
Security Case Studies

Selected case studies on security challenges and solutions.

Security case studies: Selected in-depth explorations of how leading organizations have approached critical security challenges.

These case studies provide the chance to learn from your peers, whether you are creating an overall strategy or working to solve a specific tactical security problem. (Note: None of these articles were written or sponsored by product and service providers.)

Case study collection updated 10/16/2012.

Leadership and Organizational Issues

Governance, risk and compliance

Fiserv’s GRC process and software implementation (2012)

GRC is a process, not a technology. Fiserv identifies the benefits and challenges of its GRC work.

Alignment with corporate mission and profitability

Dunkin’ Brands security focuses on making dough (2010)

Aligning corporate security with corporate priorities makes everyone’s fortunes rise. A look behind the counter at Dunkin’ Donuts’ parent company.

E-discovery

NBC Universal takes e-discovery inhouse (2010)

NBC Universal saw requests for e-discovery services soar in just a few years. The company’s CISO, Jonathan Chow, knew there had to be a more efficient and cost-effective way to handle it.

Digital and Physical Security Convergence:

Constellation Energy (2005)

What does it take to make security convergence happen? One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.

Enterprise Risk Management:

All systems go at Georgetown University (2010)

ERM might seem a lofty concept, but Georgetown University provides an example of turning that concept into specific systems and projects that reduce risk.

Information Risk Management:

Harland-Clarke Rechecks Risk Management (2007)

New security program adds more systematic processes for evaluating, prioritizing and mitigating risk.

Departmental Organization:

Reinventing T-Mobile’s Security Function (2006)

T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.

Safety and Community Relations:

Boston’s Infectious Disease Research Lab (2006)

When controversy hit, Kevin Tuohey became the public face of a high-profile plan to study deadly diseases in Boston. To succeed, the security director would have to become part diplomat, part great communicator.

Security Metrics, Budgets and ROI

Cost management:

IT security on a shoestring budget (2011)

Michael Dent, CISO of Fairfax County Government in Virginia, created an enterprise-wide IT security program with a fraction of the budget he wanted.

Budgeting, Metrics and Security Value:

American Water (2006)

How American Water’s Bruce Larson uses a simple metric to build bridges with business partners and justify security spending at the same time.

Project ROI:

Digital Video Surveillance at Intel (2005)

Allen Rude, security manager at Intel, invested more than four years in an ROI study to justify the cost of digital video surveillance.

Threats and Defenses

Advanced Persistent Threats:

APT in action: The Heartland breach

Heartland Payment Systems CTO Kris Herrin talks about the attack that changed his views on data security.

What’s the business case for GRC? (2012)

Governance, risk and compliance (GRC) can be a dauntingly complex undertaking. But for Fiserv, the alternative was even more complicated.

Situational Awareness:

Inside the new World Trade Center (2011)

Louis Barani leads the construction of an integrated system to help identify security and safety issues by connecting the dots faster.

Cloud security:

More tales from the cloud (2011)

Challenges and solutions at three companies moving into cloud-based IT services:

  • Mohawk Fine Papers

Identity management:

How DTCC took on ID management (2011)

A look at why DTCC deployed identity and access management software from Hitachi ID Systems to automate its password management processes.

Access control:

Policy-based access control at a university (2010)

One school’s approach to maintaining security in an open environment.

Virtualization Security:

Virtual Server Security at Schwan Foods (2010)

When it comes to sampling innovative technology, Schwan Foods, a multibillion-dollar frozen food producer, digs right in.

DDOS and Online Extortion:

How a Bookmaker and a Whiz Kid Took On a DDOS-based Online Extortion Attack (2005)

What it’s like to get hit with a DDoS attack (2010)

Facing an online extortion threat, bookmaker Mickey Richardson bet his Web-based business on a networking whiz from Sacramento who first beat back the bad guys, then helped the cops nab them.

Anatomy of a Fraud (2004)

Most fraud victims clam up. In this check-tampering case, the victim, a small-business owner, decided to speak out. The resulting cautionary tale offers a rare, detailed look into the mechanics and psychology of fraud, and its aftermath.

Phishing and Incident Response:

Midsize Bank (2005)

What happens after a phishing attack? Here’s one midsize bank’s phishing incident response plan.

Product Counterfeiting:

Drug Busters: Novartis (2005)

Novartis deploys a global team to track down counterfeit drugs and help authorities prosecute counterfeiters.

Video Surveillance:

Surveillance Cameras at Secaucus Junction (2005)

New Jersey Transit’s new station finds additional benefits in its security cameras.

School Security:

Securing the Suburban High School (2007)

Privacy, safety, security and budgeting considerations collide.

Crisis Communication: 

Gale Global Facilities Services (2006)

With good planning, Web and mobile technologies can help find and inform employees in the event of a disaster. A global company shows how.

Simulations and exercises:

USAA’s Disaster Drill: Practice Makes Perfect (2003)

As one of the nation’s largest insurance companies, USAA is in the business of managing risk. So it makes sense that the company uses exercises, simulations and drills to learn how to respond in the event of a disaster.


Derek helped create and launch CSO in 2002, and served as Editor in Chief of the magazine and website from 2006 through 2013.


https://www.nist.gov/itl/smallbusinesscyber/cybersecurity-basics/case-study-series

Small Business Cybersecurity Corner

Small business cybersecurity case study series.

Ransomware, phishing, and ATM skimming are just a few of the very common and very damaging cybersecurity threats that small businesses need to watch out for. The following case studies were created by the National Cyber Security Alliance, with a grant from NIST, and should prove useful in stimulating ongoing learning for all business owners and their employees.

  • Case 1: A Business Trip to South America Goes South Topic: ATM Skimming and Bank Fraud
  • Case 2: A Construction Company Gets Hammered by a Keylogger Topic: Keylogging, Malware and Bank Fraud
  • Case 3: Stolen Hospital Laptop Causes Heartburn Topic: Encryption and Business Security Standards
  • Case 4: Hotel CEO Finds Unwanted Guests in Email Account Topic: Social Engineering and Phishing
  • Case 5: A Dark Web of Issues for a Small Government Contractor Topic: Data Breach


Building a culture of cyber security


Call for change

Before 2010, ransomware and other malware seldom, if ever, made the news headlines. But as more and more information moved to the cloud and digital technologies expanded, so did the frequency and sophistication of cyber attacks. This shift prompted organizations and individuals to do more to protect the information they stored and transferred within these infrastructures.

Within Accenture, a small team was tasked with formulating a response, strengthening and expanding our security defenses beyond technical systems, tools and controls by restructuring our security approach to meet Information Security Management System (ISMS) standards. Such standards looked to manage cyber security with a focus on people, processes and technologies, and served to establish the framework to protect Accenture’s global and increasingly mobile workforce.

Further, the team also undertook a formal assessment process in 2011, designed to create a comprehensive Information Security Risk Profile for the company. This move helped identify and prioritize security risks, as well as the actions necessary to prevent and protect against them. These transformative steps led Accenture to formally create the company’s information security organization.

Now with over 50,000 physical and virtual servers operating our business and supporting our clients, the Information Security organization is more than 800 people strong across the globe. The team’s expertise spans technical architecture and security operations, governance and risk management, acquisition integration, threat response and intelligence, compliance and behavior change.

“To protect the data we are entrusted with, our Information Security organization continues to adapt and optimize its risk resilience, addressing current cyber threats while preparing for new issues tomorrow might bring.” — KRIS BURKHARDT, Accenture Chief Information Security Officer

When tech meets human ingenuity

Our Information Security organization was developed around a strategy focused on building a resilient buffer against evolving threats and risks facing Accenture and our clients. This strategy also fosters a mindset within Accenture where everyone takes accountability for putting security first. A further aspect of the strategy is the establishment of several distinct areas and an extensive governance network led by the Chief Information Security Officer.

This network of accountability plays a critical and necessary role in maintaining Accenture’s security posture. The Information Security organization, which operates 24/7/365, can quickly respond to and address attacks, threat intelligence, system patching, vulnerabilities and workstation remediation. With Accenture’s increasing organic and inorganic growth, the areas of assessing acquisition security environments, employee security training and protecting our client data have become even more significant in the day to day activity of our organization.

As our Information Security organization has matured, cross-functional teams have been put in place to monitor and provide oversight to the security practices across a wider swath of Accenture’s business. Now, cross-collaborative groups like the Policy & Advisory Committee, Security Steering Committee and Accenture Information Security Leads meet and communicate regularly to ensure good security standings company-wide, or that concerns are raised and escalated promptly.


A valuable difference

Given an environment of aggressively growing cyber threats, Accenture’s risk tolerance has changed. In response, the industrialized processes of our Information Security organization continue to prove value, most visibly through the overall culture of shared accountability that has developed across the company. Through our team’s fine-tuned programs and processes, every Accenture employee understands they each play a role in keeping Accenture and its clients secure.

One tangible way this understanding has manifested is in employee participation in the award-winning Information Security Advocates program. This program engages each person in bite-sized, “gamified” security training exercises each quarter. Learning experiences on topics like social engineering, credential theft and working remotely are modified and refreshed regularly as new threat realities are identified. This training—a lot of which is voluntary—has shown that with each completion employees are much less likely to be involved in a security incident. And, on average, 99% of all employees become Information Security Advocates each year.

Another valuable capability from the evolution of Information Security is the ISO-certified Client Data Protection (CDP) program. This program provides Accenture client engagement teams with a standardized approach to managing risk through a set of security processes, controls and metrics. A CDP plan is developed for each client project and provides end-to-end security risk management measures covering physical, application, infrastructure and data security.

A further valuable outcome is detailed reporting. Key security performance indicators (KPIs) from across the business are captured and fed into a comprehensive Security Posture Scorecard (SPS). The contents are used to report out to the highest levels of Accenture leadership weekly, and to the Board of Directors twice a year. The dozen-plus KPIs include measures such as vulnerabilities, out-of-compliance servers, and misconfigured networked devices. In reviewing the SPS, Information Security teams have a very near real-time view of the global security posture. This view gives them the ability to take corrective actions more proactively and plan strategically.

Our Information Security organization’s continuous flexibility through a constant state of change and our ability to reinforce a security mindset across a global workforce, demonstrates one Accenture that protects client and Accenture information.

“Protecting our services and data are an absolute top priority and a cornerstone of our client relationships.” — JO DEBLAERE, Accenture Chief Operating Officer

Employee commitment

99% of all Accenture people are Information Security Advocates.

Secure devices

~1M workstations, servers, wireless access points and mobile devices secured.

Protecting client data

+2K client projects with active CDP plans.

Maintains certification for data-privacy standards.

CSA Security, Trust & Assurance Registry (STAR)

Awarded, and maintains, the highest Gold-level certification for Accenture-managed cloud infrastructure.

Accenture ranks top among its peers in maintaining a strong defense against threats, as reported by the leading cyber security rating vendors in each risk category.

Meet the team

Kris Burkhardt

Steve Zutovsky


Case studies and testimonial for ISO/IEC 27001

ISO/IEC 27001 is the international standard for information security management. By implementing the standard, organizations can identify security risks and put controls in place to manage or eliminate them, gain stakeholder and customer trust that their confidential data is protected, and help achieve preferred supplier status helping to win new business.

Read how our customers have benefited from implementing the standard.


ISO/IEC 27001 Case Study - CogentHub

CogentHub is a global provider focused on the delivery of business solutions integrated with the latest technologies. We bring together data and technology to enable our clients to attain their strategic business goals and gain competitive advantage. With our considerable experience across several industries and technology expertise, we deliver outsourcing and management consulting services.


ISO/IEC 27701 Case Study - Befree

Befree is among the leading organizations to achieve ISO/IEC 27701:2019 certification for data protection and the standardized management of data assets, certified by the British Standards Institution (BSI).

Case Study: Cyberthreats and Information Security Risk

After completing this reading, you should be able to:

  • Provide examples of cyber threats and information security risks and describe frameworks and best practices for managing cyber risks.
  • Describe lessons learned from the Equifax case study.

Examples of Cyber Threats and Information Security Risk

Cyber, technological, data protection, and information security risks are routinely ranked as the top concerns for operational risk practitioners in yearly surveys.

Typology of Information Security Risks

The term “information security” goes beyond cyber dangers alone. Information may be misplaced, stolen, or accidentally made public, and it may be lost through the theft or loss of paper records and other non-digital media. These dangers have distinct root causes and call for distinct mitigation strategies.

The table below conveys information security risks along two axes, giving four quadrants:

  • Internal causes versus external causes (such as third parties).
  • Theft or willful corruption of data versus loss or involuntary disclosure of data (including accidental corruption).

Table 1.1: Information Security Risks

$$\small{\begin{array}{l|l|l} \textbf{Data incidents} & \textbf{Theft or willful corruption} & \textbf{Loss or involuntary disclosure} \\ \hline \begin{array}{l}\text{Third parties and}\\\text{external causes}\end{array} & \begin{array}{l}\text{Physical theft.}\\\text{Digital hacking, cyberattacks}\\\text{and phishing.}\end{array} & \begin{array}{l}\text{System failures and}\\\text{third-party loss.}\end{array} \\ \hline \text{Internal causes} & \begin{array}{l}\text{Theft or loss of information,}\\\text{digital or physical,}\\\text{by an employee.}\end{array} & \begin{array}{l}\text{Database and backup loss.}\\\text{Loss of company devices by employees.}\\\text{Errors when sending documents.}\\\text{Loss of printed documents.}\\\text{Accidental disclosure of information}\\\text{to outsiders.}\end{array} \end{array}}$$

Cyberattacks – Cases and Threats

Although the financial sector is particularly vulnerable to cyber risk due to the high value of the transactions it facilitates, cyber threats are not unique to this sector.

Example 1: The Paradise Papers

One of the biggest data leaks in history was the Paradise Papers. Confidential records were taken from the Bermuda-based offshore law firm Appleby and supplied to a German newspaper, which shared them with the International Consortium of Investigative Journalists; the material was published in November 2017. The leaked information on the offshore interests of high-profile individuals, companies, government officials, and nations exposed them to reputational harm and public outcry.

Example 2: Equifax

One of the biggest credit-reporting companies in the world, Equifax, was the target of a cyberattack in 2017 that exposed the personal data of about 147 million people. The breach resulted from an external intrusion into Equifax’s servers. After the news was disclosed, Equifax’s market capitalization fell by nearly $5 billion.

Information Leaks – Malicious Insiders

Information security also covers data leaks caused by disgruntled or dishonest employees. Such incidents are more comparable to internal fraud than to external cyberattacks.

Example 1: Data Leak at an Insurance Company

A UK insurance provider suffered a data breach affecting 500,000 customers. An employee copied names, dates of birth, and some contact details and offered them for sale on the dark web. Although the employee was dismissed, the company still faced consequences: the regulator increased its monitoring and imposed a £175,000 penalty.

Example 2: Cryptocurrency Leaks

In November 2021, a developer’s private keys were stolen in a phishing attack against bZx, a US-based blockchain platform for lending and trading, resulting in a $55 million loss.

Frameworks and Best Practices for Managing Cyber Risks

Market standards and guidance documents are published and updated regularly for two reasons. First, they help businesses build their cybersecurity defenses. Second, they provide high-quality benchmarks for measuring and mitigating cyber fraud and technology risk. Businesses that must comply with industry regulations usually need to adopt a cybersecurity framework.

Three cybersecurity standards dominate the market:

  • The US National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF).
  • The Center for Internet Security Critical Security Controls (CIS Controls).
  • The International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) standards ISO/IEC 27001 and ISO/IEC 27002.

The NIST Framework for Improving Critical Infrastructure Cybersecurity

The framework is voluntary. It gives organizations a summary of best practices to help them decide where to concentrate their cybersecurity defense efforts.

The framework offers guidelines on how to analyze threats and vulnerabilities, weigh their consequences, and reduce the risks with specific solutions in order to help enterprises understand their cybersecurity risks. In addition to giving direction on how to respond to and recover from cybersecurity occurrences, the framework also encourages the use of root-cause analysis and use of lessons learned.

The framework’s core is a set of cybersecurity activities organized under the five fundamental functions of cyber defense: Identify, Protect, Detect, Respond, and Recover. NIST’s guidance for each function is:

Identify: Make a list of every piece of hardware, software, and information you use, such as computers, smartphones, tablets, and point-of-sale systems. Create and distribute a company cybersecurity policy that details roles and duties for staff and anyone else with access to sensitive information, and the precautions to take to repel attacks and limit the damage if one does take place.

Protect: Control who logs on to your network and who uses your computers and other devices, and use security software to protect your data. Back up your data frequently, keep security software up to date, and have formal procedures for properly disposing of old devices and electronic waste.

Detect: Monitor computers for unauthorized software, unauthorized hardware (such as USB drives), and unauthorized employee access to your systems. Look for any unusual activity on your network or by your staff.

Respond: Make and test a plan for notifying customers, staff, and anyone else whose data may be at risk; keeping the business operating; reporting the attack to law enforcement and other authorities; analyzing and containing the attack; and preparing for unplanned events that could endanger data, such as weather emergencies.

Recover: After an attack, repair and restore the damaged equipment and network components, and keep staff and customers informed of your response and recovery efforts.

Center for Internet Security (CIS)

Prioritized CIS measures are used to reduce the most common cyberattacks against systems and networks. The 18 CIS Critical Security Controls are:

$$\begin{array}{l|l} \text{Control 1} & \text{Inventory and Control of Enterprise Assets} \\ \hline \text{Control 2} & \text{Inventory and Control of Software Assets} \\\hline \text{Control 3} & \text{Data Protection} \\\hline \text{Control 4} & \text{Secure Configuration of Enterprise Assets and Software} \\\hline \text{Control 5} & \text{Account Management} \\\hline \text{Control 6} & \text{Access Control Management} \\\hline \text{Control 7} & \text{Continuous Vulnerability Management} \\\hline \text{Control 8} & \text{Audit Log Management} \\\hline \text{Control 9} & \text{E-mail and Web Browser Protections} \\\hline \text{Control 10} & \text{Malware Defenses} \\\hline \text{Control 11} & \text{Data Recovery} \\\hline \text{Control 12} & \text{Network Infrastructure Management} \\\hline \text{Control 13} & \text{Network Monitoring and Defense} \\\hline \text{Control 14} & \text{Security Awareness and Skills Training} \\\hline \text{Control 15} & \text{Service Provider Management} \\\hline \text{Control 16} & \text{Application Software Security} \\\hline \text{Control 17} & \text{Incident Response Management} \\\hline \text{Control 18} & \text{Penetration Testing} \end{array}$$

The CIS recommendations are useful for businesses setting up or reviewing their cybersecurity procedures and an additional framework that can coexist with other industry-specific compliance requirements.

ISO/IEC 27001 – International Organization for Standardization

The international standard ISO/IEC 27001 gives businesses general guidance on setting up risk management processes for information security, along with its governance, policies, support, and communication. It covers operational planning and control, information security risk assessment, and risk treatment. The standard also specifies that management reviews and internal audits have a place in information security.

To be eligible for certification, an enterprise implementing ISO/IEC 27001 must operate an information security management system (ISMS) that systematically controls its information security risks by identifying threats and weaknesses. Organizations must also develop and implement information security policies, run a continuous risk management process, and continually update and improve their systems.

Essentials of Cybersecurity Protection and Monitoring

Technical safety precautions combined with suitable human actions result in effective risk minimization.  Confidentiality, Integrity, and Availability (CIA) are the three aspects of information protection. Two main categories can be used to classify information controls: Behavioral controls and technical controls.

Behavioral Controls

They relate to how people behave when managing and safeguarding information, and they are applicable to all kinds of information security concerns. They include awareness-raising initiatives, conduct, password management, data transfer rules, oversight, and penalties.

Technical Controls

These relate to prevention and detection. Preventive controls are aimed mainly at external threats and cover system architecture, access control, firewalls, encryption, passwords, and patching. Detective controls allow data breaches, whether internal or external, to be identified early.

Since information security measures are costly, the advantages of risk reduction must be weighed against the cost of control.

KRIs for Information Security

Risk monitoring examines how well controls are working and flags unexpected departures from the norm, such as changes in exposure, traffic, or employee behavior. The IT department is the first line of defense, where day-to-day monitoring takes place; the information security function, which may be organizationally separate from IT, is the second line. The information security function should define, maintain, and monitor a set of behavioral and technical controls, with control failures and deviations serving as KRIs.

Lessons Learned from the Equifax Case Study

In the United States, Equifax is one of the biggest credit reporting companies. It has access to credit data for millions of people and companies. Hackers broke into Equifax’s networks in 2017 by taking advantage of a flaw in one of the systems. The attackers took credit card accounts, names, addresses, dates of birth, and other personally identifiable information from Equifax’s data bank.

The company’s cybersecurity procedures, guidelines, and resources were old and insufficiently managed. At the time of the attack, an audit had detected weaknesses in the patch management process. Equifax’s website had already been breached a year before the attack, exposing 430,000 names, addresses, social security numbers, and other pieces of sensitive data. Three days prior to the incident, an alert was sent to Equifax and communicated to 400 workers about the vulnerability that was the basis of the hack. However, not all relevant employees were in the email list. The National Institute of Standards and Technology (NIST), using the Common Vulnerability Scoring System, gave the discovered flaws in the patch management process the highest criticality score.

Equifax paid up to $700 million in fines and restitution, of which $300 million went to the people whose personal information was compromised in the hack.

The following significant flaws were identified in the case after analysis:

  • The absence of a thorough inventory of IT assets.
  • The patch management policy’s lax enforcement.
  • Inconsistent staff communication regarding the fix of security flaws.
  • An expired SSL certificate on the device intended to inspect encrypted network traffic.
  • Ineffective external communication during crisis management.

Events with such high operational risk do not have a single root cause. They appear in weak operating environments that are marked by numerous governance and operational flaws, communication failures, and a lack of prioritizing in alerts and actions.
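The flaws listed above map directly onto KRIs of the kind the earlier section describes: a deviation from the patch SLA, an asset with no accountable owner, and an inspection device whose certificate has lapsed. The following is an added example, not part of the case study or of any Equifax material: it computes three such indicators over a constructed asset inventory. The asset names, owners, vulnerability identifiers, dates and SLA thresholds are all placeholders assumed for the example.

```python
"""KRIs for patch management, asset ownership and certificate expiry.

Constructed inventory: asset names, owners, vulnerability ids, dates and SLA
thresholds are placeholders assumed for this example, not Equifax data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed patch SLA per severity, in days (policy values chosen for the example).
PATCH_SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90}


@dataclass
class Finding:
    vuln_id: str                     # placeholder id such as "CVE-0000-0001"
    severity: str                    # "critical", "high" or "medium"
    patch_available: date            # date the vendor fix was published
    patched_on: Optional[date] = None


@dataclass
class Asset:
    name: str
    owner: Optional[str]             # None: nobody is recorded as accountable for it
    findings: List[Finding] = field(default_factory=list)
    cert_expiry: Optional[date] = None   # expiry of the TLS certificate on the asset, if any


def patch_latency_days(finding: Finding, today: date) -> int:
    """Days from fix availability to remediation, or to today while still open."""
    end = finding.patched_on or today
    return (end - finding.patch_available).days


def overdue_findings(assets: List[Asset], today: date) -> List[Tuple[str, str, int]]:
    """Open findings whose latency exceeds the SLA for their severity."""
    overdue = []
    for asset in assets:
        for f in asset.findings:
            if f.patched_on is None:
                latency = patch_latency_days(f, today)
                if latency > PATCH_SLA_DAYS[f.severity]:
                    overdue.append((asset.name, f.vuln_id, latency))
    return overdue


def unowned_assets(assets: List[Asset]) -> List[str]:
    """Assets with no owner: no one receives the vulnerability alert for them."""
    return [a.name for a in assets if a.owner is None]


def expired_certs(assets: List[Asset], today: date) -> List[str]:
    """Assets whose certificate has lapsed; an inspection device in this state
    stops examining encrypted traffic without any loud failure."""
    return [a.name for a in assets if a.cert_expiry is not None and a.cert_expiry < today]


def compute_kris(assets: List[Asset], today: date) -> Dict[str, float]:
    """Three indicators for the information security function to report each period."""
    open_critical = [f for a in assets for f in a.findings
                     if f.severity == "critical" and f.patched_on is None]
    overdue_critical = [f for f in open_critical
                        if patch_latency_days(f, today) > PATCH_SLA_DAYS["critical"]]
    ratio = len(overdue_critical) / len(open_critical) if open_critical else 0.0
    return {
        "overdue_critical_ratio": ratio,
        "unowned_asset_count": len(unowned_assets(assets)),
        "expired_cert_count": len(expired_certs(assets, today)),
    }


# Constructed inventory and a fixed "as of" date so the results are deterministic.
TODAY = date(2024, 1, 31)
INVENTORY = [
    Asset("web-portal-01", "app-team",
          [Finding("CVE-0000-0001", "critical", date(2023, 12, 1))],        # open 61 days
          cert_expiry=date(2024, 6, 30)),
    Asset("web-portal-02", None,
          [Finding("CVE-0000-0001", "critical", date(2023, 12, 1), date(2023, 12, 5))]),
    Asset("tls-inspector", "network-team", [], cert_expiry=date(2023, 11, 15)),  # lapsed
    Asset("hr-app", "hr-team",
          [Finding("CVE-0000-0002", "high", date(2024, 1, 20))]),             # within SLA
]

if __name__ == "__main__":
    for item in overdue_findings(INVENTORY, TODAY):
        print("overdue:", item)
    print("KRIs:", compute_kris(INVENTORY, TODAY))
```

The ratio of overdue critical findings is the indicator that would have moved first in the Equifax timeline; the unowned-asset count captures the incomplete inventory, since an alert cannot reach an owner who is not recorded, and the expired-certificate count is a cheap check that the detective control is actually still looking at traffic.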

Practice Question

During a quarterly audit meeting, Pacifica Financial, a leading finance company, reviews its cybersecurity protocols. An executive on the team, Jane, brings up the Equifax data breach as a reminder of the vulnerabilities even the most prominent institutions can face. She presents a slide on lessons learned from the Equifax case study and asks for insights from the team. Which of the following represents the most significant lesson Pacifica should prioritize to avoid a similar fate?

  A. Instituting robust password policies that mandate password changes every 30 days.
  B. Ensuring a thorough and timely patching process for identified software vulnerabilities.
  C. Regularly updating the company’s firewall systems.
  D. Shifting all data to cloud-based storage solutions to minimize physical security risks.

Solution

The correct answer is B. One of the primary factors in the Equifax data breach was the failure to patch a known vulnerability in a timely manner. A patch was available for the Apache Struts vulnerability almost two months before the breach, but Equifax did not apply it in time. This oversight allowed hackers to exploit the vulnerability and access sensitive data. Thus, ensuring a rigorous and prompt patching process for identified software vulnerabilities is crucial.

A is incorrect: While having strong password policies is essential for cybersecurity, the Equifax breach did not primarily occur due to weak passwords or a lack of password rotation. Instituting robust password policies would help in many cybersecurity scenarios but would not have prevented the Equifax breach.

C is incorrect: Regularly updating a company’s firewall systems is crucial for protecting against potential threats. However, in the context of the Equifax breach, the main vulnerability exploited was not directly related to firewall breaches. Therefore, while this is a good practice, it wouldn’t have been the primary lesson from the Equifax case.

D is incorrect: The Equifax breach was not due to physical security risks, so moving data to a cloud-based storage solution would not have directly prevented it. While cloud storage can offer various security benefits, it also comes with its own set of risks. Moreover, the decision to shift to cloud storage should be based on a comprehensive analysis of security needs, not solely as a response to the Equifax incident.

Things to Remember

  • Proactiveness is Key: Equifax’s delay in patching a known vulnerability, despite the availability of a patch, highlights the importance of being proactive in addressing security concerns.
  • Timeliness Matters: Acting promptly on identified vulnerabilities can be the difference between safeguarding data and experiencing a massive breach.
  • Size Doesn’t Equate to Security: Even major corporations with extensive resources can be susceptible to breaches if proper cybersecurity protocols aren’t followed.
  • Every Threat is Unique: Tailoring responses based on specific threats is critical. Not all security measures apply uniformly to every potential breach scenario.
  • Continuous Vigilance: Institutions should maintain regular security audits and reviews, learning from past incidents, both internal and external, to bolster their defenses.

Offered by AnalystPrep


Cyber Insight

What is case study in cyber security? Learn from real-life examples.

June 27, 2023


As a cyber security expert with years of experience, I understand how intimidating it can be to protect one’s digital presence in today’s world. We constantly hear about security breaches, ransomware attacks, and hackers stealing sensitive data. However, it’s not just the industry professionals who can learn to protect themselves from cyber-attacks. With the right knowledge, anyone can learn how to spot and neutralize potential threats.

One of the best ways to gain this knowledge is through real-life examples. That’s where case studies come in. These case studies allow us to learn from actual cyber-security incidents and understand what went wrong, why it happened, and how it could have been prevented. As a reader, you’ll be able to apply this knowledge to your own digital presence, and protect yourself, your family, and your business from cyber-attacks.

So, in this post, we’ll dive into what exactly a case study is in the context of cyber-security. I’ll show you how to use these case studies to learn from past security incidents, how they can help you understand the risks you face, and ultimately, how to protect yourself from becoming a victim of a cyber-attack. Are you ready to learn from some real-life examples in cyber-security? Let’s get started!

What is case study in cyber security?

The team responsible for conducting a cyber security case study typically employs a variety of methods to get a complete perspective on the threat environment. Some of the methods they may use include:

  • Collecting data from internal security systems, such as firewalls and intrusion detection systems, to identify potential threats
  • Analyzing data on cyber-related threats from external sources, such as threat intelligence feeds and open-source intelligence (OSINT)
  • Engaging with other organizations or industry groups to share information and best practices
  • Conducting interviews with employees and other stakeholders to gather insights and information about the incident

Once the team has collected and analyzed all the necessary data, they develop a detailed report outlining their findings and recommendations for improving the organization’s cyber security posture. This report may be used to inform the development of new policies and procedures, or to train employees on how to better detect and respond to cyber threats. Ultimately, the goal of a cyber security case study is to help organizations become more resilient and better prepared to defend against cyber attacks.

Pro Tips:

1. Understand the purpose of a case study in cyber security. A case study is an in-depth analysis of a particular cybersecurity event or incident, which is used to identify the weaknesses in the system or processes and provide insights into how to improve them.

2. Choose the right case study. When selecting a case study for analysis, ensure that it is relevant to your organization’s cybersecurity practices and challenges. Consider factors such as industry, size, and security posture while selecting a case study.

3. Analyze the case study thoroughly. When analyzing a case study, pay attention to the details of the event or incident being studied. Take note of what went wrong, how it could have been prevented, and what the organization did to recover. This analysis will provide valuable insights into improving your organization’s cybersecurity defenses.

4. Discuss the findings with your team. Once you have analyzed the case study, share your findings and insights with your cybersecurity team. Use the case study as a learning opportunity to explain the importance of cybersecurity management and how to develop proactive strategies to prevent similar incidents.

5. Use the insights to strengthen your organization’s defense. After reviewing the case study and discussing its implications with your team, develop strategies and tactics to strengthen your organization’s cybersecurity defenses. Use the insights gained from analyzing the case study to better protect your organization from similar cyber attacks.

Understanding Case Study in Cyber Security

A case study is an in-depth analysis of a particular problem or situation. In the context of cyber security, a case study focuses on the use of specific tools and techniques to identify, analyze, and mitigate cyber threats. Cyber security case studies are valuable resources that help organizations better understand real-world threats and develop effective strategies to protect their assets against them. Case studies provide insight into how attackers target specific businesses, the methods they use, and the impact of their actions.

The Importance of Threat Monitoring in Cyber Security

Threat monitoring is one of the most crucial aspects of cyber security. It involves regularly monitoring and collecting data on cyber-related threats around the globe, which could affect the sector or business. The goal is to identify potential threats and notify the relevant teams so that they can take appropriate action to prevent or mitigate the risk. Without effective threat monitoring, organizations are vulnerable to a wide range of cyber threats, including malware, phishing attacks, ransomware, and other malicious activities.

Methods Used to Collect Data on Cyber-Related Threats

There are various methods used to collect data on cyber-related threats, including:

  • Network scanning: This involves scanning the organization’s network to identify potential vulnerabilities and threats.
  • Vulnerability assessments: This involves identifying and assessing potential vulnerabilities in the organization’s hardware, software, and network infrastructure.
  • Penetration testing: This involves simulating a cyber-attack to identify weaknesses and vulnerabilities in the system.
  • Intelligence gathering: This involves collecting and analyzing information from various sources, including social media, open-source databases, and other traditional intelligence sources, to identify potential threats.

Analyzing the Overall Threat Environment

An essential aspect of threat intelligence is analyzing the overall threat environment. Cyber security experts collect large amounts of data on threats and vulnerabilities to gain a complete perspective of the threat environment. This analysis involves identifying patterns, trends, and emerging threats that could affect an organization. There are numerous tools and techniques used to analyze the overall threat environment, including:

  • Machine learning algorithms: This involves analyzing data using artificial intelligence and machine learning techniques to identify patterns and trends.
  • Data visualization tools: This involves using charts, graphs, and other visual aids to represent data and identify trends.
  • Threat intelligence platforms: This involves using specialized software and tools to automate threat intelligence gathering and analysis.

Assessing Threats and Motivations to Target a Business

Assessing threats and motivations to target a business is a critical aspect of cyber security. Cyber criminals are motivated by different factors, including financial gain, political motives, espionage, and so on. Understanding the motivations behind a cyber-attack can help organizations better prepare for and prevent or mitigate possible threats. Some common motivations include:

  • Financial gain: Cyber criminals target businesses to steal sensitive data, intellectual property, or financial details that could help them steal money.
  • Political motives: Hackers might target businesses to protest or to create political unrest, in line with their ideologies.
  • Sabotage: Some cyber-attacks aim to sabotage a business’s operations or reputation.

Implementing Effective Cyber Security Measures

Effective cyber security measures involve identifying threats and implementing strategies to mitigate them. There are various ways to implement cybersecurity measures, including:

  • Implementing security protocols: Security protocols ensure that all members of the organization follow the same procedures to maintain the security of the system. This includes guidelines for passwords, access control, and network security.
  • Training employees: Every member of an organization is a potential entry point for a cyber attack, so all employees should be trained to identify and prevent cyber-attacks.
  • Upgrading software and hardware: Outdated software and hardware are more vulnerable to cyber-attacks. Upgrades to the latest versions can help prevent many cyber threats.

Staying Ahead of Emerging Cyber Threats

Staying ahead of emerging cyber threats is an essential aspect of cyber-security. Hackers are continuously developing new techniques and tools to circumvent security measures. To keep up with the ever-evolving threat landscape, cyber-security experts must continuously monitor the threat environment, track emerging trends, and implement new security protocols to mitigate new threats. In summary, cyber security experts must remain vigilant, employ a variety of threat monitoring methods, and stay apprised of emerging cyber threats.


IGI Global

Information Security Management System: A Case Study of Employee Management

Introduction

A computer-based networked organisation operates by communicating and transforming information with the help of its employees. It therefore needs to develop an information management system so that it can establish a process for getting the right information to the right person at the right place and at the right time. Some employees may reveal secret or sensitive information, so the organisation needs policies and procedures for systematically managing its sensitive data. Data must be managed properly so that the risk level associated with secret or sensitive data stays low. The goal of an information security management system (ISMS) is to keep the organisation running smoothly and continuously by keeping the risk level very low. An ISMS mainly consists of (i) human resources (HR), (ii) organisational processes and procedures, and (iii) information and technologies. The key factors of an ISMS are data integrity, availability and confidentiality of information:

  (a) Data integrity: access restriction and protection of data from unauthorized sources.
  (b) Availability: organisational information is available to authorized users without any issues.
  (c) Confidentiality: protection of information from unauthorized parties.

Employee management is the effort to help employees perform at their best. An organisation always wants to obtain an employee’s service at minimum cost while earning maximum profit. An employee has to carry out different types of tasks in an information security management system [C.S. Park et al. 2010]. To keep information secure, the following criteria should be followed with respect to employees in an ISMS:

Selection: Selection is the initial stage of an employee’s entry into an organisation. It is necessary to choose the right person for the right job so that the ISMS can run properly.

Monitoring: The working process of an employee should be monitored. There should be an observation group that observes the whole of an employee’s work; this helps manage employee performance in the ISMS.

Interaction: Employees should interact with each other properly and confidentially. The flow of information among employees should be secure so that the ISMS can be implemented smoothly.

Reward: Employees should be rewarded according to their working ability and performance. This acts as a catalyst among employees, and organisational performance will tend towards higher profit.

Discipline: The information of an organisation will remain secure only if major disciplinary action is taken against an employee who reveals information to an unauthorized person. An employee’s role is always important in an organisation. An employee may leak all of an organisation’s information while on the job or after leaving it.

The role of the employee in maintaining a safe and secure environment increases greatly once an information security management system has been created and is being maintained. Achieving information security is a huge challenge for an organisation. The ISMS needs to be examined with some mathematical methods so that the organisation’s information can remain secure. An IoT platform can help an organisation reduce cost through improved process efficiency, asset utilisation and productivity. In an organisation, employees can connect, analyse, integrate and participate actively with the help of IoT-based technology. To make an organisation secure, IoT-based technology should be applied to provide automatic shift/roster management, email/SMS notifications of employees’ attendance, automatic management of employees’ leave records, and so on. An organisation can establish its own policy for attendance, leave, on-duty status, office hours, employees’ working place, and its leave management system. Designing, developing, maintaining and enabling the large technology base of an IoT system in an organisation is quite complicated. This paper discusses some features related to the security of information by the employee. As IoT devices interact and communicate with each other and carry out many tasks for an organisation, some security risks arising from the employees of an organisation need to be discussed.


Emerging Trends in Information Systems, pp. 99–115

Integrating Case Studies into Information Security Education

Alexandra Savelieva and Sergey Avdoshin

First Online: 26 November 2015

Part of the book series: Progress in IS (PROIS)

Today the demand is growing for information security experts capable of analyzing problems and making decisions in business situations that involve risk or uncertainty. These skills can be acquired through systematic study of various information security incidents. In this paper we propose a framework of methods, tools and taxonomies for the analysis of case studies in the information security field. Our framework allows every situation to be studied in a formal rather than ad-hoc way, and a wide range of threat modeling, risk analysis and project management techniques to be applied under lifelike conditions. We illustrate it with two case studies based on real situations: a conflict between a free email service provider and a commercial bank, and an attack on a famous security company by a powerful hacktivist group. The first situation explores the risks of using cloud services, while the second highlights the importance of applying secure coding principles to in-house software development. Although the cases are seemingly different, we demonstrate that they can be analyzed with similar tools.

This work was done in 2011–2012 when Alexandra Savelieva was with Higher School of Economics in Moscow, Russia. Now she is working in Microsoft Corporation in Redmond, USA.


References

Ayyagari, R., & Tyks, J. (2012). Disaster at a university: A case study in information security. Journal of Information Technology Education, 11 (Innovations in practice).

Herreid, C. F. (Ed.). (2007). Start with a story: The case study method of teaching science. Arlington, VA: National Science Teachers Association. 466 pp.

Workshop on Teaching Information Assurance Through Case Studies and Hands-on Experiences. http://teaching-ia.appspot.com/

Logan, P., & Christofero, T. (2009). Giving failure a place in information security: Teaching students to use the post-mortem as a way to improve security. In: Proceedings of the 13th Colloquium for Information Systems Security Education, University of Alaska, Fairbanks. Seattle, WA, June 1–3, 2009.

Hartel, P. H., & Junger, M. (2012). Teaching information security students to “think thief”. Technical report TR-CTIT-12-19, Centre for Telematics and Information Technology, University of Twente, Enschede. ISSN 1381-3625.

Savelieva, A. (2011). Special considerations in using the case-study method in teaching information security. In: Proceedings of “IT security for the next generation”. TUM, Germany: Garching, Boltzmannstr. http://www.kaspersky.com/images/alexandra_savelieva-10-95017.pdf

Savelieva, A. A., & Avdoshin, S. M. (2011). Information security education and awareness: Start with a story. In: Proceedings of “2011 workshop on cyber security and global affairs”. http://www.internationalcybercenter.org/workshops/cs-ga-2011/asavelieva

Bishop, M. (2006, September). Teaching context in information security. Journal on Educational Resources in Computing, 6 (3).

Homepage — ECCH for educators. http://www.ecch.com/educators/

McNulty, E. (2007). Boss, I think someone stole our customer data. Harvard Business Review, September, 37–42.

ISO/IEC 27001:2005. (2005). Information technology security techniques information security management systems requirements.

Parker, D. B. (1998). Fighting computer crime. New York: Wiley.

Parker, D. B. (2009). Toward a new framework for information security. In S. Bosworth, M. E. Kabay, & E. Whyne (Eds.), The computer security handbook (5th ed.). New York: Wiley.

Howard, M., & Lipner, S. (2006). The security development lifecycle: SDL: A process for developing demonstrably more secure software (304 pp.). Microsoft Press.

Landwehr, C. E., & Bull, A. R. (1994). A taxonomy of computer program security flaws, with examples. ACM Computing Surveys, 26 (3), 211–254.

Lindqvist, U., & Jonsson, E. (1997). How to systematically classify computer security intrusions (pp. 154–163). IEEE Symposium on Security and Privacy, Los Alamitos, CA.

Paulauskas, N., & Garsva, E. (2006). Computer system attack classification (2nd ed., Vol. 66). Kaunas: Technology.

Weber, D. J. (1998). A taxonomy of computer intrusions. Master’s thesis, Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology.

Howard, J. D., & Longstaff, T. A. (1998). A common language for computer security incidents. Technical report, Sandia National Laboratories.

Serdiouk, V. A. (2007). Advances in technologies for protection against attacks in corporate networks. Moscow: Tekhnosphera.

Event Chain Methodology in Project Management. White Paper by Intaver Institute Inc. http://www.intaver.com/Articles/Article_EventChainMethodology2011.pdf

Zetter, K. (2011). Bank sends sensitive E-mail to wrong Gmail address, Sues Google. Wired, September 21, 2009. http://www.wired.com/threatlevel/2009/09/bank-sues-google/

Bright, P. (2011). Anonymous speaks: the inside story of the HBGary hack. Ars Technica. http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack

Honan, M. (2012). How Apple and Amazon security flaws led to my epic hacking. Wired.com. http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

Honan, M. (2012). How I resurrected my digital life after an epic hacking. Wired.com. http://www.wired.com/gadgetlab/2012/08/mat-honan-data-recovery/

Russian Court Website Defaced in Support of Pussy Riot. (2012). Moscow: AFP. http://www.straitstimes.com/breaking-news/world/story/russian-court-website-defaced-support-pussy-riot-20120821

Rivner, U. (2011). Anatomy of an attack. Copyright 2011 EMC Corporation. http://blogs.rsa.com/anatomy-of-an-attack/

Tamai, T. (2009). Social impact of information system failures. IEEE Computer, 42 (6), 58–65.

Avdoshin, S. M., Savelieva, A. A., & Serdiouk, V. A. (2010). Microsoft technologies and products for information protection. Microsoft Faculty Resource Center. https://www.facultyresourcecenter.com/curriculum/pfv.aspx?ID=8476&Login=

Kaspersky Lab Global Website. IT security for the next generation. http://www.kaspersky.com/about/events/educational-events/it_security_conference#tab=tab-4

Foundation for Educational Innovations. Best proposals-2011. http://www.hse.ru/org/hse/iff/methodics_2011


Acknowledgements

The present work benefited from the input of reviewers and participants of BIR 2012 Workshop on Teaching Business Informatics Intelligent Educational Systems and E-learning, thanks to Dr. Prof. Oleg Kozyrev, Director of HSE Nizhny Novgorod campus, and other members of the organizing committee, who made it possible for the authors to give a talk in teleconference mode. Alexandra Savelieva wishes to thank Oksana Chernenko, Executive Director of the HSE Foundation for Education Innovations, for her support, encouragement and guidance throughout the development of this educational project. The authors also wish to express their gratitude to Dr. Anatoli Shkred, CEO and Rector at INTUIT. RU, and Dr. Alexander Gavrilov, Academic Lead at Microsoft Russia, whose positive feedback and useful comments encouraged them to continue the work after the publication of the first case study-based electronic course on information security. The authors would like to sincerely thank Dr. Prof. Arun Sood, Co-Director, International Cyber Center, for the opportunity to present the idea of using case studies to a broad audience of professional specific target groups involved in cyber security all around the world participating in “2011 Workshop on Cyber Security and Global Affairs”, and Dr. Prof. Vladimir Azarov, Deputy Director of Research at MIEM HSE, for the invitation to MQ&ISM-2012 conference collocated with an intensive course on the ISO 27000 series of standards by CIS Austria.

Author information

Authors and affiliations

Microsoft Corporation, Redmond, WA, USA

Alexandra Savelieva

National Research University Higher School of Economics, Moscow, Russia

Sergey Avdoshin


Corresponding author

Correspondence to Sergey Avdoshin.

Editor information

Editors and affiliations

ERCIS, University of Münster, Münster, Germany

Jörg Becker

Higher School of Economics, National Research University, Nizhny Novgorod, Russia

Oleg Kozyrev

Eduard Babkin

Victor Taratukhin

Natalia Aseeva

Appendix A: Case Study #1: The Dangers of Keeping Corporate Mail in a Cloud

The first application of our case study analysis framework is a story that triggered a lot of discussion in the professional community due to its complicated nature and interesting background [22]. The event chain for the case study is depicted in Fig. 4.

Fig. 4: Case study #1: event chain

When the bank employee receives a call from the client, he has no reliable way to verify the identity of the person calling (i.e. the authenticity property of client’s request is questionable). We cannot be confident at this point that the email address communicated during this call as the client agent’s address was received by the bank employee correctly, due to possible noise at the phone line and human error when reading and writing texts (especially by hand). Although the probability of such error is low, the impact of sending confidential information to an unintended recipient is high, as stated in the table for information asset ‘Client agent’s email address’ and security property ‘Integrity’.

Next, the employee sends the requested data to the wrong email address. We know that he also attaches a file containing data on 1324 other clients, information that should never have left the bank’s boundaries. We can therefore assume that neither an authorization system limiting employees’ access to sensitive client data nor an outgoing mail filtering system was in place. Had such controls existed, the utility of these information assets to an outsider would have been zero: the employee would not have been able to retrieve them, and any attempt to send them to an untrusted address would have been blocked automatically.

Nevertheless, the email did leave the bank. Without evidence that someone read the message, we cannot say that the confidentiality was affected. Instead, the bank lost control of the email information contents (had it been encrypted, there would be no reasons to worry). The bank employee had no way to check whether the email was accessed at all: for example, it could be mistaken by the recipient for spam due to the huge amount of financial fraud spam circulating in the world (as we know from the information about the case revealed later, this was indeed the case: the user put the letter to his junk mail box without even opening it). The information about email status could have been easily retrieved if the email had been sent to a bank corporate mail, or some service rented by the bank from an external mail service provider under appropriate agreement. This was not the case, so the employee followed up with a second email asking the recipient to disregard and remove the previous email and urgently contact the bank for further information. By doing so, he was arguably increasing the probability of the situation when the fact of information leakage from the bank becomes public: even if the user disposed of the previous email, he could become curious about the situation; if not, there was no guarantee that he wouldn’t copy the email contents before disposing of the email as requested. In any case, he was very unlikely to contact the bank for clarification.

The situation then developed to involve the email service provider, which was not willing to disclose the recipient's identity under its user policy without an appropriate court order. The bank sued the email service provider, requesting that the user's identity be revealed and the account suspended, and insisting that the case be filed under seal. The information assets and security properties affected at this point were the mailbox owner's identity (confidentiality) and his or her email archive (availability). Finally, the fact of the information leak from the bank eventually became publicly known.
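The two controls whose absence is inferred above can be sketched as a single outbound mail policy check. The following Python is an added example, not the chapter's own material; the bank and partner domain names, the ten-digit account-number format, the record threshold and the sample message are constructed assumptions.

```python
"""Outbound-mail policy check of the kind case study #1 lacked.

Added illustration, not the chapter's own material. Domain names, the
account-number format, the threshold and the sample message are constructed.
"""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default as default_policy

# Constructed: domains the bank controls or covers by a service agreement.
TRUSTED_DOMAINS = {"examplebank.test", "partner-mail.test"}
# Constructed: a client record is recognised by a ten-digit account number.
ACCOUNT_RE = re.compile(r"\b\d{10}\b")
# Constructed threshold: more than one client's record leaving the bank is a leak.
MAX_EXTERNAL_RECORDS = 1


def build_sample_message(recipient: str, rows: int) -> bytes:
    """Construct a message like the one in the case: a reply plus a client-data attachment."""
    msg = EmailMessage()
    msg["From"] = "clerk@examplebank.test"
    msg["To"] = recipient
    msg["Subject"] = "Your requested statement"
    msg.set_content("Please find the requested data attached.")
    csv = "name,account\n" + "\n".join(f"client{i},{1000000000 + i}" for i in range(rows))
    msg.add_attachment(csv, subtype="csv", filename="clients.csv")
    return msg.as_bytes()


def count_client_records(raw: bytes) -> int:
    """Count distinct account numbers across the body and all text attachments."""
    msg = message_from_bytes(raw, policy=default_policy)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.update(ACCOUNT_RE.findall(part.get_content()))
    return len(found)


def recipient_domains(raw: bytes) -> list:
    """Lower-cased domains of every To/Cc/Bcc recipient."""
    msg = message_from_bytes(raw, policy=default_policy)
    domains = []
    for hdr in ("To", "Cc", "Bcc"):
        if msg[hdr]:
            domains.extend(a.domain.lower() for a in msg[hdr].addresses)
    return domains


def outbound_decision(raw: bytes) -> str:
    """Return 'allow' or 'block:<reason>' for one outgoing message.

    Mail to trusted domains passes; mail to any other domain is blocked as soon as
    it carries more client records than a single customer's own data would.
    """
    external = [d for d in recipient_domains(raw) if d not in TRUSTED_DOMAINS]
    if not external:
        return "allow"
    records = count_client_records(raw)
    if records > MAX_EXTERNAL_RECORDS:
        return f"block:{records} client records to untrusted domain {external[0]}"
    return "allow"
```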

A table representation of the case study analysis is provided in Table 3.

Appendix B: Case Study #2: The Shoemaker’s Son Always Goes Barefoot

The situation analyzed in this section is an example of a so-called advanced persistent threat, or APT. Unlike case study #1, where the information security breach resulted from a series of mishaps, this story is about a hacker group that intentionally and persistently targets a specific entity. The irony is that the target appears to be a famous company specializing in information security services. See [23] and other relevant publications in the press and online media for more information on this notorious security incident.

The concept of the Attack Lifecycle (Fig. 2 in Sect. 3.3) is very instrumental in building the Event Chain diagram. At the first stage, the target information system is the company's custom content management system (CMS), supplied by a third-party developer.

Reconnaissance—the hackers analyze the CMS for vulnerabilities and discover that an SQL injection attack is possible;

Penetration—the hackers apply the SQL injection;

Information damage—the hackers retrieve the CMS contents from the database;

Proliferation—the hackers identify employees’ aliases and hashed passwords as a useful piece of information for extending the attack further.

The proliferation phase of the first attack serves as the reconnaissance phase for the next attacks, whose target information systems are the support machine and the email service provider used by the company. Penetration involves breaking the cryptographic hash algorithm MD5 used for hashing users’ passwords, and so on.

A simplified information security event chain of the case is presented in Fig. 5.

Case study #2: event chain

A table representation of the case study analysis is provided below in Table 4. Utility, unlike the other security properties, is considered here from the attacker’s perspective, i.e. we assume that the information asset is of no utility (useless) to the attacker if handled properly. Therefore, by ‘risk’ we mean the probability and impact of the situation in which the information asset becomes useful to the attacker.
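The penetration step above relied on the leaked table of unsalted MD5 password hashes being useful to the attacker. As an added illustration (not the chapter's own material), the following Python contrasts that scheme with a salted, deliberately slow password store: the precomputed digest table that makes an unsalted MD5 leak valuable matches nothing once salts are present, and every remaining guess must be recomputed per user at full KDF cost. Account names, passwords and the wordlist are constructed sample data.

```python
"""Why the leaked password table in case study #2 was useful to the attacker.

Added illustration, not the chapter's own material: usernames, passwords and
the wordlist below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

# Constructed sample accounts; three use passwords found in common wordlists.
SAMPLE_ACCOUNTS = {
    "alice": "Summer2011",
    "bob": "letmein",
    "carol": "Xk7!pQ2z#vR9",  # strong; absent from the wordlist
    "dave": "password1",
}

# Constructed wordlist (real ones hold millions of entries).
WORDLIST = ["123456", "password", "password1", "letmein", "Summer2011", "qwerty"]


def store_unsalted_md5(accounts: Dict[str, str]) -> Dict[str, str]:
    """The weak scheme from the case: one unsalted MD5 digest per user."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in accounts.items()}


def store_salted_pbkdf2(accounts: Dict[str, str], iterations: int = 100_000) -> Dict[str, str]:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    out = {}
    for u, p in accounts.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        out[u] = f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"
    return out


def verify_pbkdf2(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored PBKDF2 record."""
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_md5_table(wordlist: Iterable[str]) -> Dict[str, str]:
    """Computed once, reusable against every unsalted MD5 table ever leaked."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}


def recover_with_table(leaked: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Instant lookup: succeeds only when the leaked digests are unsalted."""
    return {u: table[h] for u, h in leaked.items() if h in table}


def wordlist_audit(leaked: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Defender's audit of a salted store (and the work an attacker faces):
    each guess is recomputed per user. Returns (weak accounts, KDF evaluations)."""
    weak, evaluations = {}, 0
    words = list(wordlist)
    for u, stored in leaked.items():
        for w in words:
            evaluations += 1
            if verify_pbkdf2(stored, w):
                weak[u] = w
                break
    return weak, evaluations


if __name__ == "__main__":
    table = precomputed_md5_table(WORDLIST)
    print("unsalted MD5 vs. precomputed table:", recover_with_table(store_unsalted_md5(SAMPLE_ACCOUNTS), table))
    salted = store_salted_pbkdf2(SAMPLE_ACCOUNTS)
    print("salted PBKDF2 vs. precomputed table:", recover_with_table(salted, table))
    weak, work = wordlist_audit(salted, WORDLIST)
    print(f"salted PBKDF2 audit: {weak} after {work} slow KDF evaluations")
```

Salting removes the utility of the precomputed table and the iteration count prices every remaining guess, but the audit still flags the three wordlist passwords, which is why a password policy accompanies the storage change.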

Copyright information

© 2016 Springer International Publishing Switzerland

Savelieva, A., Avdoshin, S. (2016). Integrating Case Studies into Information Security Education. In: Becker, J., Kozyrev, O., Babkin, E., Taratukhin, V., Aseeva, N. (eds) Emerging Trends in Information Systems. Progress in IS. Springer, Cham. https://doi.org/10.1007/978-3-319-23929-3_9

DOI: https://doi.org/10.1007/978-3-319-23929-3_9

Published: 26 November 2015

Publisher Name: Springer, Cham

Print ISBN: 978-3-319-23927-9

Online ISBN: 978-3-319-23929-3

eBook Packages: Business and Management (R0)


Information Security Risk Management Case Study Examples

Type of paper: Case Study

Topic: Management , Information , Organization , Risk Management , Attack , Violence , Risk , Security

Words: 1100

Published: 05/18/2021

Information security in an organization is designed to protect the integrity, confidentiality and availability of computer system data or information from those with malicious intentions of altering records, stealing confidential information, bringing down the network and more. Information risk management is, therefore, very important. It covers the information infrastructure in the organization, identifies the information to be protected and the level of protection required to align with the organization’s risk tolerance. It helps the IT personnel in the organization identify the weaknesses and vulnerabilities of their systems and in turn devise ways of countering them, either reactively or proactively. Every organization depends on information, because it is a hugely valuable asset like other business assets. Therefore, it should be protected by all means for the smooth running of the business. Information risk management is extremely beneficial to this organization because it operates in an interconnected business environment. Also, the company’s crucial information may be exposed to a wide and growing variety of vulnerabilities and threats. Many causes of damage, such as computer hacking, denial of service attacks and malicious code, have become more ambitious, increasingly sophisticated and more common than ever before.

Risk management in an organization is hugely important because it helps ensure that all critical information is secure from any attack or intrusion. With proper management of risks, the organization gives its customers confidence, because their information, such as credit card numbers and financial records, is kept secure. It also helps the organization’s activities run smoothly without interruption from any attack.

The consequences of neglecting risk management are severe. If the company’s financial details are compromised in any way, it may lead to a great loss. When information systems are not well managed, service delivery to customers will be extremely poor, because if a problem arises in the systems used, the IT staff responsible for maintenance may not be able to pinpoint its cause immediately. Correcting it will then take a long time, wasting a great deal of valuable time.

There are several risk management techniques the company can use. One of them is identifying likely attack methods, techniques and tools. Listing all the threats the organization faces helps the security administrator identify the various techniques, tools and methods that can be used in an attack. Methods of attack range from password attacks and worms to viruses and email cracking. It is mandatory that the administrator stay continuously familiar with this area, because new tools, techniques and methods for circumventing security measures are devised constantly.

Another technique is establishing reactive and proactive strategies. For each method, the security plan should therefore comprise both a reactive and a proactive strategy. The proactive strategy is a set of steps that help minimize the vulnerabilities of the existing security policy and develop a contingency plan. To develop a proactive strategy, the damage an attack can cause to the system, and the vulnerabilities and weaknesses exploited during an attack, are determined. The reactive strategy helps personnel assess the damage caused. It also helps them either recover quickly from the damage or implement a contingency plan that gets business functions running again.

The third method is testing. It involves performing simulated attacks on the organization's systems with the aim of assessing where vulnerabilities exist. This then helps in adjusting controls and security policies accordingly. Such tests should not be run on live production systems, because the outcome could be disastrous. All attack scenarios should be tested physically and documented, so that the results can be used to determine the best security policies and controls to implement. Testing should be revised and evaluated periodically because it is an iterative process.

If an adverse event occurs in an organization, such as the loss of data or information that is extremely critical to the organization, and no backup was made, the organization will suffer a significant loss. This loss will adversely affect all the functions and activities of the organization. For example, if all the financial records are lost, the organization will run into considerable financial losses because it will not be able to track its financial records and transactions.

Since the organization covers a large geographical area, its different locations are interconnected by a network. If this connection is interfered with or disconnected by attackers, it will be very hard for the IT technicians to pinpoint the cause of the problem and find a solution. If the network disconnection is not resolved quickly, there will be no link between the stations; all the activities of the organization will stall and no transactions will occur, resulting in huge losses and wasted time.

If a hacker gains access to the company’s confidential information, especially financial records, he or she may do anything with it, including altering the figures in the financial database or even deleting them. In that case, the organization’s financial officers will not be able to report the real figures. The organization will be in substantial trouble because its records will never reconcile, leading to mistrust and eventually bringing down the business.

The results of the risk identification include the following. The organization should employ competent IT personnel who will take the security of the information in the organization's network into consideration. Also, the organization should raise its employees’ awareness of the various basic security measures. This will, in return, make the work of the IT personnel easier and hence ensure the smooth running of activities.

Therefore, information security risk management is extremely crucial to the organization's risk awareness. Protection and information security are critical to the organization, but they cannot guarantee success. To facilitate effective information protection, a risk management approach that balances the need for information security against all the organization's other needs enables the organization to be successful and efficient in its activities. For a long time information has been associated with value, but recently motivated and capable adversaries have exploited this value. So the organization needs to make information risk management its priority if it wants to keep its data secure, maintain an upstanding reputation and gain competitive advantage; all of this will bring the organization success in all aspects of its operation.
