- 1. Chapter 13 Security and Ethical Challenges James A. O'Brien,
and George Marakas.Management Information Systems with MISource
2007, 8 thed. Boston, MA: McGraw-Hill, Inc., 2007. ISBN: 13
9780073323091
2. Learning Objectives
- Identify several ethical issues in how the use of information
technologies in business affects: employment, individuality,
working conditions, Privacy, crime, health, and solutions to
societal problems
- Identify several types of security management strategies and
defenses, and explain how they can be used to ensure the security
of business applications of information technology
- Propose several ways that business managers and professionals
can help to lessen the harmful effects and increase the beneficial
effects of the use of IT
Chapter 13 Security and Ethical Challenges 3. Case 1 Cyberscams
and Cybercriminals
- Cyberscams are todays fastest-growingcriminal niche
-
- 87 percent of companies surveyed reporteda security
incident
-
- The U.S. Federal Trade Commission saysidentity theft is its top
complaint
-
- eBay has 60 people combating fraud;Microsoft has 65
-
- Stolen credit card account numbers areregularly sold
online
Chapter 13 Security and Ethical Challenges 4. Case Study
Questions
- What are several reasons why cyberscams are todays
fastest-growing criminal niche?
-
- Explain why the reasons you give contribute to the growth of
cyberscams
- What are several security measures that could be implemented to
combat the spread of cyberscams?
-
- Explain why your suggestions would be effective in limiting the
spread of cyberscams
- Which one or two of the four top cybercriminals described in
this case poses the greatest threat to businesses? To
consumers?
-
- Explain the reasons for your choices, and how businesses and
consumers can protect themselves from these cyberscammers
Chapter 13 Security and Ethical Challenges 5. IT Security,
Ethics, and Society
- IT has both beneficialand detrimental effects on society and
people
-
- Manage work activities to minimize the detrimental effects of
IT
-
- Optimize the beneficial effects
Chapter 13 Security and Ethical Challenges 6. Business
Ethics
- Ethics questions that managers confront as part of their daily
business decision making include:
-
- Exercise of corporate power
Chapter 13 Security and Ethical Challenges 7. Categories of
Ethical Business Issues Chapter 13 Security and Ethical Challenges
8. Corporate Social Responsibility Theories
-
- Managers are agents of the stockholders
-
- Their only ethical responsibility is to increase the profits of
the business without violating the law or engaging in fraudulent
practices
-
- Companies have ethical responsibilities to all members of
society, who allow corporations to exist
-
- Managers have an ethical responsibility to manage a firm for
the benefit of all its stakeholders
-
- Stakeholders are all individuals and groups that have a stake
in, or claim on, a company
Chapter 13 Security and Ethical Challenges 9. Principles of
Technology Ethics
- Proportionality -The good achieved by the technology must
outweigh the harm or risk; there must be no alternative that
achieves the same or comparable benefits with less harm or
risk
- Informed Consent -Those affected by the technology should
understand and accept the risks
-
- The benefits and burdens of the technology should be
distributed fairly
-
- Those who benefit should bear their fair share of the risks,
and those who do not benefit should not suffer a significant
increase in risk
- Minimized Risk -Even if judged acceptable by the other three
guidelines, the technology must be implemented so as to avoid all
unnecessary risk
Chapter 13 Security and Ethical Challenges 10. AITP Standards of
Professional Conduct Chapter 13 Security and Ethical Challenges 11.
Responsible Professional Guidelines
- A responsible professional
-
- Increases personal competence
-
- Sets high standards of personal performance
-
- Accepts responsibility for his/her work
-
- Advances the health, privacy, and generalwelfare of the
public
Chapter 13 Security and Ethical Challenges 12. Computer
Crime
-
- Unauthorized use, access, modification, or destruction of
hardware, software, data, or network resources
-
- The unauthorized release of information
-
- The unauthorized copying of software
-
- Denying an end user access to his/her own hardware, software,
data, or network resources
-
- Using or conspiring to use computer or network resources
illegally to obtain information or tangible property
Chapter 13 Security and Ethical Challenges 13. Cybercrime
Protection MeasuresChapter 13 Security and Ethical Challenges 14.
Hacking
-
- The obsessive use of computers
-
- The unauthorized access and use of networked computer
systems
- Electronic Breaking and Entering
-
- Hacking into a computer system and reading files, but neither
stealing nor damaging anything
-
- A malicious or criminal hacker who maintains knowledge of the
vulnerabilities found forprivate advantage
Chapter 13 Security and Ethical Challenges 15. Common Hacking
Tactics
-
- Hammering a websites equipment with too many requests for
information
-
- Clogging the system, slowing performance, or crashing the
site
-
- Widespread probes of the Internet to determine types of
computers, services, and connections
-
- Programs that search individual packets of data as they pass
through the Internet
-
- Capturing passwords or entire contents
-
- Faking an e-mail address or Web page to trick users into
passing along critical information like passwords or credit card
numbers
Chapter 13 Security and Ethical Challenges 16. Common Hacking
Tactics
-
- A program that, unknown to the user, contains instructions that
exploit a known vulnerability in some software
-
- A hidden point of entry to be used in case the original entry
point is detected or blocked
-
- Tiny Java programs that misuse your computers resources, modify
files on the hard disk, send fake email, or steal passwords
-
- Programs that automatically dial thousands of telephone numbers
in search of a way in through a modem connection
-
- An instruction in a computer program that triggers a malicious
act
Chapter 13 Security and Ethical Challenges 17. Common Hacking
Tactics
-
- Crashing or gaining control of a computer by sending too much
data to buffer memory
-
- Software that can guess passwords
-
- Gaining access to computer systems by talking unsuspecting
company employees out of valuable information, such as
passwords
-
- Sifting through a companys garbage to find information to help
break into their computers
Chapter 13 Security and Ethical Challenges 18. Cyber Theft
- Many computer crimes involve the theft of money
- The majority are inside jobs that involve unauthorized network
entry and alternation of computer databases to cover the tracks of
the employees involved
- Many attacks occur through the Internet
- Most companies dont reveal that they have been targets or
victims of cybercrime
Chapter 13 Security and Ethical Challenges 19. Unauthorized Use
at Work
- Unauthorized use of computer systems and networks istime and
resource theft
-
- Unauthorized use of the Internet or company networks
-
- Used to monitor network traffic or capacity
-
- Find evidence of improper use
Chapter 13 Security and Ethical Challenges 20. Internet Abuses
in the Workplace
-
- Unauthorized usage and access
-
- Copyright infringement/plagiarism
-
- Transmission of confidential data
-
- Non-work-related download/upload
-
- Leisure use of the Internet
Chapter 13 Security and Ethical Challenges 21. Software
Piracy
-
- Unauthorized copying of computer programs
-
- Purchasing software is really a paymentfor a license for fair
use
-
- Site license allows a certain number of copies
A third of the software industrys revenues are lost to piracy
Chapter 13 Security and Ethical Challenges 22. Theft of
Intellectual Property
-
- Includes such things as music, videos, images, articles, books,
and software
- Copyright Infringement is Illegal
-
- Peer-to-peer networking techniques have made it easy to trade
pirated intellectual property
- Publishers Offer Inexpensive Online Music
-
- Illegal downloading of music and video isdown and continues to
drop
Chapter 13 Security and Ethical Challenges 23. Viruses and
Worms
- A virus is a program that cannot work without being inserted
into another program
- These programs copy annoying or destructive routines into
networked computers
-
- Copy routines spread the virus
- Commonly transmitted through
-
- The Internet and online services
-
- Email and file attachments
-
- Disks from contaminated computers
Chapter 13 Security and Ethical Challenges 24. Top Five Virus
Families of all Time
-
- Spread via email and over Kazaa file-sharing network
-
- Installs a back door on infected computers
-
- Infected email poses as returned message or one that cant be
opened correctly, urging recipient to click on attachment
-
- Opens up TCP ports that stay open even after termination of the
worm
-
- Upon execution, a copy of Notepad is opened, filled with
nonsense characters
-
- Mass-mailing worm that spreads by emailing itself to all email
addresses found on infected computers
-
- Tries to spread via peer-to-peer file sharing by copying itself
into the shared folder
-
- It renames itself to pose as one of 26 other common files along
the way
Chapter 13 Security and Ethical Challenges 25. Top Five Virus
Families of all Time
-
- Mass-mailing email worm that arrives as an attachment
-
-
- Examples: Movie_0074.mpg.pif, Document003.pif
-
- Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for
email addresses to which it can send itself
-
- Also attempts to download updates for itself
-
- A mass-mailing email worm that arrives with a randomly named
attachment
-
- Exploits a known vulnerability in MS Outlook to auto-execute on
unpatched clients
-
- Tries to disable virus scanners and then copy itself to all
local and networked drives with a random file name
-
- Deletes all files on the infected machine and any mapped
network drives on the 13th of all even-numbered months
Chapter 13 Security and Ethical Challenges 26. Top Five Virus
Families of all Time
-
- Exploits a Microsoft vulnerability to spread from computer to
computer with no user intervention
-
- Spawns multiple threads that scan local subnets for
vulnerabilities
Chapter 13 Security and Ethical Challenges 27. The Cost of
Viruses, Trojans, Worms
- Cost of the top five virus families
-
- Nearly 115 million computers in 200 countries were infected in
2004
-
- Up to 11 million computers are believed tobe permanently
infected
-
- In 2004, total economic damage from virus proliferation was
$166 to $202 billion
-
- Average damage per computer is between$277 and $366
Chapter 13 Security and Ethical Challenges 28. Adware and
Spyware
-
- Software that purports to serve a useful purpose, and often
does
-
- Allows advertisers to display pop-up and banner ads without the
consent of the computer users
-
- Adware that uses an Internet connection in the background,
without the users permissionor knowledge
-
- Captures information about the user and sends it over the
Internet
Chapter 13 Security and Ethical Challenges 29. Spyware
Problems
- Spyware can steal private information and also
-
- Add advertising links to Web pages
-
- Redirect affiliate payments
-
- Change a users home page and search settings
-
- Make a modem randomly call premium-rate phone numbers
-
- Leave security holes that let Trojans in
-
- Degrade system performance
- Removal programs are often not completely successful in
eliminating spyware
Chapter 13 Security and Ethical Challenges 30. Privacy
Issues
- The power of information technology to store and retrieve
information can have a negative effect on every individuals right
to privacy
-
- Personal information is collected with everyvisit to a Web
site
-
- Confidential information stored by creditbureaus, credit card
companies, and the government has been stolen or misused
Chapter 13 Security and Ethical Challenges 31. Opt-in Versus
Opt-out
-
- You explicitly consent to allow data to be compiled about
you
-
- This is the default in Europe
-
- Data can be compiled about you unless you specifically request
it not be
-
- This is the default in the U.S.
Chapter 13 Security and Ethical Challenges 32. Privacy
Issues
-
- Accessing individuals private email conversations and computer
records
-
- Collecting and sharing information about individuals gained
from their visits to Internet websites
-
- Always knowing where a person is
-
- Mobile and paging services are becoming more closely associated
with people than with places
-
- Using customer information gained from many sources to market
additional business services
- Unauthorized Access of Personal Files
-
- Collecting telephone numbers, email addresses, credit card
numbers, and other information to build customer profiles
Chapter 13 Security and Ethical Challenges 33. Protecting Your
Privacy on the Internet
- There are multiple ways to protect your privacy
-
- Send newsgroup postings through anonymous remailers
-
- Ask your ISP not to sell your name and information to mailing
list providers andother marketers
-
- Dont reveal personal data and interests ononline service and
website user profiles
Chapter 13 Security and Ethical Challenges 34. Privacy Laws
- Electronic Communications Privacy Actand Computer Fraud and
Abuse Act
-
- Prohibit intercepting data communications messages, stealing or
destroying data, or trespassing in federal-related computer
systems
- U.S. Computer Matching and Privacy Act
-
- Regulates the matching of data held in federal agency files to
verify eligibility for federal programs
- Other laws impacting privacy and howmuch a company spends on
compliance
-
- Health Insurance Portability and Accountability Act
(HIPAA)
-
- California Security Breach Law
-
- Securities and Exchange Commission rule 17a-4
Chapter 13 Security and Ethical Challenges 35. Computer Libel
and Censorship
- The opposite side of the privacy debate
-
- Freedom of information, speech, and press
- Biggest battlegrounds - bulletin boards, email boxes, and
online files of Internet and public networks
- Weapons used in this battle spamming, flame mail, libel laws,
and censorship
- Spamming - Indiscriminate sending of unsolicited email messages
to many Internet users
-
- Sending extremely critical, derogatory, and often vulgar email
messages or newsgroup posting to other users on the Internet or
online services
-
- Especially prevalent on special-interest newsgroups
Chapter 13 Security and Ethical Challenges 36. Cyberlaw
- Laws intended to regulate activities over the Internet or via
electronic communication devices
-
- Encompasses a wide variety of legal and political issues
-
- Includes intellectual property, privacy, freedom of expression,
and jurisdiction
- The intersection of technology and the law is
controversial
-
- Some feel the Internet should not be regulated
-
- Encryption and cryptography make traditional form of regulation
difficult
-
- The Internet treats censorship as damage and simply routes
around it
- Cyberlaw only began to emerge in 1996
-
- Debate continues regarding the applicability of legal
principles derived from issues that had nothing to do with
cyberspace
Chapter 13 Security and Ethical Challenges 37. Other
Challenges
-
- IT creates new jobs and increases productivity
-
- It can also cause significant reductions in job opportunities,
as well as requiring new job skills
-
- Using computers to monitor the productivity and behavior of
employees as they work
-
- Criticized as unethical because it monitors individuals, not
just work, and is done constantly
-
- Criticized as invasion of privacy because many employees do not
know they are being monitored
-
- IT has eliminated monotonous or obnoxious tasks
-
- However, some skilled craftsperson jobs have been replaced by
jobs requiring routine, repetitive tasks or standby roles
-
- Dehumanizes and depersonalizes activities because computers
eliminate human relationships
Chapter 13 Security and Ethical Challenges 38. Health Issues
- Cumulative Trauma Disorders (CTDs)
-
- Disorders suffered by people who sit at aPC or terminal and do
fast-paced repetitive keystroke jobs
-
- Painful, crippling ailment of the handand wrist
-
- Typically requires surgery to cure
Chapter 13 Security and Ethical Challenges 39. Ergonomics
- Designing healthy work environments
-
- Safe, comfortable, and pleasant for people to work in
-
- Increases employee morale and productivity
-
- Also calledhuman factors engineering
Chapter 13 Security and Ethical Challenges Ergonomics Factors
40. Societal Solutions
- Using information technologies to solve human and social
problems
-
- Computer-assisted instruction
-
- Governmental program planning
-
- Environmental quality control
- The detrimental effects of IT
-
- Often caused by individuals or organizations not accepting
ethical responsibility for their actions
Chapter 13 Security and Ethical Challenges 41. Security
Management of IT
- The Internet was developed for inter-operability, not
impenetrability
-
- Business managers and professionals alikeare responsible for
the security, quality, and performance of business information
systems
-
- Hardware, software, networks, and dataresources must be
protected by a varietyof security measures
Chapter 13 Security and Ethical Challenges 42. Case 2 Data
Security Failures
- Security Breach Headlines
-
- Identity thieves stole information on 145,000 people from
ChoicePoint
-
- Bank of America lost backup tapes that helddata on over 1
million credit card holders
-
- DSW had its stores credit card data breached; over 1 million
had been accessed
- Corporate America is finally owning up to a long-held
secret
-
- It cant safeguard its most valuable data
Chapter 13 Security and Ethical Challenges 43. Case Study
Questions
- Why have there been so many recent incidents of data security
breaches and loss of customer data by reputable companies?
- What security safeguards must companies have to deter
electronic break-ins into their computer networks, business
applications, and data resources like the incident at Lowes?
- What security safeguards would have deterred the loss of
customer data at
Chapter 13 Security and Ethical Challenges 44. Security
Management
- The goal of security management is theaccuracy, integrity,and
safety of all information systemprocesses and resources
Chapter 13 Security and Ethical Challenges 45. Internetworked
Security Defenses
-
- Data is transmitted in scrambled form
-
- It is unscrambled by computer systems for authorized users
only
-
- The most widely used method uses a pair of public and private
keys unique to each individual
Chapter 13 Security and Ethical Challenges 46. Public/Private
Key Encryption Chapter 13 Security and Ethical Challenges 47.
Internetworked Security Defenses
-
- A gatekeeper system that protects a companys intranets and
other computer networks fromintrusion
-
- Provides a filter and safe transfer point foraccess to/from the
Internet and other networks
-
- Important for individuals who connect to the Internet with DSL
or cable modems
-
- Can deter hacking, but cannot prevent it
Chapter 13 Security and Ethical Challenges 48. Internet and
Intranet Firewalls Chapter 13 Security and Ethical Challenges 49.
Denial of Service Attacks
- Denial of service attacks depend on threelayers of networked
computer systems
-
- The victims Internet service provider
-
- Zombie or slave computers that have been commandeered by the
cybercriminals
Chapter 13 Security and Ethical Challenges 50. Defending Against
Denial of Service
-
- Set and enforce security policies
-
- Monitor and block traffic spikes
-
- Create backup servers and network connections
Chapter 13 Security and Ethical Challenges 51. Internetworked
Security Defenses
-
- Use of content monitoring software that scansfor troublesome
words that might compromise corporate security
-
- Centralize the updating and distribution of antivirus
software
-
- Use a security suite that integrates virus protection with
firewalls, Web security,and content blocking features
Chapter 13 Security and Ethical Challenges 52. Other Security
Measures
-
- Multilevel password system
-
- Smart cards with microprocessors
-
- Duplicate files of data or programs
-
- Monitor the use of computers and networks
-
- Protects them from unauthorized use, fraud, and
destruction
-
- Computer devices measure physical traits that make each
individual unique
-
-
- Voice recognition, fingerprints, retina scan
- Computer Failure Controls
-
- Prevents computer failures or minimizes its effects
-
- Arrange backups with a disaster recovery organization
Chapter 13 Security and Ethical Challenges 53. Other Security
Measures
- In the event of a system failure,fault-tolerant systemshave
redundant processors, peripherals, and software that provide
-
- Fail-over capability : shifts to back up components
-
- Fail-save capability : the system continues to operate at the
same level
-
- Fail-soft capability : the system continues to operate at a
reduced but acceptable level
- Adisaster recovery plancontains formalized procedures to follow
in the event of a disaster
-
- Which employees will participate
-
- What their duties will be
-
- What hardware, software, and facilities will be used
-
- Priority of applications that will be processed
-
- Use of alternative facilities
-
- Offsite storage of databases
Chapter 13 Security and Ethical Challenges 54. Information
System Controls
- Methods and devices that attempt to ensure the accuracy,
validity, and propriety of information system activities
Chapter 13 Security and Ethical Challenges 55. Auditing IT
Security
-
- Performed by internal or external auditors
-
- Review and evaluation of security measuresand management
policies
-
- Goal is to ensure that that proper and adequate measures and
policies are in place
Chapter 13 Security and Ethical Challenges 56. Protecting
Yourself from Cybercrime Chapter 13 Security and Ethical Challenges
57. Case 3 Managing Information Security
- OCTAVE Security Process Methodology
-
-
- Self-direction by people in the organization
-
-
- Adaptable measures that can change with technology
-
-
- A defined process and standard evaluation procedures
-
-
- A foundation for a continual process that improves security
over time
-
-
- A focus on a critical few security issues
-
-
- Integrated management of security policies and strategies
Chapter 13 Security and Ethical Challenges 58. Case 3 Managing
Information Security
-
- Organizational and Cultural
-
-
- Open communication of risk information and activities build
around collaboration
-
-
- A global perspective on risk in the context of the
organizations mission and business objectives
Chapter 13 Security and Ethical Challenges 59. Case Study
Questions
- What are security managers doing to improve information
security?
- How does the OCTAVE methodology workto improve security in
organizations?
- What does Lloyd Hession mean when he says information security
is not addressed simply by the firewalls and antivirus tools that
are already in place?
Chapter 13 Security and Ethical Challenges 60. Case 4
Maintaining Software Security
- Security professionals have 7 to 21 days before hackers tools
used to exploit the most recent vulnerabilities become available on
the Internet
-
- Microsofts monthly patch-release date isknown as Patch
Tuesday
-
- Security software companies go to work immediately to update
their products
-
- Update must be thoroughly tested beforebeing deployed
Chapter 13 Security and Ethical Challenges 61. Case Study
Questions
- What types of security problems are typically addressed by a
patch-management strategy?
-
- Why do such problems arise in the first place?
- What challenges does the process of applying software patches
and updates pose for many businesses?
-
- What are the limitations of the patching process?
- Does the business value of a comprehensive patch-management
strategy outweigh its costs, its limitations, and the demands it
placed on the IT function?
Chapter 13 Security and Ethical Challenges