McGraw-Hill/Irwin Copyright © 2004, The McGraw-Hill Companies, Inc. All rights reserved.
Chapter 11
Security and Ethical Challenges
Learning Objectives
Identify ethical issues in how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.
Learning Objectives (continued)
Identify types of security management strategies and defenses, and explain how they can be used to ensure the security of e-business applications.
How can business managers and professionals help to lessen the harmful effects and increase the beneficial effects of the use of information technology?
Section I
Security, Ethical, and Societal Challenges
Ethical Responsibility
The use of IT presents major security challenges, poses serious ethical questions, and affects society in significant ways.
IT raises ethical issues in the areas of:
  Crime
  Privacy
  Individuality
  Employment
  Health
  Working conditions
Ethical Responsibility (continued)
But, IT has had beneficial results as well.
So as managers, it is our responsibility to minimize the detrimental effects and optimize the beneficial effects.
Ethical Responsibility (continued)
Business Ethics
  Basic categories of ethical issues
    Employee privacy
    Security of company records
    Workplace safety
Ethical Responsibility (continued)
Theories of corporate social responsibility
  Stockholder theory
    Managers are agents of the stockholders. Their only ethical responsibility is to increase profit without violating the law or engaging in fraud
Ethical Responsibility (continued)
Theories of corporate social responsibility (continued)
  Social Contract Theory
    Companies have ethical responsibilities to all members of society, which allow corporations to exist based on a social contract
Ethical Responsibility (continued)
Theories of corporate social responsibility (continued)
First condition – companies must enhance economic satisfaction of consumers and employees
Second condition – avoid fraudulent practices, show respect for employees as human beings, and avoid practices that systematically worsen the position of any group in society
Ethical Responsibility (continued)
Theories of corporate social responsibility (continued)
  Stakeholder theory
    Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders.
      Stockholders
      Employees
      Customers
      Suppliers
      Local community
Ethical Responsibility (continued)
Theories of corporate social responsibility (continued)
  Sometimes stakeholders are considered to include
    Competitors
    Government agencies and special interest groups
    Future generations
Ethical Responsibility (continued)
Technology Ethics
  Four Principles
    Proportionality
      Good must outweigh any harm or risk
      Must be no alternative that achieves the same or comparable benefits with less harm or risk
Ethical Responsibility (continued)
Technology Ethics (continued)
    Informed consent
      Those affected should understand and accept the risks
    Justice
      Benefits and burdens should be distributed fairly
Ethical Responsibility (continued)
Technology Ethics (continued)
    Minimized Risk
      Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
Ethical Responsibility (continued)
Ethical Guidelines
Ethical Responsibility (continued)
Ethical guidelines (continued)
  Responsible end users
    Act with integrity
    Increase their professional competence
    Set high standards of personal performance
    Accept responsibility for their work
    Advance the health, privacy, and general welfare of the public
Computer Crime
Association of Information Technology Professionals (AITP) definition includes
  The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
  Unauthorized release of information
  Unauthorized copying of software
Computer Crime (continued)
AITP guidelines (continued)
  Denying an end user his/her own hardware, software, data, or network resources
  Using or conspiring to use computer or network resources to illegally obtain info or tangible property
Computer Crime (continued)
Hacking
  The obsessive use of computers, or the unauthorized access and use of networked computer systems
Computer Crime (continued)
Cyber Theft
  Involves unauthorized network entry and the fraudulent alteration of computer databases
Computer Crime (continued)
Unauthorized use at work
  Also called time and resource theft
  May range from doing private consulting or personal finances, to playing video games, to unauthorized use of the Internet on company networks
Computer Crime (continued)
Software Piracy
  Unauthorized copying of software
  Software is intellectual property protected by copyright law and user licensing agreements
Computer Crime (continued)
Piracy of intellectual property
  Other forms of intellectual property covered by copyright laws
    Music
    Videos
    Images
    Articles
    Books
    Other written works
Computer Crime (continued)
Computer viruses and worms
  Virus
    A program that cannot work without being inserted into another program
  Worm
    A distinct program that can run unaided
Privacy Issues
IT makes it technically and economically feasible to collect, store, integrate, interchange, and retrieve data and information quickly and easily.
  Benefit – increases efficiency and effectiveness
  But, may also have a negative effect on an individual’s right to privacy
Privacy Issues (continued)
Examples of important privacy issues
  Accessing private e-mail and computer records & sharing information about individuals gained from their visits to websites and newsgroups
  Always knowing where a person is via mobile and paging services
Privacy Issues (continued)
Examples of important privacy issues (continued)
  Using customer information obtained from many sources to market additional business services
  Collecting personal information to build individual customer profiles
Privacy Issues (continued)
Privacy on the Internet
  Users of the Internet are highly visible and open to violations of privacy
  Unsecured with no real rules
  Cookies capture information about you every time you visit a site
  That information may be sold to third parties
Privacy Issues (continued)
Privacy on the Internet (continued)
  Protect your privacy by
    Encrypting your messages
    Posting to newsgroups through anonymous remailers
    Asking your ISP not to sell your information to mailing list providers and other marketers
    Declining to reveal personal data and interests online
Privacy Issues (continued)
Computer matching
  Computer profiling and matching personal data to that profile
  Mistakes can be a major problem
Privacy Issues (continued)
Privacy laws
  Attempt to enforce the privacy of computer-based files and communications
  Electronic Communications Privacy Act
  Computer Fraud and Abuse Act
Privacy Issues (continued)
Computer Libel and Censorship
  The opposite side of the privacy debate
    Right to know (freedom of information)
    Right to express opinions (freedom of speech)
    Right to publish those opinions (freedom of the press)
  Spamming
  Flaming
Other Challenges
Employment
  New jobs have been created and productivity has increased, yet there has been a significant reduction in some types of jobs as a result of IT.
Other Challenges (continued)
Computer Monitoring
  Concerns workplace privacy
    Monitors individuals, not just work
    Is done continually. May be seen as violating workers’ privacy & personal freedom
    Workers may not know that they are being monitored or how the information is being used
    May increase workers’ stress level
    May rob workers of the dignity of their work
Other Challenges (continued)
Working Conditions
  IT has eliminated many monotonous, obnoxious tasks, but has created others
Other Challenges (continued)
Individuality
  Computer-based systems criticized as impersonal systems that dehumanize and depersonalize activities
  Regimentation
Health Issues
Job stress
Muscle damage
Eye strain
Radiation exposure
Accidents
Some solutions
  Ergonomics (human factors engineering)
    Goal is to design healthy work environments
Health Issues (continued)
Societal Solutions
Beneficial effects on society
  Solve human and social problems
    Medical diagnosis
    Computer-assisted instruction
    Governmental program planning
    Environmental quality control
    Law enforcement
    Crime control
    Job placement
Section II
Security Management
Tools of Security Management
Goal
  Minimize errors, fraud, and losses in the e-business systems that interconnect businesses with their customers, suppliers, and other stakeholders
Tools of Security Management (continued)
Internetworked Security Defenses
Encryption
  Passwords, messages, files, and other data are transmitted in scrambled form and unscrambled for authorized users
  Involves using special mathematical algorithms to transform digital data into scrambled code
  Most widely used method uses a pair of public and private keys unique to each individual
Internetworked Security Defenses (continued)
Firewalls
  Serves as a “gatekeeper” system that protects a company’s intranets and other computer networks from intrusion
  Provides a filter and safe transfer point
  Screens all network traffic for proper passwords or other security codes
Internetworked Security Defenses (continued)
Denial of Service Defenses
  These assaults depend on three layers of networked computer systems
    Victim’s website
    Victim’s ISP
    Sites of “zombie” or slave computers
  Defensive measures and security precautions must be taken at all three levels
Internetworked Security Defenses (continued)
E-mail Monitoring
  “Spot checks just aren’t good enough anymore. The tide is turning toward systematic monitoring of corporate e-mail traffic using content-monitoring software that scans for troublesome words that might compromise corporate security.”
Internetworked Security Defenses (continued)
Virus Defenses
  Protection may be accomplished through
    Centralized distribution and updating of antivirus software
    Outsourcing the virus protection responsibility to ISPs or to telecommunications or security management companies
Other Security Measures
Security codes
  Multilevel password system
    Log onto the computer system
    Gain access into the system
    Access individual files
Other Security Measures (continued)
Backup Files
  Duplicate files of data or programs
  File retention measures
  Sometimes several generations of files are kept for control purposes
Other Security Measures (continued)
Security Monitors
  Programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction
Other Security Measures (continued)
Biometric Security
  Measure physical traits that make each individual unique
    Voice
    Fingerprints
    Hand geometry
    Signature dynamics
    Keystroke analysis
    Retina scanning
    Face recognition and genetic pattern analysis
Other Security Measures (continued)
Computer Failure Controls
  Preventive maintenance of hardware and management of software updates
  Backup computer system
  Carefully scheduled hardware or software changes
  Highly trained data center personnel
Other Security Measures (continued)
Fault Tolerant Systems
  Computer systems that have redundant processors, peripherals, and software
    Fail-over
    Fail-safe
    Fail-soft
Other Security Measures (continued)
Disaster Recovery
  Disaster recovery plan
    Which employees will participate and their duties
    What hardware, software, and facilities will be used
    Priority of applications that will be processed
System Controls and Audits
Information System Controls
  Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
  Designed to monitor and maintain the quality and security of input, processing, and storage activities
System Controls and Audits (continued)
Auditing Business Systems
  Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented
  Testing the integrity of an application’s audit trail
Discussion Questions
What can be done to improve e-commerce security on the Internet?
What potential security problems do you see in the increasing use of intranets and extranets in business? What might be done to solve such problems?
Discussion Questions (continued)
What artificial intelligence techniques can a business use to improve computer security and fight computer crime?
What are your major concerns about computer crime and privacy on the Internet? What can you do about it?
Discussion Questions (continued)
What is disaster recovery? How could it be implemented at your school or work?
Is there an ethical crisis in e-business today? What role does information technology play in unethical business practices?
Discussion Questions (continued)
What business decisions will you have to make as a manager that have both an ethical and IT dimension?
What would be examples of one positive and one negative effect of the use of e-business technologies in each of the ethical and societal dimensions illustrated in the chapter?
Real World Case 1 – MTV Networks & First Citizens Bank
Defending Against Hacker and Virus Attacks
What are the business value and security benefits and limitations of defenses against DDOS attacks like those used by MTV Networks?
Real World Case 1 (continued)
What are the business benefits and limitations of an intrusion-detection system like that installed at First Citizens?
Real World Case 1 (continued)
What security defense should small businesses have to protect their websites and internal systems?
Why did you make that choice?
Real World Case 1 (continued)
What other network security threats besides denial of service, viruses, and hacker attacks should businesses protect themselves against?
Real World Case 2 – Oppenheimer Funds, Cardinal Health, & Exodus
IT Security Management Qualifications
  Technical
  Business
  People skills
  Experience and expertise in areas like government liaison, international regulations, and cyberterrorism
Real World Case 2 (continued)
What mix of skills is most sought after for IT security specialists?
Why is this mix important in business?
Real World Case 2 (continued)
Why must IT security executives in business have the mix of skills and experience outlined in this case?
What other skills do you think are important to have for effective IT security management?
Real World Case 2 (continued)
How should businesses protect themselves from the spread of cyberterrorism in today’s internetworked world?
Real World Case 3 – Brandon Internet Services & PayPal
What are the business benefits and limitations of the cybercrime investigative work done by firms like Brandon Internet Services?
Real World Case 3 (continued)
When should a company use cyberforensic investigative services like those offered by Predictive Systems?
Real World Case 3 (continued)
What is the business value of their cyberforensic and investigative capabilities to PayPal?
Would you trust PayPal for your online payment transactions?
Real World Case 4 – Providence Health Systems & Others
Why is there a growing need for IT security defenses and management in business?
What challenges does this pose to effective IT security management?
Real World Case 4 (continued)
What are some of the IT security defenses companies are using to meet these challenges?
Real World Case 4 (continued)
Do you agree with the IT usage policies of Link Staffing? The security audit policies of Cervalis?
Real World Case 5 – The Doctor’s Co. & Rockland Trust
What are the benefits and limitations for a business of outsourcing IT security management according to the companies in this case?
Real World Case 5 (continued)
What are the benefits and limitations to a business of using “pure play” IT security management companies like Counterpane and Ubizen?
Real World Case 5 (continued)
What are the benefits and limitations of outsourcing IT security management to vendors like Symantec and Network Associates?