
1.1 Security in computing

More and more we have become dependent on information systems. Many aspects of our daily life are at some point influenced by computers. Energy supplies, transport, business and recreation are all domains where information systems are commonly used to provide services that people rely upon. There are therefore a great many reasons why both individuals and organizations need to keep information, and access to information systems, secure. Secure systems protect staff, business assets, information, business reputation and income. An organization might be held liable in court if one of its computers was used as a relay system to break into another computer system. Security breaches have an impact on the reputation of an organization. If a company loses its reputation, it loses customers and turnover, and consequently its profits will decrease.

Threats to the safety of systems and the confidentiality of information can originate from different sources, ranging from organized crime to teenagers hacking into computer systems for fun. The motives can vary as well -- to demonstrate skills, to make money -- and the damage done may be intentional or accidental.

Insurance companies, banks and other financial institutions, for instance, are obvious targets for criminals and crooks. Some criminals may try to get in through the front door; some may use more sophisticated ways and, in doing so, will use their knowledge of technology to remain undetected or unidentified. There are many ways to get unauthorized access to data or assets, and not only by technological means. Social engineering is a very popular way of finding passwords and confidential information.

But why is it that computers are so susceptible?

In recent years computer systems have become increasingly powerful and cheaper at the same time [1.1]. This undoubtedly contributed to the popularity of personal computers during the eighties and certainly the nineties, which in turn brought about increasing computer literacy amongst the general public.

Whereas in the sixties and seventies the management agenda was primarily focused on technology, nowadays the stress is on flexibility and the communication of information. Computers are highly accessible, mainly because of networks: insecure leased lines, dial-up facilities, interception of mobile communications, terminals that can pretend to be other terminals. It is difficult to trace the origin of an attack and to find out what the attacker is doing on your system, especially once they have managed to get access. It is extremely difficult to improve security once you have a hacker inside, and moreover, a lot of damage may already have been done. Compression techniques are widely available and storage media are cheap, making information on computer media highly portable.

User friendliness amplifies the effects of computer literacy. User-friendly systems make it easier to use a computer, and the target system itself may give away a certain amount of information about how to get in. It is not exceptional to see welcome screens telling a user which commands to use to enter the system.

Certain specialized and highly skilled people have access to vulnerable parts of information systems, and sometimes the temptation is there. The greater the temptation, the more likely it is that people will succumb to it, especially when the chance of being caught is minimal. Programmers could place logic bombs that are extremely difficult to discover. Tendencies in program development practices, such as poor documentation of program code, make the job of finding malicious code even more difficult. Furthermore, it is an almost impossible task to test, verify and validate large computer programs entirely, especially when changes have to be made on live systems. You can only be relatively sure of the parts that you tested and of the conditions that you tested for.

Finally, there exists something like the "Robin Hood syndrome": the impersonal nature of computers makes people take the view that they are taking money from a machine, not from other people -- "it is not really stealing".

In order to set up a decent security system, it is therefore important to determine the threats. Protecting computing resources is part of an overall ICT [1.2] security concern, whose main aims are to protect the staff, secure an organization's assets, protect its customers and prevent loss through crime. The underlying idea of setting up a security system is that you cannot stop crime. What you can do is make it more difficult, try to foresee the possible loss and consequently try to minimize the risk of crime.



Footnotes

[1.1] ... time
It is, however, debatable whether there exists a Grosch's law effect, which says that the price per unit of "capacity" decreases as the capacity of the systems increases (i.e. increasing returns to scale). In markets that show constant returns to scale, the evolution of prices over time may give the impression of economies of scale, making Grosch's law a statistical illusion. Moreover, it is important to define what is understood by capacity in this context. Grosch's law (and Moore's law) are of importance, for example, when the strength of encryption is the subject of discussion. [DED97]
[1.2] ... ICT
Information and Communication Technology.

(c) 1998, Filip Schepers