-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Summary
It was great to meet you in class. Thank you for our classroom discussion and your excellent questions, comments, and pointing out issues and inconsistencies between the Blog and Syllabus […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Provide an example of a measurement used in quantitative information security risk analysis.
What challenges are involved in calculating such a measurement?
-
Quantitative Information Security Risk Analysis is when you are able to examine a risk by looking at its risk factors in order to place a dollar amount or another type of value to the specific risk.
An example is having 100 employees’ sensitive bank account numbers, bank router numbers, and other direct deposit information in a database in order to allow the employees to directly deposit their pay-checks into their accounts. When the board of directors analyzed the option to allow the employees to use direct deposit or not, they determined that if this data was stolen, it would cost the company $500 per employee. This $500 dollar cost is an average that was calculated by looking at a population/sample of people, their bank account info (like amount), and several other factors. The $500 amount would include: investigating to determine exactly which employees were affected, contacting the employees to notify them, replenishing the amount of actual money stolen, and the cost it would take to pay for the employee to change the information that was stolen. The max loss for this particular risk is $50,000.
In my above example, I made the risk value in terms of a dollar amount and I made the elements of the risk fairly simple. This is not always the case. In fact, risk can have more elements and there is not always an element that you can put a dollar amount to. Complexity of risk and the likelihood of partial or full risk loss are two factors that also make risk difficult to quantify. Lastly, there is no standard in each industry that tells you what each risk element is worth in terms of money or any type of value and that makes determining the quantitative risk value very difficult because each risk situation is unique.
-
In your simplified example, how might you approach attempting to quantify the loss to the business of “good will” from a data loss scenario (i.e. hacking data)? Would the business have to also quantify the loss due to compliance lawsuits like Target did in its security breach a couple years ago?
-
Sean, to answer your query, you can study the steps provided in one of the SANS whitepapers, Quantitative Risk Analysis Step-by-Step
[ https://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849 ]
To summarize, the steps are as below:
1. Determine risk factors
2. Determine values of assets under risk
3. Determine historical data of incident occurrence and loss
4. Determine Annualized rate of occurrence (ARO)
5. Determine counter measures to overcome risk
6. Determine Annualized Loss Expectancy (ALE)
7. Conduct safeguard cost analysis by calculating difference between ALE before and after implementing countermeasures
8. Using values in step 6 & 7 calculate Internal Rate of Return (IRR)
9. Present summarized results to management
Formulas you will need:
Exposure factor (ex 40%), Single loss expectancy (ex 1000$ at 20% likelihood), Annualized Rate of occurrence (ex. 01. In 10 years), Annualized Loss Expectancy, Safeguard cost/benefit analysis
To answer your question, “loss of goodwill” will come under calculating risk factor for intangible assets.
There is an example given in the whitepaper that you can read.
-
Quantitative Data-Data derived from mathematical and statistical figures
Risk Assessment-Process to identify potential risk to a business process.
So as the name suggests, quantitative information security analysis is placing a mathematical figure in terms of dollar value on the threat or asset involved in information security analysis.
An example of quantitative information security analysis is an organization XYZ using a software or a tool worth $300 which has a risk of being hacked down by potential hackers.
The department analyzes that the hacking may result in 90% software corruption
So the true asset value is 300*90/100=270.
The organization may incur a loss of $270 in case of software being hacked and results are a part of information security analysis
Furthermore, the challenge involved in such risk measurement is posed in the question “How can you identify the estimate of loss occurred until the actual threat occurred”. The risk can be greater or even lesser than the actual threat estimated, and there can be a lot of other elements and subjects getting involved when the actual threat occurs.
-
I agree with Shukla. Simply to say, quantitative information security risk analysis uses mathematical and statistical ways to figure out the potential risk to the information of a business process, and the example very clearly shows the risk and the loss. I also think that this analysis is like an expectation of loss, and the result will show the maximum outcome to us.
-
What is quantitative information security risk analysis? Provide an example of a measurement used in quantitative information security risk analysis. What challenges are involved in calculating such a measurement?
Quantitative information security risk analysis tries to estimate a monetary value (dollar value) for each data leak event with potential data loss. Example: in the case of a health care company, quantitative information security risk analysis produces an estimated loss of 150K for every data loss of 10K patient personal information. Estimating expected loss requires calculating the probability of data loss, and the extent of data loss if a breach does happen.
Expected loss $ = Expected Consequence * Expected Frequency (probability)
What challenges are involved in calculating such a measurement?
The apparent issue will be accuracy of both measures needed to calculate Expected Loss $ (Consequence and Frequency), in addition to difficulty calculating probability of breach event when multiple data loss events can and are interdependent.
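Added example (not part of the original posts): the SLE, ALE and safeguard cost/benefit steps from the SANS summary above and the expected-loss formula in the preceding comment, written as Python. It goes one step beyond those formulas by simulating annual loss, which shows how a single expected-loss figure hides the spread the posters describe as the difficulty. The $50,000 and $300 at 90% figures come from the discussion; the ARO, the exposure-factor range and the safeguard cost are assumptions.

```python
"""Added example: SLE, ALE, safeguard value, and a simulation of annual loss.

Asset figures come from the discussion; every value marked ASSUMED is
constructed for illustration and is not taken from the page.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # dollars exposed to the risk
    exposure_factor: float  # fraction of asset value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure_factor must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset_value and aro must be non-negative")


def sle(s):
    """Single loss expectancy = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def ale(s):
    """Annualized loss expectancy = SLE x ARO (consequence x frequency)."""
    return sle(s) * s.aro


def safeguard_value(before, after, annual_cost):
    """Yearly benefit of a countermeasure: ALE before - ALE after - its cost."""
    return ale(before) - ale(after) - annual_cost


def _poisson(rng, lam):
    """Draw an incident count for one year (Knuth's method, fine for small lam)."""
    limit, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(asset_value, ef_low, ef_mode, ef_high, aro,
                         years=20000, seed=5206):
    """Simulate many years where the loss per incident is uncertain.

    Each incident loses asset_value x EF, with EF drawn from a triangular
    distribution. Returns the mean (comparable to ALE), the 95th percentile
    year, and the share of years with no loss at all.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(years):
        incidents = _poisson(rng, aro)
        losses.append(sum((asset_value * rng.triangular(ef_low, ef_high, ef_mode)
                           for _ in range(incidents)), 0.0))
    losses.sort()
    return {
        "mean": sum(losses) / years,
        "p95": losses[int(0.95 * years)],
        "loss_free_years": losses.count(0.0) / years,
    }


# Direct-deposit database from the discussion: 100 employees x $500 = $50,000.
# ASSUMED: one incident every 10 years (ARO 0.1).
PAYROLL_BEFORE = Scenario(asset_value=50_000.0, exposure_factor=1.0, aro=0.1)
# ASSUMED: a safeguard that limits each incident to 20% of the records.
PAYROLL_AFTER = Scenario(asset_value=50_000.0, exposure_factor=0.2, aro=0.1)
SAFEGUARD_COST = 1_500.0  # ASSUMED yearly cost of that safeguard
# Software tool from the discussion: $300 asset, 90% corruption per incident.
# ASSUMED: ARO of 1.0, used only so the scenario is complete.
SOFTWARE = Scenario(asset_value=300.0, exposure_factor=0.9, aro=1.0)


if __name__ == "__main__":
    print("software SLE:", sle(SOFTWARE))
    print("payroll ALE before:", ale(PAYROLL_BEFORE))
    print("payroll ALE after:", ale(PAYROLL_AFTER))
    print("safeguard value:",
          safeguard_value(PAYROLL_BEFORE, PAYROLL_AFTER, SAFEGUARD_COST))
    # ASSUMED range: an incident exposes 20% to 100% of records, most often 40%.
    print(simulate_annual_loss(50_000.0, 0.2, 0.4, 1.0, aro=0.1))
```

In the simulation most years lose nothing and the 95th-percentile year loses several times the mean, so the ALE alone understates what a bad year costs.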
-
When communicating metrics, it is important to remember that Baseline Defenses Coverage is not the only line of defense that an organization has. Looking through these numbers would frighten any executive who is being told that this firewall that they are spending a lot of money to maintain has flaws. They must be informed of the importance of having layers of security so that even if an attack breaches the firewall, it is prevented or detected in another way. Communicating metrics is a delicate conversation and using industry averages and numbers from outside trusted sources such as the Computer Security Institute is helpful for them to understand that the situation is not as bleak as the numbers initially may appear. Knowing best practices and what others in the industry are doing can help when deciding if paying for various baseline defense technologies is worth it to an organization.
-
Magaly,
Great McDonalds example. The most difficult thing in economics is to put a cost on the impact of a policy. For example, how do you put a price on carbon dioxide put into the atmosphere? The risks of burning coal are known but putting a value on it and selling it to an emerging country is a difficult thing because all they see is short-term profits, rather than long-term tragedy.
Similar to companies who don’t value the risks of IT. It may not end well.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
-
Information security is both a technical problem and a business problem in which both parties need to work together on establishing and solving. It’s a technical problem because the technical side knows that without a proper framework in place, a business can go down if it’s not well protected against threats from technology or other outside forces. It’s a business problem because management is a key stakeholder and needs to work with the IT team to figure out how to keep the business safe. Management has the business knowledge, such as revenue and access to resources to help with these projects. IT Security alone can’t be an IT issue because they can only go so far to try and mitigate these problems. The business side has to get involved so they know how to provide ways to maintain it.
-
Information security is a technical problem and a business problem. Since information is digitized to such a degree today, its security is in the hands of IT professionals. Their training and expertise is needed to properly secure data and to create safe and reliable methods to access and transport data. The IT personnel need to develop training plans to train employees how to properly control information security at their individual levels and how to safeguard data in their control. IT personnel need to constantly stay up-to-date on the latest threats to the security of data and to institute physical and software updates to safeguard the data.
Information security is just as much in the hands of the rest of the business too. Again, with the digital nature of data today, businesses have a key role to safeguard data. The data plays a significant role in profitability to both its business and its competitors. Employees need to be properly trained to safeguard the data at all times, and to understand the importance of the integrity of the data. If employees are not properly trained, or get careless, their actions can cause significant interruptions to a business to the point of halting operations and potentially even as far as bankruptcy.
Since information security is both a technical and business-wide issue, all employees should be invested with its importance. IT personnel can do everything possible on the technical side, but without employees doing their part in security the data can be lost, destroyed, or fall into a competitor’s hands. If employees have the keenest senses of security, but the IT personnel lack the ability to institute proper protocols and security measures, data can be just as easily lost, destroyed, or fall into a competitor’s hands. Information security is a technical problem that the entire business must properly understand and address collectively to properly safeguard.
-
I agree with your opinion. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in insurance premiums. A secure organization can use its security program as a marketing tool, demonstrating to clients that it values their business so much that it takes a very aggressive stance on protecting their information. Therefore, the company should combine the technical problem and business problem.
-
I agree with you. The company should provide security training for IT staff now and forever. Because management does not understand technology, they are not in a very good position to judge a person’s depth of knowledge and experience in the field. Decisions are often based on the certifications a person has achieved during his or her career. Many certifications require nothing more than some time and dedication to study and pass a certification test. When IT staff meet new technology, they will figure it out; however, a strong security posture requires significant training and experience. In addition, very few organizations have a stagnant infrastructure; employees are constantly requesting new software, and more technologies are added in an effort to improve efficiencies. Each new addition likely adds additional security vulnerabilities. (CAIS CH1)
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. If the company loses important data, it will lead to a business problem. When we implement any security mechanism, it should be placed on the scale where the level of security and ease of use match the acceptable level of risk for the organization. For example, employees can easily copy data from the devices to their home computers before the devices are returned. It can easily lead to a data leak. If the employees leave their position, they may take the important information to a competitor company. So the problem is the technical problem and a technical problem. The company should investigate employees’ background before recruiting, and it is important for an organization to establish policies outlining the acceptable use of these devices as well as implement an enterprise-grade solution to control how, when, or if data can be copied to them. Using some products can protect against this type of data leak, such as DeviceWall from Frontrange Solutions and GFI Endpoint Security.
-
2. Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is not solely a technical problem as it involves not just technical glitches but also the intention of the intruder. More than considering Information Security as a technical problem, I would consider it as an ethical issue where people tend to misuse the privileges for financial gains or getting proprietary ideas or are just ignorant of the best practices or want to try new things out of curiosity, endangering critical and confidential data. It is a business problem as security of the confidential data or PII is important for the reputation of the firm and also building trust with the clients. If a company loses its credibility, it loses its business.
The employees, whether current, former employees or contractors, who have the knowledge about the company policies, processes, procedures and technology can exploit this knowledge to provide the information to external attackers for gain or they themselves can facilitate attacks or accidentally reveal information to potential attackers. A company can have the best infrastructure in place with the latest and the costliest security controls and still be a victim of a data security breach because of one user who forgot to lock his machine while going for a break or by an employee who decides to save the PII content on his personal desktop which does not have the same security policies and is exposed to malware and information theft.
Yes, it is a technical issue with open ports available or no latest update on anti-virus protection in place which makes the system vulnerable to threats, but more than that I think it is the human factor involved here that can make a difference. So everyone in the organization: management, IT department and employees should make sure that they are compliant with the organization’s policies and make an effort to make sure that their machines are compliant too. The management should educate its employees about the consequences and take necessary steps to mitigate the risks involved and thus provide a secure business to the client that they can rely on.
-
Question: Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical and a business problem. First of all, the information security of an organization requires some basic technical devices like hardware and software to protect the information assets. For example, in order to prevent unethical hacking or unknown internet attacks, a firewall is necessary for the core servers. Besides, the antivirus software on each PC in the organization also needs technical support. From this perspective, IS is a technical problem. Moreover, IS is also a business problem. For example, according to the Sarbanes-Oxley Act, Section 302 and 404, the management of an organization must take the responsibility of the Internal Control System in writing, and disclose the effectiveness and weakness of the organization’s internal control in the ICS report with confirmation from an external auditor. After the accounting scandals in several major public corporations like Enron and Worldcom, the importance of the control environment and internal control of an organization was enhanced. Furthermore, a weak information security system may cause a huge loss of a company’s information assets. For instance, without the data backup and disaster recovery plan, the organization may lose all information about contracts, orders, and clients’ personal information by the damage of core servers. Therefore, information security is both a technical and a business problem.
-
In an organization, both the technical and business problems of information security must be solved.
Many businesses believe that by implementing secure infrastructure and utilizing security tools such as firewall, IDS and antivirus programs, they can create a secure organization. However, the security chain is as strong as the weakest link, and the weakest link in the IT security chain is the employees. Security is a process; all security products are as secure as the people who configure and maintain them. In order to get the most effective result from implementing a security tool in an organization, IT strategy should be aligned with business strategy. For example, IT professionals mostly focus on the technical view of security, and the management mainly focuses on revenue, profitability and ROI.
IT professionals should implement the technical infrastructure in a cost-effective manner that would be beneficial to the organization.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a business problem that must be solved by an organization but it requires adequate technical support by the information security manager. A business needs the proper security in place to manage business risk and mitigate intrusion. The organization could face a huge risk of data breach if it does not maintain a clear perspective of all areas of business that require IS protection through collaboration with other departments.
According to Computer and Information Security Handbook By John R. Vacca, “through collaboration with all business units, security manager must work security into the proves of all aspects of the organization, from employee training to research and development. Security is not an IT problem, it is a business problem.”
-
I agree with you, Neil and Wenlin. Every business is different and thus the threats it will face are business dependent. That is why it is necessary for security team members to understand the business processes in order to formulate risk analysis and form a secure IT framework.
Also, as rightly pointed out by Wenlin, robust security can be used for marketing. Acquiring certifications and being compliant with global standards increases the brand value of the company. By adhering to the standard, the company follows best practices and that helps gain trust from the users.
-
Information security is not just a technical problem anymore. It is a technical and business problem that the entire organization must frame and solve. Data breach has become a significant security risk to all businesses. I have done a case study of the Home Depot data breach in 2014 which could be the largest breach after Target. They detected the crisis after 6 months. 56 million cards’ information was stolen and they lost at least $62 million. This is also an example of what might happen if organizations didn’t pay enough attention to their information security. Data breach is only one risk of information security and it can’t be protected only by the IT department. Information is one of the most important assets in a company and many people have access, therefore it is hard to control and protect. Usually, many executives believe “information security” is the same as “IT security” and is therefore the responsibility of the IT manager. This belief might explain why the question “Is our information secure?” is often answered with “Yes, we have firewalls.” The lack of incentives for businesses to invest in cyber security and lack of understanding from business about the nature of information flows play an important role in this. If any organizations want to completely protect their information, the whole organization needs to be aware of the threats and look beyond the risk. Therefore, information is a business problem more than a technical problem now.
-
Question 2
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
In my opinion, information security is both a technical and business problem that an organization has to frame and solve. Information security, as most know, is the practice of protecting information from those who do not have authorized access. While the concept might sound simple, protecting information can require a great deal of technical skill since most information today is kept and transferred via computers and networks. Due to this, positions such as Chief Information Officers, Security Directors, and many others require employees to have the technical knowledge to prevent access to this information. What makes this a business problem as well is that information security is only as good as its weakest link, which in this case is the non-technical computer user within an organization.
In protecting information, there is one limitation, which is those who have authorized access to the information. Since you can’t restrict everyone from having access to that secured information, those who want to steal information generally take advantage of those who have this authorized access. This is often done through phishing scams or having susceptible users download malware. Regardless, since these authorized users have access to information but don’t necessarily have the technical skill to best protect valuable information, they are often the avenue that those trying to steal information go through. Even despite an organization having a well-designed IT policy, these users most of the time do not follow these IT policies and don’t care to understand the risk since they are not “technical”.
With all that being said, information security is certainly both a technical problem and business problem. You need to have technically skilled employees who have the computer and network knowledge to protect information from a wide range of attacks as well as create certain policies that prevent attacks. On top of that, there needs to be education and enforcement of these policies, making sure that even the least technical individual who has authorized access to information knows the importance and consequences of not following the IT policies.
-
Information security is an everyone problem. Everyone at every level in an organization must work together to protect the information of an organization. A breach could come from anywhere in the organization, from a physical breach to the building, to a phishing scam, to a port breach. While protecting the information of an organization often times has a technical solution, that does not make it just a technical problem. If a breach occurs, it does not matter how the breach occurred, the entire organization will suffer as a result. Because the breach can come from anywhere, the entire organization must frame and solve the problem of protecting the information assets it possesses. The information that can be lost can affect the organization in a number of detrimental ways, reputational damage, competitors gaining proprietary information, using organizational resources for nefarious activities, and more. The entire organization must create a plan to define what they see as the highest risks and the most important to be addressed and a plan to address the risks. IT is used as a means to address many of these risks, and they will work together with the business to address them, but they alone cannot secure all of the organization’s information. Business processes must also be in place to secure the information and protect the organization from breaches.
-
I agree with Shahle. In the company security link, there are a lot of ways to protect information safety by computer programs and employees. Like Vacca said in Computer and Information Security Handbook, “Security is not an IT problem, it is a business problem.” An IT problem can be solved by computer, but a business problem needs to be solved by money and people. Companies spend money and time training their employees in order to decline the risk of the security.
-
I agree with Binue in thinking that information security is an ethical issue. In fact, employees following the company framework are like government staff following the country’s rules. And under a complete system, there are a lot of rules to limit the staff in order to decline the safety of a company. Employees may disclose confidential information carelessly or on purpose for benefits, and the company will pay the loss. So it is a business decision that the company needs to have a basic cost to improve their employees’ ethics.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a business and a technical problem. The organization must solve information security because it will cause many internal problems, such as data breaches. In order to decline the risk to organization safety, the organization should be training their employees about the information security aspect, which is not just an IT behavior at all.
-
Information security primarily being just a technical problem is indeed a myth. It all dials down to human behavior. The core security issue is that the computers were created without a thought to security and the computer users are unsophisticated but the people breaching security are very smart.
The role of IT from being in the basement as an “engine room” has changed and information/data has taken up the role of a business enabler. The value of a firm is in its data: customer details, product information, financial information’s CIA (confidentiality, integrity and availability) should be protected; failure to do so may result in legal repercussions & loss of goodwill in the market. Information is now the engine of global enterprise and information security should be viewed as a business problem and it should be a significant part of an organization’s overall enterprise risk management.
In addition to proper employee training, an organization’s information security must be aligned with its business goals and strategy.
-
Information security is both a technical problem and a business problem; however, it is not necessarily a mutually exclusive argument. That is to say each individual security related event will always be a business problem, but not all security events will be a technical problem. Security can be compromised by a myriad of internal and external factors, some we can control while others are outside of any one human’s ability to control. While it is everyone’s responsibility inside the organization to be aware of and follow the policies and procedures put in place to minimize the vulnerability to a malicious attack, there are certain events that can occur that no level of technical preparation or expertise would be able to prevent. For example, while it is critical to examine components such as environmental risks when creating a business continuity plan and determining where your most business critical information should be housed, there is no guarantee that anyone can provide that there will be no force majeure to impact the datacenter location. As we all know, in recent years, while we can do our best to predict where certain natural disasters can occur, the list is not exhaustive and definitive. Year after year additional exceptions are made and added. Therefore security risk can be strictly a business problem, but can never be strictly a technical problem because the analysis is always how it impacts the overall business.
-
Good point that the employee may become the weakest link in the IT security chain. Information security is a complex problem which is related to both technical and business. As you mentioned about the security process, IT professionals and the management sometimes focus on different strategies. Indeed, the technical tools like hardware, antivirus software, and firewall may cost a lot as a basic support for the IT security, but management should also realize the significance of protecting information assets instead of thinking the IT protection is wasting money. Therefore, I think employees and even management need to take training about why the information asset is so important for an organization and how to enhance the IT security.
-
Sean, thanks for the post. I think that people are the weakest link in any security program. Even the right technology (hardware or software), if not configured or implemented correctly, can cause business disruptions. Like you have mentioned, IT personnel must stay abreast of all current attacks, vulnerabilities, and technology to become of any value to a company. There is no doubt that lack of training and awareness is a contributing factor with data breaches, but I don’t think it’s enough. Information security requires a certain mindset and a belief that nothing is ever completely secure. It requires a tone at the top, an organizational culture that is security sensitive. For example, how many times have we sat through cyber security PowerPoint and web applications that tell us not to open emails from unknown resources? Yet, a good amount of malware that is present in an organization’s network can be traced back to just that. Without strict enforcement of a company’s policies, I believe that people just go through the motions.
-
Information Security is both a technical and a business problem that an organization must frame and solve. It doesn’t matter if you’re in IT, HR, or customer service. The information that you access to carry out your duties is the responsibility of the entire organization. IT (Technical) has the responsibility to secure that information within the bounds of the organization’s security policies. Their challenge is to provide a balance between security and accessibility. Even if IT has the resources and knowledge to employ all the latest and greatest security technology, it does not guarantee a 100% secure IT infrastructure. Intrusion Detection and Prevention Systems are only good for known vulnerabilities and cannot prevent Zero day attacks. In an effort to improve efficiency, companies will add new software and applications which add new vulnerabilities to their security program.
Cybercriminals are far more sophisticated and persistent at finding new ways to exploit vulnerabilities with any given technology. If they can’t attack the system directly they will go to the next best thing, the people. People are the weakest link in any security program. They can be the victims and the perpetrators of adding malicious components into an organization’s network. Phishing, malware, and viruses can be added to an organization’s network by unknowingly clicking a link in an email or downloading a Word document.
The organization must create a security sensitive culture that enables collaboration between IT and its businesses. Technology can be implemented, but people need more than training and awareness. People need to be encouraged to practice security controls set forth in policies and processes. Having a policy is meaningless unless it is enforced and this has to be set from the tone at the top.
-
There is no doubt that information security is both a technical and business problem and everyone should be responsible for it.
From the technical view, physical protection is greatly needed, and proper information protection infrastructure ought to be established, such as firewall, encryption, and identification technology, so that valuable information within the organization is only accessible to the authorized group, even though it would add extra steps to the process, which may lead to certain inconvenience.
From the business view, a favorable security environment is very helpful to strengthen awareness and attitude of personnel toward information security, complements professional training to prevent both intentional and unintentional information leakage. Besides, based on existent resources, after assessing risk and balancing return and costs, how to formulate a most favorable information security strategy is also a critical issue from business aspect. So, it is clear that information security is a multifaceted problem.
-
I agree with Binu. This is a very good example to show how information security is not just a technical but a business problem. Regarding the example which you gave about the current and ex-employees of the organisation, I would like to add one more thing to your point.
It is important to keep the entries of the present as well as ex-employees up to date in the risk register. For example, if an employee leaves the organisation, the status of the employee should be changed in the risk register so that there are no more access privileges available in the name of that employee. If the risk register is not updated, it can be a big security issue for the business as anyone can use the access rights to fetch information. This can be a big loss to the business if any important information goes into the hands of an unauthorized person.
Many organisations fail during the audits as they don’t keep their risk registers updated. -
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. The IT security technical team ensures systems and network security through fortifying operating systems, firewalls, authentication and authorization systems. The business side should be concerned with the human factor that may impact the company data. The business should have proper controls in place for data access and handling. The business develops policies for data access, levels of authorization, and processes for data handling, in addition to business continuity planning in case of a data leak. The business should be concerned with user education to prevent data leakage due to user error.
https://www.weforum.org/agenda/2015/03/why-information-security-is-not-just-a-technical-problem/ -
I believe that information security is both a technical problem and a business problem.
Information security is a kind of IT issue. In terms of risk, all enterprise risk is related to IT. There are about 6 kinds of enterprise risk, and they all have an IT component, like operational risk (the financial industry in the Basel II framework), credit risk (poor IT security), strategic risk (enabler of new business initiatives), etc. IT risk should be treated like other key business problems. As business managers determine what IT needs to do to support their business, and the use of IT can provide significant benefits to the enterprise but also involves risk, IT issues are important; if an IT risk occurs, the failure of business objectives does as well.
The entire organization must frame and solve it. -
Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (VACCA) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; “firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data” (pp9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees’ access to data can potentially be dangerous for a company especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why in addition to being a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks. -
I agree with Wenlin. Good point raised. I have seen this happening in one of the organisations I have worked with. Not only employees but interns who were not permanent were allowed to use personal USB drives on their office laptops and computers.
In one incident an intern was caught copying some important official data from a project onto his personal USB drive. So this is a big security concern, for which personal devices should not be allowed on the premises of the organisation.
-
Rightly pointed out, Shahla. But just to say your point in a different way, employees are not the weakest link; rather, they can be the weakest link in an organisation if the organisation doesn’t have good security policies and standards.
I would like to quote an example to explain my point. I would differentiate the experiences which I had with two of the organisations I have worked with. In my first organisation, security policies were strong and employees were not allowed to enter the premises of the organisation without their IDs or with any kind of personal devices such as pen drives. For this reason the environment was secure enough against any kind of security breach that may lead to data leakage.
On the other hand, at one more organisation I have worked with, there were some interns who were temporary, and for the three months they worked, they were not issued any IDs. They used to enter the office zone by just making an entry in the register. Also, all the employees were allowed to bring any kind of personal devices. In this way, due to weak standards and policies, this organisation was vulnerable to any kind of security breach from the employees’ end. -
I agree, IT in general is merely a set of tools used to make business processes run quicker and smoother. IT itself can never cause any harm or damage to the business. It is usually the human operating the IT systems who will cause harm. As you mentioned, employees who are negligent towards IT are one of the main reasons for data breaches in an organization. This can be avoided by fostering proper IT awareness and culture within an organization. This will tremendously reduce the risk of IT failures internally.
On the other hand, in order to avoid external breaches, the employees responsible for IT within an organization should always be aware of their own IT systems’ security. They have to constantly update and audit their own systems to prevent external intrusions.
-
I agree. It is crucial to have the entire company invest in Information Security. There needs to be a cross department collaboration to successfully implement the company’s Information Security plan. It definitely is a technical issue as well but that is part of the company’s plan that directly affects the company’s business and the ability to conduct their business most efficiently.
-
I agree with Mengxue, Information security is a technical and a business problem. Information security problem such as data breach will cost company not only just economic loss, but also the company reputation. You said Information hard to control and protect due to people can accesses it. It is very clearly to show company managers should pay more attention to this part and need to spend more to decline the risk, that`s why we said information security is not just a technical problem but also treat as a business problem.
-
At the two companies I have worked for, all employees (in all departments) were required to take training on “Safe computer use”, IT security, etc. The training went through many of the same things as the video and had the same corny jokes too haha! It was definitely needed though and I think it definitely did help a lot of the employees that were not in the IT department. I think along with this, putting controls in place to safeguard and make sure that employees are practicing what they were trained on is important to success.
-
I agree with your opinion that information security is related to both technical and business problems. You mentioned the potential risk of information leaks because of authorized access issues. If management barely has a basic understanding of technical operations, they might underestimate the importance of protecting information assets. Without an effective control environment, the organization may be hacked through ineffective information security protection, which may cause a huge loss for the organization’s information assets.
-
Good point on mobile device management (MDM). Indeed, mobile devices carry potential risks of data leaks, including personal information or even sensitive business documents. If a mobile device with internet connection information is stolen, a remote attacker may gain access authority, replace the firmware on a device like a router, and take complete control over it. Therefore, MDM is very important to enhance information security in an organization.
-
Paul,
I completely agree with you. I would say that information security is both a technical and business problem. The two entities overlap in many instances within an organization and must join together to frame and solve the information security problems at hand. Even though in some instances the issue may start off as a technical issue, eventually it will protrude/evolve into a business problem, and vice versa.
An example being:
-leaky repositories: firewalls are implemented to prevent intrusive hacking, yet information doesn’t only live in the digital environment but also in the business environment as a hard physical copy. -
Laly,
Exactly. While physical copies of information might not be as easily accessible, they are still controlled as well with physical security. For large organizations, you have security monitoring who enters and exits the buildings as well as file rooms where the entrance to the room is locked by each department. Not only that, many companies try to implement a clean desk policy where all important information should be stored and locked when not at the desk. In fact, when I worked my Internal Audit internship, two of the auditors performed a walk-through of the building to just see what exactly they could find that was out in plain sight. Unfortunately, too much information was left out in the open and corrective actions had to be made. This is another example of how securing information is not only a technical problem but a business problem as a whole.
-
Paul,
You bring up a really good point that all information security is a business problem but not always a technical problem. You provided the example of a non-technical problem that can affect information security being how a natural disaster can affect a data center. Another example could be that a disgruntled worker who remains working for the organization and has access to information decides to steal that information, either to sell it or to damage the organization. No amount of technical knowledge could identify who is a disgruntled worker or not; therefore this would fall under a business problem.
-
Great post, Tran!
I completely agree with you that if the latest and best security technology is being employed, it does not mean you are 100% safe. The technology that is new now will become old and obsolete one day soon. Companies need to keep an eye on zero-day attacks because they are hard to detect even with the newest security.
When I was taking the cyber security class, I was taught that “people” are the weakest element because they like to click on insecure emails or websites and increase the probability of getting hacked. Only training sessions can really help people learn how to protect the organization from malware and viruses.
-
Information security is a technical problem and a business problem; every individual must be involved with the solution.
The technical problem lies with the equipment and network infrastructure. The proper system configurations, authentications, policies and security must be checked and tested on a regular basis to ensure proper functionality. It is a business problem because the business reputation is on the line. The business must protect all sensitive information to give, not just the shareholders, but also the stakeholders peace of mind. A security breach could ruin the reputation of an organization and raise doubt when using technological equipment from the company, from an investor, employee and customer aspect.
We can’t be passing the buck or keep saying, “it’s not my problem”. One of my favorite quotes from a movie is, “Information is the most valuable commodity in this world”. I may not agree with the character who said this but I do agree with the statement. Information is very valuable to many people and it needs to be protected by technological and business best practices.
-
Haozhu,
I strongly agree with you. There is a need of managers to proactively include information security in their risk management plan and make sure it is aligned with the organization’s objectives.
-
Ahbay,
I completely agree with your point that the human factor is one of the biggest issues for information security. Every business is different, so an organization’s security needs to align with its business goals and strategy. How to defend information from a data breach is a technical problem. However, if the company loses its most valuable data, it will lead to business problems such as loss of revenue, reputation and goodwill. The company should invest heavily in internal training for unsophisticated employees, or the company can run background checks before recruiting to ensure the employees have basic security training and knowledge.
-
Yu Ming,
Yes, and in addition to training and workshops, I firmly believe that there has to be a mechanism in place that checks if their training is updated, and in order to keep the employees updated, there should be a half-yearly or even quarterly security workshop set up by the IT team.
-
Rightly pointed out, Amanda. I too believe that it all comes down to human behavior. Even though an organization implements the highest security standards, if the employees are ignorant and are putting passwords on sticky notes, then there is very little standards and policies can do.
In my internship experience, even a top level executive had a habit to put his NetSuite ERP access information on his keyboard. And I agree, the mindset has to be changed and employees need to realize that not just the company’s information is at stake, it is also going to affect their identity.
-
Paul, that’s a great point. I’m glad you guys agree with my stance. I think that it’s very easy for people that work in IT to start viewing things with tunnel vision when it’s absolutely critical that they keep an open mind and think outside of the box when analyzing problems or trying to determine where their vulnerabilities may lie. This is why social engineering is always a big part of any penetration testing that I sold through Verizon. It’s also definitely one of the most interesting subtopics under the overall umbrella of IT/IS Security posture.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?
Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose?
-
In my opinion, ITACS students do represent information security vulnerabilities to Temple University, and Temple represents information security vulnerabilities to ITACS students as well.
Based on the readings, information security vulnerabilities can be found anywhere, in anyone, and at any time. First, Temple students can access secured and sensitive information more easily through internal means. For example, an ITACS student studying at Temple University has some access passwords and codes for some rooms, software and public laptops, etc., so he could steal some sensitive information of Temple University by accessing it from the internal network in these ways, and Temple would lose its secured and sensitive information because this ITACS student uses an internal way, rather than the external way that outside people use, which is harder. Second, the trust from a professor would also be an information security vulnerability. If a person has the trust of a professor, the professor may behave negligently by allowing this student to access some accounts which students are not supposed to access. For example, if a professor wants to show something through his account and the student is there watching the professor access the account, the professor may act negligently by typing his account name and password in front of this student, and the account may be stolen easily. Third, students or professors may behave badly and collude with classmates and friends to steal information from Temple University. The possibility of this is tiny, but I think it can also be considered an information security vulnerability to Temple University.
In addition, Temple University also represents information security vulnerabilities to ITACS students in several ways. First, Temple University experts who control sensitive information of students and colleges may behave negligently and make operational errors that expose information. Second, upper management of Temple University also has a possibility of behaving badly if the person is angry and criminal. Third, a change of MIS department dean or upper management may also bring some information loss and errors, because if the previous management person left, he may not have passed everything (information, account passwords, or secret system controls) to the new person.
-
ITACS students and Temple University both represent information security vulnerabilities to each other. Temple University stores Personally Identifiable Information (PII) of each student, which includes grades and financial information, and in some instances health-care information. A data breach at Temple University could target students’ social security numbers, personal banking account information, and medical information if a student is enrolled in a university-sponsored plan. Temple University stores large amounts of sensitive information about students, which creates an attractive target for cyber criminals. Medical identity theft is a growing exposure for Temple University because medical information is more lucrative than financial information. Not all students enroll in the sponsored plans; some do, and others may use a medical service during their tenure at Temple. Students trust the university with sensitive data, which poses a risk to Temple because it is now responsible for safeguarding the data.
While Temple represents vulnerabilities to students, students also pose security risks to Temple. The university must create a tuportal account for every enrolled student, from which campus computers and many other university services are accessed. There are over 30,000 students at Temple University, not including faculty and staff, which is a lot of accounts to monitor. Any student can find a flash drive on the ground, and then immediately connect it to a campus computer to download documents. Flash drives can contain viruses and malware that can potentially spread to the network from a single access point. Prevalent use of removable storage is an important security vulnerability to Temple. Students can also access file attachments through email on the university network. If an attachment is infected with malware, it can now spread to the computer and then the network. It would be difficult for Temple to limit access through the network because many departments rely on online software, require students to submit work online, and need to access data themselves. The same methods that are used to augment student academics also increase security vulnerabilities. -
I think everyone at Temple University represents information security vulnerabilities to Temple University. In fact, ITACS students and regular students do more than sending emails while on the Temple internet connection. Even though the university blocks some sites, it does not stop students from going to insecure sites. I have been seeing some students shopping on the school computers. Somebody can voluntarily or involuntarily download a virus onto the computers or the network.
Also, the laptops in MIS labs in rooms 602 and 603 are not really password protected as everyone knows the password. The only real credentials you need are your TU access username and password for the Wi-Fi. Once again an ill-intentioned individual can take advantage of this system. He/she can do bad things without being traced.
Temple University and its third-party partners can represent information security vulnerabilities for its students. What will happen if someone can hack the university system? In fact, some students have received phishing emails asking them to provide their passwords. The University system contains a lot of sensitive information like medical records, payment information… If there is a data breach, more than 30,000 persons will be affected. -
I believe when we are entering into any account, we might have lot of people around and we do enter our credentials in front of them. That is the reason why passwords are masked.
I agree with your point that eavesdropping can happen. Hence being alert while handling sensitive data is important. -
ITACS students represent vulnerabilities to Temple university and vice versa.
Both entities have access to confidential and restricted data of each other.
Vulnerabilities that students bring in:
1. The university provides wifi to all students. The laptops and mobile phones via which they connect to wifi are a door for hackers to plan wireless network attacks, e.g. denial of service, man in the middle, eavesdropping on the wifi. If data is not encrypted, the payload is exposed and a sniffer can capture emails, passwords, etc.
2. Students have access to confidential university data. If a student does not follow basic security practices, university data like the university intranet, contacts of faculty and other students, and university news and events details is under threat.
3. Students have access to course work, assignments, lectures, and PowerPoint presentations, which are IP of the university.
4. Students can bring in visitors, and if visitors have malicious intent, they can cause harm.
5. If students use illicit software to develop university software, it can cause huge damage.
How is student data vulnerable while it resides on university servers?
1. University servers can be prone to data attacks on which student confidential and restricted data resides. Ex. student personal identifiers(SSN,address, contact numbers), financial details like bank details, transactions etc.
2. Student grades, resumes, photographs, medical information is also with the university. Data is present with the university not only in digital format but in form of paperwork which is easily vulnerable.
-
Am I the only one not being able to enter answer to other questions?
Anyways below is questions 2 and my answer :
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (VACCA) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; “firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data” (pp9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees’ access to data can potentially be dangerous for a company especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why in addition to being a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks. -
I agree with Priya, Temple represents information security vulnerabilities to students because they have sensitive data, such as social security or bank account numbers, about us. Should a data breach happen we will all suffer consequences.
-
Said made a good point here. The Temple University system doesn’t seem to be well protected and I’m not sure all students are aware of the importance of information security. I personally went a couple of times to the computer lab and witnessed students watching movies on third-party websites, shopping or networking on social media. Logically, one would think that an ITACS student is aware of information security and should be careful. However, that is not always the case. Human beings can be negligent and this is why students represent information security vulnerabilities to Temple.
-
Good point Alexandra. While doing activities like online shopping or online banking, a cross site request forgery attack can be launched. CSRF is combination of social engineering along with.
It becomes easy to launch CSRF attack when user session cookie details are stored. ex. IP address or credentials. The server will not know if it is a forged request.
Sometimes an attack can be launched with a hidden image which executes while the page is loading. The user does not understand the difference. If credentials are already stored by the browser, it becomes easy to authenticate.
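The point in the comment above, that the server cannot tell a forged request from a genuine one when the browser attaches the stored session cookie by itself, shown as an added example that is not part of the original comment. The handlers, session store and addresses are constructed for illustration; the hardened handler assumes a per-session synchronizer token, one common mitigation.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session state.
SESSIONS = {}


def login(user):
    """Create a session and return (session_id, csrf_token)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {
        "user": user,
        "csrf": secrets.token_hex(32),   # secret the site embeds in its own forms
        "email": f"{user}@example.edu",  # constructed sample value
    }
    return sid, SESSIONS[sid]["csrf"]


def change_email_cookie_only(method, cookies, params):
    """Weak handler: any request carrying a valid session cookie is trusted."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401
    session["email"] = params["email"]
    return 200


def change_email_hardened(method, cookies, params):
    """Hardened handler: state changes need POST plus the per-session token."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401
    if method != "POST":
        # An image tag can only issue GET, so GET must never change state.
        return 405
    supplied = params.get("csrf_token", "")
    # Constant-time comparison; another site cannot read the token from our pages.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403
    session["email"] = params["email"]
    return 200


def browser_request(handler, sid, method, params):
    """Model the browser: the cookie jar adds the session cookie to every
    request to the site, no matter which page caused the request."""
    return handler(method, {"sid": sid}, dict(params))


def demo():
    sid, token = login("student1")
    forged = {"email": "other@example.net"}  # sender does not know the token

    # Cookie-only check: the forged request looks exactly like a real one.
    weak_status = browser_request(change_email_cookie_only, sid, "GET", forged)
    email_after_weak = SESSIONS[sid]["email"]
    SESSIONS[sid]["email"] = "student1@example.edu"  # reset for the next checks

    # Hardened check: forged GET and forged POST are both refused.
    forged_get = browser_request(change_email_hardened, sid, "GET", forged)
    forged_post = browser_request(change_email_hardened, sid, "POST", forged)
    email_after_forged = SESSIONS[sid]["email"]

    # The site's own form includes the token, so the genuine change succeeds.
    genuine = browser_request(
        change_email_hardened, sid, "POST",
        {"email": "new@example.edu", "csrf_token": token},
    )
    return {
        "weak_status": weak_status,
        "email_after_weak": email_after_weak,
        "forged_get": forged_get,
        "forged_post": forged_post,
        "email_after_forged": email_after_forged,
        "genuine": genuine,
        "final_email": SESSIONS[sid]["email"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```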
-
In my opinion ITACS students represent vulnerabilities to Temple University and vice versa. Temple ITACS students are vulnerabilities to the university because they are constantly logged into the system and are active users, and therefore their actions while on the system affect the university directly. The users’ ability to navigate through the web without domain regulations not only contributes to but enables threats such as malware, which may affect the computers’ operating systems and the protection of personal information. However, the students aren’t the only ones who provide vulnerabilities; the university has an abundant amount of personal files of its students and employees, which can be accessed through hacking and software breaches. Thus, the versatile vulnerabilities that are the result of ITACS students and the university are subject to human error. Human errors affect both entities as a whole and therefore they are both to blame for vulnerabilities.
-
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?
Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose?
I do believe that ITACS students represent information security vulnerabilities to Temple University and the other way round.
Some vulnerabilities that ITACS students may bring in to Temple:
1. Computer hardware that students bring in such as flash drives or laptops may contain viruses that could infect Temple’s system when the hardware connects to Temple’s computers or wifi.
2. ITACS students will eventually learn how to hack. A student may attempt to try their newly attained skill on Temple’s computers or sites which may or may not cause harm.
3. A student may accidentally download malware, spyware or a virus into Temple’s system when they visit insecure sites or click on suspicious links.
Some vulnerabilities that Temple may bring to students:
1. Temple University is a host to all students’ data and private information. Students can link their bank information in order to pay their tuition bills. Student personally identifiable information such as SSN, contact information and address is all in Temple’s database. This can pose as a target to potential hackers.
2. Temple employees who have access to all students’ data may not adhere to Temple’s controls and may perform activities that increase the risk of security threats.
3. Temple employees may also be negligent when handling students’ data. Wrong data may be inputted which may cause a chain reaction that can affect the student.
-
I believe ITACS students represent information vulnerabilities to Temple University; on the other hand, Temple University represents information vulnerabilities to ITACS students as well.
As Temple students, we have access to Temple’s wifi and computers. Everyone could possibly bring viruses to Temple’s network system when he or she connects hardware such as USB drives to Temple computers. This not only damages the computer that has the viruses, but it will also spread the viruses to other computers in the school because they are all sharing the same network. In addition, a student may accidentally enter a website when they click on links that they are not aware of. It is very essential that students have awareness of the websites they are viewing. In addition, one other vulnerability that students may bring into Temple University is that we all have access to Blackboard and the MIS Community site; students are able to download or make a copy of any documents that they have and share them with someone else who is not a part of the class or even not a part of the Temple community.
Of course, Temple University represents information vulnerabilities to ITACS students as well. Temple has not only students’ unrestricted and sensitive information, but also restricted information such as social security numbers, Temple University IDs, as well as billing information. The database in which Temple stores student information can be a major potential target for hackers.
-
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both? Explain the nature of the vulnerabilities.
The ITACS students represent information security vulnerabilities due to several reasons. The students connect different types of devices to network (Laptops, Cell phones) that may not be secured and potentially spread viruses, malware, smart dust, or BOTNET on temple network proper. Students access university wide network and applications from their personal devices, opening the door for data leakage in case student device is hacked. -
ITACS students are a great vulnerability to Temple University. Vacca points out that power users, in this case students who have just started an advanced program, may know enough to install software while ignoring security policies. Bad guys looking to exploit vulnerabilities will target these users to get access to a network (Vacca, 4). Unless all students undergo security training, some may not understand the significance of some policies that are in place. There have been times where Temple has had to send out mass emails warning of phishing attacks targeted at Temple emails, meaning that someone must have let something bad in at some point. Another vulnerability that students have is their passwords. Some students may make theirs very weak or save them in obvious locations. The requirement to change your password every few months may make Temple systems less secure as students may lean towards easier passwords. An article I read a while ago showed how a hacker may try to decrypt hashed password files by comparing changes knowing that the user is only changing theirs slightly (https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes).
Temple University is a security vulnerability to ITACS students as well. Large organizations are seen as more lucrative targets for cybercrime groups. Temple holds a lot of PII, and for some students, PHI, which criminals can sell for a profit. Students need to trust that Temple is taking all the steps to keep their information safe. Is Temple conducting background checks on IT employees? Are they spending money on security as a priority? Does Temple require IT professionals to continue to learn as the security environment changes? The real list that Temple has to do to stay secure is much longer than I can list here. The security issue is compounded by the multiple devices Temple must support. There are multiple buildings, multiple Wi-Fi networks across campus, and many new cellphones and tablets being hooked into the network every day. If a bad guy ever finds a way in, they can take a student’s information and exploit it.
-
Agreed. Bringing in visitors may be a big concern to Temple University, because these people may be your friends; however, people’s behaviors are hard to see clearly.
Software development is also a concern. Universities always develop new and professional students in the world. So if these kinds of students want to try their solution of their new creation, Temple’s internal internet and all Temple computers and laptops may result in risks.
-
You are correct that Temple students are a security vulnerability to the university. On the other side, the university is also a security vulnerability to students. Temple stores a large amount of personally identifiable information on its students, from social security numbers to payment information and anything in between. Because the university has so many students and faculty connecting to its network with various personal devices, the university must be more vigilant in protecting its information. While students can bring viruses and other nefarious software to the university, the university has a lot more sensitive information about its students that, if lost, would cost its students, and by result the university.
-
Your comment about larger organizations being more lucrative targets for cybercrime made me think about what a unique situation universities are in as opposed to other large organizations. In your average company the employees are supplied with the devices that they will use to connect to the organization’s network. At universities students all have their own devices. Even at organizations that have bring your own device policies, generally IT has some screening processes on the personal devices that are allowed to be used. The university has no control over what devices students are connecting to their network. They can monitor the traffic and prevent a student from downloading malware while on the network, but if the student picked up the malware while on another network and then connects to Temple’s network, Temple must have strong defenses in place to protect itself. Employees are also generally not downloading as many things from random websites on their work computers. People are generally more cautious with what they download onto their work computer than their personal computer. Since students are on their personal computers they may be less cautious with what they download.
-
As a student it is easy to see how your information is at risk and take that side. Priya, do you think that the university is more at risk with all of the students on their network or do you think that students are more at risk that their information could be stolen and held for ransom?
I just hope Temple practices what their Information Security professors teach. I hope that Temple invests an appropriate amount to keep their students’ data safe. I hope they invest in educating their employees and their students who are not in the IS field, and I hope they have cross-department collaboration on this effort because successful Info Security takes an “all-in” approach.
-
Hi Wenting,
I think you bring up some valid points as to how a data breach can be a problem with all the PII of students on the server. To go with that, restricting access to worker students is a huge issue too. For those say working in admissions, you need to make sure that access to PII is restricted from those student workers. Likewise, if students do have access to that information, you need to make sure that those student workers have the integrity to not steal that information or not be negligent enough to allow someone else access by not practicing standard computer security policies. A hacker can easily see a student worker as the weakest link and use them as an avenue to steal information.
-
I agree with you all. Not only ITACS students but everyone at Temple represents information vulnerabilities to Temple, and Temple represents information security vulnerabilities for all students as well because Temple stored our sensitive data in its database where it can be the target to hackers. Let’s say the “TUpay” got hacked, our payment card information including our account numbers or routing numbers may get stolen.
Temple should work with professors to offer workshops for students to learn about how to protect their personal information from being stolen at Temple.
-
Nice post Priya,
I just want to add some of my thoughts to your point 1. Temple provides wifi and printing services to all students. We can get access to the networked printing servers through Temple’s computers or our personal computers by sending email. It is easy, convenient and comfortable. However, the printer will store our documents on its hard drive, which can easily become a target for hackers. Some students even print their sensitive information at Temple. We often ignore and overlook the security vulnerability of networked printers. A hacker with malicious intent may hack the printing system if it is not encrypted.
-
Yulun,
Great post! It reminded me about an incident that happened in one of the dorms at Temple University. As you know, students living in dorms have access to “TURESNET,” which is Temple’s own network for its dorm students. One of the students had connected his Xbox or PlayStation to the network and he got into an argument with a player online. It turns out that the other player wanted to retaliate, and the Temple student’s IP was tracked and there was a series of DDoS attacks, which disturbed Temple’s network for a couple of days until they identified the cause. The student was not allowed to connect his Xbox/PlayStation to the network again.
This story was told by Prof. Larry Brandolph in the MIS intro class.
-
Ian,
Nicely pointed out. I think students are more at risk, and all personal or financial information might be stolen. I think these processes are not properly implemented and the network is properly secured!
-
Ian, I agree with Shahla
I also think that as students, we are more at risk.
The reason is that Temple has a database that stores over 30,000 students’ confidential data such as SSN# and bank information. If someone hacks into Temple’s database, then it will have a tremendous impact on students because all of their restricted information is stolen. In addition, Temple’s reputation will also be ruined.
-
Wow! Inspired me!!!!! My professor said in MIS 2501(Mart Doyle) before, you can always plug a cord to the internet of your apartment’s building and see what your neighbors do. Trust me, for majority (like 99% of our students and professors) are still good to trust!
Thanks for sharing!
-
I was going to bring that study up but see you already mentioned it. I’ve seen other studies conducted where the percentage was extremely high. The one I’m linking below shows that the Department of Homeland Security found 60% of ‘dropped’ flash drives plugged in. I think people see them as if someone dropped a wallet and want to check to see if they can find the owner by identifying the files on the drive. If it’s blank, it’s like picking up a lottery ticket. People who have never heard of these risks will just plug it in to check to see if they’ve won.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Below are all the questions for this week. Pick a question to answer, and go to that
Questions:
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both? […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
In this course you will learn key concepts and components necessary for protecting the confidentiality, integrity and availability (CIA) of information assets. You will gain an understanding of the importance and […]
-
David Lanter wrote a new post on the site Temple Univ. ISACA Student Group 8 years, 4 months ago
The IBIT Report – Threats & Opportunities in Geographic Information Systems (GIS) authored by ITACS Director David Lanter provides an insightful history of the development of GIS and related technologies, out […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 7 months ago
DoD is about to be under siege from hackers – and it plans to pay – New Department of Defense Bug Bounty kicks off April 18, by Michael Morisy, WindowsIT Pro, March 31, 2016
The military is seeking the help […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 7 months ago
Reading: Aircrack-ng Tutorial: Getting Started, I followed this tutorial, and Tutorial: Is My Wireless Card Compatible referenced, did some additional research and confirmed that my old LINKSYS WUSB600N was c […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 7 months ago
Readings: Microsoft’s Technet Library: How 802.11 Wireless Works, March 28, 2003. Provides a detailed overview of the elements of the IEEE 802.11 protocol architecture and associated technologies. The art […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 7 months ago
DROWN Vulnerability Still Unpatched by Most Cloud Services, SecurityWeek News – March 11, 2016
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) enables man-in-the-middle attackers to intercept, c […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 8 months ago
WireShark-Introduction: WireShark is an open source network packet capture, display and analysis tool that runs in many versions of Linux, UNIX, and Windows. It can be used to achieve many positive outcomes, i […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 9 months ago
It looks like I may be confused about what’s expected this week…
Reading: Metasploit Unleashed – MSF Extended Usage and Metasploit GUIs. This weeks’ reading introduced us to a broad range of tools and t […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 9 months ago
Reading: MSF Post Exploitation, Meterpreter Scripting, Maintaining Access This week’s reading covered a broad array of penetration testing techniques, tools, and capabilities available within the Metasploit Fr […]
-
David Lanter wrote a new post on the site Advanced Penetration Testing 8 years, 9 months ago
Reading: Metasploit-Unleashed: The Ultimate guide to the Metasploit Framework, Offensive Security
The Metasploit Framework is a stable platform for executing information security exploits providing a base for […]
http://www.securityweek.com/kelihos-botnet-triples-size-overnight
This article is about how a low profile botnet distributor, Kelihos, managed to infect over 34,000 computers by sending spam. Kelihos’ botnet was only affecting users in low numbers, but recently, it started to drastically increase and affect people by the thousands. It used something called Ransomware, a type of malware that infects email unless users pay a ransom to get back access. Since it has no targeted geography, it seems almost anyone can get affected. This is a major security issue because any email that doesn’t look threatening may pose a threat because it looks like a real company sent it. For example, if a user received an email from UPS and they open it, it could be fake if the user hasn’t ordered anything to be delivered. It is something we should look out for more carefully since some email accounts do not filter spam properly.
Kimpton Hotels was subject to a credit card breach at over 60 of their restaurants and hotels from February to July 2016. A high risk in the hospitality industry is the loss of customers’ data. In the past other breaches to hospitality companies have come from malware on the point-of-sale system. The malware for this breach, however, was installed on the servers that process the payment card information. They currently do not know what the source of the malware was. The most troubling thing about the breach is how long it took to identify. Because the hospitality industry is such a hot target for criminals looking to steal customer data and payment card information, companies must do everything they can to prevent and detect cyber breaches. Kimpton Hotels’ cyber security program failed its customers as they did not have vigorous enough protocols in place to prevent or detect this breach for 6 months.
http://www.infosecurity-magazine.com/news/kimpton-hotels-hit-6-month-card/?utm_source=twitterfeed&utm_medium=twitter
That is huge damage! As posted by Mandiant in 2015, on an average hackers spend 146 days on the system before the attack is noticed. This is a positive sign considering the average time of 205 days in 2014.
In the news you posted, the attackers probably used the data to exploit users. Mandiant has claimed that since 2014 the number of disruptive attacks have increased where hackers delete all critical business data.
The accident is supposed to have happened in May 2016 which was published around August 1st 2016.
Hacker Claims to have access to 200m Yahoo user records! Yahoo says they are investigating!
A hacker named Peace has claimed that he has access to 200m credentials of Yahoo users. The hacker confirmed with the Motherboard that he was selling these accounts privately and now they are on the dark web for sale. The cost of each credential is around 3 bitcoins that is $1860.
This dataset is from the year 2012 as per the investigations from Motherboard.
The verification:
Motherboard had around 5000 records that were tested. Most of the accounts (around 100) returned values that said that the account does not exist. This proves that the data is not current or accounts have been disabled. There is a possibility that the users must have changed passwords and hence the result.
What Yahoo says:
Yahoo has neither accepted nor denied the claim. They say they are investigating the matter to confirm.
What users must do:
Generally when accounts are compromised, providers ask users to reset the account passwords. Users must reset the credentials to be on the safer side.
Source : [https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web]
A Canada-based PoS (Point of Sale) vendor, Lightspeed, suffered a hacker attack on its central database which contained customer information. Lightspeed has more than 38,000 customers across 100 countries, processing transactions to the tune of $12 billion annually. As per Eduard Kovacs at Securityweek.com, Lightspeed stated that there was no evidence of information being taken or misused. Despite the central database containing sales, products, and customer information such as encrypted passwords and electronic keys, the attackers wouldn’t have been able to get the credit card numbers or other sensitive data due to the encryption technology in place. The card data is encrypted at the PoS and Lightspeed does not store the encryption keys, thereby preventing access to credit card info.
This could serve as an example of how having multiple types of control in place is beneficial in case of failure/breach of one control.
Original article at : http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach
I read the article: “Why Your Firm Should Demonstrate Information Security”. It was written by the Chief Information and Security Office at Dickinson Wright PLLC, Michael P. Kolb. The article described how law firms are finding an increase in audits and as a result how firms are starting to commit to information security. For Dickinson Wright, this commitment involves being ISO/IEC 27001 certified and three key steps: Inter-Departmental Cooperation, Educating Employees on the Importance of Information Security, and Developing a Proactive Approach to Information Security. The ISO/IEC 27001 was designed to: “preserve the confidentiality, integrity and availability of information by applying a risk management process while providing confidence to interested parties, particularly clients, that risks are being adequately managed.” The team was able to get certified and as a result Michael has already seen some of the payoffs. He has seen his company have increased inter-departmental support as well as an increased mindfulness among his employees regarding the importance of information security management. The firm is also better prepared to respond to audits and secure their data.
These issues tend to scare me. It reminds me of a 2015 story (to a lesser degree) that involved the US government being hacked of 21 million social security numbers. The government is now notifying and helping the individuals that were affected. The affected individuals have to do way more than the above Yahoo users. Just shows how important cyber security is these days. Everyone (including the Government) needs to invest more in the cyber field to secure their medical records, social security numbers, bank account info, etc.
http://www.usnews.com/news/articles/2015/07/09/more-than-21-million-affected-by-government-hacking
^here is an article that goes over what I was referring to. Thanks, Priya. Great article post!
Article: “Inteno Router Flaw Could Give Remote Hackers Full Access.”
According to this article, a critical new router vulnerability could allow “remote attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out.” Three models are confirmed to carry the potential risk of giving hackers full access to the system: the Inteno EG500, FG101, and DG201 routers. F-Secure believes that more models may have the same issue. According to F-Secure cybersecurity expert Janne Kauhanen, if the attackers change the firmware, they can change any rules of the router, which means the internet traffic flowing through it is no longer safe. But Janne also points out the importance of users keeping browsers and other software updated to prevent hackers from attacking the router. In addition, antivirus software can also prevent many malware downloads, which can also prevent hackers from gaining the initial foothold into the network.
Source: http://www.infosecurity-magazine.com/news/inteno-router-flaw-remote-hackers/
Thank you for sharing the link, Ian. I read the article and I think declining an attack would be the worst mistake. Even if there is a possibility of attack, organizations should alert the users so that they can take preventive steps.
ex. Changing the credentials so that the hacked data is obsolete.
http://www.technewsworld.com/story/83860.html
The article reveals how information security is important to the defense sector. The hackers have stolen more than 22000 secret pages pertaining to the Scorpene class submarine.
It’s a submarine which has been acquired as a part of a defence purchase by the Indian Navy from French defense contractor DCNS.
The defense manufacturer was expected to deliver the 6 submarines by end of year and there were definite talks within the Indian Navy to order more submarines from the defense manufacturer in the coming time.
But with the leakage of critical data the submarine manufacturer may lose its future contracts for submarine manufacturing from the Indian Gov as well as other countries like Australia who were thinking of purchasing the Scorpene class submarines from the contractor.
Article: “Modernizing Security”; Topic: Understanding an Organization’s Risk Environment
The clear business security issues were shown:
-Most employees steal proprietary data when quitting or getting fired from an organization.
-Nearly all employees are vulnerable to exploit kits.
-Four out of five breaches go undetected for a week or more. Some take up to a year.
-Just over a third of global organizations feel they are prepared for a sophisticated cyberattack.
-Generally, when an organization is targeted for attack, the attackers need only minutes to bring about a compromise.
-Most organizations lack the means to track and control their most sensitive data.
-Most organizations lack clear security guidelines, policies, and reinforcement through training.
It is time for each person to know that every action must be viewed through the prism of security, and activity must be conducted in accordance with defined, attendant, values and standards. Today, the organization must value security: it must train to, and perform to, specific security standards in direct match to the organization’s business, environment, risk, and related needs – actually in excess of those – being that risk is escalating all the time. Security must occupy a priority in new employee orientation, with updated refresher trainings, internal organizational newsletters, and addressal in various meetings and internal forums. Be aware that data security is not the sole-province of IT. It is the province of the organization.
Source: http://windowsitpro.com/security/modernizing-security
Synopsis of “Report on Cardiac Device Cyber Vulnerabilities Fuels Debate”
There is no doubt that technology has expanded to great lengths, especially in the medical industry. Researchers are working with pacemakers and implanted defibrillators that are as susceptible to cyber attacks as any new technology on the market. This article specifically talks about St. Jude Medical’s implantable devices that were “ethically” hacked by security research company MedSec. Instead of reporting the vulnerabilities to the manufacturer and the FDA, MedSec released the information to Muddy Waters Capital, which later short sold St. Jude Medical’s stock.
MedSec’s CEO explained that St. Jude Medical failed to correct known vulnerabilities of their devices and basically took matters into their own hands. They publicly announced that there were vulnerabilities, but the details were not revealed, leaving doubts in the public. Although MedSec did nothing illegal, they are criticized on how they went about reporting the problem and the legitimacy of their findings due to their ties with Muddy Waters Capital.
Source: http://www.databreachtoday.com/report-on-cardiac-device-cyber-vulnerabilities-fuels-debate-a-9365
Do you think that MedSec did the right thing?
The article I chose is about Dropbox and the lessons learned from the data breach they suffered 4 years ago. For those of you who were not aware, in 2012, millions of stolen usernames and passwords were used to successfully access some Dropbox accounts that had crucial information on individuals and businesses.
Following that incident Dropbox reinforced their information security. Below is a list of what Dropbox and users can do differently in order to protect sensitive data.
1. Never re-use a password
2. Change passwords regularly
3. Enable two-factor authentication or 2FA (which is an extra layer of security that, in addition to requiring a simple username and password, asks the user for something that only the user knows)
4. Never completely trust service providers (which means adopting a customer-first approach and having an open dialogue about security)
5. Take responsibility for data protection: users should be responsible for what they decide to store in Dropbox and not entirely rely on third party security measures.
6. Use data-centric security
7. Get visibility of enterprise data in the cloud: firms need to monitor and control the type of data exposed in the cloud
8. Monitor for anomalous activity: businesses, Dropbox included need to carefully monitor technology
As we can see from this article, users represent information security vulnerabilities for Dropbox and vice versa.
http://www.computerweekly.com/news/450303585/Lessons-from-the-Dropbox-breach
All of my information was captured in that OPM hack from my SF-86 data for my govt clearances.
“Creating a Risk Intelligent Organization”
This article discusses how many businesses have spent a lot of time building risk frameworks and processes to mitigate risks, but how they often fail from a lack of risk oriented culture. The author describes the importance of how risk awareness throughout a business’s culture, from the top to the bottom, is the most important part of risk control because as employees take a meaningful and committed approach to risk awareness it filters positively to their individual jobs and processes they have roles in for the business. Key elements of a “Risk Intelligent Organization” are given to provide a better understanding of the concept and to be able to identify a successful implementation.
The New Security Mindset: Embrace Analytics To Mitigate Risk
This article relates how security professionals have been working to find weaknesses in their system. According to the author Todd Thibodeaux, “fewer than half of information security professionals feel their organizations’ security is completely up to par”. In fact, businesses spent millions on their enterprise security. However, investing in infrastructure and security solution is not enough today. The mindset has been “think like a hacker to stop a hacker”, and yet systems are still vulnerable. IT leaders have to innovate and initiate a different way of thinking.
The new approach, according to Thibodeaux, would be “to properly analyze today’s networks to see where traditional security measures fail”. In other words, security professionals should conduct a deep analysis of their network and then analyze the results in order to identify key areas of risks. He also recommends that security professionals must figure out what makes their organization an attractive target and tackle cybersecurity from a data-driven viewpoint. The bottom line is to be as creative as hackers in order to protect networks and systems.
http://www.darkreading.com/analytics/the-new-security-mindset-embrace-analytics-to-mitigate-risk/a/d-id/1326812
The first point in the article is very important and why controls around terminating employee access are so important. When an employee leaves an organization their access needs to be disabled as quickly as possible to prevent them from taking as much proprietary information with them as possible. Most companies have a termination control in place that says something to the effect of ‘when a user is terminated their access is deactivated in a timely manner’ and every organization defines timely differently. One company I worked with went a step further with their termination control which I thought was very smart. They split out people who were leaving the company into two different groups, people who resigned and people who were fired. For people who resigned the termination control was that their access would be terminated within 2 days of them leaving. For people who were fired their control stated that the access would be terminated before the user was informed that they were being fired. They did this because they believed that users who voluntarily left were a lower risk than those who were being fired. They believed that users who were fired would be more disgruntled and therefore more likely to try to steal proprietary information before leaving.
Cyber Threat Grows for Bitcoin Exchanges
The article describes a recent hack of a bitcoin exchange of $70 million and the risks of bitcoin exchanges. The hack is the largest since 2014, when hackers stole $350 million from a Tokyo bitcoin exchange. According to the article, between 2009 and 2013 approximately 33% of bitcoin exchanges have been hacked, and 48% of bitcoin exchanges closed between 2009 and 2015. Many exchanges also allow customers to hold virtual currency in the exchanges, similar to traditional banks. Unlike banks, bitcoin exchanges are not required to purchase federal deposit insurance, leaving customers with little recourse to recoup lost assets.
Each loss is handled differently. In the hack referenced in the article customers lost 36% of assets on the exchange, and were compensated with equity in the parent company. The bigger the exchange, the larger target they become for hackers.
http://www.nytimes.com/reuters/2016/08/29/business/29reuters-bitcoin-cyber-analysis.html
This article explains how, this past Thursday, Apple fixed critical vulnerabilities in its Safari desktop browser and its OS X operating system. This security issue revealed that the iOS system let malware spy on and monitor a user’s phone calls and text messages. This flaw affected not only Safari on mobile devices but the desktop version as well, due to sharing the same codebase. Apple’s advisory stated, “Safari 9.1.3 bug could allow a hacker to execute arbitrary code on an unsuspecting victim’s Mac by tricking the person into visiting ‘a maliciously crafted website.’”
Unfortunately, this vulnerability became known when human rights activist Ahmed Mansoor’s iPhone was penetrated by hackers, who used the same hacking technique. Ahmed stated, “He received a text message from a cyber war company with a link to malware that would have jailbroken his handset and installed surveillance software”. If activated, Ahmed would have allowed NSO access to the phone’s camera, microphone, and GPS. According to Citizen Lab researcher Bill Marczak, “Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms”.
Conversely, due to Ahmed Mansoor’s willingness to share his story, he allowed Apple to make security improvements. Apple was able to fix the issue by improving how iOS devices access memory, as well as adding a reinforcement which prevents visits to malware-laden websites.
http://www.pcmag.com/news/347562/apple-patches-safari-os-x-flaws-to-prevent-snooping
Sensitive User Data Exposed in OneLogin Breach
This article is about a breach in one of OneLogin’s services, Secure Notes, which allows users to store sensitive information such as passwords and license keys. You would think that such a service would keep security its number one priority, but apparently a bug caused the data to be visible in clear text in OneLogin’s log management system before it was encrypted and stored in the database. Hackers were able to tap into this vulnerability and viewed the logs containing the information after stealing an employee’s password. 1,400 enterprises were affected, but OneLogin responded by limiting login access to limited IP addresses and resetting passwords.
Source: http://www.securityweek.com/sensitive-user-data-exposed-onelogin-breach
Kimpton Hotels Hit with 6-Month Card Data Breach
This accident happened between February and July 2016 and it was published recently. The hotel chain confirmed a credit card breach at its 60+ restaurants and hotel front desks. The details of the damage are still unknown. Kimpton said the malware was installed on its servers that processed credit cards. The malware, which is different from the normal Point of Sale malware, is able to track, read and record data from the magnetic stripe of a credit card as it was routed through the affected server. Also, free Wi-Fi is a profitable breach target because it is easy to install malware with low protection.
This control risk environment is very important for an organization, especially hospitality companies. They must deploy the latest developments in endpoint protection to protect their customers. Securing the web gateways that actually prevent breaches through the most advanced methods available to the industry today is also a very effective way to protect sensitive data.
http://www.infosecurity-magazine.com/news/kimpton-hotels-hit-6-month-card/
The news that I wanted to share for this week is related to the vulnerability of web-based accounts demonstrated by a Romanian hacker.
A former Romanian taxi driver was able to hack the emails and social media accounts of celebrities and political figures in late May this year. He gained access through weak passwords and then accessed their correspondence.
In this article password management is explained. It was mentioned that the authentication of web-based systems is weak, and he was able to access accounts from rural Romania to U.S. account holders, including revealing Hillary Clinton using private email.
In order to mitigate authentication risk, implementing a unique and strong two-factor authentication process and using a password manager are suggested.
http://www.databreachtoday.com/guccifer-hacker-sentenced-to-52-months-a-9379
Paul,
It is funny you mention this article because I was going to post the same incident. I can’t seem to find the episode, but I remember watching Bill Maher last season and he was talking about Hillary’s private server and how other high-level officials are using similar private systems for government business. The reason was mentioned by an FBI technology expert who suggested our government’s system is so outdated, it is more efficient to use a private network.
I am not an expert, but if this is true, will we ever be secure if we don’t modernize our systems and implement higher-level security solutions?
INCIDENT: All businesses that handle cardholder information are required to comply with PCI-DSS, the Payment Card Industry Data Security Standard. Despite implementing PCI-DSS, Hutton Hotel was notified by its payment processor of a possible breach compromising its customers’ credit card information.
According to the breach notification, “Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system.”
To make matters worse, customers’ payment card details had been compromised for more than three years, as the breach included payment card information of the people who placed reservations with the hotel from September 19th, 2012.
RESPONSE: Hutton Hotel is now using a stand-alone payment processing drive; they didn’t explain how that will be a better solution. Hutton Hotel is also working with the payment card companies to identify its affected customers.
MALWARE: Just like in the case of Hutton Hotel, POS malware has been targeting processing points inside the payment systems: the point where a card gets swiped, but before it gets stored, is where the data may be unencrypted. POS malware attacks have stolen card data before from POS retailers like Target, Michaels, Staples and even mom-and-pop shops. It is for criminals who are seeking the best returns with the lowest associated risk.
Source: http://www.databreachtoday.com/nashville-hotel-suffered-pos-breach-for-three-years-a-9381
Amanda,
This sounds like the POS malware that also affected Hutton Hotel on September 4th. After Hutton Hotel, Noble Hotel and now Kimpton, it looks like POS malware has gained popularity.
As I mentioned in my post, I believe that one of the reasons could also be that the risk for the attacker is low and the rewards are greater. Even back in 2014, over a thousand businesses ranging from big corporate retail stores to mom-and-pop shops were affected by Backoff, a POS malware.
Source: http://www.bankinfosecurity.com/1000-businesses-hit-by-pos-malware-a-7230
100 Million Accounts Stolen From Russian Web Portal Rambler
This article talks about how hackers stole the details of more than 98 million user accounts from Rambler, one of Russia’s largest web portals. For those of you who are not familiar with Rambler, it is like the “Russian version of Yahoo”, which offers web search, news aggregation, email, e-commerce and other services. Breach notification service LeakedSource learned recently that Rambler.ru was hacked on February 17, 2012. Interestingly, the data set was provided by the same individual who revealed that the 2012 Last.fm mega breach impacted at least 43 million accounts. Each record contains a username/email address, password, ICQ# and some other internal data. The passwords on rambler.ru were stored in plain text, with no encryption or hashing. The most common passwords found in the dump are “asdasd,” “asdasd123,” “123456” and “000000.”
I think Rambler should take responsibility for leaving users extremely vulnerable to hackers. It surprised me that Rambler still uses plain text to store passwords, like VK.com, which was hacked before this took place. Data breaches like these are extremely valuable to hackers because they can use the login details to try to log in to other services that users have accounts with. Most likely, it will be the same password, because we have the habit of re-using the same password for all the accounts we have. What I learned from this article is that everyone should have different passwords for different accounts, whether for work or personal use. The passwords that one sets up must be strong and unique. In addition, organizations should provide training to employees and make them aware of how risky it is to use simple passwords, or even re-use passwords.
Source: http://www.securityweek.com/100-million-accounts-stolen-russian-web-portal-rambler
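The storage-side fix for the weakness this post describes, as an added example that is not part of the original post or the linked article: passwords are kept only as salted scrypt hashes, and the common passwords quoted from the dump are rejected at signup. The function names and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# The most common passwords quoted in the post; a production deny-list is far larger.
COMMON_PASSWORDS = {"asdasd", "asdasd123", "123456", "000000"}

# scrypt cost parameters (assumed values; tune them to your own hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2**14, 8, 1, 32


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, memory-hard key derivation so offline guessing is expensive."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def hash_password(password: str) -> str:
    """Return 'salt_hex$hash_hex' for storage; the plaintext is never kept."""
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the common-password deny-list")
    salt = os.urandom(16)  # unique per account, so equal passwords differ on disk
    return f"{salt.hex()}${_derive(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, hash_hex = stored.split("$")
    candidate = _derive(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that re-use the same password.
    pw = "correct horse battery staple"
    rec_a, rec_b = hash_password(pw), hash_password(pw)
    print(rec_a != rec_b)                     # records differ despite the reuse
    print(verify_password(pw, rec_a))         # correct password verifies
    print(verify_password("asdasd", rec_a))   # wrong password is rejected
```

With records stored this way, a stolen table does not hand over working logins for other sites, although weak passwords can still be guessed offline, which is why the deny-list check sits in front of the hash.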
The article talks about malware designed for Android users that uses Twitter instead of command-and-control (C&C) servers for an Android botnet; it’s innovative and even harder to discover or block. The threat spreads through SMS or malicious URLs sent to its victims, and then may download malicious applications without the victims’ awareness, switch to a different C&C Twitter account, and cause disclosure of the victims’ information.
It shows how vulnerable personal information is; even our social accounts could be a breakthrough for hackers to access our personal information. Worse, for ordinary people, there are no effective technological methods to block such malware; all we can do, it seems, is be cautious about untrusted apps and URLs and keep our devices updated in a timely manner.
Finally, as a very popular saying in China goes, on the way to the information age, each of us is streaking.
http://www.securityweek.com/android-botnet-uses-twitter-receiving-commands
This is a news article called “FBI denies claims of Apple ID hack”. It talks about hackers who have stolen the information of more than 1 million iPhones and iPads and posted more than 12 million IDs. This claim had been viewed 370,000 times in less than 24 hours.
After I read this news, I had to think about how important the information is and how much Apple Inc. would have to pay for this data breach if the hackers’ claim is true. However, the interesting thing in this news is that people think this is not true. In fact, Apple Inc. is still keeping silent; does that mean Apple is so confident in its own information protection system?
http://www.cnn.com/2012/09/04/tech/web/fbi-apple-id-hack/index.html
At the G20 summit in Hangzhou, China, a number of US Senators are strongly urging President Obama to open up a dialogue and start on an international action plan to address cyber-security on a global scale with partners. Because hackers do not have any real geographic boundaries, an international coalition against hackers is imperative. The most recent activities that have driven this request are a number of thefts from a system called SWIFT. Apparently, this is the system that financial institutions use to transfer funds between one another. The most recent cases have been the theft of almost $1 Billion from Bangladesh central bank and another $87 Million heist from the Federal Reserve of New York. The money was then subsequently moved to the Philippines and laundered through casinos. These are just 2 of the numerous thefts that occurred after the SWIFT (messaging system used by financial institutions to transfer funds) system was compromised. They interviewed the CEO of CyberGRX, asking what good a discussion would be at the G-20, and in his view the failure that occurred was in “third-party cyber risk management.” Ultimately, due to the real-time and ever-changing nature of the threat, it is critical to open up lines of communication across the globe in order to try to stay on top of the ever-changing dynamic that is cyber criminals. In his mind, “Collaboration and information-sharing at all levels are the keys to effectively mitigating the persistent and potentially damaging threats from cybercriminals.” This just goes to show the real threat that these criminals pose to everyone. It is real damage and not just a hacking of someone’s Twitter account and posting some distasteful tweets to the world.
http://www.infosecurity-magazine.com/news/us-senators-urge-obama-cyber-g20/
Hackers claim to have stolen important hacking tools straight from the NSA. This group, calling themselves the Shadow Brokers, has decided that it’s more profitable to sell the tools than to keep this hack secret to themselves. Being the only ones who know of an exploit can earn a bad guy a lot of money. The group has set the asking price at what seems to be a Dr. Evil-inspired 1 million bitcoins, which has a street value of roughly half a billion dollars. The hackers posted a manifesto claiming that the tools are from the creator of the infamous Stuxnet virus. The names of some of the tools, such as EPICBANANA, correspond with information that Edward Snowden had previously leaked, lending credibility to the hackers’ story.
I think this news is a reflection of how dangerous hackers can be. They are able to demand multi-millions of dollars because someone else is willing to pay that price to break into secure systems. This shows just how hard it will be to work against persistent hackers when they are backed by money.
http://motherboard.vice.com/read/hackers-hack-nsa-linked-equation-group