Computer crime and abuse
Computer crime—illegal acts in which computers are the primary tool—costs the world economy many billions of dollars annually. Computer abuse does not rise to the level of crime, yet it involves unethical use of a computer. The objectives of the so-called hacking of information systems include vandalism, theft of consumer information, governmental and commercial espionage, sabotage, and cyberwar. Some of the more widespread means of computer crime include phishing and planting of malware, such as computer viruses and worms, Trojan horses, and logic bombs.
Phishing involves obtaining a legitimate user’s login and other information by subterfuge via messages fraudulently claiming to originate with a legitimate entity, such as a bank or government office. A successful phishing raid to obtain a user’s information may be followed by identity theft, an impersonation of the user to gain access to the user’s resources.
Computer viruses are a particularly common form of attack. These are program instructions that are able not only to perform malicious acts but also to insert copies of themselves into other programs and thus spread to other computer systems. Similar to viruses, worms are complete computer programs that replicate and propagate through telecommunications networks. Because of their ability to spread rapidly and widely, viruses and worms can inflict immense damage. The damage can be in the form of tampering with system operation, theft of large volumes of data (e.g., credit card numbers), known as data breach, or denial of service by overloading systems with a barrage of spurious requests.
In a Trojan horse attack, the malefactor conceals unauthorized instructions within an authorized program. A logic bomb consists of hidden instructions, often introduced with the Trojan horse technique, that stay dormant until a specific event occurs, at which time the instructions are activated. In one well-known case, in 1985 a programmer at an insurance company in Fort Worth, Texas, placed a logic bomb in his company’s human resources system; when he was fired and his name was deleted from the company’s employee database, the entire database was erased.
Once a system connected to the Internet is invaded, it may be used to take over many others and organize them into so-called botnets that can launch massive attacks against other systems to steal information or sabotage their operation. There is a growing concern that, in the “Internet of things,” computer-controlled devices such as refrigerators or TV sets may be deployed in botnets. The variety of devices makes them difficult to control against malware.
Information systems controls
To ensure secure and efficient operation of information systems, an organization institutes a set of procedures and technological measures called controls. Information systems are safeguarded through a combination of general and application controls.
General controls apply to information system activities throughout an organization. The most important general controls are the measures that control access to computer systems and the information stored there or transmitted over telecommunications networks. General controls include administrative measures that restrict employees’ access to only those processes directly relevant to their duties. As a result, these controls limit the damage that any individual employee or employee impersonator can do. Fault-tolerant computer systems installed in critical environments, such as in hospital information systems or securities marketplaces, are designed to control and isolate problems so that the system can continue to function. Backup systems, often in remote locations, may be activated in the case of failure of the primary information system.
Application controls are specific to a given application and include such measures as validating input data, logging the accesses to the system, regularly archiving copies of various databases, and ensuring that information is disseminated only to authorized users.
Securing information
Controlling access to information systems became profoundly more difficult with the spread of wide area networks (WANs) and, in particular, the Internet. Users, as well as interlopers, may access systems from any unattended computer within an organization or from virtually anywhere over the Internet. As a security measure, each legitimate user has a unique name and a regularly changed password. Another security measure is to require some form of physical authentication, such as an object (a physical token or a smart card) or a personal characteristic (fingerprint, retinal pattern, hand geometry, or signature). Many systems combine these types of measures—such as automatic teller machines, which rely on a combination of a personal identification number (PIN) and an identification card. Security measures placed between an organization’s internal networks and the Internet are known as firewalls. These combinations of hardware and software continually filter the incoming, and often outgoing, data traffic.
A different way to prohibit access to information is via data encryption, which has gained particular importance in electronic commerce. Public key encryption is used widely in such commerce. To ensure confidentiality, only the intended addressee has the private key needed to decrypt messages that have been encrypted with the addressee’s public key. Furthermore, authentication of both parties in an electronic transaction is possible through the digital certificates issued to both parties by a trusted third party and the use of digital signatures—an additional code attached to the message to verify its origin. A type of antitampering code can also be attached to a message to detect corruption. Similar means are available to ensure that parties to an electronic transaction cannot later repudiate their participation. Some messages require additional attributes. For example, a payment in electronic cash is a type of message, with encryption used to ensure the purchaser’s anonymity, that acts like physical cash.
To continually monitor information systems, intrusion detection systems are used. They detect anomalous events and log the information necessary to produce reports and to establish the source and the nature of the possible intrusion. More active systems also attempt to prevent the intrusion upon detection in real time.
Information systems audit
The effectiveness of an information system’s controls is evaluated through an information systems audit. An audit aims to establish whether information systems are safeguarding corporate assets, maintaining the integrity of stored and communicated data, supporting corporate objectives effectively, and operating efficiently. It is a part of a more general financial audit that verifies an organization’s accounting records and financial statements. Information systems are designed so that every financial transaction can be traced. In other words, an audit trail must exist that can establish where each transaction originated and how it was processed. Aside from financial audits, operational audits are used to evaluate the effectiveness and efficiency of information systems operations, and technological audits verify that information technologies are appropriately chosen, configured, and implemented.
Impacts of information systems
Computerized information systems, particularly since the arrival of the Web and mobile computing, have had a profound effect on organizations, economies, and societies, as well as on individuals whose lives and activities are conducted in these social aggregates.
Organizational impacts of information systems
Essential organizational capabilities are enabled or enhanced by information systems. These systems provide support for business operations; for individual and group decision making; for innovation through new product and process development; for relationships with customers, suppliers, and partners; for pursuit of competitive advantage; and, in some cases, for the business model itself (e.g., Google). Information systems bring new options to the way companies interact and compete, the way organizations are structured, and the way workplaces are designed. In general, use of Web-based information systems can significantly lower the costs of communication among workers and firms and cost-effectively enhance the coordination of supply chains or webs. This has led many organizations to concentrate on their core competencies and to outsource other parts of their value chain to specialized companies. The capability to communicate information efficiently within a firm has led to the deployment of flatter organizational structures with fewer hierarchical layers.
Nevertheless, information systems do not uniformly lead to higher profits. Success depends both on the skill with which information systems are deployed and on their use being combined with other resources of the firm, such as relationships with business partners or superior knowledge in the industrial segment.
The use of information systems has enabled new organizational structures. In particular, so-called virtual organizations have emerged that do not rely on physical offices and standard organizational charts. Two notable forms of virtual organizations are the network organization and the cluster organization.
In a network organization, long-term corporate partners supply goods and services through a central hub firm. Together, a network of relatively small companies can present the appearance of a large corporation. Indeed, at the core of such an organization may be nothing more than a single entrepreneur supported by only a few employees. Thus, network organization forms a flexible ecosystem of companies, whose formation and work is organized around Web-based information systems.
In a cluster organization, the principal work units are permanent and temporary teams of individuals with complementary skills. Team members, who are often widely dispersed around the globe, are greatly assisted in their work by the use of Web resources, corporate intranets, and collaboration systems. Global virtual teams are able to work around the clock, moving knowledge work electronically “to follow the sun.” Information systems delivered over mobile platforms have enabled employees to work not just outside the corporate offices but virtually anywhere. “Work is the thing you do, not the place you go to” became the slogan of the emerging new workplace. Virtual workplaces include home offices, regional work centres, customers’ premises, and mobile offices of people such as insurance adjusters. Employees who work in virtual workplaces outside their company’s premises are known as teleworkers.
The role of consumers has changed, empowered by the Web. Instead of being just passive recipients of products, they can actively participate with the producers in the cocreation of value. By coordinating their collective work using information systems, individuals created such products as open-source software and online encyclopaedias. The value of virtual worlds and massively multiplayer online games has been created largely by the participants. The electronic word-of-mouth in the form of reviews and opinions expressed on the Web can make or break products. In sponsored cocreation, companies attract their customers to generate and evaluate ideas, codevelop new products, and promote the existing goods and services. Virtual customer communities are created online for these purposes.
