Information Security and Cyber Laws: Threats, Controls, Privacy and Ethics (Overview)

In MIS, information is a critical asset. If information is stolen, changed, or becomes unavailable, business operations and decisions suffer. Therefore, organizations focus on information security (protecting data and systems) and follow cyber laws (legal rules related to digital transactions and misuse). Along with law, privacy and ethics ensure responsible and fair use of data and technology.

This topic is typically asked as:

• define information security; explain CIA triad
• types of cyber threats (malware, phishing, hacking)
• security controls (preventive/detective/corrective)
• privacy and ethical issues
• basic idea of cyber laws (meaning, objectives; examples of cyber crimes)

Meaning of information security

Information security means protecting information and information systems from:

• unauthorized access (confidentiality loss)
• unauthorized change (integrity loss)
• disruption/unavailability (availability loss)

Goal: ensure information is secure, accurate and available for authorized users.

CIA triad (Confidentiality, Integrity, Availability)

The CIA triad is the foundation of information security:

• Confidentiality: only authorized people can access data.
  • Example: salary records visible only to HR.
• Integrity: data is correct and not altered without permission.
  • Example: invoice amount cannot be changed without authorization.
• Availability: data and systems are accessible when needed.
  • Example: banking system should work during business hours (and ideally 24×7).

Cyber threats: meaning and classification

A cyber threat is any potential danger that can exploit a vulnerability and cause harm to data/systems.

Threats can be classified as:

• malware-based (virus, worm, trojan, ransomware)
• social engineering (phishing, fake calls, OTP fraud)
• network attacks (DoS/DDoS, sniffing, man-in-the-middle)
• unauthorized access (hacking, password cracking)
• insider threats (misuse by employees/partners)

Common threats: malware (virus, worm, trojan, ransomware)

Malware is malicious software designed to damage, disrupt or steal.

• Virus: attaches to a file/program and spreads when executed.
• Worm: self-replicates across networks without needing user action.
• Trojan: looks like legitimate software but performs malicious actions.
• Ransomware: encrypts files and demands payment to unlock.

Basic impact:

• data loss, system slowdown, unauthorized access, financial loss.

Common threats: phishing, social engineering and identity theft

Phishing

Phishing is a fraudulent attempt to steal sensitive information through fake emails/SMS/websites.

Example:

• “Your bank account is blocked. Click this link and enter OTP.”

Social engineering

Manipulating people to reveal information or perform actions (sharing password/OTP).

Identity theft

Using someone’s personal data to impersonate them (fraudulent transactions/loans).

Common threats: hacking, DoS/DDoS and data breach

Hacking / unauthorized access

Accessing systems without permission to steal/modify data.

DoS / DDoS

• DoS: making a service unavailable by flooding it with requests.
• DDoS: same attack from many systems simultaneously.

Data breach

Unauthorized exposure of sensitive information (customer data, passwords).

Security controls: preventive, detective, corrective (with examples)

Preventive controls (avoid incidents)

• strong authentication (MFA/OTP/biometrics)
• access control (RBAC, least privilege)
• firewalls, secure configurations, patch management
• awareness training (avoid suspicious links)

Detective controls (find incidents)

• intrusion detection and security monitoring
• audit logs and alerts
• vulnerability scanning

Corrective controls (recover)

• incident response plan
• backup restore and disaster recovery
• patching and system hardening after incident

Authentication, authorization and access control

These three are core security concepts:

• Authentication: verify identity (password, OTP, biometrics).
• Authorization: what the authenticated user is allowed to do (roles/permissions).
• Access control: the overall mechanism that enforces authorization and prevents unauthorized access.

Example:

• User logs in (authentication) → system checks role (authorization) → system allows only permitted actions (access control).

Encryption and secure communication (basics)

Encryption converts readable data into coded form so that only authorized parties can read it.

Where it is used:

• data in transit: HTTPS/SSL/TLS protects data between user and server.
• data at rest: database encryption protects stored data.

Benefit:

• even if data is intercepted or stolen, it is hard to read without keys.

Backup, recovery and incident response (basics)

Backup and recovery

• regular backups protect against ransomware, accidental deletion, crashes.
• recovery restores operations quickly, reducing downtime.

Incident response

Basic steps:

• detect incident → contain → investigate → eradicate → recover → document lessons.

Privacy: meaning and best practices

Privacy is the right of individuals to control how their personal information is collected, used, shared and stored.

Good privacy practices:

• collect only necessary data (data minimization)
• take consent and give clear notice (transparency)
• secure storage and limited access
• delete data when no longer required (retention policy)

Ethics in IT: common issues

Ethics refers to moral principles guiding correct behavior in using IT.

Common ethical issues:

• unauthorized access to data
• software piracy (illegal copying)
• spreading fake information and misuse of social media
• misuse of employee/customer data (privacy violation)
• plagiarism and misuse of AI/content

Ethical use builds trust and protects reputation.

Cyber laws: meaning, objectives and examples

Cyber laws are legal rules dealing with:

• online transactions and digital evidence
• cyber crimes and punishments
• protection of data and privacy (where applicable)

Objectives:

• prevent and punish cyber crimes (hacking, fraud, identity theft)
• provide legal recognition to electronic records and digital signatures
• protect users and encourage safe online business

Examples of cyber crimes:

• phishing and online fraud
• hacking and unauthorized access
• spreading malware, ransomware
• data theft and privacy breach

Note: Specific acts/sections differ by country; in exams, focus on meaning, objectives, and examples.

Mini tables & flowcharts for exam answers

Table 1: CIA triad with examples

Table 2: Malware types (quick)

Flowchart: Basic incident response

Detect → Contain → Investigate → Eradicate → Recover → Review/Improve

Quick Recap (1-minute revision)

• Information security protects data using CIA: confidentiality, integrity, availability.
• Threats: malware, phishing/social engineering, hacking, DoS/DDoS, data breach.
• Controls: preventive, detective, corrective; plus access control, encryption, backup and IR.
• Privacy = proper collection and use of personal data; ethics = responsible use of IT.
• Cyber laws define rules for online transactions and punish cyber crimes.