Securing Information Systems
CHAPTER OBJECTIVES
After reading this chapter, you will be able to do the following:
1. Describe the effects of cybercrime on organizations and individuals.
2. Identify the main cyberthreats and organizational vulnerabilities.
3. Explain other online threats and legal countermeasures.
4. Discuss the process of managing IS security using preventive, detective, and corrective controls.
CHAPTER OUTLINE
PREVIEW
Managing in the Digital World: Cyberattack Bringing Down Pharmacies
CYBERCRIME
The Interplay between Threats, Vulnerabilities, and Impact
Breaches of Confidentiality
Compromised Integrity
Loss of Availability
WHAT’S IN IT FOR YOU? Protecting Your Personal CIA Triad
Who Commits Cybercrime?
Cybercriminals
UNDERSTANDING THE CYBERTHREAT LANDSCAPE
“Traditional” Attack Methods
Social Engineering Attacks
Malware Attacks
Computer Viruses
Worms, Trojan Horses, and Other Sinister Programs
Spyware
Ransomware
Man-in-the-Middle Attacks
Denial-of-Service Attacks
Internet of Things Attacks
SUSTAINABILITY Green IT vs. Cybersecurity: Conflict or Synergy?
Injection Attacks
AI-Powered Attacks
The Rise of Botnets and the Cyberattack Supply Chain
Threats to Security and Privacy: Spam and Cookies
Human and Organizational Vulnerabilities
WHEN THINGS GO WRONG Software Monocultures, Single Points of Failure, and Global IT Outages
2 Information Systems Today, 10th Edition, Instructor’s Manual
OTHER TYPES OF CYBERCRIME
Cyberharassment, Cyberstalking, and Cyberbullying
Online Piracy
Cybersquatting
Legal Countermeasures
Cyber Forensics
MANAGING CYBERSECURITY
Assessing Risks
Developing a Security Strategy
Preventive Controls
Access Restrictions
SECURITY MATTERS Back to the Future: Analog May Be the Future of Securing Critical Infrastructure
Firewalls
Zero Trust
Encryption
Endpoint Protection
Systems Development Controls
Policies and Procedures
USING AI PROJECT Using AI Project: Building Webpage Prototypes
Secure Data Centers
TECHNOLOGY TODAY AND TOMORROW Selling Fear or Protecting Systems?
Detective Controls
Security Operations Center
ETHICAL DILEMMA Safeguarding Information Systems: Privacy vs. Security
IS Auditing
The Sarbanes-Oxley Act
Corrective Controls
Backups
Designing the Recovery Plan
Responding to Security Incidents
INDUSTRY ANALYSIS Cybercops Track Cybercriminals
Key Points Review
Key Terms
Review Questions
Self-Study Questions
Problems and Exercises
Application and Analytics Exercises
Teamwork Exercise
Answers to the Self-Study Questions
Copyright © 2027
Pearson Education, Inc.
References
END OF CHAPTER CASES
Case 1: Ethics and Cyberwar: Just Because We Can, Should We?
Case 2: Not So “Anonymous”—Activists, Hacktivists, or Just Plain Criminals?
TEACHING SUGGESTIONS
This chapter presents many opportunities for class discussion about securing information systems. Instruction should include an in-depth look at cybercrime and the laws surrounding it. This discussion should cover hacking, cracking, the different types of cybercriminals, viruses, internet hoaxes, cybersquatting, cyberharassment, cyberstalking, cyberbullying, and software piracy. In addition, students could be asked to search the internet for current articles describing examples of the different kinds of security breaches and how each one affected the target company.
Cyberwar and cyberterrorism should also be examined, along with the question of how we can secure our information systems. Safeguarding IS resources should include both technological and human safeguards.
Instruction should conclude with a discussion of how to manage IS security, including the creation of a security plan and the types of controls needed to support IS auditing and enforce Sarbanes-Oxley Act requirements.
ANSWERS TO REVIEW QUESTIONS
10-1. Define cybercrime and list several examples.
Answer:
Cybercrime refers to the use of digital devices and/or networks to commit an illegal act. This definition of cybercrime includes the following:
Targeting a computer while committing an offense. For example, someone gains unauthorized entry to a computer system to cause damage to the computer system or to the data it contains.
Using a computer to commit an offense. In such cases, computer criminals may steal credit card numbers from websites or a company’s database, skim money from bank accounts, or make unauthorized electronic fund transfers from financial institutions.
Using computers to support criminal activity even though computers are not actually targeted. For example, drug dealers and other professional criminals may use computers to store records of their illegal transactions or use wire transfers for the purpose of electronic money laundering, an increasingly popular type of computer crime.
LO: 1—Describe the effects of cybercrime on organizations and individuals.
AACSB: Reflective Thinking Skills
10-2. Describe the interplay between threats, vulnerabilities, and impact.
Answer:
Any information system has vulnerabilities, which are weaknesses that can be exploited to cause damage. External threats, such as computer criminals, try to find and exploit such vulnerabilities to cause damage. Typically, cyber incidents impact organizations in one (or more) of three ways:
Breaches of confidentiality
Compromised integrity
Loss of availability
LO: 1—Describe the effects of cybercrime on organizations and individuals.
AACSB: Reflective Thinking Skills
10-3. Explain the purpose of the Computer Fraud and Abuse Act of 1986 and the Electronic Communications Privacy Act of 1986.
Answer:
The Computer Fraud and Abuse Act of 1986 prohibits:
Stealing or compromising data about national defense, foreign relations, atomic energy, or other restricted information
Gaining unauthorized access to computers owned by any agency or department of the U.S. government
Violating data belonging to banks or other financial institutions
Intercepting or otherwise intruding upon communications between states or foreign countries
Threatening to damage computer systems to extort money or other valuables from persons, businesses, or institutions
Threatening the U.S. president, vice president, members of Congress, and other administrative members (even if it’s just in a critical email)
The Electronic Communications Privacy Act of 1986 prohibits breaking into any communications service, including telephone services.
LO: 3—Explain other online threats and legal countermeasures.
AACSB: Reflective Thinking Skills
10-4. Contrast the impacts arising from breaches of confidentiality, compromised integrity, and loss of availability.
Answer:
Breaches of confidentiality can target customers’ personally identifiable information (PII), that is, data that can be used to identify an individual. A competitor’s employees may pose as interns to steal proprietary information about products or corporate strategies. Whether the data breach targets customer PII, employee PII, intellectual property, or other corporate data, the costs can be tremendous.
In addition to accessing private or proprietary data, some cybercriminals attempt to change or modify it in some way, such as when crackers hack into government websites and change content or when employees give themselves electronic raises and bonuses. This undermines business decisions, impacts automated processes, and can result in operational downtime, reputational damage, and legal consequences.
Loss of availability of an organization’s data or systems disrupts operations and can result in significant costs due to lost productivity and revenue. As with breaches of confidentiality and compromised data integrity, loss of availability can also lead to