Potential causes of systems failure

8 September, 2015 - 16:42

Now that we have described a variety of ways in which information systems can fail and recognize the potential consequences these various failures can hold for the organization, we want to get a better understanding of why or how failures occur. It is only through understanding potential causes of systems failure that we are able to take appropriate action to avoid them.

There are a wide variety of potential threats to an organization's information systems. Exhaustive threat lists are difficult, if not impossible, to create, and security professionals often use threat categories in organizing their analysis of threats. Each category could be broken into additional categories, as we have done with the category of human threats, depending on the level of detail desired. A representative set of categories follows:

Human: Human threats are perhaps the most complicated in that the category includes such a wide variety of behaviors. To illustrate how the degree of detail may vary, some relevant subcategories include:

  • Accidental behavior by organizational members
  • Accidental behavior by technical support personnel
  • Accidental behavior by organizational clients and other individuals that have authorized access to the information or information service
  • Malicious behavior by organizational insider
  • Malicious behavior by organizational outsider (malicious behaviors can be further broken out to include: theft, sabotage, extortion).

Natural: Flood, fire, tornado, ice storm, earthquake, flu pandemic.

Environmental: Utility failure, chemical spill, gas line explosion.

Technical: Hardware or software failure (whether maliciously intended or through normal wear and tear), perimeter defense failures (faulty closed-circuit TV, key-code access system, fire alarm).

Operational: A faulty process that unintentionally compromises information confidentiality, integrity or availability. For example, an operational procedure that allows application programmers to upgrade software programs without testing or notifying system operators may result in prolonged outages.

Upon reviewing the many potential causes of system failure, it becomes apparent that the use of information technology to support critical needs, while extremely beneficial, can be fraught with peril. Certainly, we do not mean to discourage the use of information technology in this chapter, but we intend to emphasize that careful information system planning, implementation and operation are required to minimize the probability of system failure as well as minimize the adverse consequences resulting from those failures which will inevitably occur.