
IMchap13


13 Security and Ethical Challenges

I. CHAPTER OVERVIEW

This chapter discusses the threats against, and defenses needed for the performance and security of business information systems, as well as the ethical implications and societal impacts of information technology.

Section I: Security, Ethical and Societal Challenges of IT
Section II: Security Management of Information Technology

II. LEARNING OBJECTIVES

Learning Objectives
1. Identify several ethical issues in how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.
2. Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology.
3. Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology.

O’Brien, Management Information Systems, 7/eIM - Chapter 13 pg. 1


III. TEACHING SUGGESTIONS

Figure 13.2 outlines major aspects of the ethical and societal dimensions of information technology. It should be stressed to students that information technology can have both positive and negative effects on society. Instructors should spend some time discussing the different types of computer crimes, and why they are considered crimes at all. Figure 13.4 outlines the four principles of technology ethics – proportionality, informed consent, justice, and minimized risk. Figure 13.7 gives a number of common examples of hacking tactics used to assault e-business enterprises and other organizations through the Internet and other networks. Figure 13.12 covers a number of ergonomic factors found in the workplace. It stresses that good ergonomic design considers tools, tasks, the workstation, and the environment.

The necessity of controls for information systems should be emphasized. The goal of security management is the accuracy, integrity, and safety of all e-business processes and resources. Stress to students that conducting security management is a complex task in all organizations. News accounts of computer errors and computer-related crimes can be used to convince students of the importance of this topic. Examples of procedural and physical facility controls should also be discussed with your students, especially the importance of disaster recovery planning. Figure 13.21 provides an example of e-business system controls and audits. Note that they are designed to monitor and maintain the quality and security of the input, processing, output, and storage activities of an information system. Finally, Figure 13.22 is a good slide to use to discuss information systems controls as methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities. Figure 13.23 outlines important ways to protect yourself from cybercrime and other computer security threats.


IV. LECTURE NOTES

Section I: Security, Ethical, and Societal Challenges of IT

Introduction

There is no question that the use of information technology in e-business operations presents major security challenges, poses serious ethical questions, and affects society in significant ways.

Analyzing F-Secure, Microsoft, GM, and Verizon

We can learn a lot from this case about the security and ethical issues in business that arise from the challenges caused by computer viruses. Take a few minutes to read it, and we will discuss it (see F-Secure, Microsoft, GM, and Verizon: The Business Challenge of Computer Viruses in Section IX).

Business/IT Security, Ethics, and Society [Figure 13.2]

The use of information technology in e-business has major impacts on society, and thus raises serious ethical issues in areas such as:
● Crime
● Privacy
● Individuality
● Employment
● Health
● Working Conditions

Note: Students should realize that information technology can have a beneficial effect as well as a negative effect in each of the areas listed above.

Ethical Responsibility of Business Professionals

As a business end user, you have a responsibility to promote ethical uses of information technology in the workplace. These responsibilities include properly performing your role as a vital human resource in the e-business systems you help develop and use in your organizations.

The AITP code provides guidelines for ethical conduct in the development and use of information technology. End-users and IS professionals would live up to their ethical responsibilities by voluntarily following such guidelines.

For example, you can be a responsible end user by:
● Acting with integrity
● Increasing your professional competence
● Setting high standards of personal performance
● Accepting responsibility for your work
● Advancing the health, privacy, and general welfare of the public

Business Ethics:

Business ethics is concerned with the numerous ethical questions that managers must confront as part of their daily business decision-making. Managers can draw on several important alternative theories when confronted with making ethical decisions on business issues.


These include:
● Stockholder Theory – Holds that managers are agents of the stockholders, and their only ethical responsibility is to increase the profits of the business, without violating the law or engaging in fraudulent practices.
● Social Contract Theory – States that companies have an ethical responsibility to all members of society, which allows corporations to exist based on a social contract.
● Stakeholder Theory – Maintains that managers have an ethical responsibility to manage a firm for the benefit of all of its stakeholders, which are all individuals and groups that have a stake in or claim on a company.

Technology Ethics [Figure 13.4]

Proportionality – The good achieved by the technology must outweigh the harm or risk. Moreover, there must be no alternative that achieves the same or comparable benefits with less harm or risk.

Informed Consent – Those affected by the technology should understand and accept the risks.

Justice – The benefits and burdens of the technology should be distributed fairly. Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk.

Minimized Risk – Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk.

Ethical Guidelines:

The Association of Information Technology Professionals (AITP) is an organization of professionals in the computing field. Its code of conduct outlines the ethical considerations inherent in the major responsibilities of an IS professional.

Business end users and IS professionals would live up to their ethical responsibilities by voluntarily following such guidelines as those outlined in the AITP standard. You can be a responsible end user by:
● Acting with integrity
● Increasing your professional competence
● Setting high standards of personal performance
● Accepting responsibility for your work
● Advancing the health, privacy, and general welfare of the public

Computer Crime

Computer crime is a growing threat to society, arising from the criminal or irresponsible actions of individuals who take advantage of the widespread use and vulnerability of computers, the Internet, and other networks. It thus presents a major challenge to the ethical use of information technologies. Computer crime poses serious threats to the integrity, safety, and survival of most e-business systems, and thus makes the development of effective security methods a top priority.

The Association of Information Technology Professionals (AITP) defines computer crime as including:
● The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources.
● The unauthorized release of information.
● The unauthorized copying of software.
● Denying an end user access to his or her own hardware, software, data, or network resources.
● Using or conspiring to use computer or network resources to illegally obtain information or tangible property.

Penalties for violation of the U.S. Computer Fraud and Abuse Act include:
● 1 to 5 years in prison for a first offence
● 10 years for a second offence
● 20 years for three or more offences
● Fines ranging up to $250,000 or twice the value of stolen data

Hacking: [Figure 13.7]

Hacking is the obsessive use of computers, or the unauthorized access and use of networked computer systems. Illegal hackers (also called crackers) frequently assault the Internet and other networks to steal or damage data and programs. Hackers can:
● Monitor e-mail, Web server access, or file transfers to extract passwords or steal network files, or to plant data that will cause a system to welcome intruders.
● Use remote services that allow one computer on a network to execute programs on another computer to gain privileged access within a network.
● Use Telnet, an Internet tool for interactive use of remote computers, to discover information to plan other attacks.

Cyber-Theft

Many computer crimes involve the theft of money. In the majority of cases, they are “inside jobs” that involve unauthorized network entry and fraudulent alteration of computer databases to cover the tracks of the employees involved.

Unauthorized Use at Work:

The unauthorized use of a computer system is called time and resource theft. A common example is unauthorized use of company-owned computer networks by employees. This may range from doing private consulting or personal finances or playing video games, to unauthorized use of the Internet on company networks. Network monitoring software called sniffers is frequently used to monitor network traffic, both to evaluate network capacity and to reveal evidence of improper use.

Software Piracy:

Computer programs are valuable property and thus are the subject of theft from computer systems. Unauthorized copying of software or software piracy is a major form of software theft because software is intellectual property, which is protected by copyright law and user licensing agreements.

Piracy of Intellectual Property:

Software is not the only intellectual property subject to computer-based piracy. Other forms of copyrighted material, such as music, videos, images, articles, books, and other written works are especially vulnerable to copyright infringement, which most courts have deemed illegal. Digitised versions can easily be captured by computer systems and made available for people to access or download at Internet websites, or can be readily disseminated by e-mail as file attachments. The development of peer-to-peer (P2P) networking has made digital versions of copyrighted material even more vulnerable to unauthorized use.

Computer Viruses:

One of the most destructive examples of computer crime involves the creation of computer viruses or worms. They typically enter a computer system through illegal or borrowed copies of software, or through network links to other computer systems. A virus usually copies itself into the operating system’s programs, and from there to the hard disk and any inserted floppy disks. Vaccine programs, and virus prevention and detection programs, are available, but may not work for new types of viruses.

Virus – program code that cannot work without being inserted into another program.

Worm – a distinct program that can run unaided.

Privacy Issues

The power of information technology to store and retrieve information can have a negative effect on the right to privacy of every individual.

For example:
● Confidential e-mail messages by employees are monitored by many companies.
● Personal information is being collected about individuals every time they visit a site on the World Wide Web.
● Confidential information on individuals contained in centralized computer databases by credit bureaus, government agencies, and private business firms has been stolen or misused, resulting in the invasion of privacy, fraud, and other injustices.

Unauthorized use of information can seriously damage the privacy of individuals. Errors in databases can seriously hurt the credit standing or reputation of individuals.

Some important privacy issues being debated in business and government include the following:
● Accessing individuals’ private e-mail conversations and computer records, and collecting and sharing information about individuals gained from their visits to Internet websites and newsgroups (violation of privacy).
● Always “knowing” where a person is, especially as mobile and paging services become more closely associated with people rather than places (computer monitoring).
● Using customer information to market additional business services (computer matching).
● Collecting telephone numbers and other personal information to build individual customer profiles (unauthorized personal files).

Privacy on the Internet:

The Internet is notorious for giving its users a feeling of anonymity, when in actuality they are highly visible and open to violations of their privacy. Most of the Internet and its World Wide Web and newsgroups are still a wide open, unsecured, electronic frontier, with no tough rules on what information is personal and private. You can protect your privacy in several ways:
● Use encryption to send e-mail (both sender and receiver must have encryption software).
● Use anonymous remailers to protect your identity when you add comments in newsgroup postings.
● Ask your Internet service provider not to sell your name and personal information to mailing list providers and other marketers.
● Decline to reveal personal data and interests in online service and website user profiles.

Computer Matching:

Computer matching is the use of computers to screen and match data about individual characteristics provided by a variety of computer-based information systems and databases in order to identify individuals for business, government, or other purposes. Unauthorized use or mistakes in the computer matching of personal data can be a threat to privacy. For example, an individual’s personal profile may be incorrectly matched with someone else.

Privacy Laws:

In the US, the Federal Privacy Act strictly regulates the collection and use of personal data by governmental agencies. The law specifies that individuals have the right to inspect their personal records, make copies, and correct or remove erroneous or misleading information.

The Federal Privacy Act specifies that federal agencies:
● Must annually disclose the types of personal data files they maintain.
● Cannot disclose personal information on an individual to any other individual or agency except under certain strict conditions.
● Must inform individuals of the reasons for requesting personal information from them.
● Must retain personal data records only if they are “relevant and necessary to accomplish” an agency’s legal purpose.
● Must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records.

The U.S. Congress enacted the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act in 1986. These federal privacy laws are a major attempt to enforce the privacy of computer-based files and communications. These laws prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems.

Computer Libel and Censorship

The opposite side of the privacy debate is:
● The right of people to know about matters others may want to keep private (freedom of information)
● The right of people to express their opinions about such matters (freedom of speech)
● The right of people to publish those opinions (freedom of the press)

Some of the biggest battlegrounds in the debate are the bulletin boards, e-mail boxes, and online files of the Internet and public information networks, such as America Online and the Microsoft Network. The weapons being used in this battle include spamming, flame mail, libel laws, and censorship.

Spamming – the indiscriminate sending of unsolicited e-mail messages (spam) to many Internet users. Spamming is the favorite tactic of mass-mailers of unsolicited advertisements, or junk e-mail. Spamming has also been used by cyber criminals to spread computer viruses or infiltrate many computer systems.

Flaming – the practice of sending extremely critical, derogatory, and often vulgar e-mail messages (flame mail) or newsgroup postings to other users on the Internet or online services. Flaming is especially prevalent on some of the Internet’s special interest newsgroups. The Internet is very vulnerable to abuse, as it currently lacks formal policing and security.

Other Challenges:

The use of information technologies in e-business systems also has ethical and societal impacts in the areas of employment, individuality, working conditions, and health.

Employment Challenges:

The impact of IT on employment is a major ethical concern and is directly related to the use of computers to achieve automation of work activities. The use of e-business technologies has created new jobs and increased productivity. However, it has also caused a significant reduction in some types of job opportunities.

Computer Monitoring:

One of the most explosive ethical issues concerning the quality of working conditions in e-business is computer monitoring. Computers are being used to monitor the productivity and behavior of employees while they work. Supposedly, computer monitoring is done so employers can collect productivity data about their employees to increase the efficiency and quality of service.

Computer monitoring has been criticized as unethical because:
● It is used to monitor individuals, not just work, and is done continually, thus violating workers’ privacy and personal freedom.
● It is considered an invasion of the privacy of employees, because in many cases they do not know that they are being monitored, or don’t know how the information is being used.
● Employees’ right of due process may be harmed by the improper use of collected data to make personnel decisions.
● It increases the stress on employees who must work under constant electronic surveillance.
● It has been blamed for causing health problems among monitored workers.
● It has been blamed for robbing workers of the dignity of their work.

Challenges in Working Conditions:

Information technology has eliminated some monotonous or obnoxious tasks in the office and the factory that formerly had to be performed by people. Thus, IT can be said to upgrade the quality of work. However, many automated operations are also criticized for relegating people to a “do-nothing” standby role.

Challenges to Individuality:

A frequent criticism of e-business systems concerns their negative effect on the individuality of people. Computer-based systems are criticized as:
● Being impersonal systems that dehumanize and depersonalize activities, since they eliminate the human relationships present in noncomputer systems.
● Causing humans to feel a loss of identity.
● Causing humans to feel a loss of individuality, as some systems require a regimentation of the individual and demand strict adherence to detailed procedures.

Computer-based systems can be ergonomically engineered to accommodate human factors by:
● Minimizing depersonalization and regimentation.
● Designing software that is “people-oriented” and “user-friendly.”

Health Issues: [Figure 13.12]

The use of IT in the workplace raises a variety of health issues. Heavy use of computers is reportedly causing health problems such as:
● Job stress
● Damaged arm and neck muscles
● Eye strain
● Radiation exposure
● Death by computer-caused accidents

Ergonomics:

Solutions to some health problems are based on the science of ergonomics, sometimes called human factors engineering. The goal of ergonomics is to design healthy work environments that are safe, comfortable, and pleasant for people to work in, thus increasing employee morale and productivity.

Ergonomics stresses the healthy design of the workplace, workstations, computers and other machines, and even software packages. Other health issues may require ergonomic solutions emphasizing job design, rather than workplace design.

Societal Solutions

Computers and networks like the Internet, and other information technology, can have many beneficial effects on society. Information technology can be used to solve human and societal problems through societal solutions such as:
● Medical diagnosis
● Computer-assisted instruction
● Governmental program planning
● Environmental quality control
● Law enforcement


IV. LECTURE NOTES (con’t)

Section II: Security Management of Information Technology

Introduction

There are many significant threats to the security of information systems in business. Business managers and professionals alike are responsible for the security, quality, and performance of the e-business systems in their business units.

Analyzing Geisinger Health Systems and Du Pont

We can learn a lot from this case about the security management issues and challenges in securing company data resources and process control networks. Take a few minutes to read it, and we will discuss it (See Geisinger Health Systems and Du Pont: Security Management in Section IX).

Tools of Security Management

The goal of security management is the accuracy, integrity, and safety of all e-business processes and resources. Effective security management can minimize errors, fraud, and losses in the internetworked computer-based systems that interconnect today’s e-business enterprises.

Internetworked Security Defense

Security of today’s internetworked e-business enterprises is a major management challenge. Vital network links and business flows need to be protected from external attack by cyber criminals or subversion by the criminal or irresponsible acts of insiders. This requires a variety of security tools and defensive measures and a coordinated security management program.

Encryption

Encryption of data has become an important way to protect data and other computer network resources especially on the Internet, intranets, and extranets.

Encryption characteristics include:
● Passwords, messages, files, and other data can be transmitted in scrambled form and unscrambled by computer systems for authorized users only.
● Encryption involves using special mathematical algorithms, or keys, to transform digital data into a scrambled code before they are transmitted, and to decode the data when they are received.
● The most widely used encryption method uses a pair of public and private keys unique to each individual.

For example: e-mail could be scrambled and encoded using a unique public key for the recipient that is known to the sender. After the e-mail is transmitted, only the recipient’s secret private key could unscramble the message.

Encryption programs are sold as separate products or built into other software used for the encryption process. There are several competing software encryption standards, but the top two are RSA and PGP.
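The public/private key e-mail exchange described above, as an added example that is not part of this instructor's manual: the sender seals a message with the recipient's public key, and only the recipient's private key can open it; a second key pair standing in for any other party cannot. It uses Go's standard-library RSA-OAEP; the mailbox names and the message text are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Mailbox is one e-mail user's key pair. The public half is handed out to
// anyone who wants to write to this user; the private half never leaves them.
type Mailbox struct {
	Name string
	priv *rsa.PrivateKey
}

// NewMailbox generates a fresh 2048-bit RSA key pair for one user.
func NewMailbox(name string) (*Mailbox, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Mailbox{Name: name, priv: priv}, nil
}

// PublicKey is the part the sender needs to know about the recipient.
func (m *Mailbox) PublicKey() *rsa.PublicKey { return &m.priv.PublicKey }

// Seal scrambles plaintext so that only the holder of the matching private
// key can read it. RSA-OAEP with SHA-256 limits one message to 190 bytes for
// a 2048-bit key, which is why real mail encryption (PGP included) uses RSA to
// seal a random symmetric key and encrypts the message body with that key.
func Seal(recipient *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
}

// Open unscrambles a sealed message with this mailbox's private key.
func (m *Mailbox) Open(sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, m.priv, sealed, nil)
}

// Exchange runs the scenario from the text: a message is sealed with the
// recipient's public key; the recipient can open it, another key holder
// cannot. It returns what the recipient read and whether the other party's
// attempt failed (true means it failed, as it should).
func Exchange(message string) (string, bool, error) {
	recipient, err := NewMailbox("recipient") // constructed party
	if err != nil {
		return "", false, err
	}
	other, err := NewMailbox("other") // constructed third party
	if err != nil {
		return "", false, err
	}
	sealed, err := Seal(recipient.PublicKey(), []byte(message))
	if err != nil {
		return "", false, err
	}
	opened, err := recipient.Open(sealed)
	if err != nil {
		return "", false, err
	}
	_, otherErr := other.Open(sealed) // wrong private key: must fail
	return string(opened), otherErr != nil, nil
}

func main() {
	got, otherFailed, err := Exchange("Q3 figures attached, do not forward.")
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient read: %q\n", got)
	fmt.Printf("other key could open it: %v\n", !otherFailed)
}
```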

Firewalls

Another important method for control and security on the Internet and other networks is the use of firewall computers and software. A network firewall can be a communications processor, typically a router, or a dedicated server, along with firewall software.


Firewall computers and software characteristics include:
● A firewall serves as a “gatekeeper” computer system that protects a company’s intranets and other computer networks from intrusion by serving as a filter and safe transfer point for access to and from the Internet and other networks.
● A firewall computer screens all network traffic for proper passwords and other security codes, and only allows authorized transmissions in and out of the network.
● Firewalls have become an essential component of organizations connecting to the Internet, because of the Internet’s vulnerability and lack of security.
● Firewalls can deter, but not completely prevent, unauthorized access (hacking) into computer networks. In some cases, a firewall may allow access only from trusted locations on the Internet to particular computers inside the firewall. Or it may allow only “safe” information to pass.
● In some cases, it is impossible to distinguish safe use of a particular network service from unsafe use, and so all requests must be blocked. The firewall may then provide substitutes for some network services that perform most of the same functions but are not as vulnerable to penetration.
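The “access only from trusted locations on the Internet to particular computers inside the firewall” policy above, written as a screening rule list in an added example that is not from the manual: first matching rule decides, anything unmatched is dropped, and hits per rule are counted (the statistic a security monitor would later report). All addresses, rule names and the internal server are constructed.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Packet is the part of a network packet a screening firewall looks at.
type Packet struct {
	Src, Dst netip.Addr
	DstPort  uint16
	Proto    string // "tcp" or "udp"
}

// Rule matches packets by source and destination prefix, port and protocol.
// A zero DstPort or empty Proto means "any".
type Rule struct {
	Name    string
	Src     netip.Prefix
	Dst     netip.Prefix
	DstPort uint16
	Proto   string
	Allow   bool
}

func (r Rule) matches(p Packet) bool {
	return r.Src.Contains(p.Src) && r.Dst.Contains(p.Dst) &&
		(r.DstPort == 0 || r.DstPort == p.DstPort) &&
		(r.Proto == "" || r.Proto == p.Proto)
}

// Firewall screens traffic with an ordered rule list: the first matching rule
// decides, and anything no rule allows is dropped (default deny). It also
// counts hits per rule, the raw material of an improper-use report.
type Firewall struct {
	Rules []Rule
	Hits  map[string]int
}

func NewFirewall(rules []Rule) *Firewall {
	return &Firewall{Rules: rules, Hits: map[string]int{}}
}

// Screen returns whether the packet passes and which rule decided.
func (fw *Firewall) Screen(p Packet) (bool, string) {
	for _, r := range fw.Rules {
		if r.matches(p) {
			fw.Hits[r.Name]++
			return r.Allow, r.Name
		}
	}
	fw.Hits["default-deny"]++
	return false, "default-deny"
}

// NewPacket builds a packet from dotted addresses; it panics on bad input,
// which is acceptable for the constructed sample data used here.
func NewPacket(src, dst string, port uint16, proto string) Packet {
	return Packet{netip.MustParseAddr(src), netip.MustParseAddr(dst), port, proto}
}

// SamplePolicy is the policy from the text: one trusted partner network may
// reach one internal server on one service, the inside may reach the
// Internet, and everything else from outside is blocked. Constructed values.
func SamplePolicy() *Firewall {
	return NewFirewall([]Rule{
		{Name: "partner-to-orders", Src: netip.MustParsePrefix("198.51.100.0/24"),
			Dst: netip.MustParsePrefix("10.0.5.20/32"), DstPort: 443, Proto: "tcp", Allow: true},
		{Name: "intranet-out", Src: netip.MustParsePrefix("10.0.0.0/8"),
			Dst: netip.MustParsePrefix("0.0.0.0/0"), Allow: true},
		{Name: "block-external", Src: netip.MustParsePrefix("0.0.0.0/0"),
			Dst: netip.MustParsePrefix("10.0.0.0/8"), Allow: false},
	})
}

func main() {
	fw := SamplePolicy()
	for _, p := range []Packet{
		NewPacket("198.51.100.7", "10.0.5.20", 443, "tcp"), // partner to orders server
		NewPacket("198.51.100.7", "10.0.5.20", 22, "tcp"),  // partner, wrong service
		NewPacket("203.0.113.9", "10.0.5.20", 443, "tcp"),  // unknown outside host
		NewPacket("10.0.8.15", "203.0.113.9", 80, "tcp"),   // inside to Internet
	} {
		ok, rule := fw.Screen(p)
		fmt.Printf("%-14s -> %-12s:%-4d allow=%-5v (%s)\n", p.Src, p.Dst, p.DstPort, ok, rule)
	}
	fmt.Println("rule hits:", fw.Hits)
}
```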

Denial of Service Defenses

The Internet is extremely vulnerable to a variety of assaults by criminal hackers, especially denial of service (DoS) attacks. Denial of service assaults via the Internet depend on three layers of networked computer systems, and the basic steps e-business companies and other organizations can take to protect their websites from denial of service and other hacking attacks apply at each of these layers:
● The victim’s website
● The victim’s Internet service provider (ISP)
● The sites of “zombie” or slave computers that were commandeered by the cyber criminals

e-Mail Monitoring

Internet and other online e-mail systems are one of the favorite avenues of attack by hackers for spreading computer viruses or breaking into networked computers. E-mail is also the battleground for attempts by companies to enforce policies against illegal, personal, or damaging messages by employees, and the demands of some employees and others, who see such policies as violations of privacy rights.

Virus Defenses

Many companies are building defenses against the spread of viruses by centralizing the distribution and updating of antivirus software as a responsibility of their IS departments. Other companies are outsourcing the virus protection responsibility to their Internet service providers or to telecommunications or security management companies.

Other Security Measures:

A variety of security measures are commonly used to protect e-business systems and networks. These include both hardware and software tools like fault-tolerant computers and security monitors, and security policies and procedures like passwords and backup files.


Security Codes:

Typically, a multilevel password system is used for security management. First, an end user logs on to the computer system by entering his or her unique identification code, or user ID.

The end user is then asked to enter a password in order to gain access into the system. Next, to access an individual file, a unique file name must be entered.

Backup Files

Backup files, which are duplicate files of data or programs, are another important security measure. Files can be protected by file retention measures that involve storing copies of files from previous periods. Several generations of files can be kept for control purposes.

Security Monitors

System security monitors are programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction.
● Security monitor programs provide the security measures needed to allow only authorized users to access the networks.
● Security monitors also control the use of the hardware, software, and data resources of a computer system.
● Security monitors can be used to monitor the use of computer networks and collect statistics on any attempts at improper use.

Biometric Security

These are security measures provided by computer devices that measure physical traits that make each individual unique. These include:
● Voice verification
● Fingerprints
● Hand geometry
● Signature dynamics
● Keystroke analysis
● Retina scanning
● Face recognition
● Genetic pattern analysis

Computer Failure Controls:

A variety of controls are needed to prevent computer failure or to minimize its effects. Computer systems may fail due to:
● Power failure
● Electronic circuitry malfunctions
● Telecommunications network problems
● Hidden programming errors
● Computer operator errors
● Electronic vandalism

The information services department typically takes steps to prevent equipment failure and to minimize its detrimental effects.

For example:
● Programs of preventative maintenance of hardware and management of software updates are commonplace.
● Using computers equipped with automatic and remote maintenance capabilities.
● Establishing standards for electrical supply, air conditioning, humidity control, and fire prevention.
● Arranging for a backup computer system capability with disaster recovery organizations.
● Scheduling and implementing major hardware or software changes to avoid problems.
● Training and supervision of computer operators.
● Using fault tolerant computer systems (fail-safe and fail-soft capabilities).

Fault Tolerant Systems : [Figure 13.21]

Many firms use fault tolerant computer systems that have redundant processors, peripherals, and software that provide a fail-over capability to back up components in the event of system failure.
● Fail-Safe – Fail-safe refers to computer systems that continue to operate at the same level of performance after a major failure.
● Fail-Soft – Fail-soft refers to computer systems that continue to operate at a reduced but acceptable level after a system failure.

Disaster Recovery

Hurricanes, earthquakes, fires, floods, criminal and terrorist acts, and human error can all severely damage an organization's computing resources, and thus the health of the organization itself. Many companies, especially online e-commerce retailers and wholesalers, airlines, banks, and Internet service providers, for example, are crippled by losing even a few hours of computing power. That is why it is important for organizations to develop disaster recovery procedures and formalize them in a disaster recovery plan. It specifies which employees will participate in disaster recovery, and what their duties will be; what hardware, software, and facilities will be used; and the priority of applications that will be processed. Arrangements with other companies for use of alternative facilities as a disaster recovery site and off site storage of an organization's databases are also part of an effective recovery effort.

System Controls and Audits [Figure 13.22]:

The development of information system controls and the accomplishment of e-business systems audits are two other types of security management.

Information Systems Controls:

Information systems controls are methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities. Information System (IS) controls must be developed to ensure proper data entry, processing techniques, storage methods, and information output. IS controls are designed to monitor and maintain the quality and security of the input, processing, output, and storage activities of any information system.

Auditing IT Systems

E-business systems should be periodically examined, or audited, by a company’s internal auditing staff or external auditors from professional accounting firms. Such audits should review and evaluate whether proper and adequate security measures and management policies have been developed and implemented.

An important objective of e-business system audits is testing the integrity of an application audit trail. An audit trail can be defined as the presence of documentation that allows a transaction to be traced through all stages of its information processing. The audit trail of manual information systems was quite visible and easy to trace; however, computer-based information systems have changed the form of the audit trail.
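The integrity test described above can be made concrete with a hash-chained audit trail, in which every entry commits to the entry before it so that an altered or removed record breaks the chain. This is an added example, not code from the textbook or its instructor's manual; it assumes a SHA-256 chain, and the transaction IDs, actors and stage names are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # previous-hash value used by the first entry in a trail


@dataclass(frozen=True)
class AuditEntry:
    seq: int          # position in the trail
    txn_id: str       # transaction being traced through its processing stages
    stage: str        # input, processing, output or storage
    actor: str        # user or program that performed the step
    detail: str       # what happened at that stage
    prev_hash: str    # hash of the preceding entry (this is what chains the trail)
    entry_hash: str   # hash over this entry's fields plus prev_hash


def _digest(seq, txn_id, stage, actor, detail, prev_hash):
    """Canonical SHA-256 over the entry fields; JSON keeps field boundaries unambiguous."""
    payload = json.dumps([seq, txn_id, stage, actor, detail, prev_hash],
                         separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, txn_id, stage, actor, detail):
        """Append one processing step, chained to the current last entry."""
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = AuditEntry(seq, txn_id, stage, actor, detail, prev,
                           _digest(seq, txn_id, stage, actor, detail, prev))
        self.entries.append(entry)
        return entry

    def trace(self, txn_id):
        """All recorded stages of one transaction, in order: the audit trail itself."""
        return [e for e in self.entries if e.txn_id == txn_id]

    def verify(self):
        """Auditor's integrity test. Returns (True, None) or (False, first_bad_seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False, i          # gap, reordering or a rewritten predecessor
            if _digest(e.seq, e.txn_id, e.stage, e.actor, e.detail, e.prev_hash) != e.entry_hash:
                return False, i          # this entry's content no longer matches its hash
            prev = e.entry_hash
        return True, None


def build_sample_trail():
    """Constructed sample: one order traced from input to storage, interleaved with another."""
    t = AuditTrail()
    t.record("ORD-1001", "input", "clerk_a", "order entered: 3 x widget, amount=90.00")
    t.record("ORD-1001", "processing", "billing_batch", "invoice INV-55 generated, amount=90.00")
    t.record("ORD-2002", "input", "clerk_b", "order entered: 1 x gadget, amount=25.00")
    t.record("ORD-1001", "output", "print_service", "invoice INV-55 printed and mailed")
    t.record("ORD-1001", "storage", "archiver", "invoice INV-55 archived to ledger")
    return t


def tamper(trail, seq, new_detail, rehash):
    """Simulate an after-the-fact edit of a stored record, optionally with its hash recomputed.
    Returns a modified copy; the original trail is left untouched."""
    copy = AuditTrail()
    copy.entries = list(trail.entries)
    old = copy.entries[seq]
    new_hash = (_digest(old.seq, old.txn_id, old.stage, old.actor, new_detail, old.prev_hash)
                if rehash else old.entry_hash)
    copy.entries[seq] = replace(old, detail=new_detail, entry_hash=new_hash)
    return copy


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.verify())
    print("ORD-1001 stages:", [e.stage for e in trail.trace("ORD-1001")])
    # Editing a record without rehashing is caught at that record;
    # rehashing it is caught at the next record, whose prev_hash no longer matches.
    print("edited in place:", tamper(trail, 1, "amount=9.00", rehash=False).verify())
    print("edited and rehashed:", tamper(trail, 1, "amount=9.00", rehash=True).verify())
```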


IV. LECTURE NOTES (con’t)

Summary

● Ethical and Societal Dimensions. The vital role of information technologies and systems in society raises serious ethical and societal issues in terms of their impact on employment, individuality, working conditions, privacy, health, and computer crime as illustrated in Figure 13.2.

Employment issues include the loss of jobs due to computerization and automation of work versus the jobs created to supply and support new information technologies and the business applications they make possible. The impact on working conditions involves the issues of computer monitoring of employees and the quality of the working conditions of jobs that make heavy use of information technologies. The effect of IT on individuality addresses the issues of the depersonalization, regimentation, and inflexibility of some computerized business systems.

Health issues are raised by heavy use of computer workstations for long periods of time by employees which may cause work-related health disorders. Serious privacy issues are raised by the use of IT to access or collect private information without authorization, as well as for computer profiling, computer matching, computer monitoring, and computer libel and censorship. Computer crime issues surround activities such as hacking, computer viruses and worms, cyber theft, unauthorized use at work, software piracy, and piracy of intellectual property.

Managers, business professionals, and IS specialists can help solve the problems of improper use of IT by assuming their ethical responsibilities for the ergonomic design, beneficial use, and enlightened management of information technologies in our society.

● Ethical Responsibility in Business. Business and IT activities involve many ethical considerations. Basic principles of technology and business ethics can serve as guidelines for business professionals when dealing with ethical business issues that may arise in the widespread use of information technology in business and society. Examples include theories of corporate social responsibility, which outline the ethical responsibility of management and employees to a company’s stockholders, stakeholders, and society, and the four principles of technology ethics summarized in Figure 13.4.

● Security Management. One of the most important responsibilities of the management of a company is to assure the security and quality of its IT-enabled business activities. Security management tools and policies can ensure the accuracy, integrity, and safety of the information systems and resources of a company, and thus minimize errors, fraud, and security losses in its business activities. Examples mentioned in the chapter include the use of encryption of confidential business data, firewalls, e-mail monitoring, antivirus software, security codes, backup files, security monitors, biometric security measures, computer failure controls, fault tolerant systems, disaster recovery measures, information systems controls, and security audits of business systems.


V. KEY TERMS AND CONCEPTS - DEFINED

Antivirus Software (462): A software program that is designed to find and eliminate computer viruses.

Audit Trail (468): Periodically examining the accuracy and integrity of information systems.

Auditing e-business Systems (467): An information services department should be periodically examined (audited) by internal auditing personnel. In addition, periodic audits by external auditors from professional accounting firms are a good business practice.

Backup Files (464): Backup files are duplicate files of data or programs. These files may be stored off-premises, that is, in a location away from the computer center, sometimes in special storage vaults in remote locations.

Biometric Security (465): Computer-based security methods that measure physical traits and characteristics such as fingerprints, voice prints, retina scans, and so on.

Business Ethics (436): An area of ethical philosophy concerned with developing ethical principles and promoting ethical behavior and practices in the accomplishment of business tasks and decision-making.

Computer Crime (439): Criminal actions accomplished through the use of computer systems, especially with intent to defraud, destroy, or make unauthorized use of computer system resources.

Computer Matching (450): Using computers to screen and match data about individual characteristics provided by a variety of computer-based information systems and databases in order to identify individuals for business, government, or other purposes.

Computer Monitoring (451): Using computers to monitor the behavior and productivity of workers on the job and in the workplace.

Computer Virus (446): Program code that copies its destructive program routines into the computer systems of anyone who accesses computer systems which have used the program, or anyone who uses copies of data or programs taken from such computers. This spreads the destruction of data and programs among many computer users. Technically, a virus will not run unaided, but must be inserted into another program, while a worm is a distinct program that can run unaided.

Denial of Service (461): A process whereby hackers overwhelm a website with requests for service from captive computers.

Disaster Recovery (467): Methods for ensuring that an organization recovers from natural and human-caused disasters that affect its computer-based operations.

Encryption (458): To scramble data or convert it, prior to transmission, to a secret code that masks the meaning of the data to unauthorized recipients. Similar to enciphering.


Ergonomics (453): The science and technology emphasizing the safety, comfort, and ease of use of human-operated machines such as computers. The goal of ergonomics is to produce systems that are user friendly, that is, safe, comfortable, and easy to use. Ergonomics is also called human factors engineering.

Ethical and Societal Impacts of Business/IT (450): These include (1) employment, (2) individuality, (3) health, (4) privacy, (5) societal solutions, and (6) working conditions.

Ethical and Societal Impacts of e-business – Employment (450): The impact of IT on employment is a major ethical concern and is directly related to the use of computers to achieve automation. IT has created new jobs and increased productivity; however, it has also caused a significant reduction in some types of job opportunities.

Ethical and Societal Impacts of e-business – Health (453): IT in the workplace raises a variety of health issues including health problems such as job stress, damaged arm and neck muscles, eyestrain, radiation exposure, and even death by computer-caused accidents.

Ethical and Societal Impacts of e-business – Individuality (452): Computer-based systems are criticized as being impersonal systems that dehumanize and depersonalize activities, and eliminate the human relationships present in manual systems. Humans feel a loss of individuality as some systems require a regimentation of the individual, and demand strict adherence to detailed procedures.

Ethical and Societal Impacts of e-business – Societal Solutions (454): IT can have many beneficial effects on society. It is being used to solve human and societal problems through societal applications such as medical diagnosis, computer-assisted instruction, governmental program planning, environmental quality control, and law enforcement.

Ethical and Societal Impacts of e-business – Working Conditions (452): IT has eliminated some monotonous and obnoxious tasks formerly performed by people. IT has upgraded the quality of work, but is also being criticized for relegating people to a “do-nothing” standby role.

Ethical Foundations (436): Ethical choices may result from decision-making processes or behavioral stages. These include egoism, natural law, utilitarianism, and respect for persons.

Fault Tolerant (465): Computers with multiple central processors, peripherals, and system software that are able to continue operations even if there is a major hardware or software failure.

Firewall (458): A computer that protects computer networks from intrusion by screening all network traffic and serving as a safe transfer point for access to and from other networks.

Flaming (450): Flaming is the practice of sending extremely critical, derogatory, and often vulgar e-mail messages (flame mail), or electronic bulletin board postings, to other users on the Internet or online services.

Hacking (441): (1) Obsessive use of a computer; (2) the unauthorized access and use of computer systems.

Information System Controls (467): Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities. Information system controls monitor and maintain the quality and security of the input, processing, output, and storage activities of any information system.


Intellectual Property Piracy (445): Copyrighted material, such as software, music, videos, images, articles, books, and other written works, is especially vulnerable to copyright infringement, which most courts have deemed illegal.

Passwords (464): A password is used as a security method which enables computer systems to identify eligible users and determine which types of information they are authorized to receive.

Privacy Issues (447): Laws that regulate the collection, access, and use of personal data.

Responsible Professional (438): An end user who acts with integrity and competence in the use of IT.

Security Management (457): Passwords, identification codes, account codes, and other codes that limit the access and use of computer-based system resources to authorized users.

Software Piracy (445): Unauthorized copying of software.

Spamming (450): Spamming is the indiscriminate sending of unsolicited e-mail to many Internet users. Spamming is the favorite tactic of mass-mailers of unsolicited advertisements, or junk e-mail.

System Security Monitor (464): Software that controls access and use of a computer system.

Unauthorized Use (443): The unauthorized use of a computer system is called time and resource theft. A common example is unauthorized use of company-owned computer networks by employees.


VI. REVIEW QUIZ - Match one of the key terms and concepts

Question  Answer  Term
1   26   Security management
2   21   Information security controls
3   29   System security monitor
4   17   Fault tolerant
5   18   Firewall
6   3    Auditing business systems
7   2    Audit trail
8   5    Biometric security
9   12   Disaster recovery
10  13   Encryption
11  16   Ethical foundations
12  6    Business ethics
13  28   Spamming
14  15a  Employment
15  15c  Individuality
16  15b  Health
17  15d  Societal solutions
18  15e  Working conditions
19  8    Computer matching
20  24   Privacy issues
21  9    Computer monitoring
22  11   Denial of service
23  7    Computer crime
24  30   Unauthorized use
25  27   Software piracy
26  22   Intellectual property piracy
27  20   Hacking
28  10   Computer virus
29  1    Antivirus software
30  19   Flaming
31  14   Ergonomics
32  25   Responsible professional


VII. ANSWERS TO DISCUSSION QUESTIONS

1. What can be done to improve the security of business uses of the Internet? Give several examples of security measures, and technologies you would use.

Examples would include:

● Encryption of data – passwords, messages, files, and other data transmitted in scrambled form for authorized users only.

● Firewall computers and software, such as a router or dedicated server along with firewall software, to serve as a gatekeeper system that protects a company’s intranets and other computer networks from intrusion by providing a filter and safe transfer point for access to and from the Internet and other networks.

● Denial of service defenses, such as setting and enforcing security policies at the zombie machines to scan regularly for Trojan Horse programs and vulnerabilities, closing unused ports, and reminding users not to open .exe mail attachments; monitoring and blocking traffic spikes; and creating backup servers and network connections with limited connections to each, installing multiple intrusion-detection systems and multiple routers for incoming traffic to reduce choke points.

● Monitoring of e-mail using content-monitoring software that scans for troublesome words that might compromise corporate security.

● Centralizing the distribution and updating of antivirus software as a responsibility of the IS department.

● Adopting other security measures such as security codes (a multilevel password system), backup files, security monitors, biometric security features, computer failure control procedures and policies, fault tolerant systems, and disaster recovery policies and procedures.

2. What potential security problems do you see in the increasing use of intranets and extranets in business? What might be done to solve such problems? Give several examples.

Students’ answers will vary. However, with the increased business use of intranets and extranets there is no doubt that the number of potential security problems will also increase. Issues such as hacking, data alteration, unauthorized data access, etc. will become prime security problems. As companies forge ahead in e-commerce and e-business activities, the stakes get progressively higher, and the potential threat will also increase.

In order to solve such problems, businesses must continue to exercise caution in areas such as encryption, firewalls, secure Internet sites, security monitoring, disaster recovery plans, and security awareness programs, and the related policies must be implemented and monitored.

3. Refer to the Real World Example about copying CDs in the chapter. Is copying music CDs an ethical practice? Explain.

No – if copyrighted.
Yes – if public domain music.

Explanations would include:

● Copyright infringement, which most courts have deemed illegal.

● Piracy of intellectual property.

● Digitized versions easily captured by computer systems and made available to others for access or download at Internet websites for unauthorized use.

● Peer-to-peer networks of millions of Internet users electronically trading digital versions of copyrighted music stored on their PCs’ hard drives, bringing music to fans royalty-free.


4. What are your major concerns about computer crime and privacy on the Internet? What can you do about it? Explain.

Students’ answers will vary; however, many people are concerned about computer crime and privacy on the Internet. Individuals must express their concern to governments so that proper action can be taken in this regard. The Internet offers very little privacy to an individual. Without your knowing it, cookies are being placed on your machine when you visit websites. Information is continually being gathered about your activities and site visits, and this information is sold to other parties. Individuals can take care when giving out information; they can ask their ISPs not to give out information about them, and they should exercise caution in giving out sensitive information such as charge card numbers, e-mail addresses, postal addresses, etc. Personal data should be carefully guarded, and given out as little as possible, if you have a concern about privacy and crime.

5. What is disaster recovery? How could it be implemented at your school or work?

Disaster recovery consists of methods for ensuring that an organization recovers from natural and human-caused disasters that affect its computer-based operations.

Students’ answers will vary. However, a disaster recovery plan should be developed that specifies which employees will participate in disaster recovery, what their duties will be, what hardware, software, and facilities will be used, and the priority of applications that will be processed. Arrangements with other companies for use of alternative facilities as a disaster recovery site and off-site storage of an organization's databases are also part of an effective recovery effort.

6. Refer to the Real World Case on F-Secure, Microsoft, GM, and Verizon in the chapter. What are the ethical responsibilities of companies and business professionals in helping to curb the spread of computer viruses?

Ethical responsibilities would focus on the following:

● Does the responsibility lie with the software vendors in the industry (Microsoft has a 95% market share) to focus more on making the software more secure and less on developing new products (upgrades) and getting them to the market quickly?

● Does the responsibility lie with the computer users themselves to develop better procedures for frequently updating their computers with the latest security patches to programs and inoculations against new viruses?

7. Is there an ethical crisis in e-business today? What role does information technology play in unethical business practices?

Information technology has made it easier to communicate, work cooperatively, share resources, and make decisions, all electronically. However, IT has also made it possible to engage in ethical as well as unethical practices electronically anywhere in the world. This possibility has resulted in a massive increase in unethical business practices. An ethical crisis is certainly real in today’s e-business, and companies are scrambling to ensure that they are doing all they can to curb this problem.

8. What are several business decisions that you will have to make as a manager that have both an ethical and IT dimension? Give several examples to illustrate your answer.

Managers will be required to face decisions that have both an ethical and an IT dimension. For example, they may decide to implement technology to modernize a manufacturing process while knowing that they will put hundreds of workers out of work. They may also implement systems to monitor their employees while at the same time causing high levels of employee stress, or invading their privacy.

9. Refer to the Real World Case on Geisinger Health Systems and Du Pont in the chapter. What unique security challenges do mobile wireless applications like Geisinger’s Electronic Medical Record system pose for companies? What are several ways these challenges can be met?


Challenges would include:

● Balancing the needs of security with the push for greater access to data.
● Coping with government mandates.
● Planning for possible budget cuts.

Ways to meet the challenges would include:

● Installing databases for different applications on different hardware.

● Requiring patient access to use an electronic token identification in addition to a virtual private network or other encryption method.

● Focusing on the latest intrusion detection systems that provide adequate analysis tools, are compatible with network management software, and have the ability to handle large volumes of data.

10. What would be examples of one positive and one negative effect of the use of e-business technologies in each of the ethical and societal dimensions in Figure 11.2? Explain several of your choices.

Employment: IT has created many new jobs and increased productivity. IT has caused a significant reduction in some types of job opportunities.

Individuality: Computer-based systems can be ergonomically engineered to accommodate human factors. Computer-based systems eliminate the human relationships present in manual systems.

Working Conditions: IT has eliminated some monotonous and obnoxious tasks in the office and the factory that formerly had to be performed by people. Many automated operations relegate people to a “do-nothing” standby role.

Privacy: Caller identification may allow users to identify sales people or prank callers. IT allows supervisors to monitor employees’ private conversations and records.

Computer Crime: IT may be used in law enforcement. IT can be used as a tool in committing crimes.

Health Issues: IT can be used in medical diagnosis. Heavy use of computers may cause health problems like job stress, damaged arm and neck muscles, and eye strain and radiation exposure.

Societal Solutions: IT can be used to solve human and social problems through societal applications such as medical diagnosis, computer-assisted instruction, governmental program planning, environmental quality control, and law enforcement. Computer-based information systems can violate antitrust or international laws and regulations.


VIII. ANSWERS TO ANALYSIS EXERCISES

1. Internet Privacy and Anonymity: An Ethical Dilemma

a. Should there be unrestricted use of software that provides anonymity on the Internet? Why or why not?

Again, this is a subjective question. Unrestricted use of software that provides anonymity on the Internet can be used for both illegal and unethical reasons as well as uses for legal and ethical reasons.

b. If you were able to decide this issue now, how would you decide for yourself? Your company? For Society? Explain the reasons for your decisions.

Various answers are possible. Deciding what is right for the good of all of society should be what is important. Many people will make decisions that fit in with their ethical beliefs and values systems. If these beliefs are strong enough, they are carried over into how they will conduct themselves within their personal life, company employment, and in their society as a whole.


2. Your Internet Job Rights: Three Ethical Scenarios

a. Do you agree with the advice of attorney Mark Grossman in each of the scenarios? Why or why not?

b. What would your advice be? Explain your positions.

c. Identify any ethical philosophies, values or models you may be using in explaining your position in each of the scenarios.

Students’ answers will vary. However, students would be well advised to ensure that they are fully versed in any Internet policies that exist in the workplace. Certainly, when push comes to shove, the courts would favor the company over the individual. Everyone who works knows that the computers and the networks belong to the company they are working for. They also should know that personal surfing of the Internet is classified as service/usage theft, and as such companies have the right to expect that they are paying you to do a job – not to surf the Web and use their resources for personal gain.


3. Social Engineering: Exploiting Security Weaknesses

a. Describe the business problems presented by this exercise.

Information systems are vulnerable to "social engineering." Highly trained, expensive technical resources manage the access control administrative process.

b. Suggest several ways to reduce an organization's exposure to social engineering.

● Improve employee training at all levels and responsibility.

● Protect personnel and process information from outside discovery.

● Allow application or information managers to directly administer access to their own systems without giving these managers the ability to affect any other areas. This would remove the communications link between authorizing manager and systems administrator.

c. Easy to memorize passwords are often easy to guess. Hackers' toolkits include programs that run "dictionary" attacks that attempt to crack a system using thousands of commonly chosen passwords (e.g. "smart1," "smart-one," "smart_one," "smartone," "smartypants," etc) or simply testing every word in the dictionary. On the other hand, difficult to guess passwords may be hard to memorize. Describe how you manage your own passwords. What are the strengths and weaknesses of your own approach?

Students' answers will vary significantly. First of all, students may point out that by describing their personal system, they would be violating one of their own recommendations from the previous answer.

Good Practices:

● Changing passwords frequently

● Using numbers and both upper and lower case letters

● Using fun, nonsense phrases (if password length allows)

● Treating "secret question" answers with the same diligence as any other password

● Writing down your accounts and passwords and securing them under lock and key, or storing them in an encrypted password file

● Using different and unrelated passwords for every application that requires a password

Bad Practices:

● Using short passwords (less than eight characters)

● Using only one or two words (regardless of language)

● Using password sequences rather than creating whole new passwords for systems that require frequent password changes (e.g. "smart1," "smart2," "smart3," "smart4," etc.)

● Sharing your passwords with others

● Sending passwords through e-mail or storing them on an unsecured system

● Failing to change default passwords
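Most of the bad practices in the table can be checked mechanically at the moment a user chooses a password, which is how a system security monitor enforces a password policy rather than relying on memory. The checker below is an added example, not code from the textbook; the dictionary and default-password lists are tiny constructed stand-ins for the real word lists an organization would use, and the function names are assumptions.

```python
import re

# Constructed stand-ins (assumptions): a real deployment would load a full word list
# and the vendor default-password list for its own platforms.
DICTIONARY = {"smart", "one", "pants", "password", "welcome", "summer", "admin"}
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234", "default"}

# Splits "smart2" into base "smart" and trailing number "2".
SEQUENCE_RE = re.compile(r"^(.*?)(\d+)$")


def is_sequence_of(candidate, previous):
    """True when candidate is a previous password with only its trailing number changed
    (the "smart1", "smart2", "smart3" pattern from the table)."""
    a, b = SEQUENCE_RE.match(candidate), SEQUENCE_RE.match(previous)
    if not (a and b):
        return False
    return a.group(1) != "" and a.group(1) == b.group(1) and a.group(2) != b.group(2)


def dictionary_words_only(pw):
    """True when the letters of the password amount to one or two dictionary words,
    whether separated ("smart_one"), joined ("smartone") or decorated with digits ("smart1")."""
    words = re.sub(r"[^a-z]", " ", pw.lower()).split()
    if not words:
        return False
    if len(words) <= 2 and all(w in DICTIONARY for w in words):
        return True
    joined = "".join(words)
    for i in range(1, len(joined)):
        if joined[:i] in DICTIONARY and joined[i:] in DICTIONARY:
            return True
    return joined in DICTIONARY


def check_password(candidate, previous_passwords=(), used_elsewhere=()):
    """Return the list of bad practices the candidate exhibits; an empty list means it passes.
    previous_passwords: this user's password history on this system.
    used_elsewhere: passwords the user has registered on other applications (if known)."""
    findings = []
    if len(candidate) < 8:
        findings.append("short password (less than eight characters)")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)
            and re.search(r"\d", candidate)):
        findings.append("no mix of numbers and upper/lower case letters")
    if dictionary_words_only(candidate):
        findings.append("only one or two dictionary words")
    if any(is_sequence_of(candidate, p) for p in previous_passwords):
        findings.append("sequence of a previous password")
    if candidate in previous_passwords:
        findings.append("reuse of a previous password")
    if candidate.lower() in DEFAULT_PASSWORDS:
        findings.append("unchanged default password")
    if candidate in used_elsewhere:
        findings.append("same password used for another application")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, history in [("smart2", ["smart1"]), ("admin", []),
                        ("smart_one", []), ("Purple-Toaster-Dances-91", [])]:
        print(repr(pw), "->", check_password(pw, previous_passwords=history) or "ok")
```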

d. Prepare an orientation memo to new-hires in your IT department describing "social engineering." Suggest several ways employees can avoid being tricked by hackers.

MEMO

To: All systems administrative employees.

Imposters posing as employees may request accounts, passwords, and other information. Even by giving out employee names or instructions about how to obtain access, you may be helping a hacker gain access to our systems. Our performance ratings and our jobs depend upon keeping our systems secure.

All requests for account changes, passwords, or access changes must come through our normal request process. This process has been designed to ensure that the requestor is who they say they are and that the appropriate managers have approved the request.


If you receive a phone call requesting access, employee names, or information about our security policies and procedures, do not answer these questions over the phone. You may e-mail this information to any employee, but you must use our company's e-mail address. Under no circumstances should you e-mail any information to an outside e-mail address. If the caller claims to not have company e-mail access, then you may e-mail this information to the employee's supervisor. Use our company's directory to determine the correct addressee, use only our company's e-mail addresses, and do not give out the employee names to the caller. The caller should know how to contact their own supervisor, and the supervisor should be able to affirmatively identify his or her own employees.

If you receive a subsequent call from the employee's supervisor rather than a change request through our normal processes, treat this caller in accordance with this memo.


4. Privacy Statements and Spyware

a. Use a search engine to search on "spyware," "spyware removal," "adware," or other related terms. Prepare a one-page summary of your results. Include URLs for on-line sources.

Adware, spyware, and cookies have caused great consternation among many internet users. Students will have no difficulty finding information about how this software is used and how to remove it. Students may be surprised (or shocked) to learn that Kazaa, a popular peer-to-peer file sharing program comes complete with "adware" and will not run if the user removes the adware files.

Description: URL

● Anti-spyware software vendor's overview: http://www.spychecker.com/spyware.html
● Anti-spyware software vendor's overview: http://www.lavasoftusa.com/
● Anti-spyware software vendor's overview: http://www.spywareinfo.com/
● Describes adware: http://whatis.techtarget.com/definition/0,289893,sid9_gci521293,00.html

b. Select three of your favorite websites and print out their privacy policies. What do they share in common? How do they differ?

Students' answers will vary. Consider having students simply highlight the common elements in one color and the unique elements with another color on each printout. Common elements may include liability statements, copyrights, and terms of use. Far fewer websites will comment on cookie use or use of personal information. E-commerce sites will outline how they use customer information. Some of these sites have an opt-out policy whereby users automatically permit use of their data unless they specifically request otherwise. Other sites have an opt-in policy whereby users must specifically express a desire to share all or part of their personal information.

c. Write your own website privacy policy striking a balance between both customer and business needs.

Students' answers will vary. Policies should include statements about:

● data collection and methods
● security (especially of credit information)
● policy prominence/notification
● opt-in/opt-out approaches to gaining customer authorization

Note: a blanket policy favoring only the consumer or only the enterprise fails to embrace the complexities associated with compromise and the issue at hand.


IX. ANSWERS TO REAL WORLD CASES

RWC 1: F-Secure, Microsoft, GM and Verizon: The Business Challenges of Computer Viruses

1. What security measures should companies, business professionals, and consumers take to protect their systems from being damaged by computer worms and viruses?

Discussion points would include:

● Businesses should “get serious” about cyber security.

● Businesses should stop relying on just one outfit – Microsoft – to provide the backbone of the computing and Internet world.

● Businesses need to come up with better procedures for frequently updating their computers with the latest security patches to programs and inoculations against new viruses.

● Businesses should review and update their use of security defenses – encryption of data, use of firewalls, use of denial of service defenses, e-mail monitoring, and focusing attention on the issue of security codes.

2. What is the business and ethical responsibility of Microsoft in helping to prevent the spread of computer viruses? Have they met this responsibility? Why or why not?

Discussion points would include:

Microsoft with a 95% market share has an obligation to ensure that its software is sufficiently hostile to hackers.

Microsoft has an obligation to make more fundamental changes in the way it designs programs – Microsoft has to write better software.

Microsoft and other software companies have placed a high priority on getting products out quickly and loading them with features, rather than attending to security.

Security is the responsibility of the user and not the vendor such as Microsoft.

3. What are several possible reasons why some companies (like GM) were seriously affected by computer viruses, while others (like Verizon) were not?

Reasons would include:

• Undue dependence on Microsoft to provide quality software.
• Some companies such as GM ignored the security issue until it became so big that they could not ignore it any more.
• Some companies watched their bottom line more than watching security trends – a low priority to spend money to provide frequent updates of security patches and inoculations against new viruses.
• Inadequate planning for improving security features of their system.


RWC 2: Geisinger Health Systems and Du Pont: Security Management

1. What is Geisinger Health Systems doing to protect the security of their data resources? Are these measures adequate? Explain your evaluation.

Discussion points would include:

Understanding workflow, assessing risk and educating users are all key components of their security system.

Security needs dictated that the database that powers MyChart be installed on hardware separate from the EMR system.

Evaluating and considering biometric and proximity devices as ways to streamline secure network access.

Requiring caregivers accessing patient information via the Internet to use electronic token identification in addition to a virtual private network or other encryption method.

2. What security measures is Du Pont taking to protect their process control networks? Are these measures adequate? Explain your evaluation.

Discussion points would include:

On all of the critical manufacturing processes, Du Pont Co. is either going to totally isolate the process systems from the business systems by not connecting our networks, or it is going to put in firewalls to control access.

A team comprising three groups of IT staffers, process-control engineers, and manufacturing employees was established to:

o Discern which control devices are critical to manufacturing, safety and continuity of production.
o Identify the assets of each – hardware, data, and software applications – then research relevant vulnerabilities.
o Test fixes and workarounds to see which ones might work for which machines.
o Recognize that precise vulnerabilities differ by environment – a water treatment process differs from vessels under high-temperature and high-pressure conditions.
o Determine how to separate networks and where process-control firewall appliances should go.

3. What are several other steps Geisinger and Du Pont could take to increase the security of their data and network resources? Explain the value of your proposals.

Students' discussion should include the concepts presented in the chapter material and additional considerations they are able to locate on the Internet.


RWC 3: City of Colorado Springs, CO and the Federal Reserve Bank: Creating a Sound Software Patch Management Strategy

1. What types of security problems are typically addressed by a patch management strategy? Why do such problems arise in the first place?

There are three main reasons why these problems arise: errors during the development process, oversights during the development process, and misuse of features that were designed with a different purpose in mind. Vulnerabilities can allow outsiders to:

• Execute commands
• Gain access to company information
• Pose as another entity
• Conduct attacks on the network or use the network as a launching platform
• Hide their activities within the system

2. What challenges does the process of applying software patches and updates pose for many businesses? What are the limitations of the patching process?

Potential challenges may include:

• Variety of platforms, each with its own, incompatible, procedure to handle patches
• Distributed or mobile users for whom enforcing patching may be difficult, or who are without connection for a period of time
• Patches may disrupt operations, or be incompatible with current systems (especially difficult to control for custom-developed ones)

In terms of limitations, even if companies adopt a standardized, routine patching policy, patches themselves are still ad-hoc reactive solutions, and there is always a window of time between when the problem is identified and the patch is produced. During this period organizations are vulnerable to these issues.
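The two windows described above can be measured rather than just discussed. The following is an added example (not code from the instructor's manual, and not from the Colorado Springs or Federal Reserve Bank programs in the case) that reports, for a constructed host inventory, the vendor window between identification of a problem and availability of a patch, which no patching policy can close, and the organization's own window between patch availability and installation, which a patch management strategy can shorten. All host names, product names, versions and dates are constructed; the version-comparison helper is included because comparing version strings lexically is a common source of wrong "already patched" conclusions.

```python
"""Patch-exposure report over a constructed host inventory (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Advisory:
    product: str
    fixed_version: str    # first version that contains the fix
    disclosed: date       # problem publicly identified
    patch_released: date  # vendor patch available


@dataclass
class Host:
    name: str
    product: str
    version: str          # currently installed version
    installed_on: date    # when that version was installed
    criticality: int      # 1 (low) .. 3 (high) business importance
    internet_facing: bool


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare versions numerically: as plain strings "2.4.9" sorts after "2.4.10"."""
    return tuple(int(part) for part in v.split("."))


def needs_patch(host: Host, adv: Advisory) -> bool:
    return (host.product == adv.product
            and parse_version(host.version) < parse_version(adv.fixed_version))


def exposure(host: Host, adv: Advisory, today: date) -> Optional[Dict]:
    """Exposure windows for one host against one advisory; None if it does not apply."""
    if host.product != adv.product:
        return None
    vendor_days = (adv.patch_released - adv.disclosed).days   # unavoidable gap
    if needs_patch(host, adv):
        org_days = (today - adv.patch_released).days           # still open today
        is_open = True
    else:
        # Fixed version is installed: how long after release did that take?
        org_days = max(0, (host.installed_on - adv.patch_released).days)
        is_open = False
    return {"host": host.name, "open": is_open,
            "vendor_days": vendor_days, "org_days": org_days}


def risk_score(host: Host, exp: Dict) -> int:
    """Rank open exposures by total days, asset importance and reachability."""
    if not exp["open"]:
        return 0
    reach = 2 if host.internet_facing else 1
    return (exp["vendor_days"] + exp["org_days"]) * host.criticality * reach


def build_report(hosts: List[Host], advisories: List[Advisory], today: date) -> List[Dict]:
    rows = []
    for host in hosts:
        for adv in advisories:
            exp = exposure(host, adv, today)
            if exp is None:
                continue
            exp["advisory"] = f"{adv.product} < {adv.fixed_version}"
            exp["score"] = risk_score(host, exp)
            rows.append(exp)
    # Highest score first so the IT function works the worst exposure first.
    return sorted(rows, key=lambda r: (-r["score"], r["host"]))


# Constructed inventory: one advisory, four hosts (one on an unaffected product).
ADVISORIES = [Advisory("webserver", "2.4.10", date(2004, 3, 1), date(2004, 3, 15))]
HOSTS = [
    Host("www1", "webserver", "2.4.9", date(2004, 1, 10), 3, True),
    Host("intranet", "webserver", "2.4.9", date(2004, 1, 10), 2, False),
    Host("www2", "webserver", "2.4.10", date(2004, 3, 20), 3, True),
    Host("db1", "database", "9.1", date(2003, 11, 2), 3, False),
]


def sample_report() -> List[Dict]:
    """Report as of a constructed 'today'."""
    return build_report(HOSTS, ADVISORIES, date(2004, 4, 14))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

In the constructed data the vendor window is 14 days for every host; what separates www1 (open for a further 30 days, internet-facing, high criticality) from www2 (closed 5 days after release) is entirely the organization's own lag, which is the part a patch management strategy controls.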

3. Does the business value of a comprehensive patch management strategy outweigh its costs, limitations, and the demands it places on the IT function? Why or why not?

Possible points for discussion might include:

• Patching is a necessity rather than an option, so it has to be done
• Given the state of the art in scanning packages, vulnerabilities are relatively easy to find for outsiders
• The potential damage for just a single occurrence is extremely large
• It is as critical to the security of data resources as any other security practice the organization has in place


RWC 4: Online Resources, Lehman Brothers, and Others: Managing Network Security Systems

1. What is the function of each of the network security tools identified in this case? Visit the websites of security firms Check Point and NetForensics to help you answer.

Discussion points would include:

• Network intrusion-detection systems
• Firewalls
• Anti-virus tools
• Automating the process of gathering, consolidating, correlating and prioritizing data from various segments of the security event management suite.
• Collecting data from individual security systems installed by a business and “normalizing” the data to permit easier and quicker identification of potential attacks to the business and sending out alert messages.

2. What is the value of security information management software to a company? Use the companies in this case as examples.

Discussion points would include:

• Provides a single place where the business can go to get the information needed to manage security.
• Automates the process of gathering, consolidating, and correlating the data into a usable format that can be analyzed and used to establish priorities based upon the severity and the importance of the system that is vulnerable.
• Permits businesses to react faster to activity that indicates an attack.
• Reduces the number of false alerts.
• Allows companies to drill down into the details of an attack and quickly build a composite of events leading up to a security incident.
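The functions listed for question 1 (gathering, normalizing, correlating) and the benefits listed for question 2 (prioritizing by severity and asset importance, fewer false alerts, a composite timeline) can be shown end to end in a few dozen lines. The following is an added example; it is not code from the instructor's manual nor from Check Point, NetForensics or any other vendor product named in the case. The firewall and IDS log formats, IP addresses, sensor names, signatures and asset inventory are all constructed for the example.

```python
"""Minimal security information management pipeline over constructed logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed input: a firewall that writes syslog-style lines and an IDS that
# writes CSV. The two tools disagree on format and on how severity is expressed,
# which is exactly why a SIM product has to normalize before it can correlate.
FIREWALL_LOG = """\
2004-03-15T09:00:01 fw1 DENY src=10.9.8.7 dst=192.168.1.20 dport=445
2004-03-15T09:00:02 fw1 DENY src=10.9.8.7 dst=192.168.1.20 dport=139
2004-03-15T09:00:03 fw1 ALLOW src=10.9.8.7 dst=192.168.1.20 dport=80
2004-03-15T09:45:00 fw1 DENY src=10.1.1.50 dst=192.168.1.30 dport=22
"""
IDS_LOG = """\
2004-03-15 09:00:04,ids1,high,SMB worm propagation attempt,10.9.8.7,192.168.1.20
2004-03-15 13:12:00,ids1,low,ICMP ping sweep,10.1.1.50,192.168.1.30
"""
# Constructed asset inventory: address -> (name, importance 1..3).
ASSETS = {"192.168.1.20": ("file-server", 3), "192.168.1.30": ("test-box", 1)}
# One severity scale for both tools (0 = informational .. 3 = high).
SEVERITY = {"ALLOW": 0, "DENY": 1, "low": 1, "medium": 2, "high": 3}


def parse_firewall(text):
    """Normalize firewall lines into the common event schema."""
    pat = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
    events = []
    for line in text.splitlines():
        m = pat.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        ts, sensor, action, src, dst, dport = m.groups()
        events.append({"time": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "dst": dst, "severity": SEVERITY[action],
                       "summary": f"firewall {action} to port {dport}"})
    return events


def parse_ids(text):
    """Normalize IDS CSV rows into the same schema."""
    events = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) != 6:
            continue
        ts, sensor, sev, sig, src, dst = parts
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "sensor": sensor, "src": src, "dst": dst,
                       "severity": SEVERITY[sev], "summary": f"ids {sig}"})
    return events


def correlate(events, window=timedelta(minutes=5)):
    """Group events by source address; a gap longer than `window` starts a new group."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_src[e["src"]].append(e)
    groups = []
    for evs in by_src.values():
        current = [evs[0]]
        for e in evs[1:]:
            if e["time"] - current[-1]["time"] <= window:
                current.append(e)
            else:
                groups.append(current)
                current = [e]
        groups.append(current)
    return groups


def prioritize(groups, min_events=2):
    """Turn correlated groups into ranked incidents, dropping isolated low-severity noise."""
    incidents = []
    for g in groups:
        max_sev = max(e["severity"] for e in g)
        if len(g) < min_events and max_sev < 3:
            continue  # a single low-severity event on its own is not an alert
        importance = max(ASSETS.get(e["dst"], ("unknown", 1))[1] for e in g)
        sensors = {e["sensor"] for e in g}
        # Corroboration by more than one tool raises the score.
        score = max_sev * importance * len(sensors)
        incidents.append({"src": g[0]["src"], "score": score, "events": len(g),
                          "timeline": [f"{e['time'].isoformat()} {e['sensor']} {e['summary']}"
                                       for e in g]})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def run():
    """Gather from both tools, normalize, correlate, prioritize."""
    return prioritize(correlate(parse_firewall(FIREWALL_LOG) + parse_ids(IDS_LOG)))


if __name__ == "__main__":
    for inc in run():
        print(inc["src"], inc["score"], *inc["timeline"], sep="\n  ")
```

On the constructed input the four events from 10.9.8.7 collapse into one incident whose timeline already reads as the composite the text describes (two denied SMB-related connections, one allowed web connection, then an IDS signature on the same target), while the two isolated events from 10.1.1.50, hours apart and low severity, are suppressed rather than raised as separate alerts.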

3. What can smaller firms who cannot afford the cost of such software do to properly manage and use the information about security from their network security systems? Give several examples.

Discussion points would include:

• Plan for having periodic audits of IT security.
• Review and update regularly the control features related to IT.
• Regularly change passwords allowing access to the system.
• Develop a backup plan and implement it.
• Plan for disaster recovery by developing procedures to be used when a system is attacked.
