1. What is the difference between a threat agent and a threat?

Threat source is commonly used interchangeably with the more generic term
threat. Technically there are two terms in order to simplify discussion will continue
to use the term threat to describe the threat sources while in Threat Agent who
causes or attempts to cause harm to an organization
1. What is the difference between a threat agent and a threat?
Threat source is commonly used interchangeably with the more generic term
threat. Technically there are two terms in order to simplify discussion will continue
to use the term threat to describe the threat sources while in Threat Agent who
causes or attempts to cause harm to an organization
1.What is the difference between a threat agent and a threat?
Threat source is commonly used interchangeably with the more generic term
threat. Technically there are two terms in order to simplify discussion will
continueto use the term threat to describe the threat sources while in Threat
Agent who causes or attempts to cause harm to an organization.
2. What is the difference between vulnerability and exposure?
Vulnerability is an ability weak point in an asset or its protective manipulate
system(s). Some examples of vulnerabilities are a flaw in a software program
package, an unprotected system port, and an unlocked door while exposure
means is the metric based on how a threat steals data and what it does with the
stolen data. This field is associated with information theft. Most, if not all,
malware contains data theft routines. These routines steal specific information.
2. What is the difference between vulnerability and exposure?
Vulnerability is an ability weak point in an asset or its protective manipulate
system(s). Some examples of vulnerabilities are a flaw in a software program
package, an unprotected system port, and an unlocked door while exposure
means is the metric based on how a threat steals data and what it does with the
stolen data. This field is associated with information theft. Most, if not all,
malware contains data theft routines. These routines steal specific information.
2.What is the difference between vulnerability and exposure?
Vulnerability is an ability weak point in an asset or its protective manipulate
system(s). Some examples of vulnerabilities are a flaw in a software
program package, an unprotected system port, and an unlocked door while
exposure means is the metric based on how a threat steals data and what it
does with the stolen data. This field is associated with information theft.
Most, if not all, malware contains data theft routines. These routines steal
specific information
 3.What is a loss in the context of information security?
4. What type of security was dominant in the early years of computing?
Physical Security only data and connection was not focused on.
5.What are the three components of the C.I.A. triad?
What are they used for?
The confidentiality, integrity, and availability of information is crucial to the
operation of a business, and the CIA triad segments these three ideas into
separate focal points. This differentiation is helpful because it helps guide
security teams as they pinpoint the different ways in which they can address
each concern.
Confidentiality involves the efforts of an organization to make sure data is
kept secret or private. To accomplish this, access to information must be
controlled to prevent the unauthorized sharing of data—whether intentional
or accidental. A key component of maintaining confidentiality is making
sure that people without proper authorization are prevented from accessing
assets important to your business. Conversely, an effective system also
ensures that those who need to have access have the necessary privileges.

Integrity involves making sure your data is trustworthy and free from
tampering. The integrity of your data is maintained only if the data is
authentic, accurate, andreliable.

Availability is even if data is kept confidential and its integrity maintained, it

is often useless unless it is available to those in the organization and the
customersthey serve. This means that systems, networks, and applications
must be functioning as they should and when they should. Also, individuals
with access tospecific information must be able to consume it when they
need to, and getting tothe data should not take an inordinate amount of time
6. If the C.I.A. triad is incomplete, why is it so commonly used in security?
1. While the C.I.A triangle may have been incomplete, it was the foundation
around
2. which most security models arose, and vast amounts of material is based on
it.
3. The concepts were sound, and most models that have been developed since
4. build off the concepts expressed in it.
5. While the C.I.A triangle may have been incomplete, it was the foundation
around
6. which most security models arose, and vast amounts of material is based on
it.
7. The concepts were sound, and most models that have been developed since
8. build off the concepts expressed in it.
While the C.I.A triangle may have been incomplete, it was the foundation
around which most security models arose, and vast amounts of material is
based on it. The concepts were sound, and most models that have been
developed since build off the concepts expressed in it.
7.Describe the critical characteristics of information. How are they used in
the study of computer security?
The critical characteristics of information define the value of information.
Changing any one of its characteristics changes the value of the information
itself. There are seven characteristics of information:
- Availability enables authorized users - either persons or computer systems - to
access information without interference or obstruction, and to receive it in the
required format.
- Accuracy occurs when information is free from mistakes or errors and it has
the value that the end user expects.
- Authenticity of information is the quality or state of being genuine or original,
rather than a reproduction or fabrication. Information is authentic when it is in
the same state in which it was created, placed, stored, or transferred.
- Confidentiality is achieved when disclosure or exposure of information to
unauthorized individuals or systems is prevented. Confidentiality ensures that
only those with the rights and privileges to access information are able to do so
- Integrity of information is maintained when it is whole, complete, and
uncorrupted.
- Utility of information is the quality or state of that information having value
for some purpose or end. Information has value when it serves a particular
purpose.
 - Possession of information is the quality or state of ownership or control of
someobject or item. Information is said to be in one's possession if one obtains
it, independent of format or other characteristics.
8.Identify the six components of an information system. Which are most
directly affected by the study of computer security? Which are most
commonly associated with its study?
People would be impacted most by the study of computer security. People can
be the weakest link in an organization's information security program. And unless
policy, education and training, awareness, and technology are properly employed
to prevent people from accidentally or intentionally damaging or losing
information, they will remain the weakest link. Social engineering can prey on the
tendency to cut corners and the commonplace nature of human error. It can be
used to manipulate the actions of people to obtain access information about a
system.
Procedures, written instructions for accomplishing a specific task, could be
another component, which will be impacted. The information system will be
effectively secured by teaching employees to both follow and safeguard the
procedures. Following procedure reduces the likelihood of employees
erroneously creating information insecurities. Proper education about the
protection of procedures can avoid unauthorized access gained using social
engineering. Hardware and software are the components that are historically
associated with the study of computer security. However, the IS component that
created much of the need for increased computer and information security is
networking
People would be impacted most by the study of computer security. People can be
the weakest link in an organization's information security program. And
unlesspolicy, education and training, awareness, and technology are properly
employedto prevent people from accidentally or intentionally damaging or losing
information, they will remain the weakest link. Social engineering can prey on
thetendency to cut corners and the commonplace nature of human error. It can be
used to manipulate the actions of people to obtain access information about a
system.
Procedures, written instructions for accomplishing a specific task, could be another
component, which will be impacted. The information system will be effectively
secured by teaching employees to both follow and safeguard the procedures.
Following procedure reduces the likelihood of employees erroneously creating
information insecurities. Proper education about the protection of procedures can
avoid unauthorized access gained using social engineering. Hardware and software
are the components that are historically associated with the study of computer
security. However, the IS component that created much of the need for increased
computer and information security is networking.
9. What is the McCumber Cube, and what purpose does it serve?
The McCumber Cube is a comprehensive model framework created by John
McCumber to enhance the security of information systems in organizations.
10. Which paper is the foundation of all subsequent studies of computer
security?
Rand Report R-609, sponsored by the Department of Defense paper, is the
foundation of all subsequent studies of computer security
Rand Report R-609
11. Why is the top-down approach to information security superior to the
bottom-up approach?
Because top-down approach has a higher probability of success. With this
approach, the project is initiated by upper-level managers who issue policies, and
processes; dictate the goals and expected outcomes; and determine
accountability for each required action
Because top-down approach has a higher probability of success. With this
approach, the project is initiated by upper-level managers who issue policies,
andprocesses; dictate the goals and expected outcomes; and determine
accountability for each required action
12. Describe the need for balance between information security and access
to information in information systems.
13. How can the practice of information security be described as both an
art and a science? How does the view of security as a social science
influence its practice?
14. Who is ultimately responsible for the security of information in the
organization?
Chief Information Systems Officer (CIS))
15. What is the relationship between the MULTICS project and the early
development of computer security?
MULTICS, or Multiplexed Information and Computing Service, was the
first operating system created with security as its primary goal. It was a
mainframe, time-sharing operating system developed through a
partnership among GE, Bell Labs, and MIT. Much of the early focus for
research on computer security was centered on this system..
16.How has computer security evolved into modern information security?
Computer security consisted of securing a system's physical location
with badges, keys, and facial recognition. To ensure total security, the
information itself, as well as the hardware used to transmit and store it,
needed to be protected. Information security developed from this need.
17. What was important about RAND Report R-609?
1st widely recognized published document to identify the role of management
policy issues in computer security
18. Who decides how and when data in an organization will be used or
controlled? Who is responsible for seeing that these decisions are carried
out?
Data owners, who are responsible for the security and use of a particular
set of information.
Data custodians, who work directly with data owners and are
responsible for the storage, maintenance, and protection of information.
Data users are end users who work with the information to perform their
daily jobs and support the mission of the organization.
19. Who should lead a security team? Should the approach to security be
more managerial or technical?
A project manager, who may be a departmental line manager or staff unit
manager, would lead a security team.
The approach to security should be more managerial than technical, although
the technical ability of the resources who perform day-to-day activities is
critical
20. Besides the champion and team leader, who should serve on an
information security project team?