Source: 130.18.86.27/faculty/warkentin/SecurityPapers/...

Computer Security

Threats to Information Systems: Today's Reality, Yesterday's Understanding

By: Karen D. Loch, Department of Decision Sciences, Georgia State University, Atlanta, Georgia 30303 U.S.A.

Houston H. Carr, Department of Management, Auburn University, Auburn University, Alabama 36849-5241 U.S.A.

Merrill E. Warkentin, Department of Computer Information Systems, Bryant College, 1150 Douglas Pike, Smithfield, Rhode Island 02917-1284 U.S.A.

Abstract

Information systems security remains high on the list of key issues facing information systems executives. Traditional concerns range from forced entry into computer and storage rooms to destruction by fire, earthquake, flood, and hurricane. Recent attention focuses on protecting information systems and data from accidental or intentional unauthorized access, disclosure, modification, or destruction. The consequences of these events can range from degraded or disrupted service to customers to corporate failure. This article reports on a study investigating MIS executives' concern about a variety of threats. A relatively new threat, computer viruses, was found to be a particular concern. The results highlight a gap between the use of modern technology and the understanding of the security implications inherent in its use. Many of the responding information systems managers have migrated their organizations into the highly interconnected environment of modern technology but continue to view threats from the perspective of a pre-connectivity era. They expose their firms to unfamiliar risks of which they are unaware, which they refuse to acknowledge, or which they are often poorly equipped to manage.

Keywords: Threats, information systems security, computer viruses, computer security, computer laws, information resources management

ACM Categories: K.4.2, K.5.2, K.6.m

Introduction

Many organizations have become so dependent on computer-based and telecommunications-intensive information systems that disruptions of either may cause outcomes ranging from inconvenience to catastrophe (Meall, 1989). Our reliance on computer and telecommunications systems has redefined corporate risk. Management now recognizes that threats to continuing operations include technological issues seldom previously considered (Szuprowicz, 1988). A recent survey of U.S. insurance companies is illustrative. The study found that 90 percent of these firms, which are dependent upon data processing systems, would fail after a significant loss or disruption of the EDP facility (Carter, 1988). Protecting the corporation's information system and data warrants management's attention.

Management's concern with information systems security has changed over recent years. In 1981 it ranked as the 14th most important information management topic (Ball and Harris, 1982). By 1985, it had moved to fifth place (Hartog and Herbert, 1986), but a 1986 study (Brancheau and Wetherbe, 1987) reported security in 18th place. By 1989, the issue had dropped to 19th place (Niederman, et al., 1991), seeming to indicate that the MIS executives believed either that security was less of an issue, or that they had implemented greater control. However, a major study conducted during 1989-1990 by the National Research Council (1991) concludes that "the state of computer security in the USA is a mess."

MIS Quarterly/June 1992 173


Considerably less information is available regarding information systems management's perspective on specific risks. We investigated MIS executives' concern for 12 threats, including a new and special threat, computer viruses. We also evaluated MIS executives' perception of threats for microcomputer, mainframe computer, and network environments. This article reports our results.

Evolution of Computer Security

Security once meant safe storage of materials, equipment, and money. Today the primary threat is to corporate data. The computing environment was historically controlled by a few knowledgeable professionals in a centralized batch processing mode. Physical security was of paramount importance. Today, almost unlimited access by a large, knowledgeable community of end users from desktop, dial-in, and network facilities creates a new and extremely vulnerable environment. The threats to data and system security include natural and man-made disasters, errors by loyal employees, and the overt acts of competitors, hackers, and creators of computer viruses. The results of and reactions to the Hinsdale fire, Hurricane Hugo, the San Francisco earthquake, the Chicago flood, the Internet worm, and the arrest of a national hacker ring reinforce these concerns and underline the seriousness of the situation.

We watched on television the awesome force of Hurricane Hugo as it destroyed power and telecommunications lines, equipment, homes and businesses. In Hinsdale, Illinois, many residents and organizations remember the fire that left them without telephone service for days, weeks, and even months. The San Francisco earthquake began by shaking the stands at Candlestick Park and ended tumbling buildings, bridges, and power transmission facilities. The muddy flood waters in Chicago reminded us that computer rooms are much too important for organizations to be located in basements and other low-lying areas. When Robert Morris planted a worm in the Internet networks he apparently did not mean to halt the productive work of thousands of computers and their attached networks, but it happened. And finally, hackers, whether they are out for a joy ride on your network or intend to steal processing and network paths or destroy data, continue to do their devilish deeds. We doubt the artist Michelangelo ever envisioned the anniversary of his birth being used as an excuse to overtly attempt to destroy all of the data on as many small computers as inhumanly possible.

"The ultimate aim of any computer security policy must be to protect the integrity, availability, and confidentiality of the electronic data held within the system" (Smith, 1989). We protect our systems and data from the risk of change or destruction, a risk due to the presence of threats (McGaughey, et al., 1991). We tend to equate risk with something done to us. Natural disasters disrupt our power, our ability to produce, or our transportation capability. Less obvious is the risk we create in our own actions, such as the installation of a new computer-based system, distribution of our processing and data storage across a country or the world, or, as in the case of the banking industry, the movement from batch processing to telecommunications-intensive real-time online processing.

Risk, according to the dictionary, is "the possibility of loss or injury" and "the probability of such loss" (Merriam-Webster, 1989). Risk includes threats, resources, modifying factors, and consequences (Crockford, 1980). The components of risk are illustrated in Figure 1. Multiple forces exert influence on the organization; threats are a broad range of forces capable of producing adverse consequences. Resources consist of the assets, people, or earnings potentially affected by threats. Modifying factors are the internal and external factors that influence the probability of a threat becoming a reality or the severity of consequences when the threat does become a reality. Consequences are the ways a realized threat impacts the resources (Crockford, 1980).

An alternative threat model includes sources, motives, acts, results, and losses (Parker, 1981). Here the concept of risk is included within the losses category. Similar lists have been proposed by others (Busch, 1978; Courtney, 1981; Fisher, 1984; Fitzgerald, 1978; Mair, et al., 1978; Martin, 1973). Contrasting these lists with our focus on threats results in the four-dimensional model for IS security shown in Figure 2. A list of 12 security threats based on this model is shown in Figure 3. The list is derived from the MIS literature and informal interviews with MIS faculty.


Figure 1. The Components of Risk

[Figure: forces acting on the organization are divided into threats and non-threats. A threat's probability is modified by the modifying factors (reduction, protection, transfer, financing) and leads to consequences (disclosure, modification, destruction, denial of use; characterized by manifestation, extent, and severity) that affect resources (assets, people, earnings).]

Table 1 categorizes these threats by source and perpetrator. Following the model in Figure 2, a threat can be internal to the organization, as the result of employee action or failure of an organizational process, or from the external environment. The most obvious external threats to computer systems and the resident data are natural disasters: hurricanes, fires, floods, and earthquakes. Wide use of telecommunications poses a threat of a different type—access to internal data from external sources by competitors and computer hackers. A recent, growing threat is the computer virus (Schweitzer, 1989). First reported in the academic literature in 1987 (Davis and Gantenbein, 1987), viruses have received considerable recent attention (Alexander, 1990a; Baskerville, 1991; Hoffer and Straub, 1989; National Research Council, 1991).

Another dimension of the threat is that of the perpetrator: human versus non-human. For example, many of the threats listed in Figure 3 are the result of human actions. Others are the result of natural, or non-human, events. It can be argued whether a virus is the result of human action (its creator) or of its own non-human performance. We choose the latter.

Next, actions of the perpetrator may be accidental or intentional, irrespective of the source. Competitors typically would be interested in information access, while hackers' mischievous behavior may cause the full range of consequences. Also, computer viruses and program problems are differentiated by their creators' intent. Computer viruses are defined as malicious software written to produce an undesirable effect on the system, user, or organization. Program problems are most commonly the result of oversights by the programmers/analysts. All four consequences in Figure 2 are potentially hazardous to the well-being of the organization.

Research Objective and Methodology

This research addressed two questions: (1) What are the threats to information systems and resident data? and (2) Which of these are the most serious threats? We first drew from the literature a list of threats¹ and presented them to IS security executives and consultants. Modifications to the instrument were made based on the reviewers' comments.

¹ In creating the list of threats, we believed that their importance would vary by the three computer environments: microcomputer, mainframe computer, and network systems. We included this distinction because we have not seen it done in other studies.


Figure 2. The Four Dimensions of Information Systems Security

[Figure: a tree with four levels. Source (Internal, External) branches into Perpetrator (Human, Non-Human), which branches into Intent (Accidental, Intentional); each of the eight resulting paths ends in the same four Consequences: Disclosure, Modification, Destruction, Denial of Use.]


Figure 3. Threats to Information Systems Security

(Columns in the original: Microcomputer, Mainframe, Network. Threats 1-7 were offered for the microcomputer and mainframe environments only; threats 8-12 for all three environments.)

1. Accidental entry of "bad" data by employees
2. Intentional entry of "bad" data by employees
3. Accidental destruction of data by employees
4. Intentional destruction of data by employees
5. Unauthorized access to data/system by employees
6. Inadequate control over media (disks, tapes)
7. Poor control over manual handling of I/O
8. Access to data/system by outsiders (hackers)
9. Access to data/system by outsiders (competitors)
10. Entry into system of computer viruses, worms
11. Weak, ineffective, inadequate physical control
12. Natural disaster: fire, flood, loss of power, communications
Other: ________

For a pilot study, we sent questionnaires to MIS directors or MIS security managers in 58 organizations, randomly drawn from the Atlanta, Georgia, entries in the Directory of Top Computer Executives.² Nineteen responded. The pilot met our initial expectations and required no further modification. We then sent the questionnaire to a random sample of 657 senior MIS managers in the U.S.³ The organizations were again randomly drawn from the Directory of Top Computer Executives. With the help of a follow-up postcard, 131 organizations responded (20.0 percent). Some participants may have elected not to respond due to the sensitive nature of the subject, even though confidentiality was assured. Several respondents refused to respond to selected questions "for security reasons."

Respondents were asked to, "Rank the top three of the following (12) threats to the security of your organization's information system(s), for microcomputers, mainframes, and networks." As shown in Figure 3, the first seven threats were of concern for microcomputer and mainframe computers only, whereas the last five threats were also appropriate for networks. Respondents were allowed to disagree with this classification scheme and to consider all threats appropriate for all environments.⁴ Almost without exception, the respondents concurred with the proposed scheme. Respondents were asked to identify the top three threats in each environment.

² Directory of Top Computer Executives (September 1988), East & West Edition, defines the top computer executive as "the person who provides overall planning and direction of all EDP activities" and has an annual DP budget responsibility of $250,000 or more. All companies were in the Fortune (April 1989) 1,000 list.

³ This research was conducted in the spring of 1990.

We used three methods of analysis—weighted votes, the number of first place votes, and unit votes—to describe the overall meaning of including a threat in any of the three positions.⁵ Our results are presented in each table.
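The three counting methods the paper relies on (weighted 3/2/1 votes as a share of all weighted votes cast, and first-place and unit votes as a share of the "Max N" votes possible for a threat, as in Table 5) can be reproduced directly. The Python below is an added example, not code from the paper or its authors; the four respondents' rankings are constructed, and the competition-style tie handling (tied threats share a rank, the next rank is skipped) is inferred from the ties shown in Table 5.

```python
"""Tally of threat rankings with the three counting methods used in the survey:
weighted votes (3/2/1), number of first-place votes, and unit votes."""
from fractions import Fraction

ENVIRONMENTS = ("microcomputer", "mainframe", "network")
POINTS = (3, 2, 1)  # points for a first, second and third place ranking

# The 12 threats of Figure 3. Threats 1-7 were offered for the microcomputer and
# mainframe environments only; threats 8-12 for all three environments.
THREATS = {
    1: "Accidental entry of bad data by employees",
    2: "Intentional entry of bad data by employees",
    3: "Accidental destruction of data by employees",
    4: "Intentional destruction of data by employees",
    5: "Unauthorized access to data/system by employees",
    6: "Inadequate control over media (disks, tapes)",
    7: "Poor control over manual handling of I/O",
    8: "Access to data/system by outsiders (hackers)",
    9: "Access to data/system by outsiders (competitors)",
    10: "Entry into system of computer viruses, worms",
    11: "Weak, ineffective, inadequate physical control",
    12: "Natural disaster: fire, flood, loss of power, communications",
}


def environments_for(threat):
    """Environments in which a threat was offered; this sets the 'Max N' denominator."""
    return ENVIRONMENTS if threat >= 8 else ENVIRONMENTS[:2]


def competition_rank(scores):
    """Rank {item: score} in descending order; ties share a rank and the next rank
    is skipped (two items tied for 8th are both 8 and the next one is 10, as in Table 5)."""
    ordered = sorted(scores, key=scores.get, reverse=True)
    ranks, last_score, last_rank = {}, None, 0
    for position, item in enumerate(ordered, start=1):
        if scores[item] != last_score:
            last_rank, last_score = position, scores[item]
        ranks[item] = last_rank
    return ranks


def tally(responses):
    """responses: one dict per respondent, {environment: [threat ids, best first, at most 3]}.
    Returns {threat: stats} with raw counts, percentages (as Fractions) and ranks per method."""
    weighted, first, unit = {}, {}, {}
    for response in responses:
        for env, ranking in response.items():
            if env not in ENVIRONMENTS or len(ranking) > 3 or len(set(ranking)) != len(ranking):
                raise ValueError(f"invalid ranking for {env}: {ranking}")
            for place, threat in enumerate(ranking):
                if threat not in THREATS:
                    raise ValueError(f"unknown threat id {threat}")
                weighted[threat] = weighted.get(threat, 0) + POINTS[place]
                unit[threat] = unit.get(threat, 0) + 1
                if place == 0:
                    first[threat] = first.get(threat, 0) + 1
    total_weighted = sum(weighted.values())
    stats = {}
    for threat, votes in weighted.items():
        max_n = len(responses) * len(environments_for(threat))  # votes possible for this threat
        stats[threat] = {
            "weighted": votes,
            "pct_total": Fraction(votes, total_weighted),  # share of all weighted votes cast
            "first": first.get(threat, 0),
            "first_pct": Fraction(first.get(threat, 0), max_n),  # share of Max N
            "unit": unit[threat],
            "unit_pct": Fraction(unit[threat], max_n),
            "max_n": max_n,
        }
    for method, pct in (("weighted", "pct_total"), ("first", "first_pct"), ("unit", "unit_pct")):
        ranks = competition_rank({t: s[pct] for t, s in stats.items()})
        for threat, rank in ranks.items():
            stats[threat][method + "_rank"] = rank
    return stats


def report(stats):
    """Return the tally as text rows laid out like Table 5, ordered by weighted-vote rank."""
    rows = []
    for t in sorted(stats, key=lambda t: stats[t]["weighted_rank"]):
        s = stats[t]
        rows.append(f"{THREATS[t]:<60} {s['weighted']:>4} {float(s['pct_total']):6.1%} {s['weighted_rank']:>2} | "
                    f"{s['first']:>3} {float(s['first_pct']):6.1%} {s['first_rank']:>2} | "
                    f"{s['unit']:>3} {float(s['unit_pct']):6.1%} {s['unit_rank']:>2} (max N {s['max_n']})")
    return rows


# Constructed sample: four respondents' top-three lists per environment (not survey data).
# The second respondent cast only two network votes, as some participants did in the study.
SAMPLE_RESPONSES = [
    {"microcomputer": [1, 3, 12], "mainframe": [12, 1, 5], "network": [12, 8, 10]},
    {"microcomputer": [3, 1, 6], "mainframe": [1, 3, 12], "network": [8, 12]},
    {"microcomputer": [10, 3, 1], "mainframe": [12, 5, 3], "network": [12, 10, 8]},
    {"microcomputer": [1, 10, 3], "mainframe": [1, 12, 3], "network": [8, 12, 11]},
]

if __name__ == "__main__":
    print("\n".join(report(tally(SAMPLE_RESPONSES))))
```

On the sample, natural disasters lead by weighted votes while accidental entry of bad data leads by first-place votes, the same kind of reordering between methods that Table 5 shows.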

⁴ Space was provided to enter threats not listed, but there was no consistency in the few additions.

⁵ Weighted Votes are calculated by assigning three points for a first place ranking, two for a second, and one for third. These were then added for each threat by environment. Number of First Place Votes are calculated by totaling the number of times each threat is listed as the number one threat. Unit Votes are a different perspective of the importance of a threat, as shown by the number of respondents who listed the threat in any position (called unit vote). The unit vote shows the total number of responses listing that threat in either first, second, or third place.

Analysis

Demographics

Table 2 shows the distribution of the responding organizations by size as measured by number of employees.⁶ The industries responding most were manufacturing (25 percent), financial services (14 percent), education and training (12 percent), and information services (10 percent). The size distribution is fairly even with fewer companies in the 501-1,000 employees category. One-half of the respondents have sales of $100 million or less, and one-half have over $100 million.

Table 1. Source and Perpetrator of Threats to Information Systems Security

                                                          Source
Perpetrator     Internal Threats                          External Threats
Human           Acts by employees;                        Competitors;
                Administrative procedures                 Hackers
Non-Human       Mechanical and electrical failures;       Natural disasters;
                Program problems                          Computer viruses

Table 2. Size (in Employees) of Organizations Responding

Size           Total Number
1-100          26
101-500        26
501-1,000      11
1,001-5,000    49
Over 5,000     17
Total          129

Data on DP budgets as a percent of sales/budget were also collected. Forty-seven percent of the organizations reported their DP budget in the 1 percent to 4.99 percent range. Additionally, 74 respondents provided the size of the IS security budget as a percent of the DP budget. The average IS security budget represents 1.3 percent of the total IS budget and ranged from 0.1 percent to over 10 percent. Thus, the IS security budget often is to the DP budget as the DP budget is to sales.

Connectivity

As illustrated in the movie War Games, connectivity increases the risk to a given computer, and to its network, beyond that present with a stand-alone machine. To see the relationship between connectivity and perception of threats, we asked the respondents to note their degree of connectedness (percentage of systems). As shown in Table 3, the microcomputer environment of these organizations was internally connected about one-half of the time but externally connected less, with one in three machines having connectivity. Mainframes are connected internally or externally in two of three installations, connected in both environments one-half of the time, and in a stand-alone configuration in only one in five installations. Thus, most of the responding organizations were familiar with networked environments.

⁶ Sales figures were provided by profit-oriented firms and budget figures were provided by not-for-profit organizations. Size of organization is not shown but compared directly with size by number of employees.

Threats

Overall Risk of Computer Disruption

We asked the participants to, "Please evaluate your organization's overall risk of computer disruption." The overall mean was 3.7 on a scale of one (low risk) to seven (high risk); the standard deviation was 1.2. Respondents were then asked to evaluate their organization's risk of computer disruption by each architectural environment. Table 4 shows the means and standard deviations for the different environments. The network environment was further broken down by whether the organization used networks within their organization, networks connected to the outside world, or both. The microcomputer environment and the external network environment were seen to represent the greatest level of risk. While security experts warn that the greatest threats come from inside the organization (Collins, 1988; Mylott, 1985), the respondents indicated that they perceived a very low level of risk with their internal networks. The range of means between 1.70 and 4.40 is an indication of a low to moderate perceived risk. In other words, the respondents believed they were generally not at risk.

Table 3. Percent of Computer Connectivity

Environment      Stand-Alone          Internally    Externally    Internal and
                 (No Connectivity)    Connected     Connected     External
Microcomputer    37.5%                46.3%         15.0%         23.7%
Mainframe        20.0%                68.6%         61.9%         55.8%

Note: Total percentages exceed 100 percent because organizations reported connectivity levels for all four categories.

Respondents consistently saw themselves to be at greater risk in the microcomputer environment than in the mainframe environment. Fifty-six percent of the respondents viewed their organization's risk of computer disruption in the microcomputer environment to be moderate/high to high risk (5 to 7 on a seven-point scale). In contrast, 62 percent perceived their organization's risk of computer disruption in the mainframe environment to be low risk (1 to 3 on a seven-point scale) across all types of connectivity. The sensitivity within the microcomputer environment may be in part explained by its recency in comparison to the mainframe environment. Administrative procedures and physical control mechanisms for mainframes are well understood and in force in most organizations. For microcomputers and related peripherals, however, such controls may be weak or easily ignored.

Our respondents generally believed that external networks represented the greatest risk. Nevertheless, they exhibited a low level of concern. The point of entry to external networks is usually the mainframe system, a system they believe to be relatively secure. In one organization, for instance, all communications come into the organization by the mainframe with security password access and call-back modem. This respondent saw little cause for concern.

Table 4. Perceived Risk Level for Computer Disruption, Overall and by Environment (Low Risk = 1; High Risk = 7)

Environments         Mean    Std. Dev.
Overall              3.7     1.2
Microcomputer        4.4     1.7
Mainframe            3.5     1.5
Internal Networks    1.7     1.5
External Networks    4.1     1.6

Respondents admitted that there must be more consistent enforcement of what measures and policies are in place in organizations. They evaluated management's commitment to enforcing IS security policies as moderate (mean = 4.4, std. dev. = 1.7; 1 = low commitment, 7 = high commitment). In turn, they believed their current IS policies to be moderately good (mean = 4.6, std. dev. = 1.4; 1 = very poor, 7 = exceptionally good).

Ranking Threats Across Environments

Respondents were asked to, "Rank the top three of the following (12) threats to the security of your organization's information system(s), for microcomputers, mainframes, and networks." The results across methods of analysis shown in Table 5 were highly consistent for the leading threats. Natural disasters and employee accidental actions ranked among the top three threats by all three methods. Using the weighted vote method, natural disasters received 19.8 percent of the possible votes.⁷ Natural disasters was displaced in first place by accidental entry of bad data by employees and accidental destruction of data by employees under the first place and unit vote methods, respectively.

Tables 5 and 6 show which threats are internal in source and which are external. Table 6 places the threats in the source/perpetrator schema by the weighted vote method. The perpetrator may be human or non-human. External threats received 37.0 percent of the weighted votes and the internal threats received 62.4 percent of the weighted votes, giving internal threats almost a 2 to 1 value over external. These results confirm experts' claims (Collins, 1988) that the greatest threats come from inside the organization.

⁷ One hundred thirty-one respondents could distribute three votes that translate to six weighted votes in each of three environments, for a total of 2,358 weighted votes. Some participants did not cast all votes.

Table 5. Threat Ranking for All Environments

                                            Ext/   Weighted Votes           1st Place Votes          Unit Votes
Threats (All Environments)                  Int    Nr.    %Tot    Rank      Nr.    %Max    Rank      Nr.    %Max    Rank
Natural disasters                           E      324    19.8%   1         *63    16.0%   2         *159   40.5%   3
Accidental entry bad data by employees      I      270    16.5%   2         +62    23.7%   1         +115   43.9%   2
Accidental destruction data by employees    I      252    15.4%   3         +40    15.3%   3         +130   49.6%   1
Weak/ineffective controls                   I      149     9.1%   4         *24     6.1%   5         *77    19.6%   5
Entry of computer viruses                   E      128     7.8%   5         *21     5.3%   6         *68    17.3%   7
Access to system by hackers                 E      123     7.5%   6         *18     4.6%   7         *66    16.8%   8
Inadequate control over media               I       96     5.9%   7         +17     6.5%   4         +51    19.5%   6
Unauthorized access by employees            I       93     5.7%   8         +11     4.2%   8         +53    20.2%   4
Poor control of I/O                         I       67     4.1%   9          +6     2.3%   10        +44    16.8%   8
Intentional destruction data by employees   I       58     3.5%   10         +7     2.7%   9         +33    12.6%   10
Intentional entry bad data by employee      I       36     2.2%   11         +4     1.5%   11        +22     8.4%   11
Access to system by competitors             E       31     1.9%   12         *5     1.3%   12        *16     4.1%   12
Other threats                                       10     0.6%   13          2     0.5%   13          5     1.3%   13
Total                                             1637                       280                       839

+ Max N = 262; * Max N = 393.

Note: The 131 organizations could cast a maximum of 262 votes for the seven threats listed for microcomputer and mainframe computers-only environments (identified in Table 5 with a +) and a maximum of 393 votes for the five threats in all three environments (identified in Table 5 with an *). By considering the organizations that indicated an awareness of the threat, as a percent of the possible number that could show an interest, a relative standing is achieved.

Ranking of Threats by Environment

Of particular interest were the susceptibility to threats within each of the three computer environments and the importance of each threat within the various environments. We first asked the participants to, "Please distribute 100 points across these three environments to show the seriousness of threats."⁸ Table 7 shows the relative risk to all threats by environment, by spreading 100 points. The network environment was noted to be, on average, the least risky environment (with 23.9 of 100 points); however, large standard deviations reflect disparity among the respondents. This method provides an indication of the relative level of overall threat to each environment. Table 8 shows the weighted vote results by threat for each environment.

⁸ The use of the point-spread method, the distribution of a limited amount of points over a field of choices, is referred to as an ipsative approach, "in which each value is measured at the expense of the others" (Hicks, 1970). The ipsative approach computes relative scores whereas the weighted method determines a placement vote.

Table 6. Threats to Computer Systems and Data by Weighted Votes

                       Source
Perpetrator            Internal Threats (62.4%)                         External Threats (37.0%)
Human (71.8%)          Accidental entry bad data by employees (16.5%)   Access by competitors (1.9%)
                       Accid. dest. data by employees (15.4%)           Access by hackers (7.5%)
                       Weak/ineffect. physical control (9.1%)           TOTAL = (9.4%)
                       Intent. dest. data by employees (3.5%)
                       Unauth. access by employees (5.7%)
                       Intent. entry bad data by employees (2.2%)
                       Inadequate control over media (5.9%)
                       Poor control of I/O (4.1%)
                       TOTAL = (62.4%)
Non-Human (27.6%)                                                       Natural disaster (19.8%)
                                                                        Computer viruses (7.8%)
                                                                        TOTAL = (27.6%)

Microcomputer Environment. Four of the five threats leading the list for microcomputers were the same as the leading threats across environments (see Table 5). The ordering, however, differs. Many respondents seemed to believe that data run the same risk of accidental entry and destruction on microcomputers as they do on larger computers. Administrative procedures ranked third and fourth, suggesting that the relatively recent proliferation of microcomputer technology and the resulting organizational responsibilities have not been satisfactorily addressed. The concern for computer viruses in a microcomputer-only environment (#6) was not as great as was expected.⁹

Table 7. Risk to All Threats by Environment—Spread of 100 Points Across Three Environments

Environment       Mean    Std. Dev.    Median
Microcomputer     37.9    21.4         40
Mainframe/mini    35.1    22.7         30
Network system    23.9    13.2         30

Mainframe Computer Environment. The top three threats to mainframe computers were the same as for microcomputers, though the threat of natural disasters appears to be of greater concern for the mainframe environment than for microcomputers. The higher ranking of natural disasters and the appearance of unauthorized access by employees among the leading threats may reflect the growing trend to use mainframes as large repositories for critical data with expanded access capability.

Network Environment. The threat of natural disasters tops the list for networks, with access to the system by hackers ranking second. The threat of hackers ranked significantly lower in the microcomputer (#10) and mainframe (#8) environments. Respondents saw little threat from their employees or competitors. Intentional acts by employees (ranging from 1.6 percent to 5.5 percent of total weighted votes) or competitors conducting industrial espionage (ranging from 0.9 percent to 4.3 percent of total weighted votes) are viewed as small threats.

[9] It was the concern for computer viruses in a networked microcomputer environment that raised this threat to fifth place across environments.


Table 8. Threat Ranking for Each Environment (Weighted Vote Method)

                                              Ext./   Microcomputers         Mainframe Computers      Networks
Threat                                        Int.   Votes   %Tot   Rank    Votes   %Tot   Rank     Votes   %Tot   Rank
--------------------------------------------  -----  -----  ------  ----    -----  ------  ----     -----  ------  ----
Natural disasters                              E       74   11.7%     4      135   21.3%     2       115   31.3%     1
Accidental entry of bad data by employees      I      112   17.7%     2      158   24.9%     1         -      -      -
Accidental destruction of data by employees    I      137   21.6%     1      115   18.1%     3         -      -      -
Weak/ineffective controls                      I       52    8.2%     5       17    2.7%     9        80   21.7%     3
Entry of computer viruses                      E       50    7.9%     6       13    2.0%    11        65   17.7%     4
Access to system by hackers                    E       16    2.5%    10       20    3.1%     8        87   23.6%     2
Inadequate control over media                  I       80   12.6%     3       16    2.5%    10         -      -      -
Unauthorized access by employees               I       38    6.0%     7       55    8.7%     4         -      -      -
Poor control of I/O                            I       31    4.9%     8       36    5.7%     5         -      -      -
Intentional destruction of data by employees   I       23    3.6%     9       35    5.5%     6         -      -      -
Intentional entry of bad data by employees     I       10    1.6%    11       26    4.1%     7         -      -      -
Access to system by competitors                E        9    1.4%    12        6    0.9%    12        16    4.3%     5
Other threats                                           2    0.3%    13        3    0.5%    13         5    1.4%     6
Total weighted votes                                  634                    635                     368

"Votes" is the number of weighted votes a threat received; "%Tot" is its share of the environment's total weighted votes; "-" means the threat was not offered for that environment.

The threat of natural disasters has existed since the introduction of computer information systems, but the consequences continue to increase as organizations become more dependent upon the reliable, real-time functioning of their systems and ready access to large databases. A fire that knocked out an electrical substation in lower Manhattan on August 14, 1990, publicly illustrated the financial service industry's vulnerability to natural disasters interrupting telecommunications-intensive systems.

Computer viruses

We were particularly interested in how managers viewed computer viruses relative to other threats. Viruses were ranked as the #4 threat in the network environment and the #6 threat in the microcomputer environment. For mainframes, however, viruses were not viewed as an important threat. As one respondent noted, "Viruses are mostly a concern for microcomputer users."

We asked respondents three questions about computer viruses. First, "Has your organization had any verified incidents of computer disruption due to the intrusion of computer viruses or worms?" Twenty-two percent of the respondents reported verified incidents of a computer virus. Not surprisingly, larger companies were more likely to report an incident. Three industries, education and training, information services, and manufacturing, represented 68 percent of all reported incidents. Education and training led by a significant margin, with 60 percent reporting a verified incident. Thirty-four percent of the IS firms and 19 percent of the manufacturing firms reported verified virus incidents.

Second, "Please evaluate [on a seven-point scale with 1 = very low and 7 = very high] your organization's risk of computer disruption on your information system due to the intrusion of computer viruses, worms, etc." Seventy-four percent of the respondents replied with a value of three or less; the average response was 2.7. In contrast, they viewed other organizations' risk to be significantly greater (mean = 4.3). Organizations that had experienced a virus attack saw the threat as greater than those that had not.[10] Nonetheless, in both cases their view of risk was still relatively low.

Third, "The issue of computer viruses is not a major concern in my organization [a seven-point scale with 1 = strongly disagree, 4 = neutral, and 7 = strongly agree]." Overall, the respondents were indifferent about viruses; the median and mean values were 4 and 4.2, respectively. Eighteen percent of the respondents neither agreed nor disagreed with this statement, selecting a value of 4. Those organizations that had not experienced a virus incident more strongly disagreed with this statement, indicating a slightly greater concern for computer viruses. In contrast, organizations that reported an incident were evenly divided between moderate and no/low concern. It may be that those who had experienced a virus now felt more comfortable because (1) they had been through the experience, and (2) believed they had addressed their weaknesses in security. Not only do they believe that they are at low risk (mean = 2.68), they also believe that other organizations' risk of computer disruption due to computer viruses (mean = 4.32) is significantly greater than their own (p = .00001).

Prevention of Computer Viruses

We then focused on the prevention of computer viruses, asking respondents to rank possible actions designed to prevent infection by computer viruses, worms, etc. Table 9, a list drawn from the MIS literature, shows that passwords, regular backups, and employee education are by far believed to be the most effective preventive measures for viruses. Less than 2 percent of the responding organizations conducted ethics training.

[10] A t-test of these data showed significant differences (p = 0.02); mean for no incident = 2.47; mean for incident = 3.42.

Sanctions for Computer Viruses

It has been estimated (Alexander, 1990a) that businesses report only about 6 percent of criminal acts aimed at their computer systems, for fear that the publicity will hurt business or attract copycat crooks. Despite our guarantee of anonymity and confidentiality, several respondents refused to answer specific questions "for security reasons"; others questioned our promise of anonymity. Twenty-two percent of the respondents reported a verified computer virus incident; 50 percent of those could identify the source of the virus. Only four companies reported taking action against the responsible party. One company took legal action, two companies reprimanded the party, and one took multiple measures: legal action, reprimand, and dismissal.

Penalties and laws

To determine the respondents' view of the severity of disruptive actions, we asked about the desirable level of penalties for unauthorized access, the destruction of data through direct manipulation, and the destruction of data by a virus. The penalties ranged from a warning (1), to a misdemeanor (4), to a felony charge (7) on a one-to-seven-point scale. The respondents did differentiate between the seriousness of the actions. Only 55 percent were willing to invoke harsh penalties (6 or 7) for unauthorized access, whereas 86.5 percent believed destruction of data, whether by manipulation or by a computer virus, warranted harsh penalties. In general, unauthorized access is viewed as less serious than the overt, malicious actions of data manipulation and computer viruses.

Respondents were also asked if there was a need for federal and state computer security laws. Their responses were significantly correlated with penalties for all three actions described above. The respondents generally felt that federal computer security laws were more necessary than computer laws at the state level. Sixty percent of the respondents did not know whether their state had laws about computer security; 14 percent said that there were no state laws in their state. Respondents were apparently poorly informed, because 48 states have enacted laws dealing with computer crime and the other two are currently considering such legislation (Alexander, 1990b). Only those respondents who had not experienced a computer virus felt there was no need for federal computer security laws.

Table 9. Ranking of Preventive Measures Against Computer Viruses

Virus Infection Preventive Measures    Weighted   Weighted   Std.    Unit
                                       Votes      Mean       Dev.    Votes
-------------------------------------  --------   --------   -----   -----
Use of passwords                         136       2.34      0.78     58
Backup procedures/schedules               84       1.83      0.71     46
Employee education                        75       2.27      0.84     33
Consistent security policies              57       1.97      0.91     29
Company-provided software only            50       2.08      0.83     24
Use of virus scanning software            42       1.91      0.81     22
Audit procedures strengthened             42       2.00      0.77     21
Monitor computer usage                    28       1.56      0.70     18
Auto terminal/account logoff              24       1.71      0.83     14
Shrinkwrap software only                  26       2.00      0.82     13
No outside BBS connections                28       2.55      0.69     11
Publish formal standards                  19       1.73      0.79     11
Reporting violations encouraged           19       1.90      0.74     10
Control of workstations                    7       1.40      0.55      5
Other                                      6       2.00      1.00      3
Ethics training                            5       1.67      0.58      3

"Unit votes" is the number of respondents who selected the measure; "weighted mean" is weighted votes divided by unit votes.

Summary and Conclusions

Modern organizations increasingly will rely on telecommunications to extend their traditional systems' boundaries to share information and other resources. Placing systems and data in remote locations and accessing them via telecommunications can define business, competition, and security. Organizations are so dependent on computer-based and telecommunications-intensive information systems that they may not survive a significant disruption of either capability. This research captures the views of MIS management about threats to information systems and data security. Some readers will find many results to be predictable: natural disasters remain a force with which to contend; employees and internal organizational procedures are a greater threat than competitors; and the microcomputer environment is not as secure as the mainframe computer. Other readers may share our surprise at attitudes concerning the newest threat, the computer virus. In brief, these respondents believe themselves to be at low risk from viruses, whether or not they were in the 22 percent of the sample that experienced one, and, simultaneously, believe other organizations are at greater risk than themselves.

The respondents are deeply involved with telecommunications (Table 3), yet they do not seem to connect conceptually the level of connectivity (increased number of points of entry into the system) and the level of risk (Table 4). While they did differentiate between stand-alone and connected environments, they viewed their internal networks to be relatively secure (Table 4). Strong evidence that the greatest risk comes from employees within the organization (Table 5) suggests that this perception is naive. Furthermore, although they acknowledged the potential risk for external networks, respondents perceived themselves to be at low risk (Table 4). Their low level of concern can be explained by several factors. First, most of their external networks involved mainframe systems, which they believed were secure.[11] Second, informal comments suggest that they believe the mainframe environment to be impervious to the threat of computer viruses. This perception also indicates a lack of awareness on their part; mainframe viruses have been documented (Price Waterhouse, 1989; Virus List Digest, 1989; 1990).

[11] Some managers may be lured into complacency by the existence of security groups within their organizations. Such an office permits the rest of the organization to abrogate its responsibility for security.

Although the respondents were all senior MIS managers, they were not familiar with state and federal laws concerning computer crimes. They did have strong opinions as to appropriate penalties for unauthorized access and destruction of data by direct manipulation and use of computer viruses. While some responses were contradictory to their experiences, these managers saw disruption of systems and destruction of data as serious actions warranting serious punishment. Although they were generally cavalier about viruses, they strongly supported the need for laws against destroying data with a computer virus. Ironically, many firms appeared hesitant to apply punishment in practice.

Our findings reveal ironies of computer security. Our respondents seemed well aware of the threats but viewed their risk to be moderately low.[12] They also believed that their employees and competitors operate in good faith; intentional actions were consistently ranked as the least likely threats. Furthermore, they viewed their neighbor to be at greater risk than they were, exhibiting a rather naive belief that bad things only happen to other people.

The growth of connectivity and dispersion of technology within or between organizations will continue. Our results suggest that management needs to (1) become more informed of the potential for security breaches in the mainframe environment and via employees' and competitors' actions; (2) increase their awareness in key areas, such as penalties and laws; and (3) recognize that their overall level of concern for security may underestimate the potential risk inherent in the highly connected environment in which they operate.

[12] See Straub (1990) for a discussion of the seeming contradiction between managers' awareness of, or personal experience with, certain kinds of system misuse.

References

Alexander, M. "Computer Crime: Ugly Secret for Business," Computerworld (24:11), March 12, 1990a, pp. 1, 104.

Alexander, M. "Lax Security Invites Liability Nightmare," Computerworld (24:13), March 26, 1990b, pp. 1, 127.

Ball, L. and Harris, R. "SMIS Member: A Membership Analysis," MIS Quarterly (6:1), March 1982, pp. 19-38.

Baskerville, R. "Risk Analysis: An Interpretive Feasibility Tool in Justifying Information Systems Security," European Journal of Information Systems (1:2), 1991, pp. 121-130.

Brancheau, J.C. and Wetherbe, J.C. "Key Issues in Information Systems Management," MIS Quarterly (12:2), March 1987, pp. 23-36.

Busch, J.C., Jr., and Sardinas, J.L., Jr. Computer Control and Audit: A Total Systems Approach, John Wiley & Sons, New York, NY, 1978.

Carter, R. "Dependence and Disaster—Recovering from EDP Systems Failure," Management Services (UK) (32:12), December 1988, pp. 20-22.

Collins, L.J. "Workers Are Top Threat to Computer Data," Business Insurance (22:18), May 2, 1988, p. 60.

Courtney, R.H., Jr. "Security Risk Assessment in Electronic Data Processing Systems," IBM Publication TR21.700-A, revised March 1981, IBM Corporation, Armonk, NY.

Crockford, N. An Introduction to Risk Management, Woodhead-Faulkner Limited, Cambridge, England, 1980.

Davis, F.G.F. and Gantenbein, R.E. "Recovering from a Computer Virus Attack," Journal of Systems & Software (7:4), December 1987, pp. 253-258.

Fisher, R.P. Information Systems Security, Prentice Hall, Inc., Englewood Cliffs, NJ, 1984.

Fitzgerald, J. "EDP Risk Analysis for Contingency Planning," EDPACS (6:2), August 1978, pp. 6-8.

Hartog, C. and Herbert, M. "1985 Opinion Survey of MIS Managers: Key Issues," MIS Quarterly (10:4), December 1986, pp. 351-361.

Hicks, L.E. "Some Properties of Ipsative, Normative, and Forced-Choice Normative Measures," Psychological Bulletin (74), 1970, pp. 167-184.

Hoffer, J. and Straub, D.W., Jr. "The 9 to 5 Underground: Are You Policing Computer Crimes?" Sloan Management Review, Summer 1989, pp. 35-43.

Mair, W.C., Wood, W.R., and Davis, K.W. Computer Control and Audit (11 A), 1978, p. 363.


Martin, J. Security, Accuracy and Privacy in Computer Systems, Prentice-Hall, Inc., Englewood Cliffs, NJ, 1973.

McGaughey, R.E., Carr, H.H., Rainer, R.K., Jr., and Snyder, C.A. "Competitive Advantage and Risk Using Information Technology," working paper, MIS-03, Department of Management, Auburn University, Auburn University, AL, 1991.

Meall, L. "Survival of the Fittest," Accountancy (UK) (103:1147), March 1989, pp. 140-141.

Merriam-Webster. Webster's Ninth New Collegiate Dictionary, G. & C. Merriam Company, Springfield, MA, 1989.

Mylott, T.R., III. "Computer Security and the Threats from Within," Office (101:3), March 1985, pp. 45-46, 190.

National Research Council. Computers at Risk, National Academy Press, Washington, DC, 1991.

Niederman, F., Brancheau, J.C., and Wetherbe, J.C. "Information Systems Management Issues for the 1990s," MIS Quarterly (15:4), December 1991, pp. 475-502.

Parker, D.B. Computer Security Management, Reston Publishing Co., Reston, VA, 1981.

Price Waterhouse. The Computer Handbook, Price Waterhouse, New York, NY, 1989.

Schweitzer, J.A. "Virus: A Strain on the System," Security Management (33:3), March 1989, pp. 17A-18A.

Smith, M. "Computer Security—Threats, Vulnerabilities and Countermeasures," Information Age (UK) (11:4), October 1989, pp. 205-210.

Straub, D.W., Jr. "Effective IS Security: An Empirical Study," Information Systems Research (1:3), September 1990, pp. 255-276.

Szuprowicz, B.O. "Technological Vulnerability: How Serious a Threat to Your Business?" Canadian Datasystems (20:10), October 1988, pp. 96-99.

Virus List Digest. "DIR Exec on VM," (2:248, 249), electronic journal accessible at [email protected], November 27, 1989.

Virus List Digest. "Documented Mainframe Viral Attacks," (3:114), electronic journal accessible at Virus-L@IBM1.cc.lehigh.edu, June 15, 1990.

About the Authors

Karen D. Loch is assistant professor of decision sciences in the College of Business at Georgia State University in Atlanta, Georgia. She received her Ph.D. in management information systems from the University of Nebraska. She has presented papers at national conferences of the Decision Sciences Institute, the Institute of Management Science, and the Hawaii International Conference on System Sciences, and has published in the areas of simulation and management of information resources. She is co-editor of Global Information Technology Education: Issues and Trends (Idea Group Publishing, 1992). Her research interests include international management of information technology, telecommunications, and management support systems.

Houston H. Carr is associate professor of management (MIS) and associate director of the Thomas Walter Center for Technology Management at Auburn University, Alabama. Before completing his doctorate in information systems, he spent 21 years in industry, the last nine of which were active in analysis, design, and consulting on computer-based pricing and proposal monitoring systems. His research interests include the information center concept for supporting end-user computing, telecommunications management, and the user-friendliness of computer applications. Dr. Carr has published in MIS Quarterly, Data Base, Information and Management, Journal of Management Information Systems, and Data Management. He recently published Managing End User Computing with Prentice Hall (1988).

Merrill E. Warkentin is associate professor of computer information systems at Bryant College in Smithfield, Rhode Island. Dr. Warkentin's research interests are in the areas of knowledge engineering, computer system security management, and applications of DSS and AI technology. His research has appeared in Decision Sciences, AI and Medicine, Expert Systems, Agroforestry Systems, and in several books. He is co-author of Emerging Information Technologies (Prentice Hall, 1992) and an associate editor of the new ACM journal Applied Computing Review.
