PhD Thesis on Information Security
This PhD thesis chapter examines the security of data, why it is a problem for large corporations, and what companies can do to manage their data and resources properly. Information has become one of the most important resources of the business world and of society, and managing it has become a major challenge. It is for this reason that the security of data is so important to corporations. The desire to control and protect information is rooted in the notion that information has value: high-quality information enables a business to make sound decisions, while the presence of errors undermines the credibility, and therefore the value, of that information (Marschak 1968).
This means corporations must be able to handle and administer information safely and securely. "Prior to the introduction of computers in the corporate world, business would store its information in locking file cabinets. This is now on the computer system for easy access and use by authorized users. The value of that information to a company has not changed since it was taken out of the file cabinets and put on the computer system therefore the security concerns for that information should not have changed" (Hendershot 1993). Data security should therefore be a priority for large corporations: if it is undermined, they become more vulnerable to threats, which can result in serious problems for the company.
According to The UK Audit Commission (1998) the different types of threats can be categorized under five main headings:
- The first threat is theft. Theft is an act of taking unauthorized copies of intangible assets such as data and software from the organization.
- The second threat is fraud. Fraud is the taking of assets by deception; typically the perpetrator hides his or her activities by making all the records look consistent and "normal".
- The third is malicious damage. This is an attack on a system by a rogue program such as a computer virus.
- The fourth is incompetence and mistakes. This is when routine users cause errors or failures in the system by accident due to carelessness or unawareness.
- The fifth is accidents and disasters. These can be unpredictable accidents or natural disasters, which destroy computer systems.
To put this into perspective, Bocij et al (1999) report the extent of these threats, in terms of loss of information, from the 1996 Business Technology Survey by Ernst & Young: "This survey found that 59 per cent of companies surveyed had experienced a security breach." (Bocij et al, 1999: p538).
It may be thought that our society in general is becoming increasingly "data-unsafe". This is not to imply that we are all exceedingly vulnerable, as considerable efforts have been made in this field and more attention is being focused on it. Nevertheless, it must be borne in mind that this does not mean the situation is fully under control.
As the dependence of businesses on IS increases, so does the range and severity of the threats which can arise. This happens for a number of reasons. The first is the scale at which the business depends on IS, as systems increasingly operate on a national or international scale. For example, a failure in a bank's computer centre can put all its automated teller machines offline.
A second reason is the speed of IS in an advanced technological environment. Before computer-based information systems, it took time for fire, flood or malicious damage to destroy records. Large computer files, on the other hand, can be deleted or corrupted electronically in a matter of seconds. Similarly, unauthorised transmission or copying of data can be carried out almost instantaneously.
Another reason is technical innovation. New technology changes all the ground rules, and many employees may not understand them well. Previously, it was reasonable to rely, to a large extent, on employees' good sense (for example, in not leaving filing cabinets unlocked). With IT-based systems, they may not even realise that they are taking unacceptable risks. At the opposite end of the skills spectrum, there are highly talented technicians who regard it as a challenge to invade and disrupt systems. They can conduct their attacks from other parts of a network, without needing to go anywhere near the premises they are attacking.
The fourth reason that may increase the range and severity of threats to IS is hidden causes: in complex systems it is sometimes difficult to trace back to the cause of a problem. "For example, on 1 Jan 1985, customers trying to use the cash machines of two major clearing banks, which normally accepted each others' cards, found themselves getting unpredictable results. The problem was eventually traced to erroneous updating of the magnetic strips on the cards by one of the banks. It seems that some of the bank's software had failed to recognise that 1984 was a leap year, and entered date information on the cards, which then confused other parts of the system." (Hawker, 2000: p18).
The security of data can be a big problem for a large corporation: defining the contents of an international information security policy and an associated set of security controls is one problem, but enforcing them may be an even bigger one (Solms, 1999). A further problem that large corporations may face is remaining competitive, and having a long-term future, without adequate security of data. Solms states that if an organisation is found secure enough by others, it will be welcomed to join them; if not, it may be excluded and left in the cold. This suggests that in the era of electronic commerce, proper information protection, and proof of it, may be demanded among business partners.
Data and information security can result in a big problem for large corporations if security policies are not implemented in the correct manner. It is very important that firms recognise this, as it may well prove far more expensive not to invest in security measures than the measures themselves would have cost. Increased security means increased possibilities of safe guarding a company's assets, through reducing or eliminating the danger of financial loss. As a result of this companies need to manage their data and resources properly.
Information technology does not only bring the benefits of better ways of storage and accessibility of data but with it comes the managerial responsibility, which is control of files and resources.
There are two major management responsibilities that companies need to discharge in order to control their information, so that their data is secure and they can make the most of the resources they have invested in. These responsibilities are physical and procedural. Under each of these there are several components that make up the controls.
Firstly, physical protection is an important control. Physical barriers are aimed at protecting equipment and accessories against theft and unauthorised access, and at eliminating sources of possible damage. If access to rooms containing equipment is restricted, the risk of theft and vandalism is reduced.
A second control that could be used by some firms is biometric controls. These controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment. The technique uses scanners that check fingerprints, voiceprints and retinal patterns. Until recently this technique was not accessible to many organisations, partly because of the cost involved and partly because companies had doubts about the accuracy of the technique. Both of these concerns have largely been addressed by technological advances in software and hardware, although, unlike a password, a compromised fingerprint or retinal template cannot be re-issued, so the stored templates themselves need protecting. An example of companies that could use this type of control to increase security and manage their resources properly is banks, and more specifically their ATMs, which could identify customers by fingerprints or retinal patterns.
Thirdly, procedural controls are also very important to take into consideration. Procedural controls include data security controls, failure controls, auditing and security policy.
Data security controls help to identify and authenticate users. For instance, system software can be used so that passwords are assigned only to authorised individuals. No one can log on to the system without a valid password; furthermore, additional sets of passwords and security restrictions can be developed for specific systems and applications. Laudon & Laudon (2001) give the example that data security software can limit access to specific files, such as the files for the accounts receivable system. It can restrict the type of access so that only individuals authorised to update these specific files have the ability to do so. All others will only be able to read the files or will be denied access altogether.
Another procedural control is failure controls. These are necessary, especially in large corporations, to avoid damage caused by failure of an information system. The techniques of failure control are regular backups of data and a recovery procedure. For example, everyday transactions in a bank, such as deposits and withdrawals, are stored on a daily basis as a backup. Another recovery procedure which is important to companies is a disaster recovery or contingency plan: a strategy for ensuring that an information system is restored as quickly as possible after a disaster, with as little disruption to the organisation as possible. A backup that has never been restored from is untested, so the plan should include periodic restore exercises.
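The two procedural controls just described, file-level access restriction (read versus update, deny otherwise) and backup with a recovery procedure, can both be shown in a small amount of code. The example below is an added illustration written for this page; it is not code from the thesis, from Laudon & Laudon, or from any bank. The user names, file names, permission matrix, account balances and transactions are all constructed for the example, and the "corruption" of the live ledger is simulated. The first part enforces an access-control list on a hypothetical accounts-receivable file; the second takes a checksummed snapshot of a ledger, journals later transactions, and recovers the ledger from snapshot plus journal after the live copy is damaged.

```python
"""Deny-by-default file ACL, and snapshot-plus-journal recovery.

Added example for the procedural controls described above (not from the
thesis). All names, balances and transactions are constructed.
"""
import copy
import hashlib
import json
from enum import Enum


class Access(Enum):
    READ = "read"
    UPDATE = "update"


# Hypothetical ACL: file -> user -> set of granted permissions.
# Any user absent from a file's entry is denied (default deny).
ACL = {
    "accounts_receivable": {
        "ar_clerk": {Access.READ, Access.UPDATE},
        "auditor": {Access.READ},
    },
    "payroll": {
        "payroll_officer": {Access.READ, Access.UPDATE},
    },
}

AUDIT_LOG = []  # every decision is recorded so refused attempts are visible


def is_permitted(user, filename, access, acl=ACL):
    """True only when the ACL explicitly grants `access` on `filename`.

    Unknown files, unknown users and missing permissions all fall through
    to denial; no permission implies another (UPDATE does not grant READ).
    """
    granted = acl.get(filename, {}).get(user, set())
    decision = access in granted
    AUDIT_LOG.append((user, filename, access.value, "ALLOW" if decision else "DENY"))
    return decision


def write_record(user, filename, key, value, store, acl=ACL):
    """Enforcement point: refuse the write unless UPDATE is granted."""
    if not is_permitted(user, filename, Access.UPDATE, acl):
        raise PermissionError(f"{user} may not update {filename}")
    store.setdefault(filename, {})[key] = value


# ---- failure control: checksummed snapshot + transaction journal ----

def checksum(state):
    """SHA-256 over a canonical JSON encoding, kept with each backup so a
    tampered or truncated backup is detected before it is restored."""
    blob = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def take_snapshot(ledger, last_seq):
    """Full backup of the ledger as of journal sequence number `last_seq`."""
    return {"balances": copy.deepcopy(ledger), "last_seq": last_seq,
            "sha256": checksum(ledger)}


def apply_txn(ledger, txn):
    """Apply one journaled deposit or withdrawal; reject malformed ones."""
    kind, acct, amount = txn["type"], txn["account"], txn["amount"]
    if amount <= 0:
        raise ValueError("amount must be positive")
    if kind == "deposit":
        ledger[acct] = ledger.get(acct, 0) + amount
    elif kind == "withdrawal":
        if ledger.get(acct, 0) < amount:
            raise ValueError(f"insufficient funds in {acct}")
        ledger[acct] -= amount
    else:
        raise ValueError(f"unknown transaction type {kind!r}")


def recover(snapshot, journal):
    """Rebuild the ledger: verify the backup, then replay only the
    transactions journaled after the snapshot was taken."""
    if checksum(snapshot["balances"]) != snapshot["sha256"]:
        raise RuntimeError("backup checksum mismatch; do not restore from it")
    ledger = copy.deepcopy(snapshot["balances"])
    for txn in sorted(journal, key=lambda t: t["seq"]):
        if txn["seq"] > snapshot["last_seq"]:
            apply_txn(ledger, txn)
    return ledger


def simulate_day():
    """Constructed scenario: snapshot mid-day, more transactions, live copy
    corrupted, ledger recovered. Returns (corrupted_live, recovered)."""
    live = {"alice": 100, "bob": 50}
    journal = [{"seq": 1, "type": "deposit", "account": "alice", "amount": 20}]
    apply_txn(live, journal[0])
    snapshot = take_snapshot(live, last_seq=1)
    for txn in [{"seq": 2, "type": "withdrawal", "account": "bob", "amount": 30},
                {"seq": 3, "type": "deposit", "account": "carol", "amount": 10}]:
        journal.append(txn)
        apply_txn(live, txn)
    live.clear()                      # simulated electronic corruption
    return live, recover(snapshot, journal)


if __name__ == "__main__":
    print(simulate_day())
```

The ACL check logs every decision, including denials, so that an auditor can see attempted misuse rather than only successful access. The recovery routine refuses a backup whose checksum does not match, which is the check a practitioner wants before a restore is trusted, and it replays only transactions sequenced after the snapshot so nothing is applied twice.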
Auditing could be another way in which companies may protect information systems against security breaches. Auditing involves making physical checks of hardware, software and data at regular intervals. Audits can be carried out automatically for software and data with an appropriate program.
Auditing software works by scanning the hard disk drives of any computers, terminals and servers attached to a network system. As each hard disk is scanned, the names of any programs found are added to a log. This log is then compared to a list of the programs that are owned by the company. The log gives information as to where to find the program. It is then simple to determine the location of any unauthorised programs.
In many organisations auditing programs are also used to keep track of software licences, which allow companies to ensure that they are operating within the terms of their licence agreement.
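The audit described above (scan each machine, log the programs found, compare the log against the list of programs the company owns, report where the unauthorised ones sit, and count installations against licence seats) is straightforward to implement. The following is an added example written for this page, not an auditing product and not code from the thesis. It builds a constructed "estate" of three hosts as directory trees under a temporary directory, identifies programs by a `.exe` suffix (a simplifying assumption; a real tool would also hash the files, since name-based matching is defeated by renaming), and returns the unauthorised program locations, the over-licensed programs and the per-program install counts. The approved list and seat counts are invented.

```python
"""Software inventory audit: unauthorised programs and licence seat counts.

Added example for the auditing controls described above (not from the
thesis). The host layout and approved-program list are constructed.
"""
import os
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Tuple

# Hypothetical list of programs the company owns: name -> licensed seats.
APPROVED = {"wordproc.exe": 2, "spreadsheet.exe": 5}


def scan_host(host_root: Path) -> List[Path]:
    """Walk one host's disk and return the paths of programs found.

    Programs are recognised by a .exe suffix here, which is a simplifying
    assumption; production tools also hash each file against known-good
    hashes so a renamed or tampered binary is not mistaken for an owned one.
    """
    found = []
    for dirpath, _, files in os.walk(host_root):
        for name in files:
            if name.lower().endswith(".exe"):
                found.append(Path(dirpath) / name)
    return found


def audit(hosts: Dict[str, Path], approved=APPROVED):
    """Compare the scan log with the owned list.

    Returns (unauthorised, over_licensed, install_counts) where
    unauthorised is a sorted list of (host, relative path) and
    over_licensed maps program -> (installed, seats) for each breach.
    """
    unauthorised: List[Tuple[str, str]] = []
    counts: Dict[str, int] = defaultdict(int)
    for host, root in hosts.items():
        for path in scan_host(root):
            name = path.name.lower()
            if name not in approved:
                # The log records where the program sits, so it can be removed.
                unauthorised.append((host, path.relative_to(root).as_posix()))
            else:
                counts[name] += 1
    over = {n: (counts[n], seats) for n, seats in approved.items() if counts[n] > seats}
    return sorted(unauthorised), over, dict(counts)


def build_sample_estate(base: Path) -> Dict[str, Path]:
    """Constructed sample: three workstations with a few installed programs."""
    layout = {
        "ws01": ["Programs/wordproc.exe", "Programs/spreadsheet.exe"],
        "ws02": ["Programs/wordproc.exe", "Downloads/cracktool.exe"],
        "ws03": ["Programs/wordproc.exe", "Programs/spreadsheet.exe", "Programs/readme.txt"],
    }
    hosts = {}
    for host, files in layout.items():
        root = base / host
        for rel in files:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"MZ")  # placeholder file contents
        hosts[host] = root
    return hosts


def run_demo():
    """Build the sample estate in a temp dir, audit it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        hosts = build_sample_estate(Path(tmp))
        return audit(hosts)


if __name__ == "__main__":
    unauthorised, over_licensed, counts = run_demo()
    print("unauthorised:", unauthorised)
    print("over-licensed:", over_licensed)
    print("installs:", counts)
```

On the constructed estate the audit flags `cracktool.exe` on ws02 with its location, and reports that `wordproc.exe` is installed three times against two licensed seats, which is exactly the licence check the previous paragraph describes.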
Other types of controls that may help companies to manage their resources properly are legal controls. Legal controls exist to deter security breaches. The Computer Misuse Act 1990 covers unauthorised access to information systems. Unauthorised access to information systems is commonly referred to as hacking, and a breach of security by a third party may fall under this Act, for which the culprit may be prosecuted.
Another legal protection with which companies need to comply is the Data Protection Act 1984. This Act is mainly intended to cover individuals' rights to view the information a company holds about them. For companies this is a strong message that only factual and relevant information should be held. In addition, and very importantly, the Act restricts disclosure to third parties of the information a company holds about individuals. Special rules apply to this clause and it is the company's responsibility to ensure that they are followed. For example, a finance company may allow an account holder to set up a password for a spouse to discuss general information, but the liability lies with the company should the information get into the wrong hands and result in fraud.
A formal security policy is another way in which companies can protect their data. Many companies now require existing and new employees to sign a security policy. This benefits both the company and the employee if the policy is explained. The security policy document would include what the company considers acceptable use of the information system, what is considered unacceptable use, the disciplinary action for non-compliance and details of the controls in place. It is essential, however, that management visibly supports the policy, to ensure that employees follow the guidelines it contains.
An article from the Financial Times (1998), cited in Bocij et al, hinted that many fraudsters rely on human behaviour rather than technology. A senior manager at Forensic Investigations, a UK-based company, stresses the importance of the IT department keeping abreast of the latest developments and maintaining regular security reviews across the organisation.
Another example is a UK-based company, Priority Data Group (PDG), whose clients include Citibank, the computer services company EDS and General Motors. PDG has developed a system that automatically blanks a PC screen when the user is away from it; the screen is then reactivated only by a password.
Also, the US-based company Finjan has developed a program called SurfinShield Corporate to protect computers against rogue programs delivered as ActiveX controls or Java applets. SurfinShield monitors the behaviour of the downloaded program and, if attempts to breach the computer's security are found, the program is eliminated. These are all examples of how companies manage their data and resources properly.
Increased security means increased possibilities of safeguarding a company's assets, through reducing or indeed eliminating the danger of financial loss. Investment in relevant and suitable security measures can prevent damage to EDP equipment, technical installations and premises; reduce the chances of information being tampered with and fraud being attempted; ensure reliable data processing by seeing to it that errors, inaccuracies, mishaps and omissions are detected more easily or prevented; and ensure that the situation is remedied as soon as possible, should anything happen.
All this means that it may well prove far more expensive not to invest in security measures than the measures themselves would have cost. In fact investing in data security should be considered a form of insurance. On the other hand, in themselves security measures can never be a foolproof guarantee against damage and accidents. They will have to harmonize with the company's overall profile and atmosphere. Both staff and management must have an active, positive attitude towards the security aspect. Such an attitude will in itself have a preventive effect.
In working to improve security, it is important to realize that even the most comprehensive measures can never manage to remove each and every possible risk involved in using new technology.
Moreover, maintaining a very high level of security is a costly affair. In conclusion, then, a certain degree of risk will have to be accepted, and not every irregularity should be seen as a major problem.