information system security ethics
TRANSCRIPT
Principles of Information Systems, Eighth Edition
IS in Society, Business and Industry
Security Issues, Privacy, and Ethics in IS
Principles and Learning Objectives
• Policies and procedures must be established to avoid computer waste and mistakes
– Describe some examples of waste and mistakes in an IS environment, their causes, and possible solutions
– Identify policies and procedures useful in eliminating waste and mistakes
– Discuss the principles and limits of an individual’s right to privacy
Principles and Learning Objectives (continued)
• Computer crime is a serious and rapidly growing area of concern requiring management attention
– Explain the types and effects of computer crime
– Identify specific measures to prevent computer crime
• Ethical and social issues related to IS
Principles and Learning Objectives (continued)
• Jobs, equipment, and working conditions must be designed to avoid negative health effects
– List the important effects of computers on the work environment
– Identify specific actions that must be taken to ensure the health and safety of employees
– Outline criteria for the ethical use of information systems
Why Learn About Security, Privacy, and Ethical Issues in Information Systems and the Internet?
• Many nontechnical issues are associated with ISs
• Human Resource employees need to:
– Prevent computer waste and mistakes
– Avoid privacy violations
– Comply with laws about:
• Collecting customer data
• Monitoring employees
• Employees, IS users, and Internet users need to:
– Avoid crime, fraud, and privacy invasion
Computer Waste and Mistakes
• Computer waste: inappropriate use of computer technology and resources
• Computer-related mistakes: errors, failures, and other computer problems that make computer output incorrect or not useful
– Caused mostly by human error
Computer Waste
• Cause: improper management of information systems and resources
– Discarding old software and computer systems while they still have value
– Building and maintaining complex systems that are never used to their fullest extent
– Using corporate time and technology for personal use
– Spam, which wastes bandwidth and staff time and may carry viruses; image-based spam (the message text rendered as a picture) slips past text-matching spam filters and can deliver offensive or disturbing images
Computer-Related Mistakes
• Common causes
– Failure by users to follow proper procedures
– Unclear expectations and a lack of feedback
– Program development that contains errors
– Incorrect data entry by a data-entry clerk
Preventing Computer-Related Waste and Mistakes
• Requires that policies and procedures be:
– Established
– Implemented
– Monitored
– Reviewed
Establishing Policies and Procedures
• Establish policies and procedures regarding efficient acquisition, use, and disposal of systems and devices
• Identify the most common types of computer-related mistakes
• Training programs for individuals and workgroups
• Manuals and documents on how computer systems are to be maintained and used
• Approval of certain systems and applications before they are implemented and used
Implementing Policies and Procedures
• Policies often focus on:
– Implementation of source data automation (capturing data where it originates instead of rekeying it)
– Use of data editing (validation checks at the point of entry) to ensure data accuracy and completeness
– Assignment of clear responsibility for data accuracy within each information system
• Training is very important for acceptance and implementation of policies and procedures
Monitoring Policies and Procedures
• Monitor routine practices and take corrective action if necessary
• Implement internal audits to measure actual results against established goals
• Follow requirements in the Sarbanes-Oxley Act
– Requires companies to document the underlying financial data used to validate earnings reports
Reviewing Policies and Procedures
• Do current policies cover existing practices adequately?
– Were any problems or opportunities uncovered during monitoring?
• Does the organization plan any new activities in the future?
– If so, does it need new policies or procedures on who will handle them and what must be done?
• Are contingencies and disasters covered?
Computer Crime
• Often defies detection
• Amount stolen or diverted can be substantial
• Crime is “clean” and nonviolent
• Number of IT-related security incidents is increasing dramatically
• Computer crime is now global
The Computer as a Tool to Commit Crime
• Criminals need two capabilities to commit most computer crimes
– Knowing how to gain access to a computer system
– Knowing how to manipulate the system to produce the desired results
• Examples
– Dumpster diving: going through an organization’s trash to find confidential information, including information that grants access to its IS
– Counterfeiting and banking fraud using sophisticated desktop publishing programs and high-quality printers
Cyberterrorism
• Cyberterrorist: intimidates a government or organization to advance his or her political or social objectives by launching computer-based attacks against computers, networks, and the information stored on them
• Homeland Security Department’s Information Analysis and Infrastructure Protection Directorate
– Serves as the governmental focal point for fighting cyberterrorism
Identity Theft
• Imposter obtains personal identification information such as Social Security or driver’s license numbers in order to impersonate someone else
– To obtain credit, merchandise, and services in the name of the victim
– To obtain false credentials
• Identity Theft and Assumption Deterrence Act of 1998 passed to fight identity theft
• 9 million victims in 2005
The Computer as the Object of Crime
• Crimes fall into several categories
– Illegal access and use
– Data alteration and destruction
– Information and equipment theft
– Software and Internet piracy
– Computer-related scams
– International computer crime
Illegal Access and Use
• Hacker: a person who enjoys computer technology and spends time learning about and using computer systems
• Criminal hacker (also called a cracker): gains unauthorized use of or illegal access to computer systems
• Script bunny (script kiddie): a would-be cracker with little technical skill who runs scripts written by others that automate the job of breaking into systems
• Insider: an employee who compromises corporate systems
• Malware: software written to damage, destroy, or disrupt processing
Illegal Access and Use (continued)
• Virus: program code that attaches itself to other files (or to a disk) and replicates itself repeatedly, spreading when the infected file is run or the disk is used
• Worm: a self-contained parasitic program that creates copies of itself on the infected computer or sends copies to other computers via a network, without needing a host file
Illegal Access and Use (continued)
• Trojan horse: a program that appears to be useful but purposely does something the user does not expect, often destructive
• Logic bomb: a type of Trojan horse that executes only when specific conditions occur (a date, a transaction count, a user being removed from payroll)
• Variant: a modified version of a virus, produced by the virus’s author or by another person, often to evade detection of the original
Using Antivirus Programs
• Defending against viruses and worms
• Antivirus program: a program or utility that prevents viruses and recovers from them if they infect a computer
• Tips on using antivirus software
– Run and update antivirus software often
– Scan all diskettes and CDs before using them
– Install software only from a sealed package or a secure, well-known Web site
– Follow careful downloading practices
– If you detect a virus, take immediate action
Using Antivirus Programs (continued)
Antivirus software should be used and updated often
Information and Equipment Theft
• Obtaining identification numbers and passwords to steal information or disrupt systems:
– Trial and error (guessing)
– Password sniffer: a small program hidden on a network or computer system that records identification numbers and passwords as they pass by
• Software theft
• Computer systems and equipment theft
– The data on stolen equipment is often worth more than the hardware itself
Software and Internet Piracy
• Software is protected by copyright laws
• Copyright law violations
– Making additional copies
– Loading the software onto more machines than the license allows
• Software piracy: the act of illegally duplicating software
• Internet-based software piracy
– The most rapidly expanding type of software piracy and the most difficult form to combat
– Examples: pirate Web sites, auction sites selling counterfeit software, peer-to-peer networks
Computer-Related Scams
• Examples of Internet scams
– Get-rich-quick schemes
– “Free” vacations with huge hidden costs
– Bank fraud
– Fake telephone lotteries
• Phishing
– Gaining access to personal information by luring the user, typically with a forged e-mail, to a fake site that imitates a legitimate one and captures whatever the user types
International Computer Crime
• Computer crime becomes more complex when it is committed internationally
• A large percentage of software piracy takes place across borders
• Threat of terrorists, international drug dealers, and other criminals using information systems to launder illegally obtained funds
• Computer Associates International’s CleverPath for Global Compliance: software marketed to detect money laundering and fraud in the finance, banking, and insurance industries
Preventing Computer-Related Crime
• Efforts to curb computer crime are being made by:
– Private users
– Companies, e.g. through public key infrastructure (PKI) and biometrics
– Employees
– Public officials
Crime Prevention by State and Federal Agencies
• Computer Fraud and Abuse Act of 1986
– Punishment based on the victim’s dollar loss
• Computer Emergency Response Team (CERT)
– Responds to network security breaches
– Monitors systems for emerging threats
• Newer and tougher computer crime legislation is emerging
Crime Prevention by Corporations
• Public key infrastructure (PKI)
– Allows users of an unsecured public network such as the Internet to exchange data securely and privately
– Each user holds a public and a private cryptographic key pair; a trusted authority (a certificate authority) certifies which public key belongs to whom, and the private key is never shared with anyone
• Biometrics: measurement of one of a person’s traits, whether physical (fingerprint, iris) or behavioral (typing rhythm, signature), used to identify or authenticate that person
Crime Prevention by Corporations (continued)
Table 14.3: Common Methods Used to Commit Computer Crimes
Table 14.3: Common Methods Used to Commit Computer Crimes (continued)
Using Intrusion Detection Software
• Intrusion detection system (IDS)
– Monitors system and network resources
– Notifies network security personnel when it senses a possible intrusion, such as:
• Repeated failed logon attempts
• Attempts to download a program to a server
• Access to a system at unusual hours
– Can produce false alarms
– E-mail or voice message alerts may be missed
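The two rules named above (repeated failed logons, access at unusual hours) can be written down as detection logic. The following is an added example, not code from the textbook or from any IDS product: it runs over a few constructed authentication log lines in an assumed format (`<date> <time> <OK|FAIL> user=<name> src=<ip>`), counts failures per source inside a sliding window, and flags successful logons outside assumed working hours. The threshold, window and working hours are assumptions to be tuned per site.

```python
"""Toy intrusion-detection pass over authentication log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system):
# "<date> <time> <RESULT> user=<name> src=<ip>", deliberately not in time order.
SAMPLE_LOG = """\
2024-03-04 09:12:01 FAIL user=alice src=10.0.0.7
2024-03-04 09:12:05 FAIL user=alice src=10.0.0.7
2024-03-04 09:12:09 FAIL user=alice src=10.0.0.7
2024-03-04 09:12:14 FAIL user=alice src=10.0.0.7
2024-03-04 09:12:20 FAIL user=alice src=10.0.0.7
2024-03-04 09:13:00 OK user=alice src=10.0.0.7
2024-03-04 10:30:00 OK user=bob src=10.0.0.9
2024-03-04 03:15:42 OK user=carol src=198.51.100.23
2024-03-04 11:00:00 FAIL user=dave src=10.0.0.11
2024-03-04 16:40:00 FAIL user=dave src=10.0.0.11
"""

FAIL_THRESHOLD = 5             # this many failures from one source inside WINDOW -> alert (assumed)
WINDOW = timedelta(minutes=5)  # sliding window for counting failures (assumed)
WORK_HOURS = range(8, 18)      # 08:00-17:59 is "normal"; anything else is unusual (assumed, tune per site)


def parse_line(line):
    """Parse one log line into a dict with a datetime, result, user and source IP."""
    date, time, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW, work_hours=WORK_HOURS):
    """Return a time-ordered list of (rule, detail) alerts for two of the slide's IDS rules."""
    events = sorted(
        (parse_line(line) for line in log_text.splitlines() if line.strip()),
        key=lambda e: e["ts"],
    )
    alerts = []
    recent_failures = defaultdict(list)  # src ip -> timestamps of failures still inside the window
    already_flagged = set()              # one alert per source, not one per extra failure

    for ev in events:
        if ev["result"] == "FAIL":
            hist = recent_failures[ev["src"]]
            hist.append(ev["ts"])
            hist[:] = [t for t in hist if ev["ts"] - t <= window]  # expire failures older than the window
            if len(hist) >= threshold and ev["src"] not in already_flagged:
                already_flagged.add(ev["src"])
                alerts.append(("repeated_failed_logon",
                               f"{len(hist)} failed logons from {ev['src']} within {window}"))
        elif ev["result"] == "OK" and ev["ts"].hour not in work_hours:
            alerts.append(("unusual_hours_access",
                           f"{ev['user']} logged on from {ev['src']} at {ev['ts']:%H:%M}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"ALERT {rule}: {detail}")
```

On the sample, alice’s five failures in nineteen seconds raise one alert, dave’s two failures hours apart raise none because the window has expired, and carol’s 03:15 logon is flagged as unusual. Carol may simply be on the night shift: that is exactly the false alarm the slide warns about, and the only remedy is tuning `work_hours` (or per-user baselines) and having a human follow up on alerts rather than ignoring them.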
Using Managed Security Service Providers (MSSPs)
• Managed security service provider (MSSP): an organization that monitors, manages, and maintains network security, both hardware and software, for its client companies
– Sifts through alarms and alerts from all monitoring systems
– May provide scanning, blocking, and filtering capabilities
– Useful for small and midsized companies
Internet Laws for Libel and Protection of Decency
• Filtering software
– Screens Internet content to protect children
– Prevents children from sending personal information over e-mail or through chat groups
• Internet Content Rating Association (ICRA) rating system for Web sites
• Children’s Internet Protection Act (CIPA)
– Requires filters in federally funded libraries
Internet Laws for Libel and Protection of Decency (continued)
• Libel: publishing an intentionally false written statement that is damaging to a person’s reputation
• Can online services be sued for libel for content that someone else publishes on their service?
Preventing Crime on the Internet
• Develop effective Internet usage and security policies
• Use a stand-alone firewall with network monitoring capabilities
• Deploy intrusion detection systems, monitor them, and follow up on their alarms
• Monitor managers’ and employees’ use of the Internet
• Use Internet security specialists to perform audits of all Internet and network activities
• Report incidents to the authority: Cyber Security Malaysia
Ethical and social issues related to IS
• Ethics: principles of right and wrong that individuals use to make choices and guide their behavior
• IS raise new ethical issues for both individuals and societies; they create both opportunities and threats
• Examples: privacy, protection of intellectual property
Technology Trends that Raise Ethical Issues
Trend: Computing power doubles every 18 months
Impact: More organizations depend on computer systems for critical operations, exposing them to the consequences of system errors

Trend: Data storage costs are rapidly declining
Impact: Organizations can easily maintain detailed databases on individuals, which can violate individual privacy

Trend: Data analysis advances
Impact: Companies can analyze vast quantities of gathered data to develop detailed profiles of individual behavior

Trend: Network advances and the Internet
Impact: Copying data from one location to another and accessing personal data from remote locations are much easier
Information Rights: Privacy and Freedom in the Internet Age
• Privacy: the right to be left alone
• Internet challenges to privacy:
– Firms monitor the Internet usage of their employees to see how they are using company resources
– Web sites monitor and track visitors’ activities and behaviors, and learn the visitors’ identities
– E.g. cookies, Web bugs
How Cookies Identify Web Visitors
• Cookies: tiny text files, holding an identifier the site generates, that a Web site deposits on a visitor’s hard drive; combined with what each request already reveals (operating system, browser, Internet address, etc.), they let the site recognize the visitor
• When a user visits the site, the site writes a cookie to the visitor’s hard drive
• When the visitor returns, the browser sends the cookie back and the site reads its contents
• The site can then use these data to display personalized information
• A cookie cannot by itself reveal a visitor’s name and address; the site learns them only if the visitor registers, e.g. at Amazon.com
• Data from cookies + data from Web site monitoring tools = very detailed profiles of visitors
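The mechanism above, reduced to code as an added example (not from the textbook and not any real site’s implementation): an assumed server assigns each new browser an opaque random ID in a cookie named `visitor_id`, keeps the profile (pages visited, IP addresses, browsers seen) on its own side, and learns a name only when the visitor registers. The `Request` class and `browser_session` helper are constructed stand-ins for HTTP traffic so the example runs offline.

```python
"""Simulation of cookie-based visitor identification (added example)."""
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "visitor_id"


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: what the server sees on each visit."""
    path: str
    ip: str
    user_agent: str
    cookies: dict = field(default_factory=dict)  # whatever the browser sends back from its jar


class TrackingSite:
    """Server side: the cookie carries only an opaque ID; everything else stays here."""

    def __init__(self):
        self.profiles = {}    # visitor_id -> {"visits": [...], "ips": set(), "user_agents": set()}
        self.registered = {}  # visitor_id -> name, filled only if the visitor registers

    def handle(self, req):
        """Record the visit; return (Set-Cookie header or None, visitor_id)."""
        vid = req.cookies.get(COOKIE_NAME)
        set_cookie = None
        if vid is None or vid not in self.profiles:
            vid = secrets.token_hex(16)  # random, unguessable ID: no personal data inside it
            # HttpOnly/Secure/SameSite are hygiene flags a real site should set (our assumption, not from the slide)
            set_cookie = f"{COOKIE_NAME}={vid}; Path=/; HttpOnly; Secure; SameSite=Lax"
            self.profiles[vid] = {"visits": [], "ips": set(), "user_agents": set()}
        prof = self.profiles[vid]
        prof["visits"].append(req.path)          # the "monitoring tool" side: pages, IPs, browsers
        prof["ips"].add(req.ip)
        prof["user_agents"].add(req.user_agent)
        return set_cookie, vid

    def register(self, vid, name):
        """Only a voluntary registration ties the opaque ID to a name."""
        self.registered[vid] = name

    def profile(self, vid):
        """What the site knows about one visitor: cookie ID joined with server-side records."""
        p = self.profiles[vid]
        return {
            "name": self.registered.get(vid),  # None until the visitor registers
            "visits": list(p["visits"]),
            "ips": sorted(p["ips"]),
            "user_agents": sorted(p["user_agents"]),
        }


def browser_session(site, ip="203.0.113.5", user_agent="ExampleBrowser/1.0"):
    """Return a visit(path) function simulating one browser that stores and returns cookies."""
    jar = {}

    def visit(path):
        set_cookie, vid = site.handle(Request(path, ip, user_agent, dict(jar)))
        if set_cookie:                                   # browser stores the cookie...
            name, value = set_cookie.split(";", 1)[0].split("=", 1)
            jar[name] = value                            # ...and sends it on every later request
        return vid

    return visit


if __name__ == "__main__":
    site = TrackingSite()
    visit = browser_session(site)
    vid = visit("/")
    visit("/catalog")
    print(site.profile(vid))          # "name" is None: the cookie alone does not reveal it
    site.register(vid, "Jane Doe")
    print(site.profile(vid)["name"])  # now the whole browsing history is tied to a person
```

The point the slide makes falls out of the data structures: the cookie itself holds nothing but the ID, yet once the visitor registers, every page in `profiles[vid]["visits"]` is retroactively attributed to a named person. Clearing the cookie jar (a new `browser_session`) yields a fresh ID and an empty profile, which is why deleting cookies is one of the individual privacy measures listed later.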
Individual Efforts to Protect Privacy
• Find out what is stored about you in existing databases
• Be careful when you share information about yourself
• Be proactive in protecting your privacy
• When purchasing anything from a Web site, make sure that you safeguard your credit card numbers, passwords, and personal information
Corporate Privacy Policies
• Should address a customer’s knowledge, control, notice, and consent regarding the storage and use of information (fairness in information use)
• May cover who has access to private data and when it may be used
• A good database design practice is to assign a single unique identifier to each customer, so that everything held about that customer can be found, corrected, or deleted in one place
Fairness in Information Use
Table 14.4: The Right to Know and the Ability to Decide
Ethical Issues in Information Systems
• Laws do not provide a complete guide to ethical behavior
• Many IS-related organizations have codes of ethics for their members
• Association for Computing Machinery (ACM): the oldest computing society, founded in 1947
• ACM’s code of ethics and professional conduct
– Contribute to society and human well-being
– Avoid harm to others
– Be honest and trustworthy
Ethical Issues in Information Systems (continued)
• ACM’s code of ethics and professional conduct (continued)
– Be fair and take action not to discriminate
– Honor property rights, including copyrights and patents
– Give proper credit for intellectual property
– Respect the privacy of others
– Honor confidentiality
You have access to the sales and customer information in a flower shop. You discover that the boyfriend of a woman you know is sending roses to three other women on a regular basis. The woman you know is on the flower list, but she believes that she is the only woman in his romantic life. You really think you should tell the woman. Your dilemma is that you have a professional responsibility to keep the company’s information private. However, you also believe that you have a responsibility to the woman. Do you tell her? Are there factors that would change your decision? How about if:
• The woman is your sister
• The man is your brother
What would you do?
Health Concerns
• Occupational stress
• Repetitive stress injury (RSI)
• Carpal tunnel syndrome (CTS)
• Emissions from improperly maintained and used equipment
• Increase in traffic accidents due to drivers using cell phones, laptops, or other devices while driving
Avoiding Health and Environment Problems
• Work stressors: hazardous activities associated with the unfavorable conditions of a poorly designed work environment
• Ergonomics: the science of designing machines, products, and systems to maximize the safety, comfort, and efficiency of the people who use them
• Employers, individuals, and hardware manufacturers can take steps to reduce RSI and develop a better work environment
Avoiding Health and Environment Problems (continued)
Research has shown that developing certain ergonomically correct habits can reduce the risk of RSI when using a computer
Summary
• Computer waste: inappropriate use of computer technology and resources
• Computer-related mistakes: errors, failures, and other computer problems that make computer output incorrect or not useful; caused mostly by human error
• Preventing computer-related waste and mistakes requires establishing, implementing, monitoring, and reviewing effective policies and procedures
Summary (continued)
• Criminals need two capabilities to commit most computer crimes: knowing how to gain access to a computer system and knowing how to manipulate the system to produce the desired results
• Crimes in which the computer is the tool: cyberterrorism, identity theft, etc.
• Crimes in which the computer is the object of the crime: illegal access and use, data alteration and destruction, information and equipment theft, software and Internet piracy, computer-related scams, and international computer crime
Summary (continued)
• Efforts to curb computer crime are being made by state and federal agencies, corporations, and individuals
• With information systems, privacy deals with the collection and use or misuse of data
• Ergonomics: science of designing machines, products, and systems to maximize safety, comfort, and efficiency of people who use them
• Many IS-related organizations have codes of ethics for their members