11
Security and Ethical Challenges
McGraw-Hill/Irwin
Learning Objectives
Identify
ethical issues in how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.
McGraw-Hill/Irwin
Identify
types of security management strategies and defenses, and explain how they can be used to ensure the security of e-business applications. can business managers and professionals help to lessen the harmful effects and increase the beneficial effects of the use of information technology?
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
How
McGraw-Hill/Irwin
Section I
McGraw-Hill/Irwin
Ethical Responsibility
use of IT presents major security challenges, poses serious ethical questions, and affects society in significant ways. IT raises ethical issues in the areas of.. Crime Privacy Individuality Employment Health Working conditions McGraw-Hill/Irwin
The
But,
So
as managers, it is our responsibility to minimize the detrimental effects and optimize the beneficial effects.
McGraw-Hill/Irwin
Business
Ethics Basic categories of ethical issues Employee privacy Security of company records Workplace safety
McGraw-Hill/Irwin
Theories
of corporate social responsibility Stockholder theory Managers are agents of the stockholders. Their only ethical responsibility is to increase profit without violating the law or engaging in fraud
McGraw-Hill/Irwin
Theories
of corporate social responsibility (continued) Social Contract Theory Companies have ethical responsibilities to all members of society, which allow corporations to exist based on a social contract
McGraw-Hill/Irwin
10
of corporate social responsibility (continued) First condition companies must enhance economic satisfaction of consumers and employees Second condition avoid fraudulent practices, show respect for employees as human beings, and avoid practices that systematically worsen the position of any group in society McGraw-Hill/Irwin
Theories
11
Theories
of corporate social responsibility (continued) Stakeholder theory Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders. Stockholders Employees Customers Suppliers Local community
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
12
Theories
to include Competitors Government agencies and special interest groups Future generations
McGraw-Hill/Irwin
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
13
Technology
Ethics Four Principles Proportionality Good must outweigh any harm or risk Must be no alternative that achieves the same or comparable benefits with less harm or risk
McGraw-Hill/Irwin
14
Technology
Ethics (continued) Informed consent Those affected should understand and accept the risks Justice Benefits and burdens should be distributed fairly
McGraw-Hill/Irwin
15
Technology
Ethics (continued) Minimized Risk Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
McGraw-Hill/Irwin
16
Ethical
Guidelines
McGraw-Hill/Irwin
17
Ethical
guidelines (continued) Responsible end users Act with integrity Increase their professional competence Set high standards of personal performance Accept responsibility for their work Advance the health, privacy, and general welfare of the public
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
18
Computer Crime
Association
of Information Technology Professionals (AITP) definition includes The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources Unauthorized release of information Unauthorized copying of software
McGraw-Hill/Irwin
19
AITP guidelines (continued) Denying an end user his/her own hardware, software, data, or network resources Using or conspiring to use computer or network resources to illegally obtain info or tangible property
McGraw-Hill/Irwin
20
Hacking The
obsessive use of computers, or the unauthorized access and use of networked computer systems
McGraw-Hill/Irwin
21
Cyber
Theft Involves unauthorized network entry and the fraudulent alteration of computer databases
McGraw-Hill/Irwin
22
Unauthorized
use at work Also called time and resource theft May range from doing private consulting or personal finances, to playing video games, to unauthorized use of the Internet on company networks
McGraw-Hill/Irwin
23
Software
Piracy Unauthorized copying of software Software is intellectual property protected by copyright law and user licensing agreements
McGraw-Hill/Irwin
24
of intellectual property Other forms of intellectual property covered by copyright laws Music Videos Images Articles Books Other written works McGraw-Hill/Irwin
Piracy
25
Computer Virus
program that cannot work without being inserted into another program Worm A distinct program that can run unaided
McGraw-Hill/Irwin
26
Privacy Issues
IT
makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily. Benefit increases efficiency and effectiveness But, may also have a negative effect on individuals right to privacy
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
27
Examples
of important privacy issues Accessing private e-mail and computer records & sharing information about individuals gained from their visits to websites and newsgroups Always knowing where a person is via mobile and paging services
McGraw-Hill/Irwin
28
Examples
of important privacy issues (continued) Using customer information obtained from many sources to market additional business services Collecting personal information to build individual customer profiles
McGraw-Hill/Irwin
29
Privacy
on the Internet Users of the Internet are highly visible and open to violations of privacy Unsecured with no real rules Cookies capture information about you every time you visit a site That information may be sold to third parties
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
30
Privacy
on the Internet (continued) Protect your privacy by Encrypting your messages Post to newsgroups through anonymous remailers Ask your ISP not to sell your information to mailing list providers and other marketers Decline to reveal personal data and interests online
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
31
Computer
matching Computer profiling and matching personal data to that profile Mistakes can be a major problem
McGraw-Hill/Irwin
32
Privacy
laws Attempt to enforce the privacy of computerbased files and communications Electronic Communications Privacy Act Computer Fraud and Abuse Act
McGraw-Hill/Irwin
33
Computer
Libel and Censorship The opposite side of the privacy debate Right to know (freedom of information) Right to express opinions (freedom of speech) Right to publish those opinions (freedom of the press) Spamming Flaming
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
34
Other Challenges
Employment New
jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT.
McGraw-Hill/Irwin
35
Computer
Concerns
Monitoring
workplace privacy Monitors individuals, not just work Is done continually. May be seen as violating workers privacy & personal freedom Workers may not know that they are being monitored or how the information is being used May increase workers stress level May rob workers of the dignity of their work
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
36
Working
Conditions IT has eliminated many monotonous, obnoxious tasks, but has created others
McGraw-Hill/Irwin
37
Individuality Computer-based
systems criticized as impersonal systems that dehumanize and depersonalize activities Regimentation
McGraw-Hill/Irwin
38
Health Issues
stress Muscle damage Eye strain Radiation exposure Accidents Some solutions Ergonomics (human factors engineering) Goal is to design healthy work environments McGraw-Hill/Irwin
Job
39
McGraw-Hill/Irwin
40
Societal Solutions
Beneficial
McGraw-Hill/Irwin
effects on society Solve human and social problems Medical diagnosis Computer-assisted instruction Governmental program planning Environmental quality control Law enforcement Crime control Job placement
41
Section II
Security Management
McGraw-Hill/Irwin
42
Goal Minimize
errors, fraud, and losses in the ebusiness systems that interconnect businesses with their customers, suppliers, and other stakeholders
McGraw-Hill/Irwin
43
McGraw-Hill/Irwin
44
messages, files, and other data is transmitted in scrambled form and unscrambled for authorized users Involves using special mathematical algorithms to transform digital data in scrambled code Most widely used method uses a pair of public and private keys unique to each individual McGraw-Hill/Irwin
Passwords,
45
Firewalls Serves
as a gatekeeper system that protects a companys intranets and other computer networks from intrusion Provides a filter and safe transfer point Screens all network traffic for proper passwords or other security codes
McGraw-Hill/Irwin
46
Denial
of Service Defenses These assaults depend on three layers of networked computer systems Victims website Victims ISP Sites of zombie or slave computers Defensive measures and security precautions must be taken at all three levels
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
47
Monitoring Spot checks just arent good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.
McGraw-Hill/Irwin
48
Virus
Defenses Protection may accomplished through Centralized distribution and updating of antivirus software Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
49
codes Multilevel password system Log onto the computer system Gain access into the system Access individual files
McGraw-Hill/Irwin
50
Backup
Files Duplicate files of data or programs File retention measures Sometimes several generations of files are kept for control purposes
McGraw-Hill/Irwin
51
Security
Monitors Programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction
McGraw-Hill/Irwin
52
Biometric
Security Measure physical traits that make each individual unique Voice Fingerprints Hand geometry Signature dynamics Keystroke analysis Retina scanning Face recognition and Genetic pattern analysis
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
53
Computer
Failure Controls Preventive maintenance of hardware and management of software updates Backup computer system Carefully scheduled hardware or software changes Highly trained data center personnel
McGraw-Hill/Irwin
54
Fault
Tolerant Systems Computer systems that have redundant processors, peripherals, and software Fail-over Fail-safe Fail-soft
McGraw-Hill/Irwin
55
Disaster
Recovery Disaster recovery plan Which employees will participate and their duties What hardware, software, and facilities will be used Priority of applications that will be processed
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
56
System Controls Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities Designed to monitor and maintain the quality and security of input, processing, and storage activities
McGraw-Hill/Irwin
57
Auditing
Business Systems Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented Testing the integrity of an applications audit trail
McGraw-Hill/Irwin
58
Discussion Questions
What
can be done to improve e-commerce security on the Internet? potential security problems do you see in the increasing use of intranets and extranets in business? What might be done to solve such problems?
What
McGraw-Hill/Irwin
59
What
artificial intelligence techniques can a business use to improve computer security and fight computer crime?
What
are your major concerns about computer crime and privacy on the Internet? What can you do about it?
McGraw-Hill/Irwin
60
What
is disaster recovery? How could it be implemented at your school or work? there an ethical crisis in e-business today? What role does information technology play in unethical business practices?
Is
McGraw-Hill/Irwin
61
What
business decisions will you have to make as a manager that have both an ethical and IT dimension?
What
would be examples of one positive and one negative effect of the use of e-business technologies in each of the ethical and societal dimensions illustrated in the chapter?
Copyright 2004, The McGraw-Hill Companies, Inc. All rights reserved.
McGraw-Hill/Irwin
62
Defending
What
are the business value and security benefits and limitations of defenses against DDOS attacks like those used by MTV Networks?
McGraw-Hill/Irwin
63
What
are the business benefits and limitations of an intrusion-detection system like that installed at First Citizens?
McGraw-Hill/Irwin
64
What
security defense should small businesses have to protect their websites and internal systems?
did you make that choice?
Why
McGraw-Hill/Irwin
65
What
other network security threats besides denial of service, viruses, and hacker attacks should businesses protect themselves against?
McGraw-Hill/Irwin
66
Security Management Qualifications Technical Business People skills Experience and expertise in areas like government liaison, international regulations, and cyberterrorism
McGraw-Hill/Irwin
67
What
mix of skills is most sought after for IT security specialists? is this mix important in business?
Why
McGraw-Hill/Irwin
68
Why
must IT security executives in business have the mix of skills and experience outlined in this case?
other skills do you think are important to have for effective IT security management?
What
McGraw-Hill/Irwin
69
How
should businesses protect themselves from the spread of cyberterrorism in todays internetworked world?
McGraw-Hill/Irwin
70
What
are the business benefits and limitations of the cybercrime investigative work done by firms like Brandon Internet Services?
McGraw-Hill/Irwin
71
When
should a company use cyberforensic investigative services like those offered by Predictive Systems?
McGraw-Hill/Irwin
72
What
Would
McGraw-Hill/Irwin
73
Why
is there a growing need for IT security defenses and management in business? challenges does this pose to effective IT security management?
What
McGraw-Hill/Irwin
74
What
are some of the IT security defenses companies are using to meet these challenges?
McGraw-Hill/Irwin
75
Do
you agree with the IT usage policies of Link Staffing? The security audit policies of Cervalis?
McGraw-Hill/Irwin
76
What
are the benefits and limitations for a business of outsourcing IT security management according to the companies in this case?
McGraw-Hill/Irwin
77
What
are the benefits and limitations to a business of using pure play IT security management companies like Counterpane and Ubizen?
McGraw-Hill/Irwin
78
What
are the benefits and limitations of outsourcing IT security management to vendors like Symantec and Network Associates?
McGraw-Hill/Irwin