1. events that occur in organizations or the
Why Organization are heavily
reliant on information system
information system can be technically defined as a set of related components
that collect (or recover), process, store, and distribute information to
support decision-making and control in an organization. In addition to
supporting decision-making, coordination and control, information systems can
also help managers and workers analyze problems, see complex issues and create
new products. Information systems contain information about people, places and
things important in the organization or environment around them. For
information, we mean data that has been modeled in a meaningful and useful form
for humans. Data, on the other hand, is the flow of untreated events that
represent events that occur in organizations or the physical environment before
they are organized and organized in a way that people can understand and use.
definition of an information system is based on the more general concept of the
work system. Companies operate through work systems. Typical business
organizations include work systems that provide materials to suppliers,
manufacture physical and / or information products, deliver products to
customers, find customers, create financial relationships, hire employees,
coordinate work , send taxes and perform other functions. A work system is a
system in which participants and / or machines perform work (processes and
activities) using information, technologies and other resources to produce
specific products and / or services for internal customers or specific externalities.
An information system is a work system whose processes and activities are devoted
to processing information, i.e., capturing, transmitting, storing, retrieving,
manipulating, and displaying information. Thus, an information system is a
system in which human participants and/or machines perform work (processes and
activities) using information, technology, and other resources to produce
informational products and/or services for internal or external customers.
organizations rely heavily on the information system to succeed in the business
world, and people’s lifestyles are changing rapidly because we can not exhaust
our information system in our day-to-day lives. Wireless communications,
including laptops and mobile computing devices, enable managers, employees,
customers, suppliers, and business partners to stay connected in any way they
can. E-mail, online conferences, the Web and the Internet offer new and
different communication channels for all businesses, large and small. By
increasing communication channels and reducing communication costs, customers
need more activities in terms of services and products at lower cost.
E-commerce is changing the way companies should attract and respond to
customers. The following facts are reason why information system is so
essential to the organizations,
the cost of installing and maintaining an information system is quite high
(depending on the type of system) initially, but in due course, the costs are
decreasing and seem fair in relation to the types of profits being exploited.
help from that. Moreover, over time, the cost of information systems tends to
decrease, while the costs of their substitutes (eg labor) tend to increase
historically (Laudon, 1990). In addition, computer systems use networks, which
help an organization reduce transaction costs, allowing the organization to
engage external vendors rather than using internal resources.
Information Systems Improve Performance:
systems are designed to improve the overall efficiency and effectiveness of a
process. Information systems speed up the process and reduce the time by
removing additional steps of the operation. For example, in 1977, Citibank
developed ATMs and debit cards (Laudon and Laudon 9th Ed.). He facilitated
financial transactions and was a huge success. In addition, banks have
continued to innovate and, today, with the help of reliable and secure
information systems from TEMENOS, Infosys, Oracle, etc., most customers can
make the largest number of transactions since their personal computer or even
from the cell phone. In addition, information systems provide real-time
information that reduces the magnitude of errors, thereby increasing the
quality of the output of the process.
Importance in Decision Making:
systems provide managers with tools to monitor, plan and forecast more
accurately and faster than ever before. In addition, they enable managers to
react more quickly and adapt quickly to the rapidly changing business
environment. Decision support systems can significantly improve results on both
quantitative and qualitative fronts. For example, in the United States, about
142 million employees generate $ 12.2 trillion in gross domestic product. If
the quality of decision of these employees could only be improved by 1% in one
year, the GDP could increase considerably.
Organizational Behavior Change:
research shows that computer systems facilitate the flattening of hierarchies
by expanding the distribution of information to empower lower-level employees.
It pushes the decision to make rights at the lowest level of the organization,
as lower-level employees receive the information they need to make decisions
that eliminate the need for middle managers. This also leads to a reduction in
the administrative costs of the organization.
2.Various types of
security threats to any information system of an organization.
followings are types of security treats to information system;
a) Malicious software: Viruses, Worms,
Trojan Horses and Spyware
software programs are referred as malware and includes a variety of threats,
such as computer viruses, worms, and Trojans. A computer virus is malware that
attaches to other software or files. data to execute, usually without the
knowledge or permission of the user. Worms, which are standalone computer
programs copied from one computer to another on a network. Unlike viruses,
worms can work alone without connecting to other computer program files and
relying less on human behavior to spread from one computer to another. A Trojan
is software that seems to be benign, but does something different than
expected. The Trojan itself is not a virus because it does not replicate, but
it is often a way to introduce viruses or other malicious code into a computer
system. Spyware also acts as malware. These small programs sneak onto computers
to monitor users’ web browsing activity and to advertise.
b) Hackers and Computer Crime
hacker is an individual who intends to gain unauthorized access to a computer
system. Hacker activities have broadened beyond mere system intrusion to
include theft of goods and information, as well as system damage and
cybervandalism, the intentional disruption, defacement, or even destruction of
a Web site or corporate information system. In a denial-of-service (DoS)
attack, hackers flood a network server or Web server with many thousands of
false communications or requests for services to crash the network. The network
receives so many queries that it cannot keep up with them and is thus
unavailable to service legitimate requests. A distributed denial-of-service
(DDoS) attack uses numerous computers to inundate and overwhelm the network
from numerous launch points. Most hacker activities are criminal offenses, and
the vulnerabilities of systems we have just described make them targets for other
types of computer crime as well. Computer crime is defined by the U.S.
Department of Justice as “any violations of criminal law that involve a
knowledge of computer technology for their perpetration, investigation, or
prosecution.” Many companies are reluctant to report computer crimes because
the crimes may involve employees, or the company fears that publicizing its
vulnerability will hurt its reputation. The most economically damaging kinds of
computer crime are denial of service attacks, activities of malicious insiders,
and Web-based attacks.
c) Internal Threats: Employee
tend to think that threats to the security of a company are born outside the
organization. In fact, the workers in the company raise serious security
problems. Employees have access to insider information and, in the presence of
sloppy internal security procedures, they can often move around an
organization’s systems without a trace. End-users and information system
specialists are also a major source of errors introduced into information
systems. End users introduce errors by entering incorrect data or by not
following the correct instructions for data processing and computer equipment
use. IT specialists can create software errors when designing and developing new
software or maintaining existing programs.
errors are a constant threat to information systems, leading to unquantified
productivity losses and sometimes putting people who use or rely on systems at
risk. The increasing complexity and size of software, as well as demands for
timely delivery to markets, have contributed to increased software defects or
vulnerabilities. A major problem with the software is the presence of hidden
errors or flaws in the program code.
3. The Impact of Ransomware on Business
word Ransomware is a combination of ransom and software, and a program that is
designed to attack a targeted system with the aim of holding the user as a
hostage, and restricting users from accessing their devices. It can also be
used to encrypt the user’s data, forcing the victim to pay the ransom.
Generally, ransomware uses malware and Trojan forms to bypass and infect the
targeted system. Ransomware consists of two major types: lockers, which prevent
the user from the entire system, and crypto ransomware, which only encrypts the
user files. Ransomware vastly attacks companies and endpoint users. Ransomware
attacks may happen in different contexts such as email attachment, compromised
websites, advertising, running untrusted program on the machine, sharing
networks and communicating with an infected system. The world has experienced a
massive global ransomware cyber-attack known as “WannaCrypt” or “WannaCry”
since Friday, May 12 2017. Hundreds of thousands’ computers worldwide have been
hit and affected more than 150 countries. WannaCry is far more dangerous than
other common ransomware types because of its ability to spread itself across an
organization’s network by exploiting a critical vulnerability in Windows
computers. The malware has the capability to scan heavily over TCP port 445
(Server Message Block/SMB), spreading similar to a worm, compromising hosts,
encrypting files stored on them then demanding a ransom payment in the form of
Bitcoin. It is important to note that this is not a threat that simply scans
internal ranges to identify where to spread, it is also capable of spreading
based on vulnerabilities it finds in other externally facing hosts across the
are approximately 30–40 publicly named companies among the likely thousands
that were impacted by this ransomware. Examples include the Russian Interior
Ministry, Telefonica (Spain’s largest telecommunications company) and FedEx.
The UK National Health Service (NHS) was badly hit, with 16 of the 47 NHS
trusts being affected, and routine surgery and doctor appointments being
canceled as the service recovers. There are reports that in China over 40,000
organizations have been affected, including over 60 academic institutions.
Russia appears to be the heaviest hit by the WannaCry attack. Kaspersky Labs
attributes this to Russian organizations running a relatively large proportion
of dated and unpatched systems. WannaCry seems to be designed specifically for
an international attack: it may appear ransom in 28 languages.
that infected ransom were heading to negative consequences such as
or permanent loss of sensitive and important information
to business operation
financial losses due to restore systems and files
potential harm to an organization’s reputation.
can be use with badly for productivity. It make all projects on hold until
access to important files is recovered and the system is protected. If your
computers have been infected with Ransomware, all sensitive information may
fall into the wrong hands and be erased from your devices. A data breach
containing information about customers or customers’ employees creates a crisis
that no company wants to deal with. Sensitive information is at stake, but
paying hackers does not guarantee that the information has not been copied yet.
Paying the repurchase does not guarantee the safe return of all files.
companies have an IT strategy and disaster recovery plan, but surprisingly, few
are sufficiently prepared to deal with a ransomware attack. This is partly
because they do not understand the risks, and because ransomware threats evolve
at a rate that antivirus software struggles to keep up.
4. Prevention and risk mitigation plan
should be practice the following Control measure for prevention of future
(A) Conduct ongoing, documented, and
thorough information security risk assessments
an ongoing information security risk assessment program that considers new and
evolving threats to online accounts and adjusts customer authentication,
layered security, and other controls in response to identified risks. Identify,
prioritize, and assess the risk to critical systems, including threats to
applications that control various system parameters and other security and
fraud prevention measures.
(B) Securely configure systems and
such as logical network segmentation, offline backups, air gapping, maintaining
an inventory of authorized devices and software, physical segmentation of
critical systems, and other controls may mitigate the impact of a cyber-attack
involving ransomware. Consistency in system configuration promotes the
implementation and maintenance of a secure network. Essential components of a
secure configuration include the removal or disabling of unused applications,
functions, or components.
(C) Protect against unauthorized access
the number of credentials with elevated privileges across the organization,
especially administrator accounts and the ability to easily assign elevated
privileges that access critical systems. Review access rights periodically to
reconfirm approvals are appropriate to the job function. Establish stringent
expiration periods for unused credentials, monitor logs for use of old
credentials, and promptly terminate unused or unwarranted credentials.
Establish authentication rules, such as time of-day and geolocation controls,
or implement multifactor authentication protocols for systems and services
(e.g., virtual private networks). In addition, conduct regular audits to review
the access and permission levels to critical systems for employees and
contractors. Implement least privileges access policies across the entire
enterprise. In particular, do not allow users to have local administrator rights
on workstations, and remove access to the temporary download folder.
(D) Perform security monitoring, prevention, and
that protection and detection systems, such as intrusion detection systems and
antivirus protection, are up to date and that firewall rules are configured
properly and reviewed periodically. Establish a baseline environment to enable
the ability to detect anomalous behavior. Monitor system alerts to identify,
prevent, and contain attack attempts from all sources.
(E) Perform Update information security
awareness and training programs
regular, mandatory information security awareness training across the
institution, including how to identify, prevent, and report phishing attempts
and other potential security incidents. Ensure that the training reflects the
functions performed by employees.
(F) Implement and regularly test
controls around critical systems
that appropriate controls, such as access control, segregation of duties,
audit, and fraud detection, and monitoring systems are implemented for systems
based on risk. Limit the number of sign-on attempts for critical systems and
lock accounts once such thresholds are exceeded. Implement alert systems to
notify employees when baseline controls are changed on critical systems. Test
the effectiveness and adequacy of controls periodically. Report test results to
senior management and to the board of directors or a committee of the board of
directors. Include in the report recommended risk mitigation strategies and
progress to remediate findings.
(G) Review, update, and test incident
response and business continuity plans periodically
the effectiveness of incident response plans at the organization and with third
party service providers to ensure that all employees, including individuals
responsible for managing risk, information security, vendor management, fraud
detection, and customer inquiries, understand their respective responsibilities
and their institution’s protocols.
Ethical issues that may arise
from using connected devices in an organization
refers to the principles of right and wrong that individuals, acting as free
moral agents, use to make choices to guide their behaviors. (Kenneth C
Laudon, Jane P Laudon, 2017) Ethical issues in
information systems have been given new urgency by the rise of the Internet and
electronic commerce. Internet and digital firm technologies make it easier than
ever to assemble, integrate, and distribute information, unleashing new concerns
about the appropriate use of customer information, the protection of personal
privacy, and the protection of intellectual property.
must be trained and kept aware of a number of topics related to information
security, not the least of which are the expected behaviors of an ethical
employee. This is especially important in information security, as many
employees may not have the formal technical training to understand that their
behavior is unethical or even illegal. Proper ethical and legal training is
vital to creating an informed, well prepared, and low-risk system user.
technology is as important in our lives as serious ethical issues, and IT
professionals and information technology users should be prepared for these
challenges. As more and more information technologies are emerging on the
market, most IT professionals and users do not know how to handle the
challenges of these technologies. Information technologies are facing great
difficulties that lack privacy, security, copyright infringement and increased
cybercrime. The criminals are very enthusiastic about the many holes in the
circuit offered by technology. Cybercrime has become an increasingly common
profession, with information technology that has greatly contributed to
speeding up, flowing and accessing information. Many companies and
organizations can become cyber victims every day because most, if not all, of
their jobs are based on a digital network. There is also the potential threat
of unfaithful or vindictive employees who can use information technology to
achieve their personal goals that could be harmful to an organization. This is
not bad in itself, but the way in which human beings use the tools provided by
information technology has raised serious challenges.