Management Chapter 8 Homework
Type: Homework Help
Pages: 9
Words: 4387
Authors: Kenneth C. Laudon

Managing the Digital Firm, Seventh Canadian Edition
CHAPTER 8
Securing Information Systems
LEARNING OBJECTIVES
After reading this chapter, you will be able to answer the following questions:
1. Why are information systems vulnerable to destruction, error, and abuse?
Teaching Suggestions
The opening case, “You’re on LinkedIn? Watch Out!,” describes several different paths by
which malicious software reaches information systems: individual users’ computers, their
friends’ computers, and the computers of businesses that participate in LinkedIn.
Because of its huge user base, an easy-to-use Web site, and a community of users easily
linked to dozens or hundreds of other users, the popular business networking site has
become a huge security risk to individuals and businesses.
Section 8.1, “System Vulnerability and Abuse”
With data concentrated in electronic form and many procedures invisible through
automation, computerized information systems are vulnerable to destruction, misuse,
error, fraud, and hardware or software failures. Corporate systems using the Internet are
especially vulnerable because the Internet is designed to be an open system. As wireless
systems become more popular, the security challenges associated with them increase.
WINDOW ON MANAGEMENT: STUXNET AND THE CHANGING FACE OF CYBERWARFARE
Case Study Questions:
1. Is cyberwarfare a serious problem? Why or why not?
Cyberwarfare is becoming a very serious problem. Attacks have become much more
widespread, sophisticated, and potentially devastating. U.S. Department of Defense
networks experience 250,000 probes every hour, and cyberattacks on U.S. federal
agencies in general have increased 150 percent since 2008.
2. Assess the management, organization, and technology factors that have created
this problem.
Organization: It’s suspected that some of the cyberwarfare attacks have been
orchestrated by governments, including the Stuxnet worm that was launched with
nation-state support (probably from Israel and the United States). In each
Technology: Tracing the identities of specific attackers through cyberspace is next to
3. What makes Stuxnet different from other cyberwarfare attacks? How serious a
threat is this technology?
To date, Stuxnet is the most sophisticated cyberweapon ever deployed. Stuxnet’s
mission was to activate only computers that ran Supervisory Control and Data
4. What solutions have been proposed for this problem in Canada? Do you think
they will be effective? Why or why not?
Canada has no clear strategy about how the country would respond to various levels
of cyberattacks. Mike McConnell, the former director of national intelligence, stated
Section 8.2, “Business Value of Security and Control”
Security and control are important but often neglected areas for information systems
investments. The majority of companies today are naïve about how vulnerable their
Section 8.3, “Establishing a Framework for Security and Control”
Firms must use appropriate technologies to effectively protect their information
resources. The best place to start is by establishing a well-defined set of general and
application controls. Ask your students to research what types of security and control
methods are employed by their university or workplace. In groups, ask them to present
their findings in class.
Section 8.4, “Technologies and Tools for Protecting Information Resources”
While students or their employers may say they want software quality or controls in
information systems, few want to be bothered with the extra steps that quality assurance
requires, or the limits on their freedom, funds, and extra time it takes to install controls
and security.
Discuss with students how biometrics, such as the use of fingerprint imaging, retinal
scans, or voice maps to authenticate users, can increase security. Ask your students to
WINDOW ON TECHNOLOGY: HOW SECURE IS YOUR SMARTPHONE?
Case Study Questions
1. It has been said that a smartphone is “a microcomputer in your hand.” Discuss
the security implications of this statement.
Smartphones have many of the same computing features and capabilities as any
2. What management, organizational, and technology factors must be addressed by
smartphone security?
Management: Apple cannot effectively review new apps prior to their use. Thousands
of apps arrive each week at Apple. The iPhone does not inform users what information
Organization: Apple iTunes app rules make some user information available to all
app programs by default, including the user’s GPS position and name. Security on the
Technology: Botnet code is easily wrapped inside app code, making it much harder to
detect. Apple, Google, and RIM (BlackBerry) offer over 1.25 million apps
3. What problems do smartphone security weaknesses cause for businesses?
Smartphones of all kinds are susceptible to browser-based malware that takes
advantage of vulnerabilities in all browsers. In addition, most smartphones, including
the iPhone, permit the manufacturers to remotely download configuration files to
4. What steps can individuals and businesses take to make their smartphones more
secure?
Review Summary
1. Why are information systems vulnerable to destruction, error, and abuse?
2. What is the business value of security and control?
3. What are the components of an organizational framework for security and control?
4. What are the most important tools and technologies for safeguarding
information resources?
Key Terms
The following alphabetical list identifies the key terms discussed in this chapter.
The page number for each key term is provided.
Acceptable use policy (AUP) 257
Antivirus software 262
Click fraud 250
Computer crime 248
Digital certificates 263
Disaster recovery planning 258
Distributed denial-of-service
Patches 253
Pharming 249
Phishing 249
Review Questions
1. Why are information systems vulnerable to destruction, error, and abuse?
List and describe the most common threats against contemporary information
systems.
The most common threats against contemporary information systems include:
technical, organizational, and environmental factors compounded by poor
management decisions. Figure 8-1 includes the following:
Technical: Unauthorized access, introducing errors
Define malware and distinguish among a virus, a worm, and a Trojan horse.
Malware (for malicious software) is any program or file that is harmful to a computer
user. Thus, malware includes computer viruses, worms, Trojan horses, and also
spyware programs that gather information about a computer user without permission.
Virus: A program or programming code that replicates itself by being copied or
Define a hacker and explain how hackers create security problems and damage
systems.
A hacker is an individual who gains unauthorized access to a computer system by finding
weaknesses in security protections used by Web sites and computer systems. Hackers not
Define computer crime. Provide two examples of crime in which computers are
targets and two examples in which computers are used as instruments of crime.
The Department of Justice defines computer crime as “any violations of criminal law
that involve a knowledge of computer technology for their perpetration, investigation,
or prosecution.” Computer crime is defined as the commission of illegal acts through
the use of a computer or against a computer system. Table 8-2 provides examples of
computer crimes.
Computers as targets of crime:
Breaching the confidentiality of protected computerized data
Theft of trade secrets
Unauthorized copying of software or copyrighted intellectual property, such as
articles, books, music, and video
Define identity theft and phishing and explain why identity theft is such a big
problem today.
Identity theft is a crime in which an imposter obtains key pieces of personal
information, such as social security identification numbers, driver’s license numbers, or
credit card numbers, to impersonate someone else. The information may be used to
obtain credit, merchandise, or services in the name of the victim or to provide the
thief with false credentials.
Describe the security and system reliability problems created by employees.
The largest financial threats to business institutions come from employees. Some of
the largest disruptions to service, destruction of e-commerce sites, and diversion of
customer credit data and personal information have come from insiders. Employees
Explain how software defects affect system reliability and security.
The software can fail to perform, perform erratically, or give erroneous results
because of undetected bugs. A control system that fails to perform can mean medical
equipment that fails or telephones that do not carry messages or allow access to the
2. What is the business value of security and control?
Explain how security and control provide value for businesses.
Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems.
Controls consist of all the methods, policies, and organizational procedures that
ensure the safety of the organization’s assets; the accuracy and reliability of its
account records; and operational adherence to management standards.
The business value of security and control:
Firms relying on computer systems for their core business functions can lose sales
Describe the relationship between security and control and recent U.S.
government regulatory requirements and computer forensics.
Legal actions requiring electronic evidence and computer forensics also require firms to
pay more attention to security and electronic records management. Computer forensics is
the scientific collection, examination, authentication, preservation, and analysis of data
held on or retrieved from computer storage media in such a way that the information can
be used as evidence in the court of law. It deals with the following problems:
Recovering data from computers while preserving evidential integrity.
Securely storing and handling recovered electronic data.
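Preserving evidential integrity in practice means fixing a cryptographic hash of every recovered item at acquisition time and re-checking it before the data are examined or produced in court. The Python block below is an added example and is not from the textbook; the evidence bytes, file names and examiner name are constructed for the demonstration, and the standard library's hashlib stands in for the verification built into a forensic imaging tool.

```python
"""Hash manifest for a forensic acquisition (added example, constructed data)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence: a tiny stand-in for a disk image and one
# recovered e-mail. Real images are hashed in chunks, not held in memory.
EVIDENCE = {
    "laptop01.dd": b"\x00" * 512 + b"NTFS    " + b"\x00" * 504,
    "recovered_mail.eml": (
        b"From: cfo@example.test\r\nSubject: wire transfer\r\n\r\nApprove ASAP.\r\n"
    ),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of one evidence item."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, examiner: str) -> dict:
    """Record digest, size, examiner and UTC time for every item as acquired.

    The manifest is kept apart from the evidence copy; it is what later
    proves the copy has not changed since acquisition.
    """
    return {
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "items": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in items.items()
        },
    }


def verify(items: dict, manifest: dict) -> dict:
    """Re-hash every item and report, per name, whether it still matches.

    A missing item fails, and an item that is present but was never recorded
    in the manifest also fails: it is not part of the documented acquisition.
    """
    results = {}
    for name, meta in manifest["items"].items():
        data = items.get(name)
        results[name] = (
            data is not None
            and sha256_hex(data) == meta["sha256"]
            and len(data) == meta["size"]
        )
    for name in items:
        if name not in manifest["items"]:
            results[name] = False
    return results


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, examiner="examiner-01")
    print(json.dumps(manifest, indent=2))
    print(verify(EVIDENCE, manifest))  # every item True on the untouched copy

    # Simulate a one-word edit to the recovered mail after acquisition.
    tampered = dict(EVIDENCE)
    tampered["recovered_mail.eml"] = tampered["recovered_mail.eml"].replace(b"Approve", b"Reject")
    print(verify(tampered, manifest))  # recovered_mail.eml now False
```

In a real engagement the manifest is produced on the write-blocked original before any analysis, stored with the chain-of-custody record, and the examiner works only on verified copies; many labs record two digests (for example MD5 alongside SHA-256) so that a collision in one algorithm cannot be argued to undermine the record.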
3. What are the components of an organizational framework for security and
control?
Define general controls and describe each type of general control.
General controls govern the design, security, and use of computer programs and the
security of data files in general throughout the organization’s information technology
Define application controls and describe each type of application control.
Application controls are specific controls unique to each computerized application.
They include both automated and manual procedures that ensure that only authorized
data are completely and accurately processed by that application.
Application controls can be classified as:
Input controls: Check data for accuracy and completeness when they enter the
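Input controls in working form, as an added example that is not from the textbook: per-record edit checks (account format, amount range, date validity) plus a record count and hash total reconciled against the totals the sender placed in the batch header. The batch layout, the account-number pattern and the amount limits are constructed assumptions for this demonstration.

```python
"""Edit checks and control totals for an input batch (added example)."""
import csv
import io
import re
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed batch: first line carries the sender's control totals
# (record count, hash total of amounts), then a CSV header and records.
# T003 has a malformed account and an impossible date.
BATCH = """\
HEADER,3,1251.00
txn_id,account,amount,posted
T001,12-3456-7,1000.00,2024-03-01
T002,12-3456-8,250.00,2024-03-02
T003,12-34567,1.00,2024-02-30
"""

# Assumed account-number layout for the demonstration: NN-NNNN-N.
ACCOUNT_RE = re.compile(r"^\d{2}-\d{4}-\d$")
AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("10000.00")


def parse_amount(value: str):
    """Return the amount as a Decimal, or None when it is not numeric."""
    try:
        return Decimal(value)
    except InvalidOperation:
        return None


def check_record(row: dict) -> list:
    """Edit checks on a single record; returns the list of failures (empty = clean)."""
    errors = []
    if not ACCOUNT_RE.match(row.get("account") or ""):
        errors.append("account: bad format")
    amount = parse_amount(row.get("amount") or "")
    if amount is None:
        errors.append("amount: not a number")
    elif not (AMOUNT_MIN <= amount <= AMOUNT_MAX):
        errors.append("amount: out of range")
    try:
        date.fromisoformat(row.get("posted") or "")
    except ValueError:
        errors.append("posted: invalid date")
    return errors


def process_batch(text: str) -> dict:
    """Run edit checks on every record, then reconcile the batch control totals.

    The hash total is computed over every record transmitted, rejected ones
    included: control totals test that the batch arrived complete and
    unaltered, which is a separate question from whether each record is valid.
    """
    lines = text.splitlines()
    _, expected_count, expected_total = lines[0].split(",")
    rows = list(csv.DictReader(io.StringIO("\n".join(lines[1:]))))

    errors = {r["txn_id"]: check_record(r) for r in rows}
    rejected = {tid: errs for tid, errs in errors.items() if errs}
    total = sum((parse_amount(r["amount"]) or Decimal(0) for r in rows), Decimal(0))
    count_ok = len(rows) == int(expected_count)
    total_ok = total == Decimal(expected_total)
    return {
        "accepted_ids": [r["txn_id"] for r in rows if not errors[r["txn_id"]]],
        "rejected": rejected,
        "count_ok": count_ok,
        "total_ok": total_ok,
        "controls_reconciled": count_ok and total_ok,
    }


if __name__ == "__main__":
    print(process_batch(BATCH))
    # Drop one line in transit: count and hash total both stop reconciling.
    print(process_batch(BATCH.replace("T002,12-3456-8,250.00,2024-03-02\n", "")))
```

Records that fail the edit checks go to a suspense file for correction and resubmission, while a control-total mismatch means the batch as transmitted is incomplete or altered and should be rejected whole rather than partially posted.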
Describe the function of risk assessment and explain how it is conducted for
information systems.
A risk assessment determines the level of risk to the firm if a specific activity or
process is not properly controlled. Business managers working with information
systems specialists can determine the value of information assets, points of
Define and describe the following: security policy, acceptable use policy, and
identity management.
A security policy consists of statements ranking information risks, identifying
acceptable security goals, and identifying the mechanisms for achieving these goals.
Explain how MIS auditing promotes security and control.
