Business Information Systems - Assignment Example

Business Information Systems Name Date Course Business Information Systems Question 1: Identify and discuss the factors that are contributing to the increasing vulnerability of organizational information assets Vulnerabilities of assets refer to the flaws in the assets of an organization; or in the words of Lenaghan and Onwubiko (2007), it is the absence of controls in security that could result in a breach in security of the assets when they are exploited by threats. Various factors contribute to these vulnerabilities. The attacks are dependent on the flaw or susceptibility of the system, the access of the attacker to this flaw and the ability of the attacker to exploit the flaw. When the system is susceptible, it is easy for the attacker to launch an attack to the assets. One factor that contributes to this susceptibility is stated by Whitman (2003) that organizations’ managers and employees have ignored information security. While security to information has been pointed out as an important issue, executives do not consider it as being critical (Whitman, 2003). In the present world, the business environment has become increasingly interconnected, interdependent and the network has become wireless. This has increased susceptibility. In addition to this, the number of organized crime has taken over the number of cyber crimes. This implies that individuals set out targets and launch their attacks. Another factor that has contributed to this vulnerability is the rolling out of new technology which has led to changes in identifying new threats. Computers as well as storage devices have become faster, smaller and cheaper. A combination of these factors increases the susceptibility of the organization’s assets. Question 2: Contrast unintentional and deliberate threats to an information resource. Provide two (2) examples of both Unintentional threats refer to acts that are performed by individuals without any malicious intentions to the security of information. One such threat is human error. According to Whitman (2004), the biggest threat to the information assets of an organization are the employees of the company. In fact, employees who work in the departments of information systems and human resource pose the greatest threat. This is because they have access and controls to very sensitive information of the company. This implies that any error by them could prove very fatal to the security of the organization’s assets. The employees go across the greater depth breadth of the organization. The higher the employee’s level, the greater the threat they pose to the security of the organization. The errors that these employees could create include carelessness with their laptops and other computing devices, opening up of emails that are questionable, surfing the internet carelessly and poor selection of their passwords. Deliberate threats are dangers that are aimed at exploiting the security of information. The dangers are intentional and the purpose is to attack the system. Such dangers can be as a result of acts of espionage or trespass by the attackers. Such acts involve access by unauthorized individuals to information that is protected. In other instances, hackers use their skills, fraud or guile to get past controls that protect organization’s information. Cyber terrorism and warfare can also be classified as deliberate attacks (Vavoulas and Xenakis, 2010, pp. 2). Question 3: Explain each of the following types of remote attacks: virus, worm, phishing, and spear phishing. What approach could you use to mitigate these information security risks within an organization? Describe a scenario. Virus: a virus can be described as a part of the computer code that carries out malicious actions to the system by attaching itself to other computer programs. The malicious action affects the performance of the program. A worm is a part of the computer code that spreads in the information system and carries out malicious actions without getting attached to another program. Phishing involves use of deceptive messages to acquire sensitive and personal information by appearing to be genuine or official messages or emails. The message is aimed at convincing the reader that they are reading the right details and in the process, they provide personal information to the attacker. Spear phishing is a fraud attempt that is email spoofing and is aimed at getting illicit access to confidential information of a specific organization. Usually, the attempt is not initiated by hackers but is conducted by individual perpetrators who are out to gain financially (Rouse, 2011). To mitigate the risks, various practices can be used. Investing in anti-spyware and anti-viruses and maintaining them by updating can be used to identify the worms and viruses. In addition, cyber intelligence services can be used in identifying on-line threats. Along with that, organizations should invest in security awareness so that they can be aware of the security risks faced. For instance, phishing is targeted to the end-users. By educating the users, the profile of the risk is raised and the users will understand how to cope with the danger (Walker, 2013). Question 4: Define and contrast - risk acceptance, risk limitation, and risk transference Risk acceptance is a technique that is deployed in response to a risk when the risk is unavoidable and the response team decides to accept the risk before determining the best ways of dealing with the situation. By accepting the risk, the organization is better placed to handle the risk since it can devise ways of dealing with it based on the effects it experiences from the risk (Rainer and Cegielski, 2010, pp. 100). Risk limitation refers to the extent to which the organization can be exposed to the risk. It implies that the risk posed to the organization can only be allowed to get to some extent beyond which the risk cannot be taken by the organization. In essence, risk limitation entails the extent beyond which the risk cannot be taken anymore. It creates a boundary that states the extent of the risk faced by the organization (Rainer and Cegielski, 2010, pp. 100). Risk transference- is a response technique to risks and is used for threats that encompass transferring the impact of the risk to a third party together with owning the risk responses. It involves shifting the burden of the loss due to a risk to another party by act of contract or legislation or insurance. The aim of this technique is to help in protecting the organization from the risk faced by sharing the risk with another party. As a result, the organization could handle the risk without any fear of major losses since the loss is shared with another party (CNA, 2010, pp. 3). Part B Claim Sensitive FBI data is not secure from attack Data Various warnings have been issued by the FBI to institutions on the threats posed by cyber attacks, cyber crimes and other attacks to information. In the FBI website, various former attacks have been posted to inform the public on how attacks are carried out by individuals. The FBI also indicates that it also prone to these attacks hence the need to continuously investigate the various attacks and post them on the website so as to effectively find ways of combating them (The FBI, 2013). Warrant FBI staff is human beings just like other employees. While they are highly trained in every aspect of security, they are not perfect in combating certain aspects of the threats they face, they can be exposed to certain aspects of human error and this exposes the whole system to the risk. In other cases, the FBI has adopted risk acceptance as a tool of handling the threats faced. This indicates that the FBI recognizes that it is also prone to the attacks by cyber crimes and other attacks to information and therefore the need to devise other ways of tackling the issue within the organization and outside. Backing The FBI has been advised to adopt risk management plan in dealing with its security issues. In fact, risk acceptance has been used as an approach to the threats faced. This indicates that the FBI recognizes that there are threats to its information and data. It is this recognition that makes the FBI work better towards combating the threats it faces. Rebuttal The FBI has in the past worked to increase its abilities to handle cyber crimes and other attacks to information. It has been successful in investigating various cyber crimes and this indicates that they have the technology to help combat security threats to information. McGroddy and Herbert (2004) stated that the FBI has improved the technology it uses in combating cyber crimes. The various warnings that the FBI issues to organizations on the threats posed to them indicates that the technology is appropriate in identifying the threats and as a result it can effectively curb the threats. Qualifier Various statements have been made by the FBI in giving warnings to organizations and institutions about the threats they face. For instance, Robert Mueller, the director of FBI in San Francisco stated that there are various applications that can be used in ensuring that computer devices and mobile devices are secured. This was aimed at fighting threats in the information system world by outsmarting hackers, terrorists and spies. In addition, the FBI website provides information on the various types of cyber attacks that occur in various parts of the world. Access to this information is useful in informing people about the various threats and as a result they are aware of the ways to be safe. Your Opinion The FBI is not free from cyber attacks because they use various information technology tools. The devices they use in their work are not free from attacks. However, the FBI works towards ensuring that the devices used are protected. In addition, the systems used kept up to date so as to ensure that any threats are identified on time. This indicates that the FBI makes every effort to ensure that attacks to its data are kept at minimal. No institution can be perfect; therefore, the best can only be done in limiting the threats. Bibliography CNA, 2010, Risk Transfer: A Strategy to help protect your Business, New York, USA. Lenaghan, A. & Onwubiko, C. 2007, Managing Security Threats and Vulnerabilities for Small to Medium Enterprises, IEEE International Conference on Intelligence and Security Informatics, London, UK. McGroddy, J. & Herbert, L. 2004, A Review of the FBI's Trilogy Information Technology Modernization Program, Washington, National Academies Press. Rainer, K. & Cegielski, C., 2010, Introduction to Information Systems: Enabling and Transforming Business, 3rd Edition, USA, John Wiley and Sons. Rouse, M., 2011, Spear Phishing, Accessed online on September 1 2013 from: . The FBI, 2013, New E-Scams & Warnings, Accessed on September 1, 2013 from: . Vavoulas, N. & Xenakis, C., 2010, A Quantitative Risk Analysis Approach for Deliberate Threats, University of Piraeus, Greece. Walker, J. 2013, How can Organizations Guard against Phishing Scams? Accessed online on September 1, 2013 from: . Whitman, M., 2003, Enemy at the Gate: Threats to Information Security, Communications of the ACM, Vol. 46, No. 8. Whitman, M., 2004, In Defense of the Realm: Understanding the Threats to Information Security, International Journal of Information Management, 24: 43–57. Read More