Page 407 - Using MIS
the grades by student name or identifier, so instead I post the grades for each group. If you want to get the grades for each student, all you have to do is combine the list from Lecture 5 with the list from Lecture 10. You might say that the release of grades in this example does no real harm—after all, it is a list of grades from one assignment.

But go back to Megan Cho in HR. Suppose Megan evaluates the employee compensation program. The COO believes salary offers have been inconsistent over time and that they vary too widely by department. Accordingly, the COO authorizes Megan to receive a report that lists SalaryOfferAmount and OfferDate and a second report that lists Department and AverageSalary.

Those reports are relevant to her task and seem innocuous enough. But Megan realizes that she could use the information they contain to determine individual salaries—information she does not have and is not authorized to receive. She proceeds as follows.

Like all employees, Megan has access to the employee directory on the Web portal. Using the directory, she can obtain a list of employees in each department, and using the facilities of her ever-so-helpful report-authoring system she combines that list with the department and average-salary report. Now she has a list of the names of employees in a group and the average salary for that group.

Megan’s employer likes to welcome new employees to the company. Accordingly, each week the company publishes an article about new employees who have been hired. The article makes pleasant comments about each person and encourages employees to meet and greet them.

Megan, however, has other ideas. Because the report is published on SharePoint, she can obtain an electronic copy of it. It’s an Acrobat report, and using Acrobat’s handy Search feature, she soon has a list of employees and the week they were hired.

She now examines the report she received for her study, the one that has SalaryOfferAmount and the offer date, and she does some interpretation. During the week of July 21, three offers were extended: one for $35,000, one for $53,000, and one for $110,000. She also notices from the “New Employees” report that a director of marketing programs, a product test engineer, and a receptionist were hired that same week. It’s unlikely that they paid the receptionist $110,000; that sounds more like the director of marketing programs. So, she now “knows” (infers) that person’s salary.

Next, going back to the department report and using the employee directory, she sees that the marketing director is in the marketing programs department. There are just three people in that department, and their average salary is $105,000. Doing the arithmetic, she now knows that the average salary for the other two people is $102,500. If she can find the hire week for one of those other two people, she can find out both the second and third person’s salaries.

You get the idea. Megan was given just two reports to do her job. Yet she combined the information in those reports with publicly available information and was able to deduce salaries, for at least some employees. These salaries are much more than she is supposed to know. This is a semantic security problem.
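
The inference chain in this passage can be checked from the report owner's side before a report is released. The Python below is an added example, not part of the original text: the sample rows are constructed from the figures in the passage, and the employee placeholders, function names, and the minimum group size of 5 are assumptions.

```python
from collections import defaultdict

# Constructed sample data mirroring the passage; employee names are placeholders.
OFFERS = [("Jul 21", 35000), ("Jul 21", 53000), ("Jul 21", 110000)]  # authorized report 1
DEPT_AVG = {"Marketing Programs": 105000}                            # authorized report 2
NEW_HIRES = [                                                        # weekly "New Employees" article
    ("Jul 21", "Employee A", "Director of Marketing Programs"),
    ("Jul 21", "Employee B", "Product Test Engineer"),
    ("Jul 21", "Employee C", "Receptionist"),
]
DIRECTORY = {"Marketing Programs": ["Employee A", "Employee D", "Employee E"]}

MIN_GROUP = 5  # assumed policy threshold, not a value from the text


def audit_offer_report(offers, new_hires, min_group=MIN_GROUP):
    """Flag weeks where a small set of offers lines up with publicly named hires."""
    offers_by_week, hires_by_week = defaultdict(list), defaultdict(list)
    for week, amount in offers:
        offers_by_week[week].append(amount)
    for week, name, _title in new_hires:
        hires_by_week[week].append(name)
    findings = []
    for week, amounts in sorted(offers_by_week.items()):
        names = hires_by_week.get(week, [])
        if names and len(amounts) < min_group:
            findings.append({"week": week, "offers": len(amounts),
                             "named_hires": len(names),
                             "spread": max(amounts) - min(amounts)})
    return findings


def audit_department_report(dept_avg, directory, min_group=MIN_GROUP):
    """Flag departments whose average covers fewer than min_group listed people."""
    return sorted(d for d in dept_avg if len(directory.get(d, [])) < min_group)


def residual_average(dept_avg, headcount, known_salaries):
    """Average left for the remaining members once some salaries are known."""
    remaining = headcount - len(known_salaries)
    if remaining <= 0:
        raise ValueError("no unknown salaries remain in this group")
    return (dept_avg * headcount - sum(known_salaries)) / remaining


if __name__ == "__main__":
    print(audit_offer_report(OFFERS, NEW_HIRES))
    print(audit_department_report(DEPT_AVG, DIRECTORY))
    print(residual_average(105000, 3, [110000]))
```

A flagged week or department is one where the report, joined with the directory or the new-hire article, narrows a figure to a handful of named people, which is the condition Megan relies on.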
Discussion Questions

1. In your own words, explain the difference between access security and semantic security.
2. Why do reporting systems increase the risk of semantic security problems?
3. What can an organization do to protect itself against accidental losses due to semantic security problems?
4. What legal responsibility does an organization have to protect against semantic security problems?
5. Suppose semantic security problems are inevitable. Do you see an opportunity for new products from insurance companies? If so, describe such an insurance product. If not, explain why.