Running head: SENSITIVE INFORMATION 1

Sensitive Information
Student’s Name
Institutions Affiliations

Sensitive Information
According to the definition by Weber State University, sensitive information is
information about an individual that may be used against them by an unauthorized user to
capture their identity and inflict harm (Weber State University, n.d.). Some examples of this data
type are personal name, social security number, banking details, and passwords. Protecting
sensitive information is extremely important because of the possibility that accessing it could
cause serious harm to the individual. The majority of users are uncertain whether or not to share
sensitive information on a specific website. In his article “Phishing and Pharming as Forms of
Identity Theft and Identity Abuse,” Vilić says that since most victims of cyber identity theft are
unaware that anything has been taken from them, cyber identity theft may have serious
implications (2019). Identity theft happens in many different forms, such as phishing, targeted
phishing, and pharming. These thefts occur most often. When considering protecting data, we
should contemplate what information is sensitive and what is already in the public domain.
Securing sensitive information is essential because unauthorized users can use the information
against you.
Data that fall within the scope of the personal domain are the first category of sensitive
information. Vilić (2019) noted that personal information includes all forms of information that
could be linked to a living person. Such data can be identifiable, meaning that it can be
directly linked to a person, for example, name, address, social security number, and credit card
number, among others. The data can also be indirectly linked to an individual, for example, digital
footprints and metadata, which include information regarding the behavior of an individual on an
online platform. All these forms of information are sensitive in that the person linked to them
would be at risk if they got into the hands of malicious individuals. For this reason,
information security aims to ensure that access to all forms of sensitive information is limited.
The motives behind attempts to access such information vary, with malicious
individuals targeting different people for different reasons. However, the financial motive is the
primary reason behind most of the attacks on personal information. Social security numbers and
credit card information are the primary targets associated with most of the breaches of personal
information. Wiley, McCormac, and Calic (2020) noted that the number of credit card scams has
significantly increased, with thousands of people losing their money as a result of the leakage of
such sensitive information. Identity theft is another threat to personal information that is reported
frequently. Regardless of the motive of the individual targeting sensitive information, the
damage to the victim significantly threatens various aspects of their lives. For this reason,
identifying the sensitive nature of a piece of information is a crucial starting point for providing
information security.
The business environment is another domain that requires making the right decision
regarding the sensitive information that requires security. Information Technology is a critical
element of any business transaction for an organization operating in the present-day world.
Information about the internal operations as well as the interaction of organizations with the
outside environment is mediated by an information system that is vulnerable to system attack.
According to Rajab and Eydgahi (2019), attacks on the information
systems of a business are motivated by the same common factors that drive attacks on other systems.
Some of the common objectives behind cyber-attacks include espionage, ransom demand,
competition, and financial gain. Understanding the motivations behind an attack can help
information security experts decide which sensitive information needs protection.
Customer information is the first critical type of information that could be targeted by
attackers. Such information may be either the personal information of the consumers or
information about the transactions between the consumers and the target organizations. Social
security numbers and payment card information, in particular, are primarily targeted because of
the potential financial gain that attackers could obtain when they have such information.
Employee data are also targeted, for example, their banking information and data related to the
authentication process, such as usernames and passwords (Wiley, McCormac, and Calic,
2020). The bank information of employees is primarily targeted by attackers motivated by
financial gain. However, the sensitivity of the targeted data increases when the attacker
targets data associated with the authentication process. Such data is very sensitive given that it
threatens information security at the company level, and the outcomes could be catastrophic for
the company.
Another form of sensitive data in a business environment is intellectual property and
trade secrets. Virtually every organization in the present-day business environment stores
property information in a network (Wiley, McCormac, and Calic, 2020). Companies also store
information related to their business operations for example competitive research and product
specifications. This information is sensitive for any given organization because it ensures that
the organization maintains its competitive position against other companies. Therefore, information
security for information related to maintaining a competitive advantage of a company should be
a priority for any management. Rajab and Eydgahi (2019) highlighted that most of the attacks
involving an entire information system of any organization are primarily motivated by a desire to
access such information.
The most recent high-profile attack occurred on 2nd March 2021, when Microsoft
confirmed attacks on its server. Reports claimed that the attack was sponsored by the government
of China, but such claims have not yet been validated (Mehrotra & Sebenius, 2021). The
company's system remained functional, but the magnitude of the attack has not yet been
established as investigations into the attack continue. The attack on Microsoft is an ideal
example of an attack on an information system. The damage caused by such attacks cannot be
quantified given that the attacker is not motivated by a need to cripple the operation of the
system (Bauer and Bernroider, 2017). The main objective of such attacks is to gain sensitive
information that can be used to gain an advantage over the other company. Conceptualizing
cyber-attacks from this perspective, information security is a practice that every organization
should consider given the degree of risk involved in failing to take the necessary
precautions.
Understanding the sensitivity of data has become a primary concern for organizations as
well as the public in general. Also, there is a rising concern about the safety of private
information among various people in the public. Bauer and Bernroider (2017) highlighted that
social media companies, among other organizations that handle user information, are demanding
more data from their users, which is sold to advertisers. The debate concerning this issue is still
in the public sphere because of the various uncertainties concerning this practice and the threats
that it poses to the users of various social media platforms (Rajab and Eydgahi, 2019). One
of the primary concerns is the absence of regulations regarding how to get informed consent
from the users. Most users of the internet will subscribe to a specific service without having full
knowledge regarding the terms and conditions of the services.
Rajab and Eydgahi (2019) also added that there exist regulations compelling IT
companies that handle user information to provide security settings that determine how the
information's of the users. On the other hand, understanding the nature of sensitivity of data in
organizations may be challenging given that the size of data that organizations handle has rapidly
expanded over the past decades. For this reason, there exist several federal guidelines to assist
the users to determine the nature and sensitivity of the information they handle. The Federal
Information Processing Standards (FIPS) by the National Institute of Standards and Technology
(NIST) provide specific tools that organizations can apply when analyzing information security
and the nature of the information they handle. Organizations are not mandated to comply with
these guidelines but they could be used as a useful reference point when making decisions
concerning data security.

Conclusion
In conclusion, decisions regarding data protection should consider the sensitivity of
the information and what is already in the public domain.
Securing sensitive information is essential because unauthorized users can use the information
against you. Sensitive information may be owned by either an individual or an organization but
should only be accessed by a few individuals because of the level of damage that might occur if
such information falls into the hands of malicious individuals. Personal information such as
name, address, social security number, credit card number, and email passwords or other login
credentials is sensitive given that it could pose physical, mental, and economic threats to
an individual when it falls into the wrong hands. Organizations also handle a lot of information
that is sensitive and could result in a significant level of damage. Companies handle information
of their customers, employees as well as intellectual property and trade secrets. For this reason,
providing data security should begin with identifying the sensitive nature of data.

References
Bauer, S., & Bernroider, E. W. (2017). From information security awareness to reasoned
compliant action: analyzing information security policy compliance in a large banking
organization. ACM SIGMIS Database: the DATABASE for Advances in Information
Systems, 48(3), 44-68.
Mehrotra, K., & Sebenius, A. (2021, March 12). Hackers Rushed in as Microsoft Raced to Avert
Cyber-Attack. Retrieved April 6, 2021, from
https://www.bloomberg.com/news/articles/2021-03-12/hackers-rushed-in-as-microsoft-raced-to-avert-mass-cyber-attack
Rajab, M., & Eydgahi, A. (2019). Evaluating the explanatory power of theoretical frameworks
on intention to comply with information security policies in higher education. Computers
& Security, 80, 211-223.
Vilić, V. (2019). Phishing and pharming as forms of identity theft and identity abuse. Balkan
Social Science Review, 13(13), 43-57.
Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: Examining the
relationship between culture and Information Security Awareness. Computers &
Security, 88, 101640.