Regulatory Body for advertising

The Advertising Standards Council of India (ASCI), established in 1985, is a self-regulatory voluntary organization of the advertising industry in India. It is a non-Government body. ASCI is committed to the cause of self-regulation in advertising, ensuring the protection of the interest of consumers. ASCI seeks to ensure that advertisements conform to its Code for Self-Regulation, which requires advertisements to be legal, decent, honest and truthful and not hazardous or harmful while observing fairness in competition. ASCI looks into complaints across ALL MEDIA such as Print, TV, Radio, hoardings, SMS, Emailers, Internet / web-site, product packaging, brochures, promotional material and point of sale material etc. ASCI’s role has been acclaimed by various Government bodies including The Department of Consumer Affairs (DoCA), Food Safety and Standards Authority of India (FSSAI), Ministry of AYUSH as well as the Ministry of Information and Broadcasting. The association with these Government bodies is to co-regulate and curb misleading and objectionable advertisements in the respective sectors. In January 2017, the Supreme Court of India in its judgement has also affirmed and recognized the self-regulatory mechanism as an effective pre-emptive step to statutory provisions in the sphere of advertising content regulation for TV and Radio in India. ASCI is a part of the Executive Committee of International Council on Ad Self-Regulation (ICAS). Among several awards bestowed by the European Advertising Standards Alliance (EASA), ASCI bagged two Gold Global Best Practice Awards for the Mobile App “ASCIonline” (2016) and for reducing the time taken to process complaints (2013).

Members

ASCI’s team consists of the Board of Governors, the Consumer Complaints Council (CCC) and its Secretariat. ASCI has 16 members in its Board of Governors, four each representing the key sectors such as Advertisers, advertising agencies, media and allied professions such as market research, consulting, business education etc. The CCC currently has about 28 members: 6 are from within the industry and 8 are from the civil society like well-known doctors, lawyers, journalists, academicians, consumer activists, etc. The CCC’s decision on complaint against any ad is final. ASCI also has its own independent Secretariat of 5 members which is headed by the Secretary General.

There is no other non-governmental body in India which regulates the advertising content that is released in India. If an ad that is released in India seems objectionable, a person can write to ASCI with their complaint. The CCC deliberates on the complaint after giving the advertiser due process to defend the ad against it. Depending on whether the ad is in alignment with the ASCI code and the law of the land, the complaint is upheld or not upheld; if it is upheld, the ad is voluntarily either withdrawn or modified.

In 2007, the Government of India amended the Cable TV Network Rules’ Advertising Code by which ads which violate ASCI code cannot be permitted on TV.

Self-Regulation

Almost all professional fields have self-regulatory bodies governing their activities. For the advertising fraternity, until 1985 there was none. Due to this there was a lot of false, misleading and offensive advertising. This led to consumers losing faith in advertising and hence resenting it. It was decided that if this continued it would not take time for statutory regulations such as censorship to be imposed on advertising content.

In 1985, the ASCI adopted a Code for Self-Regulation in Advertising. With the introduction of the code, the aim is to promote honest and decent advertising and fair competition in the industry. It will also ensure the protection of consumer interests and all concerned with the ad industry – advertisers, media, advertising agencies and others who help in the creation or placement of advertisements.

As the fraternity starts accepting the code, it will result in fewer false claims, fewer unfair advertisements and increased respect for advertisers.

Need for ASCI

When an advertiser is creating an ad, the consumer is his audience. The feedback from a consumer is important to the advertiser so he can be assured if his message has been correctly conveyed. If a consumer feels that a particular advertisement is in bad taste or is false in its claims, they need a body or council to whom they can air their grievances and who will take any appropriate action, if necessary. ASCI as a self-regulatory body governing advertising content is the ideal medium as its purpose is to serve both the advertisers as well as the consumers.

Public Service Advertising, Corporate Advertising, Advocacy Advertising

Public Service Advertising

A public service advertisement is a type of marketing that is circulated in the market without any cost and is for the public welfare. These advertisements are designed and broadcast for societal improvement and for the collective wellbeing of the community as a whole. They are also broadcast by the mass media to inform the general public about social matters. Along with attracting attention, a public service advertisement always has some specific purpose behind its agenda. Public service advertising evolved after the First World War; instead of making money, it covers some specific agenda and aims to resolve some societal problem in a disguised form.

It aims to change the behaviour of the community as a whole rather than to make giant sales. The approach used by such advertisements is to make action plans that force people to think about various societal issues. These plans are designed in such a way that they inspire people and motivate them to think about issues that may concern the environment, health or human rights. These ads are made by non-profit organizations for the people’s sake. They address issues that are in the public interest rather than their own, such as the advertisement by LBRT for donations for blind people, to remove the shadow of darkness from their memories and to brighten up their lives.

Purpose of Public Service Advertisement

Public service advertisements involve the collective interest of a community and aim to spread awareness for a purpose; they are broadcast without any charge by the government for the promotion of some state programs or other social agendas. These kinds of advertisements can be broadcast using any media source such as print, electronic (television or by sending mail) or billboards. These ads can be aired in any form to stimulate the minds of the general public.

Structure of PSA

Public service messages are economical and inexpensive, but the procedures and instructions for such campaigns are the same as for paid media. The target of such ads is the whole community, so you have to maintain the reliability of the ad. For launching a PSA you have to consider:

  1. Before employing such ads, first make a brief analysis of the message you want to deliver and whether it benefits society overall. You are not making it to sell any of your products or to maintain the name and goodwill of your organization, but rather to educate people. So the first step is to decide, in brief, the message that you want to communicate for a response.
  2. Then decide which advertising mode will be most beneficial in the public interest for delivering the message, and with which broadcasting medium it will show a significant result. Try to portray the message in an informative way that will enlighten society in the long run.
  3. Now is the time to select the target audience you want to approach, whether that is the whole community or some specific audience chosen on the basis of segmentation such as age, gender, race or some other factor. This target market approach will help you conserve your energy in the form of both time and money. Along with being economical, it will also reach the minds of the targeted audience directly, efficiently and effectively.
  4. The 4th step is to determine the budget. The main question is what budget is allocated by the state/government or non-profit organization for that specific campaign. While staying economical, will including an influential personality improve the effectiveness of the message?
  5. Determine the tool and technique with which you want to communicate and reach your target audience. Analyze which medium will be the most beneficial and cost-effective.
  6. Because of huge competition in media, before starting any PSA campaign meet the higher authority, public service advertisement representatives and directors to learn their level of attention for that particular issue, so that you do not waste your time and resources. Due to tough competition, not every PSA gets time and space to be broadcast. Convince them about the importance of the agenda or choose some other tool to launch.

Public Service Advertising Examples

Instead of making boring ads, make them interesting and eye-catching, so that they can lead the minds of society overall and bring about change by educating it. The areas that can be covered under such campaigns include:

  • Voting right
  • Quit smoking
  • Child abuse
  • Donation for hospitals
  • Sexual abuse
  • Environmental issues
  • Go green
  • Drive safely

Corporate Advertising

Corporate advertising is the advertising done for an entire institution/ company/ organization and not for individual brands or products. This kind of activity is an extension of the Public Relations (PR) activity done by the company to improve its image in the minds of the general public and increase its goodwill which is an extremely important intangible asset.

Instead of advertising for its individual brands and products, the corporate advertises to build its own image. We know many companies across the globe which have numerous brands under them. HUL, P&G, Volkswagen and General Motors are some examples. All of these companies also take part in corporate branding, wherein instead of branding only one particular product or brand, they brand the corporate itself.

These companies invest in improving the overall perception of the company itself. They want to prove that the company is ethical and that all its brands and products are secondary. The primary focus for these companies is their customers, which is what they try to prove through corporate advertising.

The main objective of corporate advertising is to improve the image of the company and make it a more desirable workplace at times and also a desirable corporation to buy from.

The objectives of corporate marketing:

  1. Creating a positive brand image of the firm
  2. Explain a view point to the public and to take a stand during controversial times
  3. Engage and enhance employee morale
  4. Maintain good relations with labour unions
  5. Establish company identity and macro level positioning of the brand

Advocacy Advertising

Advocacy Marketing is a form of marketing that emphasizes getting existing customers to talk about the company and its products. More than 80% of shoppers research online before buying, and having people publicly advocating for the product gives these researchers something to find and study.

These simple strategies can help any company encourage advocacy (and improve their business at the same time).

  • Be Consistent: The company should strive to be as consistent as possible in all of its dealings. Customer support should answer questions within a set period of time. Products should be shipped within a certain number of days. The website should be available as much as possible. When customers know they can rely on a company to do things in a certain way, they’re more likely to advocate for it; customers don’t want to suggest things they believe other people won’t like.
  • Offer an Outstanding Experience: Customers make purchases and expect to get a certain degree of value from that purchase, and they ultimately judge companies by how well the product they get matches their expectations. By making them feel like they received more than they paid for, it’s possible to create a better experience for the customer, and satisfied customers are inherently more likely to advocate for the company in the future.
  • Build a Brand Narrative: Customers rarely advocate for companies they’ve forgotten. A strong brand narrative can help the customer remember who the company is and how it helped them, and making customers a part of the narrative encourages them to show loyalty to the brand.

Social, Cultural, Economic impact of Advertising

Advertising is praised but also criticized by critics in their own ways. Advertising has many positive impacts along with its negative ones. As John O’Toole, President of the American Association of Advertising Agencies, has described it, advertising is something else. It is not related to studies, but it educates. It is not a journalist, but it gives all information. And it is not an entertaining device, but it entertains everyone.

Social role of Advertising:

There are some positive and some negative aspects of advertising on the social ground. They are as follows.

  • Deception in Advertising:

The relation between buyers and sellers is maintained if the buyers are satisfied that what they saw in the advertisement matches what they got after buying the product. If the seller shows a false, deceptive or exaggerated image of the product in the advertisement, then the relation between the seller and buyers can’t be healthy. These problems can be overcome if sellers keep their ads clean and display the right image of the product.

  • The Subliminal Advertising:

Capturing the minds of consumers is the main intention of these ads. The ads are made in such a way that consumers don’t even realize that the ad has made an impact on their minds, and this results in their buying products which they don’t even need. But “All ads don’t impress all consumers at all times”, because the majority of consumers buy products on the basis of price and need.

  • Effect on Our Value System:

Advertisers use puffing tactics and endorsements from celebrities, and play on emotions, which makes ads so powerful that consumers, like helpless prey, buy those products.

These ads make poor people buy products which they can’t afford, make people pick up bad habits like smoking and drinking, and make people buy products just because their favorite actor endorsed them. This results in increased cost to the whole of society and a loss of our own values.

  • Offensiveness:

Some ads are so offensive that they are not acceptable to buyers. For example, ads for denim jeans showed girls wearing very little clothing and making a sex appeal. These kinds of ads are irrelevant to the actual product. But then there are some ads which are also educative and are now accepted by people. Earlier, ads giving information about birth control pills were considered offensive, but now the same ads are considered educative and important.

  • Development of society and growth of technologies
  • Employment
  • Gives choices to buyers with self interest
  • Welcomes healthy competition
  • Improving standard of living.
  • Give information on social, economic and health issues.

Cultural impact of Advertising:

  • Shaping Cultural Values and Norms

Advertisements often reflect and reinforce cultural values and norms. By depicting certain lifestyles, behaviors, and ideals as desirable, advertising can influence societal perceptions of what is considered normal, acceptable, or desirable.

  • Defining Beauty Standards

Advertising plays a significant role in shaping beauty standards and ideals. Through images of models and celebrities, advertisements convey societal expectations of beauty, often promoting unrealistic and unattainable standards that can affect individuals’ self-esteem and body image.

  • Impacting Social Trends

Advertisements have the power to influence social trends and behaviors by promoting certain products, activities, or lifestyles. From fashion trends to dietary habits, advertising can drive consumer preferences and shape cultural practices on a large scale.

  • Reflecting Cultural Diversity

Advertising campaigns that embrace diversity and inclusivity can contribute to positive cultural change by challenging stereotypes and promoting representation across various demographics. Conversely, insensitive or stereotypical portrayals in advertising can perpetuate harmful cultural biases and prejudices.

  • Reinforcing Gender Roles

Advertisements often reinforce traditional gender roles and stereotypes by portraying men and women in stereotypical roles or associating specific products with gendered characteristics. However, there is a growing trend towards more gender-inclusive advertising that challenges these norms and promotes gender equality.

  • Influencing Consumer Behavior

Advertising has a direct impact on consumer behavior by shaping perceptions, attitudes, and purchase decisions. Effective advertising campaigns can create brand awareness, evoke emotional responses, and persuade consumers to buy products or adopt certain behaviors.

  • Fostering Cultural Conversations

Advertisements can spark cultural conversations and debates by addressing social issues, challenging taboos, or advocating for change. Brands that take a stand on social or political issues through their advertising can influence public discourse and drive awareness of important societal issues.

  • Reflecting Technological Advancements

Advertising often reflects technological advancements and cultural shifts by incorporating new media formats, digital platforms, and communication technologies. As consumer habits evolve, advertising adapts to meet changing preferences and behaviors.

  • Preserving Cultural Heritage

Advertisements can play a role in preserving and promoting cultural heritage by celebrating traditional practices, cultural icons, and historical landmarks. Brands that incorporate elements of local culture into their advertising campaigns can foster pride and appreciation for cultural heritage.

  • Fostering Brand Loyalty and Community

Effective advertising campaigns can foster a sense of belonging and community among consumers by aligning with their values, interests, and identities. Brands that connect with consumers on a cultural level can build strong emotional bonds and foster brand loyalty over time.

Economic Role of Advertising

  • Value of Products:

Advertised products are not always the best products in the market. There are also some unadvertised products which are good enough. But advertising helps increase the value of products by showing a positive image of the product, which in turn helps convince customers to buy it. Advertising educates consumers about the uses of products, hence increasing their value in the minds of consumers. For example, mobile phones were first considered a necessity, but nowadays cell phones come with a number of features which make them a mode of convenience for consumers.

  • Effect on Prices:

Some advertised products do cost more than unadvertised products, but the reverse is also true. But if there is more competition in the market for those products, the prices have to come down, for example, canned juices from various brands. Thus, some professionals like chartered accountants and doctors are not allowed to advertise.

But some products do not advertise much and don’t need to; even though their prices are high, they are still the leaders in the market because of their brand name, e.g., Porsche cars.

  • Effect on Consumer Demand and Choices:

Even if a product is heavily advertised, it does not mean that the demand, or say the consumption rate, will also increase. The product has to be different, with better quality and more variety than others. For example, Kellogg’s cornflakes come in a variety of flavours with different ranges for different age groups, and now also for people who want to lose weight, thus giving consumers different choices to select from.

  • Effect on Business cycle:

Advertising no doubt helps in employing a greater number of people. It increases the payrolls of people working in this field. It helps sellers collect more revenue, which they use for the betterment of products and services. But advertisements also have some bad effects on the business cycle. Sometimes, a consumer may find a foreign product better than the national brand. This will definitely affect production, which may in turn affect the GDP of the country.

The economic aspects are supported by the Abundance Principle, which says that producing more products and services than the consumption rate helps, firstly, to keep consumers informed about the options they have and, secondly, helps sellers to compete in a healthy atmosphere in their own self-interest.

The impact of ads on Kids

As for preteens, advertisers spend many billions of dollars per year making sure their products get in front of their eyes, and they have more places to capture their attention: television, the Internet, games, movies, apps, you name it. Advertisers also know that kids greatly influence their parents’ buying decisions, to the tune of $500 billion per year. The most significant aspect of marketing to preteens, though, is that now they can talk back. Although companies are limited in the data they can collect from kids under 13, they can still gain insights into their behavior and preferences.

Finally, teens are one of the most important demographics for marketers. Their brand preferences are still gelling, they have money to spend, and they exert a strong influence on their parents’ spending (even on big-ticket items such as cars). Because 25 percent of teens access the Internet through mobile devices, companies are targeting them where they hang out: in apps, in games, and on websites that stream music and video and offer other downloadable content. Teen-focused brands use a combination of traditional marketing techniques and new communication methods to influence product preferences.

Methods marketers use to reach young kids:

Hooking them young. Getting the product in front of a target audience as much as possible strengthens a company’s ability to capture consumers “from the cradle to the grave.” Think cartoon characters on diapers.

Dividing and targeting genders. Brands try to establish a preference for gendered toys as early as possible. The sooner your child has a desire for “boy” toys or “girl” toys, the sooner he or she becomes a customer. That opens the door for even more gendered products. 

Developing taste preferences. Junk-food marketing to kids is a $2 billion-per-year industry. Cartoon characters appear on cereal boxes, toys appear inside boxes, and characters shill for brands on TV — for example, Mr. and Mrs. Potato Head advertise potato chips. And it works.

Methods marketers use to reach preteens:

The need for stimulation. If you’re wondering why commercials for tweens look like they were filmed by a caffeine-addled jackrabbit, it’s because tween brains crave and respond strongly to stimulation. If something is exciting, they take notice.

The desire to engage. Brands bury their sales pitches to this age. Preteens are swayed by experience, not lectures, hence games, apps, contests, and other interactive gimmicks to attract and hold their attention.

The craving for emotional connection. If you have a tween, you know that kids at this age are not entirely rational. They LOVE a specific dress, they MUST HAVE a particular song, they’re OBSESSED with a certain game. Marketers use strategies that stir up emotions so kids identify with a product.

Methods marketers use to reach teens:

Exploiting insecurities. Brands appealing to teens take advantage of their particular vulnerabilities: the desire to fit in, to be perceived as attractive, and to not be a huge dork. Teens are extremely attuned to their place in the peer hierarchy, and advertising acts as a kind of “super peer” in guiding them toward what’s cool and what’s acceptable. Both teen boys and girls are highly susceptible to messages around body image, and marketers use this to their advantage.

Tracking data. Once kids turn 13, companies have few restrictions on marketing to them and collecting their data. The information they collect isn’t personally identifiable; it’s far more valuable. Tracking teens’ digital trails helps companies precisely determine their tastes, interests, purchase histories, preferences, and even their locations so they can market products to them or sell that data to other companies. Talk to teens about using privacy settings and understanding what information they’re unwittingly giving to companies.

Using peer influence on social media. Advertisers actively enlist teen followers on social media to market products. You can find this in online stores such as J. Crew’s, where you can share items you like with friends. Many brands encourage teens to broadcast their interactions with brands (such as uploading pics of themselves with a particular purse, drink, or outfit). These techniques reinforce the idea that brands “make” the person, and it’s essential to help teens realize that their self-worth is not determined by what they own (or don’t own).

Threats to Computer System

A computer system threat is anything that leads to loss or corruption of data or physical damage to the hardware and/or infrastructure. Knowing how to identify computer security threats is the first step in protecting computer systems. The threats could be intentional, accidental or caused by natural disasters.

Security Threat

A security threat is defined as a risk that can potentially harm computer systems and the organization. The cause could be physical, such as someone stealing a computer that contains vital data. The cause could also be non-physical, such as a virus attack. In this tutorial series, we will define a threat as a potential attack from a hacker that can allow them to gain unauthorized access to a computer system.

Physical Threats

A physical threat is a potential cause of an incident that may result in loss or physical damage to the computer systems.

The following list classifies the physical threats into three (3) main categories:

  • Internal: The threats include fire, unstable power supply, humidity in the rooms housing the hardware, etc.
  • External: These threats include Lightning, floods, earthquakes, etc.
  • Human: These threats include theft, vandalism of the infrastructure and/or hardware, disruption, accidental or intentional errors.

To protect computer systems from the above mentioned physical threats, an organization must have physical security control measures.

The following list shows some of the possible measures that can be taken:

  • Internal: Fire threats could be prevented by the use of automatic fire detectors and extinguishers that do not use water to put out a fire. The unstable power supply can be prevented by the use of voltage controllers. An air conditioner can be used to control the humidity in the computer room.
  • External: Lightning protection systems can be used to protect computer systems against such threats. Lightning protection systems are not 100% perfect, but to a certain extent they reduce the chances of lightning causing damage. Housing computer systems on high ground is one of the possible ways of protecting systems against floods.
  • Humans: Threats such as theft can be prevented by use of locked doors and restricted access to computer rooms.

Non-physical threats

A non-physical threat is a potential cause of an incident that may result in:

  • Loss or corruption of system data
  • Disruption of business operations that rely on computer systems
  • Loss of sensitive information
  • Illegal monitoring of activities on computer systems
  • Cyber Security Breaches
  • Others

The non-physical threats are also known as logical threats. The following list shows the common types of non-physical threats:

  • Virus
  • Trojans
  • Worms
  • Spyware
  • Key loggers
  • Adware
  • Denial of Service Attacks
  • Distributed Denial of Service Attacks
  • Unauthorized access to computer systems resources such as data
  • Phishing
  • Other Computer Security Risks

To protect computer systems from the above-mentioned threats, an organization must have logical security measures in place. The following list shows some of the possible measures that can be taken to protect against cyber security threats:

To protect against viruses, Trojans, worms, etc., an organization can use anti-virus software. In addition to the anti-virus software, an organization can also have control measures on the usage of external storage devices and on visits to websites that are most likely to download unauthorized programs onto the user’s computer.

Unauthorized access to computer system resources can be prevented by the use of authentication methods. The authentication methods can be in the form of user IDs and strong passwords, smart cards, biometrics, etc.

Intrusion-detection/prevention systems can be used to protect against denial of service attacks. There are other measures too that can be put in place to avoid denial of service attacks.
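As an added example (not part of the original tutorial), the sketch below shows the kind of rate check an intrusion-detection system can apply to spot a request flood: it counts requests per client in a sliding time window and raises one alert per client that exceeds a threshold. The log format, the function names, the window and threshold values, and the sample lines (which use documentation-range addresses) are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample lines: '<ISO timestamp> <client address> <request>'."""
    start = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # Normal client: one request every 10 seconds for two minutes.
    for i in range(12):
        ts = start + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 192.0.2.10 GET /index.html")
    # A line that does not follow the format; the detector must skip it.
    lines.append("malformed line without fields")
    # Flooding client: 50 requests in 5 seconds (one every 100 ms).
    for i in range(50):
        ts = start + timedelta(seconds=30, milliseconds=100 * i)
        lines.append(f"{ts.isoformat(timespec='milliseconds')} 198.51.100.7 GET /login")
    return lines


def detect_floods(lines, window_seconds=10, threshold=20):
    """Return ({client: time of first alert}, number of unparsable lines).

    A client is flagged when it sends more than `threshold` requests
    within any `window_seconds` span.
    """
    window = timedelta(seconds=window_seconds)
    events = []
    skipped = 0
    for line in lines:
        parts = line.split(maxsplit=2)
        try:
            ts = datetime.fromisoformat(parts[0])
            client = parts[1]
        except (ValueError, IndexError):
            skipped += 1  # count bad lines instead of crashing on them
            continue
        events.append((ts, client))

    events.sort()  # logs from several sources may arrive out of order
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    alerts = {}
    for ts, client in events:
        q = recent[client]
        q.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and client not in alerts:
            alerts[client] = ts
    return alerts, skipped


if __name__ == "__main__":
    found, bad = detect_floods(build_sample_log())
    for client, when in found.items():
        print(f"ALERT {client} exceeded the request threshold at {when.isoformat()}")
    print(f"{bad} line(s) skipped")
```

A per-client counter like this catches a single flooding source; a distributed attack spreads requests over many clients and needs an aggregate rate check as well.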

  • A threat is any activity that can lead to data loss/corruption through to disruption of normal business operations.
  • There are physical and non-physical threats
  • Physical threats cause damage to computer systems hardware and infrastructure. Examples include theft, vandalism through to natural disasters.
  • Non-physical threats target the software and data on the computer systems.

Types of Security Threats

Cyber attackers change their attack techniques day by day and gain access to an organization’s systems. There are different types of security threats to organizations, which can affect the business continuity of an organization. So, there is no way to be completely sure that an organization is free from cyber security threats or attacks.

Types of Security Threats

In this post, we will discuss different types of security threats to organizations, which are as follows:

  1. Computer Viruses

A virus is a software program that can spread from one computer to another or from one network to another without the user’s knowledge and performs malicious attacks.

It has the capability to corrupt or damage an organization’s sensitive data, destroy files, and format hard drives.

How Does a Virus Attack?

There are different ways that a virus can be spread or attack, such as:

  • Clicking on an executable file
  • Installing free software and apps
  • Visiting an infected and unsecured website
  • Clicking on advertisements
  • Using infected removable storage devices, such as USB drives
  • Opening spam email or clicking on a URL link
  • Downloading free games, toolbars, media players and other software.

  2. Trojan Horse

A Trojan horse is malicious code or a program developed by hackers and disguised as legitimate software to gain access to an organization’s systems. It is designed to delete, modify, damage, block, or perform some other harmful action on your data or network.

How Does a Trojan Horse Attack?

The victim receives an email with an attachment that looks like an original official email. The attachment can contain malicious code that is executed as soon as the victim clicks on it.

In that case, the victim does not suspect or understand that the attachment is actually a Trojan horse.
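As an added example (not from the original post), here is a defensive screening check that a mail filter could run on attachments before delivery, aimed at the disguise described above. It flags executable extensions, double extensions such as `.pdf.exe`, and files that carry a Windows executable header under a document name. The extension lists, function names and the sample message are assumptions constructed for illustration, and a check like this complements anti-virus scanning rather than replacing it.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative lists (assumptions); a real filter would maintain its own.
RISKY_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".hta", ".lnk"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
NATIVE_EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".dll"}


def screen_attachment(filename, payload):
    """Return a list of reasons why this attachment should be quarantined."""
    reasons = []
    name = (filename or "").strip().lower()
    stem, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
        if inner_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"double extension disguises the file as {inner_ext}")
    # Windows executables start with the bytes 'MZ' whatever they are named.
    if payload[:2] == b"MZ" and ext not in NATIVE_EXECUTABLE_EXTENSIONS:
        reasons.append("Windows executable header under a non-executable name")
    return reasons


def screen_message(raw_bytes):
    """Parse a raw email and return {attachment filename: [reasons]}."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        filename = part.get_filename()
        payload = part.get_payload(decode=True) or b""
        reasons = screen_attachment(filename, payload)
        if reasons:
            findings[filename] = reasons
    return findings


def build_sample_message():
    """Constructed sample email with harmless placeholder attachment bytes."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please find the invoice attached.")
    fake_exe = b"MZ" + b"\x00" * 16  # only the header bytes, not a real program
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="Invoice_2024.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, why in screen_message(build_sample_message()).items():
        print(f"QUARANTINE {name}: {'; '.join(why)}")
```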

  3. Adware

Adware is a software program that contains commercial and marketing-related advertisements, such as display advertisements through pop-up windows or bars, banner ads, and video on your computer screen.

Its main purpose is to generate revenue for its developer by serving different types of advertisements to an internet user.

How Does Adware Attack?

  • When you click on that type of advertisement, it redirects you to an advertising website and collects information from you.
  • It can also be used to steal your sensitive information and login credentials by monitoring your online activities and selling that information to a third party.

  4. Spyware

Spyware is an unwanted type of security threat to organizations that is installed on a user’s computer and collects sensitive information, such as personal or business information, login credentials and credit card details, without the user’s knowledge.

This type of threat monitors your internet activity, tracks your login credentials, and spies on your sensitive information.

So, every organization or individual should take action to prevent spyware by using anti-virus software and a firewall, and by downloading software only from trusted sources.

How Does Spyware Install?

It can install itself automatically on your computer, arrive as a hidden component of software packages, or be installed like traditional malware through deceptive ads, email and instant messages.

  5. Worm

A computer worm is a type of malicious software that copies itself from one computer to another across an organization’s connected network.

How Does a Worm Spread?

It can spread without any human assistance by exploiting security holes in software, and it tries to gain access in order to steal sensitive information, corrupt files and install a back door for remote access to the system.

  6. Denial-of-Service (DoS) Attacks

Denial-of-Service is an attack that shuts down a machine or network or makes it inaccessible to its users. It typically floods a targeted system with requests until normal traffic can no longer be processed, resulting in denial of service to users.

How Does a DoS Attack Work?

  • It occurs when an attacker prevents legitimate users from accessing specific computer systems, devices or other resources.
  • The attacker sends too much traffic to the target server.
  • The server is overloaded and overwhelmed, which takes down websites, email servers and other services that connect to the Internet.

  7. Phishing

Phishing is a type of social engineering attack that attempts to gain confidential information such as usernames, passwords, credit card information, login credentials, and more.

How Does a Phishing Attack Work?

  • In a phishing email attack, an attacker sends the victim an email that looks like it came from their bank and asks them to provide personal information.
  • The message contains a link, which redirects you to another vulnerable website to steal your information.
  • So, it is better not to click on or open this type of email, and not to provide your sensitive information.

  8. SQL Injection

SQL injection is a type of injection attack and one of the most common web hacking techniques. It allows an attacker to control the back-end database to change or delete data.

How Does a SQL Injection Attack Work?

It is an application security weakness: when an application fails to properly sanitize SQL statements, an attacker can include their own malicious SQL commands to access the organization’s database. The attacker includes the malicious code in SQL statements via web page input.
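The weakness described above, shown beside its fix, as an added example that is not part of the original post. The table, the function names and the crafted input are constructed for illustration, and the code uses Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed input for illustration: text typed into a web form field.
CRAFTED = "nobody' OR '1'='1"


def make_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            username TEXT NOT NULL,
            card_last4 TEXT NOT NULL,
            active INTEGER NOT NULL DEFAULT 1
        );
        INSERT INTO customers (username, card_last4) VALUES
            ('alice', '4242'), ('bob', '1881'), ('carol', '0005');
        """
    )
    return conn


def lookup_vulnerable(conn, username):
    # Weak: the input is pasted into the SQL text, so a quote character in
    # the input ends the string literal and the rest is parsed as SQL.
    query = (
        "SELECT username, card_last4 FROM customers "
        "WHERE username = '" + username + "' ORDER BY id"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    # Fixed: the statement text is constant and the input is bound as a
    # value, so it is only ever compared against the username column.
    query = (
        "SELECT username, card_last4 FROM customers "
        "WHERE username = ? ORDER BY id"
    )
    return conn.execute(query, (username,)).fetchall()


def deactivate_vulnerable(conn, username):
    # Same weakness on a write path: the WHERE clause can be widened so the
    # change applies to rows the caller never named.
    query = "UPDATE customers SET active = 0 WHERE username = '" + username + "'"
    return conn.execute(query).rowcount


def deactivate_parameterized(conn, username):
    query = "UPDATE customers SET active = 0 WHERE username = ?"
    return conn.execute(query, (username,)).rowcount


if __name__ == "__main__":
    db = make_db()
    print("concatenated lookup :", lookup_vulnerable(db, CRAFTED))
    print("parameterized lookup:", lookup_parameterized(db, CRAFTED))
    print("rows changed (concatenated) :", deactivate_vulnerable(make_db(), CRAFTED))
    print("rows changed (parameterized):", deactivate_parameterized(make_db(), CRAFTED))
```

Binding values as parameters is more reliable than trying to sanitize the input, because the database never parses the input as SQL at all.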

  9. Rootkit

A rootkit is a malicious program that installs and executes malicious code on a system without the user’s consent in order to gain administrator-level access to a computer or network system.

There are different types of rootkits, such as bootkits, firmware rootkits, kernel-level rootkits and application rootkits.

How Does a Rootkit Install?

A computer can be infected through shared infected disks or drives. A rootkit is typically installed through a stolen password, or by exploiting system vulnerabilities, social engineering tactics and phishing techniques, without the victim’s knowledge.

  10. Malware

Malware is software, typically consisting of a program or code, that is developed by cyber attackers. It is a type of cyber security threat to organizations designed to cause extensive damage to systems or to gain unauthorized access to a computer.

How Does Malware Attack?

  • Malware can infect a device in different ways. For example, it can be delivered as a link or file over email, which requires the user to click the link or open the file to execute the malware.
  • This type of attack includes computer viruses, worms, Trojan horses and spyware.

  11. Ransomware

Ransomware is a type of security threat that blocks access to a computer system and demands bitcoin in order to restore access. The most dangerous ransomware attacks include WannaCry, Petya, Cerber, Locky and CryptoLocker.

How Does Ransomware Install?

All of these types of threats are typically installed on a computer system in the following ways:

  • Downloading and opening a malicious email attachment
  • Installing infected software or apps
  • Visiting a malicious or vulnerable website
  • Clicking on untrusted web links or images

  12. Data Breach

A data breach is a security threat that exposes confidential or protected information: the information is accessed from a system without the authorization of the system’s owner.

The information involved may be sensitive, proprietary, or confidential, such as credit card numbers, customer data, trade secrets, etc.

  13. Zero Day Attack

A zero day attack is an application-based cyber security threat that involves an unknown security vulnerability in computer software or an application. When an organization launches an application, it does not know what types of vulnerability it contains.

How Does a Zero Day Attack Happen?

It happens when a patch has not been released, or when the software developers were unaware of the vulnerability or did not have sufficient time to fix it.

If the vulnerability is not fixed by the developer, it can affect computer programs, data, or a network.

  14. Careless Employees of the Organization

Employees are the greatest security risk for any organization, because they know everything about the organization, such as where the sensitive information is stored and how to access it. In addition to malicious attacks, careless employees are another type of cyber security threat to organizations.

How Does the Attack Happen?

They use very simple passwords that are easy to remember, and also share passwords. Another common problem is employees opening suspicious email attachments, clicking on links or visiting malicious websites, which can introduce malware into the system.

Information Technology Risk

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk related to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization’s business processes or mission, ranging from inconsequential to catastrophic in scale.

Assessing the probability or likelihood of various types of event/incident with their predicted impacts or consequences, should they occur, is a common way to assess and measure IT risks. Alternative methods of measuring IT risk typically involve assessing other contributory factors such as the threats, vulnerabilities, exposures, and asset values.

Your IT systems and the information that you hold on them face a wide range of risks. If your business relies on technology for key operations and activities, you need to be aware of the range and nature of those threats.

Types of risks in IT systems

Threats to your IT systems can be external, internal, deliberate and unintentional. Most IT risks affect one or more of the following:

  • Business Or Project Goals
  • Service Continuity
  • Bottom Line Results
  • Business Reputation
  • Security
  • Infrastructure

Examples of IT risks

Looking at the nature of risks, it is possible to differentiate between:

  • Physical threats: Resulting from physical access or damage to IT resources such as the servers. These could include theft, damage from fire or flood, or unauthorised access to confidential data by an employee or outsider.
  • Electronic threats: Aiming to compromise your business information – eg a hacker could get access to your website, your IT system could become infected by a computer virus, or you could fall victim to a fraudulent email or website. These are commonly of a criminal nature.
  • Technical failures: Such as software bugs, a computer crash or the complete failure of a computer component. A technical failure can be catastrophic if, for example, you cannot retrieve data on a failed hard drive and no backup copy is available.
  • Infrastructure failures: Such as the loss of your internet connection, which can interrupt your business – eg you could miss an important purchase order.
  • Human error: Is a major threat – eg someone might accidentally delete important data, or fail to follow security procedures properly.

Managing various types of IT risks begins with identifying exactly:

  • The type of threats affecting your business
  • The assets that may be at risk
  • The ways of securing your IT systems

Criminal IT threats

Specific or targeted criminal threats to IT systems and data include:

  • Hackers: People who illegally break into computer systems
  • Fraud: Using a computer to alter data for illegal benefit
  • Password theft: Often a target for malicious hackers
  • Denial-of-service: Online attacks that prevent website access for authorised users
  • Security breaches: Includes physical break-ins as well as online intrusion
  • Staff dishonesty: Theft of data or sensitive information, such as customer details.

Natural disasters and IT systems

Natural disasters such as fire, cyclone and floods also present risks to IT systems, data and infrastructure. Damage to buildings and computer hardware can result in loss or corruption of customer records/transactions.

Risk Mitigation in IT

Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a data center. Comparable to risk reduction, risk mitigation takes steps to reduce the negative effects of threats and disasters on business continuity (BC). Threats that might put a business at risk include cyberattacks, weather events and other causes of physical or virtual damage to a data center.

Risk mitigation planning is the process of developing options and actions to enhance opportunities and reduce threats to project objectives. Risk mitigation implementation is the process of executing risk mitigation actions. Risk mitigation progress monitoring includes tracking identified risks, identifying new risks, and evaluating risk process effectiveness throughout the project.

Risk Mitigation Strategies

General guidelines for applying risk mitigation handling options are shown in Figure 2. These options are based on the assessed combination of the probability of occurrence and severity of the consequence for an identified risk. These guidelines are appropriate for many, but not all, projects and programs.

Figure 2. Risk Mitigation Handling Options

Risk mitigation handling options include:

  • Assume/Accept: Acknowledge the existence of a particular risk, and make a deliberate decision to accept it without engaging in special efforts to control it. Approval of project or program leaders is required.
  • Avoid: Adjust program requirements or constraints to eliminate or reduce the risk. This adjustment could be accommodated by a change in funding, schedule, or technical requirements.
  • Control: Implement actions to minimize the impact or likelihood of the risk.
  • Transfer: Reassign organizational accountability, responsibility, and authority to another stakeholder willing to accept the risk.
  • Watch/Monitor: Monitor the environment for changes that affect the nature and/or the impact of the risk.

Each of these options requires developing a plan that is implemented and monitored for effectiveness. More information on handling options is discussed under best practices and lessons learned below.

From a systems engineering perspective, common methods of risk reduction or mitigation with identified program risks include the following, listed in order of increasing seriousness of the risk:

  • Intensified technical and management reviews of the engineering process
  • Special oversight of designated component engineering
  • Special analysis and testing of critical design items
  • Rapid prototyping and test feedback
  • Consideration of relieving critical design requirements
  • Initiation of fallback parallel developments

When determining the method for risk mitigation, the MITRE SE can help the customer assess the performance, schedule, and cost impacts of one mitigation strategy over another. For something like “parallel” development mitigation, MITRE SEs could help the government determine whether the cost could more than double, while time might not be extended by much (e.g., double the cost for parallel effort, but also added cost for additional program office and user engagement). For conducting rapid prototyping or changing operational requirements, MITRE SEs can use knowledge in creating prototypes and using prototyping and experimenting for projecting the cost and time to conduct a prototype to help mitigate particular risks (e.g., requirements). Implementing more engineering reviews and special oversight and testing may require changes to contractual agreements. MITRE systems engineers can help the government assess these (schedule and cost) by helping determine the basis of estimates for additional contractor efforts and providing a reality check for these estimates. MITRE’s CASA [Center for Acquisition and Systems Analysis] and the CCG [Center for Connected Government] Investment Management practice department have experience and a knowledge base in many development activities across a wide spectrum of methods and can help with realistic assessments of mitigation alternatives.

Types of Risk Mitigation

  1. Risk Acceptance

Risk acceptance does not reduce any effects; however, it is still considered a strategy. This strategy is a common option when the cost of other risk management options such as avoidance or limitation may outweigh the cost of the risk itself. A company that doesn’t want to spend a lot of money on avoiding risks that do not have a high possibility of occurring will use the risk acceptance strategy.

  2. Risk Avoidance

Risk avoidance is the opposite of risk acceptance. It is the action that avoids any exposure to the risk whatsoever. It’s important to note that risk avoidance is usually the most expensive of all risk mitigation options.

  3. Risk Limitation

Risk limitation is the most common risk management strategy used by businesses. This strategy limits a company’s exposure by taking some action. It is a strategy employing a bit of risk acceptance along with a bit of risk avoidance or an average of both. An example of risk limitation would be a company accepting that a disk drive may fail and avoiding a long period of failure by having backups.

  4. Risk Transference

Risk transference involves handing risk off to a willing third party. For example, numerous companies outsource certain operations such as customer service, payroll services, etc. This can be beneficial for a company if a transferred risk is not a core competency of that company. It can also be used so a company can focus more on its core competencies.

So how can I be a leader in Business Continuity Management (BCM) Governance, Risk and Compliance (GRC) and balance my risks and opportunities?

All four of these risk mitigation strategies require monitoring. Vigilance is needed so that you can recognize and interpret changes to the impact of that risk.

Risk Management in IT

IT Risk Management is the application of risk management methods to information technology in order to manage IT risk, i.e. the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization.

IT risk management can be considered a component of a wider enterprise risk management system.

The establishment, maintenance and continuous update of an Information Security Management System (ISMS) provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.

Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.

According to the Risk IT framework, this encompasses not only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact.

Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.

Steps to IT Risk Management

IT risk management is the application of risk management methods to information technology to manage the risks inherent in that space. To do that means assessing the business risks associated with the use, ownership, operation and adoption of IT in an organization. Follow these steps to manage risk with confidence.

  1. Identify the Risk

You can’t prepare for risk without first figuring out, to the best of your ability, where and when it might arise. Therefore, both manager and team must be alert to uncovering and recognizing any risks, then detailing them by explaining how they might impact the project and outcomes. One method is using an IT risk assessment template.

  2. Analyze the Risk

Once you’ve identified risk, you then must analyze it and discern if it’s big, small or minimal in its impact. Also consider what the impact of each of the risks would be. Study the risk and how it might influence the project in various ways. You’ll add these findings to your risk assessment.

  3. Evaluate and Rank the Risk

Once you evaluate the impact of risks and prioritize them, you can begin to develop strategies to control them. This is done by understanding what the risk can do to the project, which is determining the likelihood of it occurring and the magnitude of its impact. Then you can say that the risk must be addressed or can be ignored without faulting the overall project. Again, these rankings would be added to your risk assessment.

  4. Respond to the Risk

After all this, if the risk becomes an actual issue, then you’re no longer in the theoretical realm. It’s time for action. This is what’s called risk response planning, in which you take your high-priority risks and decide how to treat them or modify them, so they rank as lower priority. Risk mitigation strategies apply here, as well as preventive and contingency plans. Add these approaches to your risk assessment.

  5. Monitor & Review the Risk

Once you act, you must track and review the progress on mitigating the risk. Use your risk assessment to track and monitor how your team is dealing with the risk to make sure that nothing is left out or forgotten.

IT Risk Management Strategies

Strategies are a way to provide a structured approach to identify, assess and manage risks. They provide a process to regularly update and review the assessment based on changes.

  1. Apply Safeguards

This is an avoidance strategy, where the company decides to avoid risk at all costs and focuses a great deal of resources to that end. If you can avoid the risk, then it is no longer a threat to the project. However, there is a downside to this. If you avoid the risk, you also avoid the associated potential of its return and opportunity. So, it’s a decision not to take lightly.

  2. Transfer the Risk

This is a transference strategy, when the company transfers the risk to another entity. This redistribution can be onto the company members, some outsource entity or an insurance policy.

  3. Reduce the Impact

This is a mitigation strategy, where the company works to reduce the impact of the risk through methodology, teams or whatever resources are at its disposal. It can involve small changes, but always must come by process and a plan.

  4. Accept the Risk

This is an acceptance strategy, where you know there is risk and accept that, so when and if it occurs you can deal with it then and there. This is sometimes unavoidable, but manageable if you have followed the steps in your project risk assessment template.

Best Practices for IT Risk Management

Here are six best practices when managing risk in IT.

  • Evaluate Early & Often: There’s no better time to start on the risk management process than now, so begin early. Remember it is a process and so it will continue throughout the project. Then continue monitoring all the time. Risk never sleeps.
  • Lead from the Top: Good leadership is many things. One aspect is developing a risk culture at the organization. That means valuing input from everyone, believing in the importance of acknowledging risk and keeping a positive attitude about responding.
  • Communications: Having a clear channel to communicate risk throughout the organization is paramount to identifying and responding quickly and effectively to risk.
  • Strong Policies: If there is not already a process and plan to deal with risk, you’re always going to be one step behind. This is again why a project risk assessment is key, but so is understanding roles and responsibilities for everyone on the project team, having a continuity plan, etc.
  • Involve Stakeholders: A great resource that is often overlooked is the project stakeholders, who have a unique perspective and can provide insight into areas where risk might arise. So, involve them throughout the process, from asking for their participation with the risk assessment template through the whole course of the project.
  • Get Signoffs: At every stage of your risk management, get people to sign-off on the strategy, which includes the stakeholders.

Information System Security

Information systems security, more commonly referred to as INFOSEC, refers to the processes and methodologies involved with keeping information confidential, available, and assuring its integrity.

It also refers to:

  • Access controls, which prevent unauthorized personnel from entering or accessing a system.
  • Protecting information no matter where that information is, i.e. in transit (such as in an email) or in a storage area.
  • The detection and remediation of security breaches, as well as documenting those events.

Information systems security does not just deal with computer information, but also protecting data and information in all of its forms, such as telephone conversations.

Risk assessments must be performed to determine what information poses the biggest risk. For example, one system may have the most important information on it and therefore will need more security measures to maintain security. Business continuity planning and disaster recovery planning are other facets of an information systems security professional’s role. This professional will plan for what could happen if a major business disruption occurs, but still allow business to continue as usual.

MIS security refers to measures put in place to protect information system resources from unauthorized access or being compromised. Security vulnerabilities are weaknesses in a computer system, software, or hardware that can be exploited by the attacker to gain unauthorized access or compromise a system.

People as part of the information system components can also be exploited using social engineering techniques. The goal of social engineering is to gain the trust of the users of the system.

  1. Computer viruses

These are malicious programs as described in the above section. The threats posed by viruses can be eliminated or the impact minimized by using Anti-Virus software and following laid down security best practices of an organization.

  2. Unauthorized access

The standard convention is to use a combination of a username and a password. Hackers have learnt how to circumvent these controls if the user does not follow security best practices. Most organizations have added the use of mobile devices such as phones to provide an extra layer of security.

Let’s take Gmail as an example. If Google is suspicious of a login on an account, it will ask the person about to log in to confirm their identity using their Android-powered mobile device, or send an SMS with a PIN which should supplement the username and password.

If the company does not have enough resources to implement extra security like Google, they can use other techniques. These techniques can include asking questions to users during signup such as what town they grew up in, the name of their first pet, etc. If the person provides accurate answers to these questions, access is granted into the system.

  3. Data loss

If the data center caught fire or was flooded, the hardware with the data can be damaged, and the data on it will be lost. As a standard security best practice, most organizations keep backups of the data at remote places. The backups are made periodically and are usually put in more than one remote area.

Biometric Identification – this is now becoming very common, especially with mobile devices such as smartphones. The phone can record the user’s fingerprint and use it for authentication purposes. This makes it harder for attackers to gain unauthorized access to the mobile device. Such technology can also be used to stop unauthorized people from getting access to your devices.

Ethical & Security Issues in Information Security System

Information systems have made many businesses successful today. Some companies such as Google, Facebook, EBay, etc. would not exist without information technology. However, improper use of information technology can create problems for the organization and employees.

Criminals gaining access to credit card information can lead to financial loss to the owners of the cards or the financial institution. Misusing the organization’s information systems, e.g. posting inappropriate content on Facebook or Twitter using a company account, can lead to lawsuits and loss of business.

  • Cyber-crime
  • Information system Security
  • Information system Ethics
  • Information Communication Technology (ICT) policy