《通信工程专业英语（第二版）》课件Unit 10

Unit10TextAInformationSecurityInformationSecurityInformationsecurity[1],sometimesshortenedto

InfoSec,isthepracticeofpreventingunauthorizedaccess,use,disclosure,disruption,modification,inspection,recordingordestructionof

information.Itisageneraltermthatcanbeusedregardlessoftheformthedatamaytake(e.g.electronic,physical).TextTextWordsNotesDiscussionHome1.Overview(1)ITsecuritySometimesreferredtoas

computersecurity,informationtechnologysecurity(ITsecurity)isinformationsecurityappliedtotechnology(mostoftensomeformofcomputersystem).Itisworthwhiletonotethata

computer

doesnotnecessarilymeanahomedesktop.Acomputerisanydevicewitha

processor

andsomememory.Suchdevicescanrangefromnon-networkedstandalonedevicesassimpleascalculators,tonetworkedmobilecomputingdevicessuchassmartphonesandtabletcomputers.ITsecurityspecialistsarealmostalwaysfoundinanymajorenterprise/establishmentduetothenatureandvalueofthedatawithinlargerbusinesses.Theyareresponsibleforkeepingallofthe

technology

withinthecompanysecurefrommaliciouscyberattacksthatoftenattempttobreachintocriticalprivateinformationorgaincontroloftheinternalsystems.TextTextWordsNotesDiscussionHome(2)InformationassuranceTheactofprovidingtrustoftheinformation,thattheConfidentiality,IntegrityandAvailability(CIA)oftheinformationarenotviolated,e.g.ensuringthat

data

isnotlostwhencriticalissuesarise.Theseissuesinclude,butarenotlimitedto:naturaldisasters,computer/servermalfunctionorphysicaltheft.Sincemostinformationisstoredoncomputersinourmodernera,informationassuranceistypicallydealtwithbyITsecurityspecialists.Acommonmethodofprovidinginformationassuranceistohaveanoff-sitebackupofthedataincaseoneofthementionedissuesarise.TextWordsNotesDiscussionHome(3)ThreatsInformationsecuritythreatscomeinmanydifferentforms.Someofthemostcommonthreatstodayaresoftwareattacks,theftofintellectualproperty,identitytheft,theftofequipmentorinformation,sabotage,andinformationextortion.Mostpeoplehaveexperiencedsoftwareattacksofsomesort.Viruses,worms,phishingattacks,andTrojanhorsesareafewcommonexamplesofsoftwareattacks.ThetheftofintellectualpropertyhasalsobeenanextensiveissueformanybusinessesintheITfield.Identitytheftistheattempttoactassomeoneelseusuallytoobtainthatperson'spersonalinformationortotakeadvantageoftheiraccesstovitalinformation.(tobecontinued)TextWordsNotesDiscussionHome(Continued)Theftofequipmentorinformationisbecomingmoreprevalenttodayduetothefactthatmostdevicestodayaremobile.Cellphonesarepronetotheftandhavealsobecomefarmoredesirableastheamountofdatacapacityincreases.Sabotageusuallyconsistsofthedestructionofanorganization′swebsiteinanattempttocauselossofconfidenceonthepartofitscustomers.Informationextortionconsistsoftheftofacompany′spropertyorinformationasanattempttoreceiveapaymentinexchangeforreturningtheinformationorpropertybacktoitsowner,aswithransomware.Therearemanywaystohelpprotectyourselffromsomeoftheseattacksbutoneofthemostfunctionalprecautionsisusercarefulness.TextWordsNotesDiscussionHomeGovernments,military,corporations,financialinstitutions,hospitalsandprivatebusinessesamassagreatdealofconfidentialinformationabouttheiremployees,customers,products,researchandfinancialstatus.Mostofthisinformationisnowcollected,processedandstoredonelectroniccomputersandtransmittedacrossnetworkstoothercomputers.TextWordsNotesDiscussionHomeShouldconfidentialinformationaboutabusiness'customersorfinancesornewproductlinefallintothehandsofacompetitororablackhathacker,abusinessanditscustomerscouldsufferwidespread,irreparablefinancialloss,aswellasdamagetothecompany'sreputation.Fromabusinessperspective,informationsecuritymustbebalancedagainstcost;theGordon-LoebModel[2]providesamathematicaleconomicapproachforaddressingthisconcern.TextWordsNotesDiscussionHomeFortheindividual,informationsecurityhasasignificanteffectonprivacy,whichisviewedverydifferentlyinvariouscultures.TextWordsNotesDiscussionHomeThefieldofinformationsecurityhasgrownandevolvedsignificantlyinrecentyears.Itoffersmanyareasforspecialization,includingsecuringnetworksandalliedinfrastructure,securingapplicationsanddatabases,securitytesting,informationsystemsauditing,businesscontinuityplanninganddigitalforensics.TextWordsNotesDiscussionHome(4)ResponsestothreatsPossibleresponsestoasecuritythreatorriskare:•reduce/mitigate–implementsafeguardsandcountermeasurestoeliminatevulnerabilitiesorblockthreats•assign/transfer–placethecostofthethreatontoanotherentityororganizationsuchaspurchasinginsuranceoroutsourcing•accept–evaluateifcostofcountermeasureoutweighsthepossiblecostoflossduetothreat•ignore/reject–notavalidorprudentdue-careresponseTextWordsNotesDiscussionHome2.DefinitionsThedefinitionsofInfoSecsuggestedindifferentsourcesaresummarizedbelow(adoptedfrom).1)"Preservationofconfidentiality,integrityandavailabilityofinformation.Note:Inaddition,otherproperties,suchasauthenticity,accountability,non-repudiationandreliabilitycanalsobeinvolved."(ISO/IEC27000:2009)2)"Theprotectionofinformationandinformationsystemsfromunauthorizedaccess,use,disclosure,disruption,modification,ordestructioninordertoprovideconfidentiality,integrity,andavailability."(CNSS,2010)TextWordsNotesDiscussionHome3)"Ensuresthatonlyauthorizedusers(confidentiality)haveaccesstoaccurateandcompleteinformation(integrity)whenrequired(availability)."(ISACA,2008)4)"InformationSecurityistheprocessofprotectingtheintellectualpropertyofanorganisation."(Pipkin,2000)5)"...informationsecurityisariskmanagementdiscipline,whosejobistomanagethecostofinformationrisktothebusiness."(McDermottandGeer,2001)TextWordsNotesDiscussionHome6)"Awell-informedsenseofassurancethatinformationrisksandcontrolsareinbalance."(Anderson,J.,2003)7)"Informationsecurityistheprotectionofinformationandminimizestheriskofexposinginformationtounauthorizedparties."(VenterandEloff,2003)TextWordsNotesDiscussionHome8)"InformationSecurityisamultidisciplinaryareaofstudyandprofessionalactivitywhichisconcernedwiththedevelopmentandimplementationofsecuritymechanismsofallavailabletypes(technical,organizational,human-orientedandlegal)inordertokeepinformationinallitslocations(withinandoutsidetheorganization'sperimeter)and,consequently,informationsystems,whereinformationiscreated,processed,stored,transmittedanddestroyed,freefromthreats.Threatstoinformationandinformationsystemsmaybecategorizedandacorrespondingsecuritygoalmaybedefinedforeachcategoryofthreats.(tobecontinued)TextWordsNotesDiscussionHome(Continued)Asetofsecuritygoals,identifiedasaresultofathreatanalysis,shouldberevisedperiodicallytoensureitsadequacyandconformancewiththeevolvingenvironment.Thecurrentlyrelevantsetofsecuritygoalsmayinclude:confidentiality,integrity,availability,privacy,authenticity&trustworthiness,non-repudiation,accountabilityandauditability."(CherdantsevaandHilton,2013)TextWordsNotesDiscussionHome3.Basicprinciples(1)KeyconceptsTheCIAtriadofconfidentiality,integrity,andavailabilityisattheheartofinformationsecurity.(ThemembersoftheclassicInfoSectriad—confidentiality,integrityandavailability—areinterchangeablyreferredtointheliteratureassecurityattributes,properties,securitygoals,fundamentalaspects,informationcriteria,criticalinformationcharacteristicsandbasicbuildingblocks.)Thereiscontinuousdebateaboutextendingthisclassictrio.OtherprinciplessuchasAccountabilityhavesometimesbeenproposedforaddition–ithasbeenpointedoutthatissuessuchasnon-repudiationdonotfitwellwithinthethreecoreconcepts.TextWordsNotesDiscussionHomeIn1992andrevisedin2002,theOECD'sGuidelinesfortheSecurityofInformationSystemsandNetworksproposedtheninegenerallyacceptedprinciples:awareness,responsibility,response,ethics,democracy,riskassessment,securitydesignandimplementation,securitymanagement,andreassessment.Buildinguponthose,in2004theNIST'sEngineeringPrinciplesforInformationTechnologySecurityproposed33principles.Fromeachofthesederivedguidelinesandpractices.TextWordsNotesDiscussionHomeIn2002,DonnParkerproposedanalternativemodelfortheclassicCIAtriadthathecalledthesixatomicelementsofinformation.Theelementsareconfidentiality,possession,integrity,authenticity,availability,andutility.ThemeritsoftheParkerianHexadareasubjectofdebateamongstsecurityprofessionals.TextWordsNotesDiscussionHome(Continued)Asetofsecuritygoals,identifiedasaresultofathreatanalysis,shouldberevisedperiodicallytoensureitsadequacyandconformancewiththeevolvingenvironment.Thecurrentlyrelevantsetofsecuritygoalsmayinclude:confidentiality,integrity,availability,privacy,authenticity&trustworthiness,non-repudiation,accountabilityandauditability."(CherdantsevaandHilton,2013)TextWordsNotesDiscussionHomeIn2011,TheOpenGrouppublishedtheinformationsecuritymanagementstandardO-ISM3.Thisstandardproposedanoperationaldefinitionofthekeyconceptsofsecurity,withelementscalled"securityobjectives",relatedtoaccesscontrol,availability,dataquality,complianceandtechnical.Thismodelisnotcurrentlywidelyadopted.TextWordsNotesDiscussionHome(2)ConfidentialityIninformationsecurity,confidentiality"istheproperty,thatinformationisnotmadeavailableordisclosedtounauthorizedindividuals,entities,orprocesses"(ExcerptISO27000).TextWordsNotesDiscussionHome(3)IntegrityIninformationsecurity,dataintegritymeansmaintainingandassuringtheaccuracyandcompletenessofdataoveritsentirelife-cycle.

Thismeansthatdatacannotbemodifiedinanunauthorizedorundetectedmanner.Thisisnotthesamethingas

referentialintegrity

in

databases,althoughitcanbeviewedasaspecialcaseofconsistencyasunderstoodintheclassic

ACID[3]

modelof

transactionprocessing.Informationsecuritysystemstypicallyprovidemessageintegrityinadditiontodataconfidentiality.TextWordsNotesDiscussionHome(4)AvailabilityForanyinformationsystemtoserveitspurpose,theinformationmustbe

available

whenitisneeded.Thismeansthatthecomputingsystemsusedtostoreandprocesstheinformation,the

securitycontrols

usedtoprotectit,andthecommunicationchannelsusedtoaccessitmustbefunctioningcorrectly.

Highavailability

systemsaimtoremainavailableatalltimes,preventingservicedisruptionsduetopoweroutages,hardwarefailures,andsystemupgrades.Ensuringavailabilityalsoinvolvespreventing

denial-of-serviceattacks,suchasafloodofincomingmessagestothetargetsystemessentiallyforcingittoshutdown.TextWordsNotesDiscussionHome(5)Non-repudiationInlaw,

non-repudiation

impliesone'sintentiontofulfilltheirobligationstoacontract.Italsoimpliesthatonepartyofatransactioncannotdenyhavingreceivedatransactionnorcantheotherpartydenyhavingsentatransaction.TextWordsNotesDiscussionHomeItisimportanttonotethatwhiletechnologysuchascryptographicsystemscanassistinnon-repudiationefforts,theconceptisatitscorealegalconcepttranscendingtherealmoftechnology.Itisnot,forinstance,sufficienttoshowthatthemessagematchesadigitalsignaturesignedwiththesender'sprivatekey,andthusonlythesendercouldhavesentthemessageandnobodyelsecouldhavealtereditintransit(dataintegrity).Theallegedsendercouldinreturndemonstratethatthedigitalsignaturealgorithmisvulnerableorflawed,orallegeorprovethathissigningkeyhasbeencompromised.Thefaultfortheseviolationsmayormaynotliewiththesenderhimself,andsuchassertionsmayormaynotrelievethesenderofliability,buttheassertionwouldinvalidatetheclaimthatthesignaturenecessarilyprovesauthenticityandintegrity;and,therefore,thesendermayrepudiatethemessage(becauseauthenticityandintegrityarepre-requisitesfornon-repudiation).TextWordsNotesDiscussionHomeunauthorizedadj.非法的；未被授权的；独断的desktopn.桌面；台式机cyberadj网络的，计算机的confidentialityn.机密，[计]机密性integrityn.[计算机]保存完整；诚实；

malfunctionvi.&n.发生故障；不起作用；故障；失灵WordsWordsTextWordsNotesDiscussionHomeoff-siteadj.界外的；装置外的backupadj.&vt.支持的；备份的

；做备份extortionn.勒索；[法]敲诈；强夺prevalentadj.流行的；普遍的，广传的ransomwaren.勒索软件auditv.&n.审计；检查WordsTextWordsNotesDiscussionHomeforensicsn.辩论学；辩论术mitigatev.使缓和，使减轻countermeasuren.对策，反措施，对抗(或报复)手段outweighvt.比…重（在重量上）；比…有价值authenticityn.真实性，确实性；可靠性accountabilityn.有义务；有责任；可说明性WordsTextWordsNotesDiscussionHomepropertyn.性质；财产；所有权multidisciplinaryadj.多学科的adequacyn.足够；适当；妥善性conformancen.一致性；顺应trioadj.三件一套；三个一组triadn.三和音；三个一组compliancen.顺从，服从；承诺entityn.实体；存在；本质WordsTextWordsNotesDiscussionHomereferentialadj.指示的；用作参考的outagen.储运损耗；中断供应repudiationn.否认；抛弃，断绝关系cryptographicadj.用密码写的，关于暗号的realmn.领域，范围；王国assertionn.断言，主张，要求；认定invalidatevt.使无效；使无价值pre-requisiteadj.&n.必须的；首要的；首要事WordsTextWordsNotesDiscussionHome[1]informationsecurity：信息安全是指信息系统（包括硬件、软件、数据、人、物理环境及其基础设施）受到保护，不受偶然的或者恶意的原因而遭到破坏、更改、泄露，系统连续可靠正常地运行，信息服务不中断，最终实现业务连续性。TextWordsNotesDiscussionNotesHome[2]Gordon-LoebModel：戈登-洛布模型（Gordon-LoebModel）是分析最优信息安全投资水平的数理经济学模型。模型指出在一般情况下，一个公司需要用于保护信息安全的花费仅应当是预期损失（信息安全漏洞所造成的损失的预期值）的一小部分。更为具体的说，多于信息安全漏洞预期损失百分之三十七的信息安全（包括网络安全）投资，通常是不经济的。同时，戈登-洛布模型指出，针对一定水平的潜在损失，用于保护一个信息集合的最优投资水平并不总随着信息集脆弱性的增强而增加。

TextWordsNotesDiscussionHome[3]ACID：指数据库事务正确执行的四个基本要素的缩写。包含：原子性（Atomicity）、一致性（Consistency）、隔离性（Isolation）、持久性（Durability）。一个支持事务（Transaction）的数据库，必需要具有这四种特性，否则在事务过程（Transactionprocessing）当中无法保证数据的正确性，交易过程极可能达不到交易方的要求。TextWordsNotesDiscussionHomeQuestionsfordiscussion1.Whatdoesinformationsecurityreferto?2.WhatisITsecurity?3.WhatarethemostcommonthreatstoInformationsecurity?TextWordsNotesDiscussionHomeAnswerstoquestionsfordiscussionTextWordsNotesDiscussionHome1.Whatdoesinformationsecurityreferto?Informationsecurity,InfoSecforshort,referstothepracticeofpreventingunauthorizedaccess,use,disclosure,disruption,modification,inspection,recordingordestructionof

information.Itisageneraltermthatcanbeusedregardlessoftheformthedatamaytake(e.g.electronic,physical).TextWordsNotesDiscussionHome2.WhatisITsecurity?Sometimesreferredtoas

computersecurity,informationtechnologysecurity(ITsecurity)isinformationsecurityappliedtotechnology(mostoftensomeformofcomputersystem).Herea

computer

doesnotnecessarilymeanahomedesktop.Acomputerisanydevicewitha

processor

andsomememory.Suchdevicescanrangefromnon-networkedstandalonedevicesassimpleascalculators,tonetworkedmobilecomputingdevicessuchassmartphonesandtabletcomputers.TextWordsNotesDiscussionHome3.WhatarethemostcommonthreatstoInformationsecurity?Someofthemostcommonthreatstodayaresoftwareattacks,theftofintellectualproperty,identitytheft,theftofequipmentorinformation,sabotage,andinformationextortion.Mostpeoplehaveexperiencedsoftwareattacksofsomesort.

Viruses,worms,

phishingattacks,and

Trojanhorses

areafewcommonexamplesofsoftwareattacks.TextWordsNotesDiscussionHomeThankyou!Unit10TextBInformationSecurityRiskManagementInformationSecurityRiskManagement1.IntroductionInmodernconditionsadigitaltransformationofthebusinesstakeplaceandfurtherthistrendwillintensify.Inordertodevelopinstepwiththetimes,theenterpriseneedstocarryoutautomatizationofbusinessprocesses,implementadvancedinformationtechnologiesandnewmanagementmethodscorrespondingtothem.Thispathrequiresausageofprofessionalinformationassetsmanagement,whichisbecomingincreasinglyimportantforenterprises.Todaybusinessshouldbeabletoprevent,predictandrecognizeinformationsecuritythreats,takemeasuresagainstthemandimproveapproaches.TextTextWordsNotesDiscussionHome2.InformationSecurityAnassetisanythingthathasvaluetotheorganisation.Informationisanimportantassetthatisessentialtotheorganization’sbusinessneeds.Informationcanexistinvariousforms.Itcanbeprintedorwrittenonpaper,storedonelectronicmedia,sentbymailore-mail,displayedinvideoclipsortransmittedorally.InformationSecurity(IS)–preservationofconfidentiality,integrityandavailabilityofinformation.TextTextWordsNotesDiscussionHomeItisbasedonthreecategoriesdescribedintheinformationsecuritymanagementstandardISO27001:•confidentiality–propertythatinformationisnotmadeavailableordisclosedtounauthorizedindividuals,entities,orprocesses;•availability–thepropertyofbeingaccessibleandusableupondemandbyanauthorisedentity;•integrity–propertyofaccuracyandcompleteness.TextWordsNotesDiscussionHome3.InformationSecurityRisksWiththetransitionofpartofbusinessprocessestothedigitalenvironment,manycompaniesarefacedwithnewrisksandthreatsthatarisefromthiscontext.Thenewsmoreandmoreoftenspeaksaboutdataleaks,cyberattacks[1],duetowhichpersonaldataofcustomers,employees,andfinancialassetsofcompaniessuffer.Bothlargeandsmallbusinessesareexposedtosuchrisks.TextWordsNotesDiscussionHomeTextTextWordsNotesDiscussionHomeRisk–effectofuncertaintyonobjectives.Threat–apotentialcauseofanunwantedincidentthatmayresultinharmtoasystemororganization.By2018KasperskyLab[2]providesthefollowingstatistics:•duringtheyear30,01%ofthecomputersofinternetusersintheworldatleastoncewereattackedbyMalwareclassattack;•KasperskyLabsolutionsrepelledan1876998691attack,whichwascarriedoutfromInternetresourceslocatedindifferentcountriesoftheworld;•554159621uniqueURLswererecordedonwhichthewebantiviruswastriggered;TextTextWordsNotesDiscussionHome•KasperskyLabwebantivirusdetected21643946uniquemaliciousobjects;•ransomware[3]attacksarereflectedoncomputersof765538uniqueusers;•duringthereportingperiod,minersattacked5638828uniqueusers;•attemptstolaunchmalwaretostealfundsthroughonlineaccesstobankaccountsarereflectedonthedevicesof830135users.TextTextWordsNotesDiscussionHomeTextTextWordsNotesDiscussionHomeInformationsecuritythreatscostthousandsofdollars,manyhoursofdowntimeandalotofnervesforlargeandsmallcompanies.Theyleadtosignificantdamagetoinformationassets:forexample,thelossofdatastoredonservers(supplierdata,customerpersonaldata,etc.)consequentlytofinanciallosses,deteriorationofbusinessreputation.Obviously,anyenterprisetodayneedstoinvestresourcesinthedevelopmentofinformationsecuritymanagementsystem,usemodernmethodsforidentifyingandassessinginformationsecurityrisksanddevelopplanstocontrolthem.4.The«SwissCheeseModel»MethodTheSwissCheeseModelmethodallowstoidentifyinformationassetsthreatsanddevelopaninformationsecuritymanagementactionplan.Whileusingthismethod,itisnecessarytodeterminewhatexactlyisbeingprotected,i.e.identifyinformationassetsoftheenterprise.Itisrecommendedtocompilearegisterofassetsindicatingtheirlocationsandowners.Thenextstepistoanalyzethreatsthatcanleadtoinformationassetdamage.Threatscanbeeitherexternal(hackerattack)orinternal(actionsofcompanyemployees,technicalmalfunctions).Amultilevelprotectionmustbebuiltinacompanytoprotectinformationassetsfrompossiblethreats.Itshouldconsistoforganizationalmethodsaswellastechnicalsolutions.Eachoftheprotectionlevelsisevaluatedforvulnerabilities(weaknesses).TextTextWordsNotesDiscussionHomeVulnerability–weaknessofanassetorcontrolthatcanbeexploitedbyoneormorethreats.ThetaskofISmanagementistotimelymonitortheemergenceofnewthreatsandstrengthenexistingones,identifyweaknessesinassetsanddevelopmeasurestomanageinformationsecurityandimproveappliedapproaches.TextWordsNotesDiscussionHome5.InformationSecurityRiskManagementThelargerthecompany,thelargeritslossesduetothelowlevelofinformationsecurity.Thatiswhybigbusinesstakesprotectivemeasuresinthefirstplace.LargecompaniesalmostalwaysinviteIT-securityprofessionalstotrainemployeesinbestpracticesandwaystoprotectdataandreduceISrisks.TextTextWordsNotesDiscussionHomeHowcanasmallbusinesshelpitself?Asmallbusinesscantakeovertheexperienceoflargecompanies,takingintoaccountthedifferenceinthesizeofcompaniesandmakingappropriateamendmentstotheprotectionsystem.Let`sconsidertheuseofISriskmanagementtoolsforsmallbusiness,usingtheexperienceoflargecompaniesasanexample.TextTextWordsNotesDiscussionHome(1)Example1•Threat:hackingintoafinancialaccount•Damage:theftofcash•Controlmeasure:theseparationofbusinessandpersonalOntheearlystagesofsmallbusinessdevelopment,companyownersoftendonotsharepersonalandbusinessfinances.Fromthefirststagesofestablishingabusiness,eveniftherearenoinvestorsandallthefundscomefromtheowner,itisadvisabletoopenabusinessaccountinareliablebank,whichwillbeseparatefromthepersonalaccount.Thiswillfacilitatethecalculationoftaxesandincreaseinformationsecurity-ifoneoftheseaccountsishacked,thesecondwillremainsafe.TextTextWordsNotesDiscussionHome(2)Example2•Threat:anexternalcyberattackoncompanydata•Damage:lossofintegrityandconfidentialityofapartofdata•Controlmeasure:anintegratedapproachtodataprotectionofallkindsTextTextWordsNotesDiscussionHomeMostcompaniesprotecttheirstructureddata,i.e.datawithahighdegreeoforganization,forexample,incustomerdatabasesorinotherfilecollections.Atthesametime,largecompaniesalsoprotectunstructureddata,whichinclude,forexample,dataandinformationstoredinemployeemailboxes.Mailboxesareaweaklinkincyberattacksandcybercriminalscaneasilyaccessvaluableunstructureddatastoredinthem.Anintegratedapproachtoprotectingdataofallkindsisimportantforabusinessofanysize.Suchastrategymayincludetheuseofsecuritysoftware,aswellastrainingemployeesinbestpracticesforprotectingdatafromleaks.TextTextWordsNotesDiscussionHome(3)Example3•Threat:dataleakagefromacompanyemployee•Damage:lossofprivacyofapartofdata•Controlmeasure:accesstoinformationassetsbasedonofficialneedTextTextWordsNotesDiscussionHomeSometimesemployeescombinedifferentlaborfunctions,becauseofwhichtheirresponsibilitiesbecomewider,andthelevelofriskincreases.Analarmingfact:manydataleaksarecausednotbycybercriminals,butbyemployeesofcompaniesthatstealinformationthattheyhaveworkingaccessto.Bylimitingemployeeaccesstoinformation,businessownerreducestheriskofdataleakage.Sucharestrictiveapproachtoprovidingaccessdoesnotmeanthathedoesnottrusthisemployees;rather,itshowsthatheisasmartbusinessowner.TextTextWordsNotesDiscussionHomeMakingtherightdecisionsinthefieldofinformationsecurityriskmanagementisthelessonthatsmallbusinessmustlearn«fromanearlyage»andtheycanlearnitfromlargebusiness.Thisisnotatallasexpensiveasitmightseemtotheownerofasmallbusiness-itcanbecomparedwithspendingoninsurance,whichintheendcansavebusinessmoney.Andgiventhecurrentcontextandtheincreasingimmersionofmodernenterprisesinthedigitaleconomy,knowledgeofriskmanagementisbecomingvitalformanaginginformation