- fundamentals 
- definitions of a disaster
- Risk, Threat, Vulnerability explained
see also  
last updated 2014 Sept 15
This page is used in the following courses taught by Prof. Richardson:
BIT 801
MGD 415
MGD 426
  • understand that good security involves more than just prevention
  • identify what a company can do beyond prevention
    • detection
    • reaction
    • countermeasures
  • identify the risks of insecure systems faced by business partners
  • appreciate that business partners can pass on vulnerabilities to your clients
  • differentiate between the relative risk benefits of intranets, extranets and the Internet
  • understand the risk management paradigm and methodology
  • differentiate between control weakness and control risk
Q. Why is security so important in the age of the internet and computers?

A. Answer - magnitude

  • more damage can be done 
  • on a very large scale 
  • in a short period of time
Ghosh, in his 1998 book "E-commerce Security", said:
"A simple error in configuring a commerce site's server can lead to the compromise of thousands of credit card numbers".
http://www.counterpane.com/ Threat Modelling and Risk Assessment

In Bruce Schneier's book "Secrets & Lies: Digital Security in a Networked World" he explains that 

"Threat modeling is the first step in any security solution. It's a way to start making sense of the vulnerability landscape. What are the real threats against the system? If you don't know that, how do you know what kid of countermeasures to employ?"
Threat Modelling and Risk Assessment
- understanding that vulnerability can exist in many forms

In his books Schneier often uses silly examples to explain scenarios and processes. Several years ago he described how to steal pancakes, which was silly but provided an excellent way of explaining how vulnerability can exist in many forms; additionally, it shows that sometimes you can steal something of value without going anywhere near the transaction where the money changes hands.

Here is the pancake story repeated below.

"I find that the best security analysts are people who go through life finding the limitations of systems; they can’t help it. They can’t walk into a polling place without thinking about the security measures and figuring out ways that they can vote twice. They can’t use a telephone calling card without thinking about the possible anti-fraud mechanisms and how to get around them. These people don’t necessarily act on these thoughts--just because they found the blind spot in the store’s video surveillance system doesn’t mean they start shoplifting--but they can’t help looking."

"Threat modeling is a lot like this, and the only way to learn it is to do it. So let’s start by stealing some pancakes."
"Our goal is to eat, without paying, at the local restaurant. And we’ve got a lot of options. We can eat and run. We can pay with a fake credit card, a fake check, or counterfeit cash. We can convince another patron to leave the restaurant without eating and eat his food. We can impersonate a cook, a waiter, a manager, or the restaurant owner (who might be someone that few workers have ever met). We could snatch a plate off someone’s table before he eats it, or from under the heat lamps before the waiters can get to it. We can wait at the dumpster for the busboy to throw away the leftovers. We can pull the fire alarm and sneak in after everyone evacuates." 
" We can even try to convince the manager that we’re some kind of celebrity who deserves a free breakfast, or maybe we can find a gullible patron and convince him to pay for our food. We could mug someone, nowhere near the restaurant, and buy the pancakes. We can forge a coupon for free pancakes, and there’s the time-honored tradition of pulling a gun and saying “give me all your pancakes.”

"There are probably even more possibilities, but you get the idea. Looking at this list, most of the attacks have nothing to do with the point where money changes hands. This is interesting, because it means that securing the payment system does not prevent illicit pancake stealing."

permission to quote Bruce Schneier and to quote from his book dealt with in emails June 9th, 2006. Copies of emails kept in the permissions binder.

vulnerability can exist in many forms

One of the purposes of recounting Schneier's pancake-stealing story is to illustrate that one of the best ways to approach security is to use the powers of an overactive imagination to conceive of as many different, even weird, possibilities as could happen.

So one of the things I'm trying to do in this unit is give students a very long list of the risk and threat situations that can possibly happen, and discuss them, so that by being aware of such circumstances you may be better prepared to address them if a threat develops into an immediate risk.

If you can develop countermeasures and contingencies to protect against most of these possible threats, then it is unlikely you will be "surprised" by something that happens in the real world.

Cyber security is not always symmetrical
http://www.youtube.com/watch?v=l0JbPQBmUP0 Asymmetrical Cyber Security

from a speech given by Tim Richardson in 2013 to The Mackenzie Institute

http://vig.prenhall.com/catalog/academic/product/0,1144,0131866915,00.html What is a disaster

"A disaster is a disruption of normal business functions where the expected time for returning to normalcy would seriously impact the organization' s ability to maintain operations, including customer commitments and regulatory compliance"
Green Security Policies and Procedures Chpt 11, p. 352


- definitions

"A serious disruption of the functioning of a community or a society causing widespread human, material, economic or environmental losses which exceed the ability of the affected community or society to cope using its own resources."
from www.unisdr.org/eng/library/
the United Nations
International Strategy for Disaster Reduction

"Electronic Commerce":
Greenstein & Feinman, (1st Edition) Chpt 5 The Risks of Insecure Systems, page 133
Greenstein & Vasarhelyi, (2nd Edition) Chpt 7 The Risks of Insecure Systems, page 215

the powerpoints for Chpt 5 (1st Ed) can be obtained from

Before you begin reading Chapter 5 (7) in the Greenstein book, it would be a good idea to go to the website for the book and scan through the online list of "Key Terms"

the "glossary" is at http://www.mhhe.com/business/accounting/greenstein/keyterms.mhtml#five

What is a Risk

- definitions

"The probability of harmful consequences, or expected losses (deaths, injuries, property, livelihoods, economic activity disrupted or environment damaged) resulting from interactions between natural or human-induced hazards and vulnerable conditions."
from www.unisdr.org/eng/library/
the United Nations
International Strategy for Disaster Reduction

"The potential danger that threatens to harm or destroy an object, event, or person."
the Legal Encyclopedia

(Greenstein text: Chpt 5, 1st Edition, page 133; Chpt 7, 2nd Edition)



Overview of Risks Associated with Internet Transactions
  • Internet Associated Risks
    • Risks to Customers
      • False or Malicious Websites (p. 218 2nd Edition)
        • Stealing visitors' IDs and passwords
        • Stealing visitors' credit card information
        • "man-in-the-middle" attacks to monitor a visitor's activity
        • Spying on a visitor's hard drive
        • Uploading files from the visitor's hard drive
      • Theft of Customer Data
        • from Selling Agents
        • from ISPs
      • Cookies (see special section) p. 220-222   2nd ed.
      • Web Bugs
        • embedded within the HTML code on a page (typically an invisible image fetched from a tracking server)
        • used to track a visitor's online movements
        • unlike cookies, cannot be turned off in the browser's cookie settings; only blocking third-party images or the tracking host prevents them
    • Risks to Selling Agents and Vendors, p. 223   2nd ed.
      • customer impersonation
        • used to obtain products and services without paying
        • also used to create negative publicity situations
      • Denial of service (DoS) attacks,  p. 224   2nd ed
        • explanation of ping flooding (overwhelming a host with ICMP echo requests)
        • SYN flooding (filling the server's half-open connection table with handshakes that are never completed)
  • Intranet Associated Risks
    • Sabotage by Employees
      • former employees
      • threats from current employees
      • social engineering
  • B2B Risks
    • risks associated with transactions between business partners
      • Data Interception
  • Archives
    • risks associated with confidentially-maintained archival, master file and reference data
  • Viruses
    • risks associated with viruses and malicious code
      - see our unit  www.witiger.com/ecommerce/viruses.htm
      • trojan horses
      • hoaxes
      • buffer overflows
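The "Web Bugs" item above says a web bug is embedded in the page's HTML and cannot be switched off the way cookies can. The following Python is an added example, not from the Greenstein text or from this page, showing what such a beacon looks like and how a scanner can pick it out of a page: it walks the HTML with the standard library parser and reports any image that is invisible to the visitor (1x1, 0x0 or hidden by style) and fetched from a host other than the page's own, along with any identifiers carried in its query string. The sample HTML, the host names shop.example, tracker.example and ads.example, and the uid= parameter are all constructed for the example.

```python
"""Find web bugs (tracking pixels) embedded in a page's HTML.

Added example for this page, not from the Greenstein text. It treats a
'web bug' as an <img> that the visitor cannot see (1x1 or 0x0, or hidden by
style) and whose src points at a host other than the page's own. The sample
page and all host names below are constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

SAMPLE_PAGE_HOST = "shop.example"  # assumed first-party host

SAMPLE_HTML = """
<html><body>
<h1>Welcome to our shop</h1>
<img src="/images/logo.png" width="200" height="60" alt="logo">
<img src="https://tracker.example/pixel.gif?uid=4f9a2c&page=home" width="1" height="1">
<img src="https://ads.example/b.gif" style="display:none;width:0;height:0">
<img src="https://cdn.shop.example/banner.jpg" width="468" height="60">
</body></html>
"""


def _is_invisible(attrs):
    """True if the image is sized or styled so the visitor cannot see it."""
    w = attrs.get("width", "").strip()
    h = attrs.get("height", "").strip()
    if w in ("0", "1") and h in ("0", "1"):
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or ("width:0" in style and "height:0" in style)
    )


class WebBugFinder(HTMLParser):
    """Collects third-party invisible images while the page is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.bugs = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if not src:
            return
        parsed = urlparse(src)
        # A relative src is served by the page's own host.
        host = (parsed.hostname or self.page_host).lower()
        first_party = host == self.page_host or host.endswith("." + self.page_host)
        if not first_party and _is_invisible(a):
            self.bugs.append({
                "host": host,
                "src": src,
                # Query parameters are where the tracker carries its identifiers.
                "identifiers": {k: v[0] for k, v in parse_qs(parsed.query).items()},
            })


def find_web_bugs(html, page_host):
    """Return a list of {host, src, identifiers} for each web bug in `html`."""
    finder = WebBugFinder(page_host)
    finder.feed(html)
    return finder.bugs


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_HOST):
        print(f"web bug -> {bug['host']} params={bug['identifiers']}")
```

The defence follows from the detection rule: a browser or proxy that refuses third-party image loads (or the named tracking host) never sends the request, so the tracker learns nothing; cookie settings alone do not help, because the beacon needs no cookie to report the visit.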



Principles of Information Security
by Michael Whitman and Herbert Mattord
Chpt 2 The Need for Security
This chapter provides an excellent list of all the types of things that can go wrong with IT security.


A summary of the Threats described in Chpt 2 is listed below

Five groups of "real and present" danger

  • Inadvertent acts (malicious intent is absent)
    • Human error or failure of the product/system to operate
    • Deviations in quality of service by service providers
  • Deliberate acts
    • Competitive Intelligence
    • Industrial Espionage
    • Trespass
      • hacking
    • Information extortion
    • Sabotage and vandalism
    • Theft
    • Software attacks
      • Denial-of-service (DoS) attacks
      • Virus attacks
        • Trojan Horse
        • Worms
    • Compromises to Intellectual Property
  • Acts of God
    • Forces of Nature
      • Fire
      • Flood
      • Earthquake
      • Lightning
      • Tornado / Hurricane
  • Technical failures
    • Hardware Failures
    • Software Failures
  • Management failures
    • Technological Obsolescence
    • Ignoring SOPs (Standard Operating Procedures)
    • Errors in judgement
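Both outlines above list denial of service, and the Greenstein chapter names SYN flooding in particular. The following Python is an added example, not taken from either textbook: it runs a simple half-open-connection count over constructed connection records. The record layout (timestamp, source IP, destination IP, destination port, TCP flags; client-to-server segments only) is an assumption made for this example, as are the addresses. A legitimate client follows its SYN with an ACK to finish the handshake; a flooding source sends a SYN and never completes it, so a service whose SYNs are mostly left half-open is flagged.

```python
"""Spot a SYN flood from connection-attempt records.

Added example for this page; it is not taken from the Greenstein or the
Whitman & Mattord text. The record layout is an assumption made for the
example: one line per client-to-server TCP segment, as
"<timestamp> <src ip> <dst ip> <dst port> <flags>", where flags is S for SYN
and A for ACK. All records below are constructed.
"""
from collections import defaultdict

# Three normal clients: each SYN is followed by the client's ACK.
LEGIT = """\
1000.00 10.0.0.5 203.0.113.10 443 S
1000.05 10.0.0.5 203.0.113.10 443 A
1000.10 10.0.0.6 203.0.113.10 443 S
1000.14 10.0.0.6 203.0.113.10 443 A
1000.20 10.0.0.7 203.0.113.10 80 S
1000.26 10.0.0.7 203.0.113.10 80 A
"""
# Forty spoofed sources hit port 80 with one SYN each and never answer the
# SYN-ACK, so every one of them leaves a half-open connection on the server.
FLOOD = "".join(
    f"{1001 + i * 0.01:.2f} 198.51.100.{i} 203.0.113.10 80 S\n" for i in range(1, 41)
)
SAMPLE_LOG = LEGIT + FLOOD


def parse(lines):
    """Yield (timestamp, src, dst, port, flags) tuples, skipping blank/comment lines."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, flags = line.split()
        yield float(ts), src, dst, int(port), flags


def half_open_by_service(records, window=5.0):
    """Return {(dst, port): (half_open, total_syns)}.

    A SYN counts as half-open when the same source sends no ACK to the same
    service within `window` seconds of it.
    """
    syns = defaultdict(list)
    acks = defaultdict(list)
    for ts, src, dst, port, flags in records:
        key = (src, dst, port)
        if "S" in flags and "A" not in flags:
            syns[key].append(ts)
        elif "A" in flags:
            acks[key].append(ts)

    counts = defaultdict(lambda: [0, 0])  # (dst, port) -> [half_open, total]
    for (src, dst, port), syn_times in syns.items():
        ack_times = acks.get((src, dst, port), [])
        for t in syn_times:
            counts[(dst, port)][1] += 1
            if not any(t <= a <= t + window for a in ack_times):
                counts[(dst, port)][0] += 1
    return {k: (v[0], v[1]) for k, v in counts.items()}


def detect_syn_flood(lines, threshold=20, min_ratio=0.8):
    """Return [(dst, port, half_open, total)] for services that look flooded:
    at least `threshold` half-open SYNs and at least `min_ratio` of SYNs unfinished."""
    alerts = []
    for (dst, port), (half_open, total) in half_open_by_service(parse(lines)).items():
        if half_open >= threshold and half_open / total >= min_ratio:
            alerts.append((dst, port, half_open, total))
    return sorted(alerts)


if __name__ == "__main__":
    for dst, port, half_open, total in detect_syn_flood(SAMPLE_LOG.splitlines()):
        print(f"SYN flood suspected on {dst}:{port}: {half_open}/{total} handshakes never completed")
```

The thresholds (20 half-open connections, 80% of SYNs unfinished) are illustrative and would be tuned per service on a real sensor. Note what the spoofed source addresses in the sample imply: blocking by source is useless, which is why the practical defence is SYN cookies or rate limiting on the server itself rather than a firewall rule against particular senders.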
We have a CD with the PowerPoints for this book, and the PowerPoint for Chpt 2 is available at the link below

Chpt 3 - Types of Frauds

In addition to the resources of the National Consumers League, you can also access the web page of the National Fraud Information Center (NFIC). The NFIC also has a special section on its web site dealing with Internet fraud.
In their own words: "Internet Fraud Watch was launched in March of 1996 enabling the NFIC to expand its services to help consumers distinguish between legitimate and fraudulent promotions in cyberspace and route reports of suspected fraud to the appropriate law enforcement agencies."
The NFIC web site is very extensive and you should spend some time looking at the various links and reading about some of the types of scams and frauds.

They also have an "Internet Tips" page which is simply worded, but useful.

You could earn some class contribution points by thoroughly reviewing this site and picking out some additional information which could be added to this page.

http://www.stac.state.tx.us/IRAPC/practices/ State of Texas
Department of Information Resources

Practices for Protecting Information Resources Assets
originally from www.stac.state.tx.us/IRAPC/practices/


"guidelines are intended to assist agencies and institutions of higher education to achieve the goal of acceptable information resources risk management"

Part 1 – Main Body of Report – 76 pages, 6 MS Word files

    Chapter 1. Establishing an Information Security Policy
    Chapter 2. Identifying Critical Information Assets and Risks
    Chapter 3. Tools and Practices for Critical Information Asset Protection
    Chapter 4. Security Incident Planning

Part 2 – Appendices – 144 pages, 22 MS Word files

    Appendix A-1. Bibliography
    Appendix A-2. Glossary – 66 pages – recommended
    Appendix B-1. Additional References and Sources
    Appendix C-1. Example of Virus Handling Procedures
    Appendix C-2. Perspective: Malicious Code and Other Security Threats
    Appendix D-1. Checklist for Outsourcing Contracts
    Appendix E-1. What to Do if You Think Your Installation Has Been Hacked
    Appendix E-2. DoS Defense
    Appendix E-3. Recipe for Developing a Successful Incident Handling Plan
    Appendix E-4. Example of Agency Incident Response Plan
    Appendix E-5. Emergency Steps for Incident Response
    Appendix E-6. IDS Product Evaluation Criteria
    Appendix E-7. Disruption Defense; Mitigation Checklist
    Appendix F-1. LAN Security Checklist
    Appendix G-1. Considering an Extranet?
    Appendix H-1. Protecting Your Password
    Appendix I-1. Low-Cost/No-Cost Computer Security Measures
    Appendix J-1. A Snapshot in Time: Where are the Vulnerabilities Now?
    Appendix J-2. Risk Analysis and Assessment
    Appendix J-3. Automation Controls Self-Assessment Guide
    Appendix K-1. Implementation of Transaction Safeguards
    Appendix K-2. Questions to Consider When Assessing Transaction Security Risks

the National Consumers League (Chpt 3, page 24)
It would be very worthwhile for students to spend some time on this site, since it has some links and tips that are helpful
