Course: A0334/Online Environment Control (Pengendalian Lingkungan Online)
Year: 2005
Version: 1/1

Session 4
Information at Risk

Learning Outcomes
By the end of this session, students are expected to be able to:
• State information risks

Outline
• The Marketing Dimension
  – What ‘Marketing Aspects’?
  – These Marketing Aspects!
  – The Expectation: Experience Equation
  – But What Can Happen?
    • The ‘Mistake’ (or ‘I didn’t Mean to destroy Your Livelihood’)
    • The ‘Game’ (‘I Wanted to Prove That I Could “Take Someone Out”’)
    • The ‘Idiot’ (or someone Who Thinks that They are ‘Above All of This’)
    • The ‘Good Idea’ (or ‘Let’s Do This Using “e”’ – Without Thinking)
    • The ‘Unhappy Employee’ (either as A Cause or as A Victim)
  – Summary
• Stamping Out The Bugs

The Marketing Dimension

What ‘Marketing Aspects’?
• Marketing surrounding the ‘e-world’ should be simple – everyone will utilise ‘e’, therefore turn your communications to directing prospects and clients to the appropriate website and to your email address and carry on.
• Most of us have computers.
• Suddenly the marketing manager is looking rather vulnerable, because his/her organisation is vulnerable, and the fallout will be lack of trust and reputation. Which leads to brand problems. We all know that good brand reputation is difficult to create, easy to damage and problems. And today, damage is far easier to create.
• You were pretty clear about whether or not your organisation was a ‘target’.
• It is never the other way round: you have to take the information risk management decisions at board level and then inform the IT department of the criteria against which to work. It is madness to expect the IT people to understand the relative value of each type of information within your organisation and its relative importance in terms of confidentiality, integrity and availability.

These Marketing Aspects!
• You are responsible for the protection and enhancement of your brand.
• Pre-‘e’, your brand was similarly affected by your reputation.
• What is worse, they often do not realise what they are doing to you – they do not understand the consequences of their actions.
• It is too easy to do damage electronically and it is made too easy by the very fact that we rely on communicating by a system that was never designed to be secure. The internet was originally built to allow communication amongst academic groups, known for their preference for sharing information. It was not supposed to be the world’s ‘trusted business backbone’.
• The other reason why it is too easy to create ‘electronic damage’ is that too many organisations and individuals do not understand why they must take steps to protect their ‘e’-base. They think (if they think about it at all) that it is ‘someone else’s responsibility’. It is seen as a technological issue – even by managers who should know better.
• Trust and confidence affect brands and marketing has responsibility for the brand. Therefore marketing has direct responsibility for ensuring that your organisation promotes and ensures ‘e-trust’ and ‘e-confidence’. Furthermore, marketing must also take responsibility for all internal and external communications on this issue, otherwise they will occur in a piecemeal fashion, undertaken by people who are not trained in communications skills.

The Expectation: Experience Equation
• Whatever we do, we cannot claim to have ‘e-trust’ and ‘e-confidence’ unless we have genuinely got it.
  Remember that many so-called ‘hackers’ carry out attacks just to be able to say that they have got through a specific organisation’s defences. You may claim to be secure – they may well try you out.

But What Can Happen?
• Viruses, worms, trojans, deliberate attacks (external hackers, internal hackers, recent leaver-hackers, hactivists), random attacks from the same communities and errors (as all the above can be ‘let in’ by mistake) and, in addition, simple human error can, in a poorly protected system, wreak havoc.

The ‘Mistake’ (or ‘I didn’t Mean to destroy Your Livelihood’)
• Recently a ‘hactivist’ (someone who believes that their hacking is ‘ethical’ because they only break into sites and systems that are owned or run by organisations that they don’t agree with) destroyed a company that was totally innocent, even of the so-called ‘crime’ that the hactivist was so worked-up about.

The ‘Game’ (‘I Wanted to Prove That I Could “Take Someone Out”’)
• Even more recently an Internet Service Provider (ISP) – not exactly an organisation without ‘e’-technical nous – suffered a total ‘distributed denial of service’ attack. This meant that none of their customers could use their services for over a week – they went out of business as a direct result.

The ‘Idiot’ (or someone Who Thinks that They are ‘Above All of This’)
• A large IT company had a very costly virus attack, despite the fact that it prides itself on assisting many areas of ‘UK plc’ to solve technology challenges.

The ‘Good Idea’ (or ‘Let’s Do This Using “e”’ – Without Thinking)
• A company offered free internet advertising to clients of another service. Someone ‘hacked in’ and changed the prices shown. Apart from the nightmare of sorting it all out, the reputation of the company was badly shaken when the object of the exercise was the complete opposite!

The ‘Unhappy Employee’ (either as A Cause or as A Victim)
• Consider two scenarios.
• The first involved a person who saw a pornographic scene on another employee’s PC screen.
• The second involved someone who was, appropriately, fired from their job. Their employer was excellent in providing new employees with passwords etc – but not at all good at removing them when people left, even in bad circumstances. The ex-employee decided to ‘get even’ and logged into the company system using their passwords, and altered many detailed items in areas such as personnel records, payroll and costing and pricing.

Summary
• It is marketing’s job to control communication about information security, inside and outside the organisation. A company’s approach to security will directly affect its marketing positioning and organisational differentiation. Security failure can destroy a company’s reputation – or even the company itself.
• Information security is not a cost, it is a marketing investment.
• E-business and e-government demand the electronic exchange of ever-more important information.
• Marketing should identify and promote the internal and external advantages of having appropriate information security.
• Marketing should create two communications plans: one internal, one external. Finally, marketing must ensure that all communications are written in suitable language for each target audience – internal and external – otherwise the messages will not be understood.

Stamping Out The Bugs
• Tony Neate has spent a total of 27 years as a detective, 13 years of this working in commercial fraud and eight years in computer crime, so he knows all about crime – cybercrime and other forms.