Oper Excell 3
Chapter 5: Networking and Communication
Learning Objectives
Upon successful completion of this chapter, you will be
able to:
• understand the history and development of
networking technologies;
• define the key terms associated with networking
technologies;
• understand the importance of broadband
technologies; and
• describe organizational networking.
Introduction
In the early days of computing, computers were seen as devices
for making calculations, storing data, and automating business
processes. However, as the devices evolved, it became apparent that
many of the functions of telecommunications could be integrated
into the computer. During the 1980s, many organizations began
Chapter 5: Networking and Communication | 99
combining their once-separate telecommunications and
information systems departments into an Information Technology
(IT) department. This ability for computers to communicate with
one another and to facilitate communication between individuals
and groups has had a major impact on the growth of computing over
the past several decades.
Computer networking began in the 1960s with the birth of the
Internet. However, while the Internet and web were evolving,
corporate networking was also taking shape in the form of local
area networks and client-server computing. The Internet went
commercial in 1994 as technologies began to pervade all areas of the
organization. Today it would be unthinkable to have a computer that
did not include communications capabilities. This chapter reviews
the different technologies that have been put in place to enable this
communications revolution.
A Brief History of the Internet
In the Beginning: ARPANET
The story of the Internet, and networking in general, can be traced
back to the late 1950s. The United States was in the depths of the
Cold War with the USSR as each nation closely watched the other
to determine which would gain a military or intelligence advantage.
In 1957, the Soviets surprised the U.S. with the launch of Sputnik,
propelling us into the space age. In response to Sputnik, the U.S.
Government created the Advanced Research Projects Agency
(ARPA), whose initial role was to ensure that the U.S. was not
surprised again. It was from ARPA, now called DARPA
((Defense Advanced Research Projects Agency), that the Internet
first sprang.
100 | Information Systems for Business and Beyond (2019)
ARPA was the center of computing research in the 1960s, but
there was just one problem. Many of the computers could not
communicate with each other. In 1968 ARPA sent out a request
for proposals for a communication technology that would allow
different computers located around the country to be integrated
together into one network. Twelve companies responded to the
request, and a company named Bolt, Beranek, and Newman (BBN)
won the contract. They immediately began work and were able to
complete the job just one year later.
ARPA Net 1969 Professor Len Kleinrock of UCLA along with a group of graduate
students were the first to successfully send a transmission over
the ARPANET. The event occurred on October 29, 1969 when they
attempted to send the word “login” from their computer at UCLA to
the Stanford Research Institute. You can read their actual notes. The
first four nodes were at UCLA, University of California, Stanford,
and the University of Utah.
Chapter 5: Networking and Communication | 101
The Internet and the World Wide Web
Over the next decade, the ARPANET grew and gained popularity.
During this time, other networks also came into existence. Different
organizations were connected to different networks. This led to a
problem. The networks could not communicate with each other.
Each network used its own proprietary language, or protocol (see
sidebar for the definition of protocol) to send information back and forth. This problem was solved by the invention of Transmission
Control Protocol/Internet Protocol (TCP/IP). TCP/IP was designed
to allow networks running on different protocols to have an
intermediary protocol that would allow them to communicate. So
as long as your network supported TCP/IP, you could communicate
with all of the other networks running TCP/IP. TCP/IP quickly
became the standard protocol and allowed networks to
communicate with each other. It is from this breakthrough that we
first got the term Internet, which simply means “an interconnected network of networks.”
Sidebar: An Internet Vocabulary Lesson
Network communication is full of some very technical concepts
based on simple principles. Learn the following terms and you’ll be
able to hold your own in a conversation about the Internet.
• Packet The fundamental unit of data transmitted over the Internet. When a host (PC, workstation, server, printer, etc.)
intends to send a message to another host (for example, your
PC sends a request to YouTube to open a video), it breaks the
message down into smaller pieces, called packets. Each packet
has the sender’s address, the destination address, a sequence
102 | Information Systems for Business and Beyond (2019)
number, and a piece of the overall message to be sent.
Different packets in a single message can take a variety of
routes to the destination and they can arrive at different times.
For this reason the sequence number is used to reassemble the
packets in the proper order at the destination.
• Switch A network device that connects multiple hosts together and forwards packets based on their destination within the
local network which is commonly known as a Local Area
Network (LAN).
• Router A device that receives and analyzes packets and then routes them towards their destination. In some cases a router
will send a packet to another router. In other cases it will send
it directly to its destination. Routers are used to connect one
network to another network.
• IP Address Every device on the Internet (personal computer, a tablet, a smartphone, etc.) is assigned a unique identifying
number called an IP (Internet Protocol) address. Originally, the
IPv4 (version 4) standard was used. It had a format of four
numbers with values ranging from 0 and 255 separated by a
period. For example, the domain Dell.com has the IPv4 address
107.23.196.166. The IPv4 standard has a limit of 4,294,967,296
possible addresses. As the use of the Internet has grown, the
number of IP addresses needed has increased to the point
where the use of IPv4 addresses will be exhausted. This has led
to the new IPv6 standard.The IPv6 standard is formatted as
eight groups of four hexadecimal digits, such as
2001:0db8:85a3:0042:1000:8a2e:0370:7334. The IPv6 standard
has a limit of 3.4×1038 possible addresses. For example, the
domain LinkedIn.com has an IPv6 address of:
[2620:109:c002::6cae:a0a]. You probably noticed that the
address has only five groups of numbers. That’s because IPv6
allows the use of two semi-colons ( :: ) to indicate groups that
are all zeroes and do not need to be displayed. For more detail
about the IPv6 standard, see this Wikipedia article.
• Domain name If you had to try to remember the IP address of
Chapter 5: Networking and Communication | 103
every web site you wanted to access, the Internet would not be
nearly as easy to use. A domain name is a human-friendly
name, convenient for remembering a website. These names
generally consist of a descriptive word followed by a dot
(period) and the Top-Level Domain (TLD). For example,
Wikipedia’s domain name is wikipedia.org. Wikipedia describes
the organization and .org is the TLD. Other well-known TLDs
include .com, .net, and .gov. For a list and description of top level domain names, see this Wikipedia article.
• DNS DNS stands for “domain name server or system.” DNS acts as the directory of websites on the Internet. When a request to
access a host with a domain name is given, a DNS server is
queried. It returns the IP address of the host requested,
allowing for proper routing.
• Packet-switching When a message’s packets are sent on the Internet, routers try to find the optimal route for each packet.
This can result in packets being sent on different routes to
their destination. After the packets arrive they are re-
assembled into the original message for the recipient. For
more details on packet-switching, see this interactive web
page.
• Protocol A protocol is the set of rules that govern how communications take place on a network. For example, File
Transfer Protocol (FTP) are the communication rules for
transferring files from one host to another. TCP/IP, discussed
earlier, is known as a protocol suite since it contains numerous
protocols.
104 | Information Systems for Business and Beyond (2019)
Internet Users Worldwide, December 2017.
(Public Domain. Courtesy of the Miniwatts Marketing Group) The 1980s witnessed a significant growth in Internet
usage. Internet access came primarily from government, academic,
and research organizations. Much to the surprise of the engineers,
the early popularity of the Internet was driven by the use of
electronic mail (see the next sidebar ).
Initially, Internet use meant having to type commands, even
including IP addresses, in order to access a web server. That all
changed in 1990 when Tim Berners-Lee introduced his World Wide
Web project which provided an easy way to navigate the Internet
through the use of hypertext. The World Wide Web gained even more steam in 1993 with the release of the Mosaic browser which
allowed graphics and text to be combined as a way to present
information and navigate the Internet.
The Dot-Com Bubble
In the 1980s and early 1990s, the Internet was being managed by
the National Science Foundation (NSF). The NSF had restricted
commercial ventures on the Internet, which meant that no one
could buy or sell anything online. In 1991, the NSF transferred its
role to three other organizations, thus getting the US government
out of direct control over the Internet and essentially opening up
commerce online.
This new commercialization of the Internet led to what is now
known as the dot-com bubble. A frenzy of investment in new dot-
Chapter 5: Networking and Communication | 105
com companies took place in the late 1990s with new tech
companies issuing Initial Public Offerings (IPO) and heating up the
stock market. This investment bubble was driven by the fact that
investors knew that online commerce would change everything.
Unfortunately, many of these new companies had poor business
models and anemic financial statements showing little or no profit.
In 2000 and 2001, the bubble burst and many of these new
companies went out of business. Some companies survived,
including Amazon (started in 1994) and eBay (1995). After the dot-
com bubble burst, a new reality became clear. In order to succeed
online, e-business companies would need to develop business
models appropriate for the online environment.
Web 2.0
In the first few years of the World Wide Web, creating and hosting a
website required a specific set of knowledge. A person had to know
how to set up a web server, get a domain name, create web pages in
HTML, and troubleshoot various technical issues.
Starting in the early 2000s, major changes came about in how the
Internet was being used. These changes have come to be known as
Web 2.0. Here are some key characteristics in Web 2.0.
• Universal access to Apps
• Value is found in content, not display software
• Data can be easily shared
• Distribution is bottom up, not top down
• Employees and customers can use access and use tools on
their own
• Informal networking is encouraged since more contributors
results in better content
• Social tools encourage people to share information 1
106 | Information Systems for Business and Beyond (2019)
Social networking, the last item in the list, has led to major
changes in society. Prior to Web 2.0 major news outlets investigated
and reported important news stories of the day. But in today’s world
individuals are able to easily share their own views on various
events. Apps such as Facebook, Twitter, Youtube, and personal blogs
allow people to express their own viewpoint.
Sidebar: E-mail Is the “Killer” App for the Internet
As discussed in chapter 3, a “killer app” is a use of a device that
becomes so essential that large numbers of people will buy the
device just to run that application. The killer app for the personal
computer was the spreadsheet, enabling users to enter data, write
formulas, and easily make “what if” decisions. With the introduction
of the Internet came another killer app – E-mail.
The Internet was originally designed as a way for the Department
of Defense to manage projects. However, the invention of electronic
mail drove demand for the Internet. While this wasn’t what
developers had in mind, it turned out that people connecting with
people was the killer app for the Internet. As we look back today, we
can see this being repeated again and again with new technologies
that enable people to connect with each other.
Sidebar: The Internet and the World Wide Web
1. [1]
Chapter 5: Networking and Communication | 107
Are Not the Same Thing
Many times the terms “Internet” and “World Wide Web,” or even
just “the web,” are used interchangeably. But really, they are not the same thing.
The Internet is an interconnected network of networks. Services such as email, voice and video, file transfer, and the World Wide
Web all run across the Internet.The World Wide Web is simply one part of the Internet. It is made up of web servers that have HTML
pages that are being viewed on devices with web browsers.
The Growth of High Speed Internet
In the early days of the Internet, most access was accomplished via
a modem over an analog telephone line. A modem was connected
to the incoming phone line when then connected to a computer.
Speeds were measured in bits-per-second (bps), with speeds
growing from 1200 bps to 56,000 bps over the years. Connection to
the Internet via modems is called dial-up access. As the web became more interactive, dial-up hindered usage when users wanted to
transfer more and more data. As a point of reference, downloading
a typical 3.5 MB song would take 24 minutes at 1200 bps and 2
minutes at 28,800 bps.
High speed Internet speeds, by definition, are a minimum of
256,000 bps, though most connections today are much faster,
measured in millions of bits per second (megabits or Mbps) or even
billions (gigabits). For the home user, a high speed connection is
usually accomplished via the cable television lines or phone lines
using a Digital Subscriber Line (DSL). Both cable and DSL have
similar prices and speeds, though price and speed can vary in local
communities. According to the website Recode, the average home
108 | Information Systems for Business and Beyond (2019)
broadband speed ranges from 12 Mbps and 125 Mbps.2
Telecommunications companies provide T1 and T3 lines for greater
bandwidth and reliability.
High speed access, also known as broadband, is important
because it impacts how the Internet is used. Communities with
high speed Internet have found residences and businesses increase
usage of digital resources. Access to high speed Internet is now
considered a basic human right by the United Nations, as declared
in their 2011 statement:
“Broadband technologies are fundamentally transforming the way
we live,” the Broadband Commission for Digital Development, set up
in 2017 by the UN Educational Scientific and Cultural Organization
(UNESCO) and the UN International Telecommunications Union
(ITU), said in issuing “The Broadband Challenge” at a leadership
summit in Geneva.
“It is vital that no one be excluded from the new global knowledge
societies we are building. We believe that communication is not just
a human need – it is a right.”3
Wireless Networking
Thanks to wireless technology, access to the Internet is virtually
everywhere, especially through a smartphone.
Wi-Fi
Wi-Fi takes an Internet signal and converts it into radio waves.
2. [2]
3. [3]
Chapter 5: Networking and Communication | 109
These radio waves can be picked up within a radius of
approximately 65 feet by devices with a wireless adapter. Several
Wi-Fi specifications have been developed over the years, starting
with 802.11b in 1999, followed by the 802.11g specification in 2003
and 802.11n in 2009. Each new specification improved the speed and
range of Wi-Fi, allowing for more uses. One of the primary places
where Wi-Fi is being used is in the home. Home users access Wi-Fi
via in-home routers provided by the telecommunications firm that
services the residence.
Mobile Network
As the cellphone has evolved into the smartphone, the desire for
Internet access on these devices has led to data networks being
included as part of the mobile phone network. While Internet
connections were technically available earlier, it was really with
the release of the 3G networks in 2001 (2002 in the US) that
smartphones and other cellular devices could access data from the
Internet. This new capability drove the market for new and more
powerful smartphones, such as the iPhone, introduced in 2007. In
2011, wireless carriers began offering 4G data speeds, giving the
cellular networks the same speeds that customers were accustomed
to getting via their home connection.
Beginning in 2019, some part of the world began seeing the
implementation of 5G communication networks. Speeds associated
with 5G will be greater than 1 GB/second, providing connection
speeds to handle just about any type of application. Some have
speculated that the 5G implementation will lead households to
eliminate the purchase of wired Internet connections for their
homes, just using 5G wireless connections instead.
110 | Information Systems for Business and Beyond (2019)
3G, 4G, and 5G Comparison
3G 4G 5G
Deployed 2004-2005 2006-2010 By 2020
Bandwidth 2 mbps 200 mbps > 1 gbps,
Service
Integrated high-quality audio, video and data
Dynamic information access, variable devices
Dynamic information access, variable devices with all capabilities
(James Dean, Raconteur, December 7, 2014) 4
Sidebar: Why Doesn’t My Cellphone Work When I Travel Abroad?
As mobile phone technologies have evolved, providers in different
countries have chosen different communication standards for their
mobile phone networks. There are two competing standards in the
US: GSM (used by AT&T and T-Mobile) and CDMA (used by the
other major carriers). Each standard has its pros and cons, but
the bottom line is that phones using one standard cannot easily
switch to the other. This is not a big deal in the US because mobile
networks exist to support both standards. But when traveling to
other countries, you will find that most of them use GSM networks.
The one exception is Japan which has standardized on CDMA. It is
possible for a mobile phone using one type of network to switch
to the other type of network by changing out the SIM card, which
controls your access to the mobile network. However, this will not
4. [4]
Chapter 5: Networking and Communication | 111
work in all cases. If you are traveling abroad, it is always best to
consult with your mobile provider to determine the best way to
access a mobile network.
Bluetooth
While Bluetooth is not generally used to connect a device to the
Internet, it is an important wireless technology that has enabled
many functionalities that are used every day. When created in 1994
by Ericsson, it was intended to replace wired connections between
devices. Today, it is the standard method for wirelessly connecting
nearby devices. Bluetooth has a range of approximately 300 feet
and consumes very little power, making it an excellent choice for
a variety of purposes. Some applications of Bluetooth include:
connecting a printer to a personal computer, connecting a mobile
phone and headset, connecting a wireless keyboard and mouse to a
computer, or connecting your mobile phone to your car, resulting in
hands free operation of your phone.
112 | Information Systems for Business and Beyond (2019)
Typical VoIP communicati on
VoIP
Voice over IP (VoIP) allows analog signals to be converted to digital
signals, then transmitted on a network. By using existing
technologies and software, voice communication over the Internet
is now available to anyone with a browser (think Skype, WebEx,
Google Hangouts). Beyond this, many companies are now offering
VoIP-based telephone service for business and home use.
Chapter 5: Networking and Communication | 113
Organizational Networking
LAN and WAN
Scope of business networks While the Internet was evolving and creating a way for
organizations to connect to each other and the world, another
revolution was taking place inside organizations. The proliferation
of personal computers led to the need to share resources such
as printers, scanners, and data. Organizations solved this problem
through the creation of local area networks (LANs), which allowed
computers to connect to each other and to peripherals.
A LAN is a local network, usually operating in the same building
or on the same campus. A Wide Area Network (WAN) provides
connectivity over a wider area such as an organization’s locations in
different cities or states.
114 | Information Systems for Business and Beyond (2019)
Client-Server
Client-server computing provides stand-alone devices such as
personal computers, printers, and file servers to work together. The
personal computer originally was used as a stand-alone computing
device. A program was installed on the computer and then used to
do word processing or calculations. With the advent of networking
and local area networks, computers could work together to solve
problems. Higher-end computers were installed as servers, and
users on the local network could run applications and share
information among departments and organizations.
Intranet
An intranet, as the name implies, provides web-based resources
for the users within an organization. These web pages are not
accessible to those outside the company. The pages typically
contain information useful to employees such as policies and
procedures. In an academic setting the intranet provides an
interface to learning resources for students.
Extranet
Sometimes an organization wants to be able to collaborate with
its customers or suppliers while at the same time maintaining the
security of being inside its own network. In cases like this a
company may want to create an extranet, which is a part of a company’s network that can be made available securely to those
outside of the company. Extranets can be used to allow customers
to log in and place orders, or for suppliers to check their customers’
inventory levels.
Chapter 5: Networking and Communication | 115
Sometimes an organization will need to allow someone who is not
located physically within its internal network to gain secure access
to the intranet. This access can be provided by a virtual private
network (VPN). VPNs will be discussed further in Chapter 6 which
focuses on Information Security).
Sidebar: Microsoft’s SharePoint Powers the Intranet
As organizations begin to see the power of collaboration between
their employees, they often look for solutions that will allow them
to leverage their intranet to enable more collaboration. Since most
companies use Microsoft products for much of their computing,
some are using Microsoft’s SharePoint to support employee
collaboration.
SharePoint provides a communication and collaboration platform
that integrates seamlessly with Microsoft’s Office suite of
applications. Using SharePoint, employees can share a document
and edit it together, avoiding the need to email the document for
others to review. Projects and documents can be managed
collaboratively across the organization. Corporate documents are
indexed and made available for search.
Cloud Computing
Cloud computing was covered in Chapter 3. The universal
availability of the Internet combined with increases in processing
116 | Information Systems for Business and Beyond (2019)
power and data-storage capacity have made cloud computing a
viable option for many companies. Using cloud computing,
companies or individuals can contract to store data on storage
devices somewhere on the Internet. Applications can be “rented”
as needed, giving a company the ability to quickly deploy new
applications. The I.T. department benefits from not having to
maintain software that is provided on the cloud.
Sidebar: Metcalfe’s Law
Just as Moore’s Law describes how computing power is increasing
over time, Metcalfe’s Law describes the power of networking.
Metcalfe’s Law states that the value of a telecommunications
network is proportional to the square of the number of connected
users of the system, or N2. If a network has 10 nodes, the inherent
value is 100, or 102.
Metcalfe’s Law is attributed to Robert Metcalfe, the co-inventor of
Ethernet. It attempts to address the added value provided by each
node on the network. Think about it this way: If none of your friends
were on Instagram, would you spend much time there? If no one
else at your school or place of work had e-mail, would it be very
useful to you? Metcalfe’s Law tries to quantify this value.
Summary
The networking revolution has completely changed how personal
computers are used. Today, no one would imagine using a computer
that was not connected to one or more networks. The development
Chapter 5: Networking and Communication | 117
of the Internet and World Wide Web, combined with wireless
access, has made information available at our fingertips. The Web
2.0 revolution has made everyone potential authors of web content.
As networking technology has matured, the use of Internet
technologies has become a standard for every type of organization.
The use of intranets and extranets has allowed organizations to
deploy functionality to employees and business partners alike,
increasing efficiencies and improving communications. Cloud
computing has truly made information available everywhere.
Study Questions
1. What were the first four locations hooked up to the Internet
(ARPANET)?
2. What does the term packet mean? 3. Which came first, the Internet or the World Wide Web?
4. What was revolutionary about Web 2.0?
5. What was the so-called killer app for the Internet?
6. What does the term VoIP mean?
7. What is a LAN?
8. What is the difference between an intranet and an extranet?
9. What is Metcalfe’s Law?
Exercises
1. What is the difference between the Internet and the World
Wide Web? Create at least three statements that identify the
differences between the two.
2. Who are the broadband providers in your area? What are the
118 | Information Systems for Business and Beyond (2019)
prices and speeds offered?
3. Pretend you are planning a trip to three foreign countries in
the next month. Consult your wireless carrier to determine if
your mobile phone would work properly in those countries.
What would the costs be? What alternatives do you have if it
would not work?
Labs
1. Check the speed of your Internet connection by going to the
following web site: speedtest.net
What is your download and upload speed?
2. What is the IP address of your computer? How did you find it?
Hint for Windows: Go to the start icon and click Run. Then
open the Command Line Interface by typing: cmd Then type: ipconfigWhat is your IPv4 address?What is your IPv6 address?
3. When you enter an address in your web browser, a Domain
Name Server (DNS) is used to lookup the IP address of the site
you are seeking. To locate the DNS server your computer is
using, type: nslookupWrite down the name and address of your DNS server.Use the nslookup command to find the address for a favorite web site. For example, to find the IP
address of espn type: nslookup espnWrite down your website’s name and address. Note: it is on the line following the name of
the web site you entered.
4. You can use the tracert (trace route) command to display the path from your computer to the web site’s IP address you used
in the previous lab. For example, tracert 199.181.132.250Be patient as tracert contacts each router in the path to your website’s server. A “Request timed out” message indicates the
tracing is taking too long, probably due to a lack of bandwidth.
You can stop the trace by pressing Ctrl + C
Chapter 5: Networking and Communication | 119
5. The ping command allows you check connectivity between the local host (your computer) and another host. If you are unable
to connect to another host, the ping command can be used to
incrementally test your connectivity. The IP address 127.0.0.1 is
known as your home address (local host).Begin your test by
going to your command line interface (command promkpt) and
pinging your local host: ping 127.0.0.1You should get a series of “Reply from 127.0.0.1” messagesNext, ping the IP address you
used in lab #3.Sometimes a failed ping is not the result of a
lack of connectivity. Network administrators of some IP
addresses/hosts do not want their site pinged so they block all
ICMP packets. That’s the protocol used for pinging.
• The whois.domaintools.com site provides you with information
about a web site. For example, to find information about
google.com open your web browser and type:
whoisdomaintools.com Then in the Lookup window, type: google.comFind information about a favorite site of yours. Record the following: administrator name, phone number,
when the site was created, and the site’s name servers (the
names begin with “ns”).
• Network statistics can be displayed using the netstat command. In the command line window (see lab #2 for
instructions on how to get to the command line), type: netstat -eHow many bytes were sent and how many were received?Execute the command again and record your results.
You should see an increase in both received and sent bytes.To
see a complete list of options/switches for the netstat
command, type: netstat ?
1. Wolcott, M. (2017). What is Web 2.0? MoneyWatch. Retrieved from https://www.cbsnews.com/news/what-is-web-20/↵
2. Molla, R. (2017). These are the fastest and slowest Internet
120 | Information Systems for Business and Beyond (2019)
speeds”. Recode. Retrieved from https://www.recode.net/2017/ 6/9/15768598/states-fastest-slowest-internet-speeds↵
3. International Telecommunications Union. (2018, January 23). UN Broadband Commission sets goal broadband targets to
bring online the world’s 3.8 billion not connected to the
Internet. Retrieved from https://www.itu.int/en/
mediacentre/Pages/2018-PR01.aspx↵
4. “Dean, J. (2014). 4G vs 5G Mobile Technology. Raconteur Retrieved from https://www.raconteur.net/technology/4g-
vs-5g-mobile-technology.
Chapter 5: Networking and Communication | 121
Chapter 6: Information Systems Security
Learning Objectives
Upon successful completion of this chapter, you will be
able to:
• identify the information security triad;
• identify and understand the high-level concepts
surrounding information security tools; and
• secure yourself digitally.
Introduction
As computers and other digital devices have become essential to
business and commerce, they have also increasingly become a
target for attacks. In order for a company or an individual to use
a computing device with confidence, they must first be assured
that the device is not compromised in any way and that all
communications will be secure. This chapter reviews the
fundamental concepts of information systems security and
discusses some of the measures that can be taken to mitigate
122 | Chapter 6: Information Systems Security
The security triad
security threats. The chapter begins with an overview focusing on
how organizations can stay secure. Several different measures that a
company can take to improve security will be discussed. Finally, you
will review a list of security precautions that individuals can take in
order to secure their personal computing environment.
The Information Security Triad: Confidentiality, Integrity, Availability (CIA)
Confidentiality
Protecting information
means you want to want to be
able to restrict access to those
who are allowed to see it. This
is sometimes referred to as
NTK, Need to Know. Everyone
else should be disallowed from
learning anything about its
contents. This is the essence of
confidentiality. For example,
federal law requires that
universities restrict access to private student information. Access to
grade records should be limited to those who have authorized
access.
Chapter 6: Information Systems Security | 123
Integrity
Integrity is the assurance that the information being accessed has
not been altered and truly represents what is intended. Just as a
person with integrity means what he or she says and can be trusted
to consistently represent the truth, information integrity means
information truly represents its intended meaning. Information can
lose its integrity through malicious intent, such as when someone
who is not authorized makes a change to intentionally misrepresent
something. An example of this would be when a hacker is hired to
go into the university’s system and change a student’s grade.
Integrity can also be lost unintentionally, such as when a
computer power surge corrupts a file or someone authorized to
make a change accidentally deletes a file or enters incorrect
information.
Availability
Information availability is the third part of the CIA triad. Availability means information can be accessed and modified by anyone
authorized to do so in an appropriate timeframe. Depending on
the type of information, appropriate timeframe can mean different things. For example, a stock trader needs information to be available
immediately, while a sales person may be happy to get sales
numbers for the day in a report the next morning. Online retailers
require their servers to be available twenty-four hours a day, seven
days a week. Other companies may not suffer if their web servers
are down for a few minutes once in a while.
124 | Information Systems for Business and Beyond (2019)
Tools for Information Security
In order to ensure the confidentiality, integrity, and availability of
information, organizations can choose from a variety of tools. Each
of these tools can be utilized as part of an overall information-
security policy.
Authentication
The most common way to identify someone is through their
physical appearance, but how do we identify someone sitting behind
a computer screen or at the ATM? Tools for authentication are used
to ensure that the person accessing the information is, indeed, who
they present themselves to be.
Authentication can be accomplished by identifying someone
through one or more of three factors:
1. Something they know,
2. Something they have, or
3. Something they are.
For example, the most common form of authentication today is the
user ID and password. In this case, the authentication is done by
confirming something that the user knows (their ID and password).
But this form of authentication is easy to compromise (see sidebar)
and stronger forms of authentication are sometimes needed.
Identifying someone only by something they have, such as a key or a
card, can also be problematic. When that identifying token is lost or
stolen, the identity can be easily stolen. The final factor, something
you are, is much harder to compromise. This factor identifies a user
through the use of a physical characteristic, such as a retinal scan,
Chapter 6: Information Systems Security | 125
RSA SecureID token
fingerprint, or facial geometry. Identifying someone through their
physical characteristics is called biometrics.
A more secure way to authenticate a user is through multi-factor
authentication. By combining two or more of the factors listed above, it becomes much more difficult for someone to misrepresent
themselves. An example of this would be the use of an RSA SecurID
token. The RSA device is something you have, and it generates a
new access code every sixty seconds. To log in to an information
resource using the RSA device, you combine something you know,
such as a four-digit PIN, with the code generated by the device. The
only way to properly authenticate is by both knowing the code and having the RSA device.
Access Control
Once a user has been authenticated, the next step is to ensure that
they can only access the information resources that are appropriate.
This is done through the use of access control. Access control
determines which users are authorized to read, modify, add, and/
or delete information. Several different access control models exist.
Two of the more common are: the Access Control List (ACL) and
Role-Based Access Control (RBAC).
An information security employee can produce an ACL which
identifies a list of users who have the capability to take specific
actions with an information resource such as data files. Specific
126 | Information Systems for Business and Beyond (2019)
Comparison of ACL and RBAC
permissions are assigned to each user such as read, write, delete,
or add. Only users with those permissions are allowed to perform those functions.
ACLs are simple to understand and maintain, but there are several
drawbacks. The primary drawback is that each information resource
is managed separately, so if a security administrator wanted to add
or remove a user to a large set of information resources, it would be
quite difficult. And as the number of users and resources increase,
ACLs become harder to maintain. This has led to an improved
method of access control, called role-based access control, or RBAC. With RBAC, instead of giving specific users access rights to an
information resource, users are assigned to roles and then those
roles are assigned the access. This allows the administrators to
manage users and roles separately, simplifying administration and,
by extension, improving security.
The following image shows an ACL with permissions granted to
individual users. RBAC allows permissions to be assigned to roles,
as shown in the middle grid, and then in the third grid each user is
assigned a role. Although not modeled in the image, each user can
have multiple roles such as Reader and Editor.
Sidebar: Password Security
So why is using just a simple user ID and password not considered a
secure method of authentication? It turns out that this single-factor
Chapter 6: Information Systems Security | 127
authentication is extremely easy to compromise. Good password
policies must be put in place in order to ensure that passwords
cannot be compromised. Below are some of the more common
policies that organizations should use.
• Require complex passwords. One reason passwords are compromised is that they can be easily guessed. A recent study
found that the top three passwords people used were
password, 123456 and 12345678.[1] A password should not be simple, or a word that can be found in a dictionary. Hackers
first attempt to crack a password by testing every term in the
dictionary. Instead, a good password policy should require the
use of a minimum of eight characters, at least one upper-case
letter, one special character, and one digit.
• Change passwords regularly. It is essential that users change their passwords on a regular basis. Also, passwords may not be
reused. Users should change their passwords every sixty to
ninety days, ensuring that any passwords that might have been
stolen or guessed will not be able to be used against the
company.
• Train employees not to give away passwords. One of the primary methods used to steal passwords is to simply figure
them out by asking the users for their password. Pretexting occurs when an attacker calls a helpdesk or security
administrator and pretends to be a particular authorized user
having trouble logging in. Then, by providing some personal
information about the authorized user, the attacker convinces
the security person to reset the password and tell him what it
is. Another way that employees may be tricked into giving away
passwords is through e-mail phishing. Phishing occurs when a user receives an e-mail that looks as if it is from a trusted
source, such as their bank or employer. In the e-mail the user
is asked to click a link and log in to a website that mimics the
genuine website, then enter their ID and password. The userID
and password are then captured by the attacker.
128 | Information Systems for Business and Beyond (2019)
Encryption
Many times an organization needs to transmit information over the
Internet or transfer it on external media such as a flash drive. In
these cases, even with proper authentication and access control, it
is possible for an unauthorized person to gain access to the data.
Encryption is a process of encoding data upon its transmission
or storage so that only authorized individuals can read it. This
encoding is accomplished by software which encodes the plain text
that needs to be transmitted (encryption). Then the recipient
receives the cipher text and decodes it (decryption). In order for
this to work, the sender and receiver need to agree on the method
of encoding so that both parties have the same message. Known
as symmetric key encryption, both parties share the encryption key, enabling them to encode and decode each other’s messages.
An alternative to symmetric key encryption is public key
encryption. In public key encryption, two keys are used: a public key and a private key. To send an encrypted message, you obtain the
public key, encode the message, and send it. The recipient then uses
their private key to decode it. The public key can be given to anyone
who wishes to send the recipient a message. Each user simply needs
one private key and one public key in order to secure messages. The
private key is necessary in order to decrypt a message sent with the
public key.
Notice in the image how the sender on the left creates a plaintext
message which is then encrypted with a public key. The ciphered
text is transmitted through the communication channel and the
recipient uses their private key to decrypt the message and then
read the plain text.
Chapter 6: Information Systems Security | 129
Public Key Encryption
Sidebar: Blockchain and Bitcoin
Blockchain
Introduced in 2008 as part of a proposal for Bitcoin, Blockchain is
a peer-to-peer network which provides an open, distributed record
of transactions between two parties. A “peer-to-peer” network is
one where there is no server between the two nodes trying to
communicate. Essentially, this means that each node acts as a server
and a client.
130 | Information Systems for Business and Beyond (2019)
Supporters see blockchain as a tool to simplify all types of
transactions: payments, contracts, etc. Motivation comes from the
desire to remove the middleman (lawyer, banker, broker) from
transactions, making them more efficient and readily available
across the Internet. Blockchain is already being used to track
products through supply chains.
Blockchain is considered a foundational technology, potentially creating new foundations in economics and social systems. There
are numerous concerns about Blockchain and its adoption.
Consider the following:
• Speed of adoption. Initially there is a great deal of enthusiasm by a small group. However, adoption on a larger scale can take
a great number of years even decades for a worldwide
acceptance of a new method of doing business.
• Governance. The banking sector, both in individual countries (U. S. Federal Reserve System) and the world at large (the
International Monetary Fund), controls financial transactions.
One purpose of these organizations is an attempt to avoid
banking and financial systems collapse. Blockchain will result
in the governance of financial transactions shifting away from
these government-controlled institutions.
• Smart contracts. The smart contract will re-shape how businesses interact. It is possible for blockchain to
automatically send payment to a vendor the instant the
product is delivered to the customer. Such “self-executing”
contracts are already taking place in banking and venture
capital funding. 1
Many are forecasting some universal form of payment or value
transfer for business transactions. Blockchain and Bitcoin are being
used to transform banking in various locations around the world.
1. [9]
Chapter 6: Information Systems Security | 131
The following Bitcoin section includes a look at a new banking
venture in Tanzania, East Africa.
Bitcoin
Bitcoin logo
Bitcoin is a world wide payment system using cryptocurrency. It
functions without a central bank, operating as a peer-to-peer
network with transactions happening directly between vendors and
buyers. Records for transactions are recorded in the blockchain.
Bitcoin technology was released in 2009. The University of
Cambridge estimated there were 2.9 and 5.8 million unique users
of bitcoin in 2017.2 This web site provides more information about
bitcoin.
A major bitcoin project is underway in Tanzania. Business
transactions in this East African country are fraught with many
challenges such as counterfeit currency and a 28% transaction fee
on individuals who do not have a bank account. Seventy percent of
the country’s population fall into this category. Benjamin Fernandes,
2. [10]
132 | Information Systems for Business and Beyond (2019)
a Tanzanian and 2017 graduate of Stanford Graduate School of
Business, is co-founder of NALA, a Tanzanian firm working to bring
cryptocurrency to a country where 96% of the population have
access to mobile devices. NALA’s goal is to provide low cost
transactions to all of the country’s citizens through
cryptocurrency.3 You can read more of this cryptocurrency venture
here.
Backups
Another essential tool for information security is a comprehensive
backup plan for the entire organization. Not only should the data
on the corporate servers be backed up, but individual computers
used throughout the organization should also be backed up. A good
backup plan should consist of several components.
• Full understanding of the organization’s information resources. What information does the organization actually have? Where is it stored? Some data may be stored on the
organization’s servers, other data on users’ hard drives, some
in the cloud, and some on third-party sites. An organization
should make a full inventory of all of the information that
needs to be backed up and determine the best way to back it
up.
• Regular backups of all data. The frequency of backups should be based on how important the data is to the company,
combined with the ability of the company to replace any data
that is lost. Critical data should be backed up daily, while less
3. [11]
Chapter 6: Information Systems Security | 133
critical data could be backed up weekly. Most large
organizations today use data redundancy so their records are
always backed up.
• Offsite storage of backup data sets. If all backup data is being stored in the same facility as the original copies of the data,
then a single event such as an earthquake, fire, or tornado
would destroy both the original data and the backup. It is
essential the backup plan includes storing the data in an offsite
location.
• Test of data restoration. Backups should be tested on a regular basis by having test data deleted then restored from backup.
This will ensure that the process is working and will give the
organization confidence in the backup plan.
Besides these considerations, organizations should also examine
their operations to determine what effect downtime would have
on their business. If their information technology were to be
unavailable for any sustained period of time, how would it impact
the business?
Additional concepts related to backup include the following:
• Uninterruptible Power Supply (UPS). A UPS provides battery backup to critical components of the system, allowing them to
stay online longer and/or allowing the IT staff to shut them
down using proper procedures in order to prevent data loss
that might occur from a power failure.
• Alternate, or “hot” sites. Some organizations choose to have an alternate site where an exact replica of their critical data is
always kept up to date. When the primary site goes down, the
alternate site is immediately brought online so that little or no
downtime is experienced.
As information has become a strategic asset, a whole industry
has sprung up around the technologies necessary for implementing
a proper backup strategy. A company can contract with a service
134 | Information Systems for Business and Beyond (2019)
Diagram of a network configuration with firewalls, a router, and a DMZ.
provider to back up all of their data or they can purchase large
amounts of online storage space and do it themselves. Technologies
such as Storage Area Networks (SAN) and archival systems are now
used by most large businesses for data backup.
Firewalls
Firewalls are another method that an organization can use for
increasing security on its
network. A firewall can exist as
hardware or software, or both.
A hardware firewall is a device
that is connected to the
network and filters the packets
based on a set of rules. One
example of these rules would
be preventing packets entering
the local network that come
from unauthorized users. A software firewall runs on the operating
system and intercepts packets as they arrive to a computer.
A firewall protects all company servers and computers by
stopping packets from outside the organization’s network that do
not meet a strict set of criteria. A firewall may also be configured
to restrict the flow of packets leaving the organization. This may
be done to eliminate the possibility of employees watching YouTube
videos or using Facebook from a company computer.
A demilitarized zone (DMZ) implements multiple firewalls as part
of network security configuration, creating one or more sections of
their network that are partially secured. The DMZ typically contains
resources that need broader access but still need to be secured.
Chapter 6: Information Systems Security | 135
Intrusion Detection Systems
Intrusion Detection Systems (IDS) can be placed on the network for security purposes. An IDS does not add any additional security.
Instead, it provides the capability to identify if the network is being
attacked. An IDS can be configured to watch for specific types of
activities and then alert security personnel if that activity occurs. An
IDS also can log various types of traffic on the network for analysis
later. It is an essential part of any good security system.
Sidebar: Virtual Private Networks
Using firewalls and other security technologies, organizations can
effectively protect many of their information resources by making
them invisible to the outside world. But what if an employee
working from home requires access to some of these resources?
What if a consultant is hired who needs to do work on the internal
corporate network from a remote location? In these cases, a Virtual
Private Network (VPN) is needed.
136 | Information Systems for Business and Beyond (2019)
Diagram of VPN (click to enlarge). Attribution to Ludovic.ferre.
A VPN allows a user who is outside of a corporate network to
take a detour around the firewall and access the internal network
from the outside. Through a combination of software and security
measures, a VPN provides off-site access to the organization’s
network while ensuring overall security.
The Internet cloud is essentially an insecure channel through
which people communicate to various web sites/servers.
Implementing a VPN results in a secure pathway, usually referred
to as a tunnel, through the insecure cloud, virtually guaranteeing
secure access to the organization’s resources. The diagram
represents security by way of the functionality of a VPN as it
“tunnels” through the insecure Internet Cloud. Notice that the
remote user is given access to the organization’s intranet, as if the
user was physically located within the intranet.
Chapter 6: Information Systems Security | 137
Physical Security
An organization can implement the best authentication scheme in
the world, develop superior access control, and install firewalls and
intrusion detection, but its security cannot be complete without
implementation of physical security. Physical security is the
protection of the actual hardware and networking components that
store and transmit information resources. To implement physical
security, an organization must identify all of the vulnerable
resources and take measures to ensure that these resources cannot
be physically tampered with or stolen. These measures include the
following.
• Locked doors. It may seem obvious, but all the security in the world is useless if an intruder can simply walk in and physically
remove a computing device. High value information assets
should be secured in a location with limited access.
• Physical intrusion detection. High value information assets should be monitored through the use of security cameras and
other means to detect unauthorized access to the physical
locations where they exist.
• Secured equipment. Devices should be locked down to prevent them from being stolen. One employee’s hard drive
could contain all of your customer information, so it is
essential that it be secured.
• Environmental monitoring. An organization’s servers and other high value equipment should always be kept in a room
that is monitored for temperature, humidity, and airflow. The
risk of a server failure rises when these factors exceed
acceptable ranges.
• Employee training. One of the most common ways thieves steal corporate information is the theft of employee laptops
while employees are traveling. Employees should be trained to
secure their equipment whenever they are away from the
138 | Information Systems for Business and Beyond (2019)
office.
Security Policies
Besides the technical controls listed above, organizations also need
to implement security policies as a form of administrative control.
In fact, these policies should really be a starting point in developing
an overall security plan. A good information security policy lays out
the guidelines for employee use of the information resources of the
company and provides the company recourse in the event that an
employee violates a policy.
According to the SANS Institute, a good policy is “a formal, brief,
and high-level statement or plan that embraces an
organization’s general beliefs, goals, objectives, and acceptable
procedures for a specified subject area.” Policies require
compliance. Failure to comply with a policy will result in disciplinary
action. A policy does not list the specific technical details, instead it
focuses on the desired results. A security policy should be based on
the guiding principles of confidentiality, integrity, and availability.4
Web use is a familiar example of a security policy. A web use
policy lays out the responsibilities of company employees as they
use company resources to access the Internet. A good example of a
web use policy is included in Harvard University’s “Computer Rules
and Responsibilities” policy, which can be found here.
A security policy should also address any governmental or
industry regulations that apply to the organization. For example,
if the organization is a university, it must be aware of the Family
Educational Rights and Privacy Act (FERPA), which restricts access
to student information. Health care organizations are obligated to
4. [2]
Chapter 6: Information Systems Security | 139
follow several regulations, such as the Health Insurance Portability
and Accountability Act (HIPAA).
A good resource for learning more about security policies is the
SANS Institute’s Information Security Policy Page.
Sidebar: Mobile Security
As the use of mobile devices such as laptops and smartphones
proliferates, organizations must be ready to address the unique
security concerns that the use of these devices bring. One of the
first questions an organization must consider is whether to allow
mobile devices in the workplace at all. Many employees already have
these devices, so the question becomes: Should we allow employees
to bring their own devices and use them as part of their employment
activities? Or should we provide the devices to our employees?
Creating a BYOD (“Bring Your Own Device”) policy allows employees
to integrate themselves more fully into their job and can bring
higher employee satisfaction and productivity. In many cases, it
may be virtually impossible to prevent employees from having their
own smartphones or laptops in the workplace. If the organization
provides the devices to its employees, it gains more control over
use of the devices, but it also increases the burden of having to
administrate distribution and use.
Mobile devices can pose many unique security challenges to an
organization. Probably one of the biggest concerns is theft of
intellectual property. For an employee with malicious intent, it
would be a very simple process to connect a mobile device either to
a computer via the USB port, or wirelessly to the corporate network,
and download confidential data. It would also be easy to secretly
take a high-quality picture using a built-in camera.
When an employee does have permission to access and save
140 | Information Systems for Business and Beyond (2019)
company data on his or her device, a different security threat
emerges. Namely, that device now becomes a target for thieves.
Theft of mobile devices (in this case, including laptops) is one of the
primary methods that data thieves use.
So what can be done to secure mobile devices? Begin with a
good policy regarding their use. According to a 2013 SANS study,
organizations should consider developing a mobile device policy
that addresses the following issues: use of the camera, use of voice
recording, application purchases, encryption at rest, Wi-Fi
autoconnect settings, Bluetooth settings, VPN use, password
settings, lost or stolen device reporting, and backup. 5
Besides policies, there are several different tools that an
organization can use to mitigate some of these risks. For example,
if a device is stolen or lost, geolocation software can help the
organization find it. In some cases, it may even make sense to install
remote data removal software, which will remove data from a device
if it becomes a security risk.
Usability
When looking to secure information resources, organizations must
balance the need for security with users’ needs to effectively access
and use these resources. If a system’s security measures make it
difficult to use, then users will find ways around the security, which
may make the system more vulnerable than it would have been
without the security measures. Consider password policies. If the
organization requires an extremely long password with several
5. [3]
Chapter 6: Information Systems Security | 141
Stop.Think.Connect. poster (click to enlarge)
special characters, an employee may resort to writing it down and
putting it in a drawer since it will be impossible to memorize.
Personal Information Security
As a final topic for this
chapter, consider what
measures each of us, as
individual users, can take to
secure our computing
technologies. There is no way
to have 100% security, but
there are several simple steps
each individual can take to be
more secure.
• Keep your software up to date. Whenever a software vendor determines that a
security flaw has been
found in their software, an
update will be released so you can download the patch to fix
the problem. You should turn on automatic updating on your
computer to automate this process.
• Install antivirus software and keep it up to date. There are many good antivirus software packages on the market today,
including some that are free.
• Be smart about your connections. You should be aware of your surroundings. When connecting to a Wi-Fi network in a
public place, be aware that you could be at risk of being spied
on by others sharing that network. It is advisable not to access
your financial or personal data while attached to a Wi-Fi
hotspot. You should also be aware that connecting USB flash
142 | Information Systems for Business and Beyond (2019)
drives to your device could also put you at risk. Do not attach
an unfamiliar flash drive to your device unless you can scan it
first with your security software.
• Backup your data. Just as organizations need to backup their data, individuals need to so as well. The same rules apply.
Namely, do it regularly and keep a copy of it in another
location. One simple solution for this is to set up an account
with an online backup service to automate your backups.
• Secure your accounts with two-factor authentication. Most e-mail and social media providers now have a two-factor
authentication option. When you log in to your account from
an unfamiliar computer for the first time, it sends you a text
message with a code that you must enter to confirm that you
are really you. This means that no one else can log in to your
accounts without knowing your password and having your mobile phone with them.
• Make your passwords long, strong, and unique. Your personal passwords should follow the same rules that are recommended
for organizations. Your passwords should be long (at least 12
random characters) and contain at least two of the following:
uppercase and lowercase letters, digits, and special characters.
Passwords should not include words that could be tied to your
personal information, such as the name of your pet. You also
should use different passwords for different accounts, so that
if someone steals your password for one account, they still are
locked out of your other accounts.
• Be suspicious of strange links and attachments. When you receive an e-mail, tweet, or Facebook post, be suspicious of
any links or attachments included there. Do not click on the
link directly if you are at all suspicious. Instead, if you want to
access the website, find it yourself with your browser and
navigate to it directly. The I Love You virus was distributed via
email in May 2000 and contained an attachment which when
opened copied itself into numerous folders on the user’s
computer and modified the operating system settings. An
Chapter 6: Information Systems Security | 143
estimated 50,000 computers were affected, all of which could
have been avoided if users had followed the warning to not
open the attachment.
You can find more about these steps and many other ways to be
secure with your computing by going to Stop. Think. Connect. This
website is part of a campaign by the STOP. THINK. CONNECT.
Messaging Convention in partnership with the U.S. government,
including the White House.
Summary
As computing and networking resources have become more an
integral part of business, they have also become a target of
criminals. Organizations must be vigilant with the way they protect
their resources. The same holds true for individuals. As digital
devices become more intertwined in everyone’s life, it becomes
crucial for each person to understand how to protect themselves.
Study Questions
1. Briefly define each of the three members of the information
security triad.
2. What does the term authentication mean? 3. What is multi-factor authentication?
4. What is role-based access control?
5. What is the purpose of encryption?
144 | Information Systems for Business and Beyond (2019)
6. What are two good examples of a complex password?
7. What is pretexting?
8. What are the components of a good backup plan?
9. What is a firewall?
10. What does the term physical security mean?
Exercises
1. Describe one method of multi-factor authentication that you
have experienced and discuss the pros and cons of using
multi-factor authentication.
2. What are some of the latest advances in encryption
technologies? Conduct some independent research on
encryption using scholarly or practitioner resources, then
write a two- to three-page paper that describes at least two
new advances in encryption technology.
3. Find favorable and unfavorable articles about both blockchain
and bitcoin. Report your findings, then state your own opinion
about these technologies
4. What is the password policy at your place of employment or
study? Do you have to change passwords every so often? What
are the minimum requirements for a password?
5. When was the last time you backed up your data? What
method did you use? In one to two pages, describe a method
for backing up your data. Ask your instructor if you can get
extra credit for backing up your data.
6. Find the information security policy at your place of
employment or study. Is it a good policy? Does it meet the
standards outlined in the chapter?
7. How diligent are you in keeping your own information secure?
Review the steps listed in the chapter and comment on your
security status.
Chapter 6: Information Systems Security | 145
Labs
1. The Caesar Cipher. One of the oldest methods of encryption was used by Julius Caesar and involved simply shifting text a
specified number of positions in the alphabet. The number of
shifted positions is known as the key. So a key = 3 would
encrypt ZOO to CRR. Decrypt the following message which has
a key = 3: FRPSXWHU
2. The Vigenere Cipher. This cipher was used as recently as the Civil War by the Confederate forces. The key is slightly more
complex than the Caesar Cipher. Vigenere used the number of
letters after ‘A’ for his key. For example, if the key = COD, the
first letter in the cypher is shifted 2 characters (because “C” is
2 letters after the letter ‘A’), the second letter is shifted 14
letters (O being 14 letters after ‘A’), and the third letter is
shifted 3 letters (D being 3 letters after ‘A’). Then the pattern is
repeated for subsequent letters. Decrypt the following
message which has a key = COD: YSPGSWCHGCKQ
3. Frequency and Pattern Analysis. If you’ve ever watched Wheel of Fortune you know that contestants look for patterns and
frequencies in trying to solve a puzzle. Your job in this lab is to
analyze letter frequency and letter patterns to determine the
plaintext message which in this case is a single word. The key
is a simple substitution where the same letter in plaintext
always results in the same letter in the cyphertext. The most
frequently used letters in the English language are: E, A, O , I, T,
S, N. Pattern analysis includes knowing words that have double
letters such as “school.” Other patterns include “ing” at the end
of a word, “qu” and “th” as a pairs of letters.Cyphertext =
CAGGJWhat is the key and the plaintext?
1. Gallagher, S. (2012, November 3). Born to be
146 | Information Systems for Business and Beyond (2019)
breached. Arstechnica. Retrieved from http://arstechnica.com/information-technology/2012/11/
born-to-be-breached-the-worst-passwords-are-still-the-
most-common/
2. SANS Institute. (n.d.). Information Security Policy Templates. Retrieved from http://www.sans.org/security-resources/
policies/Policy_Primer.pdf on May 31, 2013.
3. SANS. (n.d.). SCORE: Checklists and Step by Step Guides. Retrieved from http://www.sans.org/score/checklists/
mobile-device-checklist.xls
4. Iansiti, M. and Lakhani, K. R. (2017, January). The truth about
blockchain. Harvard Business Review. Retrieved from https://hbr.org/2017/01/the-truth-about-blockchain↵
5. Wikipedia. (n.d.). Bitcoin. Harvard Business Review. Retrieved from https://en.wikipedia.org/wiki/Bitcoin↵
6. Fernandes, B. (2017, October 20). Personal telephone
interview↵
Chapter 6: Information Systems Security | 147
PART II: INFORMATION SYSTEMS FOR STRATEGIC ADVANTAGE
Part II: Information Systems for Strategic Advantage | 149
- Information Systems for Business and Beyond (2019)
- Information Systems for Business and Beyond (2019)
- Title Page
- Copyright
- Book Contributors
- Changes from Previous Edition
- How you can help
- Introduction
- Part I: What is an information system?
- Chapter 1: What Is an Information System?
- Chapter 2: Hardware
- Chapter 3: Software
- Chapter 4: Data and Databases
- Chapter 5: Networking and Communication
- Chapter 6: Information Systems Security
- Part II: Information Systems for Strategic Advantage
- Chapter 7: Does IT Matter?
- Chapter 8: Business Processes
- Chapter 9: The People in Information Systems
- Chapter 10: Information Systems Development
- Part III: Information Systems Beyond the Organization
- Chapter 11: Globalization and the Digital Divide
- Chapter 12: The Ethical and Legal Implications of Information Systems
- Chapter 13: Trends in Information Systems
- Index