The IS security literature covers topics and issues related to IS security problems and tools and methods for reducing or minimizing vulnerability to such problems. Table 1 highlights the breadth of situations that are associated with IS security. It illustrates that these situations involve more than traditional cybersecurity topics such as virus protection, firewalls, "social engineering" schemes, digital rights management, business continuity, or management attention. Two examples related to Wells Fargo, a major US bank, show how IS security concerns apply to sociotechnical systems that seem far removed from virus protection and firewalls:
> A lawyer for a former Wells Fargo employee suing the bank for defamation requested emails and documents related to the lawsuit. He was surprised when he received 1.4 gigabytes of files containing information about tens of thousands of the bank's wealthiest customers, including information such as social security numbers, details of their portfolios, and fees that the bank charged them. The information had been sent by accident. (Kovaleski and Cowley, 2017)

> A review related to a long-simmering scandal at Wells Fargo involving unauthorized enrollments of customers in accounts found 1.4 million more unauthorized accounts that had been set up to meet employee quotas and obtain performance bonuses for their managers. Other patterns of wrongdoing, such as inappropriate charges and withholding of refunds, had been found in the investigations. (Cowley, 2017)
Table 1. Important types of situations related to IS security

| | Unintentional | Intentional |
|---|---|---|
| Internal sources | • Accidents (e.g., accidentally releasing confidential information) • Design or programming bugs (e.g., autopilots that respond incorrectly to human pilots in unanticipated situations) • Inadequate training or awareness (e.g., the many examples of email users clicking on links that allowed downloads of malware) | • Malfeasance (e.g., an auditing system that produces flawed audit results) • Theft (e.g., theft of government documents by government employees or contractors) • Sabotage (e.g., creation of electronic time bombs by employees about to be fired) |
| External sources | • Natural disasters (e.g., floods or fires that destroy IT facilities) • Simultaneous need for the same required resources (e.g., use of cloud capabilities by one organization may affect others) • Infrastructure failures (e.g., internet failures that disrupt web sites and company operations) | • Theft (e.g., theft of personal data or intellectual property by breaking into corporate information systems) • Sabotage (e.g., an attack that erases or corrupts data) • Extortion (e.g., ransomware, malware that prevents access to computing resources) |
Both situations involve misuse of information systems, in one case carelessly exposing important private information and in the other using client information in a corporate information system to perform unauthorized transactions. Neither involves an external attack or a virus, but both situations reveal important IS security shortcomings. Those problems should not have occurred in a properly controlled system. Some of the many articles in the IS security literature that address related topics include Dhillon & Backhouse (2001), Hu et al. (2007), Warkentin & Willison (2009), Crossler et al. (2013), and Cisco (2014).