Managing and Using Information Systems: A Strategic Approach – Fifth Edition Using Information Ethically Keri Pearlson and Carol Saunders Chapter 12

Managing and Using Information Systems: A Strategic Approach – Fifth Edition

Using Information Ethically

Keri Pearlson and Carol Saunders

Chapter 12

Pearlson and Saunders – 5th Ed. – Chapter 12

(c) 2013 John Wiley & Sons, Inc. 12-2

Learning Objectives

• Understand how ethics should be framed in the context of business practices and the challenges surrounding these issues.

• Define and describe the three normative theories of business ethics.

• List and define PAPA and why it is important.

• Identify the issues related to the ethical governance of IS.

• Understand organizations’ security issues and how organizations are bolstering security.

• Describe how security can be best enacted.

• Define the Sarbanes-Oxley Act and the COBIT framework.

Real World Example

• TJX Co. experienced the largest computer system security breach in the history of retailing.

• As many as 94 million customers were affected.

• TJX had to decide between notifying their customers immediately or waiting the 45 days allowed by the jurisdictions.
  o If they waited, their customers might be further compromised by the breach.
  o If they notified them immediately, they might lose customer confidence and face punishment from Wall Street.

Responsible Computing

• Companies encounter ethical dilemmas as they try to use their IS to create and exploit competitive advantages.
  o They occur when there is no one clear way to deal with the ethical issue.

• Managers:
  o must assess initiatives from an ethical view.
  o are used to the overriding ethical norms present in their traditional businesses.
  o need to translate their current ethical norms into terms meaningful for the new electronic corporation in the information age.

• Information ethics are the “ethical issues associated with the development and application of information technologies.” (Martinsons and Ma)

Stockholder Theory

• Stockholders advance capital to corporate managers, who act as agents in advancing the stockholders’ ends.
  o Managers are bound to the interests of the shareholders (i.e., maximizing shareholder value).
  o As Milton Friedman said:
    • “There is one and only one social responsibility of business: to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition, without deception or fraud.”

• Stockholder theory says the manager’s duties are to:
  o employ others by legal, non-fraudulent means.
  o take a long view of shareholder interest (i.e. forego short-term gains in favor of long-term value).

Stockholder Theory (Cont.)

• The stockholder theory provides a limited framework for moral argument.
  o It assumes the free market has the ability to fully promote the interests of society at large.
  o The singular pursuit of profit on the part of individuals or corporations does not maximize social welfare.
  o Free markets can lead to monopolies and other circumstances that limit society members’ abilities to secure the common good.

Stakeholder Theory

• Stakeholder theory states:
  o Managers are entrusted with a responsibility—fiduciary or otherwise—to all those who hold a stake in or a claim on the firm.
  o Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.

• Stakeholders are:
  o any group that vitally affects the corporation’s survival and success.
  o any group whose interests the corporation vitally affects.
  o stockholders, customers, employees, suppliers, and the local community.
    • Other groups may also be considered stakeholders depending on the circumstances.

Stakeholder Theory (Cont.)

• Stakeholders can stop participating if they feel that their interests haven't been considered by management.
  o Examples include:
    • Customers can stop buying the company’s products.
    • Stockholders can sell their stock.
    • Employees may need to continue working for the corporation even though they dislike practices of their employers or experience considerable stress due to their jobs.

Social Contract Theory

• Social contract theory places social responsibilities on corporate managers to consider the needs of a society.
  o What conditions would have to be met for the members of a society to agree to allow a corporation to be formed?
  o Corporations are expected to add more value to society than they consume.

• The social contract has two components:
  o Social welfare.
    • Corporations must provide greater benefits than their associated costs, or society would not allow their creation.
    • Managers are obligated to pursue profits in ways that are compatible with the well-being of society as a whole.
  o Justice.
    • Corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.

Social Contract Theory (Cont.)

• In the absence of a real contract whose terms subordinate profit maximization to social welfare, most critics find it hard to imagine corporations losing profitability in the name of altruism.

• The three normative theories of business ethics offer useful metrics for defining ethical behavior in profit-seeking enterprises under free market conditions (Figure 12.1).
  o The three theories are represented by concentric circles.
    • Stockholder theory is the narrowest in scope and is in the center circle.
    • Stakeholder theory encompasses stockholder theory and expands on it.
    • Social contract theory covers the broadest area and is in the outer ring.

Figure 12.1 Three normative theories of business ethics.

| Theory | Definition | Metrics |
| --- | --- | --- |
| Stockholder | Maximize stockholder wealth in legal and non-fraudulent manners. | Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws? |
| Stakeholder | Maximize benefits to all stakeholders while weighing costs to competing interests. | Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly? |
| Social contract | Create value for society in a manner that is just and nondiscriminatory. | Does this action create a “net” benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just? |

Corporate Social Responsibility

• The application of social contract theory helps companies adopt a broader perspective.

• A “big picture” view considers two types of corporate social responsibility:
  o Green computing.
    • Green computing is a new way of doing business.
  o Ethical dilemmas with governments.
    • More and more corporations are facing ethical dilemmas in our flattening world.

Green Computing

• Gartner put green computing at the top of the list of upcoming strategic technologies.

• Green computing is:
  o concerned with using computing resources efficiently.
  o needed due to increasing energy demands to run IT infrastructure.
    • The 5 largest search companies use more power than what is generated by Hoover Dam.

• Companies are working to adopt more socially responsible approaches to energy consumption by:
  o replacing older systems with more energy-efficient ones.
  o moving workloads based on energy efficiency.
  o using most power-inefficient servers only at peak usage times.
  o improving data center air flows.
  o turning to cloud computing and virtualization.

• By reducing our total energy consumption, we can be both sustainable and profitable.

Green Computing (Cont.)

• Green programs can have a triple bottom line (TBL)—economic, environmental, and social.
  o Green programs create economic value while being socially responsible and sustaining the environment.
  o A triple bottom line is also known as “3BL” or “People, Planet, Profit.”

• A social contract theory perspective:
  o Managers benefit society by conserving global resources when they make green, energy-related decisions about their computer operations.

• A stockholder theory perspective:
  o Energy-efficient computers reduce:
    • the direct costs of running the computing-related infrastructure.
    • the costs of complementary utilities such as cooling systems for the infrastructure components.

Ethical Tensions with Governments

• Organizations also face dilemmas reconciling their corporate policies with regulations in countries where they want to operate.

• “Managers may need to adopt much different approaches across nationalities to counter the effects of what they perceive as unethical behaviors.” (Leidner and Kayworth)
  o Research in Motion (RIM) was threatened by the United Arab Emirates government.
  o Censorship posed an ethical dilemma for Google.

PAPA: Privacy, Accuracy, Property, and Accessibility

• In an economy that is rapidly becoming dominated by knowledge workers, the value of information is tremendous.

• Collecting and storing information is becoming easier and more cost-effective.

• Richard O. Mason identified areas of information ethics in which the control of information is crucial; these are summarized by the acronym PAPA (Figure 12.2).
  o privacy
  o accuracy
  o property
  o accessibility

Figure 12.2 Mason’s areas of managerial control.

| Area | Critical Questions |
| --- | --- |
| Privacy | What information must a person reveal about oneself to others? What information should others be able to access about you–with or without your permission? What safeguards exist for your protection? |
| Accuracy | Who is responsible for the reliability and accuracy of information? Who will be accountable for errors? |
| Property | Who owns information? Who owns the channels of distribution, and how should they be regulated? |
| Accessibility | What information does a person or an organization have a right to obtain? Under what conditions? With what safeguards? |

Privacy

• Privacy has long been considered:
  o “the right to be left alone.” (Warren and Brandeis)
  o “protections from intrusion and information gathering by others.” (Stone et al.)

• Individuals have control to manage their privacy through choice, consent, and correction.
  o Choice:
    • Individuals can select the desired level of access to their information, ranging from “total privacy to unabashed publicity.” (Tavani and Moore)
  o Consent:
    • Individuals may exert control when they manage their privacy through consent.
      – They can grant access to otherwise restricted information.
  o Control:
    • Individuals have control in managing their privacy through the ability to access their personal information.
      – They can correct errors and update their information.

Privacy (Cont.)

• The tension between the proper use of personal information and information privacy is a serious ethical debate.
  o Surveillance of employees (e.g. monitoring e-mail and computer utilization) challenges privacy.
  o Individuals’ surfing behaviors are traced via cookies, beacons, flash cookies, and supercookies.
    • A cookie is a text message given to a web browser by a web server.
    • Using cookies to gather information was ruled as legal by U.S. courts.
  o Websites are used to create rich databases of consumer profiles that can be sold.
  o Managers must be aware of regulations that are in place regarding the authorized collection, disclosure, and use of personal information.

The Right for Privacy

• Courts have decided that customers do not have a right to privacy while searching the Internet.
  o This includes monitoring phone usage, location, e-mailing behaviors, and a myriad of other behaviors.
  o Customers give up privacy because:
    • they can receive personalized services in return.
    • they receive payment for the information at a price that exceeds what they are giving up.
    • they see providing information as something that everybody is doing (e.g. Facebook pages).

• What is posted on the web is there forever.
  o It may be fun to share it now, but there could be potential unintended consequences in the future.

Privacy Legislation: United States

• U.S. privacy legislation relies on a mix of legislation, regulation, and self-regulation.
  o Privacy legislation is based on a legal tradition with a strong emphasis on free trade.

• The 1974 Privacy Act regulates the U.S. government’s collection and use of personal information.

• The 1998 Children’s Online Privacy Protection Act regulates the online collection and use of children’s personal information.

• The Gramm–Leach–Bliley Act of 1999 applies to financial institutions selling sensitive information—including account information, Social Security numbers, credit card purchase histories, and so forth—to telemarketing companies.
  o The act allows the customer to opt-out, or specifically tell the institution that his or her personal information cannot be used or distributed.

Additional Privacy Legislation

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996 safeguards the electronic exchange of privacy and information security in the health care industry.

• The Fair Credit Reporting Act limits the use of consumer reports provided by consumer reporting agencies to “permissible purposes” and grants individuals the right to access their reports and correct errors in them.

• The European Union differs from the U.S. by relying on:
  o omnibus legislation that requires creation of government data protection agencies.
  o registration of databases with those agencies.
  o prior approval before processing personal data in some cases.

U.S. and European Legislation

• U.S. companies were concerned that they would be unable to meet the European “adequacy” standard for privacy protection specified in the European Commission’s Directive.
  o Directive 95/46/EC on Data Protection:
    • was established in 1998.
    • sets standards for the collection, storage, and processing of personal information.
    • prohibits the transfer of personal data to non-European Union nations that do not meet the European privacy standards.

• The U.S. Department of Commerce (DOC) developed a “safe harbor” framework in 2000 that:
  o allows U.S. companies to be placed on a list maintained by the DOC.
  o requires companies to demonstrate through a self-certification process that they are enforcing privacy at a level practiced in the European Union.

Accuracy

• The accuracy, or the correctness of information, dominates in corporate record-keeping activities.
  o Accuracy requires better controls over the bank’s internal processes.
  o Risks can be attributed to inaccurate information retained in corporate systems.

• Managers must establish controls to ensure that information is accurate.
  o Data entry errors must be controlled and managed carefully.
  o Data must be accurate and up-to-date (i.e., addresses and phone numbers).

• The European Union Directive on Data Protection:
  o requires accurate and up-to-date data.
  o makes sure that data is kept no longer than necessary to fulfill its stated purpose.

Property

• Vast amounts of data about clients are collected and stored.
  o Data is:
    • shared with others.
    • used to create a more accurate profile of clients.
    • stored in a data warehouse.
    • “mined” to create a profile for something completely different.

• Who owns the data and has rights to it?

• Who owns the images that are posted in cyberspace?

• Managers must understand the legal rights and duties accorded to proper ownership.

• Information, which is costly to produce in the first place, can be easily reproduced and sold without the individual who produced it even knowing what is happening or being reimbursed for its use (Mason).

Accessibility

• Accessibility, or the ability to obtain data, has become paramount.
  o Users must gain:
    • the physical ability to access online information resources, or computational systems.
    • access to information itself.

• Managers’ challenges include:
  o deciding how to create and maintain access to information for society at large.
  o avoiding harming individuals who have provided the information.
  o ensuring access to information about employees and customers is restricted.
  o actively ensuring that adequate security and control measures are in place.
  o ensuring adequate safeguards in the companies of their key trading partners.
  o avoiding a surge in identity theft incidents—both true name and account takeover.

A Manager’s Role in Ethical Information Control

• Managers must work to:
  o implement controls over information highlighted by the PAPA principles.
  o deter identity theft by limiting inappropriate access to customer information.
  o respect the customers’ privacy.
  o implement the following best practices:
    • Create a culture of moral responsibility.
      – Top-level executives should promote responsibility for protecting both personal information and the organization’s IS.
      – Internet companies should post their policies.
    • Implement governance processes for information control.
      – COBIT and ITIL can help identify risks.
    • Avoid decoupling.

Security and Controls

• The PAPA principles work hand in hand with security.

• Organizations appear to rely on luck rather than on proven IS controls.

• Emphasis is placed on using technology to protect organizational data from unauthorized hackers and undesirable viruses.
  o E.g., antivirus countermeasures, spam-filtering software, intrusion detection systems.

• Managers and IT staff must go to great lengths to protect the organization’s computers and infrastructure from unauthorized access or external threats such as:
  o hackers who seek to enter a computer for sport or for malicious intent.
  o telecommunications failures.
  o service provider failures.
  o spamming.
  o distributed denial of service (DDoS) attacks.

Security and Controls (Cont.)

• Inside threats to security include:
  • current and former employees seeking to sabotage the IS infrastructure and integrity of data.
  • unintentional human error or operational errors.
  • hardware or software failure.
  • natural disasters.

• Figure 12.3 summarizes three types of tools employed to manage the security and control: firewalls, passwords, and filtering tools.

• Additional technological approaches to security and privacy may include a combination of software and hardware (e.g., fingerprint-based biometric).

| Security Category | Security Tools | Definition |
| --- | --- | --- |
| Hardware system security and controls | Firewalls | A computer set up with both an internal network card and an external network card. This computer is set up to control access to the internal network and only lets authorized traffic pass the barrier. |
| | Encryption and decryption | Cryptography or secure writing ensures that information is transformed into unintelligible forms before transmission and intelligible forms when it arrives at its destination to protect the informational content of messages. |
| | Anonymizing tools and pseudonym agents | Tools that enable the user to navigate the Internet either anonymously or pseudonymously to protect the identity of individuals. |
| Network and software security controls | Network operating system software | The core set of programs that manage the resources of the computer or network often have functionality such as authentication, access control, and cryptology. |
| | Security information management | A management scheme to synchronize all mechanisms and protocols built into network and computer operating systems and protect the systems from unauthorized access. |
| | Server and browser software | Mechanisms to ensure that errors in programming do not create holes or trapdoors that can compromise websites. |

Figure 12.3 Security and control tools.

| Security Category | Security Tools | Definition |
| --- | --- | --- |
| Broadcast medium security and controls | Labeling and rating software | The software industry incorporates Platform for Internet Content Selection (PICS) technology, a mechanism of labeling web pages based on content. These labels can be used by filtering software to manage access. Also includes online privacy seal programs, such as TRUSTe, that inform users of online vendors’ privacy policies and ensure that policies are backed and enforced by reputable third parties. |
| | Filtering/blocking software | Software that rates documents and web sites that have been rated and contain content on a designated filter’s “black list” and keeps them from being displayed on the user’s computer. |

Figure 12.3 (Cont.)

Approaches to Reduce Threats

• Efforts to reduce threats include:
  o top management support.
  o training and awareness programs for employees, customers, and other stakeholders.
  o development of security procedures and policies.
  o frequent security audits.
  o risk management programs.

Chapter 12 - Key Terms

Accessibility (p. 365) - the ability to obtain the data.

Accuracy (p. 364) - the correctness of information; assumes real importance for society as computers come to dominate in corporate record-keeping activities.

Cookie (p. 361) - a text message given to a web browser by a web server.

Green computing (p. 357) - concerned with using computing resources efficiently.

Identity theft (p. 366) - crime in which the thief uses the victim’s personal information—such as driver’s license number or Social Security number—to impersonate the victim.

Chapter 12 - Key Terms (Cont.)

Information ethics (p. 352) - the “ethical issues associated with the development and application of information technologies.” (Martinsons and Ma)

Privacy (p. 359) - “the right to be left alone.” (Warren and Brandeis)

Property (p. 365) - who owns the data.

Social contract theory (p. 354) - places social responsibilities on corporate managers to consider the needs of a society.

Stakeholder theory (p. 352) - managers, although bound by their relation to stockholders, are entrusted also with a responsibility—fiduciary or otherwise—to all those who hold a stake in or a claim on the firm.

Stockholder theory (p. 353) - stockholders advance capital to corporate managers, who act as agents in furthering the stockholders’ ends.

Copyright 2013 John Wiley & Sons, Inc.

All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.