill in Congress would give the FTC new authority to prosecute cross-border fraud.

Sources: Compiled from Davidson (2003), from ftc.org, and a news item in South China Morning Post (Hong Kong, May 21, 1999).

Programming attack is popular with computer criminals who use programming techniques to modify a computer program, either directly or indirectly. For this crime, programming skills and knowledge of the targeted systems are essential. Programming attacks appear under many names, as shown in Table 15.3. Several of the methods were designed for Web-based systems. Viruses merit special discussion here due to their frequency, as do denial of service attacks, due to the effects they have had on computer networks.

TABLE 15.3 Methods of Programming Attack on Computer Systems

Virus: Secret instructions inserted into programs (or data) that are innocently run during ordinary tasks. The secret instructions may destroy or alter data, as well as spread within or between computer systems.
Worm: A program that replicates itself and penetrates a valid computer system. It may spread within a network, penetrating all connected computers.
Trojan horse: An illegal program, contained within another program, that “sleeps” until some specific event occurs, then triggers the illegal program to be activated and cause damage.
Salami slicing: A program designed to siphon off small amounts of money from a number of larger transactions, so the quantity taken is not readily apparent.
Superzapping: A method of using a utility “zap” program that can bypass controls to modify programs or data.
Trap door: A technique that allows for breaking into a program code, making it possible to insert additional instructions.
Logic bomb: An instruction that triggers a delayed malicious act.
Denial of service: Too many requests for service, which crashes the site.
Sniffer: A program that searches for passwords or content in a packet of data as they pass through the Internet.
Spoofing: Faking an e-mail address or Web page to trick users into providing information or sending money.
Password cracker: A program that tries to guess passwords (can be very successful).
War dialing: Programs that automatically dial thousands of telephone numbers in an attempt to identify one authorized to make a connection with a modem; then one can use that connection to break into databases and systems.
Back doors: Invaders to a system create several entry points; even if you discover and close one, they can still get in through others.
Malicious applets: Small Java programs that misuse your computer resources, modify your files, send fake e-mail, etc.

VIRUSES. The most publicized and most common attack method is the virus. It receives its name from the program’s ability to attach itself to (“infect”) other computer programs, without the owner of the program being aware of the infection (see Figure 15.2). When the software is used, the virus spreads, causing damage to that program and possibly to others.

According to Bruno (2002), 93 percent of all companies experienced virus attacks in 2001, with an average loss of $243,845 per company. A virus can spread throughout a computer system very quickly. Due to the availability of public-domain software, widely used telecommunications networks, and the Internet, viruses can also spread to many organizations around the world, as shown in the incidents listed earlier. Some of the most notorious viruses are “international,” such as Michelangelo, Pakistani Brain, Chernobyl, and Jerusalem. (For the history of viruses and how to fight them, see Zetter and Miastkowski, 2000.)

When a virus is attached to a legitimate software program, the legitimate software is acting as a Trojan horse, a program that contains a hidden function that presents a security risk. The name is derived from the Trojan horse in Greek legend. The Trojan horse programs that present the greatest danger are those that make it possible for someone else to access and control a person’s computer over the Internet.

We’ll look at viruses and how to fight them later in the chapter, when we describe security on networks.

DENIAL OF SERVICE. The opening case of this chapter described a denial of service incident. In a denial-of-service (DoS) attack, an attacker uses specialized software to send a flood of data packets to the target computer, with the aim of overloading its resources. Many attackers rely on software that has been created by other hackers and made available free over the Internet.

With a distributed denial of service (DDoS) attack, the attacker gains illegal administrative access to computers on the Internet. With access to a large number of computers, the attacker loads the specialized DDoS software onto these computers. The software lies in wait for a command to begin the attack. When the command is given, the distributed network of computers begins sending out requests to one or more target computers. The requests can be legitimate queries for information or can be very specialized computer commands designed to overwhelm specific computer resources.

The machines on which DDoS software is loaded are known as zombies (Karagiannis, 2003). Zombies are often located at university and government sites. Increasingly, with the rise of cable modems and DSL modems, home computers that are connected to the Internet and left on all the time have become good zombie candidates.
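To illustrate the difference a defender sees between a flood from one attacker and one from many zombies, here is an added Python example (not from the textbook) that buckets web-server lines in Common Log Format into ten-second windows and reports the windows whose aggregate request rate far exceeds a baseline, labelling each as single-source or distributed. The log lines, IP addresses and thresholds are constructed for the illustration.

```python
"""Telling a single-source flood from a distributed one (DoS vs DDoS) in
web-server access logs. Added example, not from the textbook; the log lines
are constructed in Common Log Format, and the thresholds are assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Tuple[str, datetime]]:
    """Return (source ip, timestamp) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def flood_report(lines: List[str],
                 window: timedelta = timedelta(seconds=10),
                 baseline_rps: float = 5.0,
                 spike_factor: float = 3.0,
                 single_source_share: float = 0.5) -> List[Dict[str, object]]:
    """Bucket requests into fixed windows and report the ones whose request
    rate exceeds `spike_factor` times the baseline.

    A DoS flood shows as one address dominating the window; a DDoS from
    zombies shows the same aggregate rate spread over many addresses, each
    of which may look harmless on its own, so per-source limits alone miss it.
    """
    secs = window.total_seconds()
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # skip garbage rather than crash
        ip, ts = parsed
        buckets[int(ts.timestamp() // secs)][ip] += 1

    report: List[Dict[str, object]] = []
    for bucket in sorted(buckets):
        hits = buckets[bucket]
        total = sum(hits.values())
        rate = total / secs
        if rate <= spike_factor * baseline_rps:
            continue
        top_ip, top_n = hits.most_common(1)[0]
        kind = "single-source" if top_n / total > single_source_share else "distributed"
        report.append({
            "window_start": datetime.fromtimestamp(bucket * secs, tz=timezone.utc),
            "requests": total,
            "rate_rps": rate,
            "sources": len(hits),
            "top_source": top_ip,
            "kind": kind,
        })
    return report


def constructed_log() -> List[str]:
    """Three 10-second windows: normal traffic, a distributed flood, a single-source flood."""
    def line(ip: str, ts: datetime) -> str:
        stamp = ts.strftime(TS_FMT)
        return f'{ip} - - [{stamp}] "GET / HTTP/1.0" 200 512'

    t0 = datetime(2003, 1, 24, 10, 0, 0, tzinfo=timezone.utc)
    lines: List[str] = []
    # normal: 30 requests from 5 clients over 10 s (3 req/s)
    for k in range(30):
        lines.append(line(f"10.0.0.{k % 5 + 1}", t0 + timedelta(seconds=k % 10)))
    # distributed flood a minute later: 40 zombies, 5 requests each (20 req/s)
    for k in range(200):
        lines.append(line(f"192.0.2.{k % 40 + 1}",
                          t0 + timedelta(minutes=1, seconds=k % 10)))
    # single-source flood two minutes later: one client, 300 requests (30 req/s)
    for k in range(300):
        lines.append(line("198.51.100.7", t0 + timedelta(minutes=2, seconds=k % 10)))
    lines.append("this line is not in log format")   # must be skipped, not crash
    return lines


if __name__ == "__main__":
    for entry in flood_report(constructed_log()):
        print(entry)
```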

DoS attacks are not new. In 1996, a New York Internet service provider had service disrupted for over a week by a DoS attack, denying service to over 6,000 users and 1,000 companies. A recent example of a DoS attack is the one on RIAA (Recording Industry Association of America), whose site (riaa.org) was rendered largely unavailable for a week starting January 24, 2003. The attack was done mainly by those who did not like the RIAA’s attempts to fight pirated music distributed by file sharing. Due to the widespread availability of free intrusion tools and scripts and the overall interconnectivity on the Internet, the intruder population now consists of virtually anyone with minimal computer experience (often a teenager with time on his hands). Unfortunately, a successful DoS attack can literally threaten the survival of an EC site, especially for SMEs.

FIGURE 15.2 How a computer virus can spread. Just as a biological virus disrupts living cells to cause disease, a computer virus—introduced maliciously—invades the inner workings of computers and disrupts normal operations of the machines. (1) A virus starts when a programmer writes a program that embeds itself in a host program. (2) The virus attaches itself and travels anywhere that the host program or piece of data travels, whether on floppy disk, local area networks, or bulletin boards. (3) The virus is set off by either a time limit or some set of circumstances, possibly a simple sequence of computer operations by the user. Then it does whatever the virus programmer intended, whether it is to print “Have a nice day” or erase data.

ATTACKS VIA MODEMS. In many companies employees who are on the road use modems for dial-in access to the company intranet. Two types of modems exist: authorized and not authorized (known as rogue modems). The latter are installed by employees when there are no authorized modems, when it is inconvenient to use the authorized modems, or when the authorized modems provide only limited access. A rogue modem is particularly dangerous because a dial-in connection reaches the host directly and bypasses whatever firewall guards the organization’s Internet connection.

Modems are very risky. It is quite easy for attackers to find them by dialing through a company’s telephone number range (war dialing) and then attempt to penetrate them, and it is easy for employees to leak secret corporate information to external networks via rogue modems. In addition, software problems may develop, such as downloading programs with viruses or with a “back door” to the system. Back doors are created by hackers to re-enter a system once a successful penetration has been made. For ways to protect systems that use modems, see White (1999).

15.4 PROTECTING INFORMATION RESOURCES: FROM NATIONAL TO ORGANIZATIONAL EFFORTS

Organizations and individuals can protect their systems in many ways. Let’s look first at what protections the national efforts can provide. Then we will look at what organizations can do to protect information resources.

Representative Federal Laws Dealing with Computer Crime and Security

A “crime” means breaching the law. In addition to breaking regular laws related to physically stealing computers or conducting fraud, computer criminals may break the specially legislated computer crime laws. According to the FBI, an average robbery involves about $3,000; an average white-collar crime involves $23,000; but an average computer crime involves about $600,000. Table 15.4 lists some key U.S. federal statutes dealing with computer crime. (For more on these laws, see epic.org/security.)

Legislation can be helpful but not sufficient. Therefore, the FBI has formed the National Infrastructure Protection Center (NIPC). This joint partnership between government and private industry is designed to prevent attacks on and protect the nation’s infrastructure: its telecommunications, energy, transportation, banking and finance, emergency services, and government operations. The FBI has also established Regional Computer Intrusion Squads, which are charged with the task of investigating violations of the Computer Fraud and Abuse Act. The squads’ activities are focused on intrusions into public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software, and other cybercrimes.

Another national organization is the Computer Emergency Response Team (CERT) at Carnegie Mellon University (cert.org). The CERT Coordination Center (CERT/CC) consists of three teams: the Incident Handling Team, the Vulnerability Handling Team, and the Artifact Analysis Team. The Incident Handling Team receives incident reports of cyberattacks from Internet sites and provides information and guidance to the Internet community on combating reported incidents. The Vulnerability Handling Team receives reports on suspected computer and network vulnerabilities, verifies and analyzes the reports, and works with the Internet community to understand and develop countermeasures to those vulnerabilities. The Artifact Analysis Team focuses on the code used to carry out cyberattacks (e.g., computer viruses), analyzing the code and finding ways to combat it.

Organizing for Information Security

Information security problems are increasing rapidly, causing damage to many organizations. Protection is expensive and complex. Therefore, companies must not only use controls to prevent or detect security problems, they must do so in an organized way, assigning responsibilities and authority throughout the organization (e.g., see Talleur, 2001, and Atlas and Young, 2002). Any program that is adopted must be supported by three organizational components: people, technology, and process (see Doughty, 2003).

One way to approach the problem of organizing for security is similar to the familiar total quality management approach, namely recognizing the importance of a corporatewide security program that deals with all kinds of security issues, including protecting the information assets. Doll et al. (2003) present this approach as having six major characteristics:

● Aligned. The program must be aligned with the organizational goals.

● Enterprisewide. Everyone in the organization must be included in the security program.

● Continuous. The program must be operational all the time.

● Proactive. Do not wait for trouble; be aware and ready; use innovative, preventive, and protective measures.

● Validated. The program must be tested and validated to ensure it works.

● Formal. It must be a formal program with authority, responsibility, and accountability.

TABLE 15.4 Key U.S. Federal Statutes Dealing with Computer Crime

Federal statute (key provision where given):
● Counterfeit Access Device and Computer Crime Control Act (passed in October 1984)
● Computer Fraud and Abuse Act (1986), 18 USC, section 1030
● Computer Abuse Amendment Act of 1994: prohibits knowing transmission of computer viruses
● Computer Security Act of 1987
● Digital Privacy Act of 2000
● Electronic Communications Privacy Act of 1986
● Electronic Freedom of Information Act, 1996
● Gramm Leach Bliley Act of 1999
● National Information Infrastructure Protection Act of 1996
● Patriot Act of 2001
● Privacy Act of 1974
● Electronic Funds Transfer Act of 1980
● Video Privacy Protection Act of 1988

A corporate security model proposed by Doll et al. (2003) is illustrated in Figure 15.3. Obviously, only very large organizations can afford such a comprehensive security model. We will present several of the components and concepts in the figure in the remaining portions of this chapter. A case study for implementing enterprise security is provided by Doughty (2003). A major issue is the role the person responsible for security (the chief security officer) is going to assume (see Robinson, 2003).

Knowing about major potential threats to information systems is necessary, but understanding ways to defend against these threats is equally critical (see cert.org and sans.com). Defending information resources is neither a simple nor an inexpensive task. The major difficulties of protecting information are listed in Table 15.5. Because of its importance to the entire enterprise, organizing an appropriate defense system is one of the major activities of any prudent CIO and of the functional managers who control information resources. As a matter of fact, IT security is the business of everyone in an organization (see Pooley, 2002).

Controls and Awareness

Protection of information resources is accomplished mostly by inserting controls (defense mechanisms) intended to prevent accidental hazards, deter intentional acts, detect problems as early as possible, enhance damage recovery, and correct problems. Controls can be integrated into hardware and software during the system development phase (the most efficient approach). They can also be added on once the system is in operation, or during its maintenance. The important point is that defense should stress prevention; a control that only takes effect after the crime has been committed does nothing to stop it.

FIGURE 15.3 Corporate security plan. (Source: Doll et al., 2003.) The figure is an organization chart: the CEO at the top; reporting functions for Security Officer, Privacy Officer, Public Media/Government Relations, Physical Security, Continuity Planning, Asset Management, and Service Management; and four security functions with their activities: Planning (business requirements, education, formal communications, governance policies, project management, risk assessment); Architecture (requests for proposals, standards and guidelines, technical requirements/design, technical security architecture, technology solutions); Operations (incident response, access control/account management, investigations, standards/solutions deployment, training and awareness, vulnerability management); Monitoring (auditing, reporting, systems monitoring, security testing).

In addition to controls, a good defense system must include security awareness. All organizational members must be aware of security threats and watch for potential problems and crimes constantly. Suggestions on how to develop such programs are offered by security consultants (e.g., see Wiederkehr, 2003). Awareness training is recommended by Talleur (2001).

Since there are many security threats, there are also many defense mechanisms. Controls are designed to protect all the components of an information system, specifically data, software, hardware, and networks. In the next section, we describe the major ones.

Defense Strategy: How Do We Protect?

The selection of a specific defense strategy depends on the objective of the defense and on the perceived cost-benefit. The following are the major objectives of defense strategies:

1. Prevention and deterrence. Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and, better yet, deny access to unauthorized people. Prevention and deterrence are especially important where the potential damage is very high (see Scalet, 2003).

2. Detection. It may not be economically feasible to prevent all hazards, and deterrence measures may not work, so some attacks will get through. Like a fire, the earlier an attack is detected, the easier it is to combat, and the less damage is done. Detection can be performed in many cases by using special diagnostic software, such as intrusion detection systems, log analysis, and file integrity checkers.

TABLE 15.5 The Difficulties in Protecting Information Resources

● Hundreds of potential threats exist.
● Computing resources may be situated in many locations.
● Many individuals control information assets.
● Computer networks can be outside the organization and difficult to protect.
● Rapid technological changes make some controls obsolete as soon as they are installed.
● Many computer crimes are undetected for a long period of time, so it is difficult to learn from experience.
● People tend to violate security procedures because the procedures are inconvenient.
● Many computer criminals who are caught go unpunished, so there is no deterrent effect.
● The amount of computer knowledge necessary to commit computer crimes is usually minimal. As a matter of fact, one can learn hacking, for free, on the Internet.
● The cost of preventing hazards can be very high. Therefore, most organizations simply cannot afford to protect against all possible hazards.
● It is difficult to conduct a cost-benefit justification for controls before an attack occurs since it is difficult to assess the value of a hypothetical attack.

3. Limitation of damage. This strategy is to minimize (limit) losses once a malfunction has occurred. This can be accomplished by including a fault-tolerant system that permits operation in a degraded mode until full recovery is made. If a fault-tolerant system does not exist, a quick (and possibly expensive) recovery must take place. Users want their systems back in operation as quickly as possible.

4. Recovery. A recovery plan explains how to fix a damaged information system as quickly as possible. Replacing rather than repairing components is one route to fast recovery.

5. Correction. Correcting the causes of damaged systems can prevent the problem from occurring again.

6. Awareness and compliance. All organization members must be educated about the hazards and must comply with the security rules and regulations.

Any defense strategy that aims to attain one or more of these objectives may involve the use of several controls. The defense controls are divided in our discussion into two major categories: general controls and application controls. Each has several subcategories, as shown in Figure 15.4. General controls are established to protect the system regardless of the specific application. For example, protecting hardware and controlling access to the data center are independent of the specific application. Application controls are safeguards that are intended to protect specific applications. In the next two sections, we discuss the major types of these two groups of information systems controls.

FIGURE 15.4 Major defense controls. The figure is a tree: Defense controls divide into General controls (Physical, Access, Data Security, Communication, Administrative, Other, Web Controls) and Application controls (Input, Output, Processing). Specific mechanisms shown under the general branches are Biometrics, Encryption, Cable Testers, Firewalls, Virus Protection, and Authentication/Biometrics.

General Controls

The major categories of general controls are physical controls, access controls, data security controls, communications (networks) controls, and administrative controls.

PHYSICAL CONTROLS. Physical security refers to the protection of computer facilities and resources. This includes protecting physical property such as computers, data centers, software, manuals, and networks. Physical security is the first line of defense and usually the easiest to construct. It provides protection against most natural hazards as well as against some human hazards. Appropriate physical security may include several controls such as the following:

● Appropriate design of the data center. For example, the site should be noncombustible and waterproof.

● Shielding against electromagnetic fields.

● Good fire prevention, detection, and extinguishing systems, including sprinkler system, water pumps, and adequate drainage facilities. Gas-based suppression systems are preferred for equipment rooms because they do not soak the hardware; Halon, once the standard agent, has been phased out under ozone-protection regulations in favor of clean-agent replacements.

● Emergency power shutoff and backup batteries, which must be maintained in operational condition.

● Properly designed, maintained, and operated air-conditioning systems.

● Motion detector alarms that detect physical intrusion.

Another example of physical controls is the need to protect against theft of mobile computers. Such protection is important not only because of the loss of the computer but also because of loss of data; encrypting the disk limits the damage when a device is stolen. Several protection devices are offered by targus.com.

ACCESS CONTROL. Access control is the restriction of unauthorized user access to a portion of a computer system or to the entire system. It is the major defense line against unauthorized insiders as well as outsiders. A user must first be enrolled and granted specific rights (authorization). Then, each time the user attempts to gain access, the system verifies that he or she really is the claimed user (authentication) and checks the request against the rights that were granted.

Access to a computer system basically consists of three steps: (1) physical access to a terminal, (2) access to the system, and (3) access to specific commands, transactions, privileges, programs, and data within the system. Access control software is commercially available for large mainframes, personal computers, local area networks, mobile devices, and dial-in communications networks. Access control to networks is executed through firewalls and will be discussed later.

Access procedures match every valid user with a unique user-identifier (UID). They also provide an authentication method to verify that users requesting access to the computer system are really who they claim to be. A user can be authenticated by one or more of the following factors:

● Something only the user knows, such as a password.

● Something only the user has, for example, a smart card or a token.

● Something only the user is, such as a signature, voice, fingerprint, or retinal (eye) scan. It is implemented via biometric controls, which can be physiological or behavioral (see Alga, 2002) and whose cost has fallen considerably.

Combining factors of different kinds (two-factor authentication) means that a stolen password alone is not enough to gain access.
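The enrolment-then-authentication sequence described above, with two of the three factors combined, as an added example (not code from the textbook): a password is kept only as a salted PBKDF2 hash (something the user knows) and a counter-based one-time code from a hardware token is checked with the HOTP algorithm of RFC 4226 (something the user has). The in-memory user table, the user names, the token secret and the privilege names are assumptions made for illustration.

```python
"""Two-factor access control: something the user knows (a password stored
only as a salted PBKDF2 hash) plus something the user has (an HOTP counter
token, RFC 4226).  Added example, not from the textbook; the in-memory user
table, user names, secrets and privilege names are constructed for
illustration."""
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive a salted hash; the plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AccessControl:
    """Enrolment (granting rights) happens first; every later access attempt
    must be authenticated with both factors before rights are consulted."""

    def __init__(self):
        self.users = {}  # uid -> record (constructed in-memory store)

    def enrol(self, uid: str, password: str, token_secret: bytes, privileges):
        salt, digest = hash_password(password)
        self.users[uid] = {"salt": salt, "hash": digest,
                           "token_secret": token_secret, "counter": 0,
                           "privileges": set(privileges)}

    def authenticate(self, uid: str, password: str, otp: str, look_ahead: int = 3) -> bool:
        rec = self.users.get(uid)
        if rec is None:
            # Unknown user: do the same amount of work so response time does
            # not reveal which user names exist.
            hash_password(password, b"\x00" * 16)
            return False
        _, digest = hash_password(password, rec["salt"])
        pw_ok = hmac.compare_digest(digest, rec["hash"])  # constant-time compare
        # Accept the next few counter values (token presses can be lost).
        used = None
        for c in range(rec["counter"], rec["counter"] + look_ahead):
            if hmac.compare_digest(hotp(rec["token_secret"], c), otp):
                used = c
                break
        if not (pw_ok and used is not None):
            return False
        rec["counter"] = used + 1  # a used code can never be replayed
        return True

    def may(self, uid: str, privilege: str) -> bool:
        """Authorization: is this privilege among the rights granted at enrolment?"""
        rec = self.users.get(uid)
        return rec is not None and privilege in rec["privileges"]
```

The counter is only advanced when both factors succeed, so a wrong password cannot be used to burn through a legitimate user's codes, while a code that has been accepted once is rejected on replay. The HOTP values for the secret `12345678901234567890` match the test vectors published in RFC 4226.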


Biometric Controls. A biometric control is an automated method of verifying the identity of a person, based on physiological or behavioral characteristics. The most common biometrics are the following:

● Photo of face. The computer takes a picture of your face and matches it with a prestored picture. In 2002, this method was reported to identify users correctly except in cases of identical twins; in practice its accuracy depends heavily on lighting, pose, and image quality.

● Fingerprints. Each time a user wants access, matching a fingerprint (finger scan) against a template containing the authorized person’s fingerprint identifies him or her. Note that in 2001 Microsoft introduced a software program, now a part of Windows, that allows users to use Sony’s fingerprint recognition device. Computer manufacturers will start shipping laptops secured by fingerprint-scanning touchpads in 2004. These devices will reject unauthorized access (see synaptics.com).

● Hand geometry. This biometric is similar to fingerprints except that the verifier uses a television-like camera to take a picture of the user’s hand. Certain characteristics of the hand (e.g., finger length and thickness) are electronically compared against the information stored in the computer.

● Iris scan. This technology uses the colored portion of the eye to identify individuals (see iriscan.com). It is a noninvasive system that takes a photo of the eye and analyzes it. It is a very accurate method.

● Retinal scan. A match is attempted between the pattern of the blood vessels in the back-of-the-eye retina that is being scanned and a prestored picture of the retina.

● Voice scan. A match is attempted between the user’s voice and the voice pattern stored on templates.

● Signature. Signatures are matched against the prestored authentic signature. This method can supplement a photo-card ID system.

● Keystroke dynamics. A match of the person’s keyboard pressure and speed against prestored information.

Several other methods, such as facial thermography, exist. Biometric controls are now integrated into many e-commerce hardware and software products (e.g., see keywaretechnologies.com). For an overview and comparison of technologies, see Jain et al. (1999 and 2000) and Alga (2002). Biometric controls do have some limitations: they are not accurate in certain cases (every system trades off false acceptances against false rejections), a compromised biometric template cannot be changed the way a password can, and some people see them as an invasion of privacy (see Caulfield, 2002).

DATA SECURITY CONTROLS. Data security is concerned with protecting data from accidental or intentional disclosure to unauthorized persons, or from unauthorized modification or destruction. Data security functions are implemented through operating systems, security access control programs, database/data communications products, recommended backup/recovery procedures, application programs, and external control procedures. Data security must address the following issues: confidentiality of data, access control, critical nature of data, and integrity of data.

Two basic principles should be reflected in data security.

● Minimal privilege. Only the information a user needs to carry out an assigned task should be made available to him or her.

● Minimal exposure. Once a user gains access to sensitive information, he or she has the responsibility of protecting it by making sure only people whose duties require it obtain knowledge of this information while it is processed, stored, or in transit.

Data integrity is the condition that exists as long as accidental or intentional destruction, alteration, or loss of data does not occur. It is the preservation of data for their intended use. Integrity is checked with mechanisms such as control totals, checksums, and message authentication codes, which reveal whether stored or transmitted data have been altered.

COMMUNICATIONS AND NETWORKS CONTROLS. Network protection is becoming extremely important as the use of the Internet, intranets, and electronic commerce increases. We will discuss this topic in more detail in Section 15.5.

ADMINISTRATIVE CONTROLS. While the previously discussed general controls were technical in nature, administrative controls deal with issuing guidelines and monitoring compliance with the guidelines. Representative examples of such controls are shown in Table 15.6.

OTHER GENERAL CONTROLS. Several other types of controls are considered general. Representative examples include the following:

Programming Controls. Errors in programming may result in costly problems. Causes include the use of incorrect algorithms or programming instructions, carelessness, inadequate testing and configuration management, or lax security. Controls include training, establishing standards for testing and configuration management, and enforcing documentation standards.

Documentation Controls. Manuals are often a source of problems because they are difficult to interpret or may be out of date. Accurate writing, standardization, updating, and testing are examples of appropriate documentation control. The authors suggest that intelligent agents can be used to flag such problems.

System Development Controls. System development controls ensure that a system is developed according to established policies and procedures. Conformity with budget, timing, security measures, and quality and documentation requirements must be maintained.

TABLE 15.6 Representative Administrative Controls

● Appropriately selecting, training, and supervising employees, especially in accounting and information systems
● Fostering company loyalty
● Immediately revoking access privileges of dismissed, resigned, or transferred employees
● Requiring periodic modification of access controls (such as passwords)
● Developing programming and documentation standards (to make auditing easier and to use the standards as guides for employees)
● Insisting on security bonds or malfeasance insurance for key employees
● Instituting separation of duties, namely dividing sensitive computer duties among as many employees as economically feasible in order to decrease the chance of intentional or unintentional damage
● Holding periodic random audits of the system

Application Controls

General controls are intended to protect the computing facilities and provide security for hardware, software, data, and networks regardless of the specific application. However, general controls do not protect the content of each specific application. Therefore, controls are frequently built into the applications (that is, they are part of the software) and are usually written as validation rules. They can be classified into three major categories: input controls, processing controls, and output controls. Multiple types of application controls can be used, and management should decide on the appropriate mix of controls.

INPUT CONTROLS. Input controls are designed to prevent data alteration or loss. Data are checked for accuracy, completeness, and consistency. Input controls are very important; they prevent the GIGO (garbage-in, garbage-out) situation. They are also the application’s first line of defense against hostile input, since a value that has been checked for length, format, and range is much harder to turn into an attack.

Four examples of input controls are:

1. Completeness. Items should be of a specific length (e.g., nine digits for a Social Security number). Addresses should include a street, city, state, and Zip code.

2. Format. Formats should be in standard form. For example, sequences must be preserved (e.g., Zip code comes after an address).

3. Range. Only data within a specified range are acceptable. For example, the age of a person cannot be larger than, say, 120, and hourly wages at the firm do not exceed $50. (A Zip code is better treated as a five-digit format check than as a numeric range: valid codes such as 01001 begin with zero and would be wrongly rejected by a test for values between 10,000 and 99,999.)

4. Consistency. Data collected from two or more sources need to be matched. For example, in medical history data, males cannot be pregnant.
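The four kinds of input control just listed, written as validation rules over a record, as an added example (not code from the textbook). The record layout, the field names and the policy limits (maximum age, maximum hourly wage) are assumptions for illustration, and the two sample records are constructed.

```python
"""Application-level input controls: completeness, format, range and
consistency checks applied to a personnel record before it is accepted.
Added example; field names, limits and sample records are assumptions."""
import re

# Assumed policy limits, mirroring the chapter's examples.
MAX_AGE = 120
MAX_HOURLY_WAGE = 50.0
SSN_RE = re.compile(r"^\d{9}$")
# A ZIP code is a five-digit string; leading zeros are valid (e.g. 01001),
# so this is a format check, not a numeric range check.
ZIP_RE = re.compile(r"^\d{5}$")
REQUIRED_TOP_LEVEL = ("ssn", "sex", "age", "hourly_wage", "address")
REQUIRED_ADDRESS_FIELDS = ("street", "city", "state", "zip")


def validate_record(rec: dict) -> list:
    """Return the list of rule violations; an empty list means the record passes.
    Each rule corresponds to one of the four input-control types in the text."""
    errors = []

    # 1. Completeness: every mandatory item is present.
    for field in REQUIRED_TOP_LEVEL:
        if rec.get(field) in (None, ""):
            errors.append(f"completeness: missing {field}")
    if errors:
        return errors  # the remaining rules assume these fields exist
    for field in REQUIRED_ADDRESS_FIELDS:
        if not rec["address"].get(field):
            errors.append(f"completeness: address lacks {field}")

    # 2. Format: items are in standard form.
    if not SSN_RE.match(str(rec["ssn"])):
        errors.append("format: SSN must be exactly nine digits")
    if not ZIP_RE.match(str(rec["address"].get("zip", ""))):
        errors.append("format: ZIP must be exactly five digits")

    # 3. Range: values fall inside the policy limits.
    if not 0 <= rec["age"] <= MAX_AGE:
        errors.append(f"range: age {rec['age']} outside 0..{MAX_AGE}")
    if not 0 < rec["hourly_wage"] <= MAX_HOURLY_WAGE:
        errors.append(f"range: hourly wage {rec['hourly_wage']} exceeds {MAX_HOURLY_WAGE}")

    # 4. Consistency: cross-field rule taken from the chapter's medical example.
    if rec.get("pregnant") and rec["sex"] == "M":
        errors.append("consistency: male record marked pregnant")
    return errors


# Constructed sample records: one that passes, one that breaks every rule type.
GOOD_RECORD = {
    "ssn": "123456789", "sex": "F", "age": 34, "hourly_wage": 27.5,
    "address": {"street": "1 Main St", "city": "Agawam", "state": "MA", "zip": "01001"},
}
BAD_RECORD = {
    "ssn": "12345678", "sex": "M", "age": 130, "hourly_wage": 75.0, "pregnant": True,
    "address": {"street": "2 Main St", "city": "Albany", "state": "NY"},
}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, validate_record(rec))
```

Completeness is checked first and short-circuits, because a format or range rule applied to a missing field would only produce a confusing second error for the same defect; the bad record therefore reports one error per remaining rule type rather than a cascade.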

PROCESSING CONTROLS. Processing controls ensure that data are complete, valid, and accurate when being processed and that programs have been properly executed. Typical examples are run-to-run control totals, checks that the correct version of a program was run against the correct file, and exception reports for records that fail a rule. Processing controls also allow only authorized users to run certain programs or use certain facilities and monitor the computer’s use by individuals.

OUTPUT CONTROLS. Output controls ensure that the results of computer processing are accurate, valid, complete, and consistent. By studying the nature of common output errors and the causes of such errors, security and audit staff can evaluate possible controls to deal with problems. Also, output controls ensure that outputs are sent only to authorized personnel.


15.5 SECURING THE WEB, INTRANETS, AND WIRELESS NETWORKS

Some of the incidents described in Section 15.3 point to the vulnerability of the Internet and Web sites (see Sivasailam et al., 2002). As a matter of fact, the more networked the world becomes, the more security problems we may have. Security is a race between “lock makers” and “lock pickers.” Unless the lock makers have the upper hand, the future of the Internet’s credibility and of e-business is in danger.

Over the Internet, a message travels from one computer to another across many intermediate networks and routers that neither the sender nor the receiver controls. This makes the traffic difficult to protect: at many points along the path someone can observe or alter it, and the users may never know that a breach has occurred, which is why sensitive traffic is encrypted end to end rather than entrusted to the network. For a list of techniques attackers can use to compromise Web applications, in addition to what was described in Section 15.3, see Table 15.7. The sections that follow cover the major security measures of the Internet. Security issues regarding e-business are discussed in Chapters 5 and 6.
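SQL injection, the first technique in Table 15.7, shown as an added example that is not from the textbook: the same login query built by string concatenation (which lets the input rewrite the query) and with a parameterized query (which keeps the input as data). The in-memory SQLite table and the credentials are constructed for illustration; the password is stored in clear only to keep the example short, a real system stores a salted hash.

```python
"""SQL injection (Table 15.7) against a constructed SQLite login table:
a vulnerable query built from the user's input, and the parameterised
version that is immune to the same payload.  Added example, not from the
textbook; the table contents are made up."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database with one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # clear text only for the demo
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    # The user's input becomes part of the SQL text, so a quote character
    # in it ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT count(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    # Placeholders: the driver sends the values separately from the query
    # text, so quotes in the input cannot change the query's structure.
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


PAYLOAD = "' OR '1'='1"  # classic tautology: makes the WHERE clause always true


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, real password :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, payload       :", login_vulnerable(db, "nobody", PAYLOAD))
    print("safe, real password       :", login_safe(db, "alice", "s3cret"))
    print("safe, payload             :", login_safe(db, "nobody", PAYLOAD))
```

With the payload the vulnerable query becomes `... WHERE name = 'nobody' AND pw = '' OR '1'='1'`, which matches every row; the parameterized query looks for a user whose password is literally the payload string and finds none. The same rule covers the related entries in the table (parameter tampering, hidden field manipulation): treat every value that crosses the trust boundary as data, never as part of a command.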

TABLE 15.7 Attacking Web Applications

Category: Description
● SQL injection: Passing SQL code into an application that was not intended to receive it
● Parameter tampering: Manipulating URL strings to retrieve information
● Cookie poisoning: Altering the content of a cookie
● Hidden manipulation: Changing hidden field values
● Backdoor and debug options: Executing debug syntax on URLs
● Buffer overflow: Sending large numbers of characters to a Web site form/field
● Stealth commanding: Attempting to inject Trojan horses in form submissions and run malicious or unauthorized code on the Web server
● Third-party misconfiguration: Attempting to find programming errors and exploit them to attack system vulnerabilities
● Known vulnerability: Exploiting all publicly known vulnerabilities
● Cross-site scripting: Injecting script into a Web page so that it executes in other users’ browsers
● Forceful browsing: Attempting to browse known/default directories that can be used in constructing an attack

Source: Modified from Stasiak (2002), Table 2.

McConnell (2002) divides Internet security measures into three layers: border security (access), authentication, and authorization. Details of these layers are shown in Figure 15.5. Several of these are discussed in some detail in the remainder of this chapter. Some commercial products include security measures for all three layers in one product (e.g., WebShield from McAfee, and Firewall/VPN Appliance from Symantec).

FIGURE 15.5 Three layers of Internet security measures. (Source: McConnell, 2002.)
1st layer, Border security (network layer security): virus scanning; firewalls; intrusion detection; virtual private networking; denial-of-service protection.
2nd layer, Authentication (proof of identity): username/password; password synchronization; public key; tokens; biometrics; single sign-on.
3rd layer, Authorization (permissions based on identity): user/group permissions; enterprise directories; enterprise user administration; rules-based access control.

Many security methods and products are available to protect the Web. We briefly describe the major ones in the following sections.

Border Security

The major objective of border security is access control, as seen in Figure 15.5. Several tools are available. First we consider firewalls.

FIREWALLS. Hacking is a growing phenomenon. Even the Pentagon’s system, considered a very secure system, experiences more than 250,000 hacker infiltrations per year, many of which are undetected (Los Angeles Times, 1998). It is believed that hacking costs U.S. industry several billion dollars each year. Hacking is such a popular activity that over 80,000 Web sites are dedicated to it. Firewalls are among the most cost-effective defenses against network-borne attacks, though they address only what crosses the network boundary (see Fadia, 2002).

A firewall is a system, or group of systems, that enforces an access-control policy between two networks. It is commonly used as a barrier between the secure corporate intranet, or other internal networks, and the Internet, which is assumed to be unsecured.

Firewalls are used to implement access-control policies. The firewall follows strict rules that either permit or block traffic; therefore, a successful firewall is designed with clear and specific rules about what can pass through, evaluated in order, with everything not explicitly permitted denied by default. Several firewalls may exist in one information system.

Firewalls are also used to create a screened subnet, or demilitarized zone (DMZ), a separate network segment that holds the public-facing servers. Visitors are blocked from entering the company’s internal networks, but on the DMZ they can obtain information about products and services, download files and bug fixes, and so forth. Useful as they are, firewalls do not stop viruses that may be lurking in networks. A packet-filtering firewall examines addresses, protocols, and ports rather than content, so viruses can pass through, usually hidden in an e-mail attachment.
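A minimal stateless packet filter that enforces the kind of policy just described (ordered permit/deny rules, a DMZ for public servers, and default deny for everything else), as an added example rather than code from the textbook or from any firewall product. The network ranges, host addresses and the four-rule policy are assumptions for illustration; the DMZ and Internet addresses are taken from the documentation ranges reserved for examples.

```python
"""A minimal stateless packet filter with an ordered rule set and a
default-deny policy, separating the Internet, a DMZ and the intranet.
Added example; the networks, addresses and rules are assumptions."""
import ipaddress
from dataclasses import dataclass

INTERNET = ipaddress.ip_network("0.0.0.0/0")       # anything (matches last by design)
DMZ = ipaddress.ip_network("192.0.2.0/24")          # public Web servers (assumed range)
INTRANET = ipaddress.ip_network("10.0.0.0/8")       # corporate network (assumed range)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"
    dport: int = 0                   # 0 means any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("any", p.proto)
                and self.dport in (0, p.dport))


# Ordered policy: the first matching rule decides.  The broad deny comes
# first so that no later permit can accidentally expose the intranet.
POLICY = [
    Rule("deny", INTERNET, INTRANET),               # nothing from outside reaches the intranet
    Rule("permit", INTERNET, DMZ, "tcp", 443),      # public HTTPS to the DMZ Web server only
    Rule("permit", INTRANET, DMZ, "tcp", 22),       # administrators manage DMZ hosts from inside
    Rule("permit", INTRANET, INTERNET, "tcp", 443), # outbound browsing from the intranet
]


def filter_packet(p: Packet, policy=POLICY) -> str:
    """Return 'permit' or 'deny' for one packet under the ordered policy."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"   # default deny: only explicitly listed traffic may pass


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # Internet -> DMZ HTTPS
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # Internet -> DMZ SSH
        Packet("203.0.113.5", "10.0.0.5", "tcp", 443),     # Internet -> intranet
        Packet("10.1.1.1", "192.0.2.10", "tcp", 22),       # intranet -> DMZ SSH
    ]
    for pkt in samples:
        print(pkt, "->", filter_packet(pkt))
```

The DMZ host is reachable from the Internet on port 443 and nothing else, the intranet is unreachable from outside regardless of port, and traffic the policy never mentions (an outbound UDP query, for instance) is dropped rather than allowed through. Swapping the order of the first two rules would not change these answers, but putting a broad "permit Internet to anywhere" rule ahead of the deny would silently expose the intranet, which is why rule order is part of the policy.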

VIRUS CONTROLS. Many viruses exist (about 100,000 known in 2003) and the number is growing by 30 percent a year according to the International Computer Security Association (reported by statonline, 2003). So the question is, What can organizations do to protect themselves against viruses? Some solutions against virus penetrations are provided in Zenkin (2001) and in Table 15.8. The most common solution is to use antivirus software (e.g., from symantec.com). However, signature-based antivirus software provides protection against viruses only after they have attacked someone and their properties are known. New viruses are difficult to detect in their first attack, which is why heuristic and behavior-based scanning is used to supplement signatures.

The best protection against viruses is to have a comprehensive plan such as shown in A Closer Look 15.3.

TABLE 15.8 Protecting Against Viruses

Possible Mode of Entrance: Viruses pass through firewalls undetected (from the Internet).
Countermeasure: User must screen all downloaded programs and documents before use.

Possible Mode of Entrance: Virus may be resident on networked server; all users are at risk.
Countermeasure: Run virus scan daily; comprehensive backup to restore data; audit trail.

Possible Mode of Entrance: Infected floppy; local server system at risk; files shared or put on server can spread virus.
Countermeasure: Use virus checker to screen floppies locally.

Possible Mode of Entrance: Mobile or remote users exchange or update large amounts of data; risk of infection is greater.
Countermeasure: Scan files before upload or after download; make frequent backups.

Possible Mode of Entrance: Virus already detected.
Countermeasure: Use a clean starter disk or recovery disk.

Source: Compiled from Nance (1996, updated 2003), p. 171.

INTRUSION DETECTING. Because protection against denial of service (see the opening vignette) is difficult, the sooner one can detect an unusual activity, the better. Therefore, it is worthwhile to place an intrusion detecting device near the entrance point of the Internet to the intranet (close to a firewall). The objective is early detection, and this can be done by several devices (e.g., BladeRunner from Raytheon, Praesidium from HP, Caddx from Caddx Controls, and IDS from Cisco). Intrusion detecting is done by different tools, such as statistical analysis or neural networks. Biermann et al. (2001) provide a comparison of 10 different methods and discuss which methods are better at detecting different types of intrusions.
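The statistical approach mentioned above, as an added example that is not from the chapter or from any of the products it lists: a detector learns the normal number of blocked connections per source in one observation window from a baseline, then flags sources whose count in the current window lies more than a chosen number of standard deviations above that mean. The log line format, the baseline counts and the sample lines are all constructed for this illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed log format of a perimeter device (constructed; not a real product's format):
#   <timestamp> src=<ip> dst=<ip> dport=<port> action=<permit|block>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def profile(records: Iterable[Optional[dict]]) -> Dict[str, dict]:
    """Per-source count of blocked connections and set of distinct destination ports."""
    stats = defaultdict(lambda: {"blocked": 0, "ports": set()})
    for r in records:
        if r and r["action"] == "block":
            stats[r["src"]]["blocked"] += 1
            stats[r["src"]]["ports"].add(r["dport"])
    return stats


def detect(lines: List[str], baseline: List[int], threshold: float = 3.0) -> Dict[str, Tuple[int, float, int]]:
    """Flag sources whose blocked-connection count in this window sits more than
    `threshold` standard deviations above the baseline mean.
    Returns {source: (blocked_count, z_score, distinct_ports)} for flagged sources only."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        sigma = 1.0  # degenerate (constant) baseline: avoid division by zero
    flagged = {}
    for src, s in profile(map(parse_line, lines)).items():
        z = (s["blocked"] - mu) / sigma
        if z > threshold:
            flagged[src] = (s["blocked"], round(z, 2), len(s["ports"]))
    return flagged


# Constructed baseline: blocked connections per source per one-minute window on quiet days.
BASELINE = [3, 4, 2, 5, 3, 4, 3, 2, 4, 3]

# Constructed current window: one ordinary source and one source probing many ports.
SAMPLE_LOG = [
    "2003-10-16T17:25:01 src=198.51.100.7 dst=192.0.2.10 dport=80 action=permit",
    "2003-10-16T17:25:02 src=198.51.100.7 dst=10.0.0.5 dport=445 action=block",
    "2003-10-16T17:25:09 src=198.51.100.7 dst=10.0.0.5 dport=139 action=block",
    "2003-10-16T17:25:30 src=198.51.100.7 dst=10.0.0.9 dport=22 action=block",
    "2003-10-16T17:25:44 src=198.51.100.7 dst=10.0.0.9 dport=23 action=block",
    "garbage line that should be ignored",
] + [
    f"2003-10-16T17:25:{i % 60:02d} src=203.0.113.5 dst=10.0.0.{i % 4 + 1} dport={1000 + i} action=block"
    for i in range(40)
]

if __name__ == "__main__":
    for src, (count, z, ports) in detect(SAMPLE_LOG, BASELINE).items():
        print(f"ALERT {src}: {count} blocked connections (z={z}), {ports} distinct ports")
```

The threshold is the tuning knob: too low and ordinary bursts page the operator, too high and a slow probe stays under the radar, which is why the chapter's sources compare several methods rather than naming one as best.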

PROTECTING AGAINST DENIAL OF SERVICE ATTACKS. After the February 6, 2000, DOS attack, the industry started to find solutions. A special task force of experts was formed at the Internet Engineering Task Force (IETF); it included vendors and companies that were attacked. The IETF group developed procedures on what to do in the event of such attack. One approach suggested was tracking the attacker in real time (e.g., by tracking the flow of data packets through the Net).

A CLOSER LOOK 15.3 HOW TO MINIMIZE THE DAMAGE FROM VIRUSES

To minimize the damage from viruses, take the following preventive actions:

1. Install a good antivirus program. These are also known as gateway virus scanners (e.g., Norton AntiVirus, McAfee VirusScan).

2. Scan the hard drive for viruses at least weekly.

3. Write-protect your floppy disks and scan them before using them.

4. Write-protect your program disks.

5. Back up data fully and frequently.

6. Don’t trust outside PCs.

7. Virus scan before “laplinking” or synchronizing files.

8. Develop an antivirus policy.

9. Identify the areas of risk in case of virus attack. These are:

a. Direct losses (e.g., time spent to restore systems)
b. Losses your customers and suppliers suffer when your system is down
c. Losses to a third party to which your company had passed on a virus, possibly due to your employees’ negligence

10. Minimize losses by the following measures:

a. Install strict employees’ guidelines dealing with e-mail viruses.
b. Use a service provider to handle virus detection and control. This way you get the latest technology, make it more difficult for insiders to perform crimes, and may transfer the risk to the service provider.
c. Have contracts that will protect you from a legal action by your customers/suppliers who suffer damage when your systems are damaged (called a “force majeure” clause).
d. Instruct your employees on how to scan all outgoing e-mails to your business partners.

11. The SANS Institute (sans.org) is an IT cooperative research and education organization for system administrators and security professionals; it has more than 96,000 members. SANS recommends the following guidelines for action during virus attacks:

a. Preparation. Establish policy, design a form to be filed when a virus is suspected (or known), and develop outside relationships.
b. Identification. Collect evidence of attack, analyze it, notify officials (e.g., at cert.org).
c. Containment. Back up the system to capture evidence, change passwords, determine the risk of continuing operations.
d. Eradication. Determine and remove the cause, and improve the defense.
e. Recovery. Restore and validate the system.
f. Follow up. Write a follow-up report detailing lessons learned.

12. Get information and sometimes free software at the following sites: Antivirus.com, cert.org, pgp.com, symantec.com, ncsa.com, rsa.com, mcafee.com, iss.net, tis.com.

Automated Attack Traceback. Investigation to find attackers can be done manually, or can be automated. Attack traceback refers to a system that would identify the person responsible for a virus, DOS, or other attacks. For example, it would identify the computer host that is the source of the attack. Attackers usually try to hide their identity. The automatic traceback attempts to circumvent the methods used by attackers (such as zombies, discussed earlier). According to Lee and Shields (2002), however, the use of automatic attack traceback programs may raise legal issues (e.g., what data you can legally track).

VIRTUAL PRIVATE NETWORKING (VPN). The last major method of border security is a Virtual Private Network (VPN). A VPN uses the Internet to carry information within a company that has multiple sites and among known business partners, but it increases the security of the Internet by using a combination of encryption, authentication, and access control. It replaces the traditional private leased line and/or remote access server (RAS) that provide direct communication to a company’s LAN (see Technology Guide 4). According to Prometheum Technologies (2003), costs can be reduced by up to 50 percent by using the VPN, which can also be used by remote workers (here the savings can reach 60–80 percent). Confidentiality and integrity are assured by the use of protocol tunneling for the encryption (McKinley, 2003). For further details on VPNs, see Garfinkel (2002), Fadia (2002), and McKinley (2003).

Authentication

As applied to the Internet, an authentication system guards against unauthorized dial-in attempts. Many companies use an access protection strategy that requires authorized users to dial in with a preassigned personal identification number (PIN). This strategy is usually enhanced by a unique and frequently changing password. A communications access control system authenticates the user’s PIN and password. Some security systems proceed one step further, accepting calls only from designated telephone numbers. Access controls also include biometrics.

HOW AUTHENTICATION WORKS. The major objective of authentication is the proof of identity (see Figure 15.5). The attempt here is to identify the legitimate user and determine the action he/she is allowed to perform, and also to find those posing as others. Such programs also can be combined with authorization, to limit the actions of people to what they are authorized to do with the computer once their identification has been authenticated.

Authentication systems have five key elements (Smith, 2002): (1) a person (or a group) to be authenticated; (2) a distinguishing characteristic that differentiates the person (group) from others; (3) a proprietor responsible for the system being used; (4) an authentication mechanism; and (5) an access control mechanism for limiting the actions that can be performed by the authenticated person (group).

A stronger system is two-factor authentication, which combines something one knows (password, answer to a query) with something one has (tokens, biometrics). An access card is an example of a passive token, carried to enter into certain rooms or to gain access to a network. Active tokens are electronic devices that can generate a one-time password after being activated with a PIN. Note that public key systems (PKI, see Chapter 5) include an authentication feature.

Authorization

Authorization refers to permission issued to individuals or groups to do certain activities with a computer, usually based on verified identity. The security system, once it authenticates the user, must make sure that the user operates within his/her authorized activities. This is usually done by monitoring user activities and comparing them to the list of authorized ones.
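To make the two-factor scheme and the authorization step above concrete, here is an added Python example written for this page; it is not code from the chapter or from Smith (2002). The active token generates a one-time password from a shared secret and a counter using the HMAC-based construction of RFC 4226, and only after being unlocked with a PIN; the server checks the password (something known) and the one-time code (something had) before issuing a session, and the authorization check then limits that session to the actions on the user's permitted list. The user name, secret, PIN and permitted-action list are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ActiveToken:
    """Something the user has: generates a fresh code only after activation with a PIN."""

    def __init__(self, secret: bytes, pin: str):
        self._secret = secret
        self._pin = pin
        self._unlocked = False
        self.counter = 0

    def activate(self, pin: str) -> bool:
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def next_code(self) -> str:
        if not self._unlocked:
            raise PermissionError("token not activated")
        code = hotp(self._secret, self.counter)
        self.counter += 1  # every code is used once
        return code


class AuthServer:
    """The proprietor's side: authentication mechanism plus access-control list."""

    def __init__(self, pbkdf2_rounds: int = 50_000):
        self._rounds = pbkdf2_rounds
        self._users: Dict[str, dict] = {}

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self._rounds)

    def enroll(self, name: str, password: str, token_secret: bytes, permitted: Iterable[str]) -> None:
        salt = os.urandom(16)
        self._users[name] = {
            "salt": salt,
            "pw": self._hash(password, salt),   # the password itself is never stored
            "secret": token_secret,
            "counter": 0,                       # next counter value the server expects
            "permitted": frozenset(permitted),
        }

    def authenticate(self, name: str, password: str, code: str, look_ahead: int = 5) -> Optional[dict]:
        """Both factors must check out. Returns a session, or None on any failure."""
        user = self._users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(self._hash(password, user["salt"]), user["pw"]):
            return None
        # Accept a small window of counters in case the token was advanced without a login.
        for candidate in range(user["counter"], user["counter"] + look_ahead):
            if hmac.compare_digest(hotp(user["secret"], candidate), code):
                user["counter"] = candidate + 1  # this code can no longer be replayed
                return {"user": name, "permitted": user["permitted"]}
        return None

    @staticmethod
    def authorize(session: Optional[dict], action: str) -> bool:
        """Authorization: the authenticated user may only do what is on the list."""
        return session is not None and action in session["permitted"]


if __name__ == "__main__":
    secret = b"12345678901234567890"          # constructed shared secret (the RFC 4226 test secret)
    server = AuthServer()
    server.enroll("alice", "correct horse battery", secret, ["read_ledger", "post_entry"])
    token = ActiveToken(secret, pin="4321")
    token.activate("4321")
    session = server.authenticate("alice", "correct horse battery", token.next_code())
    print("logged in:", session is not None)
    print("may read ledger:", AuthServer.authorize(session, "read_ledger"))
    print("may approve payment:", AuthServer.authorize(session, "approve_payment"))
```

Two details carry the security value: comparisons use constant-time `hmac.compare_digest`, and the server advances its counter past any accepted code, so a code captured in transit cannot be presented a second time.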

Other Methods of Protection

Other methods of protecting the Web and intranets include the following.

ENCRYPTION. As discussed in Chapter 5, encryption encodes regular digitized text into unreadable scrambled text or numbers, which are decoded upon receipt. Encryption accomplishes three purposes: (1) identification (helps identify legitimate senders and receivers), (2) control (prevents changing a transaction or message), and (3) privacy (impedes eavesdropping). Encryption is used extensively in e-commerce for protecting payments and for privacy.

A widely accepted encryption algorithm is the Data Encryption Standard (DES), produced by the U.S. National Bureau of Standards. Many software products also are available for encryption. Traffic padding can further enhance encryption. Here a computer generates random data that are intermingled with real data, making it virtually impossible for an intruder to identify the true data.

To ensure secure transactions on the Internet, VeriSign and VISA developed encrypted digital certification systems for credit cards. These systems allow customers to make purchases on the Internet without giving their credit card number. Cardholders create a digital version of their credit card, called virtual credit card (see Chapter 5). VeriSign confirms validity of the buyer’s credit card, and then it issues a certificate to that effect. Even the merchants do not see the credit card number. For further discussion of encryption, see sra.co and verisign.com.

TROUBLESHOOTING. A popular defense of local area networks (LANs) is troubleshooting. For example, a cable tester can find almost any fault that can occur with LAN cabling. Another protection can be provided by protocol analyzers, which allow the user to inspect the contents of information packets as they travel through the network. Recent analyzers use expert systems, which interpret the volume of data collected by the analyzers. Some companies offer integrated LAN troubleshooting (a tester and an intelligent analyzer).

PAYLOAD SECURITY. Payload security involves encryption or other manipulation of data being sent over networks. Payload refers to the contents of messages and communication services among dispersed users. An example of payload security is Pretty Good Privacy (PGP), which permits users to inexpensively create and encrypt a message. (See pgp.com for free software.)


HONEYNETS. Companies can trap hackers by watching what the hackers are doing. These traps are referred to as honeypots; they are traps designed to work like real systems and attract hackers. A network of honeypots is called a honeynet. For details, see Piazza (2001) and honeynet.org.

Securing Your PC

Your PC at home is connected to the Internet and needs to be protected (Luhn and Spanbauer, 2002). Therefore, solutions such as antivirus software (e.g., Norton Antivirus 2002) and a personal firewall are essential. (You can get a free Internet connection firewall with Microsoft Windows or pay $30–$50 for products such as McAfee Firewall.)

If you use a gateway/router at home, you need to protect it as well, if it does not have built-in protection. You need protection against stealthware as well. Stealthware refers to hidden programs that come with free software you download. These programs track your surfing activities, reporting them to a marketing server. Programs such as Pest Control and Spy Blocker can help. Finally, you need an antispam tool (e.g., SpamKiller).

All of the tools just mentioned can be combined in suites (e.g., Internet Security from McAfee or Symantec).

Securing Wireless Networks

Wireless networks are more difficult to protect than wireline ones. While many of the risks of desktop Internet-based commerce will pervade m-commerce, m-commerce itself presents new risks. This topic was discussed in Chapter 6. In addition, lately there is a recognition that malicious code may penetrate wireless networks. Such code has the ability to undermine controls such as authentication and encryption (Ghosh and Swaminatha, 2001, and Biery and Hager, 2001). For a comprehensive commercial suite to protect wireless networks, see MebiusGuard at symbal.com.

SUMMARY. It should be clear from this chapter how important it is for organizations to secure networks. What do organizations actually do? What security technologies are used the most? According to the CSI/FBI report (Richardson, 2003), 99 percent of all companies use anti-virus software, 92 percent use access control, 98 percent use firewalls, 91 percent use physical security, 73 percent use intrusion detection, 69 percent use encrypted files, 58 percent use encrypted login, 47 percent use reusable passwords, and only 11 percent use biometrics. While some measures are commonly used, others, especially new ones such as biometrics, are not yet in regular use.

15.6 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING

Disasters may occur without warning. According to Strassman (1997), the best defense is to be prepared. Therefore, an important element in any security system is the business continuity plan, also known as the disaster recovery plan. Such a plan outlines the process by which businesses should recover from a major disaster. Destruction of all (or most) of the computing facilities can cause significant damage. Therefore, it is difficult for many organizations to obtain insurance for their computers and information systems without showing a satisfactory disaster prevention and recovery plan. It is a simple concept: advance crisis planning can help minimize losses (Gerber and Feldman, 2002). The comprehensiveness of a business recovery plan is shown in Figure 15.6.

Business Continuity Planning

Disaster recovery is the chain of events linking the business continuity plan to protection and to recovery. The following are some key thoughts about the process:

● The purpose of a business continuity plan is to keep the business running after a disaster occurs. Both the ISD and line management should be involved in preparation of the plan. Each function in the business should have a valid recovery capability plan.

● Recovery planning is part of asset protection. Every organization should assign responsibility to management to identify and protect assets within their spheres of functional control.

● Planning should focus first on recovery from a total loss of all capabilities.

● Proof of capability usually involves some kind of what-if analysis that shows that the recovery plan is current (see Lam, 2002).

● All critical applications must be identified and their recovery procedures addressed in the plan.

● The plan should be written so that it will be effective in case of disaster, not just in order to satisfy the auditors.

● The plan should be kept in a safe place; copies should be given to all key managers; or it should be available on the Intranet. The plan should be audited periodically.

For a methodology of how to conduct business continuity planning, see A Closer Look 15.4. Other methodologies can be found in Devargas (1999) and Rothstein (2002).

Disaster recovery planning can be very complex, and it may take several months to complete (see Devargas, 1999). Using special software, the planning job can be expedited.

FIGURE 15.6 Business continuity services managed by IBM. (Source: IBM, Business Continuity and Recovery Services, January 2000, produced in Hong Kong. Courtesy of IBM.)

Total Continuity Program Management: overall project management; crisis management; risk management; industry benchmark.

Business Continuity Program Design: understand business & IT requirements; evaluate current capabilities; develop continuity plan.

IT Recovery Program Design: assess IT capabilities; develop recovery procedures; design solutions.

IT Recovery Program Execution: recovery tasks; testing; other functional exercise of recovery plan & procedure.


Backup Arrangements

One of the most logical ways to deal with loss of data is to back it up. A business continuity plan includes backup arrangements. We all make a copy of all or important files and keep them separately. In addition to backing up data we are interested in quick recovery. Also, as part of business continuity one can back up an entire computer or data center. Let’s look at these two arrangements.

BACKING UP DATA FILES. While everyone knows how important it is to back up data files, many neglect to do so because the process is cumbersome and time consuming. Several programs make this process easier, and some restore data as well (e.g., Ontrack.com provides EasyRecovery and File Repair, 10mega.com provides QuickSync, and Officerecovery.com provides for office recovery). For tips on how to avoid data loss by backing up data files, see Spector (2002). Backup arrangements may also include the use of network attached storage (NAS) and storage area networks (SAN) (see Technology Guide 4 and Hunton, 2002).

A CLOSER LOOK 15.4 HOW TO CONDUCT BUSINESS CONTINUITY PLANNING

There are many suggestions of how to conduct business continuity planning (BCP). Lam (2002) suggests an 8-step cyclical process shown in the figure below. In conducting BCP one should devise a policy which is central to all steps in the process. One also must test the plan on a worst-case scenario, for each potential disaster (e.g., system failure, information hacking, terrorist attack). Disruptions are analyzed from their impact on technology, information, and people.

Finally, it is important to recognize the potential pitfalls of BCP. These include:

● An incomplete BCP (may not cover all aspects).

● An inadequate or ineffective BCP (unable to provide remedy).

● An impractical BCP (e.g., does not have enough time and money).

● Overkill BCP (usually time consuming and costly).

● Uncommunicated BCP (people do not know where to find it, or its details).

● Lacking defined process (not clearly defined, chain of needed events not clear).

● Untested (may look good on paper, but no one knows, since it was never tested).

● Uncoordinated (it is not a team’s work, or the team is not coordinated).

● Out of date (it was good long ago, but what about today?).

● Lacking in recovery thinking (no one thinks from A to Z how to do it).

For details see Lam (2002).

Figure: Business Continuity Plan, the 8-step cyclical process of Lam (2002). Business continuity planning, with the business continuity policy at the center of the cycle: 1 Initiate BCP project; 2 Identify business threat; 3 Conduct risk analysis; 4 Establish business continuity plan; 5 Design business continuity plan; 6 Define business continuity process; 7 Test business continuity plan; 8 Review business continuity plan. Business recovery planning, running alongside the cycle: establish recovery team; design recovery plan; define recovery process; test recovery plan; review recovery plan.
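A backup is only as good as the copy that can actually be restored. As an added example (written for this page; not code from the chapter or from any of the products it names), the following Python records a SHA-256 manifest when a backup set is made and verifies the copy against it before any restore, so a silently corrupted or missing file is caught while the original is still available. The sample files and directories are constructed in a temporary folder.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under `root` (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy the tree and store the manifest beside the copy (not inside it)."""
    shutil.copytree(source, dest)
    manifest = build_manifest(source)
    (dest.parent / f"{dest.name}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify(dest: Path) -> List[str]:
    """Return the relative paths that are missing or altered in the backup copy.
    An empty list means the copy can be restored with confidence."""
    expected = json.loads((dest.parent / f"{dest.name}.manifest.json").read_text())
    actual = build_manifest(dest)
    return sorted(name for name, digest in expected.items() if actual.get(name) != digest)


def demo() -> dict:
    """Constructed scenario: a clean backup passes; a modification and a deletion are caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "q3.csv").write_text("account,amount\n1001,250.00\n")
        (src / "report.txt").write_text("quarterly report, draft 3\n")

        copy = tmp / "backup-2003-10-16"
        manifest = backup(src, copy)
        clean = verify(copy)

        # Simulate media corruption and an accidental deletion on the backup copy.
        (copy / "report.txt").write_text("quarterly report, draft 4\n")
        (copy / "ledger" / "q3.csv").unlink()
        damaged = verify(copy)
        return {"files": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

Keeping the manifest separate from the copied tree matters: if it lived inside the backup, the same failure that damaged the data could damage the record used to detect it.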

BACKING UP COMPUTER CENTERS. As preparation for a major disaster, such as in the 9/11 case, it is often necessary for an organization to have a backup location. External hot-site vendors provide access to a fully configured backup data center.

To appreciate the usefulness of a hot-site arrangement, consider the following example: On the evening of October 17, 1989, when a major earthquake hit San Francisco, Charles Schwab and Company was ready. Within a few minutes, the company’s disaster plan was activated. Programmers, engineers, and backup computer tapes of October 17 transactions were flown on a chartered jet to Carlstadt, New Jersey. There, Comdisco Disaster Recovery Service provided a hot site. The next morning, the company resumed normal operations. Montgomery Securities, on the other hand, had no backup recovery arrangement. On October 18, the day after the quake, the traders had to use telephones rather than computers to execute trades. Montgomery lost revenues of $250,000 to $500,000 in one day.

A less costly alternative arrangement is external cold-site vendors that provide empty office space with special flooring, ventilation, and wiring. In an emergency, the stricken company moves its own (or leased) computers to the site.

One company that did its disaster planning right is Empire Blue Cross and Blue Shield, as explained in IT At Work 15.2.

Physical computer security is an integral part of a total security system. Cray Research, a leading manufacturer of supercomputers (now a subsidiary of Silicon Graphics, Inc.), has incorporated a corporate security plan, under which the corporate computers are automatically monitored and centrally controlled. Graphic displays show both normal status and disturbances. All the controlled devices are represented as icons on floor-plan graphics. These icons can change colors (e.g., green means normal, red signifies a problem). The icons can flash as well. Corrective-action messages are displayed whenever appropriate. The alarm system includes over 1,000 alarms. Operators can be alerted, even at remote locations, in less than one second.

Of special interest is disaster planning for Web-based systems, as shown in an example in Online File W15.7. For some interesting methods of recovery, see the special issue of Computers and Security (2000). Finally, according to Brassil (2003) mobile computing and other innovations are changing the business continuity industry by quickly reaching a large number of people, wherever they are, and by the ability of mobile devices to help in quick restoration of service.

DISASTER AVOIDANCE. Disaster avoidance is an approach oriented toward prevention. The idea is to minimize the chance of avoidable disasters (such as fire or other human-caused threats). For example, many companies use a device called uninterrupted power supply (UPS), which provides power in case of a power outage.


IT At Work 15.2 9/11 DISASTER RECOVERY AT EMPIRE BLUE CROSS/BLUE SHIELD

Empire Blue Cross and Blue Shield provides health insurance coverage for 4.7 million people in the northeastern United States. It is a regional arm of the Blue Cross/Blue Shield Association (bcbs.com). On September 11, 2001, the company occupied an entire floor of the World Trade Center (WTC). Information assets there included the e-business development center as well as the enterprise network of 250 servers and a major Web-enabled call center. Unfortunately, nine employees and two consultants lost their lives in the terrorist attack. But, the company’s operations were not interrupted. Let’s see why.

The company had built redundancy into all its applications and moved much of its business to Internet technology, for connecting workforce, clients, and partners. Forty applications are available on its corporate intranet; Web-enabled call centers handle 50,000 calls each day; and Web-based applications connect the huge system of hospitals and health-care providers. Michael Galvin, chief infrastructure officer of the company, evacuated his 100 employees from the thirtieth floor and tried to contact staff at other locations to initiate the disaster recovery plan. It was well over an hour later when he was finally able to get through jammed communication lines to find out that a quick decision made by a senior server specialist in Albany, NY, had already switched the employee profiles to the Albany location. This action saved the company days of downtime and the need to rebuild the profiles by hand. As employees moved to temporary offices, they were able to log on as if they were sitting at their desks in the WTC.

The disaster recovery protocol, which is shown in the nearby figure, worked without a glitch. Calls to the customer support center in the WTC were rerouted to centers in Albany and Long Island; customers accessing the Web site experienced no interruptions; and 150 servers, 500 laptops, and 500 workstations were ordered within an hour of the attack. In off-facility sites, the main data center was not affected; the backup tapes allowed full restoration of data; the network restructured automatically when the private enterprise network was destroyed; and all necessary information needed at the main off-site data center was rerouted, bypassing the WTC.

Besides building in the redundancy in the system, the company had also been testing different disaster scenarios frequently, making sure everything worked. As a result, the company and the technology were prepared to deal with the disaster. Everything was backed up, so once the servers were rebuilt, all information was available and all applications were functioning within days thanks to a 300-member IT team working around the clock. Three days after the attack, a new VPN was running enabling employees to work at home.

Since that experience, Empire has made even more use of Internet technology to connect the staff that is dispersed among five temporary offices in Manhattan, and does more business by Internet-based videoconferencing, Webcasting, and IP-based phones.

Galvin emphasized that the most important part of this, or any disaster, is the people who act within minutes to get things done without direct guidance of senior management. The new corporate headquarters was opened in May 2003 in Brooklyn, NY.

Source: Compiled from Levin (2002).

For Further Exploration: Explore the usefulness of Internet technology for disaster planning. What is its advantage over older technology? Why are people the most important part when a disaster strikes?

15.7 IMPLEMENTING SECURITY: AUDITING AND RISK ANALYSIS

Implementing controls in an organization can be a very complicated task, particularly in large, decentralized companies where administrative controls may be difficult to enforce. Of the many issues involved in implementing controls, three are described here: auditing information systems, risk analysis, and advanced intelligent systems.

Controls are established to ensure that information systems work properly. Controls can be installed in the original system, or they can be added once a system is in operation. Installing controls is necessary but not sufficient. It is also necessary to answer questions such as the following: Are controls installed as intended? Are they effective? Did any breach of security occur? If so, what actions are required to prevent reoccurrence? These questions need to be answered by independent and unbiased observers. Such observers perform the information system auditing task.

Auditing Information Systems

An audit is an important part of any control system. In an organizational setting, it is usually referred to as a periodical examination and check of financial and accounting records and procedures. Specially trained professionals execute an audit. In the information system environment, auditing can be viewed as an additional layer of controls or safeguards. Auditing is considered as a deterrent to criminal actions (Wells, 2002), especially for insiders.

TYPES OF AUDITORS AND AUDITS. There are two types of auditors (and audits): internal and external. An internal auditor is usually a corporate employee who is not a member of the ISD.

An external auditor is a corporate outsider. This type of auditor reviews the findings of the internal audit and the inputs, processing, and outputs of information systems. The external audit of information systems is frequently a part of the overall external auditing performed by a certified public accounting (CPA) firm.


IT auditing can be very broad, so only its essentials are presented here. Auditing looks at all potential hazards and controls in information systems. It focuses attention on topics such as new systems development, operations and maintenance, data integrity, software application, security and privacy, disaster planning and recovery, purchasing, budgets and expenditures, chargebacks, vendor management, documentation, insurance and bonding, training, cost control, and productivity. Several guidelines are available to assist auditors in their jobs. SAS No. 55 is a comprehensive guide provided by the American Institute of Certified Public Accountants. Also, guidelines are available from the Institute of Internal Auditors, Orlando, Florida. (See Frownfelter-Lohrke and Hunton, 2002, for a discussion of new directions in IT auditing.)

Auditors attempt to answer questions such as these:

Are there sufficient controls in the system? Which areas are not covered by controls?

Which controls are not necessary?

Are the controls implemented properly?

Are the controls effective; that is, do they check the output of the system?

Is there a clear separation of duties of employees?

Are there procedures to ensure compliance with the controls?

Are there procedures to ensure reporting and corrective actions in case of violations of controls?

Other items that IT auditors may check include: the data security policies and plans, the business continuity plan (Von-Roessing, 2002), the availability of a strategic information plan, what the company is doing to ensure compliance with security rules, the responsibilities of IT security, the measurement of success of the organization’s IT security scheme, the existence of a security awareness program, and the security incidents reporting system.

Two types of audits are used to answer these questions. The operational audit determines whether the ISD is working properly. The compliance audit determines whether controls have been implemented properly and are adequate. In addition, auditing is geared specifically to general controls and to application controls (see Sayana, 2002). For details on how auditing is executed, see Online File W15.8.

AUDITING WEB SYSTEMS AND E-COMMERCE. According to Morgan and Wong (1999), auditing a Web site is a good preventive measure to manage the legal risk. Legal risk is important in any IT system, but in Web systems it is even more important due to the content of the site, which may offend people or be in violation of copyright laws or other regulations (e.g., privacy protection). Auditing EC is also more complex since in addition to the Web site one needs to audit order taking, order fulfillment, and all support systems (see Blanco, 2002). For more about IT auditing see Woda (2002).

Risk Management and Cost-Benefit Analysis

It is usually not economical to prepare protection against every possible threat. Therefore, an IT security program must provide a process for assessing threats and deciding which ones to prepare for and which ones to ignore, or provide reduced protection. Installation of control measures is based on a balance between the cost of controls and the need to reduce or eliminate threats. Such analysis is basically a risk-management approach, which helps identify threats and selects cost-effective security measures (see Hiles, 2002).

Major activities in the risk-management process can be applied to existing systems as well as to systems under development. These are summarized in Figure 15.7. A more detailed structure for a strategic risk management plan suggested by Doughty (2002) is provided in Online File W15.9.

RISK-MANAGEMENT ANALYSIS. Risk-management analysis can be enhanced by the use of DSS software packages. A simplified computation is shown here:

Expected loss = P1 × P2 × L

where:

P1 = probability of attack (estimate, based on judgment)
P2 = probability of attack being successful (estimate, based on judgment)
L = loss occurring if attack is successful

Example:

P1 = .02, P2 = .10, L = $1,000,000

Then, expected loss from this particular attack is:

P1 × P2 × L = 0.02 × 0.1 × 1,000,000 = $2,000

The expected loss can then be compared with the cost of preventing it. The value of software programs lies not only in their ability to execute complex computations, but also in their ability to provide a structured, systematic framework for ranking both threats and controls.
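The computation above, together with the ranking of threats and controls that the paragraph describes, can be coded directly. This is an added example, not from the chapter: the threat values are the chapter's own (P1 = .02, P2 = .10, L = $1,000,000), while the candidate controls, their costs and their probabilities of successful defense (Figure 15.7, Step 4) are constructed here, and a control's defense probability is assumed to scale down the expected loss it guards against.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat, described with the chapter's three inputs."""
    name: str
    p_attack: float    # P1: probability that the attack is attempted (judgment estimate)
    p_success: float   # P2: probability that the attack succeeds (judgment estimate)
    loss: float        # L: loss in dollars if the attack succeeds

    def expected_loss(self) -> float:
        """Expected loss = P1 x P2 x L (the chapter's simplified computation)."""
        return self.p_attack * self.p_success * self.loss


@dataclass(frozen=True)
class Control:
    """A candidate control (Figure 15.7, Step 4): its cost and probability of successful defense."""
    name: str
    cost: float        # cost of installing and running the control for the period under review
    p_defense: float   # probability that the control stops an attack that would otherwise succeed

    def residual_loss(self, threat: Threat) -> float:
        """Expected loss remaining after the control: P1 x P2 x (1 - p_defense) x L (assumed model)."""
        return threat.expected_loss() * (1.0 - self.p_defense)

    def net_benefit(self, threat: Threat) -> float:
        """Loss avoided minus cost; a control is worth installing only when this is positive."""
        return threat.expected_loss() - self.residual_loss(threat) - self.cost


def rank_threats(threats):
    """Step 3 output: threats ordered by expected loss, largest first."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def rank_controls(threat, controls):
    """Step 5 output: (control name, net benefit in dollars) for one threat, best first."""
    scored = [(c.name, round(c.net_benefit(threat), 2)) for c in controls]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def controls_to_install(threat, controls):
    """Names of the controls whose benefit exceeds their cost for this threat, best first."""
    return [name for name, benefit in rank_controls(threat, controls) if benefit > 0]


# The chapter's worked example: P1 = .02, P2 = .10, L = $1,000,000 -> expected loss $2,000.
BOOK_EXAMPLE = Threat("chapter example", p_attack=0.02, p_success=0.10, loss=1_000_000)

# Constructed candidate controls (sample values, not from the chapter).
CANDIDATE_CONTROLS = (
    Control("tighten access controls", cost=1_500, p_defense=0.90),     # avoids $1,800, nets +$300
    Control("duplicate the whole system", cost=3_000, p_defense=1.00),  # avoids $2,000 but costs $3,000
    Control("awareness briefing", cost=250, p_defense=0.25),            # avoids $500, nets +$250
)


if __name__ == "__main__":
    print(f"expected loss: ${BOOK_EXAMPLE.expected_loss():,.0f}")
    for name, benefit in rank_controls(BOOK_EXAMPLE, CANDIDATE_CONTROLS):
        print(f"{name:28s} net benefit ${benefit:>10,.2f}")
    print("install:", controls_to_install(BOOK_EXAMPLE, CANDIDATE_CONTROLS))
```

The full-protection control is rejected even though it eliminates the loss, which is the point of the opening sentence of this section: protection against every threat is not economical.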

FIGURE 15.7 The risk-management process.

Step 1. Assessment of Assets

Determine the value and importance of assets such as data, hardware, software, and networks.

Step 2. Vulnerability of Assets

Record weaknesses in the current protection system in view of all potential threats.

Step 3. Loss Analysis

Assess the probability of damage and specify the tangible and intangible losses that may result.

Step 4. Protection Analysis

Provide a description of available controls that should be considered, their probability of successful defense, and costs.

Step 5. Cost–Benefit Analysis

Compare costs and benefits. Consider the likelihood of damage occurring and the successful protection from that damage. Finally, decide on which controls to install.


HOW MUCH TO SECURE? The National Computer Security Center (NCSC) of the Department of Defense published guidelines for security levels. The government uses these guidelines in its requests for bids on jobs where vendors must meet specified levels. The seven levels are shown in Online File W15.10 at the book's Web site. Vendors are required to maintain a certain security level depending on the security needs of the job. The decision of how much to secure can be treated as an insurance issue (see Kolodzinski, 2002, and Gordon et al., 2003).

IT Security in the Twenty-first Century

Computer control and security have recently received increased attention. For example, the story of the "I Love You" bug captured the headlines of most newspapers, TV, and computer portals in May 2000, and other wide-scale viruses since then have received similar media play. Almost 97 percent of the world's major corporations battled computer viruses in 2002. Several important IT-security trends are discussed in this section.

INCREASING THE RELIABILITY OF SYSTEMS. The objective relating to reliability is to use fault tolerance to keep the information systems working, even if some parts fail. Compaq Computer and other PC manufacturers provide a feature that stores data on more than one disk drive at the same time; if one disk fails or is attacked, the data are still available. Several brands of PCs include a built-in battery that is automatically activated in case of power failure.

Some systems today have 10,000 to 20,000 components, each of which can go a million hours without failure, but a combined system may go only 100 hours until it fails. With future systems of 100,000 components, the mathematical odds are that systems will fail every few minutes—clearly, an unacceptable situation. Therefore, it is necessary to improve system reliability.

SELF-HEALING COMPUTERS. As computing systems become more complex, they require higher amounts of human intervention to keep operating. Since the level of complexity is accelerating (e.g., see Grid Computing in Chapter 2), there is an increasing need for self-healing computers. Ideally, recovery can be done instantly if computers can find their problems and correct them themselves, before a system crashes.

According to Van (2003), IBM is engaged in a project known as automatic computing, which aims at making computers more self-sufficient and less fragile. The basic idea is borrowed from the human body and its immune system. IBM's first known self-healing computer is called eLiza; it is attached to a huge supercomputer, called Blue Sky, at the National Center for Atmospheric Research in the United States. For further discussion see Pescovitz (2002).

INTELLIGENT SYSTEMS FOR EARLY INTRUSION DETECTION. Detecting intrusion in its beginning is extremely important, especially for classified information and financial data. Expert systems and neural networks are used for this purpose. For example, intrusion-detecting systems are especially suitable for local area networks and client/server architectures. This approach compares users' activities on a workstation network against historical profiles and analyzes the significance of any discrepancies. The purpose is to detect security violations.

The intrusion-detecting approach is used by several government agencies (e.g., Department of Energy and the U.S. Navy) and large corporations (e.g., Citicorp, Rockwell International, and Tracor). It detects other things as well, for example, compliance with security procedures. People tend to ignore security measures (20,000–40,000 violations were reported each month in a large aerospace company in California). The system detects such violations so that improvements can be made.
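The profile-comparison approach described above (current activity measured against a user's historical profile, with the significance of each discrepancy analyzed) can be shown on a small scale. This is an added example, not from the chapter or any product it names: the per-user daily counts are constructed sample data, and the significance test (a z-score against the user's own mean and standard deviation) is one simple choice, since the chapter does not specify the statistical method.

```python
import statistics
from dataclasses import dataclass

# Per-user daily counts observed over the previous seven working days:
# (logins, files accessed, logins outside permitted hours). Constructed sample
# data for this example, not taken from any real system.
HISTORY = {
    "alice": [(3, 40, 0), (4, 52, 0), (3, 47, 1), (5, 60, 0), (4, 45, 0), (3, 50, 0), (4, 48, 0)],
    "bob":   [(1, 10, 0), (2, 12, 0), (1, 8, 0), (1, 11, 0), (2, 9, 0), (1, 10, 0), (1, 12, 0)],
}

# Constructed counts for the day under review.
TODAY = {
    "alice": (4, 49, 0),   # consistent with her profile
    "bob":   (2, 95, 3),   # far more files than usual, plus three after-hours logins
}

METRICS = ("logins", "files_accessed", "after_hours_logins")

# A metric that never varied historically has a standard deviation of zero. This floor
# keeps the division defined and makes any change to such a metric register as significant
# (e.g. the first after-hours login by someone who never had one).
MIN_STDEV = 0.5


@dataclass(frozen=True)
class Profile:
    """Historical profile of one user: mean and standard deviation per metric."""
    mean: tuple
    stdev: tuple


def build_profile(rows) -> Profile:
    """Summarize a user's history column by column (one column per metric)."""
    columns = list(zip(*rows))
    return Profile(
        mean=tuple(statistics.fmean(col) for col in columns),
        stdev=tuple(max(statistics.pstdev(col), MIN_STDEV) for col in columns),
    )


def discrepancies(profile: Profile, observed, threshold: float = 3.0) -> dict:
    """Metrics whose z-score (distance above the profile mean, in standard deviations) exceeds the threshold."""
    flagged = {}
    for name, mean, stdev, value in zip(METRICS, profile.mean, profile.stdev, observed):
        z = (value - mean) / stdev
        if z > threshold:            # only unusually high activity is of interest here
            flagged[name] = round(z, 2)
    return flagged


def review_day(history=HISTORY, today=TODAY, threshold: float = 3.0) -> dict:
    """Compare each user's current activity with their historical profile; return {user: {metric: z}}."""
    report = {}
    for user, rows in history.items():
        found = discrepancies(build_profile(rows), today[user], threshold)
        if found:
            report[user] = found
    return report


if __name__ == "__main__":
    for user, found in review_day().items():
        print(f"{user}: review needed -> {found}")
```

Only the flagged user and metrics are reported, so an analyst sees what departed from the profile (here the file-access volume and the after-hours logins) rather than the raw counts.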

INTELLIGENT SYSTEMS IN AUDITING AND FRAUD DETECTION. Intelligent systems are used to enhance the task of IS auditing. For example, expert systems evaluate controls and analyze basic computer systems, while neural networks and data mining are used to detect fraud (e.g., see Sheridan, 2002).

ARTIFICIAL INTELLIGENCE IN BIOMETRICS. Expert systems, neural computing, voice recognition, and fuzzy logic can be used to enhance the capabilities of several biometric systems. For example, Fujitsu of Japan developed a computer mouse that can identify users by the veins of their palms, detecting unauthorized users.

EXPERT SYSTEMS FOR DIAGNOSIS, PROGNOSIS, AND DISASTER PLANNING. Expert systems can be used to diagnose troubles in computer systems and to suggest solutions. The user provides the expert system with answers to questions about symptoms. The expert system uses its knowledge base to diagnose the source(s) of the trouble. Once a proper diagnosis is made, the computer provides a restoration suggestion. For example, Exec Express (e-exec.co.uk) sells intranet-based business recovery planning expert systems that are part of a bigger program called Self-Assessment. The program is used to evaluate a corporation's environment for security, procedures, and other risk factors.

SMART CARDS. Smart card technology can be used to protect PCs on LANs. An example is Excel MAR 10 (from MacroArt Technology, Singapore), which offers six safety levels: identification of authorized user, execution of predetermined programs, authentication, encryption of programs and files, encryption of communication, and generation of historical files. This product can also be integrated with a fingerprint facility. The user's smart card is authenticated by the system, using signatures identified with a secret key and the encryption algorithm. Smart cards containing embedded microchips can generate unique passwords (used only once) that confirm a person's identity.

FIGHTING HACKERS. Several products are available for fighting hackers. Secure Networks (snc-net.com) developed a product that is essentially a honeynet, a decoy network within a network. The idea is to lure the hackers into the decoy to find what tools they use and detect them as early as possible.

ETHICAL ISSUES. Implementing security programs raises many ethical issues (see Azari, 2003). First, some people are against any monitoring of individual activities. Imposing certain controls is seen by some as a violation of freedom of speech or other civil rights. Reda (2002) cited a Gartner Group study that showed that even after the terrorist attacks of 9/11/2001, only 26 percent of Americans approved of a national ID database. Using biometrics is considered by many a violation of privacy. Finally, using automated traceback programs, described earlier, may be unethical in some cases or even illegal (Lee and Shields, 2002).

➥ MANAGERIAL ISSUES

1. To whom should the IS department report? This issue is related to the degree of IS decentralization and to the role of the CIO. Having the IS department reporting to a functional area may introduce biases in providing IT priorities to that functional area, which may not be justifiable. Having the ISD report to the CEO is very desirable.

2. Who needs a CIO? This is a critical question that is related to the role of the CIO as a senior executive in the organization. Giving a title without authority can damage the ISD and its operation. Asking the IS director to assume a CIO's responsibility, but not giving the authority and title, can be just as damaging. Any organization that is heavily dependent on IT should have a CIO.

3. End users are friends, not enemies, of the IS department. The relationship between end users and the ISD can be very delicate. In the past, many ISDs were known to be insensitive to end-user needs. This created a strong desire for end-user independence, which can be both expensive and ineffective. Successful companies develop a climate of cooperation and friendship between the two parties.

4. Ethical issues. The reporting relationship of the ISD can result in some unethical behavior. For example, if the ISD reports to the finance department, the finance department will have access to information about individuals or other departments that could be misused.

5. Responsibilities for security should be assigned in all areas. The more organizations use the Internet, extranets, and intranets, the greater are the security issues. It is important to make sure that employees know who is responsible and accountable for what information and that they understand the need for security control. The vast majority of information resources is in the hands of end users. Therefore, functional managers must understand and practice IT security management and other proper asset management tasks.

6. Security awareness programs are important for any organization, especially if it is heavily dependent on IT. Such programs should be corporatewide and supported by senior executives. In addition, monitoring security measures and ensuring compliance with administrative controls are essential to the success of any security plan. For many people, following administrative controls means additional work, which they prefer not to do.

7. Auditing information systems should be institutionalized into the organizational culture. Organizations should audit IS not because the insurance company may ask for it, but because it can save considerable amounts of money. On the other hand, overauditing is not cost-effective.

8. Multinational corporations. Organizing the ISD in a multinational corporation is a complex issue. Some organizations prefer a complete decentralization, having an ISD in each country or even several ISDs in one country. Others keep a minimum of centralized staff. Some companies prefer a highly centralized structure. Legal issues, government constraints, and the size of the IS staff are some factors that determine the degree of decentralization.


ON THE WEB SITE… Additional resources, including quizzes; online files of additional text, tables, figures, and cases; and frequently updated Web links to current articles and information can be found on the book's Web site (wiley.com/college/turban).

KEY TERMS

Application controls
Attack traceback
Audit
Authorization
Biometric control
Business continuity plan
Chief information officer (CIO)
Cracker
Cybercrime
Cyberwar
Data integrity
Data tampering
Denial of service (DoS)
Distributed denial of service (DDoS)
Disaster avoidance
Disaster recovery
Encryption
Exposure
Fault tolerance
Firewall
General controls
Hacker
Honeynets
Honeypots
Identity theft
Information center (IC)
Information resources management (IRM)
IT governance
Programming attack
Risk management
Self-healing computers
Service-level agreement (SLA)
Social engineering
Steering committee
Stealthware
Virus
Vulnerability
Zombies

CHAPTER HIGHLIGHTS (Numbers Refer to Learning Objectives)

● Information resources scattered throughout the organization are vulnerable to attacks, and therefore are difficult to manage.

● The responsibility for IRM is divided between the ISD and end users. They must work together.

● Steering committees, information centers, and service-level agreements can reduce conflicts between the ISD and end users.

● ISD reporting locations can vary, but a preferred location is to report directly to senior management.

● The chief information officer (CIO) is a corporate-level position demonstrating the importance and changing role of IT in organizations.

● Data, software, hardware, and networks can be threatened by many internal and external hazards.

● An attack on an information system can be caused either accidentally or intentionally.

● There are many potential computer crimes; some resemble conventional crimes (embezzlement, vandalism, fraud, theft, trespassing, and joyriding).

● Computer criminals are driven by economic, ideological, egocentric, or psychological factors. Most of the criminals are insiders, but outsiders (such as hackers, crackers, and spies) can cause major damage as well.

● A virus is a computer program hidden within a regular program that instructs the regular program to change or destroy data and/or programs. Viruses spread very quickly along networks worldwide.

● Information systems are protected with controls such as security procedures, physical guards, or detecting software. These are used for prevention, deterrence, detection, recovery, and correction of information systems.

● General controls include physical security, access controls, data security controls, communications (network) controls, and administrative controls.

● Biometric controls are used to identify users by checking physical characteristics of the user (e.g., fingerprints and retinal prints).

● Application controls are usually built into the software. They protect the data during input, processing, or output.

● Encrypting information is a useful method for protecting transmitted data.

● The Internet is not protected; therefore anything that comes from the Internet can be hazardous.

● Firewalls protect intranets and internal systems from hackers, but not from viruses.

● Access control, authentication, and authorization are the backbone of network security.

● Disaster recovery planning is an integral part of effective control and security management.

● Business continuity planning includes backup of data and computers and a plan for what to do when disaster strikes.

● It is extremely difficult and expensive to protect against all possible threats to IT systems. Therefore, it is necessary to use cost-benefit analysis to decide how many and which controls to adopt.

● A detailed internal and external IT audit may involve hundreds of issues and can be supported by both software and checklists.

QUESTIONS FOR REVIEW

1. What are possible reporting locations for the ISD?

2. Why has the ISD historically reported to finance or accounting departments?

3. List the mechanisms for ISD–end-user cooperation.

4. Summarize the new role of the CIO.

5. List Rockart's eight imperatives.

6. What is a steering committee?

7. Define SLAs and discuss the roles they play.

8. What are the services to end users that are usually provided by an information (help) center?

9. Define controls, threats, vulnerability, and backup.

10. What is a computer crime?

11. List the four major categories of computer crimes.

12. What is a cybercrime?

13. What is the difference between hackers and crackers?

14. Explain a virus and a Trojan horse.

15. Explain a corporatewide security system.

16. Define controls.

17. Describe prevention, deterrence, detection, recovery, and correction.

18. Define biometrics; list five of them.

19. Distinguish between general controls and application controls.

20. What is the difference between authorized and authenticated users?

21. Explain DoS and how to defend against it.

22. How do you protect against viruses?

23. Define firewall. What is it used for?

24. Explain encryption.

25. Define a business continuity plan.

26. Define and describe a disaster recovery plan.

27. What are "hot" and "cold" recovery sites?

28. Describe auditing of information systems.

29. List and briefly describe the steps involved in risk analysis of controls.

QUESTIONS FOR DISCUSSION

1. What is a desirable location for the ISD to report to, and why?

2. What information resources are usually controlled by the ISD, and why?

3. Discuss the new role of the CIO and the implications of this role to management.

4. Why should information control and security be a prime concern to management?

5. Compare the computer security situation with that of insuring a house.

6. Explain what firewalls protect and what they do not protect. Why?

7. What is the purpose of biometrics? Why are they popular?

8. Describe how IS auditing works and how it is related to traditional accounting and financial auditing.

9. Why are authentication and authorization important in e-commerce?

10. Some insurance companies will not insure a business unless the firm has a computer disaster recovery plan. Explain why.

11. Explain why risk management should involve the following elements: threats, exposure associated with each threat, risk of each threat occurring, cost of controls, and assessment of their effectiveness.

12. Some people have recently suggested using viruses and similar programs in wars between countries. What is the logic of such a proposal? How could it be implemented?

13. How important is it for a CIO to have an extensive knowledge of the business?

14. Why is it necessary to use SLAs with vendors? What are some of the potential problems in such situations?

15. Compare TQM to a corporatewide security plan. What is similar? What is different?

16. Why do intelligent systems play an increasing role in securing IT?

17. Why is cross-border cybercrime expanding rapidly? Discuss some possible solutions.

18. Discuss the relationships between grid computing and self-healing computers.

EXERCISES

1. Examine Online File W15.4. Read some new material on the CIO and add any new roles you find in your reading. Which of the roles in the table seem to have gained importance and which seem to have lost importance?

2. Assume that the daily probability of a major earthquake in Los Angeles is .07%. The chance of your computer center being damaged during such a quake is 5%. If the center is damaged, the average estimated damage will be $1.6 million.

a. Calculate the expected loss (in dollars).

b. An insurance agent is willing to insure your facility for an annual fee of $15,000. Analyze the offer, and discuss it.

3. The theft of laptop computers at conventions, hotels, and airports is becoming a major problem. These categories of protection exist: physical devices (e.g., targus.com), encryption (e.g., networkassociates.com), and security policies (e.g., at ebay.com). Find more information on the problem and on the solutions. Summarize the advantages and limitations of each method.

4. Expert systems can be used to analyze the profiles of computer users. Such analysis may enable better intrusion detection. Should an employer notify employees that their usage of computers is being monitored by an expert system? Why or why not?

5. Ms. M. Hsieh worked as a customer support representative for the Wollongong Group, a small software company (Palo Alto, California). She was fired in late 1987. In early 1988, Wollongong discovered that someone was logging onto its computers at night via a modem and had altered and copied files. During investigation, the police traced the calls to Ms. Hsieh's home and found copies there of proprietary information valued at several million dollars. It is interesting to note that Ms. Hsieh's access code was canceled the day she was terminated. However, the company suspects that Ms. Hsieh obtained the access code of another employee. (Source: Based on BusinessWeek, August 1, 1988, p. 67.)

a. How was the crime committed? Why were the controls ineffective? (State any relevant assumptions.)

b. What can Wollongong, or any company, do in order to prevent similar incidents in the future?

6. Guarding against a distributed denial of service attack is not simple. Examine the major tools and approaches available. Start by downloading software from nipc.gov. Also visit cert.org, sans.org, and ciac.llnl.gov. Write a report summarizing your findings.

7. Twenty-five thousand messages arrive at an organization each year. Currently there are no firewalls. On the average there are 1.2 successful hackings each year. Each successful hacking results in loss to the company of about $130,000.

A major firewall is proposed at a cost of $66,000 and a maintenance cost of $5,000. The estimated useful life is 3 years. The chance that an intruder will break through the firewall is 0.0002. In such a case, the damage will be $100,000 (30%) or $200,000 (50%), or no damage. There is annual maintenance cost of $20,000 for the firewall.

a. Should management buy the firewall?

b. An improved firewall that is 99.9988 percent effective costs $84,000, with a life of 3 years and annual maintenance cost of $16,000, is available. Should this one be purchased instead of the first one?

8. In spring 2000 the U.S. government developed an internal intrusion detection network (fidnet.gov) to protect itself from hackers. The Center for Democracy and Technology (cdt.org) objected, claiming invasion of privacy. Research the status of the project (FIDNet) and discuss the claims of the center.

GROUP ASSIGNMENTS

1. With the class divided into groups, have each group visit an IS department. Then present the following in class: an organizational chart of the department; a discussion on the department's CIO (director) and her or his reporting status; information on a steering committee (composition, duties); information on any SLAs the department has; and a report on the extent of IT decentralization in the company.

2. Each group is to be divided into two parts. The first part will interview students and business people and record the experiences they have had with computer security problems. The second part of each group will visit a computer store (and/or read the literature or use the Internet) to find out what software is available to fight different computer security problems. Then, each group will prepare a presentation in which they describe the problems and identify which of the problems could have been prevented with the use of commercially available software.

3. Create groups to investigate the latest developments in IT and e-commerce security. Check journals such as CIO.com (available free online), vendors, and search engines such as techdata.com and google.com.

4. Research the Melissa attack in 1999. Explain how the virus works and what damage it causes. Examine Microsoft's attempts to prevent similar future attacks. Investigate similarities between the 2003 viruses (Slammer, Bugbear, etc.) and earlier ones (e.g., "I Love You" and Melissa). What preventive methods are offered by security vendors?

INTERNET EXERCISES

1. Explore some job-searching Web sites (such as brassring.com and headhunter.com), and identify job openings for CIOs. Examine the job requirements and the salary range. Also visit google.com and cio.com, and find some information regarding CIOs, their roles, salaries, and so forth. Report your findings.

2. Enter scambusters.org. Find out what the organization does. Learn about e-mail scams and Web site scams. Report your findings.

3. Access the site of comdisco.com. Locate and describe the latest disaster recovery services.

4. Enter epic.org/privacy/tools.html, and examine the following groups of tools: Web encryption, disk encryption, and PC firewalls. Explain how these tools can be used to facilitate the security of your PC.

5. Access the Web sites of the major antivirus vendors (symantec.com, mcafee.com, and antivirus.com). Find out what the vendors' research centers are doing. Also download VirusScan from McAfee and scan your hard drive with it.

6. Many newsgroups are related to computer security (groups.google.com; alt.comp.virus; comp.virus; maous.comp.virus). Access any of these sites to find information on the most recently discovered viruses.

7. Check the status of biometric controls. See the demo at sensar.com. Check what Microsoft is doing with biometric controls.

8. Enter v:l.nai.com/vil/default.asp. Find information about viruses. What tips does McAfee (mcafeeb2b.com) give for avoiding or minimizing the impact of viruses?

9. You have installed a DSL line in your home. You read in this chapter that you need a personal firewall. Enter securitydogs.com, macafee.com, or symantec.com. Find three possible products. Which one do you like best? Why?

10. Access a good search engine (e.g., google.com or findarticles.com). Find recent articles on disaster planning. Prepare a short report on recent developments in disaster recovery planning.

11. The use of smart cards for electronic storage of user identification, user authentication, changing passwords, and so forth is on the rise. Surf the Internet and report on recent developments. (For example, try the Web sites microsoft.com/windows/smartcards, litronic.com, gemplus.com, or scia.org.)

12. Access the Web site 2600.com and read the 2600 Magazine. Also try waregone.com and skynamic.com. Prepare a report that shows how easy it is to hack successfully.

13. Enter ncsa.com and find information about "why hackers do the things they do." Write a report.

14. Enter biopay.com and other vendors of biometrics and find the devices they make that can be used to control access to information systems. Prepare a list of major capabilities.


Home Depot is the world’s largest home-improvement re-tail, a global company that is expanding rapidly (about 200new stores every year). With over 1,500 stores (mostly inthe United States and Canada, and now expanding to othercountries) and about 50,000 kinds of products in eachstore, the company is heavily dependent on IT, especiallysince it started to sell online.

To align its business and IT operations, Home Depot cre-ated a business and information service model, known asthe Special Projects Support Team (SPST). This team col-laborates both with the ISD and business colleagues onnew projects, addressing a wide range of strategic and tac-tical needs. These projects typically occur at the intersec-tion of business processes. The team is composed of highlyskilled employees. Actually, there are several teams, eachwith a director and a mix of employees, depending on theproject. For example, system developers, system adminis-trators, security experts, and project managers can be on ateam. The teams exist until the completion of a project;then they are dissolved and the members are assigned tonew teams. All teams report to the SPST director, whoreports to a VP of Technology.

To ensure collaboration among end-users, the ISD andthe SPST created structured (formal) relationships. Thebasic idea is to combine organizational structure andprocess flow which is designed to do the following:

● Achieve consensus across departmental boundarieswith regard to strategic initiatives.

● Prioritize strategic initiatives.

● Bridge the gap between business concept and detailedspecifications.

● Result in the lowest possible operational costs.

● Achieve consistently high acceptance levels by theend-user community.

● Comply with evolving legal guidelines.

● Define key financial elements (cost-benefit analysis,ROI, etc.).

● Identify and render key feedback points for projectmetrics.

● Support very high rates of change.

● Support the creation of multiple, simultaneousthreads of work across disparate time lines.

● Promote known, predictable, and manageable work-flow events, event sequences, and change manage-ment processes.

● Accommodate the highest possible levels of opera-tional stability.

● Leverage the extensive code base, and leverage func-tion and component reuse.

● Leverage Home Depot’s extensive infrastructure andIS resource base.

Online File W15.11 shows how this kind of organizationworks for Home Depot’s e-commerce activities. There is aspecial EC steering committee which is connected to theCIO (who is a senior VP), to the VP for marketing and ad-vertising, and to the VP for merchandising (merchandisingdeals with procurement). The SPST is closely tied to theISD, to marketing, and to merchandising. The data center isshared with non-EC activities.

The SPST migrated to an e-commerce team in August2000 in order to construct a Web site supporting a nationalcatalog of products, which was completed in April 2001.(This catalog contains over 400,000 products from 11,000vendors.) This project required the collaboration of virtu-ally every department in Home Depot. (e.g., see finance/accounting, legal, loss prevention, etc., in the figure). Alsocontracted services were involved. (The figure in Online FileW15.11 shows the workflow process.)

Since 2001, SPST has been continually busy with ECinitiatives, including improving the growing Home Depotonline store. The cross-departmental nature of the SPSTexplains why it is an ideal structure to support the dy-namic, ever-changing work of the EC-related projects. Thestructure also considers the skills, strengths, and weak-nesses of the IT employees. The company offers both on-line and offline training aimed at improving those skills.Home Depot is consistently ranked among the best placesto work for IT employees.

Sources: Compiled from Alberts (2001) and from homedepot.com (2003).

Questions for Minicase 1

1. Read Chapter 9 (Sections 9.9 and 9.10) regarding team-based organizations. Explain why the team-based structure at Home Depot is so successful.

2. The structure means that the SPST reports to both marketing and technology. This is known as a matrix structure. What are the potential advantages and problems?

3. How is collaboration facilitated by IT in this case?

4. Why is the process flow important in this case?

Minicase 1: Putting IT to Work at Home Depot


Minicase 2: Managing Security

The Internet Security Alliance (isalliance.org) was formed in April 2001. The alliance is a collaborative endeavor of Carnegie Mellon University’s Software Engineering Institute (SEI); its CERT Coordination Center (CERT/CC); the Electronics Industries Alliance (EIA), a federation of trade groups; and other private and public member organizations and corporations. Its goal is to provide information sharing and leadership on information security and to represent its members and regulators.

On September 9, 2002, the alliance released results from a recent security survey conducted jointly with the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. (Durkovich, 2002). The survey asked 227 information security specialists worldwide to compare their current attitudes towards information security with their attitudes prior to the 9/11 terrorist attacks. Overall, the results showed that the security specialists view information security as more of an issue now and that they see it as crucial to the survival of their organization or business. However, most answered that they still feel inadequately prepared to meet their current security challenges, and just as importantly, that most lacked senior management commitment to address these challenges.

The following are some of the specific survey findings:

● 91 percent recognize the importance of information security.

● Most of the organizations reported at least one attack in the past year, with approximately 30 percent reporting more than six attacks.

● 48 percent said that the 9/11 attacks made them more concerned about information security, while 48 percent said there had been no change in their attitudes.

● 47 percent said that their organization had increased spending on information security since the attacks.

● 40 percent said that they had improved their physical security, electronic security, network security, and security policies since the attacks.

● 30 percent indicated that their companies are still inadequately prepared to deal with security attacks.

The Internet Security Alliance has identified 10 of the highest priority and most frequently recommended practices necessary for implementation of a successful security process. The practices encompass policy, process, people, and technology. They include (ISAlliance, 2002):

1. General management. Information security is a normal part of everyone’s responsibilities, managers and employees alike. Managers must ensure that there are adequate resources, that security policies are well defined, and that the policies are reviewed regularly.

2. Policy. Security policies must address key areas such as security risk management, identification of critical assets, physical security, network security, authentication, vulnerability and incident management, privacy, and the like. Policies need to be embedded in standard procedures, practices, training, and architectures.

3. Risk management. The impacts of various risks need to be identified and quantified. A management plan needs to be developed to mitigate those risks with the greatest impact. The plan needs to be reviewed on a regular basis.

4. Security architecture and design. An enterprise-wide security architecture is required to protect critical information assets. High-risk areas (e.g., power supplies) should employ diverse and redundant solutions.

5. User issues. The user community includes general employees, IT staff, partners, suppliers, vendors, and other parties who have access to critical information systems.

6. System and network management. The key lines of defense include access control for all network devices and data, encrypted communications and VPNs where required, and perimeter protection (e.g., firewalls) based on security policies. Any software, files, and directories on the network should be verified on a regular basis. Procedures and mechanisms must be put in place that ensure that software patches are applied to correct existing problems; adequate levels of system logging are deployed; system changes are analyzed from a security perspective; and vulnerability assessments are performed on a periodic basis. Software and data must also be backed up on a regular schedule.

7. Authentication and authorization. Strict policies must be formulated and implemented for authenticating and authorizing network access. Special attention must be given to those employees accessing the network from home and on the road and to partners, contractors, and services who are accessing the network remotely.

8. Monitor and audit. Security-breaching events and changing conditions must be monitored, and the network must be inspected on a regular basis. Standards should be in place for responding to suspicious or unusual behavior.

9. Physical security. Physical access to key information assets, IT services, and resources should be controlled by two-factor authentication.

10. Continuity planning and disaster recovery. Business continuity and recovery plans need to be implemented and periodically tested to ensure that they are effective.

Sources: Compiled from Durkovich (2002) and ISAlliance (2002).
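Practice 6 above asks that software, files, and directories be verified on a regular basis, and practice 8 that the results feed monitoring and audit. The following is an added example, not code from the minicase, the Internet Security Alliance, or the textbook: a small Python file-integrity check that records a SHA-256 baseline of a directory tree while the system is known-good and later reports which files were modified, added, or removed. The directory layout, file names, and the simulated tampering in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 65536  # read files in 64 KiB pieces so large binaries are not loaded whole


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_baseline(baseline: dict[str, str], dest: Path) -> None:
    # The baseline is the trust anchor: keep it off the monitored tree (or signed),
    # otherwise whoever can alter a file can also alter its recorded digest.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the current tree against the baseline and report every difference."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny tree, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "app"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "server").write_bytes(b"original binary")
        (root / "etc" / "server.conf").write_text("debug=false\n")

        # Baseline taken while the tree is known-good; stored outside the tree.
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorized changes (constructed for the example).
        (root / "bin" / "server").write_bytes(b"original binary + unexpected code")
        (root / "bin" / "helper").write_bytes(b"unknown file")
        (root / "etc" / "server.conf").unlink()

        return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

On a real host the baseline would be taken at build or deployment time and the comparison scheduled (for example from a cron job); any non-empty list is an event for the monitoring and audit process of practice 8, and an expected change (a patch, per practice 6) is handled by re-baselining after the change has been reviewed.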

Questions for Minicase 2

1. Why does the Internet Security Alliance include both private and public members?

2. What is the mission of the Alliance?

3. Why is it beneficial to prioritize issues?

4. How would you justify the existence of the Alliance? Who should pay its costs?

Virtual Company Assignment

REFERENCES

Adams, S., “Effective SLAs Define Partnership Roles,” Communications News, June 2000, comnews.com (accessed August 2003).

Agarwal, R., and V. Sambamurthy, “Principles and Models for Organizing the IT Function,” MIS Quarterly Executive, March 2002.

Alberts, B., “Home Depot’s Special Projects Support Team Powers Information Management for Business Needs,” Journal of Organization Excellence, Winter 2001.

Alga, N., “Increasing Security Levels,” Information Systems Control Journal, March–April 2002.

Austin, R. D., and C. A. R. Darby, “The Myth of Secure Computing,” Harvard Business Review, June 2003.

Atlas, R. I., and S. A. Young, “Planting and Shaping Security Success,” Security Management, August 2002.

Azari, R. (ed.), Current Security Management and Ethical Issues of Information. Hershey, PA: IRM Press, 2003.

Ball, L. D., “CIO on Center Stage: 9/11 Changes Everything,” Information Systems Management, Spring 2002.

Becker, D., “Equal Rights for CIOs,” CNET News.Com, June 16, 2003.

Biery, K., and D. Hager, “The Risks of Mobile Communication,” Security Management, December 2001.

Biermann, E., et al., “A Comparison of Intrusion Detection Systems,” Computers and Security, Vol. 20, 2001.

Brassil, R. A., “The Changing Realities of Recovery: How Onsite and Mobile Options Have Revolutionized the Business Continuity Industry,” Information Systems Control Journal, March/April 2003.

Blanco, L., “Audit Trail in an E-Commerce Environment,” Information Systems Control Journal, September–October 2002.

Bruno, L., “Out, Out Damned Hacker!” Red Herring, January 2002.

“Bugbear Worm Steals Credit Card and Password Details,” Information Management and Computer Security, June 2003.

Caulfield, B., “The Trouble with Biometrics,” Business 2.0, September 2002.

Cilli, C., “IT Governance: Why a Guideline?” Information Systems Control Journal, May–June 2003.

Computers and Security, special issue, Vol. 19, No. 1, 2000.

Davidson, P., “29 Nations Team Up Vs. Cross-border Scams,” USA Today (International issue), June 17, 2003.

Davis, J. L., “Using Authentication to Help Prevent Online Fraud,” Direct Marketing, October 2001.

Damle, P., “Social Engineering: A Tip of the Iceberg,” Information Systems Control Journal, March–April 2002.

Devargas, M., “Survival Is Not Compulsory: An Introduction to Business Continuity Planning,” Computers and Security, Vol. 18, No. 1, 1999.

Diao, Y., et al., “Using Fuzzy Control to Maximize Profits in Service Level Agreement,” IBM Systems Journal, XYZ, 2002.

Doll, M. W., et al., Defending the Digital Frontier. New York: Wiley, 2003.

Doughty, K., “Business Continuity: A Business Survival Strategy,” Information Systems Control Journal, January–February 2002.

Doughty, K., “Implementing Enterprise Security,” Information Systems Control Journal, May–June 2003.

Duffy, D., “Chief Executives Who Get IT,” CIO Magazine, July 15, 1999.

Durkovich, C., et al., “Global Computer Security Survey–Results Analysis,” September 9, 2002, redsiren.com/survey.html (accessed July 18, 2003).

Earl, M. J., “Blue Survivors (the CIO’s),” CIO Magazine, December 15, 1999–January 1, 2000.

Fadia, A., Network Security: A Hacker’s Perspective. Boston, MA: Premier Press, 2002.

Frownfelter-Lohrke, C., and J. E. Hunton, “New Opportunities for Information Systems Auditors,” Information Systems Control Journal, May–June 2002.

Garfinkel, S., Web Security, Privacy and Commerce. Sebastopol, CA: O’Reilly and Associates, 2002.

Gerber, J. A., and E. R. Feldman, “Is Your Business Prepared for The Worst,” Journal of Accountancy, April 2002.


Ghosh, A. K., and T. M. Swaminatha, “Software Security and Privacy Risks in Mobile E-Commerce,” Communications of the ACM, February 2001.

Granger, S., “Social Engineering Fundamentals. Part I: Hacker Tactics,” December 18, 2001, online.securityfocus.com (accessed July 20, 2003).

Hiles, A., Enterprise Risk Assessment and Business Impact Analysis. Rothstein Assoc., 2002.

Hinde, S., “The Law, Cybercrime, Risk Assessment and Cyber Protection,” Computers and Security, February 2003.

Hunton, J. E., “Back Up Your Data to Survive a Disaster,” Journal of Accountancy, April 2002.

ISAlliance, “Common Sense Guide for Senior Managers,” Internet Security Alliance, July 2002, www.isalliance.org (accessed July 15, 2003).

Jain, A., et al., “Biometric Identification,” Communications of the ACM, February 2000.

Jain, A., et al. (eds.), Biometrics: Personal Identification in Networked Security. New York: Kluwer, 1999.

Jiang, J. J., et al., “Measuring Information Systems Service Quality,” MIS Quarterly, June 2002.

Karagiannis, K., “DDoS: Are You Next?” PC Magazine, January 1, 2003, pcmag.com/article2/0,4149,768385,00.asp (accessed August 2003).

Kesner, R. M., “Running Information Services as a Business: Managing IS Commitments within the Enterprise,” Information Strategy: The Executive Journal, Summer 2002.

Kolodzinski, O., “Aligning Information Security Imperatives with Business Needs,” The CPA Journal, July 2002, luca.com/cpajournal/2002/0702/nv/nv10.htm (accessed August 2003).

Lam, W., “Ensuring Business Continuity,” IT Pro, June 2002.

Lee, S. C., and C. Shields, “Technical, Legal and Societal Challenges to Automated Attack Traceback,” IT Pro, May/June 2002.

Leidner, D. E., et al., “How CIOs Manage IT During Economic Decline: Surviving and Thriving Amid Uncertainty,” MIS Quarterly Executive, March 2003.

Levin, C., “The Insurance Plan that Came to the Rescue,” PC Magazine, January 29, 2002.

Los Angeles Times, April 24, 1998.

Loundy, D. L., Computer Crime, Information Warfare and Economic Espionage. Durham, NC: Carolina Academic Press, 2003.

Luhn, R., and S. Spanbauer, “Protect Your PC,” PC World, July 2002.

Lux, A. G., and S. Fitiani, “Fighting Internal Crime Before It Happens,” Information Systems Control Journal, May–June 2002.

McConnell, M., “Information Assurance in the Twenty-first Century,” Supplement to Computer, February 2002.

McKinley, E., “VPN Provides Rent-A-Center with a Multitude of Positive Changes,” Stores, May 2003.

Mitnick, K., and W. Simon, The Art of Deception. New York: Wiley, 2002.

Mitre, “CVE List Exceeds 5,000 Security Issues,” September 9, 2002, cve.mitre.org/news/ (accessed July 20, 2003).

Morgan, J. P., and N. A. Wong, “Conduct a Legal Web Audit,” e-Business Advisor, September 1999.

Nance, B., “Keep Networks Safe from Viruses,” Byte, November 1996, p. 171. Updated June 2003.

O’Harrow, R., “Financial Database to Screen Accounts,” Washington Post, May 30, 2002.

Pantry, S., and P. Griffiths, A Complete Guide for Preparing and Implementing Service Level Agreements, 2nd ed. London: Library Association Publishing, 2002.

Pescovitz, D., “Helping Computers Help Themselves,” IEEE Spectrum, September 2002.

Piazza, P., “Honeynet Attracts Hacker Attack,” Security Management, November 2001.

Pooley, J., “Blocking Information Passes,” Security Management, July 2002.

Prometheum Technologies, “How Does a Virtual Private Network (VPN) Work?” April 2003, prometheum.com/m_vpn.htm (accessed August 2003).

Reda, S., “Brave New World of Biometrics,” Stores, May 2002.

Richardson, R., 2003 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute (gocsi.com), 2003.

Robinson, C., “The Role of a Chief Security Officer,” CIO Asia, April 2003 (cio-asia.com).

Rockart, J. F., et al., “Eight Imperatives for the New IS Organization,” Sloan Management Review, Fall 1996.

Ross, J. W., et al., “Develop Long-Term Competitiveness Through IT Assets,” Sloan Management Review, Fall 1996.

Ross, J. W., and D. F. Feeny, “The Evolving Role of the CIO,” in R. Zmud (ed.), Framing the Domain of IT Management. Cincinnati, OH: Pinnaflex Educational Resources, 2000.

Rothstein, P. J., Develop a Disaster Recovery/Business Continuity Plan. Brookfield, CT: Rothstein Assoc., 2002.

Sambamurthy, V., et al., “Managing in the Digital Era,” in G. Dickson and G. DeSanctis, Information Technology and the Future Enterprise. Upper Saddle River, NJ: Prentice-Hall, 2001.

sans.org, “The Twenty Most Critical Internet Security Vulnerabilities,” SANS Institute, sans.org/top20 (accessed April 2003).

Sayana, S. A., “Auditing General and Application Controls,” Information Systems Control Journal, September/October 2002.

Scalet, S. D., “Immune Systems,” CIO Magazine, June 1, 2003.

Seddon, P. B., et al., “Measuring Organizational IS Effectiveness,” Data Base, Spring 2002.

Shand, D., “Service Level Agreements,” Computerworld, January 22, 2001.

Sheridan, R. M., “Working the Data Mines,” Security Management, April 2002.

Sitonis, J. G., and B. Goldberg, “Changing Role of the CIO,” InformationWeek, March 24, 1997.

Sivasailam, N., et al., “What Companies Are(n’t) Doing about Web Site Assurance,” IT Pro, May/June 2002.

Smith, R., Authentication: From Password to Public Keys. Boston: Addison Wesley, 2002.

South China Morning Post, news item, Hong Kong, May 21, 1999.

Spector, L., “How to Avoid Data Disaster,” PC World, June 2002.

Stasiak, K., “Web Application Security,” Information Systems Control Journal, November/December 2002.

Statonline, “Technology Facts and Links,” statonline.com/technologies/facts.asp (accessed August 2003).

Strassman, P., “What Is the Best Defense? Being Prepared,” ComputerWorld, March 31, 1997.

Sullivan, A., “U.S. Arrests 135 in Nationwide Cybercrime Sweep,” Yahoo! News, provided by Reuters, May 16, 2003.

Talleur, T., “Can Your Organization Survive a Cybercrime?” e-Business Advisor, September 2001.


Van, J., “Self Healing Computers Seen as Better Fix,” Chicago Tribune, January 2, 2003.

Verton, E., and J. Brownlow, Black Ice: The Invisible Threat of Cyber-terrorism. New York: McGraw Hill, 2003.

Von-Roessing, R., Auditing Business Continuity: Global Best Practices. Brookfield, CT: Rothstein Assoc., 2002.

Walsh, N. P., “Stolen Details of 6 Million Phone Users Hawked on Moscow Streets,” The Guardian, January 27, 2003.

Wells, J. T., “Occupational Fraud: The Audit as a Deterrent,” Journal of Accountancy, April 2002.

White, G. B., “Protecting the Real Corporate Networks,” Computer Security Journal, Vol. 1, No. 4, 1999.

Whitmore, J. J., “A Method for Designing Secure Solutions,” IBM Systems Journal, Vol. 40, No. 3, 2001.

Wiederkehr, B., “IT Security Awareness Programme,” Information Systems Control Journal, May–June 2003.

Willcocks, L. P., and R. Sykes, “The Role of the CIO and IT Function in ERP,” Communications of the ACM, April 2000.

Williams, D., “Are You IT-Dependent?” CA Magazine, August 2002.

Woda, A., “The Role of the Auditor in IT Governance,” Information Systems Control Journal, Vol. 2, 2002.

Zenkin, D., “Guidelines for Protecting the Corporate against Viruses,” Computers and Security, August 2001.

Zetter, K., and S. Miastkowski, “Viruses: The Next Generation,” PC World, December 2000.
