Introduction to Information Security


Questions and Answers

What amount was originally awarded in punitive damages to Richard Grimshaw after the accident involving the Ford Pinto?

  • $49.5 million
  • $88 million
  • $3.5 million
  • $125 million (correct)

The Ford Motor Company was convicted of reckless homicide in the trial following the Grimshaw case.

False (B)

What modifications were made to the Ford Pinto to address safety concerns?

Longer fuel filler neck and plastic shields

The difference between the costs of the Ford Pinto and the benefits was __________.

$88 million

Match the following events with their descriptions:

  • Grimshaw v. Ford = Punitive damages awarded for injuries caused by a Pinto explosion
  • Pinto Recall = Recall of 1.5 million cars due to safety concerns
  • Ford's Acquittal = Ford was acquitted of charges related to reckless homicide
  • Discontinuation of Pinto = The Pinto was discontinued in fall 1980

Which of the following is NOT a type of security mentioned?

Content security (D)

Data integrity is essential for protection against phishing attacks.

False (B)

What is one challenge that makes cybersecurity hard?

Increased connectivity

Security can be defined as protection of __________ against __________.

assets

Match the following types of protection with their descriptions:

  • Authentication = Protection from unauthorized access
  • Authorization = Determining access rights
  • Privacy = Securing personal information
  • Non-repudiation = Ensuring parties in a transaction cannot deny their actions

Which of the following contributes to the increased prevalence of cyber attacks?

Low threshold to access (D)

What is a common protection measure to combat the threat of data breaches?

Encryption

Homeland security is one of the contexts in which security is defined.

True (A)

What was the reason given for not implementing a one-pound, one-dollar piece of plastic to improve the Pinto's safety?

It was seen as extra cost and extra weight. (C)

The Pinto's gas tank was designed to withstand collisions without rupturing.

False (B)

What happens to the gas tank when the Pinto is rear-ended at over 30 miles per hour?

The rear end of the car buckles, and the gas tank is damaged, leading to fuel spillage.

The tube leading to the gas-tank cap would be ripped away from the tank itself in a serious collision, causing gas to slosh onto the _____ around the car.

road

Match the following elements involved in Pinto's crash tests with their effects:

  • Plastic baffle = Prevents puncturing of the gas tank
  • Steel piece = Protects the tank from bumper impact
  • Rubber bladder = Contains fuel inside the tank
  • Sharp bolts = Increases risk of gas tank ruptures

What is considered the hardest aspect of security?

Identifying all possible attack scenarios (D)

What is risk mitigation primarily aimed at?

Reducing losses due to a risk (C)

Risk transfer involves taking actions to reduce losses due to a risk.

False (B)

In security, the defender must find and eliminate all exploitable vulnerabilities, while the attacker needs to find multiple vulnerabilities.

False (B)

What must security professionals ensure happens in technology-related efforts?

Something good happens.

What is the purpose of Annualized Loss Expectancy (ALE)?

To assess the expected value of potential losses due to risks.

In information management systems, an intruder is described as using any available means to subvert the security of the ______.

system

The Ford Pinto was produced between _____ and _____ and is considered one of the worst cars of all time.

1971, 1980

Match the following risk types with their corresponding Annualized Loss Expectancy (ALE):

  • SWIFT fraud = $250,000
  • ATM fraud (large) = $50,000
  • ATM fraud (small) = $10,000
  • Teller theft = $648,000

Which principle states that attackers focus on the easiest point of penetration?

Principle of easiest penetration (D)

Which of the following factors does not play a role in assessing risk?

Fashion trends (C)

Security is often prioritized over the usefulness of digital systems.

False (B)

Assessing risk is straightforward and always easy to determine.

False (B)

What do Bruce Schneier's quotes emphasize about attack strategies?

A good attack is one that engineers never thought of.

What was the mission statement of Ford during the Pinto's production era?

To provide outstanding products and services that improve people's lives.

Which of the following was a tactic used by Henry Ford II against the Federal Motor Vehicle Safety Standard 301?

Private negotiating and lawsuits (A)

The Ford Cost-Benefit Analysis calculated a higher cost per casualty for medical expenses compared to insurance administration.

True (A)

What was the total cost per fatality calculated in the Ford Cost-Benefit Analysis for 1971?

$200,725

The total benefit of avoided fatalities and injuries from the cost-benefit analysis is $______.

$49.5 million

Match the following components with their associated costs according to the Ford Cost-Benefit Analysis:

  • Direct Future Productivity Losses = $132,000
  • Total Medical Costs = $1,125
  • Legal and Court Costs = $3,000
  • Victim's Pain and Suffering = $10,000

What was the total cost involved in selling 12.5 million cars at a unit cost of $11 each?

$137.5 million (B)

The number of burned vehicles accounted for in the total benefit analysis was 2,100.

True (A)

How many serious burn injuries were accounted for in the savings of the cost-benefit analysis?

180

Flashcards

Plastic baffle in Pinto gas tank

A safety feature designed to prevent gas tank puncture in rear-end collisions by using a plastic baffle between the tank and differential bolts.

Steel reinforcement in Pinto gas tank

A safety feature aimed at preventing gas tank puncture in collisions by inserting a piece of steel between the tank and rear bumper.

Rubber bladder in Pinto gas tank

A safety feature designed to prevent gas tank puncture in collisions by using a rubber bladder inside the gas tank to absorb impact forces.

One-pound, one-dollar piece of plastic

A safety feature that failed in the Pinto during crash tests due to its inadequacy.


Pinto's rear end design

The Pinto's rear end design, which was prone to severe deformation upon impact, leading to potential gas tank rupture and fire hazards.


Security

The concept of security refers to protecting something, often assets, against potential threats. These threats can vary widely depending on the context.


Authentication

Authentication ensures you are who you claim to be. It's like a digital passport proving your identity.


Authorization

Authorization grants you the necessary permissions to access specific resources or actions within a system, based on your identity.


Privacy of Data

The assurance that data remains confidential and only those authorized to access it can do so.


Integrity of Data

Ensuring the correctness and accuracy of data. Imagine it like a document that remains unaltered and factual.


Availability

The reliable availability of resources and services. Think of it like a website being constantly accessible.


Non-repudiation

Proving you sent a specific message or performed an action, making it impossible to deny it later.


Digital system security

Protecting against unauthorized access, use, disclosure, disruption, modification, or destruction of information and systems.


Risk Mitigation

Actions taken to reduce potential losses caused by a risk. For example, installing strong security measures.


Risk Transfer

Transferring the responsibility for a risk to someone else, often through insurance policies.


Risk Management

A systematic approach to identify, assess, and manage risks.


Annualized Loss Expectancy (ALE)

A common tool for risk assessment. It analyzes potential losses, their likelihood, and the average cost over time.


Expected Value

The average cost of a risk, calculated by multiplying the value of the loss by the probability of its occurrence.


Ford Pinto

The Ford Pinto, a car produced from 1971 to 1980, known for its poor safety record and a design flaw that made it prone to fires in rear-end collisions.


Realistic Security

A situation where perfect security is not achievable and practical measures are taken to manage risks.


Risk Assessment Factors

Evaluating risks requires considering technical, economic, and psychological factors.


Security is about preventing bad things from happening.

Securing systems requires identifying potential misuse and abuse, even if the program functions as expected. It's not just about fixing bugs, but also preventing malicious actors from exploiting vulnerabilities.


The hardest thing about security is anticipating attack scenarios.

Security experts must anticipate every possible attack scenario before attackers do. It's a constant arms race to stay ahead.


Security involves defeating malicious adversaries.

Unlike traditional tech issues, security professionals face active adversaries with malicious intent, trying to exploit vulnerabilities.


The environment can be hostile to security.

A system's environment can actively work against security efforts, making it harder to maintain protection.


Attackers only need to find one vulnerability; defenders need to find all.

Security professionals must find and eliminate every vulnerability in a system, while attackers only need to find one to exploit.


Information systems are a complex environment for security.

Information systems offer many potential entry points for attackers, including hardware, software, data, and people.


The principle of easiest penetration.

Attackers will use any available method to compromise a system, including vulnerabilities that are often overlooked.


Security is often an afterthought.

Security is often an afterthought, implemented after a system is built for its main purpose. It needs to be integrated from the beginning.


FMVSS 301 (Rear-End Collision Standard)

Federal Motor Vehicle Safety Standard 301 aimed to make vehicles withstand rear-end collisions at 28 mph. However, Henry Ford II and the auto industry fiercely opposed it, delaying its implementation for 8 years.


Auto Industry's Stance on Accidents

Henry Ford II and the auto industry argued that accidents are primarily caused by human error and road conditions, not vehicle design. This was a tactic to oppose safety regulations like FMVSS 301.


Industry Tactics to Delay FMVSS 301

To delay FMVSS 301 implementation, the auto industry used tactics like last-minute document submissions, challenging test results, launching lawsuits, and engaging in private negotiations.


Ford's Cost-Benefit Analysis (1971)

Ford's 1971 cost-benefit analysis evaluated the economic impact of a fatality, considering factors like lost productivity, medical expenses, property damage, and legal costs.


Cost-Benefit Analysis of a Vehicle Recall

The cost-benefit analysis for a vehicle recall estimated the financial benefits of preventing burn deaths, serious injuries, and vehicle damage. These benefits were weighed against the costs of implementing the recall.


Costs Associated with Recall

The cost-benefit analysis calculated the financial cost of a death at $200,000, a serious burn injury at $67,000, and a burned vehicle at $700. These costs were used to measure the financial impact of a recall.


Calculating the Total Cost of a Vehicle Recall

The total cost of the recall was calculated by considering the estimated number of cars and trucks affected and the cost per vehicle. In this case, the total cost was estimated at $137.5 million.


Calculating the Total Benefit of a Vehicle Recall

The total benefit of the recall was estimated by multiplying the number of prevented burn deaths, serious injuries, and vehicle damage by their respective cost estimates. The total benefit was estimated at $49.5 million.


The Ford Pinto Lawsuits

The Ford Pinto, a small car produced from 1971 to 1980, was involved in a series of lawsuits and public scrutiny due to its design flaws, particularly its vulnerability to rear-end collisions, which often resulted in gasoline tank rupture and fires, leading to serious injuries and deaths.


Grimshaw v. Ford Motor Co.

In the case of Grimshaw v. Ford Motor Co., a 13-year-old passenger in a 1971 Pinto was severely burned after a rear-end collision, leading to a large jury award of $125 million in punitive damages, demonstrating the severity of the Pinto's design flaws and Ford's alleged negligence.


Ford's Criminal Charges

Ford Motor Company faced criminal charges of reckless homicide after a 1973 Pinto, known for its defective gasoline tank, was involved in a fatal crash. Despite significant evidence, Ford was acquitted due to the complexity of the case. This event marked the first time an American corporation was prosecuted for criminal charges related to product safety.


Pinto Recall

The Pinto was eventually recalled in 1978 due to its design flaws. Modifications included a longer fuel filler neck and plastic shields to protect the gas tank from puncture during rear-end collisions. These modifications aimed at addressing safety concerns and preventing future accidents.


Ford's Profit Over Safety

Ford Motor Company's decision to prioritize profits over product safety in the development and manufacturing of the Pinto sparked ethical debates, raising questions about corporate accountability and the potential consequences of prioritizing profits over human lives.


Study Notes

Introduction to Information Security and Management

  • Course code: CS 4394
  • Instructor: Dr. Qingchuan Zhao
  • The course material was adapted from various sources, including lectures by Dr. L.F. Kwok, Dr. W.D. Young, Prof. M. Bishop, Prof. V. Shmatikov, A. Kanagala et al., Prof. V. Paxson, and Prof. N. Li.

What Does Security Mean?

  • Security is a multifaceted concept used in various contexts. Examples include personal security, corporate security, personnel security, energy security, homeland security, operational security, communication security, network security, and system security.
  • Security is fundamentally about protecting assets against threats.
  • This includes understanding what assets need protection and identifying the kinds of threats they face.
  • The nature of protection might differ depending on the specific threat.

Security on a Personal Level

  • Online retailers often request personal information.
  • Individuals should consider the protections they desire against potential threats when providing their information.
  • Key aspects of personal security include authentication (to prevent phishing), authorization, privacy, integrity, availability, and non-repudiation.

Security on an Institutional Level

  • Examples of security challenges facing institutions include:
    • Large corporations experiencing data breaches impacting thousands of customers.
    • Students potentially altering their grades using unauthorized access to academic systems.
    • Online retailers facing massive malicious traffic overload, impacting service availability for legitimate users.
  • These scenarios highlight the difficulty of defining security within the digital realm.

Attacks are Becoming More Prevalent

  • Increased online connectivity exposes more valuable assets.
  • The barriers to accessing these targets have been lowered.
  • Attacks are becoming more sophisticated with readily available tools and strategies.

Case Study: The Infamous Ford Pinto

  • The Ford Pinto, produced between 1971 and 1980, was a subject of controversy due to safety concerns.
  • The vehicle faced significant criticism for its design and materials choices.
  • Its issues led to numerous lawsuits, highlighted by the notable "Grimshaw v. Ford Motor Co." case.
  • Cost-benefit analyses regarding product safety emerged as a central point of contention.
  • The analysis revealed that the cost of potentially fixing the safety concerns was less than the financial value for the product.
  • Ultimately, the company opted to recall the vehicle.

Risk Management

  • Identifying and assessing risk is crucial in security.
  • Risk acceptance involves tolerating certain risks.
  • Risk avoidance involves not engaging in activities that pose risk.
  • Mitigation acts to lessen risk.
  • Risk transfer moves risk to another entity (e.g., insurance).
  • Risk management often includes assessing assets, threats, and vulnerabilities to prioritize measures and manage risks.
  • There are specific computations associated with risk management, such as annualized loss expectancy (ALE).
