Ask Management Information System Expert

Semantic Security

Security is a very difficult problem- and risks grow larger every year. Not only do we have cheaper, faster computers (remember Moore's Law). We also have more data, more systems for reporting and querying that data, and easier, faster, and broader communication. All of these combine to increase the chances that we inadvertently divulge private or proprietary information.

Physical security is hard enough: How do we know that the person (or program) who signs on as Megan Cho really is Megan Cho? We use passwords, but files of passwords can be stolen. Setting that issue aside, we need to know that Megan Cho's permissions are set appropriately. Suppose Megan works in the HR department, so she has access to personal and private data of other employees.

We need to design the reporting system so that Megan can access all of the data she needs to do her job, and no more. Also, the delivery system must be secure. An application server is an obvious and juicy target for any would-be intruder. Someone can break in and change access permissions. Or, a hacker could pose as someone else to obtain reports. Application servers help the authorized user, resulting in faster access to more information. But, without proper security reporting servers also ease the intrusion task for unauthorized users.

All of these issues relate to physical security. Another dimension to security is equally serious and far more problematic: semantic security. Semantic security concerns the unintended release of protected information through the release of a combination of reports or documents that are independently not protected. Take an example from class. Suppose I assign a group project, and I post a list of groups and the names of students assigned to each group.

Later, after the assignments have been completed and graded, I post a list of grades on the Web site. Because of university privacy policy, I cannot post the grades by student name or identifier; so instead, I post the grades for each group. If you want to get the grades for each student, all you have to do is combine the list from Lecture 5 with the list from Lecture 10. You might say that the release of grades in this example does no real harm-after all, it is a list of grades from one assignment. But go back to Megan Cho in HR. Suppose Megan evaluates the employee compensation program. The COO believes salary offers have been inconsistent over time and that they vary too widely by department. Accordingly, the COO authorizes Megan to receive a report that lists SalaryOfferAmount and OfferDate and a second report that lists Department and AverageSalary.

Those reports are relevant to her task and seem innocuous enough. But Megan realizes that she could use the information they contain to determine individual salaries-information she does not have and is not authorized to receive. She proceeds as follows. Like all employees, Megan has access to the employee directory on the Web portal. Using the directory, she can obtain a list of employees in each department, and using the facilities of her ever-so-helpful report-authoring system she combines that list with the department and average-salary report.

Now she has a list of the names of employees in a group and the average salary for that group. Megan's employer likes to welcome new employees to the company. Accordingly, each week the company publishes an article about new employees who have been hired. The article makes pleasant comments about each person and encourages employees to meet and greet them. Megan, however, has other ideas.

Because the report is published on the Web portal, she can obtain an electronic copy of it. It's an Acrobat report, and using Acrobat's handy Search feature, she soon has a list of employees and the week they were hired. She now examines the report she received for her study, the one that has SalaryOfferAmount and the offer date, and she does some interpretation. During the week of July 21, three offers were extended: one for $35,000, one for $53,000, and one for $110,000.

She also notices from the "New Employees" report that a director of marketing programs, a product test engineer, and a receptionist were hired that same week. It's unlikely that they paid the receptionist $110,000; that sounds more like the director of marketing programs. So, she now "knows" (infers) that person's salary. Next, going back to the department report and using the employee directory, she sees that the marketing director is in the marketing programs department.

There are just three people in that department, and their average salary is $105,000. Doing the arithmetic, she now knows that the average salary for the other two people is $102,500. If she can find the hire week for one of those other two people, she can find out both the second and third person's salaries. You get the idea. Megan was given just two reports to do her job. Yet she combined the information in those reports with publicly available information and is able to deduce salaries, for at least some employees. These salaries are much more than she is supposed to know. This is a semantic security problem.

Discussion Questions

1. In your own words, explain the difference between access security and semantic security.

2. Why do reporting systems increase the risk of semantic security problems?

3. What can an organization do to protect itself against accidental losses due to semantic security problems?

4. What legal responsibility does an organization have to protect against semantic security problems?

5. Suppose semantic security problems are inevitable. Do you see an opportunity for new products from insurance companies? If so, describe such an insurance product. If not, explain why not.

Management Information System, Management Studies

  • Category:- Management Information System
  • Reference No.:- M92645205

Have any Question?


Related Questions in Management Information System

Search the csu library the internet or any specific

Search the CSU library, the Internet, or any specific websites, and scan IT industry magazines to find an example of an IT project that had problems due to organizational issues. Write a paper summarizing the key stakeho ...

Question how can company protect the new emerging

Question : How can company protect the new emerging technology ventures from profit pressures of the parent organization (APA format required, Turntin check required . Minimum 250 words essay) How do companies overcome l ...

Communication and team decision makingpart 1 sharpening the

Communication and Team Decision Making Part 1: Sharpening the Team Mind: Communication and Collective Intelligence A. What are some of the possible biases and points of error that may arise in team communication systems? ...

Question provide an explanation of ifwherehow does active

Question : Provide an explanation of if/where/how does Active Directory support network security,14 pages (2,000-2,500) in APA format. Include abstract and conclusion. Do not include wikis, message boards, support forums ...

Question how companies could effectively use emerging

Question : How companies could effectively use emerging technology to win over its competitors. APA format required. 250 words essay required. The response must be typed, single spaced, must be in times new roman font (s ...

Question how customers could effectively use emerging

Question : How customers could effectively use emerging technology to win over its customers. APA format required. 250 words essay required. turntin check require. The response must be typed, single spaced, must be in ti ...

Part 1 - create an 8 slide powerpoint presentation on

Part 1 - Create an 8 slide PowerPoint presentation on foundational concepts specific to physical security. Part 2 - Write 4 pages detailing the framework for the design of an integrated data center. Assessment Instructio ...

In chapter 2 of the text - managing amp using information

In Chapter 2 of the text - Managing & Using Information Systems: A Strategic Approach, the chapter discusses why information systems experience failure often because of organizational strategy. A classic example of this ...

Review at least 4 articles on balanced scorecard and

Review at least 4 articles on Balanced Scorecard and complete the following activities: 1. Write annotated summary of each article. Use APA throughout. 2. As an IT professional, discuss how you will use Balanced Scorecar ...

Data resources management questionsq1 the dama dmbok

Data Resources Management QUESTIONS Q1. The DAMA DMBOK textbook describes the following two core activities as part of the Data Architecture management exercise: "Understanding enterprise information needs" and "Develop ...

  • 4,153,160 Questions Asked
  • 13,132 Experts
  • 2,558,936 Questions Answered

Ask Experts for help!!

Looking for Assignment Help?

Start excelling in your Courses, Get help with Assignment

Write us your full requirement for evaluation and you will receive response within 20 minutes turnaround time.

Ask Now Help with Problems, Get a Best Answer

Why might a bank avoid the use of interest rate swaps even

Why might a bank avoid the use of interest rate swaps, even when the institution is exposed to significant interest rate

Describe the difference between zero coupon bonds and

Describe the difference between zero coupon bonds and coupon bonds. Under what conditions will a coupon bond sell at a p

Compute the present value of an annuity of 880 per year

Compute the present value of an annuity of $ 880 per year for 16 years, given a discount rate of 6 percent per annum. As

Compute the present value of an 1150 payment made in ten

Compute the present value of an $1,150 payment made in ten years when the discount rate is 12 percent. (Do not round int

Compute the present value of an annuity of 699 per year

Compute the present value of an annuity of $ 699 per year for 19 years, given a discount rate of 6 percent per annum. As