Computer Security


Case 4A Overview

There is no business endeavor with profit motive, yet without attendant risks. Businesses must face risk in their pursuit of return on investment. Risk as opposed to uncertainty is more manageable—often we are able to ascribe an informed mathematical probability on its realization, and assign an expected value of the concomitant loss. The particular type of risk that we discuss here concerns utilization of information assets in businesses and the risks arising thereof—the information security risks or cyber risks.

(Whitman 75)

Whitman, Michael E. Readings & Cases in Information Security: Law & Ethics. Cengage Learning, 20100623. VitalBook file.

Introduction

Information assets (e.g., computers, servers, PDAs) and the interconnectivity among these assets (LAN, Intranet, and Internet) are integral parts of doing business in today’s networked economy. While networked information assets add great value to the business processes, possible abuse/misuse/unuse of such assets and networks gives rise to a substantial amount of information security risk.

There are several options for managing information security risks. At the extremes, a firm could avoid such risks altogether by freeing its business processes from information assets (quite unrealistic), or it could retain all the risks and bear all the probabilistic misfortunes. In reality, firms attempt to mitigate a part or all of the risks, and/or adopt ways to transfer some of the remaining risks to willing parties (the insurer). The mitigation of information security risk is generally achieved through the layered regimes of prevention (e.g., firewall) and detection (e.g., IDS, Honey Nets) to minimize threats, and providing for the measures for loss/damage control (e.g., incident response, disaster recovery, and business continuity planning). Among others, the transfer of the risks could be achieved through financial instruments, formally known as cyber insurance contracts. Cyber insurance provides indemnity for losses on information assets, which could arise out of the unuse (e.g., DoS), abuse (e.g., unauthorized access), misuse (e.g., identity theft), third-party loss (e.g., customers’ personally identifiable information), and losses from cyber extortion. Cyber insurance is a new concept in the management of information security risks, and although IT security managers express increasing interest in these instruments (Ernst and Young Survey, 2007), the cyber insurance market is still in a nascent stage of development. In what follows, we introduce the readers to the basics of insurance economics, integrate such prudence in the information risk domain, and then briefly discuss the products, providers, and utilization of cyber insurance as an integral part of the organizational IT risk management program.

The following pages in this chapter have been divided into several sections. Section 2 presents the economic concepts of cyber insurance and section 3 discusses the needs of organizations that translate to the demand for cyber insurance. Section 4 presents the involved decisions in cyber insurance. Section 5 provides a discussion on the major cyber insurance carriers and the cyber insurance products that are available in the market, and explains how IT Managers could effectively integrate these products in their information risk management programs and initiatives. Section 6 provides an outlook for the cyber insurance industry including some concluding remarks.

The Economics of Cyber Insurance

The insurer is in the insurance market because of profit motive, but the prospect (insured) firm’s motivation arises out of risk aversion. Because the future is uncertain, the prospect firm faces potential variability in its wealth—a risk.1 The insurance market offers instruments with which a risk-averse firm could transfer its risk to the insurer firms, whose business model aggregates and averages the risks (law of large numbers) to manageable proportions.2

Suppose that if there is no data theft, the net wealth of the prospect firm would be $10 million, but if the future turns out to be adverse (for example, a hacker steals sensitive data), the net wealth of the firm could be only $2 million. Moreover, this adverse outcome could be so debilitating that the firm may be forced out of business! Assume that the firm could buy cyber insurance from the insurer who would pay the shortfall of wealth (10 – 2 = $8 million) in the event of data theft, but only when an upfront premium is paid. In one hypothetical scenario, the prospect firm may pay $4 million as the premium, and in the event of data theft, the insurer could pay an indemnity of $8 million. Note that this arrangement would ensure that in either of the outcomes of the future, the prospect firm would be left with a net wealth of $6 million. More interestingly though, we see that the firm has successfully managed the variability of its future wealth but paid $4 million to achieve this. In other words, the firm has transferred its information risk of data theft for a premium of $4 million to a willing party, the insurer. The insurer is willing to take the risk so long as there is no expected loss from it (when we assume perfect competition, the zero profit situation is the outcome*), or when it has issued many such contracts, and has moderated its risk exposure on the whole. However, the prospect firm cannot bear this risk because of the possible threat of business closure in case of data theft (and no insurance). In other words, the insurance contract may have equal monetary value to the contracting parties, but the insured firm likely derives higher utility out of it because of its inherent risk aversion. The cyber insurance market exists for this fundamental reason.3

We need to look more closely at the hypothetical scenario that we had utilized for the insurance premium in the last paragraph. We had implicitly assumed that the future outcomes were equally probable. In that scenario, the insured firm faced a 50% probability of data theft, which is equivalent to exposing the insurer to a 50% probability for the indemnity payment of $8 million. That also explains the premium of $4 million. Clearly, a pertinent question here is that of the likelihood of the occurrence of the data theft.

Suppose that there is only a 25% probability that there will be a data theft, such that the expected wealth of the firm is now $8 million (0.75 × 10 + 0.25 × 2). Note that the only difference from the earlier scenario is that of the altered expectation of the data theft, which, however, alters the expected indemnity payout that the insurer faces: only $2 million (25% of 8 million). In the new scenario, the prospect firm could pay $2 million in an up-front premium (a certain payment) for which the insurer would be ready to pay an indemnity of $8 million in the probabilistic event of data theft.
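The two premium scenarios above, worked through in Python as an added example (this code is not part of the reading). It uses the reading's wealth figures ($10 million without theft, $2 million with theft, an $8 million indemnity) and computes the actuarially fair premium for both probabilities. The logarithmic utility function used to model the firm's risk aversion, and the certainty equivalent and maximum acceptable premium derived from it, are assumptions added for illustration and go beyond what the reading states.

```python
import math

# Wealth outcomes from the reading, in millions of dollars.
W_NO_THEFT = 10.0   # net wealth if no data theft occurs
W_THEFT = 2.0       # net wealth if sensitive data is stolen
INDEMNITY = W_NO_THEFT - W_THEFT  # shortfall the insurer would pay: 8


def fair_premium(p_theft, indemnity):
    """Actuarially fair premium: the insurer's expected indemnity payout.
    Under perfect competition (zero expected profit) this is what the
    reading's scenarios charge: 0.5 * 8 = 4 and 0.25 * 8 = 2."""
    return p_theft * indemnity


def expected_wealth(p_theft, w_good, w_bad):
    """Expected wealth of the uninsured firm."""
    return (1 - p_theft) * w_good + p_theft * w_bad


def insured_outcomes(p_theft, w_good, w_bad, premium, indemnity):
    """Wealth in each future state once the premium is paid up front and the
    indemnity is received only in the theft state. Returns (no_theft, theft)."""
    return (w_good - premium, w_bad - premium + indemnity)


def utility(w):
    """Logarithmic utility: a standard concave (risk-averse) utility function.
    Assumption for illustration; the reading does not specify a utility function."""
    return math.log(w)


def expected_utility(p_theft, w_good, w_bad):
    return (1 - p_theft) * utility(w_good) + p_theft * utility(w_bad)


def certainty_equivalent(p_theft, w_good, w_bad):
    """Certain wealth the firm values exactly as much as the risky prospect."""
    return math.exp(expected_utility(p_theft, w_good, w_bad))


def max_acceptable_premium(p_theft, w_good, w_bad):
    """Most a risk-averse firm would pay for full coverage: the gap between
    the no-loss wealth and the certainty equivalent of bearing the risk."""
    return w_good - certainty_equivalent(p_theft, w_good, w_bad)


def compare(p_theft):
    """Summarise the uninsured and fully insured positions for one probability."""
    premium = fair_premium(p_theft, INDEMNITY)
    good, bad = insured_outcomes(p_theft, W_NO_THEFT, W_THEFT, premium, INDEMNITY)
    return {
        "premium": premium,
        "uninsured_expected_wealth": expected_wealth(p_theft, W_NO_THEFT, W_THEFT),
        "insured_wealth_either_state": (good, bad),
        "uninsured_eu": expected_utility(p_theft, W_NO_THEFT, W_THEFT),
        # full coverage leaves the same wealth in both states, so no variance remains
        "insured_eu": utility(good),
        "willing_to_pay_up_to": max_acceptable_premium(p_theft, W_NO_THEFT, W_THEFT),
    }


if __name__ == "__main__":
    for p in (0.5, 0.25):
        r = compare(p)
        print(f"p={p}: premium {r['premium']:.2f}M, uninsured E[W] "
              f"{r['uninsured_expected_wealth']:.2f}M, insured W {r['insured_wealth_either_state']}, "
              f"EU uninsured {r['uninsured_eu']:.3f} vs insured {r['insured_eu']:.3f}, "
              f"would pay up to {r['willing_to_pay_up_to']:.2f}M")
```

Running it reproduces the reading's $4 million and $2 million premiums and the equal wealth in both states. It also shows that at a 25% probability a log-utility firm would pay up to about $3.3 million for the same certainty, even though the fair premium is $2 million; that gap between fair premium and willingness to pay is what leaves room for the insurer's contract-writing costs discussed later in the reading.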

Three concepts are noteworthy here:

1. The insured firm trades the uncertainty of outcomes for an assurance of certainty, and pays for it up front.

2. The insurer balances its risk (which is really the expected large indemnity payments) over the large numbers of insurance contracts that it sells.

3. The probability of ruin is instrumental in determining the premium that is required in the arrangement.

The example scenarios suggest that as the probability of the occurrence of data theft decreases, the insured firm is required to pay even lower levels of the premium. This is a standard observation in insurance, and makes good sense. There is one last thing to remember here. In order to ensure that an insurance contract may not be utilized to gamble up the losses and shore in higher indemnity, regulators impose strict provisions for penalty in case an insured firm indulges in such fraudulent actions.

Let us look closely at the probability and loss aspects of the future event.4 Who decides how probable the data theft is, or how much loss it incurs? The interests of the contracting parties are diametrically opposite here. The prospect firm is interested in exhibiting that there is a small probability of data theft and lower eventual loss, because these variables reduce the premium. On the other hand, for any underestimation of the probability or the magnitude of loss, the insurer loses money through higher than expected indemnity payout. It is important to realize that the prospect firm knows and understands its own systems much better than the insurer (information asymmetry), yet has no obvious incentive to be truthful. Because the information asymmetry works against the interest of the insurer, objective estimations of the probability and the magnitude of loss from data theft through truthful revelation are imperative in the process. Two measures are commonplace in the cyber insurance market today:

1. The prospect firm is required to submit self-assessment paperwork, which essentially reveals the assets, processes, and procedures of IT security management of the firm and

2. The prospect firm is audited by a third party for an independent analysis, which tends to compensate for the lack of technical prowess of the insurer.

Finally, these assessment and analysis reports are consolidated, and the two parties arrive at the agreed “probability” and “loss” from data theft for the prospect firm, which then go into structuring the cyber insurance contract. When the prospect firm can exhibit technical, procedural, and policy controls in place, a better sense of data assurance prevails, and a lower probability of data theft is evident. On the other hand, when the prospect firm exhibits that adequate planning and provisioning have gone into the measures toward incident response, disaster recovery, and business continuity management, a lower magnitude of loss from eventual compromise of the network is apparent. It is important to realize that the magnitude of loss from abuse/unuse/misuse of information assets is intrinsically difficult to estimate because these assets are often utilized across multiple lines of business and used by multiple departments, giving rise to interaction effects. Finally, all these pre-contract investigations and analyses raise the contract writing costs of cyber insurance substantially, which of course is passed on to the insured firm.

Stepping aside, let us look closely at the prospect firms as a group in general. The firms that employ a high amount of controls against data theft and operationalize security-savvy policies and procedures face lower probability of data theft and a lower amount of losses from a realized breach. This is also the type of firm that would likely exhibit lower propensity for cyber insurance products than those who face a higher probability of data theft or higher losses, or both. However, the insurer is more interested in selling a cyber insurance contract to the first type of firm rather than the second. In other words, like other insurance markets, the cyber insurance market is prone to adverse selection as well. As a result, firms that find cyber insurance more attractive are less likely to receive coverage, while the insurer is hard pressed to differentiate between the good and bad risks. In the cyber insurance market, firms space themselves in a wide spectrum of this variability, and the insurers are compelled to run third-party audits and restrict themselves in writing private contracts (especially for larger coverage) rather than offering canned products, which could otherwise lower contract-writing costs substantially.

Once the initial IT security health of the prospect firm is assessed and the contract is written, the insured firm enjoys the assurance of certainty in future outcomes, but is now prone to lose vigilance on the control and policy strengths, which in the first place earned the cyber insurance contract, or lowered the premium (or both)! This is known as moral hazard, and mechanisms are designed and integrated into cyber insurance contracts to counter the effect. For example, an insurer may require the insured firm to regularly monitor and update the IDS system during the contract period, and report the same as an indication that there are no obvious gaps in its measures. On top of the above, deductible clauses are often applied to a cyber insurance contract to make sure that a part of the loss is borne by the insured party, encouraging the insured firm to keep security breaches to the minimum. As such, the effect of a deductible on the performance of cyber insurance contracts is broad based. A higher deductible results in a lower amount of up-front premium, which often increases the salability of a cyber insurance contract. Also, a deductible plays an indirect role in reducing the number of claims, and limits the origination and disbursement costs that are associated with indemnity payouts. Larger cyber insurance contracts could also feature caps on the liability that the insurer accepts. This is particularly important in the case of IT risks, because the business impact of losses is not yet fully understood, and regulations on data and information repositories are not quite developed yet.
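As an added example (not code from the reading), the following Python shows how a deductible and a liability cap reshape a contract: the expected payout (the fair premium), the loss the insured retains, how often a claim reaches the insurer at all, and the insurer's worst case. The three-scenario loss distribution is constructed for illustration; only the $8 million major-loss figure comes from the reading.

```python
# Constructed loss distribution for one contract year, in millions of dollars.
# Each entry is (probability, loss to the insured). The values are illustrative
# assumptions; only the 8.0 major-loss figure is taken from the reading.
LOSS_SCENARIOS = [
    (0.75, 0.0),   # no breach
    (0.15, 1.0),   # contained incident: forensics, notification, some downtime
    (0.10, 8.0),   # major data theft: the reading's $8 million shortfall
]


def indemnity(loss, deductible=0.0, cap=None):
    """Insurer's payout for one realised loss. The insured absorbs the first
    `deductible` of the loss; the payout is limited to `cap` if a liability cap is set."""
    payout = max(loss - deductible, 0.0)
    if cap is not None:
        payout = min(payout, cap)
    return payout


def expected_payout(scenarios, deductible=0.0, cap=None):
    """Expected indemnity, i.e. the actuarially fair premium for these terms."""
    return sum(p * indemnity(loss, deductible, cap) for p, loss in scenarios)


def expected_retained_loss(scenarios, deductible=0.0, cap=None):
    """Expected loss that stays with the insured (below the deductible, above the cap)."""
    return sum(p * (loss - indemnity(loss, deductible, cap)) for p, loss in scenarios)


def claim_frequency(scenarios, deductible=0.0):
    """Probability that a year produces a claim at all: losses at or below the
    deductible never reach the insurer, which is the claim-reducing effect."""
    return sum(p for p, loss in scenarios if loss > deductible)


def worst_case_payout(scenarios, deductible=0.0, cap=None):
    """Largest single payout the insurer can face under the contract terms."""
    return max(indemnity(loss, deductible, cap) for _, loss in scenarios)


def contract_summary(deductible=0.0, cap=None, scenarios=LOSS_SCENARIOS):
    return {
        "fair_premium": expected_payout(scenarios, deductible, cap),
        "retained_loss": expected_retained_loss(scenarios, deductible, cap),
        "claim_probability": claim_frequency(scenarios, deductible),
        "insurer_worst_case": worst_case_payout(scenarios, deductible, cap),
    }


if __name__ == "__main__":
    for terms in ({}, {"deductible": 1.0}, {"deductible": 1.0, "cap": 5.0}):
        s = contract_summary(**terms)
        print(terms, {k: round(v, 3) for k, v in s.items()})
```

With no deductible the fair premium is $0.95 million and the insurer can be asked for a claim in 25% of years; a $1 million deductible drops the premium to $0.70 million and the claim probability to 10%, because the contained incident no longer reaches the insurer. Adding a $5 million cap lowers the premium further to $0.50 million while bounding the insurer's worst case, which is the protection the reading describes for IT risks whose business impact is not yet well understood.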

The Need for Cyber Insurance

There are several reasons why cyber insurance has its place in the management of IT security risks.5 First, the technological controls lag hacker innovation. Second, even if the technological controls could catch up to the rate of the hackers’ nefarious innovations, the advantage of effort still would lie with the hackers’ community even for the remaining vulnerabilities in a system. While the defender of a system is required to know all the vulnerabilities of the system and also be able to protect them with absolute certainty, the hacker needs to find only one small subset of these vulnerabilities to unleash a massive attack. Third, modern software systems rely, at least in part, on post-release user testing and feedback (competitive pressures often force the provider to release the software before the bulk of its vulnerabilities are known or understood in a lab setting). As a result, even if the defender could implement all the latest technological controls (though cost may be prohibitive), residual IT security risks could still remain in the IT system.6 Finally, IT risks are increasingly being differentiated from the way the insurance industry deals with more traditional risks. This is primarily because we have not fully resolved the debate whether information assets could be treated as tangible property. Consider the case where the insured company maintains an online discussion board, and some outsider discussants post defamatory or racially discriminatory messages. The insurers have exhibited resistance/refusal to cover such incidents under the general liability insurances that the firm might possess. Similarly, the insurers of traditional insurance products have consistently refused to identify potential liabilities arising from a chat room as equivalent to those from the activities in a physical room of the insured premise (e.g., how lawyers’ risks are redefined may be found at http://www.brunswickcompanies.com/pl-cyber-liability-insurance.html).
Essentially, on many occasions, the insured firms find themselves frustrated between the way they interpret the standard insurance contracts and the way the providers of insurance prefer to exclude information assets from them. As a result, in more recent liability insurances, property damage excludes computer data from the definition of tangible property. Amendments like these have created gaps in the coverage of the firms, creating the need for insurance products specifically designed for cyber losses. Liability clauses affected by such gaps are inadvertent distribution of malice (e.g., virus), unauthorized use of company information (e.g., meta tagging or deep linking of Web resources), intellectual property infringement/distortion (e.g., Web content and graphics), and loss of privacy issues, to name a few. Moreover, there are certain risks that are new and characteristic of IT assets only, yet pose significant potential losses to firms (e.g., DDoS, cyber extortion, etc.).

Clearly, there is a need for specialized insurance products that could help manage the residual risks remaining after the technological controls are placed, or for those risks now falling through the cracks of interpretation from traditional insurance contracts.

The Fundamental Decisions in Cyber Insurance

First, technology alone cannot mitigate all the IT risks, meaning that the firm must manage some residual risk; and second, budgetary considerations rarely provide for all the countermeasures, meaning that the firm must accept and live with some amount of unmitigated IT risks. It is between these two considerations that the utilization of cyber insurance products falls: a standard pattern tends to emerge as a firm contemplates how to manage its information risks. The firm attempts to transfer that part of the risks it may neither control in a cost-effective fashion with current technologies nor accept (and live with) without exposing itself to potential catastrophic outcomes. The transfer of this part of the risk is achieved through the vehicle of cyber insurance.

In what follows, we briefly describe an elegant framework for utilization of cyber insurance products in the management of IT security risk provided by Gordon et al. in their 2003 CACM article.7

Their model framework suggests that a firm first needs to assess its risks that arise out of the abuse/unuse/misuse of data and information assets. Integral in this are the creation and ranking of threat-vulnerability pairs in an appropriate scale of “severity.” The threat-vulnerability pairs, which contribute to the highest proportion of security risks, are then subjected to technology controls (e.g., firewall, encryption technologies, etc.), as long as the process remains cost effective. The residual risks, which still remain after all these technological controls are already in place, are then addressed with the help of cyber insurance products. Subsequently, the firm must create a maintenance regime that can tune the technological controls and readjust the cyber insurance coverage on a regular basis to take care of the exposures from new threats and vulnerabilities for times to come.

In the same work, Gordon et al. also provide a four-step decision process that could operationalize the above framework into an organization-specific implementation. They suggest that a firm should

1. Audit all its information resources vis-à-vis the threats and vulnerabilities that could affect those resources, and assess the dollar value of the total exposure.

2. Check the existing coverage from all existing insurance contracts. (This process would likely point out the gaps in coverage that we have already discussed in an earlier section.)

3. Research and investigate cyber insurance providers and their products with special consideration to exclusion and mandatory observation clauses; and

4. Select only those contracts that complement the firm-specific IT risk scenario as managed with the help of technological and other organizational controls together.
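The framework and the four steps above, made concrete in Python as an added example. This is not code from the reading or from Gordon et al.; it is one way to implement the pattern they describe: rank threat-vulnerability pairs by severity (here, annual probability times loss), adopt a control only while it removes more expected loss than it costs, measure the residual exposure, and compare it with existing coverage to find the gap a cyber insurance contract would need to fill. The pair names, probabilities, losses, control costs, reduction fractions and the existing-coverage mapping are all constructed assumptions.

```python
# Constructed threat-vulnerability pairs: (name, annual probability, loss in millions).
# Values are illustrative assumptions, not figures from the reading or Gordon et al.
THREAT_VULN_PAIRS = [
    ("external attacker x unpatched web server", 0.30, 2.0),
    ("insider x unrestricted database access",    0.10, 5.0),
    ("malware x missing endpoint protection",     0.40, 0.5),
    ("DDoS x single-homed e-commerce site",       0.05, 8.0),
]

# Candidate technological controls (constructed): the pair each one addresses,
# its annual cost in millions, and the fraction of that pair's probability it removes.
CONTROLS = [
    ("patch management programme", "external attacker x unpatched web server", 0.15, 0.80),
    ("database access controls",   "insider x unrestricted database access",   0.10, 0.60),
    ("endpoint protection suite",  "malware x missing endpoint protection",    0.25, 0.90),
    ("DDoS scrubbing service",     "DDoS x single-homed e-commerce site",      0.50, 0.70),
]


def severity(prob, loss):
    """Annualised expected loss, used here as the severity scale for ranking."""
    return prob * loss


def rank_pairs(pairs):
    """Step 1: rank threat-vulnerability pairs by severity, highest first."""
    return sorted(pairs, key=lambda p: severity(p[1], p[2]), reverse=True)


def apply_cost_effective_controls(pairs, controls):
    """Step 2: adopt a control only while it is cost effective, i.e. the expected
    loss it removes exceeds its annual cost. Returns (adopted controls, residual pairs)."""
    residual = {name: (prob, loss) for name, prob, loss in pairs}
    adopted = []
    for ctl_name, pair_name, cost, reduction in controls:
        prob, loss = residual[pair_name]
        risk_removed = severity(prob, loss) * reduction
        if risk_removed > cost:
            adopted.append(ctl_name)
            residual[pair_name] = (prob * (1 - reduction), loss)
    return adopted, [(name, p, l) for name, (p, l) in residual.items()]


def residual_exposure(pairs):
    """Step 3: expected annual loss that remains once the adopted controls are in place."""
    return sum(severity(p, loss) for _, p, loss in pairs)


def worst_case_exposure(pairs):
    """Largest single loss still possible: what a catastrophic year would cost."""
    return max(loss for _, _, loss in pairs)


def coverage_gap(pairs, existing_coverage):
    """Step 4: compare each residual loss with limits already in force
    (existing_coverage maps pair name -> insured limit, a constructed input)
    to find what a cyber insurance contract would need to pick up."""
    gap = {}
    for name, _, loss in pairs:
        uncovered = max(loss - existing_coverage.get(name, 0.0), 0.0)
        if uncovered > 0:
            gap[name] = uncovered
    return gap


def run_framework(pairs=THREAT_VULN_PAIRS, controls=CONTROLS, existing_coverage=None):
    existing_coverage = existing_coverage or {}
    ranked = rank_pairs(pairs)
    adopted, residual = apply_cost_effective_controls(ranked, controls)
    return {
        "ranked": [name for name, _, _ in ranked],
        "controls_adopted": adopted,
        "residual_expected_loss": residual_exposure(residual),
        "residual_worst_case": worst_case_exposure(residual),
        "coverage_gap": coverage_gap(residual, existing_coverage),
    }


if __name__ == "__main__":
    # Assume an existing liability policy already covers 1.0M of the insider pair only.
    result = run_framework(existing_coverage={"insider x unrestricted database access": 1.0})
    for key, value in result.items():
        print(f"{key}: {value}")
```

On these inputs the patching and database-access controls pay for themselves and are adopted; the endpoint suite and the DDoS scrubbing service cost more than the expected loss they remove and are rejected, so the low-probability, $8 million DDoS outcome survives as the largest uncovered residual. That is exactly the kind of risk the reading says a firm can neither control cost-effectively nor live with, and therefore the candidate for transfer through cyber insurance; the maintenance regime the reading calls for amounts to re-running this calculation as probabilities, losses and control costs change.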

The Providers and Their Cyber Insurance Products

We begin with a discussion on the specific types of coverage that the cyber insurance products provide. First-party coverage refers to losses that accrue directly at the insured firm. These are the losses that the insured firm suffers when data, information, or network assets become unavailable for use in their business processes. For example, first-party cyber insurance contracts could cover losses arising out of business interruption caused by accidental data loss, or a network failure because of an attack by hackers. Other contracts in this category could provide for the expenses associated with the recovery of data after a breach or accident. One popular category of cyber products here relates to criminal extortion, especially from threats of DDoS attacks. E-commerce and other pure-presence firms, which must depend on their bandwidth to ensure a steady flow of revenue, are often the victims of DDoS attacks, and may find this type of cyber insurance product quite helpful in their IT security management programs.

Cyber insurance products are also available for third-party cyber losses. Such losses relate to those liability issues that typically afflict the firm in an indirect fashion. For example, in case a firm loses customer data, it could become responsible for restitution of the financial loss that the customer suffers from the resulting identity theft. Cyber contracts could cover such third-party losses and provide the compensation on behalf of the insured firm. Third-party contracts also exist for liabilities in media usage (e.g., Web publishing, Web chat, email copyright, etc.) or for other Internet liabilities when the computers or other network resources of a firm are unwittingly utilized in a botnet to stage cyber attacks on other firms.8

As the utilization of information and network assets exploded over the last decade in terms of penetration and intensity of use, cyber insurance providers have also attempted to provide products that are either more focused or provide higher coverage. As part of their focused strategy, providers of cyber insurance are also offering market-specific cyber insurance products. For example, Ace USA now offers products that apply to the financial services industry only.

One aspect of cyber insurance contracts that has shown definite maturity is the IT risk assessment process, which is often a prerequisite for a cyber insurance contract. (Many major insurance carriers now provide managed assessment service along with possible cyber insurance contracts.) This process could include administration of self-assessment questionnaires as well as on-site audits as deemed fit for the case in hand. Elaborate self-assessment questionnaires could require documentation for several of the following:*

1. Enterprise-specific, issue-specific, technical, and organizational policies, their governance and management;

2. Physical security measures of information assets and networks, physical and biometric access controls, building security and third-party managed services;

3. Configurations, rules, procedures, and maintenance schedules for operating systems of all network nodes and routers;

4. Business continuity planning including incident response, disaster recovery with backup and recovery programs and histories;

5. Security Education, Training and Awareness (SETA) policies and program details; and

6. Specifics of vulnerability monitoring and software patch management in the IT security maintenance program.

*One detailed questionnaire for a cyber insurance module for network security can be accessed from AIG at http://www.aig.com/Network-Security-and-Privacy-Insurance-(AIG-netAdvantage)_20_2141.html under the heading of Network Security Self Assessment.

The major providers of cyber insurance today are AIG, Ace, AON, Chubb, CNA, Lloyd’s, St. Paul Travelers, and Zurich. The coverage for cyber property and theft in these insurance products includes destruction of data or software, recovery from virus attacks, data loss, business interruption, DoS, cyber extortion, and terrorist attacks, while the liability provisions include those of media injury, copyright, and network security issues (the Betterly report, June 2006).

The major players in cyber insurance offer a fairly exhaustive set of choices, a vast improvement over the first-generation cyber insurances of a decade ago. In reality, the cyber insurance products are now differentiated in the way they are bundled. For example, AIG offers an array of products selectively grouped across individual coverage options. AIG’s NetAdvantage line of products is indeed a set of bundled products, each offering different combinations of risk mitigation capabilities (Figure 4A-1). Competitors of AIG have responded similarly in the individual coverage; cross-differentiated bundles are now offered by the major insurance providers. Unlike the first cyber insurance products that focused on first-party losses, cyber insurance products now cater to the emerging need of third-party liability insurance. As we have discussed before, one major reason for much emphasis on cyber liability is the fact that the data assets are increasingly being considered as a special type of asset as against the usual physical assets. This has resulted in the liabilities from data assets not being covered by the standard business liability insurances.

The premiums for cyber insurance can vary depending on the type and size of business, the intensity of information goods and assets in the firm’s business processes, the extent of policy and technological controls, and on other existing cyber insurance coverage. A typical cyber insurance premium could fall from 0.5% to 6% of coverage for a million dollar coverage (for coverage details, see an article by Mollie Niel, Protecting your assets with cyber insurance at http://smallbusinessreview.com/technology/Protect_Your_Assets_With_Cyber_Insurance/). Unlike more conventional products, the cyber insurance products do not have a high volume of sales, and still do not benefit from the economies of scale. The cost of writing cyber insurance is still high, and there is much subjectivity in the process of evaluation of cyber risk.

The Outlook for Cyber Insurance

Early estimates of the size of the cyber insurance market, made at the beginning of the 1990s, were high.9 Although cyber insurance products have come a long way, especially compared to the first-generation hacker insurance products offered in the early 1990s, such expectations of market size have not been realized. The market, by popular estimates, is still below the billion dollar mark in premium revenue. The reasons for such lackluster growth of cyber insurance markets have been explained from several angles. Our inability to accurately and objectively calculate losses from information assets is possibly the most accepted reason. Other possible reasons are the accounting difficulties of losses, the dearth of actuarial data, and the inexperience of IT managers in utilization of insurance in their cyber risk management programs. The lack of acceptance/use of cyber insurance products has affected the economy of scale that the insurance industry enjoys in other standard products: thus, contract-writing costs are high on an individual cyber insurance contract, and products are generally perceived to be expensive.

List of Coverage: 1) Network Security Liability, 2) Web Content Liability, 3) Internet Professional Liability, 4) Network Business Interruption, 5) Information Asset Coverage, 6) Identity Theft, 7) Extra Expense, 8) Cyber Extortion, 9) Cyber Terrorism, 10) Criminal Reward Fund, 11) Crisis Communication Fund, 12) Punitive, Exemplary and Multiple Damages, 13) Physical Theft of Data on Hardware/Firmware

Figure 4A-1 NetAdvantage Line of Bundled Products from AIG10 (Source: Majuca, R. P., Yurcik, W., Kesan, J. P., The Evolution of Cyberinsurance, 2006, http://arxiv.org/ftp/cs/papers/0601/0601020.pdf)

There is no denying the fact that insurance can play an important role in the management of cyber risks in today’s businesses (http://www.cl.cam.ac.uk/~rja14/econws/53.pdf). As a matter of fact, in the brick-and-mortar side of the economy, the insurance industry drives the security and safety industries in a big way. Thus, it appears natural to expect that the same could happen to the cyber security industry. However, before that, the risks that unuse/misuse/abuse of data, information, and network assets pose to the general business processes must be understood, and then integrated in the organizational risk management programs. IT managers are technologically oriented and skilled, while organizational risk managers share different philosophies in the way they look at organizational risks in general. Unless these two groups of managers share a common process of assessment of cyber risk, and address them in a unified fashion, the real impetus for the growth of cyber insurance products could remain elusive.


Case 4C Overview

This case describes the issues associated with a small business entrepreneur who relies on information technology to provide the competitive edge in his video business. Background on the business, the business owner, the employees, and the technology used is included to create the environment for the exploration of ideas.

Introduction

On a cold day in January, Richard Maze sat in his favorite café with a regular cup of coffee and the morning newspaper. The front page headline caught his eye; it read “Information stolen, business being sued.” Immediately, Richard looked to see what business had been compromised. He thought to himself—it can’t be a small-sized business like Video Maze; it must be a multinational company for there to be so much hype. Upon further review, however, Richard was amazed to see the company in question was very similar to his own both in size and structure. Although the business was similar in structure, the function differed. All of these things set Richard to thinking—what do I have in place for my business? Next year I am planning to expand operations by adding another location in a city 20 miles away. Will my current system setup carry over to the new location? Can I interface the two systems and operate my computer services at a cost savings?

With these questions in mind, Richard set out to determine how to more efficiently run his business, while at the same time protect it from the range of new problems in security and operations associated with the continuously changing IT sector.

Business Background

Video Maze opened in the downtown area of the heavily populated city of Millville, by Richard Maze in 2005. Video Maze later registered the business name as DVD Video Maze, and as the new title indicated, both DVDs and videos were for sale or rental. The video/DVD business had been the primary operation, but a variety of amenities available from the coffee bar made the video selection a pleasure for customers rather than a task. Customers could sit at one of the 10 PCs and view movie choices by searching the online database with key words or favorite titles rather than walk the perimeter of the store trying to read empty video cases. Not only could the choices be viewed in the store, but they could be viewed in the comfort of the customer’s home. Customers could send an email to the shop to make or confirm a movie reservation instead of doing it through the Web page. At pickup, employees requested the customer’s reservation code to call up their record for processing. At this point, the exchange was made, the customer got the DVD or video, and the employee received the payment, which was entered into the system.

The coffee bar menu included tea/coffee, cappuccino, pop, juice, and water. Snacks included chips, bars, nachos, and other confectionary items. The goal was to make refreshments and snacks available to customers while using the computers, or to take home with them, for a reasonable price.

Figure 4C-1 Organization Chart (Courtesy Course Technology/Cengage Learning)

Owner/Operator: Richard

Manager: Jenna

Confectionary Clerks: Sue, Brandon, Calvin, Meredith

Video/DVD Clerks: Brad, Sam, Harvey, Judy

Microcomputer Specialist: Chris

Customers could use the computers to check their email and browse the Internet and, therefore, receive an added benefit to their DVD Video Maze experience. Convenience, ease of use, and availability of the computers, which otherwise would be unused, lent more value to the social aspect of the business.

The impact of information technology on this business has yielded high returns in the past. Competitors were gradually shifting to online booking and soon it would be the industry norm. Future growth would depend on the efficiencies of the information system within the business.

Management and Staffing at Video Maze

The organizational structure was comprised of the owner/operator (Richard), the manager (Jenna), the techy (Chris), the video/DVD clerks (Brad, Sam, Harvey, Judy), and the confectionary clerks (Sue, Brandon, Calvin, and Meredith). See Figure 4C-1.

Each employee was permitted full access to the computer network for personal use during slow periods in the day. Richard tried to stress, however, that business operations were the first priority.

Richard’s educational background focused on the Arts. His entrepreneurial spirit was sparked from an urgency to experiment with the unknown adventures of business. When it came to technology, Richard admitted he was afraid of it. Richard relied heavily on the expertise provided by Chris. Richard had decided to offer Chris a challenge if Chris would agree to manage all IT-related areas for both the current and new business operations. If Chris accepted the challenge, he would receive a raise in pay.

Chris was self-taught and easy-going. His interest and excitement over processing power had traditionally caused him to exceed his hardware budget unnecessarily. Chris had been with the business a long time and reassured Richard that he stayed current with the changing IT industry.

(Whitman 99)


The video/DVD clerks ranged in experience levels for data entry and transaction processing. The transactions were processed in the DVD/video computer system. The coffee bar clerks provided the customer with the product and received the payment, thereby completing the transaction. The cash transactions were entered into the database as they occurred.

Hardware Specifications

The hardware configuration was a very important component of the business operations. Richard knew that the Ethernet network consisted of a bank of 10 PCs wired (cat 5e) in a star topology. Chris had prepared a network diagram and store layout as well as system hardware specifications for the servers, computers, and printers. This information is provided later in Figures 4C-2 and 4C-3 in the section called “Supplemental Information.”

Windows® 2003 was installed on the operational server. The other server, which was set up to mirror the operational server, was housed in the basement in the area that had a foundation. Chris was pleased with his planning and boasted of the online, up-to-date, current backup, which was ready to be used at any time. He figured this scenario was better than using CDs, DVDs, or tapes because it eliminated storage problems. Chris strongly believed that tape media was at risk of damage in a damp basement.

Software Specifications

Windows® 2003 comes with a default setup and Chris installed it with only one change. He created read/write access for all DVD Video Maze employees, and a multi-user customer login “video” with the password “maze.” Chris left inactive accounts from past years installed for testing on the system.

Chris had set up each of the PC workstations to perform standard functions for the customers, which included the search and selection of titles from the DVD/video database, the option to view the clips of the titles and to reserve the title from the computer bank in-house or from home. The software used for this was Microsoft Access® database interfaced with a Web page form. The Web page was located on the main server. The fees for Internet access were monthly. The PCs had a browser installed to access the Internet via the local ISP. Chris felt that some of the software bundled with the PCs at the time of purchase were not necessary and, therefore, did not install them. See the following section of supplemental information for a complete list of the bundled software. Norton Security software was resident on all systems but was not active.

Any user/customer could log in to a PC, modify or save any kind of files to the hard drive, anywhere on the network except for Chris’s. Chris set himself up as administrator on the server and used administrator access rights only to clear log files accruing on the server. If he could have figured out how to stop log files from being created, he would put an end to them.

The cash systems accessed the database to view the customer’s selection and ultimately processed the transaction and updated the inventory table. The interface to interact with the Microsoft Access® database and perform cash register functions was developed years ago by an old friend of Chris’s. Additional staff information such as scheduled shifts and employee records were also a part of the same Microsoft Access® database.

(Whitman 100)

Chris designed the business database in Microsoft Access® 2007. The database had multiple tables and multiple keys. The key for the tables associated with the customer was the customer number. The key associated with the timesheets and payroll information was the employee number. Chris used remote software to log in and fix problems from home or elsewhere.

Chris figured all customers knew their customer number so it made a perfect key for entering transactions. As a precaution, Chris printed a list of all customers and their associated numbers just in case a customer forgot their number. The video/DVD clerks found this a nuisance at peak times and often relied on guesses to put customer numbers in. Chris set up the same scenario for employee numbers.

Some of the fields from Chris’s notes included:

Customer: Customer_Number, First_Name, Last_Name, Address, Telephone, Customer_balance

Membership: Member_Number, Status, Discount_rate, Member_fee, Date_joined

Employee: Emp_id, Emp_number, Emp_Fname, Emp_Lname, Emp_Address, Emp phone, Emp_SIN, Emp_rate, Emp_Tax_rate, Emp_hours, Emp_YTD, Emp_ded1, Emp_ded2, Emp_ded3, Emp_ded4, Emp_ded5, Emp_shift

Confectionary: Confectionary_code, Confectionary_desc, Confectionary_price

Video: Video code, Video description, Video availability, Video reserved, Video rate, Video rental price

DVD: DVD code, DVD description, DVD availability, DVD reserved, DVD rate, DVD rental price

Transaction: Transaction_id

(Whitman 101)


When the field naming system had been devised, Chris had told Richard that he jotted down the fields quickly and might be missing some information but “it wasn’t a concern” because anyone could get the idea of what the labels represented.

Business Operations

Richard noted that one of his employees always sat at the computer farthest away from everyone. He never seemed to share his Internet search results with anyone and was consciously monitoring anyone who sat at that same computer. Richard asked Chris if there was any chance that Brad could be using the computer inappropriately and if he would be legally obligated and possibly have his computer equipment confiscated. Chris did not know the answer to Richard’s question.

Some of the employees had received complaints from customers. Some customers said it took forever to access the DVD/Video Maze Web page, and when they did get into the system, it took a long time to process their selection. Chris told the clerks the system was like anything else: it has good days and bad days and there was nothing to be concerned about. He said the backup server was online and ready to go if the main server crashed.

As for business reporting, every couple of months Chris met with Richard to discuss improvements for the computer aspects of the operation. Each time, Chris spoke in technical language emphasizing the need for replacement or for upgrades to the existing systems. Richard, unfamiliar with the lingo, invested additional dollars trying to stay on top of the technology wave. Chris believed speed was what the customers wanted when searching the database and insisted that hardware was the way to go. Chris believed the computer bank should be upgraded constantly.

Chris reassured Richard that the business expansion discussed earlier was simple. He said the new operation required onsite hardware the same as the current site and another ISP connection. All transactions and business processing could be processed at the main site (current site).

With respect to working hours, Chris logged many hours of work and ultimately received a paycheck greater than anyone else working at Video Maze, including Richard. Richard felt this was fair considering his lack of knowledge when it came to IT.

Chris’s time was usually devoted to removing files from the system hard drives. Chris had asked Richard to approve specifications to upgrade all the hard drives. Chris felt the upgrade would pay for itself by reducing the number of hours he spent cleaning the hard drives.

Employees were permitted to check their email account during break time. Several months ago, during one of Chris’s breaks, he noted an email from a friend in the industry, which included an attachment about server disaster guidelines (see the Windows 2000 Server Disaster Recovery Guidelines in the section of Supplemental Information later in this case). Chris felt he didn’t have the time to read it now but put it in his “to do” pile. He figured it was outdated anyway. He never did seem to get the time to read emails like this and others.

The Situation and Alternatives

After his eye-opening experience while having coffee that January morning, Richard decided that he would contact Chris, his PC specialist, to discuss the current system. During their conversation, Chris firmly stated the system was secure and that there was no way business information could be compromised. Chris refused to even consider the possibility of risk and told Richard he did not have the time to “fool around” with unimportant tasks such as an assessment on a system he knew by heart. Chris did agree, however, to give Richard permission to pass on his notes on the system and setup to someone else, if Richard really felt it was necessary to have an assessment conducted.

After the discussion with Chris, Richard decided to contact his good friend Paul, who was an IT instructor at the local university. Paul suggested having a group of his competent students investigate and observe the business operation with the intent of producing a threat and risk assessment document. A time was set up for Richard to speak with the class, and once the meeting was over, Richard felt he had been well received by the Systems Security, Audit, and Control class. He also felt assured that the students would meet the challenge. Richard passed the business information on to the students. He was, however, unable to answer any additional questions other than the information provided by Chris by way of his notes and his own knowledge.

Conclusion

It was now several weeks since Richard had given the students the details, and in that time Richard was doing a lot of thinking. A threat and risk assessment might answer the security question, but not the business expansion question and vice versa. Is the business system secure? Is the business system scalable to accommodate a second business at a different location? Is Richard responsible for the security of his customers’ information? Is Richard responsible for the actions of his employees in the workplace? Are there any inefficiencies in the system or the business that could be corrected? He looked forward to receiving the students’ response, and he hoped their analysis would shed light on some of these important questions.

(Whitman 103)
