ABSTRACT
Ideally, information systems security enables management
to have confidence that their computational systems will
provide the information requested and expected, while
denying access to those who have no right to it.
The analysis of incidents resulting in damage to information
systems shows that most losses were still due to errors
or omissions by authorized users, actions of disgruntled
employees, and an increase in external penetrations of
systems by outsiders. Traditional controls are normally
inadequate in these cases or are focused on the wrong
threat, resulting in the exposure of a vulnerability.