Page 10 - DCAP516_COMPUTER_SECURITY
Computer Security
Depending on the size of the organization, the program may be large or small, even a
collateral duty of another management official. However, even small organizations can
prepare a document that states organization policy and makes explicit computer security
responsibilities. This element does not specify that individual accountability must be
provided for on all systems. For example, many information dissemination systems do
not require user identification and, therefore, cannot hold users accountable.
1.3 Threats to Computer Security
Computer systems are vulnerable to many threats that can inflict various types of damage
resulting in significant losses. This damage can range from errors harming database integrity to
fires destroying entire computer centers. Losses can stem, for example, from the actions of
supposedly trusted employees defrauding a system, from outside hackers, or from careless data
entry clerks. Precision in estimating computer security-related losses is not possible because
many losses are never discovered, and others are “swept under the carpet” to avoid unfavorable
publicity. The effects of various threats vary considerably: some affect the confidentiality or
integrity of data, while others affect the availability of a system.
1.3.1 Errors and Omissions
Errors and omissions are an important threat to data and system integrity. These errors are
caused not only by data entry clerks processing hundreds of transactions per day, but also by all
types of users who create and edit data. Many programs, especially those designed by users for
personal computers, lack quality control measures. However, even the most sophisticated
programs cannot detect all types of input errors or omissions. A sound awareness and training
program can help an organization reduce the number and severity of errors and omissions.
Users, data entry clerks, system operators, and programmers frequently make errors that
contribute directly or indirectly to security problems. In some cases, the error is the threat, such
as a data entry error or a programming error that crashes a system. In other cases, the errors
create vulnerabilities. Errors can occur during all phases of the systems life cycle. A long-term
survey of computer-related economic losses conducted by Robert Courtney, a computer security
consultant and former member of the Computer System Security and Privacy Advisory Board,
found that 65 percent of losses to organizations were the result of errors and omissions. This
figure was relatively consistent between both private and public sector organizations.
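The section above notes that even careful programs cannot detect every input error. The following added example (written for this page, not code from the course text) shows what structural validation of a data-entry record can and cannot catch: a checksum flags a mistyped account number and range checks flag an impossible amount or date, but a record that is wrong in substance yet valid in form (the clerk keyed another customer's legitimate account number) passes. The Luhn checksum, the field rules, the ceiling and the sample records are all assumptions constructed for the illustration.

```python
"""Added example: structural validation of data-entry records.

Shows that validation catches many clerical errors (bad checksum, out-of-range
amount, future date) but not a record that is well-formed yet wrong.  The
field rules, ceiling and sample records are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_AMOUNT = 100_000.0  # assumed per-record ceiling for a single entry


@dataclass
class Record:
    account: str   # digit string whose last digit is a Luhn check digit
    amount: float  # must be positive and no larger than MAX_AMOUNT
    booked: date   # must not lie in the future


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate(rec: Record, today: date) -> list[str]:
    """Return a list of problems found; an empty list means the record is well-formed."""
    problems: list[str] = []
    if not luhn_ok(rec.account):
        problems.append("account fails checksum")
    if rec.amount <= 0 or rec.amount > MAX_AMOUNT:
        problems.append("amount out of range")
    if rec.booked > today:
        problems.append("booking date in the future")
    return problems


def demo() -> dict[str, list[str]]:
    """Run the validator over constructed records and return the findings per case."""
    today = date(2024, 6, 1)
    cases = {
        # Well-formed and correct: nothing to report.
        "correct": Record("79927398713", 50.0, date(2024, 5, 30)),
        # One digit mistyped in the account number: the checksum catches it.
        "typo": Record("79927398714", 50.0, date(2024, 5, 30)),
        # Negative amount and a date after 'today': two range problems.
        "ranges": Record("79927398713", -5.0, date(2025, 1, 1)),
        # Another customer's valid account number keyed by mistake: passes
        # every structural check, so only a business-level control could catch it.
        "wrong_customer": Record("4111111111111111", 50.0, date(2024, 5, 30)),
    }
    return {name: validate(rec, today) for name, rec in cases.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'accepted'}")
```

The `wrong_customer` case is the practical point: the entry is accepted because nothing about its form is wrong, which is why the text pairs validation with awareness and training rather than relying on software alone.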
1.3.2 Fraud and Theft
Computer systems can be exploited for both fraud and theft, both by “automating” traditional
methods of fraud and by using new methods. For example, individuals may use a computer to
skim small amounts of money from a large number of financial accounts, assuming that small
discrepancies may not be investigated. Financial systems are not the only ones at risk. Systems
that control access to any resource are targets (e.g., time and attendance systems, inventory
systems, school grading systems, and long-distance telephone systems). In addition to the use of
technology to commit fraud and theft, computer hardware and software may be vulnerable to
theft.
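The skimming scheme described above relies on each discrepancy being too small to investigate on its own. The added example below (written for this page, not code from the course text) shows the defender's counterpart: aggregate small debit adjustments by the operator who posted them, and flag an operator who touches many distinct accounts that way, since the pattern is visible even when each amount is not. The ledger format, the sample lines, the "small" threshold and the account-count threshold are all constructed assumptions.

```python
"""Added example: flagging a skimming pattern in an adjustment ledger.

Each small debit is individually below any investigation threshold; the
detection groups them by the operator who posted them.  Ledger format,
sample lines and thresholds are constructed for this example.
"""
import re
from collections import defaultdict

SMALL_DEBIT = 0.10    # assumed: debits smaller than this are "too small to notice"
MIN_ACCOUNTS = 5      # assumed: distinct accounts an operator must touch before alerting

# Constructed line format: timestamp, account, signed amount, reference type, operator.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) acct=(?P<acct>\d+) amount=(?P<amount>-?\d+\.\d+) "
    r"ref=(?P<ref>\w+) op=(?P<op>\w+)$"
)

# Constructed ledger: user17 shaves a few cents from six accounts and credits the
# total to one account; user08 posts ordinary, unrelated corrections.
SAMPLE_LEDGER = """\
2024-03-01T09:12:00 acct=1001 amount=-0.03 ref=ADJ op=user17
2024-03-01T09:12:04 acct=1002 amount=-0.04 ref=ADJ op=user17
2024-03-01T09:12:09 acct=1003 amount=-0.02 ref=ADJ op=user17
2024-03-01T09:12:15 acct=1004 amount=-0.05 ref=ADJ op=user17
2024-03-01T09:12:21 acct=1005 amount=-0.03 ref=ADJ op=user17
2024-03-01T09:12:27 acct=1006 amount=-0.04 ref=ADJ op=user17
2024-03-01T09:12:33 acct=9001 amount=0.21 ref=ADJ op=user17
2024-03-01T10:02:00 acct=2001 amount=-12.50 ref=ADJ op=user08
2024-03-01T10:05:00 acct=2002 amount=-0.05 ref=ADJ op=user08
2024-03-01T10:40:00 acct=2003 amount=250.00 ref=PAY op=user08
this line is malformed and is skipped
"""


def parse_ledger(text: str) -> list[dict]:
    """Parse ledger lines into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["amount"] = float(row["amount"])
        rows.append(row)
    return rows


def find_skimming(rows: list[dict], small_debit: float = SMALL_DEBIT,
                  min_accounts: int = MIN_ACCOUNTS) -> dict[str, dict]:
    """Return operators who posted small debit adjustments to many distinct accounts.

    Only manual adjustments (ref=ADJ) with a debit smaller than `small_debit`
    count; the result reports how many accounts were touched and the summed amount.
    """
    per_op = defaultdict(lambda: {"accounts": set(), "total": 0.0})
    for r in rows:
        if r["ref"] == "ADJ" and -small_debit < r["amount"] < 0:
            stats = per_op[r["op"]]
            stats["accounts"].add(r["acct"])
            stats["total"] += r["amount"]
    return {
        op: {"accounts": len(s["accounts"]), "total": round(s["total"], 2)}
        for op, s in per_op.items()
        if len(s["accounts"]) >= min_accounts
    }


def demo() -> dict[str, dict]:
    """Run the detection over the constructed ledger."""
    return find_skimming(parse_ledger(SAMPLE_LEDGER))


if __name__ == "__main__":
    for op, stats in demo().items():
        print(f"ALERT {op}: {stats['accounts']} accounts, net {stats['total']:.2f}")
```

Here user08's single five-cent correction is not reported because the rule keys on breadth across accounts, not on the size of any one entry; in practice the thresholds would be tuned to the organisation's normal adjustment volume.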
1.3.3 Loss of Physical and Infrastructure Support
The loss of supporting infrastructure includes power failures (outages, spikes, and brownouts),
loss of communications, water outages and leaks, sewer problems, lack of transportation services,
fire, flood, civil unrest, and strikes. These losses include such dramatic events as the explosion at
4 LOVELY PROFESSIONAL UNIVERSITY