Internal Threats

We tend to think the security threats to a business originate outside the organization. In fact, the largest financial threats to business institutions come from insiders. Some of the largest disruptions to service, destruction of e-commerce sites, and diversion of customer credit data and personal information have come from insiders—once trusted employees. Employees have access to privileged information, and in the presence of sloppy internal security procedures, they are often able to roam throughout an organization's systems without leaving a trace.
Studies have found that users' lack of knowledge is the single greatest cause of network security breaches. Many employees forget their passwords to access computer systems or allow other coworkers to use them, which compromises the system. Malicious intruders seeking system access sometimes trick employees into revealing their passwords by pretending to be legitimate members of the company in need of information. This practice is called social engineering.
Employees—both end users and information systems specialists—are also a major source of errors introduced into an information system. Employees can introduce errors by entering faulty data or by not following the proper instructions for processing data and using computer equipment.
Information systems specialists can also create software errors as they design and develop new software or maintain existing programs.
Software Vulnerability

Software errors also pose a constant threat to information systems, causing untold losses in productivity.
A major problem with software is the presence of hidden bugs, or program code defects. Studies have shown that it is virtually impossible to eliminate all bugs from large programs. The main source of bugs is the complexity of decision-making code. Important programs within most corporations may contain tens of thousands or even millions of lines of code, each with many alternative decision paths. Such complexity is difficult to document and design—designers may document some reactions incorrectly or may fail to consider some possibilities. Even after rigorous testing, developers do not know for sure that a piece of software is dependable until the product proves itself after much operational use.