Computer Security Overview
There are many characterizations of computer security. The one used in this article is related to the term information technology security. Information technology security is defined in a document [ITSE91] created by the European Community, which has gained some recent international acceptance. The document [ITSE91] defines information technology (IT) security to include the following:
• Confidentiality. Prevention of unauthorized disclosure of information.
• Integrity. Prevention of unauthorized modification of information.
• Availability. Prevention of unauthorized withholding of information or resources.
This article describes four broad areas of computer misuse: theft of computational resources, disruption of computational services, unauthorized information disclosure, and unauthorized information modification. These four areas correspond to threats to IT security. The first two categories correspond to threats to availability; the third corresponds to a threat to confidentiality; and the fourth to the integrity of the information. (Note that in this essay, theft of computational resources is considered to threat to availability of resources since it fundamentally results in the withholding of the stolen resources from those who are paying to use them.)
Integrity, which is also traditionally referred to as data integrity [TNI87], means that information is modified only by those who have the right to do so. However, integrity has meanings other than the meaning used here. These alternate meanings vary greatly from such a broad definition as “soundness” to the definition of system integrity, meaning that the hardware and software generally operate as expected. Program integrity means that programs can be invoked only by programs that are lower in integrity. This arrangement is intended to prevent corruption (that is, by unauthorized modification) of higher integrity programs [SHIR81] by lower integrity programs (for example, by viruses or other Trojan horses that might be in them).
It has been shown [SCHE86] that program integrity is just a special case of the data integrity described here. Although in other contexts integrity may be used differently, integrity in context of computer security in this article is used with the first meaning given above — that of data integrity. Information is therefore expected to be modified only by those who have the right to do so.
