In learning how to think constructively about managing risks, often the following common sense vocabulary is used:Asset: something important that needs protectionRisk: likelihood of threat leading to actual abuseCost (1): reduction in value of abused assetCost (2): amount of resources required to use security measures to protect an assetBenefit: the value of a security measureIt would be great if these terms asset, value, threat, risk, cost, benefit could be used scientifically, but when it comes to information systems, most of them are pretty squishy. Nevertheless, even a best guess is remarkably useful. If guesses about relative value and likelihood are consistently applied, then it is usually possible to decide on the priority of potential improvements in information security. Cost becomes a matter of budget.
Most people with authority over funds for security can, if properly informed, make good decisions about how to allocate the budget. In many instances, it is possible to analyze whether the incremental value of a high budget would be significant. Understanding of information security technology is necessary to make informed judgements like these. Fortunately, the essential technological aspects are not rocket science.
There are several types of security issues: data security, computer security, system security, communication security, and network security. The term information security is often used to encompass all of them and to distinguish them from closely related and important issues such as physical security, operational security, and personnel security that do not rely primarily on computing technology. Computing is as risky as any other aspect of modern life, and in some sense more so because of the complexity of computing systems. Vulnerabilities exist at all levels: network, operating system, middleware and application because all software has bugs, administration is error-prone and users are unreliable. It is virtually impossible to develop any significant system without some errors in it. We know how to build bridges so the imperfections are tolerable.
That is, we can build bridges that do not crash (if proper engineering methodology is followed), but we cannot build systems and applications that do not crash. In computing systems, flaws are often bugs repeatable situations in which the system behaves in an unintended manner. Each bug can also be a security vulnerability, if the bug can be used in a way that allows a failure of security: either authorized users exceeding their privileges, or unauthorized users gaining access to systems. Furthermore, the complexities of modern computing systems make them difficult to manage. Configuration and administrative errors also create security vulnerabilities.
It can be difficult to determine whether the system is properly configured. For example, to harden Windows NT for usage on the Internet, Microsoft recommends over a hundred specific configuration changes that effectively turn off many features that led people to want to use NT. In addition, security experts have other recommendations in addition to those described by Microsoft. Computing, like life, has many threats. But what are the risks? Given the wide rage of threats, the sheer number of vulnerabilities, and the ever-increasing number of attackers, the risk is nearly 100 per cent that some incident will occur if information security is not addressed in a systematic manner. There are many different avenues of attack.
Inadequate data security can provide unauthorized users access to sensitive information. Inadequate computer security can result from the use of weak passwords and allow abuse of user accounts. Applications filled with bugs can allow unauthorized transactions. Inadequate system security can result from a mis-configured operating system and allow unintended network access. Eavesdropping and password reuse are examples of inadequate communication security which can result in impersonation of individuals.
Inadequate network security can lead to unintended Internet access to private systems. There are many examples of inadequate security. Who is hurt by these attacks? Internet access in this scenario affects the on-line consumer greatly, sometimes in