Security Awareness the Weakest Link Case Study

Pages: 30 (8202 words)  ·  Bibliography Sources: 10  ·  File: .docx  ·  Level: Master's  ·  Topic: Education - Computers

Security Awareness

The weakest link in an organization's security architecture is typically found in the user. This paper explores the concept of developing security awareness in the individual user. In addition, the definition of awareness will be presented. A discussion regarding designing awareness will further expand on the topic. From there, possible implementation strategies are presented, followed by an overview of the recommended implementation and an alternative analysis. This will be followed by a presentation of post implementation strategies and policies, to ensure the effectiveness of the implemented strategy.



Developing Security Awareness:

Definition of Awareness:

Development/Designing Awareness:

Implementation Strategy:

Recommended Implementation:

Alternative Analysis

Post Implementation Strategies


Information Sensitivity Policy

Password Policy

Software Installation Policy

Anti-virus Policy

Employee Internet Use Policy

Remote Access Policy

Workstation Security Policy



Executive Summary:

The user is the weakest link in any security system. Developing a security awareness program that strengthens this link through increased knowledge is therefore a benefit to any organization. This paper details the development of a security awareness program for JCS Architects. To this end, an assessment of the company's current assets, threats and needs is conducted. A multi-session program is designed that not only addresses the top concerns for the company but also incorporates post-implementation strategies to ensure the program is effective and that future threats are addressed. The backbone of this program will be the information security policies the organization puts into place.


Case Study: Security Awareness, the Weakest Link

IT professionals understand that the weakest link in any security architecture is the user (Emm). This is because users are often unaware of the risks the Internet presents and of how their own actions create those risks. No fail-safe technology can, on its own, protect the confidentiality, integrity and availability of a system that a user interacts with. Intentional and unintentional user errors compromise systems and technology. In addition, a single unpatched system can put an entire enterprise at risk. JCS Architects conducts business daily without understanding how vulnerable its systems are. Before JCS's internal systems were connected to the Internet, the organization could rely on physical security mechanisms to thwart most threats (Culnan, Foxman & Ray).

Yeo, Mahbubur and Ren note that organizations' increased dependence on information processing, together with the interconnection of many information systems through the Internet, has increased the risk to those systems. Mobile computing adds a further challenge for JCS. Several JCS employees store company information on laptops, thumb drives and other portable storage devices and then work on the material from home, often on unsecured home computers. Even those who use company laptops at home often connect them to the Internet over unsecured networks. JCS therefore has to worry not only about attacks at the company's office, but also at employees' homes, coffee shops, airports, hotels and any other off-site location from which an employee connects to the Internet with company data on the computer.

As a result, JCS has increased its spending on information security technologies. Despite this, JCS is still vulnerable to electronic attacks, primarily because of the destructive and inappropriate behavior of the employees who use its information systems. Their actions often undermine the effectiveness of the security technology.

Every organization connected to the Internet is potentially vulnerable to electronic attacks, which may be launched from any other Internet-connected computer in the world. "This means that the perimeter defense model for information security is no longer adequate" (Culnan, Foxman & Ray 52). JCS should still implement enterprise-level security controls, including antivirus software and firewalls, to protect its assets; however, information security is also a socio-technical problem, and as such the end users are the weakest link (Emm).


The purpose of this case study is to show that JCS lacks IT risk analysis and is therefore unaware of the threats the organization may encounter. To rectify this, the paper discusses the concept of developing security awareness, including a definition of awareness and how to design awareness into systems. Possible implementation strategies JCS can use to improve its security are presented, using the National Institute of Standards and Technology (NIST) Special Publication 800-53 recommended security controls as a reference, along with a discussion of the recommended implementation and an alternative analysis. As part of this approach, risks and vulnerabilities are identified where the issues currently exist. Lastly, post implementation strategies and policies are discussed to ensure the risks to JCS stay remediated.


Although the primary audience for this case study is the IT professionals within the JCS organization, others can benefit from it as well. Executives at JCS will need this information in order to approve the suggested implementation strategies and policies. Users at JCS can also benefit from it by improving their understanding of the security risk they pose. Lastly, organizations in a variety of other industries can use this information. Although each organization's risk analysis is unique, a better understanding of the general concepts of security awareness is valuable to all organizations.

In general, all users of an information technology system are responsible for computer security; therefore all users of the system are potential readers of this paper. NIST notes that users are also responsible for reporting security problems they experience, and for attending required training, such as JCS's security awareness program, to enhance security, as well as functional training ("An Introduction").


The scope of this case study is to provide a suggested implementation strategy for JCS to improve its security awareness. In addition, suggestions are made regarding post implementation strategies and policies to ensure that the gains from the suggested implementation are maintained. Although this case study focuses on JCS, its security implications apply to organizations in a variety of industries.

Developing Security Awareness:

Connectivity and the Internet are critical to any organization striving to remain competitive in today's globalized business world. Information technology is used to disseminate information and manage resources. Keeping this information, and the systems used to obtain, store and disseminate it, secure is critical to an organization's success. Hrywna cites a study by the Privacy Rights Clearinghouse, a consumer information and advocacy group, which found that between January 2005 and June 2007, 155,048,651 records containing confidential personal information were stolen from a variety of websites. Information theft could affect JCS in several ways, including financial loss, reputational damage and lower employee morale.

According to the Computer Security Institute's 2007 report on computer crime, financial loss was the largest category of organizational loss (Richardson). Not only is JCS financially liable for security breaches that lead to the loss of confidential or personal data; it could also have assets and cash stolen by hackers. In addition, JCS could suffer financial loss indirectly. Salt Lake City-based HealthInsight was held liable by AT&T for more than $25,000 in losses after a hacker broke into its system and made long-distance phone calls (Mims). The weaknesses in JCS's systems could expose the organization to this and other types of liability.

Loss of reputation due to security breaches is another concern for JCS. A security breach can reduce customer confidence in the organization, and in an increasingly competitive business environment that loss of reputation can reduce revenues.

Security breaches can also hurt employee morale at JCS. Serious, high-visibility fraud facilitated by a security breach can reduce trust in employees and damage their pride in their work and in the organization (Kolb & Abdullah). In the end, low morale can increase turnover at JCS. For this reason, developing security awareness in the organization is critical as a first line of defense against security breaches and the negative consequences they bring.

Definition of Awareness:

Kolb and Abdullah note that the National Institute of Standards and Technology (NIST) defines security awareness as follows: "Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly" (105).

Zafra, Pitcher and Tresler state that there are three primary goals to security awareness:

To ensure that users of information and information systems understand the core set of key terms and essential information security concepts that are fundamental for the protection of information and information systems. Many of the terms and concepts should have been previously introduced in an agency's awareness briefing or other basic awareness activities. In that case, information security basics and literacy provide reinforcement and structure.

To promote personal responsibility and positive behavioral change throughout an organization's information and information system user…


Security Awareness the Weakest Link. (2010, October 29). Retrieved September 19, 2020.