Such reports are either quantitative or qualitative ("What is Risk analysis"). Risk management - includes policies, procedures, and practices needed to identify, analyze, assess, control, and avoid, minimize, or eliminate of intolerable risks. An organization may use risk retention, risk assumption, risk avoidance, risk transfer, or any other strategy to efficiently manage events that might occur in the future ("Risk Management").

Summary

The correlation between software development, risk analysis, risk management and human behavior is a complex association. This multidimensional approach to addressing the issue of IT security requires the explanation of several complicated concepts. This chapter has established what the following research endeavors to uncover. Now that the premise of the research has been established let us review some of the literature devoted to the aforementioned topics.

Chapter II Literature Review

Introduction

Software Engineering, Risk analysis and management, and security threats are all issues that effect organizations. The purpose of this literature review is to explore these issues in greater detail. The literature review will provide some insight into the factors that effect IT security. Let us begin by discussion Practical Software engineering.

Practical Software Engineering

Petkovic, Thompson & Todtenhoefer (2006) explain that changes associated with the globalization of software development necessitate newer ways of teaching software engineering. SE is defined as "The application of a systematic, disciplined, quantifiable approach to the development, operation, and maintenance of software (Petkovic, Thompson & Todtenhoefer, 2006, 294) ." In addition according to a report entitled "Software Engineering 2004: Curriculum Guidelines for Undergraduate Degree Programs in Software Engineering," Software Engineering education should merge computer science elements with engineering, coordination, teamwork, communication and project management matters (Petkovic, Thompson & Todtenhoefer, 2006, 294; "Software Engineering…," 2004).

Additionally standards associated with the delivery of curriculum claim that there is a need for practical project and team-oriented exercises to be incorporated into a significant capstone project. The author insists further that many studies have found that the majority of failures associated with delivering Software "to specs, on time and budget, and to a user "satisfaction" were in misunderstanding user needs, poor design, planning and organization (Petkovic, Thompson & Todtenhoefer, 2006, 294)."

In addition to having the proper capabilities for businesses, software must also be engineered in a manner that ensure the security of the computer system/network on which it operates. In this way software engineering must be viewed in quite broad terms. Moreover the training of software engineers must reflect the needs and security concerns that organizations face within the context of globalization and the widespread use of information technology. Now that practical software engineering has been discussed let us focus the issue of people and security.

People and Security

Attacks on Computer Systems

The increase in the use of computer systems and networks in recent years, has resulted in an increase in attacks. These attacks are both internal and external. According to the National Institute of Standards and technology organizations of all sizes are vulnerable to security threats ("Small business Corner"). The institute even notes that the threat to small and medium sized businesses can be particularly problematic as they are the foundation of the nation's economy. The NIST reports that

"In the special arena of information security, vulnerable SMBs also run the risk of being compromised for use in crimes against governmental or large industrial systems upon which everyone relies. SMBs frequently cannot justify an extensive

security program or a full-time expert. Nonetheless, they confront serious security challenges and must address security requirements based on identified needs

("Small business Corner")."

Indeed no organizations are immune to attack, in fact even the organizations that are responsible for investigating computer crimes have experienced computer attacks. Currently, the FBI and the U.S. Marshalls are dealing with a computer virus that has attacked the organizations' system. According to Barrett (2009) "Law enforcement computers were struck by a mystery computer virus Thursday, forcing the FBI and the U.S. Marshals to shut down part of their networks as a precaution (Barrett, 2009)." The article explains that only the external networks of these organizations have been effected by this virus. These external networks do not contain sensitive data and the internal networks are still running smoothly. Although this security issue is still a serious problem, it is not as harmful as...

According to Young (2008) there are several major threats to computer security. These threats are as follows
Malware and Botnets- Botnets involve a number of computers that are connected to the internet and have been infiltrated to spread viruses and/or spam ("Botnet"). The owner of the computer is unaware that their system is being used to spread these harmful transmissions ("Botnet"). Botnets are also known as zombie armies because of the manner in which they are used by the creator of the spam or virus. The author explains that most botnet computers are home systems.

"According to a report from Russian-based Kaspersky Labs, botnets -- not spam, viruses, or worms -- currently pose the biggest threat to the Internet. A report from Symantec came to a similar conclusion. Computers that are coopted to serve in a zombie army are often those whose owners fail to provide effective firewalls and other safeguards. An increasing number of home users have high speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army "controller" can unleash the effects of the army by sending a single command, possibly from an Internet Relay Channel (IRC) site ("Botnet")."

Although most of the computers used as botnets are home computers, the presence of botnets can be particularly devastating to companies, particularly those involved in ecommerce ("Botnet"). According to the article, the computers contained within the botnet can be programmed to redirect transmission to specific computers. This means that websites can actually be shutdown as a result of having too much traffic caused by the redirected transmissions ("Botnet"). This is known as a distributed denial-of-service attack ("Botnet"). Such attacks are designed to disable a competitors ability to make money ("Botnet"). At the same time such attacks may result in more money for the originator of the attack ("Botnet"). These types of attack are quite common amongst companies that operate solely on the internet.

In fact according to the Georgia Tech Information Security Center,

nearly 15% of online computers worldwide are part of botnets (Young, 2009). This percentage is actually 10% higher when compared to 2008 (Young, 2009). This type of malware is so detrimental and destructive because it is updated faster than the antivirus software that is designed to protect systems from such infiltration (Young, 2009). The article explains that "The bad guys can repack and rerelease their malicious code faster than the good guys can build and distribute antivirus signatures to Identify and block it (Young, 2009)" The abundance of Botnets and other forms of Malware are indeed a major security issue that must be addressed in risk analysis and risk management (Young, 2009).

Thieves. Theft is another major concern for computer systems. Young (2009) explains that there as been a marked increased in the number of thefts involving computers containing sensitive data over the last five years. This type of theft has effected every type of organization from colleges to government agencies. In fact in 2008 nearly thirty colleges reported the lost or theft of various computers containing sensitive data. The author explains that thefts are likely to increase as the size of laptops and flash drives continue to decrease in size. For this reason it recommended that organizations encrypt sensitive information so that thieves cannot access the data even if the flash drive or laptop is stolen.

Employees. can also pose a major security risk to computer systems. In some cases have used their ability to access computer networks legitimately to get customer information such as credit card numbers (Young, 2009). This information has been sold and aided others in identity theft. In other instances employees have been responsible for stealing or losing laptops containing sensitive information. This information has included everything from social security numbers to tope secret government files. In fact several reports have found that security breaches are more likely to come form inside of an organization than from hackers (Young, 2009).

Social Networks. Another major concern is social networking sites. These sites have become more popular in recent years and the risks that they pose has also become more evident. According to Young (2009) Social networking sites are vulnerable to security problems related to phishing. In fact a study conducted by Indiana University found that phishing schemes were more likely to occur through social networking sites, than through email. For this reason organizations must be aware of the types of sites that employees and…