Without disclosing names and titles
School: University of Maryland, University College
Course: 660
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 6
Uploaded by nalalover1992
Without disclosing names and titles, can you think of examples that you have encountered in your work, or read of (bring us links to online stories), that illustrate the types of human risks to systems that IT auditors have to be thinking about? What do you think is the most common?

1) Human risks to systems that IT auditors have to be thinking about

Examples:
i. A staff member increased his own credit card spending limit because he was responsible for approving customers' credit cards. This individual could have swindled the organization out of millions of dollars had the auditors not discovered the unusually high volume of activity on his account.
ii. The American and naturalized Russian former computer intelligence consultant and whistleblower with the codename "Verax" is a prime example of an insider threat. He used the passwords of his co-workers to obtain sensitive government data and was a single point of failure for several data breaches.
iii. Another example I experienced was the delayed termination of vendor users after deployment of the application into the production environment. The client handles Electronic Protected Health Information (EPHI), and the terms of the contract and the Statement of Work (SOW) are that vendor users who are super users will be disabled after the go-live date, but because of the euphoria of the successful launch of the application, the process owner did not terminate the vendor users in a timely manner. One of the super users had a personal issue with a patient; she accessed the patient's health information and disclosed it on social media. The patient instituted legal proceedings, and the health institution had to agree to an out-of-court settlement with the patient to avoid the bad publicity and the damage to their reputation.
iv. Another one I experienced was a cleaning crew member who disconnected the server while cleaning the server room, which disrupted the organization's backup process.
v. A typographical error describing an illegitimate email as legitimate was the proximate cause of the data breach that led to the loss of the election; the incident is tagged by the American public as "but her emails." Russian hackers accessed the emails during the 2016 election because of an error by a member of the campaign team.
vi. A fictitious network name was broadcast to Wi-Fi users at a coffee shop, making users believe that they were connected to the right network, while software was retrieving personal information from their devices.
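Examples (i) and (iii) above are both findings an IT auditor can test for mechanically: a user approving a change to their own account (a segregation-of-duties violation) with an unusually high approval volume, and privileged vendor accounts that remain enabled after the contractual go-live cut-off. The script below is an added illustration, not part of the original post or of any real audit tool; the records, field names (account_owner, approver, account_type, role) and the go-live and audit dates are all constructed for the example.

```python
"""Two constructed IT-audit checks: self-approval / volume outliers (example i)
and stale privileged vendor accounts after go-live (example iii).

Added example; all data and field names are assumptions, not a real schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LimitChange:
    """One credit-limit change from a constructed approval log."""
    account_owner: str   # account whose limit was changed
    approver: str        # staff member who approved the change
    new_limit: int       # new limit in dollars


@dataclass(frozen=True)
class Account:
    """One user account from a constructed access list."""
    username: str
    account_type: str    # "employee" or "vendor"
    role: str            # e.g. "super_user" or "clerk"
    enabled: bool


# ---- check 1: segregation of duties and approval-volume outliers (example i)

def self_approvals(changes):
    """Changes where the approver altered their own account: a SoD violation."""
    return [c for c in changes if c.approver == c.account_owner]


def high_volume_approvers(changes, max_per_approver):
    """Approvers whose approval count exceeds the audit threshold."""
    counts = Counter(c.approver for c in changes)
    return sorted(a for a, n in counts.items() if n > max_per_approver)


# ---- check 2: vendor super users still enabled after go-live (example iii)

def stale_vendor_super_users(accounts, go_live, audit_date):
    """Enabled vendor super-user accounts found after the go-live date.

    The contract terms in the post require these to be disabled at go-live,
    so every username returned after that date is an audit finding.
    """
    if audit_date <= go_live:
        return []          # cut-off not yet reached; nothing to report
    return sorted(
        a.username for a in accounts
        if a.account_type == "vendor" and a.role == "super_user" and a.enabled
    )


# ---- constructed sample data ----------------------------------------------

CHANGES = [
    LimitChange("cust-1001", "staff_a", 5000),
    LimitChange("cust-1002", "staff_a", 7500),
    LimitChange("staff_b", "staff_b", 50000),   # approved his own increase
    LimitChange("cust-1003", "staff_b", 3000),
    LimitChange("cust-1004", "staff_b", 3000),
    LimitChange("cust-1005", "staff_b", 3000),
]

ACCOUNTS = [
    Account("vendor_admin1", "vendor", "super_user", True),    # should be off
    Account("vendor_admin2", "vendor", "super_user", False),   # correctly off
    Account("vendor_support", "vendor", "clerk", True),        # not privileged
    Account("alice", "employee", "super_user", True),          # in scope? no
]

GO_LIVE = date(2023, 10, 1)        # constructed go-live date


def run_audit(audit_date=date(2023, 12, 6)):
    """Run both checks and return the findings keyed by check name."""
    return {
        "self_approvals": [c.account_owner for c in self_approvals(CHANGES)],
        "high_volume_approvers": high_volume_approvers(CHANGES, max_per_approver=3),
        "stale_vendor_super_users": stale_vendor_super_users(ACCOUNTS, GO_LIVE, audit_date),
    }


if __name__ == "__main__":
    for check, hits in run_audit().items():
        print(f"{check}: {hits if hits else 'no findings'}")
```

Both checks are deliberately simple joins over exported records, which is the form most audit evidence takes; the thresholds (an approval count of 3, the go-live date) are inputs an auditor would take from the policy or contract rather than constants baked into a tool.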
What do you think is the most common?

Human error is the most common human risk that IT auditors must be thinking about. Human error consists of unintentional mistakes or oversights by employees that can lead to IT system vulnerabilities and breaches. This can include actions such as misconfigurations, accidental data deletions, incorrect software installations, or improper handling of sensitive information. The root causes of data breaches are human errors, manual processes, and legacy or incompatible systems (Li et al., 2023).
Human risks to IT systems are vulnerabilities and breaches that may occur because of a lack of training; they may also be intentional, coming from a disgruntled staff member or from external malicious attackers. An insider threat comes from legitimate users with authorized access who abuse their privileges (Jones, 2022). Insider threats may come from malicious users, vendors, and contractors.
Other examples are:

1. Lack of risk assessment: The absence of a formal strategic risk assessment covering the assets that are critical to an organization increases the likelihood that vulnerabilities will be exploited by threats. Risk assessment is a process to identify potential hazards and, through a business impact analysis, analyze what could happen if a hazard occurs.
2. Social Engineering Attacks: Social engineering is not a cyberattack but a major human threat to IT systems that occurs when bad actors or unscrupulous individuals gain the trust of their targets so that they lower their guard and give up sensitive information that compromises IT systems. It works by psychologically manipulating IT system users to instill fear, excitement, or urgency. Techniques used in social engineering attacks include phishing emails (attacks to steal money or identity), pretexting (creating a false scenario to obtain information), baiting (using enticing incentives), and impersonation (pretending to be another person). Regular user awareness training can reduce social engineering attacks: complying with password complexity requirements, being able to identify phishing scams, and not sharing sensitive information through insecure channels. Social engineering is also called human hacking.
3. Physical Security Breaches: Physical security breaches occur when unauthorized individuals gain physical access to areas where IT systems are located. This can result in theft or unauthorized copying of data, tampering with hardware or network infrastructure, or unauthorized use of computing resources. Physical security can be achieved with the use of warning signs, trenches, security guards, bollards, and restricted access points.
4. Third-Party Risks: Organizations often rely on third-party vendors, contractors, or service providers who may have access to IT systems. Inadequate security practices by these third parties, such as weak authentication measures or poor data protection, can introduce risks to the organization's IT systems.

5. Bring Your Own Device (BYOD): The use of personal devices, such as smartphones or laptops, within the workplace can introduce security risks. Unsecured devices, unpatched software, or unauthorized applications on BYOD devices can lead to data breaches or unauthorized access to IT systems.

6. Mishandling Data: Improper handling, storage, or disposal of sensitive data can result in breaches or unauthorized access. This can happen through actions like leaving sensitive documents unattended, improper use of removable media, or failing to encrypt or securely delete data.

7. Inadequate Security Awareness Training: Inadequate security awareness training makes employees prone to disregarding relevant policies and procedures. Security awareness training is a component of effective cybersecurity that stops human errors and insider threats from causing data breaches (Li et al., 2023). It is an organization-wide initiative to help employees identify and avoid cyber-threats in the workplace.
Conclusion: According to Tysiac (2015), to mitigate these human risks, organizations should implement robust cybersecurity policies, implement IT governance, provide regular training and awareness programs, enforce strong access controls and authentication mechanisms, and regularly monitor and audit user activities. In addition, the skills gap of internal auditors needs to be closed, while complex issues are outsourced to subject matter experts. Creating a security-conscious culture and promoting good cybersecurity practices among employees is crucial in reducing human risks to IT systems.
References

Harding, L. (2016, December). Top Democrat's emails hacked by Russia after aide made typo, investigation finds. The Guardian. https://www.theguardian.com/us-news/2016/dec/14/dnc-hillary-clinton-emails-hacked-russia-aide-typo-investigation-finds

Jones, T. (2022, December). The 12 latest types of social engineering attacks (2023). AURA. https://www.aura.com/learn/types-of-social-engineering-attacks

Li et al. (2023, March). Where is IT in information security? The interrelationship among IT investment, security awareness, and data breaches. MIS Quarterly. https://eds-s-ebscohost-com.ezproxy.umgc.edu/eds/pdfviewer/pdfviewer?vid=2&sid=1451bec8-a87e-41d9-98c5-189ade4ce158%40redis

Martijn, M. (2014, October). Maybe better if you don't read this story on public Wi-Fi. Matter. https://medium.com/matter/heres-why-public-wifi-is-a-public-health-hazard-dd5b8dcb55e6#.jpmoralkx

Tysiac, K. (2015, August). How internal audit can help manage 10 top technology risks. Journal of Accountancy. https://www.journalofaccountancy.com/news/2015/aug/internal-audit-technology-risks-201512911.html