What is Risk Management?
The process of finding, assessing, and controlling threats to an organisation's financial security — including identifying threats, considering how to handle them, putting controls in place, and having plans ready for when a risk materialises.
Why does Risk Management matter to organisations?
It protects finances, reputation, employees, and customers, and ensures compliance with regulatory responsibilities such as GDPR. 62% of organisations have experienced a critical risk event in the past three years.
What are the five main risk strategies?
What is Cyber Risk?
Any risk of financial loss, disruption, or reputational damage arising from failure of an organisation's IT systems — including deliberate breaches, accidental breaches, and operational IT risks from poor system integrity.
What are the three categories of Cyber Risk in practice?
1. Procedural failures (e.g. no backups, data on unencrypted laptops) 2. System failures (e.g. disasters causing data loss) 3. Cyber threats (deliberate attacks on the organisation).
What are the nine sources of cyber threats?
National governments, terrorists, industrial secret agents, rogue employees, hackers, business competitors, organisation insiders, accidents, and natural disasters.
What are the three types of cyber threat classification based on attacker resources, organisation, and funding?
What is a Logic Bomb?
A form of sabotage where malicious code is embedded in a system and triggered at a specific time or event — e.g. the 2013 South Korea attack that wiped hard drives of banks and media companies simultaneously.
What is a Backdoor attack?
A method of bypassing normal authentication to gain access to an operating system or application — e.g. the Huawei/US Government controversy.
What is a Man-in-the-Middle (MitM) attack?
An attack that intercepts and relays messages between two parties who believe they are communicating directly with each other.
What is a Denial of Service (DoS) attack?
An attack where the attacker attempts to prevent authorised users from accessing a service, typically by overwhelming the system with traffic.
What is SQL Injection?
A common web application vulnerability where a malicious actor inserts SQL code into an input field to steal or alter data in a website's database.
What is a Zero-Day Exploit?
An attack that exploits a vulnerability in a system or device that has been disclosed but not yet patched by the vendor.
What is a Virus?
Malicious software that, when executed, replicates itself by modifying other computer programs and inserting its own code.
What is a Network Worm?
Standalone malware that replicates itself to spread across computers without needing to attach to a host program.
What is a Trojan Horse?
A program that claims to perform a legitimate function (e.g. removing viruses) but instead introduces malicious code onto the system.
What is Ransomware?
Malware that prevents or limits users from accessing their system — by locking the screen or encrypting files — until a ransom is paid.
What is Spyware?
Software hidden from the user that gathers information about internet interactions, keystrokes, passwords, and other valuable data.
What is a Botnet?
A network of infected devices used to perform Distributed Denial of Service (DDoS) attacks, steal data, send spam, or allow attacker access to devices.
What is a Vulnerability in the context of cybersecurity?
A flaw in a system that can leave it open to attack — composed of three elements: a flaw in the system, the attacker's access to that flaw, and the attacker's capability to exploit it.
What are the six categories of vulnerability?
Hardware, Software, Network, Personnel, Physical site, and Organisational.
What are the three types of cyber crime perpetrators and their motivations?
1. Activists — opportunistic, seek embarrassment or curiosity. 2. Criminals — financially motivated, use sophisticated methods including blackmail. 3. Spies — state-controlled, use the most sophisticated techniques targeting IP or national infrastructure.
What is "Technical Debt" in the context of cybersecurity?
The security risk accumulated from poorly supported legacy systems, inadequate patching controls, and underinvestment in security — making it easier for attackers to exploit weaknesses.
What are the three main impacts of a successful cyber attack?
Financial loss, reputational damage, and legal consequences (e.g. GDPR fines, regulatory action).
What is the difference between direct losses and consequential losses from a security breach?
Direct losses are the immediate costs of the breach itself. Consequential losses — such as inability to deliver services, loss of customer confidence, and reputational damage — are often far larger.
What happened in the Travelex ransomware attack (2019)?
Travelex was hit by the REvil ransomware gang on 31 December 2019; 5GB+ of data was encrypted and a $6m ransom was demanded. Systems were offline for nearly two weeks, banking partners (RBS, Lloyds, Barclays) could not process travel money, and the firm eventually collapsed into administration. They paid ~$2.3m in Bitcoin and still faced ICO/GDPR disciplinary action.
What were the root causes of the TSB IT migration failure (2018)?
Testing was offline only (not in a live environment); the new platform was not ready for TSB's full customer base; supplier Sabis was unprepared; 2,000+ defects existed at go-live (board only told of 800); unrealistic time constraints; and a Big Bang rollout was used instead of a phased migration.
What were the outcomes and costs of the TSB IT failure?
£330m in compensation, fraud losses, and expenses; loss of 80,000 customers; parliamentary inquiry; fraud attacks 70 times higher than normal; and significant reputational damage.
What caused the British Airways IT outage (2017)?
A power engineer pulled the incorrect cable during routine maintenance, taking out the UPS and entire data centre power. An uncontrolled power restoration caused a surge that physically damaged servers. There was no surge protection in place, and the dual power supply fed back to the same main supply.
What were the costs and outcomes of the British Airways outage?
75,000 passengers stranded, 726 flights cancelled, £80m cost, 3% share price fall, and further IT outages in 2019 (plus a separate $230m fine for a data breach).
What are the key architectural measures for protecting against system threats?
Structured system designs, backups of all systems and data, mirroring, dual data writes, dual data centres, high availability (Active-Active configurations), defined Recovery Time Objectives (how long to recover) and Recovery Point Objectives (how much data can be lost).
What is PCI DSS?
The Payment Card Industry Data Security Standard — defines what a company must have in place to meet regulatory requirements for handling customer card payment data.
What are three key frameworks for IT security best practice?
IRM (Institute of Risk Management) for business and cyber risk; ITIL (IT Infrastructure Library) for delivering IT as a service including cyber best practices; TOGAF (The Open Group Architecture Framework) for secure architectural standards.
Why is effective information security a very high priority for organisations?
Information is increasing in value and pervasiveness; higher levels of inter-connectivity increase exposure; and the more dependent an organisation is on IT, the greater the financial implications of serious security lapses. Security decisions must be guided by cost-benefit analysis.