In today's world where Information Technology is an integral part of the vast majority of organisations, security is a major issue that must be addressed. Organisations cannot ignore the fact that their systems and data must be protected from a variety of threats and backed-up in case of breakdown or certain failures. President Bush's recent budget proposal called for the United States' I.T. security spending to increase to $4.2 billion in this fiscal year compared to $2.7 billion last year. Global spending within this area is expected to rise from $47.8 to $52.4 billion under the budget's proposal. These figures clearly indicate how important the security of information systems is within modern society.
This point was highlighted by Andrew Pickup, small business manager for Microsoft, who said "over the last twelve months, we have seen two key trends in the small business I.T. market [one being] a significant increase in investment in I.T. security." Hoffman (1977, p.2) defines data security as "the protection of data against accidental or intentional destruction, disclosure, or modification." He then defines computer or system security as referring to "the technological safeguards and managerial procedures which can be applied to computer hardware, programs and data to assure that organisational assets and individual privacy are protected." A definition for the generalised term of information systems security given by Peppard (1993, p.170) is "the protection of the confidentiality, integrity and availability of information processed by an information system, and of the system itself."
An organisation must identify the main threats to both types of security in order to operate as efficiently and as safely as possible. An investigation by APSAIRD (an association of French Insurance Companies) in 1986 listed the estimated losses due to information system security breaches. There were a number of different categories of breaches - physical accidents and breakdowns for example. Fraud was identified as the top threat, in terms of money lost, with physical accident second and theft last. Please refer to Appendice 1 for the complete figures found during the investigation.
A more recent study by the British Chamber of Commerce has discovered that 7% of companies have had their information systems hacked into in the last twelve months, while an enormous 93% had experienced virus attacks. Kanish (1997) defines a virus as "a computer program that is intentionally written to attach itself to other programs or disk boot sectors and replicate whenever those programs are executed or those infected disks are accessed." It must be explained, however, that a properly coded, or well-written virus will not damage a system, as it will only attach itself to program files. The real damage that occurs from virus infections is caused by intentionally destructive code that normally executes when certain conditions are met - a set time or date for example.
A more modern definition by Clifton, Ince & Sutcliffe (2000, p.450) sees a virus as "a hidden piece of program intended to cause errors, corruption or destruction of data or programs at a subsequent date." A recent and very prominent example of the damage a virus can cause is the 'Melissa' e-mail virus. This particular virus clogged up e-mail systems worldwide when it was released in 1999, eventually causing an estimated $80 million worth of damage to personal, business and government computer systems by jamming servers.
The e-mail that contained the virus promised passwords to numerous pornographic websites but simply infected the user's computer when it was opened. Once accessed, the e-mail would then be sent to every person within that computer's address book, causing a massive influx of mail to many servers. The designer, David Smith (now sentenced to 20 months in jail), deliberately made the virus undetectable to the majority of modern anti-virus software.
The figures from the British Chamber of Commerce and the example above reinforce the fact that organisations must take precautions and secure their systems against virus attacks. There are a wide variety of virus detecting packages available off-the-shelf, Norton or McAfee for example. The example of the Melissa virus only serves to demonstrate, however, that they are not foolproof by any means, and that competent programmers can evade them. Anti-virus software is likely to be more than adequate for a home PC, but for an organisation looking to protect its systems, other methods must be explored.