CH 05

The document discusses various types of cyberthreats including hacking, phishing, malware, and denial of service attacks. It describes the different sources of cyberthreats such as human error, environmental hazards, and computer systems failures. The document also provides examples of some of the largest data breaches in 2016 and their impacts.


IT for Management: On-Demand Strategies for

Performance, Growth, and Sustainability


Eleventh Edition
Turban, Pollard, Wood

Chapter 5

Cybersecurity and Risk Management


Technology
Learning Objectives (1 of 5)
Copyright ©2018 John Wiley & Sons, Inc. 2
The Face and Future of Cyberthreats

Figure 5.1: Number of 2016 U.S. Data Breaches by Industry Sector. The number
of cyberthreats in which data records have been stolen by hackers has increased
at an alarming rate.

Cyberthreat Terminology
• Cyberthreat is a threat posed by means of the Internet (a.k.a.
cyberspace) and the potential source of malicious attempts to
damage or disrupt a computer network, system, or application.
• Vulnerability is a gap in IT security defenses of a network,
system, or application that can be exploited by a threat to gain
unauthorized access.
• Incident is an attempted or successful unauthorized access to a
network, system, or application; unwanted disruption or denial
of service; unauthorized use of a system for processing or
storage of data; changes to a system without the owner’s
knowledge, instruction, or consent.
• Data Breach is the successful retrieval of sensitive information by
an individual, group, or software system.
Figure 5.2 The three objectives of data and information systems security

2016 Biggest Data Breaches Worldwide
Company                             | Type of Breach                                                 | Records Breached
Anthem Insurance                    | Identity theft—healthcare records                              | 78.8 million
Turkish General Directorate         | Identity theft—malicious outsider (government agency)          | 50 million
Korean Pharmaceutical Info. Center  | Identity theft—malicious insider                               | 43 million
U.S. Office of Personnel Management | Personally Identifiable Information (PII) (government agency)  | 22 million
Experian                            | Identity theft—malicious outsider (credit bureau)              | 15 million

Major Sources of Cyberthreats (1 of 2)
Unintentional cyberthreats can be caused by
o Human error (a majority of internal security issues)
• Poorly designed systems
• Faulty programming
• Neglecting to change passwords
• Unaware users
o Environmental hazards
• Natural disasters
• Faulty HVAC systems
o Computer systems failure
• Poor manufacturing or maintenance

Major Sources of Cyberthreats (1 of 2)
Intentional Threats
Examples of intentional threats include data theft such as
inappropriate use of data (e.g., manipulating inputs); theft of
computer time; theft of equipment and/or software; deliberate
manipulation in handling, entering, programming, processing, or
transferring data; sabotage; malicious damage to computer
resources; destruction from malware and similar attacks; and
miscellaneous computer abuses and Internet fraud.

Major Sources of Cyberthreats (1 of 2)
Unintentional threats fall into three major categories:
1. Human error can occur in the design of the hardware or
information system. It can also occur during programming, testing,
or data entry.
Neglecting to change default passwords in applications or on
systems or failing to manage patches creates security holes.
Human error also includes untrained or unaware users falling prey
to social engineering like phishing scams or ignoring security
procedures.
Human errors contribute to the majority of internal control and
information security problems.

Major Sources of Cyberthreats (1 of 2)
2. Environmental hazards include volcanoes, earthquakes, blizzards,
floods, power failures or strong fluctuations, fires (the most
common hazard), defective heating, ventilation and air-
conditioning (HVAC) systems, explosions, radioactive fallout, and
water-cooling-system failures.
In addition to the primary damage, computer resources can be
damaged by the side effects of a hazard, such as smoke and water.
Such hazards may disrupt normal computer operations resulting in
extended data inaccessibility and exorbitant restoration and
recovery costs.

Major Sources of Cyberthreats (1 of 2)
3. Computer systems failures can occur as the result of poor
manufacturing, defective materials, or poor maintenance.
Unintentional malfunctions can also occur for other reasons,
ranging from administrator inexperience to inadequate testing.

Major Sources of Cyberthreats (2 of 2)
• Some intentional forms of cyberthreats are:
o Hacking
o Phishing
o Crimeware
o Distributed Denial of Service (DDoS)
o Insider and Privilege Misuse
o Physical Theft

Intentional Cyberthreats: Hacking
• Hacking is broadly defined as intentionally accessing a computer
without authorization or exceeding authorized access.
There are three types of hackers:
• White Hat: Computer security specialist who breaks into
protected systems and network to test and assess their security.
• They use their skills to improve security by exposing
vulnerabilities before malicious hackers (black hats) can detect
and exploit them.

Intentional Cyberthreats: Hacking
• Black Hat: Person who attempts to find computer security
vulnerabilities and exploit them for personal and/or financial
gain, or other malicious reasons.
• Can inflict major damage on both individual computer users and
large organizations by stealing personal financial information,
compromising security of major systems, or shutting down or
altering the function of websites and networks.

Intentional Cyberthreats: Hacking
• Gray Hat: Person who may violate ethical standards or principles,
but without the malicious intent ascribed to black hat hackers.
• Hacktivist: is short for hacker-activist, or someone who performs
hacking to promote awareness, or otherwise support a social,
political, economic, or other cause.

Intentional Cyberthreats: Spear Phishing
• Spear phishers often target select groups of people with
something in common
• Tricks users into opening an infected email
• Emails are sent that look like the real thing
• Confidential information extracted through seemingly
legitimate website requests for passwords, user IDs,
PINs, account numbers, and so on.

Intentional Cyberthreats: Crimeware
• Malware refers to hostile or intrusive software, including
computer viruses, rootkits, worms, Trojan horses,
ransomware, and other malicious programs used to disrupt
computer or mobile operations, gather sensitive information,
or gain access to private computer systems.
• Spyware is tracking software that is not designed to
intentionally damage or disable a system but to monitor or
track activities.
• Adware is software that embeds advertisements in an
application.
• Ransomware is a type of malware that is designed to block
access to a computer system until a sum of money has been
paid.
Intentional Cyberthreats: Variants
• Malware Reinfections, Signatures, Mutations, and
Variants
o Malware is captured in backups or archives. Restoring the
infected backup or archive also restores the malware.
o Malware infects removable media and can reinfect a host
years later when the media is accessed again.
o Most antivirus (AV) software relies on signatures to identify
and then block malware.

Intentional Cyberthreats: Botnets
• A botnet is a group of external attacking entities and is
a totally different attack method/vector from malware,
which is internal to the system.
• A group of infected computers, called zombies, can be
controlled and organized into a network of zombies on
the command of a remote botmaster (also called a bot
herder).

Intentional Cyberthreats: Denial of
Service Attacks
• Distributed Denial-of-Service (DDoS) crashes a network or
website by bombarding it with traffic (i.e., requests for service)
and effectively denies service to all those legitimately using it,
leaving it vulnerable to other threats.
• Telephony Denial-of-Service (TDoS) floods a network with
phone calls and keeps the calls up for long durations to
overwhelm an agent or circuit and prevent legitimate callers,
such as customers, partners, and suppliers, from using network
resources.
• Permanent Denial-of-Service (PDoS) prevents the target’s
system or device from working. Instead of collecting data or
providing some on-going perverse function, its objective is to
completely prevent the target’s device(s) from functioning.
Intentional Cyberthreats: Internal
Threats
• Internal threats from employees can be some of the
most challenging to defend against
• Data tampering is a common means of internal attack
o Refers to an attack during which someone enters false or
fraudulent data into a computer, or changes/deletes existing
data
o Data tampering is extremely serious because it may not be
detected; the method often used by insiders and fraudsters

New Attack Vectors
• Attack Vector is a path or means by which a hacker can
gain access to a computer or network server in order to
deliver a malicious outcome.
• Mobile devices and apps, social media, and cloud
services introduce even more attack vectors for
malware, phishing, and hackers.
• Malicious (rogue) apps can serve up Trojan attacks,
other malware, or phishing attacks.
• Found in the Google Play Store for Android phones.

The Face and Future of Cyberthreats
Review
1. Define and give an example of an intentional threat and an unintentional
threat.
2. Why might management not treat cyberthreats as a top priority?
3. Describe the differences between distributed denial-of-service (DDoS),
telephony denial-of-service (TDoS), and permanent denial-of-service (PDoS).
4. Why is social engineering a technique used by hackers to gain access to a
network?
5. List and define three types of malware.
6. What are the risks caused by data tampering?
7. Define botnet and explain why they are dangerous.
8. Why is Ransomware on the rise? How might companies guard against
ransomware attacks?

Learning Objectives (2 of 5)
Cyberattack Targets and Consequences
• Managers make the mistake of underestimating IT
vulnerabilities and threats, and appear detached from
the value of confidential data (even high-tech
companies).
• Targets for cyberattacks include critical infrastructure,
theft of intellectual property, identity theft, BYOD, and
social media.
• These attacks can be “high profile” or “under the
radar”.

High Profile and Under the Radar
Attacks
• Advanced Persistent Threats (APT)
o Launched by an attacker through phishing to gain access to the
enterprise’s network
o Designed for long-term espionage
o Profit-motivated cybercriminals often operate in stealth mode to continue
long-term activities
• Hackers and hacktivists, commonly with personal agendas, carry
out high-profile attacks to further their causes.
o Anonymous and LulzSec are two hacker groups who have committed
daring data breaches, data compromises, data leaks, thefts, threats, and
privacy invasions.

Critical Infrastructure Attacks

Figure 5.3 U.S. Critical Infrastructure Sectors.


Critical infrastructure is defined as systems and assets so vital to the country that
their incapacity or destruction would have a debilitating effect.

Theft of Intellectual Property
• Intellectual Property is a work or invention that is the
result of creativity that has commercial value.
• Includes copyrighted property such as a blueprint,
manuscript or a design, and is protected by law from
unauthorized use by others.
• Intellectual property can represent more than 80% of a
company’s value.
• Losing customer data to hackers can be costly and
embarrassing but losing intellectual property,
commonly known as trade secrets, could threaten a
company’s existence.
Identity Theft

• One of the worst and most prevalent cyberthreats is
identity theft.
o Made worse by electronic sharing and databases
o Businesses reluctant to reveal incidents in which their
customers’ personal financial information may have been
stolen, lost, or compromised

Bring Your Own Device (BYOD)
• Bring Your Own Device (BYOD): employees providing
their own (mobile) devices for business purposes to
reduce expenses by cutting purchase and maintenance
costs.
• Roughly 74% of U.S. organizations are using or planning
to use BYOD
• Cuts business costs by not having to purchase and
maintain employees’ mobile devices
• Security risk: mobile devices rarely have strong
authentication, access controls, and encryption even
though they connect to mission-critical data and cloud
services. Could also be lost or stolen.
Social Media Attacks
• Social networks and cloud computing increase
vulnerabilities by providing a single point of failure and
attack for organized criminal networks.
• FBI: social media-related events have quadrupled over
the past five years.
• Pricewaterhouse Coopers found that more than one in
eight enterprises has suffered at least one security
breach due to a social media-related cyberattack.
• Facebook scams were the most common form of
malware distributed in 2015.

Networks and Services Increase
Exposure to Risk
• Time-to-exploitation is the elapsed time between when a
vulnerability is discovered and when it is exploited

Cyberattack Targets and Consequences
Review
1. What is a critical infrastructure?
2. List three types of critical infrastructures.
3. How do social network and cloud computing increase
vulnerability?
4. Why are patches and service packs needed?
5. Why is it important to protect intellectual property?
6. How are the motives of hacktivists and APTs different?
7. Explain why data on laptops and computers need to be
encrypted.
8. Explain how identity theft can occur.

Learning Objectives (3 of 5)
Cyber Risk Management
• Risk is the probability of a threat successfully exploiting
a vulnerability and the estimated cost of the loss or
damage.
• Factors leading to an increased risk of cyberattack:
o Interconnected, interdependent, wirelessly networked
business environment
o Smaller, faster, cheaper computers and storage devices
o Decreasing skills necessary to be a computer hacker
o International organized crime taking over cybercrime
o Lack of management support

IT Defenses
• Some essential defenses organizations can institute to
defend against cyberattacks
o Antivirus Software: designed to detect malicious code and
prevent users from downloading it.
o Intrusion Detection Systems (IDSs): scan for unusual or
suspicious traffic (passive defense)
o Intrusion Prevention Systems (IPSs): are designed to take
immediate action—such as blocking specific IP addresses—
whenever a traffic-flow anomaly is detected (active defense)
• Security is an ongoing, unending process

Figure 5.7 Basic IT security concepts

Security Defenses for Mobiles
• Biometric Control is an automated method of verifying
the identity of a person, based on physical or behavioral
characteristics
o The most common biometrics are a thumbprint or fingerprint,
voice print, retinal scan, and signature.
• Mobile biometrics can significantly improve the security
of physical devices and provide stronger authentication
for remote access or cloud services.
• Voice biometrics are an effective authentication
solution across a wide range of consumer devices
including smartphones, tablets, and TVs.
Additional IT Defenses: Do-Not-Carry
Rules
• U.S. companies, government agencies, and
organizations may impose rules that assume mobile
technologies will inevitably be compromised.
o Only “clean” devices are allowed to be brought inside
o Devices are forbidden from connecting while abroad
o Some individuals carry no electronics on trips for compliance

Business Continuity Planning
• Business continuity refers to maintaining business
functions or restoring them quickly when there is a
major disruption
o A business continuity plan covers business processes, assets,
human resources, business partners
o Keeps the business running after a disaster occurs
o Covers fires, earthquakes, floods, power outages, malicious
attacks, and other types of disasters

Figure 5.8
Cyber Risk Management Review
1. Explain why it is becoming more important for organizations to
make cyber risk management a high priority.
2. Name four U.S. Government Regulations that relate to cyber risk
management.
3. What is the purpose of Rogue Application Monitoring?
4. Why is a mobile kill switch or remote wipe capability an
important part of managing cyber risk?
5. Why does an organization need to have a business continuity
plan?
6. Name the three essential cybersecurity defenses.
7. Name three IT defenses.
8. Why do companies impose do-not-carry rules?
Learning Objectives (4 of 5)
Defending Against Fraud
• Crime
o Violent crime involves physical threat or harm
o Nonviolent crime uses deception, confidence, and trickery by
abusing the power of one’s position or by taking advantage of
the trust, ignorance, or laziness of others; this is otherwise
known as fraud.
• Fraud
o Occupational fraud refers to the deliberate misuse of the
assets of one’s employer for personal gain.

Occupational Fraud Prevention and
Detection
• Corporate Governance
o Enterprise-wide approach greatly increases the prevention
and detection of fraud
• Intelligent Analysis
o Performs insider profiling to find wider patterns of criminal
networks.
• Anomaly Detection
o Audit trails from key systems and personnel records are used to
detect anomalous patterns, such as excessive hours worked,
deviations in patterns of behavior, copying huge amounts of
data, attempts to override controls, unusual transactions, and
inadequate documentation about a transaction.
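The anomaly-detection bullet above lists the kinds of audit-trail patterns an insider-fraud programme looks for. The following is an added example, not code from the textbook or its publisher, that runs those checks over a constructed weekly audit trail; the record layout, field names, thresholds and per-user baselines are all assumptions.

```python
"""Audit-trail anomaly checks for the chapter's "Anomaly Detection" bullet.

Added example, not code from the textbook.  The record fields, thresholds
and per-user baselines below are assumptions chosen for illustration.
"""
from statistics import median

# Constructed weekly audit-trail records (sample data, not real personnel records).
AUDIT_TRAIL = [
    {"user": "alice", "hours": 41, "bytes_copied": 120_000_000,
     "override_attempts": 0, "txn_amount": 1_200, "documented": True},
    {"user": "bob", "hours": 44, "bytes_copied": 80_000_000,
     "override_attempts": 0, "txn_amount": 950, "documented": True},
    {"user": "carol", "hours": 78, "bytes_copied": 200_000_000,
     "override_attempts": 0, "txn_amount": 1_100, "documented": True},
    {"user": "dave", "hours": 40, "bytes_copied": 25_000_000_000,
     "override_attempts": 0, "txn_amount": 1_000, "documented": True},
    {"user": "erin", "hours": 39, "bytes_copied": 50_000_000,
     "override_attempts": 3, "txn_amount": 48_000, "documented": False},
]

# Assumed per-user baseline of typical weekly hours from earlier periods.
BASELINE_HOURS = {"alice": 40, "bob": 42, "carol": 40, "dave": 40, "erin": 38}

# Illustrative thresholds; a real programme would tune these per role.
MAX_HOURS = 60                 # absolute cap on hours worked in one week
MAX_BYTES = 5_000_000_000      # 5 GB copied in one week
BEHAVIOUR_FACTOR = 1.5         # hours more than 1.5x the user's own baseline
TXN_RATIO = 10                 # amount more than 10x the peer-group median


def find_anomalies(records, baseline=BASELINE_HOURS):
    """Return {user: [flag, ...]} for every record that trips at least one rule.

    The transaction rule compares against the median of the batch rather than
    the mean, so one huge amount cannot drag the baseline up and hide itself.
    """
    if not records:
        return {}
    median_amount = median(r["txn_amount"] for r in records)
    findings = {}
    for r in records:
        flags = []
        if r["hours"] > MAX_HOURS:
            flags.append("excessive_hours")
        user_baseline = baseline.get(r["user"])
        if user_baseline and r["hours"] > BEHAVIOUR_FACTOR * user_baseline:
            flags.append("behaviour_deviation")
        if r["bytes_copied"] > MAX_BYTES:
            flags.append("bulk_data_copy")
        if r["override_attempts"] > 0:
            flags.append("control_override_attempt")
        if r["txn_amount"] > TXN_RATIO * median_amount:
            flags.append("unusual_transaction")
        if not r["documented"]:
            flags.append("inadequate_documentation")
        if flags:
            findings[r["user"]] = flags
    return findings


if __name__ == "__main__":
    for user, flags in find_anomalies(AUDIT_TRAIL).items():
        print(f"{user}: {', '.join(flags)}")
```

Each flag is only a lead for an auditor to follow up, not a finding of fraud on its own.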
Internal Controls (IC)
• A process designed to ensure that sensitive data are protected
and accurate, with the aim of achieving:
o Reliability of financial reporting, to protect investors
o Operational efficiency
o Compliance with laws, regulations, and policies
o Safeguarding of assets

Cyber Defense Strategies

• The major objectives of Defense Strategies are:
o Prevention and deterrence
o Detection
o Contain the Damage (damage control)
o Recovery
o Correction
o Awareness and compliance
• Auditing can provide an additional layer of safeguards.

Defending Against Fraud Review
1. What defenses help prevent occupational fraud?
2. What level of employee commits the most occupational fraud?
3. What is the purpose of internal controls?
4. What federal law requires effective internal controls?
5. Explain the concepts of Intelligence Analysis and Anomaly
Detection.
6. Name the major categories of general controls.
7. Explain authentication and name two methods of authentication.
8. What are the six major objectives of a defense strategy?

Learning Objectives (5 of 5)
Frameworks, Standards, and Models

• Current frameworks and standards have been
developed to address compliance:
o Enterprise Risk Management (ERM)
o Control Objectives for Information and Related Technology
(COBIT)
o Industry Standards, for example, Payment Card Industry Data
Security Standard (PCI DSS)

Enterprise Risk Management Framework
(ERM)
• Risk-based approach to managing an enterprise
• Developed by the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) ERM
• Integrates internal control, the Sarbanes-Oxley Act
mandates, and strategic planning
• Consists of eight components, listed in Table 5.13

Figure 5.11 COBIT 5 Principles
COBIT 5 is the leading framework for the governance and security of IT
Industry Standards: Payment Card Industry
Data Security Standard (PCI DSS)
• Created by Visa, MasterCard, American Express, and
Discover
• Requires merchants and card payment providers to
make certain their Web applications are secure
• Improves customers’ trust in e-commerce
• Increases the Web security of online merchants
• Penalties for noncompliance are severe

Figure 5.12 IT security defense-in-depth model.

Frameworks, Standards, and Models Review
1. Who created the Enterprise Risk Management Framework (ERM)?
What is its purpose?
2. What are the 5 principles of COBIT 5? Explain.
3. Why do industry groups have their own standards for cybersecurity?
Name one standard.
4. Are measurements of direct costs sufficient to reflect total damage
sustained by a cyberattack?
5. What 4 components comprise the IT Security Defense-in-Depth model?
6. What are the 4 steps in the IT Security Defense-in-Depth IT security
model?
7. Explain why frameworks, standards, and models are important parts of
a cybersecurity program.

Copyright
Copyright © 2018 John Wiley & Sons, Inc.
All rights reserved. Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Act without the express written permission of the
copyright owner is unlawful. Request for further information should be addressed to the
Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies
for his/her own use only and not for distribution or resale. The Publisher assumes no
responsibility for errors, omissions, or damages, caused by the use of these programs or
from the use of the information contained herein.
