Case Study on "Security Awareness the Weakest Link"

Case Study 30 pages (8202 words) Sources: 10

[EXCERPT]

Security Awareness

The weakest link in an organization's security architecture is typically the user. This paper explores the concept of developing security awareness in the individual user. The definition of awareness is presented first, followed by a discussion of designing awareness. From there, possible implementation strategies are presented, followed by an overview of the recommended implementation and an alternative analysis. Finally, post-implementation strategies and policies are presented to ensure the effectiveness of the implemented strategy.

Audience:

Scope:

Developing Security Awareness:

Definition of Awareness:

Development/Designing Awareness:

Implementation Strategy:

Recommended Implementation:

Alternative Analysis

Post Implementation Strategies

Policies:

Information Sensitivity Policy

Password Policy

Software Installation Policy

Anti-virus Policy

Employee Internet Use Policy

Remote Access Policy

Workstation Security Policy

Conclusion:

References

Executive Summary:

The user is the weakest link in any security system. As such, developing a security awareness program that strengthens this link through increased knowledge benefits any organization. This paper details the development of a security awareness program for JCS Architects. To this end, an assessment of the company's current assets, threats and needs is conducted. A multi-session program is designed that not only addresses the top concerns for the company, but also incorporates post-implementation strategies to ensure the program was effective and that future threats are addressed. The backbone of this program will be the information security policies the organization puts into place.

Introduction:

IT professionals understand that the weakest link in any security architecture is the user (Emm). This is because users are unaware of the risks the Internet presents and of how often they themselves cause those risks. There are no fail-safe technologies that can protect the integrity, confidentiality and availability of a system's data when a user is involved with that system. Intentional and unintentional user errors compromise systems and technology. In addition, individual systems that are not patched can pose a risk to an entire enterprise. JCS Architects conducts business daily without understanding how vulnerable its systems are. Before JCS's internal systems were connected to the Internet, the organization could rely on physical security mechanisms to thwart most security threats (Culnan, Foxman & Ray).

Yeo, Mahbubur and Ren note that organizations' increased dependence on information processing, together with the interconnection of a variety of information systems through the Internet, has increased the risk to these information systems. Mobile computing adds a further challenge for JCS, with the new Internet risks it poses. Several JCS employees store company information on laptops, thumb drives and other portable storage devices and then work on the material from home, often on unsecured home computers. Even those who use company laptops to work from home often connect those computers to the Internet over unsecured networks. For this reason, JCS has to worry about security attacks not only at the company's office, but also at employees' homes, coffee shops, airports, hotels and any other off-site location from which an employee accesses the Internet with company data on the computer.

As a result, JCS has increased its spending on information security technologies. Despite this, JCS remains vulnerable to electronic attacks. This is primarily due to the destructive and inappropriate behavior of employees who use the information systems. Their actions often undermine the effectiveness of the information security technology.

All organizations that are connected to the Internet are potentially vulnerable to electronic attacks. These attacks may be launched from any other computer in the world that is connected to the Internet. "This means that the perimeter defense model for information security is no longer adequate" (Culnan, Foxman & Ray 52). JCS should still implement enterprise-level security solutions, including antivirus software and firewalls, to protect its assets; however, information security is also a socio-technological problem, and as such the end users are the weakest links (Emm).

Purpose:

The purpose of this case study is to demonstrate that JCS lacks IT risk analysis and, as a result, is not aware of the potential threats the organization may encounter. To rectify this, this paper discusses the concept of developing security awareness, including a definition of awareness and how to design awareness into systems. Possible implementation strategies JCS can use to improve its security, using the National Institute of Standards and Technology (NIST) SP 800-53 recommended security controls as a reference, are presented, along with a discussion of the recommended implementation and an alternative analysis. Within this approach, risks and vulnerabilities are identified based on where the issues currently exist. Lastly, post-implementation strategies and policies are discussed to ensure the risks to JCS stay remediated.

Audience:

Although the primary audience for this case study is the IT professionals within the JCS organization, others can benefit from it as well. Executives at JCS will need this information in order to approve the suggested implementation strategies and policies. In addition, users at JCS can benefit from this information by improving their understanding of the security risk they themselves present. Lastly, other organizations, in a variety of industries, can make use of this information. Although each organization's risk analysis is unique, a better understanding of the general concepts of security awareness is valuable to all organizations.

In general, all users of an information technology system are responsible for computer security; therefore all users of the system are potential audience members for this paper. NIST notes that these users are also responsible for reporting security problems they experience. They are likewise responsible for attending required training, such as JCS's security awareness program, to enhance security, as well as functional training ("An Introduction").

Scope:

The scope of this case study is to provide a suggested implementation strategy for JCS to improve its security awareness. In addition, suggestions are made regarding post-implementation strategies and policies to ensure that the gains made with the suggested implementation are maintained. Although this case study focuses on JCS, there are security implications for organizations in a variety of industries.

Developing Security Awareness:

Connectivity and the Internet are critical to any organization striving to remain competitive in today's globalized business world. Information technology is used to disseminate information and manage resources. Keeping this information, and the systems used to obtain, store and disseminate it, secure is critical to an organization's success. Hrywna cites a study by the Privacy Rights Clearinghouse, a consumer information and advocacy group, which found that between January 2005 and June 2007, 155,048,651 records containing confidential personal information were stolen from a variety of websites. Information theft could affect JCS in a variety of ways, including financial loss, reputation loss and negative effects on employee morale.

According to the Computer Security Institute's 2007 report on computer crime, financial loss was the largest source of organizational loss (Richardson). Not only is JCS financially liable for breaches in security that lead to the loss of confidential or personal data, it also could have assets and cash stolen by hackers. In addition, JCS could experience financial loss indirectly. Salt Lake City-based HealthInsight was held liable by AT&T for more than $25,000 in losses after a hacker broke into its system and made long-distance phone calls (Mims). The weaknesses in JCS's systems could open the organization up to this and other types of liability.

Loss of reputation due to security breaches is another concern for JCS. A security breach can reduce customer confidence in the organization. In an increasingly competitive business environment, this loss of reputation can negatively impact the organization's revenues.

Security breaches can also negatively affect employee morale at JCS. Serious, high-visibility fraud facilitated by a security breach can result in decreased trust in employees. It can also negatively affect employees' pride in their work and in the organization (Kolb & Abdullah). In the end, this low morale can result in increased turnover at JCS. For this reason, developing security awareness in the organization is critical as a first line of defense in preventing security breaches and the negative consequences they bring.

Definition of Awareness:

Kolb and Abdullah note that the National Institute of Standards and Technology (NIST) defines security awareness as follows: "awareness is not training. The purpose of awareness presentations are simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly" (105).

Zafra, Pitcher and Tressler state that there are three primary goals of security awareness:

To ensure that users of information and information systems understand the core set of key terms and essential information security concepts that are fundamental for the protection of information and information systems. Many of the terms and concepts should have been previously introduced in an agency's awareness briefing or other basic awareness activities. In that case, information security basics and literacy provides reinforcement and structure.

To promote personal responsibility and positive behavioral change throughout an organization's information and information system user…

Quoted Instructions for "Security Awareness the Weakest Link" Assignment:

1) Title Page

2) Abstract

3) Table of Contents

4) Executive Summary

5) Introduction

a) Purpose

b) Audience

c) Scope

6) Developing Security Awareness

a) Definition of Awareness

b) Development/designing Awareness

7) Implementation Strategy

a) Recommended Implementation

b) Alternative Analysis

8) Post Implementation Strategies

9) Policies

10) Conclusion

11) References

Please use JCS Architects as a fictitious company; also, please use the below as the description of the problem:

Description of the problem

Typically, IT professionals in the security community understand that users are ultimately the weakest link in any security architecture. The majority of the user population does not realize the danger that exists on the Internet or that they are the ones potentially causing the risks. No amount of technology can fully protect the confidentiality, integrity, and availability of any individual involved with a system. Systems and technology become compromised due to user errors, either through intentional or unintentional actions. Additionally, specific systems that are not patched against potential threats pose a risk to the entire enterprise.

JCS Architects (JCS is a fictitious company) conducts everyday business without any idea as to how vulnerable and at risk their systems are. The plan is to show how JCS does not currently have any form of IT risk analysis and has no awareness of the potential threats that it may encounter. In order to achieve accurate results, a new risk assessment approach is necessary. In order to develop an effective policy, the case study will begin with a review of the existing security program (fictitious). Next, a strategy will be created using the NIST 800-53 recommended security controls as a reference. Once the strategy has been determined, a new risk and vulnerability assessment will be created. Included in the approach, ideas of risks and vulnerabilities will be introduced based on where the issues currently exist. Finally, this case study will recommend a design to help JCS mitigate the issues found, correct the vulnerabilities, and create policies to ensure the risks stay remediated.

Please try to use the below references:

An Introduction to Computer Security: The NIST Handbook. (1995, October). National Institute of Standards and Technology, SP 800-12. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf

Wilson, M. and Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. National Institute of Standards and Technology, SP 800-50. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Zafra, D. E., Pitcher, S. I., Tressler, J. D., Ippolito, J. B. (1998, April). Information Technology Security Training Requirements: A Role- and Performance-Based Model. National Institute of Standards and Technology, SP 800-16. Retrieved from http://csrc.nist.gov/publications/drafts/800-16-rev1/Draft-SP800-16-Rev1.pdf

Mell, P., Kent, K., Nusbaum, J. (2005, November). Guide to Malware Incident Prevention and Handling. National Institute of Standards and Technology, SP 800-83. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-83/SP800-83.pdf

Pfleeger, S. L. & Pfleeger, C. P. (2006). Security in Computing. Prentice Hall PTR, 4th Edition.

Weaver, R. (2007). Guide to Network Defense and Countermeasures. Course Technology, 2nd Edition.

Emm, D. (2010, March 3). Patching human vulnerabilities. Securelist. Retrieved 10 August 2010, from http://www.securelist.com/en/analysis/204792104/Patching_human_vulnerabilities
