BUSI 1401

Foundations of Information Systems

Lecture 4
Ch04-Information Security

Arthur So, Ph.D.

[email protected]
.
Recap Week03

• Ethics
• Definition
• Dilemmas
• Ethical Standards (5) for Corporations
• Opt-in/out for Informed Consent
• Privacy
• Areas of Concern
• Principles of Collection, Disclosure, and Usage
• Acts – PIPEDA and PHIPA
• Good Security  Good Privacy
• How much electronic surveillance is too much?
Security

• Policy is typically a document that outlines specific requirements or rules

that must be met. Usually, issue-specific, covering a single area.

• Standard is typically a collection of system-specific or procedural-specific

requirements that must be met by everyone. Typically to be followed exactly
to ensure compliance.

• Guideline is typically a collection of system-specific or procedural-specific

suggestions for best practice. Not a requirement but strongly recommended.

• Procedure is the specific details of how the policy is to be implemented.

• Best Practice is the specific commercial or professional procedures to be

implemented and considered to be the most effective
Standards

Standardization Back Then:

 Early American efforts generated standards for building and evaluating secure
systems and standards for cryptography
 1974 - Standards for emanations (called TEMPEST)
 1977 - DES was adopted as the US Gov standard for cryptography

 In the early 1980’s the US DoD released the Trusted Computer System Evaluation
Criteria.
 This book had an orange cover and became known as the Orange Book.
 Based largely on the Multilevel Security model developed by Bell and
LaPadula

 Canadian Trusted Computer Product Evaluation Criteria, Version 3.0e;

January 1993

 Canada, France, Germany, the United Kingdom and the United States agreed on a
Common Criteria for Trusted Computers in 1998
Standards

Standardization Today:
• The National Institute of Standards & Technology (NIST)
 Health Insurance Portability & Accountability Act (HIPAA)
1996
HIPAA established a national standard for the security of electronic health information,
including the protection of individually identifiable health information, the rights granted to
individuals, breach notification requirements, and the role of the OCR (Office for Civil
Rights)

• General Data Protection Regulation (GDPR)

Mandatory privacy-based statutory regulations for enterprises processing or
controlling private personal data belonging to EU citizens
• ISO/IEC 27000 (27001 & 27002)
A growing family of ISO/IEC Information Security Management Systems
(ISMS) standards, called the 'ISO/IEC 27000 series’
Standards

• Payment Card Industry Data Security Standard (PCI-DSS)

This data security standard is mandatory for most enterprises collecting, processing and
storing payment card data in 2004 (American Express, Visa, and Mastercard)

• Internal Standards
Each enterprise has specific requirements to control risks and guard against liabilities
that are unique to their business or industry
Security

• CIA helps to define what you are trying to

protect using 3 elements
• Confidentiality
• Integrity
• Availability

Information Security
Security
• The traditional CIA Triad is expanded to
the 3 dimensions of Cybersecurity
Called the Cybersecurity Cube, or
cybersecurity sorcery cube

1st Dimension is the CIA Triad

2nd Dimension of the Cybersecurity Cube

focuses on the problem of protecting all the
states of data in the cyber world
(Transmission, Storage, and processing)

3rd Dimension defines the types of powers used to

protect the cyberworld and its denizens.
Technologies: devices/products used to protect Information Systems and fend off cybercriminals.
Policies and Practices: definitions, procedures, and guidelines that enable citizens of the cyber world
safe and follow good practices
People: Security Awareness training and making the citizens knowledgeable about their world and the
dangers that threaten their world.
Security
Security is considered to be a balancing act between:
Security Concerns
Functionality
Ease of Use Security

Functionality Ease of Use

Security
Security

Course of Actions

• Prevention

• Detection

• Response

• Recovery
Secure Communication

• German encryption and decryption machine used in

WWII
• Essentially a complex, automated substitution cipher
Secure Communication

• Cryptography: The science or study of the techniques of

secret writing, especially code and cipher systems,
methods, and the like; anything is written in a secret code,
cipher, or the like.
• Cryptoanalysis: A study of mathematical techniques for
attempting to defeat cryptographic techniques and
information security services.
• Encryption: means converting plaintext to a non-
readable form called ciphertext
• Decryption: means converting ciphertext back into
plaintext, like “jgnnq” to “hello”
• Key: means the secret information that shows how the
text is encrypted
Secure Communication

Classical Cipher

• A substation/Shift cipher – off setting the

order of the 26 alphabets, e.g. Caesar Cipher

• A transposition cipher – changes one

character from the plaintext to another by
randomly mix up alphabet
Secure Communication

Simple Substitution
• Straight exchange of one character/byte for another using a
predetermined mapping
• E.g.: A B C D E… becomes W K M P D … thus CAB becomes MWK
• Mapping function is the crypto key
• Unique one-to-one character/byte substitution map
• Easy to break by looking for known patterns

Rotation Substitution
• Shifts every character a determined amount of spaces
• E.g. Caesar Cipher uses ROT-3, while Usenet uses ROT-13
• Using ROT-3, CAB becomes FDE
• Also unique one-to-one character/byte substitution
• Also very easy to break, using knowledge of letter patterns in languages
Secure Communication

Digital Substitution
 Based on algebraic “Truth Tables”, developed by George Boole (1800’s)
 Encryption using Boolean Exclusive OR (XOR) function
 Encryption: Key XOR PlainText -> Ciphertext
 Decryption: Key XOR Ciphertext -> PlainText

 Considered a symmetric encryption mechanism because same key used in

both the encryption and decryption process

 Example:
Encryption Decryption
21 bit key 21 bit key


1010011 1010010 1001110 1010011 1010010 1001110

XOR:
Plaintext message in ASCII Ciphertext - result is zero if compared bits

+ C = 1000011
A = 1000001
0010000 0010011 0011010 are the same
- result is one (1) is compared
T = 1010100 bits are different

Key 1010011 1010010 1001110 Key 1010011 1010010 1001110

XOR Msg 1000011 1000001 1010100 Cipher 0010000 0010011 0011010
Cipher 0010000 0010011 0011010 Msg 1000011 1000001 1010100
Secure Communication

Two important ciphers in the history of modern

cryptography:

• DES (Data Encryption Standard)

• AES (Advanced Encryption Standard)

Secure Communication

Symmetric Key

• Cryptographic key generated by algorithms

and use both for encryption of plaintext and
decryption of ciphertext
Secure Communication

Asymmetric Key

Uses public and private keys to encrypt and decrypt

data
Secure Communication

Hash Function
No cipher key required – one-way encryption
• Fixed-length hash value is generated based on the plaintext
• Plaintext -> hash function -> ciphertext
• Plaintext, and length of plaintext, is not recoverable from ciphertext
• Hash cannot be deciphered back to plaintext, one-way hash
• Primary use is for message integrity
• Hash value provides a digital fingerprint of content, ensuring against
alteration
• Effective because of the low probability that 2 different plaintext messages
will generate the same hash value
• Also called message-digest or one-way encryption
• Examples: HMAC, MD2, MD4, MD5, RIPEMD-160, SHA-1
Introduction to Information Systems
Rainer, Prince, Sanchez-Rodriguez,
Splettstoesser Hogeterp, Ebrahimi
Canadian Fifth Edition

Chapter 4

Information Security

Copyright ©2021 John Wiley & Sons Canada, Ltd.

Learning Objectives (1 of 2)

• Identify the five factors that contribute to the increasing

vulnerability of information resources and provide a specific
example of each factor
• Compare and contrast human mistakes and social engineering
and provide a specific example of each one
• Discuss the 10 types of deliberate attacks
• Define the three risk mitigation strategies, and provide an
example of each one in the context of owning a home

Copyright ©2021 John Wiley & Sons Canada, Ltd. 22

Learning Objectives (2 of 2)

• Identify the three major types of controls that organizations can

use to protect their information resources and provide an
example of each one
• Explain why it is critical that you protect your information
assets and identify actions that you could take to do so

Copyright ©2021 John Wiley & Sons Canada, Ltd. 23

Chapter Outline

1. Introduction to Information Security

2. Unintentional Threats to Information Systems
3. Deliberate Threats to Information Systems
4. What Organizations Are Doing to Protect Information
Resources
5. Information Security Controls
6. Personal Information Asset Protection

Copyright ©2021 John Wiley & Sons Canada, Ltd. 24

Opening Case: The Equifax Breaches

Think about:
• The importance of immediate response to software updates.
Is your computer on “automatic update”?
• How could your credit rating be affected by identity theft?

Copyright ©2021 John Wiley & Sons Canada, Ltd. 25

4.1 Introduction to Information Security

• Security
• Information security
• Threat
• Exposure
• Vulnerability

Copyright ©2021 John Wiley & Sons Canada, Ltd. 26

Introduction to Information Security

• Five factors contributing to vulnerability of organizational

information resources:
o Today’s interconnected, interdependent, wirelessly
networked business environment
o Smaller, faster, cheaper computers and storage devices
o Decreasing skills necessary to be a computer hacker
o International organized crime taking over cybercrime
o Lack of management support

Copyright ©2021 John Wiley & Sons Canada, Ltd. 27

4.2 Unintentional Threats to Information
Systems
• Human Errors
• Social Engineering

Copyright ©2021 John Wiley & Sons Canada, Ltd. 28

FIGURE 4.1 Security threats
FIGURE 4.1 Security threats.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 29

Human Errors: Risk Areas

• Higher level employees + greater access privileges =

greater threat
• Two areas pose significant threats:
o Human resources
o Information systems
• Other areas of threats:
o Contract labour, consultants, janitors, and guards

Copyright ©2021 John Wiley & Sons Canada, Ltd. 30

TABLE 4.1 Human Mistakes (1 of 2)

• Carelessness with computing devices (e.g., laptops, tablets,

smartphones)
• Opening questionable emails
• Careless Internet surfing
• Poor password selection and use

Copyright ©2021 John Wiley & Sons Canada, Ltd. 31

TABLE 4.1 Human Mistakes (2 of 2)

• Carelessness with one’s office

• Carelessness using unmanaged devices
• Carelessness with discarded equipment
• Careless monitoring of environmental hazards

Copyright ©2021 John Wiley & Sons Canada, Ltd. 32

Social Engineering

• Social engineering:
o An attack in which the perpetrator uses social skills to trick
or manipulate legitimate employees into providing
confidential company information such as passwords
• Example:
o Kevin Mitnick, famous hacker and former FBI’s most
wanted

Copyright ©2021 John Wiley & Sons Canada, Ltd. 33

4.3 Deliberate Threats to Information
Systems (1 of 2)
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property

Copyright ©2021 John Wiley & Sons Canada, Ltd. 34

4.3 Deliberate Threats to Information
Systems (2 of 2)
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare

Copyright ©2021 John Wiley & Sons Canada, Ltd. 35

TABLE 4.2 Types of Software Attacks
(1 of 3)
• Remote attacks requiring user action:
o Virus
o Worm
o Phishing attack
o Spear phishing

Copyright ©2021 John Wiley & Sons Canada, Ltd. 36

TABLE 4.2 Types of Software Attacks
(2 of 3)
• Remote attacks needing no user action:
o Denial-of-service attack
o Distributed denial-of-service attack

Copyright ©2021 John Wiley & Sons Canada, Ltd. 37

TABLE 4.2 Types of Software Attacks
(3 of 3)
• Attacks by a programmer developing a system:
o Trojan horse
o Back door
o Logic bomb

Copyright ©2021 John Wiley & Sons Canada, Ltd. 38

IT’s About Business 4.1:
Whaling Attacks
Consider:
• How personal data can be used both for identity theft and
for whaling attacks
• That password theft via whaling can provide an
unauthorized gateway to corporate data

Copyright ©2021 John Wiley & Sons Canada, Ltd. 39

IT’s About Business 4.2:
An Attack on the Internet
Consider:
• That many computers could be part of a botnet
• How high-capacity servers help prevent successful
execution of DDoS attacks

Copyright ©2021 John Wiley & Sons Canada, Ltd. 40

Alien Software (Pestware)

• Adware
• Spyware
o Keyloggers, screen scrapers
• Spamware
• Cookies
o Tracking cookies

Copyright ©2021 John Wiley & Sons Canada, Ltd. 41

4.4 What Organizations Are Doing to
Protect Information Resources
• Risk: the probability that a threat will impact an
information resource
• Risk management
• Risk analysis
• Risk mitigation

Copyright ©2021 John Wiley & Sons Canada, Ltd. 42

Risk Mitigation

• Risk acceptance
• Risk limitation
• Risk transference

Copyright ©2021 John Wiley & Sons Canada, Ltd. 43

IT’s About Business 4.3:
The Data Breach at Desjardins Group

Consider:
• What are the resources required to carefully investigate
a data breach?
• The seriousness of the consequences for individuals
who leak or sell confidential data

Copyright ©2021 John Wiley & Sons Canada, Ltd. 44

4.5 Information Security Controls

• Categories of Controls
• Physical Controls
• Access Controls
• Communication Controls
• Business Continuity Planning
• Information Systems Auditing

Copyright ©2021 John Wiley & Sons Canada, Ltd. 45

Categories of Controls

• Security is only one aspect of operational control (which is

part of general controls)
• Controls come in “layers”
o Control environment
o General controls
o Application control

Copyright ©2021 John Wiley & Sons Canada, Ltd. 46

Control Environment

• Encompasses management attitudes toward controls, as

evidenced by management actions, as well as by stated
policies that address:
o Ethical issues
o Quality of supervision

Copyright ©2021 John Wiley & Sons Canada, Ltd. 47

FIGURE 4.2 Where defence mechanisms
(general controls) are located
FIGURE 4.2 Where defence mechanisms are located.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 48

Physical Controls

• Prevent unauthorized individuals from gaining access to a

company’s facilities
• Examples:
o Walls, doors, fencing, gates, locks
o Badges, guards, alarm systems
o Pressure sensors, temperature sensors, motion sensors

Copyright ©2021 John Wiley & Sons Canada, Ltd. 49

Access Controls

• Logical controls (implemented by software) help to

provide controls such as:
o Authentication
o Authorization

Copyright ©2021 John Wiley & Sons Canada, Ltd. 50

Access and Communications Controls
Help to Prevent Identity Theft
• Using confidential information such as passwords, drivers
licences, or medical records to assume someone else’s
identity
• The thief applies for credit cards, mortgages, or passports
• Example controls include: physical security, access
security, and encryption
• The Office of the Privacy Commissioner of Canada tells
businesses how to reduce the risk of identity theft and how
to respond (priv.gc.ca/en)

Copyright ©2021 John Wiley & Sons Canada, Ltd. 51

Password Controls Need to be
Supported at All 3 Control Levels
1. Control environment: Policies that enforce the proper
management of user codes and passwords
2. General control: A security system that requires a user
ID and password to “log on”
3. Functional application control: Separate passwords for
sensitive functions, e.g., employee raises or write-off
of customer accounts

Copyright ©2021 John Wiley & Sons Canada, Ltd. 52

Security

Fast Identification Online (FIDO)

• The FIDO Alliance was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio
in 2012 for a passwordless authentication protocol.
• In 2014, FIDO authentication enabled Samsung Galaxy S5 users to login and shop with the swipe of a
finger in online, mobile, and in-store payments via PayPal. There are two standards in the Alliance:
• Universal Authentication Framework -­FIDO UAF.
• Universal 2nd Factor ­- FIDO U2F.
• In 2015, the Alliance introduced the government membership program for the United States, United
Kingdom, Germany, and Australia.
• In 2019, WebAuthn is part of the FIDO Alliance’s FIDO2 specifications, which is a Client to Authenticator
Protocol (CTAP FIDO2) that works with browsers (Chrome, Firefox, Edge, Safari, Windows 10) with a
security key or a mobile phone.
• In 2020, Apple and Android join FIDO
• In 2021, The German Federal Office for Information Security achieved the Certified Authenticator Level
3+ certification

Ref: https://fidoalliance.org/overview/ and https://www.zippia.com/fido-solutions-careers-1543569/history/

Copyright ©2021 John Wiley & Sons Canada, Ltd. 53

Security

Ref: https://fidoalliance.org/overview/history/
Copyright ©2021 John Wiley & Sons Canada, Ltd. 54
 HOW FIDO AUTHN WORKS
The user authenticates The device authenticates the
“locally” to their device by user online using public key
various means cryptography

LOCAL ONLINE

AUTHENTICATOR

Source: Brett McDowell, Executive Director, FIDO Alliance

Copyright ©2021 John Wiley & Sons Canada, Ltd. 55
 Passwordless Experience (UAF Standards)

1 2 3

?
Authentication Challenge Biometric Verification* Authenticated Online

Second Factor Experience (U2F Standards)

1 2 3

Second Factor Challenge Insert Dongle* / Press Button Authenticated Online

*There are other types of authenticators

Source: Brett McDowell, Executive Director, FIDO Alliance

Copyright ©2021 John Wiley & Sons Canada, Ltd. 56
 FIDO TIMELINE
Broad
New U2F Adoption
Certification Transports
Program
FIDO 1.0
First FINAL
Specification Deployments
Review Draft
FIDO Ready
Program
Alliance
Announced

FEB DEC FEB FEB-OCT DEC 9 MAY JUNE TODAY

2013 2013 2014 2014 2014 2015 2015 >220
6 Members Members

Copyright ©2021 John Wiley & Sons Canada, Ltd. 57

Authentication

• Something the user is - biometrics

• Something the user has – tokens & FOBs
• Something the user does – gestures & touches
• Something the user knows – passwords & pins
o Passwords

Copyright ©2021 John Wiley & Sons Canada, Ltd. 58

Communication Controls

• Firewalls
• Anti-malware systems
• Whitelisting and blacklisting
• Encryption
• Virtual private networking
• Transport layer security (TLS)
• Employee monitoring systems

Copyright ©2021 John Wiley & Sons Canada, Ltd. 59

FIGURE 4.3a Basic firewall for home computer
FIGURE 4.3b Organization with two firewalls and
demilitarized zone
FIGURE 4.3 (a) Basic firewall for a home computer. (b) Organization
with two firewalls and a demilitarized zone.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 60

FIGURE 4.4 How public key encryption
works
FIGURE 4.4 How public-key encryption works.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 61

FIGURE 4.5 How digital certificates work
FIGURE 4.5 How digital certificates work. Sony and Dell, business
partners, use a digital certificate from VeriSign for authentication.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 62

FIGURE 4.6 Virtual private network
(VPN) and tunneling
FIGURE 4.6 Virtual private network and tunnelling.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 63

Application Controls

• Controls that apply to individual applications (functional

areas), e.g., payroll
• The text describes three categories: input, processing,
output
• It is more common to consider the purpose of application
controls for input, processing, and output using: accuracy,
completeness, authorization, and an audit trail
(documentation)

Copyright ©2021 John Wiley & Sons Canada, Ltd. 64

Application Controls Examples

• Input: Edits that check for reasonable data ranges

(accuracy)
• Processing: Automatically check that each line of an
invoice adds to the total (accuracy for total and
completeness of line items)
• Output: Supervisor reviews payroll journal for unusual
amounts (exceptions) before cheques are printed
(authorization)

Copyright ©2021 John Wiley & Sons Canada, Ltd. 65

Business Continuity Planning (BCP) (1 of 2)

• Disaster recovery plan

o Hot site
o Warm site
o Cold site

Copyright ©2021 John Wiley & Sons Canada, Ltd. 66

Business Continuity Planning (BCP) (2 of 2)

• BCP’s purpose:
o Provide continuous availability
o Be able to recover in the event of a hardware or software
failure or attack (e.g., due to ransomware)
o Ensure that critical systems are available and operating

Copyright ©2021 John Wiley & Sons Canada, Ltd. 67

Information Systems Auditing

• Types of auditors and audits

• How does the IS auditor decide on audits?

Copyright ©2021 John Wiley & Sons Canada, Ltd. 68

4.6 Personal Information Asset
Protection
• Before deciding upon potential actions you need to take:
o Do an inventory of information you are using, storing, or
accessing
o Relate your inventory to a personal risk assessment
• Use Table 4.4 to help enable changes to your methods of
protecting your personal information assets

Copyright ©2021 John Wiley & Sons Canada, Ltd. 69

Closing Case: WannaCry, Petya, and
SamSam Ransomware
Think about:
• Where is your most recent backup and when was it done?
• What are the tangible and intangible costs associated with
ransomware?

Copyright ©2021 John Wiley & Sons Canada, Ltd. 70

Copyright
Copyright © 2021 John Wiley & Sons Canada, Ltd. or the author. All rights
reserved. Students and instructors who are authorized users of this course are
permitted to download these materials and use them in connection with the
course. No part of these materials should be reproduced, stored in a retrieval
system, or transmitted, in any form or by any means, electronic, mechanical,
photocopying, recording or otherwise, except as permitted by law. Advice on
how to obtain permission to reuse this material is available at
http://www.wiley.com/go/permissions.

Copyright ©2021 John Wiley & Sons Canada, Ltd. 71

Excel 3

• GET DATA FROM ONE SHEET TO ANOTHER

• =SHEET1!B4
• GET THE CONTENTS OF SHEET 1, CELL B4

• IF Function
USED WHEN YOU NEED TO MAKE A CHOICE
• VARIABLE TAX RATE - MORE EARNINGS MEANS HIGHER TAX
• CALCULATE COMMISSION PAID ON EMPLOYEE SALES
• DISPLAY MESSAGES WHEN
• STOCK NEEDS REFILLING
• YOU HAVE A PROFIT OR LOSS

• =IF(G7<=300,0.15,0.2)
• SYNTAX - IF(CONDITION, RESULT IF TRUE, RESULT IF FALSE)
• CAN BE READ “IF THE CONTENTS OF G7 ARE LESS THAN 300, USE THE 15% TAX RATE,
OTHERWISE USE THE 20% TAX RATE”
• VALUES OF 15% OR 20% CAN BE USED IN FORMULAS AND FUNCTIONS
Excel 3

• CAN ALSO BE USED TO DISPLAY TEXT

• =IF(B3>300, ”PROFIT”, ”LOSS”)
• EXCEL RECOGNIZES TEXT BY QUOTATION MARKS
• RESULTS FROM AN IF FUNCTION CAN BE USED IN OTHER FORMULAS OR
FUNCTIONS

• Filter and Sort

• ALLOWS ORGANIZATION OF INFORMATION TO SEE ONLY WHAT USER WANTS
• FILTER AND SORT OPTIONS FOUND ON DATA TAB OF RIBBON
• MULTI-LEVEL SORT (DATA TAB, SORT BUTTON)
• SORT ON HW 3 COLUMN ADD A LEVEL THEN ON HW 4 COLUMN, BOTH
SMALLEST TO LARGEST
• FILTER
• CLICK ANY CELL ON ROW 1 (DO NOT SELECT MULTIPLE CELLS)
• PRESS FILTER BUTTON
Excel 3

• Pivot Tables / Charts

• A PIVOT TABLE IS A TOOL TO CALCULATE, SUMMARIZE, AND ANALYZE DATA THAT
LETS YOU SEE COMPARISONS, PATTERNS, AND TRENDS IN YOUR DATA
• PIVOT CHART
• A CHART BASED ON A PIVOT TABLE
• CREATION TOOLS AND OPTIONS ARE MOSTLY THE SAME AS A REGULAR
EXCEL CHART (MAJOR EXCEPTION BELOW)
• PIVOT CHARTS HAVE BUTTONS THAT WILL ALLOW FILTERING IF DATA IS
ARRANGED APPROPRIATELY
• GRADES CAN BE FILTERED, VALUES AND LEGEND CANNOT
• BUTTONS MAY BE HIDDEN BY RIGHT CLICKING
• HIDDEN BUTTONS CAN BE SHOWN VIA SELECT CHART, ANALYZE TAB, FIELD
BUTTON LIST (FAR RIGHT OF RIBBON)
Excel 3

• Goal Seek

ALLOWS THE USER TO CHANGE THE RESULT OF A FORMULA BY CHANGING ONE

VARIABLE
• DATA, WHAT IF ANALYSIS, GOAL SEEK
• “SET CELL” ARGUMENT
• MUST CONTAIN A FORMULA
• CHANGES TO THE GOAL YOU WANT TO REACH
• “TO VALUE” ARGUMENT IS YOUR GOAL
• “CHANGING CELL” ARGUMENT IS WHAT VARIABLE CHANGES