1. What is the difference between a threat agent and a threat?
2. What is the difference between vulnerability and exposure?
3. How is infrastructure protection (assuring the security of utility services) related to information security?
4. What type of security was dominant in the early years of computing?
5. What are the three components of the C.I.A. triad? What are they used for?
6. If the C.I.A. triad is incomplete, why is it so commonly used in security?
7. Describe the critical characteristics of information. How are they used in the study of computer security?
8. Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
9. What system is the predecessor of almost all modern multiuser systems?
10. Which paper is the foundation of all subsequent studies of computer security?
11. Why is the top-down approach to information security superior to the bottom-up approach?
12. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
13. Which members of an organization are involved in the security systems development life cycle? Who leads the process?
14. How can the practice of information security be described as both an art and a science? How does the view of security as a social science influence its practice?
15. Who is ultimately responsible for the security of information in the organization?
16. What is the relationship between the MULTICS project and the early development of computer security?

1. A threat agent is a specific instance or source of danger that can exploit a vulnerability, while a threat is a potential danger that may exploit vulnerabilities in order to cause harm.
2. Vulnerability refers to flaws or weaknesses in a system that can be exploited by a threat agent, while exposure refers to the state of being vulnerable to a particular threat.
3. Infrastructure protection is related to information security because utility services often rely on information systems for their operation, and securing these systems is crucial for ensuring the availability and reliability of these services.
4. Physical security was dominant in the early years of computing, focusing on securing physical access to computer facilities and equipment.
5. The three components of the C.I.A. triad are confidentiality, integrity, and availability. They are used to ensure that information is protected from unauthorized access, tampering, and loss of availability.
6. The C.I.A. triad is commonly used in security because it covers the fundamental aspects of information security and provides a comprehensive framework for assessing and addressing security risks.
7. The critical characteristics of information are confidentiality, integrity, and availability. These characteristics are used in computer security to evaluate the effectiveness of security measures and ensure that information is adequately protected.
8. The six components of an information system are hardware, software, data, people, procedures, and networks. Hardware, software, and networks are most directly affected by computer security, while all components are commonly associated with its study.
9. The predecessor of almost all modern multiuser systems is the MULTICS project, which was a highly secure and innovative operating system developed in the 1960s.
10. The paper "Security Controls for Computer Systems" by Willis Ware is the foundation of all subsequent studies of computer security, outlining the basic principles and approaches to securing computer systems.
11. The top-down approach to information security is superior to the bottom-up approach because it starts with an overall security strategy and then implements specific controls to achieve that strategy, ensuring a more comprehensive and coherent security posture.
12. A methodology is important in the implementation of information security because it provides a structured and systematic approach to identifying and addressing security risks. A methodology improves the process by ensuring that security measures are effectively implemented and consistently applied.
13. Members of an organization involved in the security systems development life cycle may include security analysts, IT professionals, management, and end users. The process is typically led by a designated security officer or IT security manager.
14. The practice of information security can be described as both an art and a science because it requires a balance of technical knowledge and expertise with strategic thinking and decision-making. Viewing security as a social science recognizes the influence of human behavior, organizational culture, and societal factors on security practices.
15. Ultimately, the organization's senior management or executive leadership is responsible for the security of information within the organization, as they are accountable for setting security policies, allocating resources, and overseeing the implementation of security measures.
16. The MULTICS project was instrumental in the early development of computer security as it introduced innovative security features and concepts, such as access control mechanisms, that have had a lasting impact on modern security practices and systems.