23.2 Damage

The damage that programmed threats do ranges from the merely annoying to the catastrophic?for example, the complete destruction of all data on a system by a low-level disk format, or the intentional corruption of account files by the introduction of untracable fictitious records. Many threats may seek specific targets?their authors may wish to damage a particular user's files, destroy a particular application, or completely initialize a certain database to hide evidence of some other activity.

Disclosure of information is another type of damage that may result from programmed threats. Rather than simply altering information on disk or in memory, a threat can make some information readable, send it out as mail, post it on a bulletin board, or print it on a printer. This information could include sensitive material, such as system passwords or employee data records, or something as damaging as trade secret software. Programmed threats may also allow unauthorized access to the system, and may result in unauthorized accounts being installed, passwords being changed, or normal controls being circumvented. The type of damage done varies with the motives of the people who write the malicious code. In recent years, significant numbers of confidential documents have been revealed by computer viruses that randomly chose a Microsoft Word file on the victim's hard drive and then sent this file (infected with a copy of the virus) to an email address randomly chosen from an address book on the infected machine.

Malicious code can cause indirect damage, too. If your firm ships software that inadvertently contains a virus or logic bomb, there are several forms of potential damage to consider. Certainly, your corporate reputation will suffer. Your company could also be held accountable for customer losses as well; licenses and warranty disclaimers used with software might not protect against damage suits in such a situation.

You cannot know with certainty that any losses (of either kind?direct or indirect) will be covered by business insurance. If your company does not have a well-defined security policy and your employees fail to exercise precautions in the preparation and distribution of software, your insurance may not cover subsequent losses. Ask your insurance company about any restrictions on its coverage of such incidents.

    Part VI: Appendixes