Feeling Insecure? System Design and Security

One of the steps in information system development involves system security. There are many points to consider when planning for the security of a system. One of the things to consider is the type of organization. While it is prudent to give the customers of a company the highest possible security when it comes to their personal information, the truth is that some information doesn't warrant the highest security available. As we look at a business plan, we can determine cost of security implementation vs. the risk. A balance has to be reached between the value of the information to the organization on the one hand and the cost of the personnel, administrative and technological security measures on the other hand. The security measures put in place need to be less expensive than the potential damage caused by the loss of confidentiality, integrity and availability of the information." (EDP Audit Committee International Organisation of Supreme Audit Institutions October 1995.) It's obvious that a small private owned pet store will require less security than a large financial investment brokerage firm.

The information stored on the system will determine how aggressive and how often the system will be attacked. Financial and personal information that can be used to commit fraud is highly sought after by crackers who can sell the information or make use of it for their own gain.

Another consideration is the popularity of the organization. Microsoft is despised by many as being a greedy, corporate giant that destroys competitors in an attempt to create something close to a monopoly. This reputation has caused the cracker community to attack Microsoft systems regularly, exposing the flaws in the software and turning many towards other, safer alternatives. This has cost the organization product sales revenue, as well as large amounts of money invested in security updates and patches developed and released to fix the weaknesses.

When working with a company manager in the analysis and design of an information system, often times it is all about the profit, or the "bottom line". It may be difficult at times to see a return on the investment into security, but the results of inadequate security can be disastrous and cost much more than the initial investment into adequate security.