Data Security: The Misuse of Technology and Points of Vulnerability in Everyday Information Systems
Otobong Inieke, Independent Researcher - Graduate of Middlesex University Mauritius Campus, Nigeria
https://orcid.org/0000-0001-9906-4028
ABSTRACT
Data security in the information age is a critical facet in the integrity and reliability
of the various information systems making up value structures of businesses,
organizations etc. Aside from professionals directly involved with securing data within
these systems, the importance of data security is not readily apparent to the everyday
user of devices in the information systems. The purpose of this literature review is
to highlight challenges related to data security and business information systems
in conjunction with digital literacy. An extensive literature review was conducted
with the aim of identifying and describing scenarios of technology misuse as well as
vulnerabilities in vital business information systems. A gap in awareness continues to
plague those who leverage information systems for their myriad uses because everyday
users will in most cases dismiss data security advice as alarmist or jargon-laden. This
falls in line with a 2018 cyber security survey from Statista which showed that 22%
of data security tasks were dedicated to preventing malware while 17% were dedicated to
preventing social engineering and phishing attacks. This literature review will describe
possible data insecurity solutions as well as potential areas of further research. The
paper will point out the importance of digital literacy as well as recommendations
for its improvement in society and also ongoing research in that regard. The essence
of this literature review is to identify certain everyday information systems such as
decision support systems and transaction processing systems; while pointing out
vulnerabilities and threat nature i.e. technical or non-technical and also demonstrating
the importance of digital literacy and lack thereof.
Keywords
Cloud Computing, Digital Literacy, Information Systems, Malware, Online Privacy
DOI: 10.4018/IJDLDC.2019100102
Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
International Journal of Digital Literacy and Digital Competence
Volume 10 • Issue 4 • October-December 2019
INTRODUCTION
The transfer, reception and effective utility of data constitute a large part of today’s
business environment, and an important part of effective data usage is the security
of said data. Data security, being a broad term by itself, is a reference to the passive
or active measures for protecting data, proprietary or otherwise, from unauthorized
access throughout its period of usefulness (Comodo, 2019). Organizations and
businesses looking to operate seamlessly and remain competitive are well aware of the
importance of securing critical assets such as data which has led to more investments
in data security and information technology (Comodo, 2019). While organizations
prioritize brand/intellectual property protection and customer details etc., the main
elements around data security threat detection and response are the people involved,
the processes facilitating the usage of data and the technology utilized in context
(MicroFocus, n.d.).
When considering the threats to data security, it should be highlighted that the
growth of the data/cyber-security industry has not stalled the proliferation of methods,
techniques and tools used to undermine the security and/or integrity of data. With
approximately 68% of funds irretrievably lost to cyber-attacks and the increasing
difficulty in detecting malicious threats, the cost of poorly implemented data security
measures is undeniable (Dascalescu, 2018). Furthermore, threats to information
systems could be of a technical or non-technical nature which further diversifies the
vectors through which malicious actions are launched against said systems. Threats
of a technical nature could include exploits of software vulnerabilities, malware and
various forms of phishing etc. while those of a non-technical nature can include social
engineering and careless or malicious insiders (Dascalescu, 2018). The following
sections cover threats of a technical and non-technical nature.
TECHNICAL THREATS
According to Techopedia (n.d.), a threat can be considered anything with the potential
to cause harm to computer systems, networks or peripheral devices. These
can range from malware and viruses to Trojans and outright hacker attacks using
sophisticated tools. Threats that are designed as malicious software by skilled
individuals with extensive cyber-security knowledge can be considered ‘technical
threats.’ The following sub-headings are examples of technical threats:
Malware
Firstly, the word ‘malware’ is a shortened form of ‘malicious software’; it is an
encompassing term for hostile, dangerous or intrusive computer programs and code
and includes spyware, viruses, Trojans etc. (Sanchez, 2010). A study carried out by
PandaLabs showed that throughout 2015, roughly 84 million new malware samples were both
identified and stopped, with an average of 230,000 new malware samples created daily in that
same period (PandaSecurity, 2016). The study also showed that of the 304 million
total malware identified, 27.63% of that total was created in 2015. Such profound
• Transmit personal information saved on the computer which could in turn be used
for spam messaging, or possible identity theft.
• Create access for a remote intruder using a Remote Access Trojan (RAT) for
file modification, etc.
• Search for vulnerabilities or log keyboard strokes for confidential details such as
passwords.
Successful spyware exploits are also a huge cost to the overall productivity, efficiency
and performance of computer systems. Computers can have their critical processes
interrupted by spyware; they can also have abnormal boot-times or power consumption
with a negative impact on normal operations. The menace of spyware in the various
spheres of information systems can be tackled through planning, education of
consumers as well as application of appropriate legislation (Thompson, 2005).
NON-TECHNICAL THREATS
These threats will not necessarily have an electronic or computer-based origin but can
result from theft, sabotage or illegal tampering. Natural disasters or ‘Acts of God’
such as lightning strikes, fires and extreme weather events can cause direct damage
to infrastructure housing vital information systems and assets (Society Insurance,
2018). Disgruntled and malicious company insiders can also undermine data security
by stealing, modifying or corrupting vital information. Less technical individuals can
be manipulated psychologically by criminals to either provide sensitive information
(passwords, financial details) or perform inappropriate actions on information systems;
this is referred to as social engineering (Dascalescu, 2018).
To highlight the seriousness of social engineering, Dark Reading – a cyber-security
news website – reported in 2015 on how a cyber-crime ring operating out
of eastern Europe was able to steal about $1bn from 100 unique banks in almost 30
countries over a period of 2 years using spear phishing emails aimed at bank employees
(Nayyar, 2015). Furthermore, it has been shown that 59% of employees steal sensitive
corporate data when they quit or are fired (Dascalescu, 2018). This brings
consumer education back into focus, because the individuals concerned can be trained
to protect shared documents and systems and to resist social engineering tactics,
which builds discerning professionals who are less likely to be victims of phishing
attacks and malicious software from unknown sources.
THREATS
The security of information systems still ranks highly among the pressing issues
and/or threats that face professionals dealing with these systems. The threats range
through vulnerabilities as described above; natural disasters, disgruntled insiders,
malicious hackers etc. Executives utilizing information systems express valid concern
about potential security threats, particularly computer viruses, a study conducted by
Human Elements
In the context of data security, an added threat to the integrity of information systems
is the abuse of privilege by individuals with elevated access to sensitive aspects of
business activities (Kim-Kwang, 2011). A compromised employee may be motivated
to alter or steal information for reasons such as monetary gain, competitive advantage
or sabotage. Additionally, in a bid to carry out disruptive activities, malicious insiders
with technical knowledge can proceed to subvert security measures and further exploit
vulnerabilities in networked information systems. Furthermore, theft of the actual
devices used to transfer or save information (thumb drives, computers) has been a
leading concern. According to a study conducted by Symantec, 37% of all data breaches
that could lead to identity theft in 2009 resulted from theft or loss of computing
devices and media, e.g. thumb drives, hard drives (Symantec, 2010).
DATA MISUSE
An unwanted side effect of the increased dependence of businesses on information systems
and related devices is the risk of misuse of data and IT systems.
The Computer Security Institute's computer crime and security survey showed that
employee abuse of work-related information
technology (IT) resources constituted the most frequent and expensive type of data
misuse (Richardson, 2008). Furthermore, negative impacts as a result of data misuse
by employees can include overall loss of productivity, potential legal costs, loss of
public trust and a tainted image. It should also be noted that the predisposed need
for social approval as well as beliefs, moral or otherwise, are major determinants in
behavior regarding technology misuse (D’Arcy & Devaraj, 2012).
Typically, data/information system misuse can be overseen by laws and policies
governing the ethical use of IT systems; however, the potential for misuse increases
(Team ObserveIT, 2018). According to an ObserveIT report, differentiating
a malicious insider from an unwitting one is crucial, and although organizations may
have data loss prevention solutions, one can only determine what was transferred or
lost and not the context of the insider’s actions (Team ObserveIT, 2018). A high-profile
case of data misuse occurred in 2014 involving Uber, the online transport service
company, where fewer than 10 employees had abused an internal company application
feature called “God View”, which tracks customers and drivers in real-time without
their express consent (Smith, 2016).
In 2015, DarkReading, a cyber-security news website, reported that an employee
of Morgan Stanley had inappropriately obtained 10% of client details (about 350,000
people) in an investment database and proceeded to publicly post 900 of said details
on PasteBin, a content hosting service that allows users to store text online
for a period of time (Chickowski, 2015).
With sufficient research documenting the misuse of data and IT resources,
individuals involved may not always have malicious intent. For example, an employee
with insufficient web security knowledge may browse the internet to a website with
Table 1, from the Dodel & Mesch (2018) study, further demonstrates disparities
in antivirus usage behavior among Israeli internet users: roughly
15% of respondents regularly scan files before opening them, as opposed to 45% who
never scan files before opening them. It can also be observed that about 60% of the
respondents do not install or update antivirus on mobile devices, compared to the
15.5% who do so consistently. Considering these statistics, businesses and
institutions can become vulnerable to cyberthreats if there is insufficient digital
literacy training, a wide information gap or an unwillingness to practice online safety
techniques.
A 2012 European Union Cyber-Security study showed that 12% of internet users
experienced online fraud and 8% suffered identity theft (European Commission, 2012).
Moreover, in correlation with age factors and digital inequalities as mentioned above,
the study showed that 11% of respondents over the age of 55 were unlikely to have
seen anything about cybercrime on the internet while 80% of respondents between
ages 25-39 had heard or read about cybercrime 12 months before the survey i.e. 2012
(European Commission, 2012).
Researchers from the Russian State Social University carried out a survey that
demonstrated a willingness to join the digital economy (the economy applied via digital
telecommunications), although respondents lacked competence in digital education/literacy
(Khitskov, et al., 2017). The study pointed out 4 main challenges respondents
faced with joining the digital economy, and they are as follows:
• The research team observed that respondents were not in full control of activities
within the digital environment, such as providing and acquiring goods and services
through existing payment technologies, and lacked skills for online research and
documentation etc.
• 29% had a partial awareness of digital reputation, 40% partly understood digital
ethics and 41% had an awareness of digital culture.
CONCLUSION
Finally, the importance of data security is apparent and extensive research has been
conducted proving this fact. The persisting challenge lies in the inherent vulnerabilities
of information systems and computing devices, and in this vein, further training and
sensitization of employees have shown positive results. The existing gap between
adoption of modern information systems and security implications of said systems is
at the least being addressed by groundbreaking cyber security research and solutions.
Various organizations and institutions are also at the helm of addressing digital literacy
issues around the world with measured progress. Through the course of this review,
data security, digital literacy and various threats to information systems have been
addressed, and in lieu of further research, building a culture of security and awareness
within institutions and organizations can serve to further mitigate unwanted IT-related
risks.
Table 2. DigiComp 2.0 framework, competence areas and competences (UNESCO, 2018)
REFERENCES
Smith, C. (2016). Uber allegedly spied on celebrities like Beyonce for years. NY Post. Retrieved from https://nypost.com/2016/12/13/uber-allegedly-spied-on-celebrities-like-beyonce-for-years/
Society Insurance. (2018). Common Data Threats and Vulnerabilities. Retrieved from https://blog.societyinsurance.com/common-data-threats-and-vulnerabilities/
Symantec. (2010). Symantec Global Internet Security Threat Report: Trends for 2009.
Team ObserveIT. (2018). 5 Examples of Data & Information Misuse. Retrieved from https://www.observeit.com/blog/importance-data-misuse-prevention-and-detection/
Techopedia. (n.d.). What is a Threat in Computing - Definition from Techopedia. Retrieved from https://www.techopedia.com/definition/25263/threat
Thompson, R. (2005). Why spyware poses multiple threats to security. Communications of the ACM, 48(8), 41–43. doi:10.1145/1076211.1076237
UNESCO. (2018). A Global Framework of Reference on Digital Literacy Skills for Indicator 4.4.2. Montreal: UNESCO Institute for Statistics.
Zaharia, A. (2017). Security Alert: WannaCry leaves Exploited Computers Vulnerable to Round Two. Heimdal Security. Retrieved from https://heimdalsecurity.com/blog/security-alert-wannacry-computers-vulnerable/