Management Information Systems IS 300 Spring 2026 Review
Management Information Systems IS 300 Spring 2026 Information Security & Technology Guide #2
Presentation Accessibility
This presentation conforms to a UMBC PowerPoint Template for Universal Accessibility.
Material is intended solely for educational use at UMBC and is not for further distribution.
Learning Objectives
Identify factors contributing to increasing vulnerability of information resources, along with specific examples of each factor.
Compare and contrast human mistakes and social engineering, accompanied by specific examples.
Discuss types of deliberate attacks on information resources.
Describe three risk mitigation strategies.
Identify major types of controls organizations can use to protect their information resources.
Discuss major software issues confronting modern organizations.
Describe the general functions of operating systems.
Identify major types of application software.
Human Errors
Social Engineering: Perpetrator uses social skills to manipulate legitimate employees into providing confidential company information (e.g., passwords).
Common Example: Attacker impersonating a company manager or information system employee over the phone.
Tailgating: Technique where the perpetrator follows a legitimate employee into restricted areas by asking them to hold the door after the employee gains entry.
Shoulder Surfing: Watching an employee's screen from behind, commonly successful in public areas (e.g., airports, trains).
The Human Factor
Personnel Risks: Employees in Human Resources and Information Systems/Technology pose the most significant risks to information security; other employees might be overlooked.
Definitions: Information Security
Security: Degree of protection against criminal activity, danger, damage, or loss.
Information Security: Processes and policies to protect organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.
Threat: Any danger that can compromise an information system.
Exposure: Harm, loss, or damage that can result if a threat compromises an information resource.
Vulnerability: The possibility that the system will be harmed by a threat.
Cybercrime: Illegal activities conducted over computer networks, particularly the Internet.
Five Key Factors Increasing Vulnerability
Increasing interconnectedness in the business environment.
Smaller, faster, cheaper computers/storages.
Decreasing skills required for computer hacking.
Rise of international organized crime in cybercrime.
Lack of management support for security measures.
Threat Classification
Threats to information systems are categorized as:
Unintentional Threats
Deliberate (Intentional) Threats
Key Points About Threats
Computing resources located in various locations.
Multiple individuals control or access information assets.
Computer networks often reside outside the organization, complicating protection.
Rapid technological changes lead to obsolescence of controls.
Many computer crimes go undetected, challenging organizational learning.
Employees often violate security procedures due to inconvenience.
Minimal computer knowledge required for committing crimes.
High costs of preventing hazards deter organizations from comprehensive protection.
Difficulties in conducting cost-benefit justifications for controls pre-attack.
Deliberate Threats to Information Systems
Espionage or Trespass: Unauthorized access attempts to organizational information.
Information Extortion: Threatening to steal or demanding payment to not disclose stolen information.
Sabotage and Vandalism: Deliberate acts damaging organizational image and customer trust.
Theft of Equipment or Information: Smaller, powerful devices are easier to steal; includes practices like dumpster diving.
Identity Theft: Assuming another's identity for financial access or framing purposes.
Compromises to Intellectual Property: Engaging threats against trade secrets, patents, trademarks, copyrights.
Specific Deliberate Threats
SCADA Attacks: Involves large distributed systems controlling essential services like oil refineries and power plants.
Cyberterrorism and Cyberwarfare: Malicious acts causing real-world harm or disruptions for political agendas.
Software Attacks Requiring User Action
Viruses: Programs that attach to other programs with or without user permission.
Worms: Malicious code segments that replicate by themselves.
Trojan Horses: Software that disguises malicious features as benign until activated.
Key Loggers: Record keystrokes for data theft (e.g., passwords).
Back Door: A secret password allowing unauthorized access without security procedures.
Fileless: Malevolent code executed directly in RAM.
Software Attacks Explained
Spear Phishing: Targeted phishing aimed at individuals.
Ransomware: Blocks access to systems until payment is made.
Logic Bomb: Code embedded to activate destructive actions at a specific time.
Phishing: Deceptive tactics to acquire sensitive information through false communications.
Whaling Attack: Phishing targeting high-level executives for stealing sensitive information.
Alien Software
Alien Software: Software installed through dishonest means.
Adware: Causes unsolicited advertisements to appear.
Spyware: Collects personal data without consent, including keystroke loggers and screen scrapers.
Spamware: Launches unsolicited advertising through user’s computer.
Cookies: Data stored by websites for tracking purposes.
Complexity of Software
Increased software complexity leads to a higher potential for bugs.
Managing software defects, licensing, updates, and open-source concerns.
DevOps: Extension of agile methods facilitating development and operations.
Application Software: Programs providing specific functionality (e.g., word processing).
Systems Software: Intermediary instructions between hardware and application programs (operating systems).
Open Source Software
Definition: Software with available code for free use and modification, managed by a community.
Advantages: High quality, community-driven maintenance, flexibility.
Disadvantages: Potential security vulnerabilities and supply chain attacks.
Information Security Controls
Access Controls: Restrict unauthorized individuals from accessing information resources.
Major Functions:
Authentication: Confirming identity using various methods (biometrics, ID cards, etc.).
Authorization: Determining privileges granted to authenticated individuals.
Audit Trails & Procedures
Audit Trail: Documented sequence of actions for transaction verification.
Categories of Auditing Procedures:
Auditing Around the Computer: Verifying known outputs against specific inputs.
Auditing Through the Computer: Checking inputs/outputs and reviewing program logic.
Auditing With the Computer: Using a combination of client and auditor tools for data simulation.
Communication / Network Controls
Firewall: Blocks unauthorized access, often integrated into routers or standalone hardware.
Whitelisting: Allows only pre-approved software to run on systems.
Blacklist: Prevents designated software from running within an environment.
DMZ (Demilitarized Zone): Network segment that separates trusted internal networks from untrusted external networks.
Transport Layer Security (TLS): Provides encryption for secure transactions.
Anti-Malware Systems: Software identifying and eliminating malevolent software.
Intrusion Detection Systems (IDS): Monitor and respond to unauthorized access attempts.
Business Continuity Planning
Business Continuity: Protection and recovery processes aligned for continuous operations post-disaster.
Business Continuity Plan: Guidelines to maintain operations after disruptions.
Hot Sites: Fully equipped facilities with all services and resources (most expensive).
Warm Sites: Services and infrastructure without complete applications.
Cold Sites: Basic facilities with no computing hardware (least expensive).
Virtual Private Network (VPN)
Definition: Private networks using public infrastructure for encrypted data transmission.
Types of VPN Connections:
Remote Access: Via VPN client.
Site-to-Site: Between intranets and extranets.
How Encryption Works
Encryption Programs: Scramble transmitted data into ciphertext from plaintext.
Primary Methods:
Symmetric Encryption: Shared key system among sender and receiver (128 bits or greater).
Public or Asymmetric Encryption: Involves a public key and a private key (exchanged via Public Key Infrastructure).
Example Flow: Digital Certificates
Digital certificates provide authentication through these elements:
Serial Number
Issuer Name
Validity Dates
Subject Public Key
CA Signature
Types of Information Systems
Functional Area Information System (FAIS): Collection of application programs within a specific department.
Enterprise Resource Planning (ERP): Tightly integrates FAISs via common databases.
Information Systems, Business Processes, and IT Responses
Business Processes: Activities generating value through inputs, resources, and outputs evaluated by efficiency and effectiveness.
Robotic Process Automation (RPA): Automates tasks traditionally performed by employees.
Business Pressures and IT Support
Labor cost disparities encourage relocation to low-cost regions.
Societal pressure highlighted by the digital divide.
Porter's Value Chain Model: Framework for analyzing business activities.
Competitive Advantage Strategies
Cost Leadership: Produce at the lowest industry cost.
Differentiation: Offer unique products/services.
Innovation: Introduce new solutions or features.
Operational Effectiveness: Enhance internal processes effectiveness.
Customer Orientation: Focus on enhancing customer satisfaction.
Ethics in Information Technology
Ethics: Principles of right and wrong guiding actions.
Frameworks: Five widely used ethical standards to resolve organizational conflicts.
Privacy: Right to control personal information, protected under various amendments.
Ethical Considerations
Responsibility: Accept consequences for decisions.
Accountability: Determine responsibility for actions.
Liability: Legal right to recover damages.
Summary of Ethics & Privacy Concerns
Ethics guide behavior within organizations.
Privacy issues encompass data collection, accuracy, property, and accessibility.
Threats include electronic surveillance and personal data infringement.
Importance of privacy policies in mitigating legal issues around data handling.
Chapter 1: Case on Social Engineering
Social Engineering: Manipulative tactics used to trick individuals into revealing confidential information.
Digital Transformation: The process of using digital technologies to fundamentally change how operations and services are delivered.
Evolution of the IS Function:
Traditional: Focused on maintaining IT systems and providing technical support.
Consultative: Engages with business strategy, emphasizing strategic alignment with organizational goals.
Data vs. Information vs. Knowledge:
Data: Raw facts and figures without context (e.g., numbers, dates).
Information: Data that has been processed and organized to make it meaningful (e.g., sales reports).
Knowledge: Insights and understanding derived from information, allowing for decision-making (e.g., business strategies based on sales trends).
Types of Information Systems within the Organization:
Functional Area Information System (FAIS)
Enterprise Resource Planning (ERP)
Management Information Systems (MIS)
Decision Support Systems (DSS)
Executive Information Systems (EIS)
Chapter 2: BPI, BPR, BPM
BPI (Business Process Improvement): A methodology for improving existing processes.
BPR (Business Process Reengineering): A radical rethinking of business processes to achieve dramatic improvements.
BPM (Business Process Management): A systematic approach to managing and improving business processes.
Phases of BPI (Correct Order): 1. Identify processes needing improvement 2. Analyze the current process 3. Design the improved process 4. Implement changes 5. Monitor results.
Market Pressures: Competitive forces requiring businesses to adapt (e.g., cost pressures).
Technology Pressures: Rapid advancements that create new obsolescence risks and opportunities.
Societal, Political, and Legal Pressures: Changes in policies, regulations, and social expectations influencing business practices.
Globalization: The process of increasing economic integration and interdependence among countries.
Porter's Competitive Forces Model - Entry Barriers:
High capital requirements
Strong brand loyalty
Government regulations
Strategies companies use in Porter's Competitive Forces Model:
Cost Leadership: Offering products at the lowest cost.
Differentiation: Offering unique product features to stand out.
Focus Strategy: Targeting a specific market segment.
Organizational Strategy, Competitive Advantage, Ethics & Privacy
Porter's Value Chain Model: An analytical framework for identifying business operations contributing to competitive advantage.
Key Activities: Inbound logistics, operations, outbound logistics, marketing and sales, and service.
Chapter 3: Ethical Frameworks
Five Widely Used Ethical Standards:
Utilitarian Approach: Focus on outcomes and maximizing overall happiness.
Rights-Based Approach: Ensuring fundamental rights are respected.
Fairness or Justice Approach: Ensuring equal treatment or justice.
Common Good Approach: Emphasizing community and the public good.
Virtue Ethics: Focus on developing moral character.
Privacy, Accuracy, Property, Accessibility Issues:
Privacy Issues: Concerns with data collection and consent.
Accuracy Issues: Importance of maintaining accurate and up-to-date information.
Property Issues: Ownership rights regarding data.
Accessibility Issues: Ensuring information is usable and available to those who need it.
Conflict Between Free Speech and Privacy: Identifying how the Internet can facilitate free expression but potentially compromise personal privacy.
Chapter 4 & Technology Guide #2
** Social Engineering**: Techniques used to deceive individuals for sensitive information.
Human Errors: Mistakes leading to security vulnerabilities (e.g., phishing).
Supply Chain Attacks: Targeting weaknesses in an organization’s supply chain.
Five Key Factors Increasing Vulnerability of Systems:
Increasing interconnectedness.
Smaller, cheaper computing devices.
Decreased skills needed for hacking.
Rise of organized cybercrime.
Lack of management support for security.
Information Security Controls:
Authentication: Verifying user identity.
Authorization: Determining user privileges.
Deliberate Threats to Information Systems:
Espionage, extortion, sabotage, identity theft, and intellectual property compromises.
Software Attacks Requiring User Action:
Viruses, worms, Trojan horses, key loggers, and ransomware.
Trusted Networks vs. Untrusted Networks: Trusted networks are internal while untrusted networks are external to the organization.
Access Control Functions: Authentication and authorization are crucial in securing systems.
Firewalls: Monitor and control incoming and outgoing network traffic.
VPNs: Create secure connections over public infrastructure.
Risk Management
Goal: Protecting organizational assets while managing risks.
Three Major Processes: 1. Risk Identification 2. Risk Assessment 3. Risk Mitigation.
Open Source Software**
Software available for use and modification by anyone. High-quality and flexible but may have vulnerabilities.
Application Software vs. Systems Software: Application software performs tasks (e.g., word processors), while systems software manages hardware-resource communication (e.g., operating systems).
DevOps: Combines development and operations to improve product delivery speed.
Final Review Tips
Focus on understanding concepts rather than memorization.
Create visual aids or mind maps for complex ideas.
Review real-world examples to illustrate theoretical concepts.