1.         Why organizations are heavily reliant on information systems


An information system can be defined technically as a set of interrelated
components that collect (or retrieve), process, store, and distribute
information to support decision making and control in an organization. In
addition to supporting decision making, coordination, and control, information
systems may also help managers and workers analyze problems, visualize complex
subjects, and create new products. Information systems contain information
about significant people, places, and things within the organization or in the
environment surrounding it. By information we mean data that have been shaped
into a form that is meaningful and useful to human beings. Data, in contrast,
are streams of raw facts representing events occurring in organizations or the
physical environment before they have been organized and arranged into a form
that people can understand and use. (Kenneth C Laudon, Jane P Laudon)

Another definition of an information system is based on the more general
concept of a work system. Businesses operate through work systems. Typical
business organizations contain work systems that procure materials from
suppliers, manufacture physical and/or informational products, deliver products
to customers, find customers, create financial reports, hire employees,
coordinate work across departments, submit tax payments, and perform many other
functions. A work system is a system in which human participants and/or
machines perform work (processes and activities) using information, technology,
and other resources to produce specific products and/or services for specific
internal or external customers.

An information system is a work system whose processes and activities are
devoted to processing information, i.e., capturing, transmitting, storing,
retrieving, manipulating, and displaying information. Thus, an information
system is a system in which human participants and/or machines perform work
(processes and activities) using information, technology, and other resources
to produce informational products and/or services for internal or external
customers. (Alter, 2008)

Nowadays, organizations rely heavily on information systems to succeed in
business, and people's lifestyles are changing rapidly as well: we can hardly
get through daily life without information systems. Wireless communications,
including computers and mobile hand-held computing devices, keep managers,
employees, customers, suppliers, and business partners connected in every way
possible. Email, online conferencing, the Web, and the Internet provide new
and diverse lines of communication for all businesses, large and small. With
more communication channels and lower communication costs, customers are
demanding more of businesses in terms of service and product, at lower cost.
E-commerce is changing the way businesses must attract and respond to
customers.

The following facts are reasons why information systems are so essential:

Economic Importance:

The cost of installing and maintaining an information system is initially
quite high (depending on the type of system), but over time the cost comes
down and looks reasonable in relation to the profits that the system makes
possible. Moreover, the cost of information systems has historically tended to
decrease, while the cost of their substitutes (e.g. labor) has tended to
increase (Laudon, 1990). In addition, computer systems use networks, which help
an organization reduce transaction costs, allowing it to engage external
vendors rather than using internal resources.

Information Systems Improve Performance:

Information systems are designed to improve the overall efficiency and
effectiveness of a process. They speed up the process and reduce the time it
takes by removing unnecessary steps of the operation. For example, in 1977
Citibank introduced ATMs and debit cards (Laudon and Laudon, 9th Ed.). This
made financial transactions easier and was a huge success. Banks have
continued to innovate since then, and today, with the help of reliable and
secure information systems from vendors such as TEMENOS, Infosys and Oracle,
most customers can perform most of their transactions from a personal computer
or even from a cell phone. In addition, information systems provide real-time
information that reduces the number of errors, thereby increasing the quality
of the output of the process.

Importance in Decision Making:

Information systems provide managers with tools to monitor, plan and forecast
more accurately and faster than ever before. In addition, they enable managers
to react and adapt more quickly to a rapidly changing business environment.
Decision support systems can significantly improve results on both the
quantitative and the qualitative front. For example, in the United States,
about 142 million employees generate $12.2 trillion in gross domestic product.
If the quality of these employees' decisions could be improved by only 1% in a
year, GDP could increase considerably.


Organizational Behavior Change:

Research shows that computer systems facilitate the flattening of hierarchies
by widening the distribution of information to empower lower-level employees.
They push decision-making rights down to the lowest level of the organization,
because lower-level employees receive the information they need to make
decisions themselves, which eliminates the need for middle managers. This also
leads to a reduction in the administrative costs of the organization.


2.         Various types of security threats to
any information system of an organization.

The following are types of security threats to information systems:

a)       Malicious software: Viruses, Worms,
Trojan Horses and Spyware

Malicious software programs are referred to as malware and include a variety
of threats, such as computer viruses, worms, and Trojan horses. A computer
virus is malware that attaches itself to other software programs or data files
in order to be executed, usually without the knowledge or permission of the
user. Worms are standalone programs that copy themselves from one computer to
another over a network. Unlike viruses, worms can operate on their own without
attaching to other program files and rely less on human behavior to spread
from one computer to another. A Trojan horse is software that appears to be
benign but does something other than expected. The Trojan horse itself is not
a virus because it does not replicate, but it is often a way to introduce
viruses or other malicious code into a computer system. Spyware is also a form
of malware: these small programs install themselves surreptitiously on
computers to monitor users' web browsing activity and serve up advertising.

b)      Hackers and Computer Crime

A hacker is an individual who intends to gain unauthorized access to a
computer system. Hacker activities have broadened beyond mere system intrusion
to include theft of goods and information, as well as system damage and
cybervandalism, the intentional disruption, defacement, or even destruction of
a Web site or corporate information system. In a denial-of-service (DoS)
attack, hackers flood a network server or Web server with many thousands of
false communications or requests for services in order to crash the network.
The network receives so many queries that it cannot keep up with them and is
thus unavailable to service legitimate requests. A distributed
denial-of-service (DDoS) attack uses numerous computers to inundate and
overwhelm the network from numerous launch points. Most hacker activities are
criminal offenses, and the vulnerabilities of systems we have just described
make them targets for other types of computer crime as well. Computer crime is
defined by the U.S. Department of Justice as “any violations of criminal law
that involve a knowledge of computer technology for their perpetration,
investigation, or prosecution.” Many companies are reluctant to report
computer crimes because the crimes may involve employees, or because the
company fears that publicizing its vulnerability will hurt its reputation. The
most economically damaging kinds of computer crime are denial-of-service
attacks, the activities of malicious insiders, and Web-based attacks.
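The flood patterns described above can be told apart in an ordinary web-server access log: a DoS shows up as one source address exceeding any plausible request rate on its own, while a DDoS shows up as the aggregate rate exceeding what the server can handle although no single source stands out. The following is an added example written for this page, not code from the essay or from any cited source; the log lines, addresses, window size and thresholds are all constructed for illustration, and a real deployment would tune the thresholds to the server's normal traffic.

```python
# Added example, not from the essay: tell a single-source DoS flood from a
# many-source DDoS flood in a web-server access log. Log lines, addresses and
# thresholds below are constructed for illustration.
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format lines: '<ip> - - [<timestamp>] "<request>" <status> <bytes>'
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S"
EPOCH = datetime(1970, 1, 1)


def parse(line):
    """Return (source_ip, seconds) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts").split()[0], TS_FMT)
    return m.group("ip"), int((ts - EPOCH).total_seconds())


def classify(lines, window_s=10, per_source_limit=100, total_limit=300):
    """Count requests per source in fixed window_s-second windows anchored at
    the first request seen.
    DoS:  one source alone exceeds per_source_limit in a window.
    DDoS: the aggregate exceeds total_limit although no single source stands
          out (many launch points, each sending a modest amount).
    Returns one dict per window, in time order."""
    records = [r for r in map(parse, lines) if r is not None]  # drop malformed lines
    if not records:
        return []
    origin = min(sec for _, sec in records)
    buckets = defaultdict(Counter)
    for ip, sec in records:
        buckets[(sec - origin) // window_s][ip] += 1
    report = []
    for idx in sorted(buckets):
        counts = buckets[idx]
        total = sum(counts.values())
        top_ip, top_n = counts.most_common(1)[0]
        if top_n > per_source_limit:
            verdict = "DoS"
        elif total > total_limit:
            verdict = "DDoS"
        else:
            verdict = "normal"
        report.append({"window_start": origin + idx * window_s, "verdict": verdict,
                       "total": total, "sources": len(counts), "top": (top_ip, top_n)})
    return report


def make_line(ip, second):
    """Constructed access-log line at a fixed date, varying only the second."""
    ts = datetime(2017, 5, 12, 10, 0, second)
    return f'{ip} - - [{ts.strftime(TS_FMT)} +0000] "GET / HTTP/1.1" 200 512'


SAMPLE_LOG = (
    # seconds 0-9: five ordinary clients, four requests each
    [make_line(f"203.0.113.{i}", s) for i in range(1, 6) for s in range(0, 8, 2)]
    # seconds 10-19: 150 requests from a single source
    + [make_line("198.51.100.7", 10 + s % 10) for s in range(150)]
    # seconds 20-29: 400 requests spread over 80 sources, five each
    + [make_line(f"192.0.2.{i}", 20 + s % 10) for i in range(1, 81) for s in range(5)]
    + ["not a log line at all"]
)

if __name__ == "__main__":
    for window in classify(SAMPLE_LOG):
        print(window)
```

The per-source limit is what separates the two verdicts: in the third window every source stays well under it, so a per-source block list would not help and only the aggregate count reveals the attack.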

c)       Internal Threats: Employees

We tend to think that threats to the security of a company originate outside
the organization. In fact, the company's own workers raise serious security
problems. Employees have access to insider information and, where internal
security procedures are sloppy, they can often move around an organization's
systems without leaving a trace. End users and information system specialists
are also a major source of errors introduced into information systems. End
users introduce errors by entering incorrect data or by not following the
correct instructions for data processing and computer equipment use. IT
specialists can introduce software errors when designing and developing new
software or maintaining existing programs.

d)       Software

Software errors are a constant threat to information systems, leading to
unquantified productivity losses and sometimes putting people who use or rely
on those systems at risk. The increasing complexity and size of software, as
well as the demand for timely delivery to market, have contributed to an
increase in software defects and vulnerabilities. A major problem with software
is the presence of hidden errors or flaws in the program code.

3.         The Impact of Ransomware on Business

The word ransomware is a combination of ransom and software: a program that is
designed to attack a targeted system with the aim of holding the user hostage
by restricting access to the device. It can also encrypt the user's data,
forcing the victim to pay a ransom to get it back. Generally, ransomware
arrives in the form of a Trojan horse or other malware in order to bypass
defenses and infect the targeted system. Ransomware comes in two major types:
lockers, which lock the user out of the entire system, and crypto ransomware,
which only encrypts the user's files. Ransomware attacks vast numbers of
companies and end users. Infection can happen in different ways, such as
through an email attachment, a compromised website, malicious advertising,
running an untrusted program on the machine, shared network drives, or
communicating with an infected system. The world experienced a massive global
ransomware attack known as “WannaCrypt” or “WannaCry” starting on Friday, May
12 2017. Hundreds of thousands of computers were hit in more than 150
countries. WannaCry is far more dangerous than other common ransomware because
of its ability to spread itself across an organization's network by exploiting
a critical vulnerability in Windows computers. The malware scans aggressively
over TCP port 445 (Server Message Block/SMB), spreading like a worm,
compromising hosts, encrypting the files stored on them and then demanding a
ransom payment in Bitcoin. It is important to note that this is not a threat
that simply scans internal ranges to identify where to spread next: it is
also capable of spreading based on vulnerabilities it finds in other
externally facing hosts.

There are approximately 30–40 publicly named companies among the likely
thousands that were impacted by this ransomware. Examples include the Russian
Interior Ministry, Telefonica (Spain's largest telecommunications company) and
FedEx. The UK National Health Service (NHS) was badly hit, with 16 of the 47
NHS trusts affected and routine surgery and doctor appointments cancelled while
the service recovered. There are reports that in China over 40,000
organizations were affected, including over 60 academic institutions. Russia
appears to have been the hardest hit by the WannaCry attack; Kaspersky Labs
attributes this to Russian organizations running a relatively large proportion
of dated and unpatched systems. WannaCry appears to be specifically designed
for an international attack: it can demand the ransom in 28 languages.
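The port-445 sweep described above leaves a characteristic trace in connection logs: one host opening SMB connections to many distinct internal addresses within a short time, most of them refused because the address is unused, whereas a legitimate client talks to a single file server over and over. The following added example, written for this page and not taken from the essay or any cited source, flags that fan-out pattern and then reconstructs the probable propagation chain from the successful connections. The connection records, addresses, window and fan-out limit are constructed assumptions.

```python
# Added example, not from the essay: flag hosts whose SMB (TCP/445) connection
# pattern looks like worm-style lateral scanning, then reconstruct the probable
# propagation chain. Records, addresses and thresholds are constructed.
from collections import defaultdict

SMB_PORT = 445


def flag_scanners(conns, window_s=60, fanout_limit=20):
    """conns: iterable of (t_seconds, src, dst, dport, connected).
    A source is a scanner if, within any window_s-second span, it attempts SMB
    connections to more than fanout_limit distinct destinations. Returns
    {src: time the first such span began}. A client hammering one file server
    never trips this, however many connections it opens, because its fan-out
    stays at one."""
    by_src = defaultdict(list)
    for t, src, dst, dport, _connected in conns:
        if dport == SMB_PORT:
            by_src[src].append((t, dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct destinations attempted in the window starting at this event
            fanout = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(fanout) > fanout_limit:
                scanners[src] = t0
                break
    return scanners


def infection_chain(conns, scanners):
    """For each scanner, the earliest successful SMB connection it received from
    another scanner before it began scanning names its probable infector.
    Returns {victim: infector}, with None for the host that started it all."""
    chain = {}
    for victim, started in scanners.items():
        hits = [(t, src) for t, src, dst, dport, connected in conns
                if dst == victim and dport == SMB_PORT and connected
                and src in scanners and src != victim and t < started]
        chain[victim] = min(hits)[1] if hits else None
    return chain


def make_sweep(src, start, targets, live):
    """One connection attempt per target, a second apart; only live hosts accept."""
    return [(start + i, src, dst, SMB_PORT, dst in live) for i, dst in enumerate(targets)]


SUBNET = [f"10.0.0.{i}" for i in range(1, 201)]
LIVE = {"10.0.0.20", "10.0.0.50", "10.0.0.99"}   # hosts that exist and expose SMB
PATIENT_ZERO = "10.0.0.5"

SAMPLE_CONNS = (
    # a workstation talking to the file server every few seconds: fan-out of 1
    [(t, "10.0.0.30", "10.0.0.250", SMB_PORT, True) for t in range(0, 300, 3)]
    # patient zero sweeps the whole /24 from t=100; it reaches 10.0.0.20 at t=119
    + make_sweep(PATIENT_ZERO, 100, SUBNET, LIVE)
    # 10.0.0.20, now compromised, starts its own sweep at t=400
    + make_sweep("10.0.0.20", 400, SUBNET, LIVE)
)

if __name__ == "__main__":
    found = flag_scanners(SAMPLE_CONNS)
    print("scanners:", found)
    print("chain:", infection_chain(SAMPLE_CONNS, found))
```

The fan-out test is deliberately indifferent to whether a connection succeeded, since a sweep of a sparsely populated range is mostly refusals; the successful connections matter only afterwards, when working out who infected whom.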

Organizations infected with ransomware suffered negative consequences such as
temporary or permanent loss of sensitive and important information, disruption
to business operations, financial losses incurred to restore systems and
files, and potential harm to the organization's reputation.

Ransomware can be devastating for productivity. It puts all projects on hold
until access to important files is recovered and the system is protected. If
your computers have been infected with ransomware, all sensitive information
may fall into the wrong hands and be erased from your devices. A data breach
involving information about customers or customers' employees creates a crisis
that no company wants to deal with. Sensitive information is at stake, and
paying the attackers does not guarantee that the information has not already
been copied. Nor does paying the ransom guarantee the safe return of all
files.

Many companies have an IT strategy and a disaster recovery plan, but
surprisingly few are sufficiently prepared to deal with a ransomware attack.
This is partly because they do not understand the risks, and partly because
ransomware threats evolve at a rate that antivirus software struggles to keep
up with.


4.         Prevention and risk mitigation plan
to organizations


Organizations should practice the following control measures to prevent and
mitigate such attacks:

(A)  Conduct ongoing, documented, and
thorough information security risk assessments

Establish an ongoing information security risk assessment program that
considers new and evolving threats to online accounts and adjusts customer
authentication, layered security, and other controls in response to identified
risks. Identify, prioritize, and assess the risk to critical systems, including
threats to the applications that control system parameters, security, and
fraud prevention.

(B)  Securely configure systems

Controls such as logical network segmentation, offline backups, air gapping,
maintaining an inventory of authorized devices and software, physical
segmentation of critical systems, and other controls may mitigate the impact of
a cyber-attack involving ransomware. Consistency in system configuration
promotes the implementation and maintenance of a secure network. Essential
components of a secure configuration include the removal or disabling of
unused applications, functions, or components.

(C)  Protect against unauthorized access

Limit the number of credentials with elevated privileges across the
organization, especially administrator accounts and the ability to easily
assign elevated privileges that access critical systems. Review access rights
periodically to reconfirm that approvals are appropriate to the job function.
Establish stringent expiration periods for unused credentials, monitor logs
for use of old credentials, and promptly terminate unused or unwarranted
credentials. Establish authentication rules, such as time-of-day and
geolocation controls, or implement multifactor authentication for systems and
services (e.g., virtual private networks). In addition, conduct regular audits
to review the access and permission levels to critical systems for employees
and contractors. Implement least-privilege access policies across the entire
enterprise. In particular, do not allow users to have local administrator
rights on workstations, and restrict access to the temporary download folder.

(D)   Perform security monitoring, prevention, and
risk mitigation

Ensure that protection and detection systems, such as intrusion detection
systems and antivirus protection, are up to date and that firewall rules are
configured properly and reviewed periodically. Establish a baseline of normal
behavior so that anomalous behavior can be detected. Monitor system alerts to
identify, prevent, and contain attack attempts from all sources.


(E)   Update information security
awareness and training programs

Conduct regular, mandatory information security awareness training across the
institution, including how to identify, prevent, and report phishing attempts
and other potential security incidents. Ensure that the training reflects the
functions performed by employees.


(F)   Implement and regularly test
controls around critical systems

Ensure that appropriate controls, such as access control, segregation of
duties, audit, fraud detection, and monitoring systems, are implemented for
systems based on risk. Limit the number of sign-on attempts for critical
systems and lock accounts once such thresholds are exceeded. Implement alert
systems to notify employees when baseline controls are changed on critical
systems. Test the effectiveness and adequacy of controls periodically. Report
test results to senior management and to the board of directors or a committee
of the board. Include in the report recommended risk mitigation strategies and
progress in remediating findings.
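Two of the controls above, the expiration of unused credentials with monitoring for their later use (C) and the sign-on attempt limit with account lockout (F), can be expressed as a small piece of enforcement logic over authentication events. The following is an added example written for this page, not from the essay or any cited source; the event stream, the account names and the thresholds (five failures within ten minutes, a 30-minute lock, 90 days of inactivity) are constructed assumptions, and the same logic would normally live in the identity provider rather than in a script.

```python
# Added example, not from the essay: enforce a failed-sign-on lockout and an
# idle-credential expiry over a stream of authentication events, and raise an
# alert when an expired credential is used again. Accounts, timeline and
# thresholds are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass, field

DAY = 86400


@dataclass
class AccessMonitor:
    max_failures: int = 5            # failures allowed inside failure_window_s
    failure_window_s: int = 600
    lock_duration_s: int = 1800
    idle_expiry_s: int = 90 * DAY    # credentials unused this long are expired
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)
    last_success: dict = field(default_factory=dict)
    expired: set = field(default_factory=set)
    alerts: list = field(default_factory=list)   # (time, user, message)

    def provision(self, user, now):
        """Creation counts as the credential's first use for expiry purposes."""
        self.last_success[user] = now

    def expire_idle(self, now):
        """Periodic sweep: expire every credential idle for longer than idle_expiry_s."""
        for user, last in self.last_success.items():
            if now - last > self.idle_expiry_s and user not in self.expired:
                self.expired.add(user)
                self.alerts.append((now, user, "credential expired for inactivity"))

    def sign_on(self, now, user, password_ok):
        """Process one attempt. Returns 'ok', 'denied' or 'locked'."""
        if user in self.expired:
            # an old credential being used is itself a finding, right or wrong
            self.alerts.append((now, user, "use of expired credential"))
            return "denied"
        if self.locked_until.get(user, 0) > now:
            return "locked"          # even a correct password is refused while locked
        if password_ok:
            self.last_success[user] = now
            self.failures[user].clear()
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.failure_window_s:
            recent.popleft()         # only failures inside the window count
        if len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_duration_s
            self.alerts.append((now, user, f"locked after {len(recent)} failures"))
            recent.clear()
            return "locked"
        return "denied"


def run_scenario():
    """Constructed timeline exercising both controls; returns (results, alerts)."""
    m = AccessMonitor()
    m.provision("alice", 0)
    m.provision("svc_backup", 0)                               # never used again
    results = [m.sign_on(1 * DAY, "alice", True)]
    for i in range(5):                                         # five bad passwords
        results.append(m.sign_on(2 * DAY + 10 * i, "alice", False))
    results.append(m.sign_on(2 * DAY + 60, "alice", True))     # right password, still locked
    results.append(m.sign_on(2 * DAY + 1900, "alice", True))   # lock has expired
    results.append(m.sign_on(95 * DAY, "alice", True))
    m.expire_idle(100 * DAY)                                   # svc_backup idle 100 days
    results.append(m.sign_on(101 * DAY, "svc_backup", True))   # old credential reused
    return results, m.alerts


if __name__ == "__main__":
    res, alerts = run_scenario()
    print(res)
    for a in alerts:
        print(a)
```

Two details are deliberate: a correct password during the lock period is still refused, otherwise the lockout could be brute-forced around, and the sign-on with the expired service account is refused with an alert rather than silently, because "monitor logs for use of old credentials" is only useful if someone is told.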


(G)  Review, update, and test incident
response and business continuity plans periodically

Test the effectiveness of incident response plans at the organization and with
third-party service providers to ensure that all employees, including the
individuals responsible for managing risk, information security, vendor
management, fraud detection, and customer inquiries, understand their
respective responsibilities and their institution's protocols.





5.         Ethical issues that may arise
from using connected devices in an organization

Ethics refers to the principles of right and wrong that individuals, acting as
free moral agents, use to make choices that guide their behavior. (Kenneth C
Laudon, Jane P Laudon, 2017) Ethical issues in information systems have been
given new urgency by the rise of the Internet and electronic commerce. Internet
and digital firm technologies make it easier than ever to assemble, integrate,
and distribute information, unleashing new concerns about the appropriate use
of customer information, the protection of personal privacy, and the
protection of intellectual property.

Employees must be trained and kept aware of a number of topics related to
information security, not least the expected behaviors of an ethical employee.
This is especially important in information security, as many employees may
not have the formal technical training to understand that their behavior is
unethical or even illegal. Proper ethical and legal training is vital to
creating an informed, well-prepared, and low-risk system user.

As important as information technology is to our lives, it faces some serious
ethical challenges, and it is up to IT experts and the users of information
technology to be ready for them. As more emerging information technologies
appear on the market, most IT experts and users do not know how to deal with
the challenges these technologies bring. Information technology faces major
challenges in the form of lack of privacy, security, copyright infringement
and increased computer crime. Criminals have been eager to exploit the many
loopholes technology offers. Since information technology greatly aids the
speed, flow and access of information, cyber-crime has become an ever-growing
profession. Many businesses and organizations risk becoming a cyber victim on
a daily basis, as most, if not all, business is based on some digital network.

There is also the possible threat of disloyal or vengeful employees who can
use information technology to achieve personal goals that may be harmful to
the organization. IT is not bad in itself, but the way humans use the tools
that information technology provides has brought some serious challenges.

