ABSTRACT

Information security practitioners are keenly aware of the major goals of information technology: availability, integrity, and confidentiality (the AIC triad). However, none of these goals is attainable if there is a weak link in the defense or security “chain.” It has often been said that with information security, one is only as strong as one’s weakest link. When we think of information and information technology security, we tend to focus our collective attention on certain technical areas of this security chain. Numerous reference sources are available to information security practitioners that describe the latest operating system, application, or hardware vulnerabilities. Many companies have built their business plans, and are able to survive, on being the first to discover these vulnerabilities and then provide solutions to the public and to the vendors themselves. The focus of the security industry has clearly been primarily on hardware, software, firmware, and the other technical aspects of information security.