testimonial avatar

I was very pleased with my thesis and the way it was written. Person who worked on it did an outstanding job, so from now, if I will need anything to be written, I will use only your services.

read all

Sample Paper on Information Security


Information in any organization is the most important asset after the human resources. Risk and security management is data centric. Efforts of protecting networks and systems are all aimed at achieving three outcomes, and they include integrity, data availability, and confidentiality. It should be noted that infrastructure security controls are not 100 percent effective.  “In a layered security model, it is often necessary to implement one final prevention control wrapped around sensitive information: encryption” (Balkin & Zarsky, 2006). Arguably, encryption should not be considered as a security panacea, as it cannot solve all data- centric issues of security. However, it is a one control among the many others.  Cryptography is a science which applies logic and mathematics to design encryptions methods that are strong. Concerns for information security and confidentiality in a university IT environment were expressed as early as 1975 (Kerievsky, 1976). Colleges and universities have been a target for cyber-attacks for two main reasons: first, because of the vast amount of computing power they possess, and second, because of the open access they provide to their constituents and to the public. As the IT industry changes so are the opportunities for risks. Although encryption has obvious benefits in, for example, cloud storage, the way that it is sometimes deployed in these services is questionable.

Cybercrimes are multifaceted and vary from negligent to disgruntled insiders to external hacking.  The 2013 Verizon Security Consultants recently gave an insight report on the risk areas in America.  From the samples of 620 breaches, the external attackers were responsible for the majority of data breaches.  92% of data breach is as a result of the external agents.  14% implicate, while insiders with business partners are responsible for 1% of the data breaches.  In terms of the methods of the attack, 92% used a malware or a hacking form, while 29% leveraged on social tactics (Brenner, 2007).  One can locate the immediate inception of cyber attack elsewhere in the USA, in a foreign nation, in the local area or cyberspace.  For an instance, Al Qaeda could be planning its attacks somewhere in Europe while obtaining financial and logistical support from Eastern Asia or Northern Africa.  The same group could do reconnaissance in their targeted USA
city while recruiting and training operatives in Yemen.  In a bid to beat intelligence, they could be doing so while sending their progressive reports to yet a different location probably in West Africa. In order to identify this kind of worldwide distributed network of threat there is an ardent need for collaborative information from evaluators located in regions that terrorists seek to strike, operate or plan.  If this is done then the information gathered by homeland police who patrol neighborhoods in the USA communities can be incorporated into the picture of global events obtained by federal agencies and then use an intelligence statement that is not sensational to warn the public of any impending strikes (Harding, 2014).

On the other hand, attacks overlap with cyber terrorism, but this depends on the context.  When talking about cyber terrorism and cyber attacks, one of the major underlying issues is the correct differentiation between the two terms.  In most cases, the two terms are interchangeably used, and this brings a lot of confusions to those not familiar with the context.  If an individual observes a specific case and its context, then the confusion might be exacerbated further by the application of similar terms such as cyber warfare.  It is not very easy to make distinctions between attacks on computer networks done by terrorists from hackers ’cyber crimes. This happens because attackers try to exploit the weak spots within the system regardless of the essence of real motives.  This notwithstanding, however, there are trends that can help in making the difference between the two acts.  In most cases, for instance, computer terrorist network attack has focused on email bombing and website defacement (Schiller, 2010).

This paper will use Claflin University as an example to illustrate the above assertions.Currently; Claflin University doesn’t have a comprehensive IT security risk management policy or guidelines that will guide the business process in the event of an IT security threat.

The policies that will be developed through this project will provide a roadmap for effectively protecting the availability, integrity and confidentiality of Claflin University’s Information Systems. A comprehensive information security policy can effectively address the risks to information systems and provide a foundation for mitigating security concerns and incidents. As Claflin expands it’s teaching and learning through online courses, it is more susceptible to security risks. The policies that will be developed through this project will protect Claflin’s information security assets and will help continue the business process.


In this case, the research will identify the various risks on the university’s IT system. It should be noted that risks tend to occur in the IT system when vulnerabilities such as weaknesses or flaws in the IT system are exploited by treats such as environmental, human and natural factors. Accordingly, the process of identifying risks will consist of three components, and this will include:

  • Identifying  the vulnerabilities in the  IT systems and their  environments
  • Identifying  credible threats  which  can  affect IT systems
  • Pairing of the vulnerabilities with  threats so as to identify  risks  that are exposed to the IT system
  • Identification of Vulnerabilities

In this case, the first component of identification of risks is by identifying vulnerabilities in the IT system and its surrounding environments. There are various frameworks and methodologies of determining the vulnerabilities of the IT system. The methodology will be selected on the basis of the IT system phase in its life cycle as follows:

  • Project Initiation Phase – in this case, the  vulnerabilities  will focus on the  organization of the   information technology  security policies, the vendor’s security products analysis, IT requirement definition and planned procedures
  • Project Definition Phase – in this phase, identification of the vulnerabilities will be expanded in order to include specific information. The assessment of the planned information technology features will be described in the system and security design system documentation.
  • Implementation Phase –  in this case, the  identification of vulnerabilities will include  the analysis of technical  and security features, as well as the  procedural  security control  that is  used in protecting the  system. The evaluations will include activities such execution of security self-assessments, affective of applications of automated vulnerabilities/ assessment/scanning tools and conducting third party penetration tools. It should be noted that the mixture of the above components will be used in getting a more comprehensible vulnerabilities list.

Determination of risk likelihood

The main goal of this step is to assign the likelihood rating of low, moderate and high to each and every risk that has been identified in the table above.  It should be noted that the rating is a judgment which is subjective and it is based on the likelihood that vulnerability may be exploited by credible threats.  The factors to be considered include: Threat-source capability and motivation, in case of threat by human beings.

Cyber-crimes are multifaceted and vary from negligent to disgruntled insiders to external hacking. The Verizon Security Consultants 2013 recently gave an insight report on the areas of risks in America. From the samples of 620 breaches, the external attackers were responsible for the majority of data breaches with 92% being attributed to the external agents. 14% implicated insiders with business partners being responsible for 1% of the data breaches.

In terms of the methods of the attack, 92% used some malware or hacking form, while 29% leveraged on social tactics. 75 percent of all the data breaches took more than one month to be discovered while 96% of the initial attacks were not difficult to execute. On the other hand,  the past few decades have seen  attackers  from “maladjusted teenagers intent on vandalizing websites or disrupting networks to individuals and groups motivated by commercial gain and state-sponsored groups seeking to steal intellectual property and/or to disrupt infrastructure of rivals or enemies” (Halder,  & Jaishankar, (2011).

Part B. Security summaries

Malicious code

This type of cyber threat is broad and consists of several threats to cyber-security. The malicious code is any softwere, firmware, hardware that is intentionally inserted or included in a system for harmful purposes. The malicious code is commonly known as malware and it includes worms, computer viruses, key loggers, Trojan horses, Rootkits, BOTs as well as any exploits of any software security. The malicious code also includes spyware. Spyware is a deceptive program which is installed without any authorization to monitor the activities of the consumers without their knowledge (Wright, Joe, and  Harmening , 2009). Notably, it can be used in sending unwanted popupads to users, in monitoring the habits of online users as well as usurping control of Internet browser users. It should, however, be noted that spyware is normally installed alongside with something users want to be installed. Users acknowledge the installation of the spyware but don’t consent the monitoring tactics of the device.

Risk identification identifies credible risks threats to the information technology systems and its environment. It should be noted that a threat will only be considered to be credible if it has the ability of exploiting identified vulnerabilities. The table below contains are some of the examples of threats. Accordingly agencies need to consult the various sources of threats information, and this includes NIST SP 800-30.   This is aimed in identifying all credible threats in the information technology system, but not creating universal lists of general threats. It should be noted that the  physical  deterrents such as  biometric devices,  card access keys an locks may be  used  to prevent criminal gangs from  gaining  physical accesses  of computer network systems. The use of strong password both for computer’s BIOS and computer system can be effective measures of fighting cyber criminals with accessing physically a computer machine.

Network attacks

An attack on network is any action that is taken to deny, disrupt, destroy or degrade information residing in computer networks and on a computer. The attack can be of four forms, and these include interception, fabrication, modification and interruption. Fabrication is the creation of some kind of deceptions so as to deceive unsuspecting users. On the other hand, interception entails the intrusion of transmission and redirecting it for unauthorized uses.  Attacks can either be passive or active. Active attacks entail the modification of transmissions to a system. On the other hand, passive attacks involve the monitoring of the attacks. The two forms can both used in obtaining information of the users, which can be used in stealing the identity of the user. The common types of network attack include Distributed Denial of Services, Denial of Services, packet sniffing, ICMP Flood, TCP SYN Flood, and IP spoofing. The Cryptography technique can be used in fighting cybercrime. In this case  information  is encrypted  using the  algorithm  known as  cipher to  mask the information  that is on transit  or in storage. For instance, tunneling  can take a payload protocol  like Internet Protocol (IP) and then  encapsulate  it in the  encrypted  protocol over Secure Sockets Layer,  Virtual Private Network , Layer 2 Tunneling Protocol, Transport Layer Security, Internet Protocol Security or Point-to-Point Tunneling Protocol  in order to ensure that there is a secure date transmission. It should, however, be noted that  encryption can be  used  on the  file level by  employing  protocols such as Triple DES, Data Encryption Standard, and Advanced Encryption Standard so as to ensure  the storage information is secure. Moreover, the  network  testing  vulnerability performed by  automated programs  or technicians  can be employed  to test  on a  full scale devices, passwords and systems used  in networks  to assess the  extent of their security. Additionally, the network tools of monitoring can be employed in detecting of suspicious traffic or intrusions on both small and large networks.

Network abuse

Generally, these are fraudelant activities which are commited with aid of computers. One of the most common forms of this abuse is SPAM.   In this case, a person emails a list of users with phishing attacks or unsolicited advertisements. In this case, an individual attempts to use social engineering to get sensitive information which can be used in identity theft, passwords, usernames etc. In pharming, the traffic of a website is redirected to a bogus website, and this is mainly done by exploiting the vulnerability of Domain Name System servers (Balkin et al, 2006). In order to focus on the efforts of risk management, one should be comprehensive when developing the lists of the risks to the information technology system. Moreover, the list should be limited to the pairs of credible threats and actual vulnerabilities. For instance, “Oracle 9i will stop responding when sent a counterfeit packet larger than 50,000 bytes” (Brenner, 2007). It should be noted that the above flaw contains vulnerability. A computer criminal or a malicious use might be tempted to exploit the above vulnerability in order to stop the information technology from functioning. Accordingly, this will constitute a treat. The vulnerability threats combine in creating a risk in that an information technology system becomes unavailable. Notably, “If an IT system running Oracle 9i is not connected to a network, however, such as the certificate authority for a Public Key Infrastructure system, then there is no credible threat, and so no vulnerability-threat pair to create a risk” (Brenner, 2007). The threats of cyber security have become more complex in the modern world; hence companies must first understand them.  The key areas of cyber security investments and levels of acceptable risks need to be taken into considerations.  Companies must prepare for successful cyber attacks, and should ensure that they have enough resources and skills to identify and isolate the problems, determine the investigation levels and maintain the normal functioning of the business. Notably, the security measures will make companies to be more resilient and not restricted to core businesses.


Neural networks are used to prevent organizational frauds through data mining. This is achieved by tracking inconsistencies in transaction activities for payment transactions for online consumer businesses, or by banking institutions. The modern technology is expanding daily in every part of the world. This has improved the communication systems which has benefited many especially the business entrepreneurs. With the many advantages of the modern technology, fraud has dramatically increased. As a result many businesses have lost billions of dollars mysteriously. Prevention technologies have been established as the best way to tackle fraud but fraudsters have with time found their way through. Some of the fraud activities most fraudsters have indulged in are money laundering, e-commerce credit card scam, telecommunication frauds well as computer intrusion (Neumann, 2003, 87).

The neural network is an information processing model controlled by the way the nervous system such as the brain receive and synthesize information. The important elements to the artificial neural network are the neurons. They are highly interconnected processing elements that work together to tackle a similar problem. The development of the neural networks was before the advent of the computers. They have been useful since they are able to extract patterns as well as trends that are difficult to be noticed by humans.

Today, neural networks have been largely put in use to prevent fraud in the banking industry. During payment of salaries in the banks fraud has evolved constantly. The fraudsters are always on the lookout for any loopholes in the payment system so as to take advantage. They seek to maximize on the results of their activities. Those who offer payment services, issuers, banks as well as merchants have adopted neural networks as the main tool to prevent fraud. Fraud detection is a process that is done in the banks that enables the separation of transactions that are vulnerable to fraud and those not. The patterns in the data are used to do this. The Bayesian models together with the neural networks are used in different ways for fraud detection (Bermúdez et al, 2005).

Data mining techniques

Data mining techniques have been widely put in used to prevent and detect financial frauds. The implementation of the techniques to detect fraud has to follow the traditional information. This is the flow of data mining; which starts with selection of feature selection, representation, data collection and management, pre – processing, data mining, post-processing, and finally performance evaluation. Data mining techniques succeed in detecting fraud because they use past circumstances of fraud to form models to be used to detect the jeopardy of fraud (Moore, 2005).

Financial statement fraud is one of the main financial frauds that are rampant worldwide and it has caused big companies to collapse due to financial losses. This has left a bad picture on the efficiency of corporate governance as well as the quality and credibility of financial reports. This fraud of financial statement fraud is a serious issue in the businesses globally (Abidogum, 2005).A neural network that detects fraud is an essential application of Data Mining. Both researchers’ and practitioners have accepted that the analytical procedures, data mining techniques along with traditional reviewing procedures are necessary to prevent and detect financial statement fraud. The probability of the occurrences of threats based on the  previous experiences or statistical data  in the case of environmental and natural threats It  should be noted that  other factors  can also be used in estimating  the likelihood.  Notably, these may include historical records and information for security organizations like US-CERT.

In modern world market, more and more organizations and government departments are increasingly linking their operational process to cyber infrastructures. As a result, an effective security cyber system is important to the institutional and organization’s ability to protect their assets which may include intellectual property, reputation, customers and staff. Most organizations believe that by investing in a sophisticated technical solutions means that they are well protected from cyber attacks.

Organizations need to address the challenges of cyber threats in the world today. In this case, business and government leaders should ensure that they have an integrated approach to security of their cyber. The cyber securities need to be tailored to a particular risk and business profile that does not only address the technical aspects of their profile, but also organizational elements and people.

List of references

Andress, Jason. Winterfeld, Steve.,2011, Cyber Warfare: Techniques, Tactics and Tools for Security Practitioners. London: Syngress

Abidogum, O.,2005.“Data mining, fraud detection and mobiletelecommunications: Call pattern analysis with unsupervised neural networks”.PhD thesis, University of the Western Cape, Cape Town, South Africa.

Brenner, S. (2009). Cyber Threats: The Emerging Fault Lines of the Nation State. Oxford University Press

Bermúdez, L.; Pérez, J.; Ayuso, M.; Gómez, E.; Vázquez, F. A.,2007. Bayesian dichotomous model with asymmetric link for fraud in insurance. Insurance: Mathematics and Economics, vol. 42 (2): 779-786.

Balkin, J., & Zarsky, T., 2006. Cybercrime: Digital Cops in a Networked Environment, New York University Press, New York.

Brenner, S., 2007. Law in an Era of Smart Technology, Oxford: Oxford University Press Grabosky, P. (2006) Electronic Crime, New Jersey: Prentice Hall

Cashell, B., Jackson, W. D., Jickling, M., & Webel, B. ,2004. The Economic Impact of Cyber-Attacks. Congressional Research Service, Government and Finance Division. Washington DC: The Library of Congress.

Halder, D., & Jaishankar, K., 2011. Cyber crime and the Victimization of Women: Laws, Rights, and Regulations. Hershey, PA, USA: IGI Global aishankar, K., 2011. Cyber Criminology: Exploring Internet Crimes and Criminal behavior. Boca Raton, FL, USA: CRC Press, Taylor and Francis Group.

Luong, K., 2006, The other side of identity theft: Not just a financial concern. Proceedings of the 3rd Annual Conference on Information Security Curriculum Development. Kennesaw, GA: ACM.

Loibl, T., 2005, Identity Theft, Spyware, and the Law. Proceedings of the 2nd Annual Conference on Information Security Curriculum Development. Kennesaw, GA: ACM.

Neumann, G., 2003,  “Computer Security in Aviation,” presented at International Conference on Aviation Safety and Security in the 21st Century, White House Commission on Safety and Security

Novak, C. ,2007, Investigative response: After the breach. Computers & Security. v. 26, n. 2, p. 183.

Moore, R. (2005) “Cybercrime: Investigating High-Technology Computer Crime,” Cleveland, Mississippi: Anderson Publishing.

Mann and Sutton (1998). Netcrime: More change in the Organization of Thieving. British Journal of Criminology; 38: 201-229.

White, G., & Long, J. (2010). Global information security factors. International Journal of Information Security and Privacy (IJISP), 4(2), 49-60. doi:10.4018/jisp.2010040104

Willemssen, C., (2000). “FAA Computer Security”. GAO/T-AIMD-00-330. Presented at Committee on Science, House of Representatives

Wright, Joe; Jim Harmening (2009). Computer and Information Security Handbook. Morgan Kaufmann Publications. Elsevier Inc.

Dissertation Writing Service Order Page