MIS 111 Chapters for Exam
privilege
is a collection of related computer system operations that a user is authorized to perform.
Business process management (BPM)
is a management technique that includes methods and tools to support the design, analysis, implementation, management, and optimization of business processes.
Authentication
confirms the identity of the person requiring access. After the person is authenticated (identified), the next step is authorization.
Authorization
determines which actions, rights, or privileges the person has, based on his or her verified identity. Let's examine these functions more closely.
Passwords
present a huge information security problem in all organizations. Most of us have to remember numerous passwords for different online services, and we typically must choose complicated strings of characters to make them harder to guess.
adware
software that causes pop-up advertisements to appear on your screen. Adware is common because it works. According to advertising agencies, for every 100 people who close a pop-up ad, 3 click on it. This "hit rate" is extremely high for Internet advertising.
The Spear-Phishing Attack.
The attackers launched a spear-phishing attack on IT staff and system administrators at three of the power distribution companies in Ukraine. The attack sent e-mails to employees that contained a malicious Word file. If an employee clicked on the document, a popup window told them to enable macros for that file.
risk mitigation
the organization takes concrete actions against risks. Risk mitigation has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery if the threat becomes a reality. There are several risk mitigation strategies that organizations can adopt. The three most common are risk acceptance, risk limitation, and risk transference.
Single-factor authentication
which is notoriously weak, commonly consists simply of a password. Two-factor authentication consists of a password plus one type of biometric identification (e.g., a fingerprint). Three-factor authentication is any combination of three authentication methods.
least privilege
which posits that users be granted the privilege for an activity only if there is a justifiable need for them to perform that activity.
Risk limitation:
Limit the risk by implementing controls that minimize the impact of the threat.
Risk analysis
(1) assessing the value of each asset being protected, (2) estimating the probability that each asset will be compromised, and (3) comparing the probable costs of the asset's being compromised with the costs of protecting that asset. The organization then considers how to mitigate the risk.
Given the importance of business and IT alignment, why do so many organizations fail to implement this policy? The major reasons are the following:
- Business managers and IT managers have different objectives.
- The business and IT departments are ignorant of the other group's expertise.
- A lack of communication.
Five key factors are contributing to the increasing vulnerability of organizational information resources, making it much more difficult to secure them:
- Today's interconnected, interdependent, wirelessly networked business environment
- Smaller, faster, cheaper computers and storage devices
- Decreasing skills necessary to be a computer hacker
- International organized crime taking over cybercrime
- Lack of management support
Manufacturing companies typically perform five primary activities in the following sequence:
1. Inbound logistics (inputs)
2. Operations (manufacturing and testing)
3. Outbound logistics (storage and distribution)
4. Marketing and sales
5. Services
There are six characteristics of excellent alignment:
1. Organizations view IT as an engine of innovation that continually transforms the business, often creating new revenue streams.
2. Organizations view their internal and external customers and their customer service function as supremely important.
3. Organizations rotate business and IT professionals across departments and job functions.
4. Organizations provide overarching goals that are completely clear to each IT and business employee.
5. Organizations ensure that IT employees understand how the company makes (or loses) money.
6. Organizations create a vibrant and inclusive company culture.
competitive forces model
A business framework devised by Michael Porter that analyzes competitiveness by recognizing five major forces that could endanger a company's position.
value chain
A sequence of activities through which the organization's inputs, whatever they are, are transformed into more valuable outputs, whatever they are.
Risk acceptance:
Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Market pressures:
An example of a market pressure is powerful customers. Customer relationship management is an effective IT response that helps companies achieve customer intimacy.
Societal/political/legal pressures:
An example of a societal/political/legal pressure is social responsibility, such as the state of the physical environment. Green IT is one response that is intended to improve the environment.
Technology pressures:
An example of a technology pressure is information overload. Search engines and business intelligence applications enable managers to access, navigate, and use vast amounts of information.
threat
Any danger to which an information resource may be exposed.
The bargaining power of customers (buyers)
Buyer power is high when buyers have many choices from whom to buy and low when buyers have few choices. For example, in the past, there were few locations where students could purchase textbooks
Customer orientation strategy
Concentrate on making customers happy.
Customer orientation strategy
Concentrate on making customers happy. Web-based systems are particularly effective in this area because they can create a personalized, one-to-one relationship with each customer.
Physical controls
Controls that restrict unauthorized individuals from gaining access to a company's computer facilities.
piracy
Copying a software program (other than freeware, demo software, etc.) without making payment to the owner.
Threat of entry of new competitors
For most firms, the web increases the threat that new competitors will enter the market by reducing traditional barriers to entry. Frequently, competitors need only to set up a website to enter a market.
blacklisting
allows everything to run unless it is on the blacklist. A blacklist, then, includes certain types of software that are not allowed to run in the company environment.
Operational effectiveness strategy
Improve the manner in which a firm executes its internal business processes so that it performs these activities more effectively than its rivals. Such improvements increase quality, productivity, and employee and customer satisfaction while decreasing time to market.
Operational effectiveness strategy
Improve the manner in which internal business processes are executed so that a firm performs similar activities better than its rivals.
The rivalry among existing firms in the industry:
In the past, proprietary information systems provided strategic advantage for firms in highly competitive industries. The visibility of Internet applications on the web makes proprietary systems more difficult to keep secret. Therefore, the web makes strategic advantage more short-lived.
value system
Includes the producers, suppliers, distributors, and buyers, all with their own value chains.
Innovation strategy
Introduce new products and services, add new features to existing products and services, or develop new ways to produce them. A classic example is the introduction of automated teller machines (ATMs) by Citibank. The convenience and cost-cutting features of this innovation gave Citibank a huge advantage over its competitors. Like many innovative products, the ATM changed the nature of competition in the banking industry.
Innovation strategy
Introduce new products and services, put new features in existing products and services, or develop new ways to produce them.
malware
Malicious software such as viruses and worms.
The threat of substitute products or services:
New technologies create substitute products very rapidly, and the web makes information about these products available almost instantly. As a result, industries (particularly information-based industries) are in great danger from substitutes (e.g., music, books, newspapers, magazines, software).
Differentiation strategy
Offer different products, services, or product features than your competitors. Southwest Airlines, for example, has differentiated itself as a low-cost, short-haul, express airline. This has proved to be a winning strategy for competing in the highly competitive airline industry.
Differentiation strategy
Offer different products, services, or product features.
Cost leadership strategy
Produce products and services at the lowest cost in the industry.
cost leadership strategy
Produce products and services at the lowest cost in the industry. An example is Walmart's automatic inventory replenishment system, which enables Walmart to reduce inventory storage requirements. As a result, Walmart stores use floor space only to sell products, and not to store them, thereby reducing inventory costs.
entry barrier
Product or service feature that customers expect from organizations in a certain industry; an organization trying to enter this market must provide this product or service at a minimum to be able to compete.
The bargaining power of suppliers.
Supplier power is high when buyers have few choices from whom to buy and low when buyers have many choices. Therefore, organizations would rather have more potential suppliers so that they will be in a stronger position to negotiate price, quality, and delivery terms.
strategic information systems (SISs)
Systems that help an organization gain a competitive advantage by supporting its strategic goals and increasing performance and productivity.
employee monitoring systems
Systems that monitor employees' computers, e-mail activities, and Internet surfing activities.
The Difficulties in Protecting Information Resources
- Hundreds of potential threats exist.
- Computing resources may be situated in many locations.
- Many individuals control or have access to information assets.
- Computer networks can be located outside the organization, making them difficult to protect.
- Rapid technological changes make some controls obsolete as soon as they are installed.
Disabling the uninterruptible power supply
The attackers now rejigged the supply of uninterruptible power to the three systems' control centers. They wanted to cut power to the operators as well as the customers.
Disabling the converters.
The attackers then coded malicious software to supersede the actual software on converters at power company substation control systems.
Reconnaissance.
The spear-phishing attack allowed the intruders to access the power distribution companies' corporate networks. However, the intruders still had to gain access to the supervisory control and data acquisition (SCADA) networks that actually operated the power grid, but the power companies had competently separated those networks from corporate networks with a firewall.
business-information technology alignment
The tight integration of the IT function with the strategy, mission, and goals of the organization.
the bargaining power of suppliers:
The web enables buyers to find alternative suppliers and to compare prices more easily, thereby reducing suppliers' bargaining power. From a different perspective, as companies use the web to integrate their supply chains, participating suppliers can lock in customers, thereby increasing suppliers' bargaining power.
the bargaining power of customers (buyers):
The web provides customers with incredible amounts of choices for products, as well as information about those choices. As a result, the web increases buyer power. However, companies can implement loyalty programs in which they use the web to monitor the activities of millions of customers. Such programs reduce buyer power.
primary activities
Those business activities related to the production and distribution of the firm's products and services, thus creating value.
Risk transference:
Transfer the risk by using other means to compensate for the loss, such as by purchasing insurance.
certificate authority
acts as a trusted intermediary between the companies. The certificate authority issues digital certificates and verifies the integrity of the certificates.
Public-key encryption
also known as asymmetric encryption—uses two different keys: a public key and a private key (see Figure 4.4). The public key (locking key) and the private key (the unlocking key) are created simultaneously using the same mathematical formula or algorithm.
Computing devices and storage devices (theft of equipment etc.)
are becoming smaller yet more powerful with vastly increased storage (e.g., laptops, personal digital assistants, smartphones, digital cameras, thumb drives, iPods).
Sabotage and vandalism
are deliberate acts that involve defacing an organization's website, potentially damaging the organization's image and causing its customers to lose faith. One form of online vandalism is a hacktivist or cyberactivist operation.
anti-malware systems (antivirus software)
are software packages that attempt to identify and eliminate viruses and worms, and other malicious software. AV software is implemented at the organizational level by the IS department. Hundreds of AV software packages are currently available. Among the best known are Norton AntiVirus
Security
can be defined as the degree of protection against criminal activity, danger, damage, or loss.
Tunneling
encrypts each data packet to be sent and places each encrypted packet inside another packet. (VPNs use this process)
The threat of substitute products or services
if there are many alternatives to an organization's products or services, then the threat of substitutes is high. If there are few alternatives, then the threat is low.
virtual private network (VPN)
is a private network that uses a public network (usually the Internet) to connect users. VPNs essentially integrate the global connectivity of the Internet with the security of a private network and thereby extend the reach of the organization's networks.
whitelisting
is a process in which a company identifies the software that it will allow to run on its computers. Whitelisting permits acceptable software to run, and it either prevents any other software from running or lets new software run only in a quarantined environment until the company can verify its validity.
Business process reengineering (BPR)
is a radical redesign of business processes that is intended to improve the efficiency and effectiveness of an organization's business processes. The key to BPR is for enterprises to examine their business processes from a "clean sheet" perspective and then determine how they can best reconstruct those processes to improve their business functions.
passphrase
is a series of characters that is longer than a password but is still easy to memorize. Examples of passphrases are "maytheforcebewithyoualways" and "goaheadmakemyday." A passphrase can serve as a password itself, or it can help you create a strong password.
Copyright
is a statutory grant that provides the creators or owners of intellectual property with ownership of the property, also for a designated period. Current U.S. laws award patents for 20 years and copyright protection for the life of the creator plus 70 years.
firewall
is a system that prevents a specific type of information from moving between untrusted networks, such as the Internet, and private networks, such as your company's network. Put simply, firewalls prevent unauthorized Internet users from accessing private networks.
Tailgating
is a technique designed to allow the perpetrator to enter restricted areas that are controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee and, when the employee gains entry, the attacker asks him or her to "hold the door."
Social engineering
is an attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords.
biometrics
is an authentication method that examines a person's innate physical characteristics. Common biometric applications are fingerprint scans, palm scans, retina scans, iris recognition, and facial recognition.
digital certificate
is an electronic document attached to a file that certifies that the file is from the organization it claims to be from and has not been modified from its original format.
Transport layer security (secure socket layer)
is an encryption standard used for secure transactions such as credit card purchases and online banking. TLS encrypts and decrypts data between a web server and a browser end to end.
FIDO
is an industry consortium formed to address the lack of interoperability among strong authentication devices and the problems that users face in creating and remembering multiple usernames and passwords. The principle behind FIDO is that identifiers such as a person's fingerprint, iris scan, and the unique identifier of any USB device or contactless ring will not be sent over the Internet.
trade secret
is an intellectual work, such as a business plan, that is a company secret and is not based on public information. An example is the formula for Coca-Cola.
patent
is an official document that grants the holder exclusive rights on an invention or a process for a specified period of time.
trusted network
is any network within your organization and an untrusted network is any network external to your organization.
Alien software
is clandestine software that is installed on your computer through duplicitous methods. It typically is not as malicious as viruses, worms, or Trojan horses, but it does use up valuable system resources.
Spamware
is pestware that uses your computer as a launch pad for spammers.
Spyware
is software that collects personal information about users without their consent. Two common types of spyware are keystroke loggers and screen scrapers.
Identity theft
is the deliberate assumption of another person's identity, usually to gain access to his or her financial information or to frame him or her for a crime. Techniques for illegally obtaining personal information include the following:
- Stealing mail or dumpster diving
- Stealing personal information in computer databases
- Infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom)
- Impersonating a trusted organization in an electronic communication (phishing)
vulnerability
is the possibility that the system will be harmed by a threat.
risk
is the probability that a threat will impact an information resource. (risk analysis, risk mitigation, and controls evaluation)
Encryption
is the process of converting an original message into a form that cannot be read by anyone except the intended receiver.
Intellectual property
is the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.
risk management
is to identify, control, and minimize the impact of threats. In other words, risk management seeks to reduce risk to acceptable levels.
Spam
is unsolicited e-mail, usually advertising for products and services. When your computer is infected with spamware, e-mails from spammers are sent to everyone in your e-mail address book, but they appear to come from you.
demilitarized zone (DMZ)
located between the two firewalls. Messages from the Internet must first pass through the external firewall. If they conform to the defined security rules, they are then sent to company servers located in the DMZ. These servers typically handle web page requests and e-mail
Information extortion
occurs when an attacker either threatens to steal, or actually steals, information from a company.
Espionage or trespass
occurs when an unauthorized individual attempts to gain illegal access to organizational information. It is important to distinguish between competitive intelligence and industrial espionage. Competitive intelligence consists of legal information gathering techniques, such as studying a company's website and press releases, attending trade shows, and similar actions.
exposure
of an information resource is the harm, loss, or damage that can result if a threat compromises that resource.
controls
or defense mechanisms (also called countermeasures). These controls are designed to protect all of the components of an information system, including data, software, hardware, and networks.
Cyberterrorism and cyberwarfare
refer to malicious acts in which attackers use a target's computer systems, particularly through the Internet, to cause physical, real-world harm or severe disruption, often to carry out a political agenda.
SCADA
refers to a large-scale distributed measurement and control system. ______ systems are used to monitor or to control chemical, physical, and transport processes such as those used in oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants. Essentially, ______ systems provide a link between the physical world and the electronic world.
information security
refers to all of the processes and policies designed to protect an organization's information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Cybercrime
refers to illegal activities conducted over computer networks, particularly the Internet.
Access control
restricts unauthorized individuals from using information resources. These controls involve two major functions: authentication and authorization.
Communications controls (network controls)
secure the movement of data across networks. Communications controls consist of firewalls, anti-malware systems, whitelisting and blacklisting, encryption, virtual private networks (VPNs), transport layer security (TLS), and employee monitoring systems.