What can an organization do to protect itself

Reference no: EM131816841

Semantic Security

Security is a very difficult problem, and the risks grow larger every year. Not only do we have cheaper, faster computers (remember Moore's Law); we also have more data, more systems for reporting and querying that data, and easier, faster, and broader communication. All of these combine to increase the chances that we inadvertently divulge private or proprietary information.

Physical security is hard enough: How do we know that the person (or program) who signs on as Megan Cho really is Megan Cho? We use passwords, but files of passwords can be stolen. Setting that issue aside, we need to know that Megan Cho's permissions are set appropriately. Suppose Megan works in the HR department, so she has access to personal and private data of other employees.

We need to design the reporting system so that Megan can access all of the data she needs to do her job, and no more. Also, the delivery system must be secure. An application server is an obvious and juicy target for any would-be intruder. Someone can break in and change access permissions. Or, a hacker could pose as someone else to obtain reports. Application servers help the authorized user, resulting in faster access to more information. But without proper security, reporting servers also ease the intrusion task for unauthorized users.

All of these issues relate to physical security. Another dimension to security is equally serious and far more problematic: semantic security. Semantic security concerns the unintended release of protected information through the release of a combination of reports or documents that are independently not protected. Take an example from class. Suppose I assign a group project, and I post a list of groups and the names of students assigned to each group.

Later, after the assignments have been completed and graded, I post a list of grades on the Web site. Because of university privacy policy, I cannot post the grades by student name or identifier; so instead, I post the grades for each group. If you want to get the grades for each student, all you have to do is combine the list from Lecture 5 with the list from Lecture 10. You might say that the release of grades in this example does no real harm; after all, it is a list of grades from one assignment. But go back to Megan Cho in HR. Suppose Megan evaluates the employee compensation program. The COO believes salary offers have been inconsistent over time and that they vary too widely by department. Accordingly, the COO authorizes Megan to receive a report that lists SalaryOfferAmount and OfferDate and a second report that lists Department and AverageSalary.

Those reports are relevant to her task and seem innocuous enough. But Megan realizes that she could use the information they contain to determine individual salaries, information she does not have and is not authorized to receive. She proceeds as follows. Like all employees, Megan has access to the employee directory on the Web portal. Using the directory, she can obtain a list of employees in each department, and using the facilities of her ever-so-helpful report-authoring system she combines that list with the department and average-salary report.

Now she has a list of the names of employees in a group and the average salary for that group. Megan's employer likes to welcome new employees to the company. Accordingly, each week the company publishes an article about new employees who have been hired. The article makes pleasant comments about each person and encourages employees to meet and greet them. Megan, however, has other ideas.

Because the report is published on the Web portal, she can obtain an electronic copy of it. It's an Acrobat report, and using Acrobat's handy Search feature, she soon has a list of employees and the week they were hired. She now examines the report she received for her study, the one that has SalaryOfferAmount and the offer date, and she does some interpretation. During the week of July 21, three offers were extended: one for $35,000, one for $53,000, and one for $110,000.

She also notices from the "New Employees" report that a director of marketing programs, a product test engineer, and a receptionist were hired that same week. It's unlikely that they paid the receptionist $110,000; that sounds more like the director of marketing programs. So, she now "knows" (infers) that person's salary. Next, going back to the department report and using the employee directory, she sees that the marketing director is in the marketing programs department.

There are just three people in that department, and their average salary is $105,000. Doing the arithmetic, she now knows that the average salary for the other two people is $102,500. If she can find the hire week for one of those other two people, she can find out both the second and third person's salaries. You get the idea. Megan was given just two reports to do her job. Yet she combined the information in those reports with publicly available information and is able to deduce salaries for at least some employees. These salaries are much more than she is supposed to know. This is a semantic security problem.
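As an added illustration, not part of the case study itself, the following Python sketches the kind of disclosure-control check a report owner can run before releasing aggregates: it recomputes the residual average once some members of a group are already attributable (the arithmetic Megan does), and it flags aggregates or offer weeks that cover too few unknown people. The department figures, offer amounts, and the minimum group size of 5 are constructed assumptions that mirror the case.

```python
# Constructed sample data mirroring the case above; not real company data.
DEPARTMENT_REPORT = {             # Department -> (headcount, AverageSalary)
    "Marketing Programs": (3, 105_000),
    "Product Test": (14, 82_000),
}
# SalaryOfferAmount values from the offer report, grouped by OfferDate week.
OFFERS_BY_WEEK = {
    "week of Jul 21": [35_000, 53_000, 110_000],
    "week of Jul 28": [61_000, 64_000, 70_000, 58_000, 72_000, 66_000],
}
# Salaries already attributable to a named person through other releases
# (in the case, the $110,000 offer matched to the new marketing director).
KNOWN_SALARIES = {"Marketing Programs": [110_000]}

MIN_GROUP = 5  # assumed policy: an aggregate must cover at least 5 unknown people


def residual_average(headcount, average, known):
    """Average salary of the members whose salary is NOT yet known.

    This is the arithmetic the case describes; a reviewer runs it to see
    how far an aggregate narrows once some members are pinned down.
    """
    remaining = headcount - len(known)
    if remaining <= 0:
        return None
    return (headcount * average - sum(known)) / remaining


def review_department_report(report, known, min_group=MIN_GROUP):
    """Per department: ('release'|'suppress', unknown members, residual average)."""
    verdicts = {}
    for dept, (n, avg) in report.items():
        pinned = known.get(dept, [])
        remaining = n - len(pinned)
        if remaining < min_group:
            # Too few unknown members: the average collapses toward individuals.
            verdicts[dept] = ("suppress", remaining, residual_average(n, avg, pinned))
        else:
            verdicts[dept] = ("release", remaining, None)
    return verdicts


def risky_offer_weeks(offers_by_week, min_group=MIN_GROUP):
    """Weeks with so few offers that amounts can be matched to the
    'New Employees' article by job title, as in the case."""
    return sorted(w for w, amts in offers_by_week.items() if len(amts) < min_group)
```

Run against the sample data, the marketing programs average is suppressed (two unknown members, residual average $102,500) and the week of Jul 21 is flagged, while the larger department and the busier week pass.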

Discussion Questions

1. In your own words, explain the difference between access security and semantic security.

2. Why do reporting systems increase the risk of semantic security problems?

3. What can an organization do to protect itself against accidental losses due to semantic security problems?

4. What legal responsibility does an organization have to protect against semantic security problems?

5. Suppose semantic security problems are inevitable. Do you see an opportunity for new products from insurance companies? If so, describe such an insurance product. If not, explain why not.
