Lecture 6 - Information Systems Security and Control Part 1

Managing Information Systems
Information Systems Security and Control
Part 1
Dr. Stephania Loizidou Himona
ACSC 345
Objectives
 Demonstrate the differences in vulnerability between traditional systems and Information Systems
 Demonstrate the impact of Information System vulnerability
 Demonstrate why Information Systems are vulnerable
Dr. S. Loizidou - ACSC345
2
Protecting Information Systems
 Information Systems are now very important within organisations
 Disabling or corrupting these Information Systems can lead to significant loss
– Financial impact
– Loss of life / health and safety issues
On-line Auction Site: 8 Hour Downtime

Type of Loss             Value
Direct revenue loss      $341,652
Compensatory loss        $943,521
Depreciation costs       $6,279
Lost future revenues     $1,024,955
Worker downtime loss     $46,097
Contract labour loss     $52,180
Delay-to-market loss     $358,734
Total                    $2,773,418

Source: Technology Spotlight: The Financial Impact of Site Outages. The Industry Standard, 1999
Vulnerability
 Why are Information Systems more vulnerable than paper-based systems?
Vulnerability
 Paper-based systems
– Documents / data stored in filing cabinets
– Secured by physical access
 Information systems:
– Data stored electronically
– Logical, rather than physical, access
Vulnerability
 Information Systems are open to more vulnerabilities than paper-based systems
Security
 What examples of threats to Information Systems can you think of?
Malicious Intent
 Hackers
– Person who gains unauthorised access to a system for profit, criminal purpose or pleasure
– Trojan horse
 Program that has hidden, secondary purpose
– Denial of service
 Overwhelm server with requests to disable
 (Partially) countered by security procedures
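The slide notes that denial of service is only partially countered by security procedures; one such procedure is watching request rates per source so that a flood is noticed early. The following Python script is an added example, not code from the lecture: it applies a sliding-window count per client address to a constructed web-server log (the log format, the 10-second window and the threshold of 20 requests are all assumptions chosen for illustration) and reports the sources that exceed the limit.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; a real deployment would derive them from normal traffic.
WINDOW = timedelta(seconds=10)   # length of the sliding window
THRESHOLD = 20                   # max requests per source inside one window


def parse_line(line):
    """Assumed log format: '<ISO timestamp> <client ip> <method> <path>'."""
    ts, ip, _method, _path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip


def detect_floods(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak requests seen inside one window} for sources over threshold.

    Each source keeps a deque of recent timestamps; entries older than the
    window are dropped before the count is compared with the threshold.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, ip = parse_line(line)
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def build_sample_log():
    """Constructed sample log (not real traffic): one normal client and one flooding source."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = []
    # Normal client: five page views spread twelve seconds apart.
    for i in range(5):
        ts = base + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 GET /index.html")
    # Flooding source: fifty requests within five seconds.
    for i in range(50):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 GET /search")
    return lines


if __name__ == "__main__":
    for ip, peak in detect_floods(build_sample_log()).items():
        print(f"flood suspected from {ip}: {peak} requests within {WINDOW.seconds}s")
```

The normal client never accumulates more than one request inside the window, while the flooding source reaches fifty; a rate limiter or block rule would act on the flagged addresses, and the threshold should be set from observed baseline traffic rather than guessed.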
Malicious Intent
 Viruses
– Software that is difficult to detect, spreads rapidly, and destroys data, processing and memory
– Logic bomb
 Timed virus
 (Partially) countered by anti-virus software
Malicious Intent?
 The vulnerability of Information Systems is not just restricted to external security threats
Vulnerability
 What other types of vulnerability do Information Systems have?
Vulnerability
 Threats:
– Hardware failure (disk crash, Pentium bug)
– Software failure (bugs, design flaws)
– Personnel actions (accidental, malicious)
– Terminal access penetration (hacking)
– Theft of data, services or equipment (virus)
Vulnerability
 Threats:
– Fire (also true of paper-based systems)
– Electrical problems (downtime)
– User errors (wrong data)
– Program changes (upgrades, assumptions)
– Telecommunications (Internet, wireless)
Concerns
 Disaster:
– Hardware, software, data destroyed by fire, flood, power failures, etc.
– Software and data may not be replaceable
– Significant (financial) loss
 Backup, fault tolerance
 Disaster recovery planning
– Standby sites, equipment, personnel
Concerns
 Security
– Policies, procedures, technical measures
– Prevent unauthorised access, theft, damage
 Errors
– Software bugs can cause significant loss
– Financial: rounding errors?
– Life: missile systems
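The "rounding errors?" item above is a classic example of a software error that costs money without any attacker involved. The Python script below is an added example, not code from the lecture, showing two ways such an error creeps into financial code: accumulating monetary amounts in binary floating point, and rounding a fee per transaction rather than on the total. The transaction amounts and the 3% fee rate are constructed values chosen to make the discrepancy visible.

```python
from decimal import Decimal, ROUND_HALF_EVEN

CENT = Decimal("0.01")  # monetary amounts are kept to two decimal places


def float_total(amount, n):
    """Add a float amount n times: binary floating point cannot represent 0.1 exactly."""
    total = 0.0
    for _ in range(n):
        total += amount
    return total


def decimal_total(amount, n):
    """Same accumulation with Decimal, which represents decimal fractions exactly."""
    total = Decimal("0")
    for _ in range(n):
        total += Decimal(amount)
    return total


def fee_per_item(amounts, rate):
    """Charge the fee on each item, round each fee to the cent, then sum."""
    return sum(
        (Decimal(a) * Decimal(rate)).quantize(CENT, rounding=ROUND_HALF_EVEN)
        for a in amounts
    )


def fee_on_total(amounts, rate):
    """Sum the items first, then charge the fee once and round to the cent."""
    total = sum(Decimal(a) for a in amounts)
    return (total * Decimal(rate)).quantize(CENT, rounding=ROUND_HALF_EVEN)


def reconcile(amounts, rate):
    """Difference between the two fee calculations; non-zero means the books will not balance."""
    return fee_on_total(amounts, rate) - fee_per_item(amounts, rate)


if __name__ == "__main__":
    # Constructed batch: one thousand small transactions of 0.15 each, 3% fee.
    batch = ["0.15"] * 1000
    print("float sum of 0.1 x 10000  :", float_total(0.1, 10000))      # not exactly 1000.0
    print("decimal sum of 0.1 x 10000:", decimal_total("0.1", 10000))  # exactly 1000.0
    print("fee rounded per item      :", fee_per_item(batch, "0.03"))
    print("fee on batch total        :", fee_on_total(batch, "0.03"))
    print("unreconciled difference   :", reconcile(batch, "0.03"))
```

Each 0.15 transaction carries a fee of 0.0045, which rounds to zero cents, so charging per item collects nothing while the fee on the 150.00 total is 4.50. The control this suggests is a reconciliation step that compares independently computed totals and raises an exception when they differ, rather than trusting either calculation on its own.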
Data Quality
 Data quality problems:
– Data preparation
– Conversion
– Input
– Form completion
– On-line data entry
– Keypunching
– Scanning
– Validation
– Processing
– File maintenance
– Output
– Transmission
– Distribution
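Several of the stages listed above (conversion, input, on-line data entry, keypunching, validation) are where bad data first enters a system, and validation is the stage meant to stop it before processing. The following Python script is an added example, not code from the lecture: it validates a batch of constructed order records against assumed field rules (a six-digit customer id, a positive amount with at most two decimals, an ISO-8601 order date) and reports which records fail and why.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ID_RE = re.compile(r"[0-9]{6}")  # assumed customer-id format for this example
CENT = Decimal("0.01")


def validate_record(rec):
    """Return a list of validation errors for one record (empty list means clean)."""
    errors = []

    # Input / keypunching errors: a letter typed where a digit belongs.
    if not ID_RE.fullmatch(rec.get("customer_id", "")):
        errors.append("customer_id: must be six digits")

    # Conversion errors: locale decimal comma, text, or over-precise amounts.
    try:
        amount = Decimal(rec.get("amount", ""))
        if amount <= 0 or amount != amount.quantize(CENT):
            errors.append("amount: must be positive with at most two decimals")
    except InvalidOperation:
        errors.append("amount: not a number")

    # Form completion errors: a date written in a local format instead of ISO.
    try:
        date.fromisoformat(rec.get("order_date", ""))
    except ValueError:
        errors.append("order_date: not a valid ISO date")

    return errors


def validate_batch(records):
    """Return {index: errors} for the records that fail; the rest may proceed to processing."""
    return {i: errs for i, rec in enumerate(records) if (errs := validate_record(rec))}


# Constructed sample batch (not real data): one clean record and three typical defects.
SAMPLE_RECORDS = [
    {"customer_id": "123456", "amount": "19.99", "order_date": "2024-03-01"},
    {"customer_id": "12A456", "amount": "19.99", "order_date": "2024-03-01"},
    {"customer_id": "123456", "amount": "19,99", "order_date": "2024-03-01"},
    {"customer_id": "123456", "amount": "19.99", "order_date": "01/03/2024"},
]

if __name__ == "__main__":
    for idx, errs in validate_batch(SAMPLE_RECORDS).items():
        print(f"record {idx} rejected: {'; '.join(errs)}")
```

Rejected records are returned with their reasons instead of being silently corrected, so the originating stage (the form, the keying operator, the conversion routine) can be fixed rather than the symptom.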
Software Quality
 What types of problems may a software system have?
Software Quality
 Software problems
– Bugs
– Defects (wrong requirements)
– Misinterpretation of requirements
– Incorrect assumptions
Software Quality
 The more complex a system is, the less likely it is to be bug free
 Impractical to test all paths of complex code
– Difficult to test
– Too much time required
 Total Quality Management
– Can only improve quality, not eliminate bugs
– Uncertain what bugs remain and their impact
Maintenance
 Maintenance of software systems should be built into the design
 Maintenance is the most expensive phase of a system
– Complexity
– Associated organisational changes
– (Regression) testing overheads
 More expensive to fix bugs as implementation proceeds