Weakness is a better teacher than strength ... - PDF Archive
318 Chapter 9
• Value to adversaries: How much is it worth to an organization to know what the
competition is doing? Many organizations have established departments tasked with
the assessment and estimation of the activities of their competition. Even organizations
in traditionally nonprofit industries can benefit from knowing what is going on
in political, business, and competitive organizations. Stories of industrial espionage
abound, including the urban legend of Company A encouraging its employees to hire
on as janitors at Company B. As custodial workers, the employees could snoop
through open terminals, photograph and photocopy unsecured documents, and rifle
through internal trash and recycling bins. Such legends support a widely accepted
concept: Information can have extraordinary value to the right individuals. Similarly,
stories are circulated of how disgruntled employees, soon to be terminated, might steal
information and present it to competitive organizations to curry favor and land new
employment. Those who hire such applicants in an effort to gain from their larceny
should consider whether benefiting from such a tactic is wise. After all, such thieves
could presumably repeat their activities when they become disgruntled with their
newest employers.
• Loss of productivity while the information assets are unavailable: When a power failure
occurs, effective use of uninterruptible power supply (UPS) equipment can prevent
data loss, but users cannot create additional information. Although this is not an
example of an attack that damages information, it is an instance in which a threat
(deviations in quality of service from service providers) affects an organization's
productivity. The hours of wasted employee time, the cost of using alternatives, and
the general lack of productivity will incur costs and can severely set back a critical
operation or process.
• Loss of revenue while information assets are unavailable: Have you ever been in a
retail store when your credit card would not scan? How many times did the salesperson
rescan the card before resorting to entering the numbers manually? How long did
it take to enter the numbers manually in contrast to the quick swipe? What if the
credit card verification process was off-line? Did the organization have a manual process
to validate or process credit card payment in the absence of the familiar approval
system? Many organizations have all but abandoned manual backups for automated
processes. Sometimes, businesses may even have to turn away customers because their
automated payments systems are inoperative. Most grocery stores no longer label
each item with the price, because the UPC scanners and the related databases calculate
the costs and inventory levels dynamically. Without these systems, could your grocery
store sell goods? How much would the store lose if it could not? It has been estimated
that "43 percent of all businesses that close their doors due to a disaster or crisis, even
for one day, never reopen them again. An additional 28 percent fail during the next
three to five years."4 Imagine, instead of a grocery store, an online book retailer such
as Amazon.com suffering a power outage. The entire operation is instantly closed.
Even if Amazon's offering system were operational, what if the payment systems were
offline? Customers could make selections, but could not complete their purchases.
While dotcom businesses may be more susceptible to suffering a loss of revenue as a
result of a loss of information, most organizations would be unable to conduct business
if certain pieces of information were unavailable.
Once an organization has estimated the worth of various assets, it can begin to calculate the
potential loss from the exploitation of vulnerability or a threat occurrence. This process