
Data and Information Security

The document outlines critical characteristics of information, including availability, accuracy, authenticity, confidentiality, integrity, utility, and possession. Each characteristic is defined with examples illustrating its importance in ensuring that information is accessible, correct, genuine, private, whole, valuable, and owned. The interdependence of these characteristics is emphasized, highlighting the need for robust information management practices.

Uploaded by

kingslyice

Critical characteristics of information

Availability:
Availability enables authorized users—persons or computer systems—to access information without
interference or obstruction and to receive it in the required format. Consider, for example, research
libraries that require identification before entrance. Librarians protect the contents of the library so that
they are available only to authorized patrons. The librarian must accept a patron’s identification before
that patron has free access to the book stacks. Once authorized patrons have access to the contents of
the stacks, they expect to find the information they need available in a useable format and familiar
language, which in this case typically means bound in a book and written in English.

Accuracy:
Information has accuracy when it is free from mistakes or errors and it has the value that the
end user expects. If information has been intentionally or unintentionally modified, it is no longer
accurate. Consider, for example, a checking account. You assume that the information contained in your
checking account is an accurate representation of your finances. Incorrect information in your checking
account can result from external or internal errors. If a bank teller, for instance, mistakenly adds or
subtracts too much from your account, the value of the information is changed. Or, you may
accidentally enter an incorrect amount into your account register. Either way, an inaccurate bank
balance could cause you to make mistakes, such as bouncing a check.

Authenticity:
Authenticity of information is the quality or state of being genuine or original, rather than a
reproduction or fabrication. Information is authentic when it is in the same state in which it was created,
placed, stored, or transferred. Consider for a moment some common assumptions about e-mail. When
you receive e-mail, you assume that a specific individual or group created and transmitted the e-mail—
you assume that the origin of the e-mail is known. This is not always the case. E-mail spoofing, the act of
sending an e-mail message with a modified field, is a problem, because often the modified field is the
address of the originator. Spoofing the sender’s address can fool e-mail recipients into thinking that
messages are legitimate traffic, thus inducing them to open e-mail they otherwise might not have.
Spoofing can also alter data being transmitted across a network, as in the case of User Datagram Protocol
(UDP) packet spoofing, which can enable the attacker to get access to data stored on computing
systems. Another variation on spoofing is phishing, when an attacker attempts to obtain personal or
financial information using fraudulent means, most often by posing as another individual or
organization. Pretending to be someone you are not is sometimes called pretexting when it is
undertaken by law enforcement agents or private investigators. When used in a phishing attack, e-mail
spoofing lures victims to a Web server that does not represent the organization it purports to, in an
attempt to steal their private data such as account numbers and passwords.

Confidentiality:
Confidentiality ensures that only those with the rights and privileges to access information are able to
do so. When unauthorized individuals or systems can view information, confidentiality is breached. To
protect the confidentiality of information, a number of measures can be used, including the following:

- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users

Confidentiality, like most of the characteristics of information, is interdependent with other
characteristics and is most closely related to the characteristic known as privacy. The value of
confidentiality of information is especially high when it is personal information about employees,
customers, or patients. Individuals who transact with an organization expect that their personal
information will remain confidential, whether the organization is a federal agency, such as the Internal
Revenue Service, or a business. Problems arise when companies disclose confidential information.
Sometimes this disclosure is intentional, but there are times when disclosure of confidential information
happens by mistake, for example, when confidential information is mistakenly e-mailed to someone
outside the organization rather than to someone inside the organization. Several cases of privacy
violation are outlined in Offline: Unintentional Disclosures. Other examples of confidentiality breaches
are an employee throwing away a document containing critical information without shredding it, or a
hacker who successfully breaks into an internal database of a Web-based organization and steals
sensitive information about the clients, such as names, addresses, and credit card numbers. As a
consumer, you give up pieces of confidential information in exchange for convenience or value almost
daily. By using a “members only” card at a grocery store, you disclose some of your spending habits.
When you fill out an online survey, you exchange pieces of your personal history for access to online
privileges. The bits and pieces of your information that you disclose are copied, sold, replicated,
distributed, and eventually coalesced into profiles and even complete dossiers of yourself and your life.
A similar technique is used in a criminal enterprise called salami theft. A deli worker knows he or she
cannot steal an entire salami, but a few slices here or there can be taken home without notice.
Eventually the deli worker has stolen a whole salami. In information security, salami theft occurs when
an employee steals a few pieces of information at a time, knowing that taking more would be noticed—
but eventually the employee gets something complete or useable.

Integrity:
Information has integrity when it is whole, complete, and uncorrupted. The integrity of
information is threatened when the information is exposed to corruption, damage, destruction, or other
disruption of its authentic state. Corruption can occur while information is being stored or transmitted.
Many computer viruses and worms are designed with the explicit purpose of corrupting data. For this
reason, a key method for detecting a virus or worm is to look for changes in file integrity as shown by
the size of the file. Another key method of assuring information integrity is file hashing, in which a file is
read by a special algorithm that uses the value of the bits in the file to compute a single large number
called a hash value. The hash value for any combination of bits is unique. If a computer system performs
the same hashing algorithm on a file and obtains a different number than the recorded hash value for
that file, the file has been compromised and the integrity of the information is lost. Information integrity
is the cornerstone of information systems, because information is of no value or use if users cannot
verify its integrity. File corruption is not necessarily the result of external forces, such as hackers. Noise
in the transmission media, for instance, can also cause data to lose its integrity. Transmitting data on a
circuit with a low voltage level can alter and corrupt the data. Redundancy bits and check bits can
compensate for internal and external threats to the integrity of information. During each transmission,
algorithms, hash values, and the error-correcting codes ensure the integrity of the information. Data
whose integrity has been compromised is retransmitted.
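
The two detection methods described above, file size and file hashing, compared side by side in an added example that is not part of the original document. It assumes SHA-256 as the hashing algorithm (the text names none; no two different inputs with the same SHA-256 digest are known), and the file names and contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()

def build_baseline(paths):
    """Record the trusted fingerprint of each file while it is known good."""
    return {p: fingerprint(p) for p in paths}

def check(baseline):
    """Re-hash every baselined file and classify what changed."""
    report = {}
    for path, (old_size, old_hash) in baseline.items():
        if not os.path.exists(path):
            report[path] = "missing"
            continue
        size, digest = fingerprint(path)
        if digest == old_hash:
            report[path] = "ok"
        elif size == old_size:
            # A size comparison alone would report this file as unchanged.
            report[path] = "modified-same-size"
        else:
            report[path] = "modified-size-changed"
    return report

def demo():
    """Constructed data: three small files, two altered after the baseline."""
    with tempfile.TemporaryDirectory() as d:
        files = {n: os.path.join(d, n)
                 for n in ("ledger.txt", "config.ini", "notes.txt")}
        for path in files.values():
            with open(path, "w") as fh:
                fh.write("balance=1000\n")
        baseline = build_baseline(files.values())
        with open(files["ledger.txt"], "w") as fh:
            fh.write("balance=9000\n")      # same length, different content
        with open(files["config.ini"], "a") as fh:
            fh.write("extra line\n")        # content appended, size grows
        report = check(baseline)
        return {name: report[path] for name, path in files.items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The baseline itself has to be stored where the files being monitored cannot overwrite it; otherwise whoever alters a file can also alter its recorded hash.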

Utility:
The utility of information is the quality or state of having value for some purpose or end. Information
has value when it can serve a purpose. If information is available, but is not in a format meaningful to
the end user, it is not useful. For example, to a private citizen, U.S. Census data can quickly become
overwhelming and difficult to interpret; however, for a politician, U.S. Census data reveals information
about the residents in a district, such as their race, gender, and age. This information can help form a
politician’s next campaign strategy.

Possession:
The possession of information is the quality or state of ownership or control. Information is said to be in
one’s possession if one obtains it, independent of format or other characteristics. While a breach of
confidentiality always results in a breach of possession, a breach of possession does not always result in
a breach of confidentiality. For example, assume a company stores its critical customer data using an
encrypted file system. An employee who has quit decides to take a copy of the tape backups to sell the
customer records to the competition. The removal of the tapes from their secure environment is a
breach of possession. But, because the data is encrypted, neither the employee nor anyone else can
read it without the proper decryption methods; therefore, there is no breach of confidentiality. Today,
people caught selling company secrets face increasingly stiff fines with the likelihood of jail time. Also,
companies are growing more and more reluctant to hire individuals who have demonstrated dishonesty
in their past.
