By Michael E.

Whitman

A firm can build more effective

security strategies by identifying and
ranking the severity of potential
threats to its IS efforts.

ENEMY AT THE GATE: THREATS TO

INFORMATION SECURITY
“Know the enemy, and know yourself, and in a Security researchers warn: “Information
hundred battles you will never be in peril” [5]. security continues to be ignored by top man-
agers, middle managers, and employees alike.

T
The result of this neglect is that organizational
hese prophetic words, spoken systems are far less secure than they might oth-
over 2,500 years ago by erwise be and that security breaches are far
renowned Chinese general Sun more frequent and damaging than is necessary”
Tzu, ring true for the battlefield [4]. In order to strengthen the level of protec-
warrior and information security tion of information in the organization, those
administrator alike. Knowing the enemy faced responsible for that information must begin
by information security is a vital component to with an understanding of the threats facing the
shaping an information security defense pos- information, and then must examine the vul-
ture. The press routinely publishes dramatic nerabilities inherent in the systems that store,
reports of billions of dollars lost to computer process, and transmit the information possibly
theft, fraud, and abuse. The 2002 Computer subjected to those threats. The first part of this
Security Institute/Federal Bureau of Investiga- strategy is the identification of the dominant
tion (CSI/FBI) survey on Computer Crime and threats facing organizational information secu-
Security Survey found that 90% of respondents rity, and the ranking of those threats in order
(primarily large corporations and government to allow organizations to direct priorities
agencies) detected computer security breaches accordingly.
within the last 12 months. The report docu- Sadly, IT executives have frequently identi-
mented that 80% of respondents acknowledged fied the security of information as an important
financial losses due to computer breaches, a but not critical issue [4]. IT executives report-
total of approximately $455,848,000 in finan- edly dropped information security as an impor-
cial losses, up from $377,828,700 reported in tant issue altogether in 1995, suggesting either
2001. Respondents citing their Internet connec- they felt they had sufficiently addressed the
tions as a frequent point of attack rose from problem, or they no longer felt it was as signif-
70% in 2001 to 74% in 2002 [3]. icant as other issues [1].

COMMUNICATIONS OF THE ACM August 2003/Vol. 46, No. 8 91

Profiling the Enemy As expected, the respondents were predominantly
Changes in the identification of threats, in the roll- IS directors, managers, or supervisors (see Figure 1).
out of new technologies, and the identification of They represented a variety of organizational sizes, the
new threats may have dramatically shifted the orga- majority of which were greater than 1,000 employees
nizational security focus. In an attempt to better (see Figure 2).
understand the threats facing organizations, this When asked how their company uses the Internet,
study examined three questions: What are the threats almost 95% responded they use it Internet to provide
to information security? Which of these threats are the information; 81% use it to collect information; 60%
most serious? How frequently (per month) are these to advertise; 55% to provide customer service; 46%
threats observed? to support internal operations; 45% to order goods
In order to identify the threats and services; 38% to pro-
to be assessed, the study identi- IS/IT Staff vide technical support;
6%
fied a dozen categories of threats Technology VPs 36% to connect remote
(Corporate Mgmt)
by examining previous works 8% sites; 32% to extend inter-
and publications and by inter- nal networks; 27% to inte-
viewing three chief information grate value chain partners;
security officers. These cate- and 18% to collect orders.
gories are: With the extensive use
Executive IS of the Internet (99%),
managers (CIOs,
1. Act of Human Error or CTO, or Exec VP) IS/IT directors, these organizations could
Failure (accidents, 24% managers or clearly be open to attack.
supervisors
employee mistakes) 62% With almost 95% of
2. Compromises to Intellec- respondents providing
tual Property (piracy, copyright infringement) Figure 1. Respondents by information via the Internet,
3. Deliberate Acts of Espionage or Trespass position. there could be a great expo-
(unauthorized access and/or data collection) sure of information to poten-
4. Deliberate Acts of Information Extortion tial crime, abuse, or misuse. With almost half of
(blackmail of information disclosure) respondents indicating use of the Internet to support
5. Deliberate Acts of Sabotage or Vandalism internal operations, there is also the risk of unautho-
(destruction of systems or information) rized disclosure or modification of information.
6. Deliberate Acts of Theft (illegal confiscation of What are organizations doing to protect them-
equipment or information) <100
selves? As indicated in
7. Deliberate Software Attacks 6% Table 1, all respondents
>5000
(viruses, worms, macros, 21%
use passwords and virtu-
denial of service) ally all use media back-
8. Forces of Nature (fire, flood, 101–500 ups and virus protection.
earthquake, lightning) 28% What is not revealed is
9. Quality of Service Devia- 2501–5000 the organizations’ vigi-
tions from Service Providers 8% lance in updating virus
(power and WAN service definitions, or the type of
issues) media backup schedule,
10. Technical Hardware Failures either of which could
1001–2500
or Errors (equipment failure) 17% negate any benefit
11. Technical Software Failures 501–1000 derived from use of these
20%
or Errors (bugs, code prob- protection mechanisms.
lems, unknown loopholes) Sadly, only about 63%
12. Technological Obsolescence (antiquated or out- Figure 2. Respondents by indicated a consistent
dated technologies) organizational size. security policy. The secu-
rity policy is the first and
The next step was to develop an online survey ask- potentially most important layer of security available
ing IT executives to rank the threats to information to an organization. Security policies define the secu-
security; to identify the priority of expenditures to rity philosophy and posture the organization takes,
protect against these threats; and to indicate the fre- and are the basis for all subsequent security decisions
quency of attacks attributed to each category. and implementations. Again, what’s indistinguishable

92 August 2003/Vol. 46, No. 8 COMMUNICATIONS OF THE ACM

is the effectiveness, compre- Code Red, Sircam, Klez, and
hensiveness, and quality of Protection Mechanisms the SQL Slammer Worm,
the security policies of those Use of passwords 100%there is a substantial risk to
indicating the presence of a Media backup 97.9%organizational information
policy. Equally concerning is Virus protection software 97.9%and systems from malicious
the low response in the area Employee education 89.6%
code. What is their primary
Audit procedures 65.6%
of ethics training. A funda- Consistent security policy 62.5%
means of access to systems?
mental part of an organiza- Firewall 61.5%Exploitation of human fail-
tion’s security function is the Encourage violations reporting 51.0%ures in accidental activation
implementation of a security Auto account logoff 50.0%of virus and worm executa-
education, training, and Monitor computer usage 45.8%bles, usually from email or
awareness (SETA) program. Publish formal standards 43.8%Web site downloads. What’s
Both the security policy and Control of workstations 40.6%also interesting is that threats
Network intrusion detection 33.3%
the SETA program are rela- Host intrusion detection 31.3%
of Technical Software Failure
tively low-cost protection Ethics training 30.2%or Errors ranked second,
mechanisms with the poten- No outside dialup connections 10.4%which can be viewed as both
tial for high returns-on- Use shrink-wrap software only a threat and vulnerability; as
9.4%
investment. As technologists No internal Internet connections malicious code and intruders
6.3%
we often overlook the human Use internally developed software only exploiting problems in the
4.2%
solutions and instead opt for No outside network connections 4.2%
software code. A direct threat
No outside Web connections 2.1%
technology solutions, when to information exists when
(Multiple responses possible)
in fact the human factors software failure causes infor-
must be addressed first, with technology assisting in Table 1. Threat protection mation to be inaccurate,
the enforcement of desired human behaviors. mechanisms employed in compromises integrity, or
respondents’ organizations.
simply corrupts or impedes
Know the Enemy availability. Third and fourth
The key information sought in this study is the iden- on the list are Acts of Human Error or Failure and
tification and ranking of threats to information secu- Deliberate Acts of Espionage or Trespass, better
rity. This list presents the result of the study with known as hacking.
each category’s corresponding ranking. These results were compared to the 2002 CSI/FBI
Annual Computer Crime and Security Survey [3],
Threat Category Weighted which ranked the following items as significant threats
Ranking (in order of significance) with 2001 ranking in paren-
Deliberate Software Attacks 2178 theses:
Technical Software Failures or Errors 1130
Act of Human Error or Failure 1101 1. Virus (1)
Deliberate Acts of Espionage or Trespass 1044 2. Insider abuse of Net access (2)
Deliberate Acts of Sabotage or Vandalism 963 3. Laptop (3)
Technical Hardware Failures or Errors 942 4. Denial of Service (6)
Deliberate Acts of Theft 695 5. Unauthorized access by insiders (4)
Forces of Nature 611 6. System penetration (5)
Compromises to Intellectual Property 495 7. Theft of proprietary info (7)
QoS Deviations from Service Providers 434 8. Financial fraud (9)
Technological Obsolescence 428 9. Telecom fraud (10)
Deliberate Acts of Information Extortion 225 10. Sabotage (8)
11. Telecom eavesdropping (11)
The ranking is a calculation based on a combina- 12. Active wiretap (12)
tion of the respondents evaluating each category on a
scale of “very significant” to “not significant” and then Both studies found malicious code the number-one
identifying the top five threats to their organization. threat. Not surprising, the CSI/FBI study found it the
With the prevalence of the malicious code attacks, it dominating threat for the past several years. The sec-
is not surprising that Deliberate Software Attacks tops ond threat category in the CSI/FBI study was Insider
the list, weighted almost twice as important as the sec- abuse of Net access. Interestingly enough this is more
ond threat on the list. Given the cases of Nimda, a function of security policy, ethics training, and

COMMUNICATIONS OF THE ACM August 2003/Vol. 46, No. 8 93

human failure than of technology. In order for a to develop and implement a “control matrix” is sim-
response to qualify for this category, first an organiza- ple. Making it work is the real challenge.
tion had to establish a security policy, then train the Identify and prioritize threats to the organization’s
employees on what they could and could not use their information assets. Beginning with the information
Internet access for, then the individuals had to fail to provided, the security administrators should prioritize
follow the established policy. Whether those respond- those categories of threats that represent the greatest
ing to this question actually met all three require- danger to the organization. How the organization
ments is open to speculation. Similar in scope is the defines danger is up to them. Danger could be deter-
CSI/FBI’s unauthorized access by insiders. Here, mined based on the probability of an attack coupled
however, there may be technology issues present. Was with the potential loss value in financial terms, in crit-
this a failure of individuals to follow policy? Or was it ical information, or in potential embarrassment. The
the failure or absence of a control
mechanism to regulate user Number of Attacks per Month >100 51–100 10–50 < 10 None No
Answer
access?
The next area of interest was 1. Act of Human Error or Failure 5.2% 2.1% 14.6% 41.7% 24.0% 12.5%

the frequency of attacks identi- 2. Compromises to Intellectual Property 1.0% 2.1% 3.1% 25.0% 61.5% 7.3%
fied by respondents. Unfortu- 3. Deliberate Acts of Espionage or Trespass 4.2% 3.1% 3.1% 20.8% 68.8%
nately, for every attack detected 4. Deliberate Acts of Information Extortion 1.0% 8.3% 90.6%
many more go undetected. Table 5. Deliberate Acts of Sabotage or Vandalism 1.0% 3.1% 31.3% 64.6%
2 presents the responses to the 6. Deliberate Acts of Theft 7.3% 38.5% 54.2%
inquiries on the number of 7. Deliberate Software Attacks 11.5% 9.4% 14.6% 47.9% 16.7%
attacks per month. Of particular 8. Forces of Nature 1.0% 2.1% 34.4% 62.5%
interest is the emergence of
9. Quality of Service Deviations from
Deliberate Acts of Information Service Providers 1.0% 8.3% 43.8% 46.9%
Extortion, the intentional illegal 10. Technical Hardware Failures or Errors 3.1% 11.5% 51.0% 34.4%
acquisition of information from 11. Technical Software Failures or Errors 5.2% 18.8% 45.8% 30.2%
an organization, with the intent 1.0%
12. Technological Obsolescence 1.0% 15.6% 21.9% 60.4%
to blackmail the organization
4.0% 3.4% 8.6% 34.2% 51.2% 6.9%
with the threat of publication, Average Responses:
dissemination, or use. While not
Table 2. Numbers
a largely indicated threat, the of attacks per month
criteria used to rank the threats are part of the cus-
mere presence designates an as reported by tomization of the process to the organization’s needs.
increase in the malicious nature respondents. Identify and prioritize the information assets.
of intruders. In general, almost Administrators should detail all assets that collect,
all of the respondents indicated process, store, or use information in the organization.
some form of attack, whether internal or external. These will most likely not be all IT assets, and should
As is evident from the findings, the threat is real, include various “people” areas as well. How the orga-
the stakes are high, and the systems protecting the tar- nization prioritizes these assets could be based on the
get information are difficult to protect. Just as Loch, number or severity of known vulnerabilities, exposure
Carr, and Warkentin found in a similar study over 10 to threats, cost or difficulty of replacement of the asset,
years ago, “results suggest that management needs to content of critical information, or a host of other cri-
(1) become more informed of the potential for secu- teria. Should more than one criterion be used in eval-
rity breaches … (2) increase their awareness in key uating the asset, a weighted means could be developed
areas, … and (3) recognize that their overall level of to quantify the ranking.
concern for security may underestimate the potential Create a matrix listing the threats, in priority, along
risk inherent in the highly connected environment in one axis, and the assets, in priority along the other.
which they operate” [2]. The resulting grid provides a convenient method of
examining the “exposure” of assets, allowing a sim-
How to Put this Information to Use plistic vulnerability assessment. Table 3 presents a
Now that an organization knows what the threats are, sample of the resulting framework.
how can its security administrators and technology Fill in each intersection with the current controls.
managers put this information to use? One of the The intersection of the threat to asset pair represents
most direct uses of this information is in the identifi- an area that should be addressed by more than one
cation and application of controls. The methodology control. Controls in this situation are defined as those

94 August 2003/Vol. 46, No. 8 COMMUNICATIONS OF THE ACM

 Asset 1 Asset 2 ... ... ... ... ... ... ... ... ... Asset n Table 3. Sample control matrix
(incomplete).
Threat 1

Threat 2

... rity education, training, and aware-

... ness program. These programs seek
... to educate employees on the
...
importance of security, and its
implementation within the organi-
...
zation. The accompanying aware-
... ness program seeks to keep security
... on the minds of employees as they
... deal with vital information on a
... daily basis.
Threat n
Lessons Learned
Priority of 1 2 3 4 5 6 The lessons learned from this
Controls
study are simple. Now, more
These bands of controls should be continued through all threat: asset pairs.
than ever before, the information
contained in the organization is
measures that protect this asset from this threat, or at risk. There are a large number of threats to this
allow the organization to recover this asset if attacked information, representing diverse and complex chal-
by this threat. If a particular asset is not at risk from a lenges to protect the information, personnel, and
paired threat, simply cross out that cell. At a mini- systems that process, transport, and store it. This
mum each threat:asset pair should contain one policy- requires a wide array of protection mechanisms and
related control, one education- and training-related strategies to be thorough. An important component
control, and one technology-related control. When all of this protection is the understanding of the enemy.
controls in place have been entered, an organization This study sought to provide additional insight into
can (beginning with the upper-left corner of the this understanding, as well as a method for assessing
matrix) begin prioritizing the implementation of protection mechanisms, ensuring a comprehensive
additional controls until such time as multiple con- security profile, with defense in depth. Organizations
trols have been assigned, implemented, and tested to that employ these techniques can expect to better
protect each asset. understand their security profile, and more easily iden-
Upon completion of this task, not only have the tify weaknesses in it. This information, coupled with
administrators gone through an internal self-assess- solid policy planning, and SETA development should
ment of vulnerabilities, they also have ensured the allow an organization to better focus its security efforts,
organization has “defense in depth” providing protec- thus increasing its probability of protecting the infor-
tion and recovery capabilities for all priority informa- mation and reducing its vulnerability to attack. c
tion assets.
References
Policy and the SETA Program 1. Brancheau, J.C., Janz, B.D., and Weatherbe, J.C. Key issues in informa-
tion systems management: 1994–95 SIM Delphi results. MIS Q 20. 2
The information gathered through the aforemen- (1996), 225–242.
tioned exercise should not be used in isolation. Nor 2. Loch, K.D., Carr, H.H., and Warkentin, M.E. Threats to information sys-
tems: Today’s reality, yesterday’s understanding. MIS Q. 16, 2 (1992),
should it be the first exercise in security profile devel- 173–186.
opment. Security advocates emphasize that any secu- 3. Power, R. 2002 CSI/FBI computer crime and security survey. Computer
rity profile begins with valid security policy [4, 6]. This Security Issues & Trends 8, 1 (2002), 1–24.
4. Straub, D.W. and Welke, R.J. Coping with systems risk: Security planning
policy is then translated into action through an effec- models for management decision making. MIS Q. 22, 4 (1998), 441–469.
tive security plan focusing on the prevention, detec- 5. Tzu, S. The Art of War: Translation by Samuel B. Griffith. Oxford Uni-
versity Press, Oxford, U.K., 1988.
tion, and correction of threats. While the development 6. Wood, C.C. Integrated approach includes information security. Security
of such a policy—or more accurately, series of poli- 37, 2 (2000), 43–44.
cies—is so important as to go beyond the scope of this
discussion, it is vital an organization begin with the Michael E. Whitman ([email protected]) is an
associate professor of IS in the Computer Science and Information
methodical development of such policy. Systems Department of Kennesaw State University, Kennesaw, GA.
An additional activity that should be developed early
is the design and implementation of an employee secu- © 2003 ACM 0002-0782/03/0800 $5.00

COMMUNICATIONS OF THE ACM August 2003/Vol. 46, No. 8 95