Module No.

1-2
Security Threats in Information systems

Course Title: Information Assurance and Course Code: ITF404

security
Instructor: Jeremy E. Ponce Term & AY: 1st Sem., AY 2020 -2021
Contact no. 0935-4538-772 E-mail add: jeremyeponce@reocpareview.ph

I. Overview

Information systems are frequently exposed to various types of threats which can cause different types of
damages that might lead to significant financial losses. Information security damages can range from
small losses to entire information system destruction. The effects of various threats vary considerably:
some affect the confidentiality or integrity of data while others affect the availability of a system.
Currently, organizations are struggling to understand what the threats to their information assets are and
how to obtain the necessary means to combat them which continues to pose a challenge. To improve
our understanding of security threats, we should start with the sub-topic “Classification of security threats
in information systems”

II. Intended Learning Outcomes (ILOs)

Upon completion of this module, the students should be able to:

A. grasp the security of the different components of information systems,

B. explain the different Security threat sources,
C. evaluate primary sources of information for their credibility, authenticity, and provenance.

III. Learning Resources and References

• Mouna Jouini et al. / Procedia Computer Science 32 ( 2014 ) 489 – 496
(https://www.sciencedirect.com/science/article/pii/S1877050914006528)
• - Bill Young et al./Information Assurance and Security(2015)
https://www.cs.utexas.edu/~byoung/cs361c/slides1-intro.pdf
-Erik Gregersen/5 components of Information System(2007)
https://www.britannica.com/list/5-components-of-information-systems
• -Ruf L, AG C, Thorn A, GmbH A, Christen T, Zurich Financial Services AG, Gruber B, Credit Suisse AG.,
Portmann R, Luzer H, Threat Modeling in Security Architecture - The Nature of Threats. ISSS Working
Group on Security Architectures,
http://www.isss.ch/fileadmin/publ/agsa/ISSS-AG-Security-Architecture_Threat-Modeling_Lukas-
Ruf.pdf
• McCue A. Beware the insider security threat, CIO Jury; 2008.
http://www.silicon.com/management/cio-insights/2008/04/17/bewaretheinsider-security-threat-
39188671/
• Tang J, Wang D, Ming L, Li X. A Scalable Architecture for Classifying Network Security Threats.
Science and Technology on Information System Security Laboratory; 2012.
• Shiu S, Baldwin A, Beres Y, Mont MC, Duggan G. Economic methods and decision making by security
professionals. The Tenth Workshop on the Economics of Information Security (WEIS); 2011.
• Ben Arfa Rabai L, Jouini M, Ben Aissa A, Mili A.. An economic model of security threats for cloud
computing systems. International Conference on Cyber Security, Cyber Warfare and Digital Forensic
(CyberSec); 2012. 100-105.
• Dr. Daniel Soper/ Introduction to Computer Security - Information
Security /https://youtu.be/zBFB34YGK1U

Page 1 of 10
IV. Lecture Content / Summary of Lesson

1) Introduction:
Suppose you visit an e-commerce website such as your bank, stockbroker, Lazada, etc. Before you
type in highly sensitive information, you’d like to have some assurance that your information will be
protected. Do you (have such assurance)? How can you know? What security-relevant things do you
want to happen, or not happen when you use such a website?
You might want:
 Privacy of your data
 Protection against phishing
 Integrity of your data
 Authentication
 Authorization
 Confidentiality
Non-repudiation
Availability
What else?
Which of these do you think fall under Information Assurance?
This course is about Information Assurance; so what is information? And How does information differ
from data?
“Information is data endowed with relevance and purpose. Converting data into information thus
requires knowledge. Knowledge by definition is specialized.” (Blyth and Kovacich, p. 17)
According to Raggad (pp. 14ff), the following are all distinct conceptual resources:
Data: raw facts with a known coding system
Information: processed data
Knowledge: accepted facts, principles, or rules of thumb that are useful for specific domains.
Knowledge can be the result of inferences and implications produced from simple information
facts.

2) Information Assurance
Information Assurance is such a broad field that there is no universally accepted definition. Researchers
often give their own spin to IA, usually reflecting their own concerns.

Different Views of IA
a. According to U.S. Department of Defense, Information Assurance (IA) is essentially protecting
information systems, and is often associated with the following five pillars:
1) availability,
2) integrity,
3) authentication,
4) confidentiality and
5) non-repudiation.
The following pillars can be applied in a variety of ways, depending on the sensitivity of the
information, or information systems within your organization. Currently, these five pillars are
used at the heart of the US Governments ability to conduct safe and secure operations in a
global environment.
1. Integrity
Integrity involves assurance that all information systems are protected and not tampered with.
IA aims to maintain integrity through means such as anti-virus software on all computer
system, and ensuring all staff with access to know how to appropriately use their systems to
minimize malware, or viruses entering information systems.
 IT Governance provides a variety of E-learning courses to improve staff awareness on topics
such as phishing and ransomware, as a means to reduce the likelihood of system being
breached, and data exposed.

2. Availability
Availability simply means those who need access to information, are allowed to access it.
Information should be available to only those who are aware of the risks associated with
information systems.

3. Authentication
Authentication involves ensuring those who have access to information, are who they say they
are. Ways of improving authentication involve methods such as two-factor authentication,
strong passwords, bio-metrics and other devices. Authentication may also be used to not only
identify users, but also other devices.

4. Confidentiality
IA involves the confidentiality of information, meaning only those with authorization may view
certain data. This step is closely mirrored by the six data processing principles of the General
Data Protection Regulation (GDPR), where by personal data must be processed in a secure
manner "using appropriate technical and oganizational measures" ("integrity and
confidentiality").

5. Nonrepudiation
The final pillar simply means someone with access to your organizations information system
cannot deny having completed an action within the system, as there should be methods in
place to prove that they did make said action.

b. According to Debra Herrmann (Complete Guide to Security and Privacy Metrics), IA should be
viewed as spanning four security engineering domains:
1. “Physical security refers to the protection of hardware, software, and data against
physical threats to reduce or prevent disruptions to operations and services and loss of
assets.”
2. “Personnel security is a variety of ongoing measures taken to reduce the likelihood and
severity of accidental and intentional alteration, destruction, misappropriation, misuse,
misconfiguration, unauthorized distribution, and unavailability of an organization’s
logical and physical assets, as the result of action or inaction by insiders and known
outsiders, such as business partners.”
3. “IT security is the inherent technical features and functions that collectively contribute
to an IT infrastructure achieving and sustaining confidentiality, integrity, availability,
accountability, authenticity, and reliability.”
4. “Operational security involves the implementation of standard operational security
procedures that define the nature and frequency of the interaction between users,
systems, and system resources, the purpose of which is to achieve and sustain a
known secure system state at all times, and prevent accidental or intentional theft,
release, destruction, alteration, misuse, or sabotage of system resources.”
The simple truth is that IT security cannot be accomplished in a vacuum, because there are a
multitude of dependencies and interactions among all four security engineering
domains.(Herrmann,p.10)
So threats/risks to IA should be considered along these dimensions as well.

Page 3 of 10
 c. According to Bel G. Raggad’s taxonomy of information security, a computing environment is
made up of five continuously interacting components:
• activities,
• people,
• data,
• technology,
• networks.

A comprehensive security plan must take all of these into account.

3) Information Systems
An asset is the resource being protected, including:
• physical assets: devices, computers, people.
• logical assets: information, data (in transmission, storage, or processing), and intellectual
property.
• System assets: any software, hardware, data, administrative, physical, communications,
or personnel resource within an information system.
5 Components of Information Systems
I. Hardware:
The term hardware refers to machinery. This category includes the computer itself (CPU) and
all of its support equipment. Among the support equipment are input and output devices,
storage devices and communications devices. Computer peripherals also include the other parts
such as keyboard, mouse, screen, printer for output of information and optical discs for storage
of data resources.
II. Software:

The concept of Software Resources includes all sets of information processing

instructions. This generic concept of software includes not only the sets of operating
instructions called programs, which direct and control computer hardware, but also the sets
of information processing instructions needed by people, called procedures.
It is important to understand that even information systems that don’t use computers
have a software resource component. This is true even for the information systems of ancient
times, or the manual and machine-supported information systems still used in the world
today.

They all require software resources in the form of information processing instructions
and procedures in order to properly capture, process, and disseminate information to their
users.

The following are the examples of software resources:

• System Software, such as an operating system program, which con controls and supports
the operations of a computer system.
• Application Software, which are programs that direct processing for a particular use of
computers by end users. Examples are a sales analysis program, a payroll program, and a
word processing program. phenomena or business transactions. For example, a spacecraft
launch or the sale of an automobile would generate a lot of data describing those events.

III. Data:
Data are facts that are used by programs to produce useful information. Like programs, data
are generally stored in machine-readable form on disk or tape until the computer needs them. It
must be managed effectively to benefit all end users in an organization. It can take many forms
from letters and numbers, sentences and paragraphs, images and audio sounds. . Data are raw
facts or observations, typically about physical

Information is data that have been converted into a meaningful and useful context for
specific end users. So, you should view information as processed data placed in a context that
gives it value for specific end users.
 Example:
Names, quantities, and money, amounts recorded on sales forms represent data about sales
transactions.
However, a sales manager may not regard these as information. Only after such facts are
properly organized and manipulated can meaningful sales information be furnished, specifying,
for example, the amount of sales by product type, sales territory, or salespersons.

IV. Networks:
A computer network is a collection of computers and other hardware interconnected by
communication channels that allow sharing of resources and information. Where at least one
process in one device is able to send/receive data to/from at least one process residing in a
remote device, then the two devices are said to be in a network.

Telecommunications networks like the Internet, intranets, and extranets have become
essential to the successful operations of all types of organizations and their computer-based
information systems. Telecommunications networks consist of computers, communications
processors, and other devices interconnected by communications media and controlled by
communications software. The concept of Network resources emphasizes that communications
networks are a fundamental resource component of all information systems. Network resources
include:

V. People:

Every Information System needs people if it is to be useful. Often the most over-looked
element of an information system is the people, probably the component that most influence the
success or failure of information systems. People are required for the operation of all information
systems and these people resources include end users and IS specialists.
• End users (also called users or clients) are people who use an information system or the
information it produces. They can be accountants, salespersons, engineers, clerks,
customers, or managers. Most of us are information system end users.
• IS Specialists are people who develop and operate information systems. They include
systems analysts, programmers, computer operators, and other managerial technical, and
clerical IS personnel. Briefly, systems analysts design information systems based on the
information requirements of end uses, programmers prepare computer programs based
on the specifications of systems analysts, and computer operators operate large computer
systems.

These components combine to make an efficient Information System if using any of these
elements it just would simply not work. Further post will include more examples of organizations
and a more practical outlook on Information Systems.

4) Security Threats in Information systems

4.1) Threat:
A threat is a category of entities, or a circumstance, that poses a potential danger to an asset
(through unauthorized access, destruction, disclosure, modification or denial of service).
i. Threats can be categorized by intent:
accidental or purposeful (error, fraud, hostile intelligence);
ii. Threats can be categorized by the kind of entity involved:
human (hackers, someone flipping a switch), processing (malicious code, sniffers),
natural (flood, earthquake).
iii. Threats can be categorized by impact:
type of asset, consequences.

Page 5 of 10
4.2) Classification of Security Threat in Information Systems (Proposed Model)
 4.3) Security threat source
A threat can be caused by internal, external or both external and internal entities. In this paper, we
focus only on a binary classification of the threats origin: internal or external, in order to localize the
origin (or source) of a threat.

4.3.1) Internal threats

Internal threats occur when someone has authorized access to the network with either an
account on a server or physical access to the network. A threat can be internal to the
organization as the result of employee action or failure of an organization process.

4.3.2. External threats

External threats can arise from individuals or organizations working outside of a company.
They do not have authorized access to the computer systems or network. The most obvious
external threats to computer systems and the resident data are natural disasters: hurricanes,
fires, floods and earthquakes. External attacks occur through connected networks (wired and
wireless), physical intrusion, or a partner network.

4.4) Threat agents

The threat agent is the actor that imposes the threat to the system.
We identified three classes for our specific classification: humans, natural disasters and technological
threats.
The proposed classification covers the full set of potential agents since we include humans, chemical and
physical reaction on human-made objects (technological), and, natural for all those agents on which
humans do not have any influence.

4.4.1) Human Threats

This class includes threats caused by human actions such as insiders or hackers which cause harm
or risk in systems.
4.4.2) Environmental factors
Environmental threats are threats caused by non human agent. It comes, first, from natural
disaster threats like earthquakes, flood, fire, lightning, wind or water and, also, due to animals and
wildlife which cause severe damage to information systems like floods, lightning, Tidal Waves (like
Tsunami) and fire. Indeed, this class includes other threats such as riots, wars, and terrorist attacks
[11].
4.4.3) Technological Threats
Technological threats are caused by physical and chemical processes on material. Physical
processes include the use of physical means to gain entry into restricted areas such as building,
compound room, or any other designated area like theft or damage of hardware and software.
However, chemical processes include hardware and software technologies. It, also, includes
indirect system support equipment like power supplies [11].

4.5) Threat motivation

Attackers normally have a specific goal or motive for an attack on a system. These goals can cause
malicious or non-malicious results.
4.5.1) Malicious threats consist of inside or outside attacks caused by employees or non-employees
to harm and disrupt an organization like viruses, Trojan horses, or worms.
4.5.2) Non-malicious attacks occur due to poor security policies and controls that allow
vulnerabilities and errors to take place. It is caused by ignorant employees with the aim not to
harm the system.

4.6) Threat intent

Threat intent represents the intent of the human who caused the threat:
4.6.1) Intentional Threats:
It represents threats that are result of a harmful decision.

Page 7 of 10
 For example computer crimes, or when someone purposely damages property or information.
Computer crimes include espionage, identity theft, child pornography, and credit card crime.

4.6.2) Unintentional Threats:

It represents threats that are introduced without awareness. These threats basically include the
unauthorized or accidental modification of software. Accidental error includes corruption of data
caused by programming error, user or operator error.

4.7) Threat impacts

In our model, a security threat can cause one or several damaging impacts to systems that we divide
them into seven types: Destruction of information, Corruption of information, Theft or loss of
information, Disclosure of information, denial of use, Elevation of privilege and Illegal usage:

4.7.1) Destruction of information:

Deliberate destruction of a system component to interrupt system operation.
4.7.2) Corruption of Information:
Any unauthorized alteration of files stored on a host computer or data in transit across a
network. It is also called as tampering of information that is the add, delete or modify target
system's memory, hard drives, and other part, such as the implantation of Trojan will lead to
changes, increasing hard disk file, the file-like virus invasion would lead to a corresponding file
changes. It can be caused by: spoof, malicious logic, falsification, repudiation.
4.7.3) Disclosure of Information:
The dissemination of information to anyone who is not authorized to access that information.
These threat actions can cause unauthorized disclosure: Exposure, interception, inference,
intrusion.
4.7.4) Theft of service:
The unauthorized use of computer or network services without degrading the service to other
users. It can result from: theft of service, theft of functionality, theft of data, software or/ and
hardware misuse, data misuse.
4.7.5) Denial of service:
The intentional degradation or blocking of computer or network resources.

4.7.6) Elevation of privilege: Use some means or the use of weaknesses in the system; get
permission to access the target system. Such as guessing passwords, set aside the back door
[3]. It is caused for instance by violation of permissions threats.

4.7.7) Illegal usage:

Use the normal function of the system to achieve the attacker's behavior for other purposes. For
example, an attacker uses the normal network connection to attack other systems, using
vulnerabilities through the normal system services to achieve attacker's aims.
4.8) Conclusion
Information security is a critical problem for individuals and organizations because it leads to
great financial losses. This work dealt with threat classification problem in order to find a generic and
flexible model that allows better understanding of the nature of threats in order to develop
appropriate strategies and information security decisions to prevent or mitigate their effects. Our
model is flexible, dynamic and multidimensional and meets all threats classification principles.
However, this model is limited to a binary decomposition of the sources of threats.

The paper presented a hybrid threat classification model that allows well defining and articulating
of threat characteristics. Indeed, it serves as a guideline to determine what kind of threats influence
our system and it assists with understanding the capabilities and selection of security decisions not
only by presenting threats techniques and their potential impacts in the same model but also by
combining all existing threats criteria. We envision the use of our threat classification model to
propose a Cyber Security Econometric Model and then apply it on practical application named a cloud
computing system.
 V. Learning Activities

Directions: In our day to day living, we deal with much information wherein sometimes they make us
happy or unhappy. As a third-year student, what are the security threats of information you handled or
you are handling that made you, making you or will make you sad? Classify your answer into Internal
and External threat. Present your answer using the fishbone diagram. Digitize your output by
converting it into photo and send it to our facebook group with the hashtags
#SecurityThreatofmyInformation and #activity1

Example: Internal Threat

Security threat in
Information
system

External Threat
VI. Supplemental content
Video Presentation:
Introduction to Computer Security - Information Security
By. Dr. Daniel Soper

https://youtu.be/zBFB34YGK1U

VII. Assessment

Direction: Study the following items and try answering them seriously. An online quiz similar to these items
will be announced through our facebook group later.
1. In information technology, a backup, or data backup is a copy of computer data taken and stored
elsewhere so that it may be used to restore the original after a data loss event. According to U.S.
Department of Defense what pillar of Information assurance is being ensured through file back-up?
a. Availability b. Authenticity
c. credibility d. Integrity
2. Why is it important to have a good understanding of Information Security policies and procedures?
A. Helps protect individuals from being victims of security incidents.
B. Provides an understanding of steps to follow in the event of a security incident
C. Helps to understand levels of responsibility
D. All of the above
3. Which of the following is a good way to create a password?
A. Your children's or pet's names
B. Using look-alike substitutions of numbers or symbols
C. A combination of upper and lowercase letters mixed with numbers and symbols
D. Using common names or words from the dictionary
4. When receiving an email from an unknown contact that has an attachment, you should:

Page 9 of 10
 A. Open the attachment to view its contents
B. Delete the email
C. Forward the email to your co-workers to allow them to open the attachment first
D. Forward the email to your personal email account so you can open it at home
5. Which of the following would be the best password?
A. MySecret b. Dp0si#Z$2
c. honey d. Keyboard
6. Which of the following life experiences might turn a trusted user into a malicious insider:
a. Frustration with co-workers b. Stress
c. Promotion d. Financial problems
7. What should you do if you think your password has been compromised?
a. Change your password
b. Report the incident to the proper authorities - such as a system administrator(s)
c. Check other systems that you have accounts on as they may be compromised as well
d. All the above
8. What is the biggest vulnerability to computer information security?
a. Instant Messaging, Peer-to-Peer (P2P) applications
b. Malware - virus, worms, spyware Spam,
c. Phishing attacks
d. End Users
9. What are the most important things you can do to secure your desktop PCs?
a. Turn on Automatic Updates b. Turn on Windows Firewall
c. Install Antivirus Software d. All of the above
e. None of the above
10. All of these are good physical security practices except?
a. Always wear your security badge when leaving work, even if just for a break. They should be worn
outside of the office in public so other people know where you work
b. Control access to your office by ensuring the door closes completely behind when entering and
exiting. Ensure that no one slips in behind you
c. When working in a public setting, prevent shoulder surfing by shielding your paperwork and
keyboard from view using your body
d. Follow the Clear Desk and Screen Policy. Store confidential and sensitive items in a secure place
11. What is the most important component of the Information Systems?
a. Hardware b. Software
c. data d. people/human
12 Which of the following is not considered as impact of threat in the information system?
a. Illegal usage b. Having healthy body
c. Corruption of Information c. Disclosure of Information
13. In order for Jeremy to protect the data stored in his smartphone, he enabled its security keys such as
facial recognition, pin code, password and google authenticator. What pillar of Information Assurance is
being practiced by Jeremy?
a. Availability b. Integrity
c. Authentication c. Nonrepudiation
14. What component of Information Assurance includes computer parts such as keyboard, mouse, screen,
printer for output of information and optical discs for storage of data resources.
a. Software b. Hardware
c. network d. data
15. During the typhoon “igmi” cell-sites or cell towers where destroyed which resulted temporary internet
connection lost. What threat of information system has resulted that inconvenience?
a. Corona virus b. Human Threats
c. Environmental factors d. Technological Threats