
Chapter 2 Literature Review

2.3 Security threats

2.3.1 What is meant by security threats?

A review of the literature shows that there is some confusion concerning the meaning of threats, risks, incidents, vulnerabilities, and attacks.

A threat is any possible event or sequence of actions that might lead to a violation of one or more security goals. The term “threat” is not limited to the adversary that could cause harm but extends to any event that could lead to harm (Tsiakis and Stephanides 2005).

According to Pfleeger and Pfleeger (2007, p.6), security threats can be defined as “circumstances that have the potential to cause loss or harm”. This loss could consist of the absence of data or a resource within an information system, financial loss, or loss of company credibility (Mitchell et al. 1999). In addition, the DTI Information Security Policy Team stated, “a threat is a potential cause of an unwanted incident which may result in harm to a system or organisation” (DTI 2004a, p.7). Furthermore, the National Information Systems Security Glossary (NSTISSI 4009 2000, p.55) defined a threat as “any circumstance or event with the potential to adversely impact an IS through unauthorised access, destruction, disclosure, modification of data and/or denial of service”.

It can be concluded that security threats are any event that can have an adverse impact on a company’s IS in general and AIS in particular. These threats can either be singular or form part of a combination of multiple threats, and they can come both from inside and from outside the company.

A risk represents “the possibility that a particular threat will adversely impact an IS by exploiting a particular vulnerability” (NSTISSI 4009 2000, p.47). A risk is “the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring” (NIST 800-53 2005, p.26). Straub and Welke (1998) indicated that security risk means that the company’s information and IS are not sufficiently protected against certain kinds of damage or loss. In summary, a risk is the possibility that a certain threat will have a negative effect on a company’s IS in general and AIS in particular.

The National Information Systems Security Glossary (NSTISSI 4009 2000, p.62) defined a vulnerability as “a weakness in an IS, system security procedures, internal controls, or implementation that could be exploited”. A vulnerability represents a weakness of an asset or group of assets that can be exploited by a threat (DTI 2004a, p.7). A vulnerability is a weakness in IS in general or AIS in particular that can be exploited by a certain threat or by a group of threats.

An incident is “an assessed occurrence having actual or potentially adverse effects on an IS” (NSTISSI 4009 2000, p.29). An information security incident is “one or more unwanted or unexpected events that have a significant probability of compromising business operations and threatening information security” (DTI 2004a, p.7).

Therefore, an IS security incident represents one or more unexpected events that can have an adverse impact on a company’s IS in general or on AIS in particular.

On the other hand, an attack is a type of incident involving the intentional act of attempting to bypass one or more security controls of IS (NSTISSI 4009 2000) in general and AIS in particular.

Thus, the literature supports the view that companies and their IS and AIS are subject to increasing numbers and types of security threats.

2.3.2 Classifications of security threats

The literature reveals that there are various classifications of security threats. As mentioned, some previous studies focused on security threats in general, others addressed AIS security threats, others were concerned with computer security threats, while others presented information security threats.

Parker (1981) classified security threats according to the type of act into natural disasters, errors and omissions, and intentional acts. Rainer et al. (1991) also classified AIS security threats under three main groups: physical threats; unauthorised access; and authorised users, which may be caused by internal and external sources.

Loch et al. (1992) presented a four-dimensional IS threat classification system including sources, perpetrators, intent and consequences. The sources of threats can be inside or outside the company; the perpetrators can be human or non-human; the intent can be accidental or intentional; and the consequences can be disclosure, modification, destruction or denial of service. Abu-Musa (2003) added another dimension in which security threats can be classified into physical or logical security threats. Chang and Yeh (2006) also classified IS assets and the corresponding threats into two types: IT and non-IT-related threats. IT-related threats are those involving software, hardware, data and network, while non-IT-related threats are those related to personnel, administration and physical/environmental facilities.

Regarding information security threats, Icove et al. (1999) grouped information threats into seven categories: software, hardware, data, network, physical, personnel and administration, where administration includes security regulations and policies. In addition, Mitchell et al. (1999) classified information security threats into passive and active threats. The passive threats represent unpredictable natural or physical disasters and accidental human errors occurring completely at random, while the active threats represent deliberate and malicious attacks on IS, which can potentially be predicted and avoided, can be carried out by insiders or outsiders and may be the result of direct or indirect action.

Posthumus and Von Solms (2004) presented three main sources from which business information risks may arise: natural risks, technical risks and human risks. Natural risks include events such as floods, earthquakes or fires, which can cause considerable damage, not only to the company’s business information assets, but also to its physical structures. Technical risks arise as a result of a growing dependence on technology and include numerous potential hardware and software failures that can occur, whereas human risks result from the deliberate or accidental acts of human beings and can possibly create the greatest area of concern regarding the protection of a company’s critical information assets.

In addition, Wiant (2005) presented four principal means by which sensitive information is exposed. Those means include intentional theft by unauthorised agents outside the company; theft or sabotage by former employees or disgruntled current staff; accidental exposure by current employees; and other various types of disclosures by company members and from inappropriate use of information among secondary users. Parker (1984) argued that the accidental exposure by employees is the most common problem, which is usually due to employees’ negligence, ignorance or carelessness. Manrique (2005) and Whitman (2004) confirmed that the accidental acts by employees remain a high priority threat to information security.

With respect to computer security threats, Qureshi and Siegel (1997) classified computer security risks into three major categories: destruction, modification and disclosure, where each may be further classified into intentional and unintentional acts. Threats can also come from computer criminals and disgruntled employees who intend to defraud, sabotage and hack, and computer users who are careless or negligent. In addition, threats can come from the environment in the form of natural disasters.

Katz (2000) indicated that a computer network can be attacked in a number of ways with different degrees of damage, and these attacks can take different forms: a denial of service (an attack on the availability of information); theft of information (an attack on the ownership of information) and the corruption of data (an attack on the integrity of information). In addition, Garg et al. (2003) classified IT security incidents into web site defacement, denial of service, and theft of customer and credit card information.

Moreover, Austin and Darby (2003) stated that threats to digital security come in many shapes and sizes; however, they fall into three main categories: network attacks, intrusions, and malicious acts.

Based on the above, it seems that security threats concerning information, IS, AIS, computers or IT can be classified into:

- Passive/active security threats;

- Internal/external security threats;

- Human/non-human security threats;

- Intentional/non-intentional security threats;

- Physical/logical security threats; and

- IT-related/non-IT-related threats.