Although many people think of the world of information privacy and security as one characterized by hackers, cyber terrorists, or government-sponsored information espionage, in reality the scope of information privacy and security is much broader. One way of understanding this scope is to consider computer security from the perspective of IT failures. Modern information technologies can fail for many different reasons. First, consider physical failures. These are, after all, hardware devices, and hardware can and does fail. Even in the modern era many of our computational technologies still rely on moving parts, and the failure of any of these moving parts can cascade to cause a wider failure of the information technology as a whole. Further, electronic components can fail, and when such components fail intermittently, the cause of the problem can be more difficult to diagnose than when they fail permanently. It is therefore important for managers and system administrators not only to expect that their physical IT devices will fail, but also to develop plans for how to address those failures when they inevitably occur.

Beyond physical failures, there are also other types of information technology failures, and these can best be understood by considering the intersection of two different dimensions, as shown in the diagram above. Along one dimension, we have a spectrum which ranges from malicious to non-malicious. That is, the failure is caused by someone either intentionally or unintentionally. Along the other dimension, we have a spectrum which ranges from harmless to catastrophic. Plotting these two dimensions against each other provides us with a geometric space in which we can easily classify our non-physical information technology failures. A failure, then, might be non-malicious and harmless, it might be non-malicious but catastrophic, it might be malicious but cause no harm, or in the worst scenario, it may be a malicious attack that causes catastrophic damage to our information assets. Again, remember that information security has a broad scope, and information security addresses each of these different types of failures. What’s more, information security addresses failures that have never before been seen, or which do not currently exist. That sentiment, I believe, speaks to the dynamism and constant change that characterize the world of information security.
