1. Why is the top-down approach to information security superior to the bottom-up approach?
2. What is the difference between a threat agent and a threat?
3. What was important about Rand Report R-609?
4. What type of security was dominant in the early years of computing?
5. What is the relationship between the MULTICS project and the early development of computer security?
6. What is the difference between vulnerability and exposure?
7. If the C.I.A. triangle is incomplete, why is it so commonly used in security?
8. What are the three components of the C.I.A. triangle? What are they used for?
9. Why is a methodology important in the implementation of information security? How does a methodology improve the process?
10. Who decides how and when data in an organization will be used or controlled? Who is responsible for seeing that these decisions are carried out?
11. Identify the six components of an information system. Which are most directly affected by the study of computer security? Which are most commonly associated with its study?
12. Which paper is the foundation of all subsequent studies of computer security?
13. Describe the critical characteristics of information. How are they used in the study of computer security?
14. Who is ultimately responsible for the security of information in the organization?
15. What system is the predecessor of almost all modern multi-user systems?
16. Who should lead a security team? Should the approach to security be more managerial or technical?
17. Which members of an organization are involved in the security system development life cycle? Who leads the process?
18. How has computer security evolved into modern information security?
19. What are the type of password attacks? What can a systems administrator do to protect against them?
20. Why is information security a management problem? What can management do that technology cannot?
21. What measures can individuals take to protect against shoulder surfing?
22. Why are employees one of the greatest threats to information security?
23. Which management groups are responsible for implementing information security to protect the organization's ability to function?
24. What is buffer overflow, and how is it used against a Web server?Why does polymorphism cause greater concern than traditional malware? How does is affect detection?
25. What is information extortion? Describe how such an attack can cause losses, using an example not found in the text.
26. What are the various types of malware? How do worms differ from viruses? Do trojan horses carry viruses or worms?
27. Why is data the most important asset an organization possesses? What other assets in the organization require protection?
28. What is the difference between a denial-of-service (DoS) attack and a distributed denial-of-service (DDoS) attack? Which is more dangerous? Why?
29. What are the various forces of nature? Which type might be of greatest concern to an organization in Las Vegas? Jakarta? Oklahoma City? Amsterdam? Miami? Tokyo?
30. Which law amended the Computer Fraud and Abuse Act of 1986, and what did it change?
31. What is another name for the Kennedy-Kassebaum Act (1996), and why is it important to organizations that are not in the healthcare industry?
32. What is the difference between law and ethics?
33. What is privacy in an information security context?
34. What is the primary purpose of the USA PATRIOT Act?
35. What is intellectual property (IP)? Is it afforded the same protection in every country of the world? What laws currently protect it in the United States and Europe?
36. What is the best method for preventing an illegal or unethical activity?
37. What are the three general categories of unethical and illegal behavior?
38. What are the primary examples of public law?
39. How is due diligence different from due care? Why are both important
40. How has the PATRIOT Act been revised since its original passage?
41. What is containment, and why is it part of the planning process?
42. Where can a security administrator find information on established security framework?
43. According to Sun Tzu, what two key understandings must you achieve to be successful in battle?
44. What are vulnerabilities and how do you identify them?