The Personal and Social Impact of Computers

Upload: horatio-henderson

Post on 18-Dec-2015


TRANSCRIPT

Page 1: The Personal and Social Impact of Computers. Why Learn About Security, Privacy, and Ethical Issues in Information Systems and the Internet? Many nontechnical

The Personal and Social Impact of Computers


Why Learn About Security, Privacy, and Ethical Issues in Information Systems and the Internet?

Many nontechnical issues associated with ISs
Human Resource employees need to:
  Prevent computer waste and mistakes
  Avoid privacy violations
  Comply with laws about:
    Collecting customer data
    Monitoring employees
Employees, IS users, and Internet users need to:
  Avoid crime, fraud, privacy invasion


Computer Waste and Mistakes

Computer waste:
  Inappropriate use of computer technology and resources
  Cause: improper management of information systems and resources
  Discarding old software and even complete computer systems when they still have value
  Building and maintaining complex systems that are never used to their fullest extent
  Using corporate time and technology for personal use
  Spam

Computer-related mistakes:
  Errors, failures, and other computer problems that make computer output incorrect or not useful
  Causes:
    Failure by users to follow proper procedures
    Unclear expectations and a lack of feedback
    Program development that contains errors
    Incorrect data entry by data-entry clerk


Prevention Methods: Policies and Procedures

Establishing -- Establish policies and procedures regarding efficient acquisition, use, and disposal of systems and devices
  Training programs for individuals and workgroups
  Manuals and documents on how computer systems are to be maintained and used
  Approval of certain systems and applications to ensure compatibility and cost-effectiveness

Implementing -- Policies often focus on:
  Implementation of source data automation and the use of data editing to ensure data accuracy and completeness
  Assignment of clear responsibility for data accuracy within each information system
  Training is often the key to acceptance and implementation of policies and procedures


Policies and Procedures

Monitoring -- Monitor routine practices and take corrective action if necessary
  Implement internal audits to measure actual results against established goals
  Follow requirements in Sarbanes-Oxley Act

Reviewing -- During review, people should ask the following questions:
  Do current policies cover existing practices adequately?
  Were any problems or opportunities uncovered during monitoring?
  Does the organization plan any new activities in the future? If so, does it need new policies or procedures on who will handle them and what must be done?
  Are contingencies and disasters covered?


Computer Crime

Often defies detection
Amount stolen or diverted can be substantial
Crime is “clean” and nonviolent
Number of IT-related security incidents is increasing dramatically
Computer crime is now global


The Computer as a Tool to Commit Crime

Criminals need two capabilities to commit most computer crimes:
  Knowing how to gain access to the computer system
  Knowing how to manipulate the system to produce the desired result

Examples:
  Social engineering
  Dumpster diving
  Counterfeit and banking fraud using sophisticated desktop publishing programs and high-quality printers


Cyberterrorism

Cyberterrorist
  Someone who intimidates or coerces a government or organization to advance his or her political or social objectives by launching computer-based attacks against computers, networks, and the information stored on them

Homeland Security Department’s Information Analysis and Infrastructure Protection Directorate
  Serves as governmental focal point for fighting cyberterrorism


Identity Theft

Imposter obtains key pieces of personal identification information, such as Social Security or driver’s license numbers, in order to impersonate someone else
  Information is then used to obtain credit, merchandise, and/or services in the name of the victim or to provide the thief with false credentials

Identity Theft and Assumption Deterrence Act of 1998 passed to fight identity theft

9 million victims in 2005


The Computer as the Object of Crime

Crimes fall into several categories such as:
  Illegal access and use
  Data alteration and destruction
  Information and equipment theft
  Software and Internet piracy
  Computer-related scams
  International computer crime


Illegal Access and Use

Hacker: learns about and uses computer systems

Criminal hacker (also called a cracker): gains unauthorized use or illegal access to computer systems

Script bunnies: automate the job of crackers

Insider: employee who compromises corporate systems

Malware: software programs that destroy or damage processing

Virus: computer program file capable of attaching to disks or other files and replicating itself repeatedly, typically without the user’s knowledge or permission

Worm: parasitic computer program that can create copies of itself on the infected computer or send copies to other computers via a network

Trojan horse: malicious program that disguises itself as a useful application and purposefully does something the user does not expect

Logic bomb: type of Trojan horse that executes when specific conditions occur
  Triggers for logic bombs can include a change in a file, by a particular series of keystrokes, or at a specific time or date


Illegal Access and Use

Tips for avoiding viruses and worms:
  Install antivirus software on your computer and configure it to scan all downloads, e-mail, and disks
  Update your antivirus software regularly
  Back up your files regularly
  Do not open any files attached to an e-mail from an unknown, suspicious, or untrustworthy source
  Do not open any files attached to an e-mail unless you know what it is, even if it appears to come from a friend or someone you know
  Exercise caution when downloading files from the Internet
    Ensure that the source is legitimate and reputable


Information and Equipment Theft

Obtaining identification numbers and passwords to steal information or disrupt systems
  Trial and error, password sniffer program
Software theft
Computer systems and equipment theft
  Data on equipment is valuable


Software and Internet Software Piracy

Software piracy: act of illegally duplicating software

Internet software piracy: illegally downloading software from the Internet
  Most rapidly expanding type of software piracy
  Most difficult form to combat
  Examples: pirate Web sites, auction sites that offer counterfeit software, peer-to-peer networks

Penalties can be severe


Computer-Related Scams

Examples of Internet scams:
  Get-rich-quick schemes involving bogus real estate deals
  “Free” vacations with huge hidden costs
  Bank fraud
  Fake telephone lotteries

Phishing
  Gaining access to personal information by redirecting user to fake site


International Computer Crime

Computer crime is an international issue

Software industry loses about $9 billion in revenue annually to software piracy occurring outside the United States

Terrorists, international drug dealers, and other criminals might use information systems to launder illegally obtained funds


Preventing Computer-Related Crime

All states have passed computer crime legislation

Some believe that these laws are not effective because:
  Companies do not always actively detect and pursue computer crime
  Security is inadequate
  Convicted criminals are not severely punished

Individual and group efforts are being made to curb computer crime, and recent efforts have met with some success

State and federal agencies have begun aggressive attacks on computer criminals

Computer Fraud and Abuse Act, 1986

Computer Emergency Response Team (CERT)

Many states are now passing new, comprehensive bills to help eliminate computer crimes


Crime Prevention by Corporations

Public key infrastructure (PKI): enables users of an unsecured public network such as the Internet to securely and privately exchange data
  Uses a public and a private cryptographic key pair that is obtained and shared through a trusted authority

Biometrics: measurement of one of a person’s traits, whether physical or behavioral

Security & Biometric Video: http://www.youtube.com/watch?v=CkRAUnFLYKA


Using Intrusion Detection Software

Intrusion detection system (IDS): software that monitors system and network resources and notifies network security personnel when it senses a possible intrusion
  Suspicious activities: failed login attempts, attempts to download program to server, accessing a system at unusual hours
  Can provide false alarms
  E-mail or voice message alerts may be missed
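
Added example (not part of the original slides): a small Python sketch of how an IDS rule set might flag two of the suspicious activities listed above, repeated failed logins and access at unusual hours. The log format, thresholds, business hours, and allowlist are assumptions made for illustration, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, event, user, source.
SAMPLE_LOG = """\
2015-12-18T09:01:10 LOGIN_FAIL user=bob src=10.0.0.7
2015-12-18T09:01:25 LOGIN_OK user=bob src=10.0.0.7
2015-12-18T13:40:00 LOGIN_FAIL user=admin src=203.0.113.9
2015-12-18T13:40:20 LOGIN_FAIL user=admin src=203.0.113.9
2015-12-18T13:40:41 LOGIN_FAIL user=root src=203.0.113.9
2015-12-18T13:41:02 LOGIN_FAIL user=admin src=203.0.113.9
2015-12-18T13:41:30 LOGIN_FAIL user=oracle src=203.0.113.9
2015-12-19T02:17:45 LOGIN_OK user=carol src=10.0.0.12
2015-12-19T03:05:00 LOGIN_OK user=oncall src=10.0.0.3
"""

FAIL_THRESHOLD = 5                  # assumed: failures per source that raise an alert
FAIL_WINDOW = timedelta(minutes=5)  # assumed sliding window for counting failures
BUSINESS_HOURS = range(7, 20)       # assumed normal hours, 07:00-19:59
OFF_HOURS_ALLOWLIST = {"oncall"}    # assumed accounts expected to log in at night


def parse_line(line):
    """Split one constructed log line into (time, event, fields)."""
    stamp, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(stamp), event, fields


def detect(log_text):
    """Return (rule, time, detail) alerts for failed-login bursts and off-hours logins."""
    alerts = []
    recent_fails = defaultdict(deque)  # source address -> recent failure times
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, event, f = parse_line(line)
        if event == "LOGIN_FAIL":
            q = recent_fails[f["src"]]
            q.append(when)
            # Drop failures that have aged out of the window.
            while q and when - q[0] > FAIL_WINDOW:
                q.popleft()
            # Alert once, at the moment the threshold is reached.
            if len(q) == FAIL_THRESHOLD:
                alerts.append(("failed-logins", when, f["src"]))
        elif event == "LOGIN_OK":
            off_hours = when.hour not in BUSINESS_HOURS
            if off_hours and f["user"] not in OFF_HOURS_ALLOWLIST:
                alerts.append(("off-hours-login", when, f["user"]))
    return alerts


if __name__ == "__main__":
    for rule, when, detail in detect(SAMPLE_LOG):
        print(f"{when.isoformat()} ALERT {rule}: {detail}")
```

The single mistyped password for bob stays below the threshold, while the 02:17 login by carol is flagged even if she was simply working late, which is the kind of false alarm the slide mentions and the reason alerts need follow-up and tuning.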


Internet Laws for Libel and Protection of Decency

Filtering software helps screen Internet content
  Also prevents children from sending personal information over e-mail or through chat groups

Internet Content Rating Association (ICRA)
  Rates Web sites based on authors’ responses from questionnaire

Children’s Internet Protection Act (CIPA), 2000
  Required filters in federally funded libraries

Libel is an important legal issue on the Internet
  Publishing Internet content to the world can subject companies to different countries’ laws


Preventing Crime on the Internet

Develop effective Internet usage and security policies for all employees

Use a stand-alone firewall (hardware and software) with network monitoring capabilities

Deploy intrusion detection systems, monitor them, and follow up on their alarms

Monitor managers and employees to make sure that they are using the Internet for business purposes

Use Internet security specialists to perform audits of all Internet and network activities


Privacy Issues

With information systems, privacy deals with the collection and use or misuse of data

More data and information are produced and used today than ever before

Data is constantly being collected and stored on each of us

This data is often distributed over easily accessed networks and without our knowledge or consent

Concerns of privacy regarding this data must be addressed


Privacy and the Federal Government

U.S. federal government is perhaps the largest collector of data

Over 4 billion records exist on citizens, collected by about 100 federal agencies

U.S. National Security Agency (NSA) had secretly collected phone call records of tens of millions of U.S. citizens after the September 11, 2001 terrorist attacks
  Ruled unconstitutional and illegal by a federal judge in August 2006


Privacy at Work

There is conflict between rights of workers who want their privacy and the interests of companies that demand to know more about their employees

Workers might be monitored via computer technology that can:
  Track every keystroke made by a worker
  Know when the worker is not using the keyboard or computer system
  Estimate how many breaks he or she is taking

Many workers consider monitoring dehumanizing


E-Mail Privacy

Federal law permits employers to monitor e-mail sent and received by employees

E-mail messages that have been erased from hard disks can be retrieved and used in lawsuits

Use of e-mail among public officials might violate “open meeting” laws


Privacy and the Internet

Huge potential for privacy invasion on the Internet
  E-mail is a prime target

Platform for Privacy Preferences (P3P): screening technology that shields users from Web sites that do not provide the level of privacy protection they desire

Children’s Online Privacy Protection Act (COPPA), 1998: requires privacy policies and parental consent

Potential dangers on social networking Web sites


Corporate Privacy Policies

Should address a customer’s knowledge, control, notice, and consent over the storage and use of information

May cover who has access to private data and when it may be used

A good database design practice is to assign a single unique identifier to each customer
  Single record describing all relationships with the company across all its business units
  Can apply customer privacy preferences consistently throughout all databases


Individual Efforts to Protect Privacy

Find out what is stored about you in existing databases

Be careful when you share information about yourself

Be proactive to protect your privacy
  When purchasing anything from a Web site, make sure that you safeguard your credit card numbers, passwords, and personal information


Health Concerns

Working with computers can cause occupational stress
  Training and counseling can often help the employee and deter problems

Computer use can affect physical health as well
  Strains, sprains, tendonitis, repetitive motion disorder, carpal tunnel syndrome

Concerns about emissions from improperly maintained and used equipment, display screens, and cell phones

Many computer-related health problems are caused by a poorly designed work environment

Ergonomics: science of designing machines, products, and systems to maximize the safety, comfort, and efficiency of the people who use them


Ethics
  Principles of right and wrong used by individuals as free moral agents to guide behavior

Moral dimensions of the information age
  Information rights & obligations
  Property rights
  Accountability & control
  System quality
  Quality of life


Moral dimensions of the information age

Information rights & obligations
Property rights
Accountability & control
System quality
Quality of life


Ethics in an information society

Ethical analysis:
  Identify, describe facts
  Define conflict, identify values
  Identify stakeholders
  Identify options
  Identify potential consequences


Ethics in an information society

Ethical principles:
  Treat others as you want to be treated
  If action not right for everyone, not right for anyone
  If action not repeatable, not right at any time
  Put value on outcomes, understand consequences
  Incur least harm or cost
  No free lunch


Information rights

Privacy: right to be left alone

Fair information practices (FIP):
  No secret personal records
  Individuals can access, amend information about them
  Use info only with prior consent
  Managers accountable for damage done by systems
  Governments can intervene


Intellectual property

Intellectual property: intangible creations protected by law

Trade secret: intellectual work or product belonging to business, not in public domain

Copyright: statutory grant protecting intellectual property from copying by others

Trade Mark: legally registered mark, device, or name to distinguish one’s goods

Patent: legal document granting owner exclusive monopoly on an invention for 17 years


Ethical Issues in Information Systems

Code of ethics: states the principles and core values that are essential to a set of people and thus governs their behavior

ACM code of ethics and professional conduct:
  Contribute to society and human well-being
  Avoid harm to others
  Be honest and trustworthy
  Be fair and take action not to discriminate
  Honor property rights including copyrights and patents
  Give proper credit for intellectual property
  Respect the privacy of others
  Honor confidentiality