
Ch. 11
Computer Crime and Information Technology Security
高立翰
OUTLINE
Carter’s taxonomy

Risks and threats

IT controls

COBIT
Learning objectives
1. Explain Carter’s taxonomy of computer crime.
2. Identify and describe business risks and threats to information systems.
3. Discuss ways to prevent and detect computer crime.
4. Explain the main components of the CoBIT framework and their implications for IT security.

AIS - Ch. 11 (http://ppt.cc/mJFq) 3


Carter’s taxonomy (1/2)
Four-part system for classifying computer crime
A specific crime may fit more than one classification
The taxonomy provides a useful framework for discussing computer crime in all types of organizations.


Carter’s taxonomy (2/2)
- Target
  • Targets the system or its data
  • Example: DoS attack
- Instrumentality
  • Uses the computer to further a criminal end
  • Example: Phishing
- Incidental
  • Computer not required, but related to the crime
  • Example: Extortion
- Associated
  • New versions of old crimes
  • Example: Cash larceny


Business risks and threats (1/2)
See pages 197-200 for detailed descriptions
Fraud
Error
Service interruption and delays
Disclosure of confidential information
Intrusions


Business risks and threats (2/2)

Information manipulation
Malicious software
Denial-of-service attacks
Web site defacements
Extortion


IT controls – Basic principles
Confidentiality
  • Data are held in confidence and are protected from unauthorized disclosure
Data integrity
  • Data stored in an information system are the same as in the source documents
Availability
  • Data can be obtained within the required time frame

Fig. 11.1 The C-I-A Triad


IT controls – Control taxonomy
Physical controls
  • Guards, locks, fire suppression systems
Technical controls
  • Biometric access controls, malware protection
Administrative controls
  • Password rotation policy, password rules, overall IT security strategy

Fig. 11.2 Control taxonomy (physical controls, technical controls, administrative controls)
What is CoBIT?
- Control Objectives for Information and Related Technology
- From the Information Systems Audit and Control Association (ISACA)
- It’s a framework for IT governance and management
- Two main parts:
  • Principles: five ideas that form the foundation of strong IT governance and management
  • Enablers: seven tools that match the capabilities of IT tools with users’ needs


CoBIT five principles (1/3)

Fig.: CoBIT 5 principles
1. Meeting stakeholder needs
2. Covering the enterprise end-to-end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management


CoBIT five principles (2/3)
1. Meeting stakeholder needs
  • Different stakeholder groups have different information needs.
2. Covering the enterprise end-to-end
  • A well-designed plan for managing information covers the whole entity, not just the IT function.
3. Applying a single integrated framework
  • The principle incorporates and builds on other frameworks to produce a unified set of ideas.


CoBIT five principles (3/3)
4. Enabling a holistic approach
  • CoBIT 5 integrates functions throughout the entity, whether its organizational structure is based on function, product, or some other principle.
5. Separating governance from management
  • Governance focuses on strategic decision making, goal setting, and prioritization
  • Management focuses more on the day-to-day actions needed to achieve those goals


CoBIT seven enablers

See Table 11.1 (p.204) for examples


Q&A