by The Open University
Seen in the way we have just defined it, information is a valuable asset. Information security protects information (and the facilities and systems that store, use and transmit it) from a wide range of threats, in order to preserve its value to an organisation.
This definition of information security is adapted from that of the American National Security Telecommunications and Information Systems Security Committee (NSTISSC).
There are two important characteristics of information that determine its value to an organisation:
the scarcity of the information outside the organisation;
the shareability of the information within the organisation, or some part of it.
Simplifying somewhat, these characteristics state that information is valuable only if it gives those who hold it an advantage or utility over those who do not.
Thus the value of any piece of information depends on its levels of shareability and scarcity. The aim of information security is to preserve the value of information by ensuring that these levels are correctly identified and then maintained.
Threats to information affect the organisation's ability to share it internally or to keep it scarce externally. When a threat is realised, the cost can run to millions in compensation and lost reputation, and may even jeopardise an institution's ability to survive. The following examples show how an organisation has been damaged either by making available information that should have been kept scarce, or by restricting information that should have been shareable.
Softbank of Japan offers broadband internet services across Japan through two subsidiaries, Yahoo! BB and Softbank BB. In February 2004, the company announced that the security of 4.5 million customer records had been compromised: data from both subsidiaries had been illegally copied and disseminated. The leaked details included customer names, home phone numbers, addresses and email IDs, but did not include passwords, access logs or credit card details.
Softbank became aware of the problem only when they were approached by two groups of extortionists. The criminals produced apparently genuine customer data and threatened that all of the data would be posted to the internet if they were not paid a large sum of money.
Japanese police made three arrests but suspected that there may have been connections to organised crime and the political far-right. Remarkably, the police concluded that there had in fact been two simultaneous yet independent extortion attempts against Softbank, both of them masterminded by employees of the company. All of the people accused of extortion had been authorised to access the customer data; but it appeared that Softbank had inadequate procedures to protect against its unwarranted copying and dissemination. Authorisation to view a record is not the same as authorisation to copy it in bulk, and a control that checks only the former will not detect this kind of insider misuse.
The company immediately announced a tightening of security, further restricting access to its systems and enforcing tighter security across all of its subsidiaries. Profuse apologies were offered to the affected customers and ¥4 billion (£20 million) was paid in compensation. Furthermore, Softbank BB's president, Masayoshi Son, announced that he and other senior executives would take a 50 per cent pay cut for the next six months.
In this example, the threat was to reduce the value of an organisation by revealing information that should have been a well-kept secret: scarce within the organisation (limited to those who needed it) as well as scarce outside it. It cost the company £20 million in compensation and damaged its reputation.
In October 2002, the University of California, San Francisco (UCSF) Medical Center received an email message from someone who claimed to be a doctor working in Pakistan and who threatened to release patient records onto the internet unless money owing to her was paid. Several confidential medical transcripts were attached to the email.
UCSF staff were mystified; they had no dealings in Pakistan and certainly did not employ the person who sent the email. The Medical Center began an immediate investigation, concentrating on their transcription service, which had been outsourced to Transcription Stat, based in nearby Sausalito. It transpired that Transcription Stat farmed out work to some fifteen subcontractors scattered across America. One of these subcontractors was Florida-based Sonya Newburn, who in turn employed further subcontractors, including one Tom Spires of Texas. No one at Transcription Stat realised that Spires also employed his own subcontractors, including the sender of the email. The sender alleged that Spires owed her money, and had not paid her for some time.
Newburn eventually agreed to pay the $500 that the email sender claimed was owed to her. In return the sender informed UCSF that she had had no intention of publicising personal information and had destroyed any records in her care. Of course, there is no way to prove that the records have actually been destroyed.
Naturally, you would not wish your own medical records to be publicised: they should be scarce. This threat cost the organisation little in money terms, but how much in reputation? Just what is a reputation worth? Or, to put it another way, how much is it worth paying in information security to protect a reputation?
In May 2000, Timothy Lloyd was found guilty of causing between $10 million and $12 million worth of damage to Omega Engineering, an American precision engineering company whose clients included the US Navy and NASA. Lloyd had been employed by Omega for 11 years, rising to the post of system administrator, and was responsible not only for the day-to-day operation of the company's computers but also for their disaster-recovery process.
In 1996, Lloyd became aware that he was about to be sacked and wrote a logic bomb (a six-line destructive program) which he installed on Omega's servers. Ten days later, Lloyd was dismissed and his logic bomb went off, destroying company contracts and the proprietary software used by Omega's manufacturing tools. Although Omega had instituted a backup procedure, Lloyd's account privileges had allowed him to disable these recovery systems. A backup that the same privileged account can switch off offers no protection against the holder of that account, which is why the roles of operating a system and safeguarding its recovery should not rest with one person. The damage done by his logic bomb was permanent.
When the logic bomb 'exploded' it wiped out information that the company needed in order to operate. As a result of lost business, Omega was forced to lay off some 80 employees and found itself rewriting the very software that had once given it a competitive edge over its rivals. In effect, what Lloyd managed to do, in the most decisive way possible, was to prevent vital information from being shared.
Read the Foreword to IT Governance: A Manager's Guide to Data Security & BS 7799/ISO 17799 (the Set Book), written by Nigel Turnbull.
(a) Write down the three reasons Turnbull gives for companies recognising the need to protect information.
(b) Write down two of the ways in which this unit should be valuable to you and your own organisation.
You may wish to discuss your answer to (b) with other learners, using the unit forum.
(a) The three reasons are:
organisations working in a high-technology environment depend more and more on their information systems;
the public is increasingly concerned about the proper use of information;
threats to information systems from criminals and terrorists are increasing.
(b) You may consider that one or more of the three reasons given in the answer to (a) applies to your organisation, in which case your studies in this unit may be an attempt (by you or your organisation) to learn more about information security. Professional thinking about information security and its management, the focus of this unit, may help your organisation assess potential threats to its valuable information. And thinking about the information that is important to your organisation will raise awareness of the value that resides there, and start the important process of protecting that value.
Original Copyright © 2007 The Open University. Now made available within the Creative Commons framework under the CC Attribution – Non-commercial licence (see http://creativecommons.org/by-nc-sa/2.0/uk/).