
Defining what constitutes system failure: Confidentiality, integrity and availability

8 September, 2015 - 16:42

Information systems differ from other organizational assets in how their failure conditions are specified. Typically, an asset failure can be described in terms of availability. That is, if the organization relies on a truck for transporting goods or a drill press for manufacturing products, failure occurs when the asset is broken or stolen. The asset is simply not available to support its intended use. Information systems, however, are a bit trickier in that they may well be present and appear to be running when they are in fact in a failure mode.

Unlike tangible assets, information does not necessarily disappear when it has been stolen. If an organization holds confidential information, perhaps a list of potential clients or information describing a new manufacturing process, the information may be downloaded by an unauthorized individual but remain available to the organization.

Exposure of information to unauthorized personnel constitutes a breach of confidentiality irrespective of whether the information is actually lost during the breach.

Another type of system failure occurs when the integrity of the information can no longer be trusted. That is, rather than an unauthorized exposure of information, there are unauthorized changes to the information. A bank may be perfectly willing to allow its customers to log on and check their account balances, but it certainly does not want to permit customers to adjust their account balances without ensuring that funds have actually been deposited. A business website containing documentation about how to configure or repair its products might suffer serious financial harm if an intruder were able to modify those instructions, leading customers to misconfigure or even ruin the product they have purchased.

Finally, denial of access to the information or information service represents another type of system failure, referred to as a breach of availability. Failure of a payroll system resulting in a delay of depositing pay to employee accounts can result in serious hardship. But there can be even more serious consequences of system failures. If a doctor is prevented from accessing the results of diagnostic tests, a patient may unnecessarily suffer or might even die. A commercial website might lose important sales if it were to fail for an extended time.

We see, then, that defining failure for information systems can be more complicated than one might at first expect. Organizational management must work with its IT professionals to understand the types of failures that can occur and to assess the adverse consequences should failures occur. While a variety of techniques to minimize the probability of experiencing system failures are discussed in the following sections of this chapter, all organizations must recognize that some failures will inevitably occur and should establish recovery procedures to minimize adverse consequences when they do.