
Ethics – Refers to the principles of right and wrong that individuals, acting as free moral agents, use to make choices to guide their behaviours.

Code of Ethics – Is a collection of principles that is intended to guide decision making by members of the organization.

Fundamental Tenets of Ethics
1. Responsibility – means that you accept the consequences of your decisions and actions.
2. Accountability – refers to determining who is responsible for actions that were taken.
3. Liability – is a legal concept that gives individuals the right to recover the damages done to them by individuals, organizations, or systems.

Four General Categories of Ethical Issues
1. Privacy Issues – involve collecting, storing, and disseminating information about individuals.
2. Accuracy Issues – involve the authenticity, fidelity, and accuracy of information that is collected and processed.
3. Property Issues – involve the ownership and value of information.
4. Accessibility Issues – revolve around who should have access to information and whether they should have to pay for this access.

Threats to Information Security
1. Interconnected, interdependent, wirelessly networked business environment.
   a. Trusted networks – in general, any network within your organization.
   b. Untrusted networks – in general, any network external to your organization.
   c. Wireless technology – enables employees to compute, communicate, and access the internet anytime and anywhere.
2. Government legislation – dictates that many types of information must be protected by law.
3. Smaller, faster, cheaper computers and storage devices – make it easier to steal or lose a computer or a storage device that contains huge amounts of sensitive information.
4. Decreasing skills necessary to be a computer hacker – the reason is that the internet contains information and computer programs called scripts that users with few skills can download and use to attack any information system connected to the internet.
5. International organized crime taking over cyber-crime.
   a. Cyber-crime – refers to illegal activities conducted over computer networks, particularly the internet.
6. Downstream liability – liability linked to an attack by a perpetrator coming from a downstream company.
7. Increased employee use of unmanaged devices – devices that are outside the control of an organization's IT department. These devices include:
   a. customers' computers
   b. business partners' mobile devices
   c. computers in the business centers of hotels
8. Lack of management support – for the entire organization to take security policies and procedures seriously, senior managers must set the tone.

Threat – is any danger to which a system may be exposed.
Exposure – is any harm, loss, or damage that can result if a threat compromises the information resources.
System vulnerability – is the possibility that the system will suffer harm from a threat.
Risk – is the likelihood that a threat will occur.
Information system controls – are the procedures, devices, or software aimed at preventing compromise to the system.

SECURITY THREATS

A. Threats from the Outside
1. Internet
   o Malware (viruses, worms, etc.)
   o Denial of service
   o Unauthorized users (hackers, crackers)
2. Natural Disasters
   o Floods
   o Storms
3. Man-made Disasters
   o Fire
   o Power outages
   o Other accidents

B. Threats from the Inside
1. Employees
   a. Application Programmer
      o Programming of applications to function contrary to the specifications
   b. Systems Programmer
      o Bypassing security mechanisms
      o Disabling security mechanisms
      o Installing non-secure systems
   c. Operators
      o Duplication of confidential reports and files
      o Initializing non-secure systems
      o Theft of confidential files
   d. Users
      o Data entry errors
      o Weak passwords
      o Lack of training
2. System Software
   o Failure of protection mechanisms
   o Information leakage
   o Installed unauthorized software
3. Other Insiders (consultants, contract labor, janitors)
   o Unauthorized access
   o Theft
   o Copying
4. Hardware Threats
   a. Terminals – located in non-secure environments.
   b. PCs
      i. Fraudulent identification
      ii. Illegal leakage of authorized information
      iii. Viruses, worms, and other malware
      iv. Physical theft
   c. Databases
      i. Unauthorized access
      ii. Copying
      iii. Theft

C. Threats to Information Systems

A. Unintentional Acts – acts with no malicious intent.
1. Human Error – mistakes by employees due to carelessness or lack of awareness concerning information security.
   Categories of human errors:
   1. Regular employees
      a. The higher the level of the employee, the greater the threat the employee poses to information security.
      b. Human resources and information systems employees, due to their access to personnel files and sensitive organizational data; they often have the control and the means to create, store, transmit, and modify that data.
   2. Contract labor, consultants, janitors and guards.
2. Deviations in the Quality of Service by Service Providers – consists of situations in which a product or a service is not delivered to the organization as expected.
3. Environmental Hazards – include dirt, dust, humidity, and static electricity.

Examples of Unintentional Human Error
1. Tailgating
2. Shoulder surfing
3. Carelessness with laptops
4. Carelessness with portable devices
5. Opening questionable e-mails
6. Careless Internet surfing
7. Poor password selection and use
8. Carelessness with one's office
9. Carelessness using unmanaged devices
10. Carelessness with discarded equipment

B. Natural Disasters – Acts of God.
1. Earthquakes
2. Floods
3. Hurricanes
4. Tornadoes
5. Lightning
6. And some cases of fire.

C. Technical Failures – include problems in hardware and software.

D. Management Failure – involves a lack of funding for information security efforts and a lack of interest in those efforts.

Examples of Deliberate Human Error
1. Social Engineering – is an attack in which the perpetrator uses social skills to trick or manipulate a legitimate employee into providing company information such as passwords.
2. Reverse Social Engineering – the employees approach the attacker. For example, the attacker gains employment at a company and, in informal conversations with his co-workers while he is helping them, loads Trojan horses on their computers that e-mail him their passwords and information about their machines.
3. Social Data Mining – also called buddy mining, occurs when attackers seek to learn who knows whom in an organization and how.

E. Deliberate Acts – acts by organizational employees (i.e., insiders) account for a large number of information security breaches.
Examples of deliberate acts:
1. Espionage or Trespass – occurs when an unauthorized individual attempts to gain illegal access to organizational information.
2. Information Extortion – occurs when an attacker either threatens to steal or actually steals information from a company.
3. Sabotage or Vandalism – deliberate acts that involve defacing an organization's web site, possibly causing the organization to lose its image and experience a loss of confidence by its customers.
4. Theft of Equipment or Information – computing devices and storage devices are becoming smaller yet more powerful, with vastly increased storage.
5. Identity Theft – the deliberate assumption of another person's identity, usually to gain access to their financial information or to frame them for a crime.
   Techniques for obtaining information include:
   1. Stealing mail or dumpster diving
   2. Stealing personal information from computer databases
   3. Infiltrating organizations that store large amounts of personal information
   4. Impersonating a trusted organization in an electronic communication (phishing)
6. Compromises to Intellectual Property – a vital issue for people who make their livelihood in knowledge fields.
   Intellectual Property – property created by individuals or corporations that is protected under trade secret, patent and copyright laws.
   Trade secret – an intellectual work, such as a business plan, that is a company secret and not based on public information. An example is a corporate strategic plan.
   Patent – a document that grants the holder exclusive rights on an invention or process for 20 years.
   Copyright – a statutory grant that provides the creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
   Piracy – copying a software program without making payment to the owner (including giving a disc to a friend to install on a computer) is a copyright violation.
7. Software Attacks – malicious software that tries to infect as many computers worldwide as possible.
   1. Virus – segment of computer code that performs malicious actions by attaching to another computer program.
   2. Worm – segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).
   3. Trojan horse – programs that hide in other computer programs and reveal their designed behaviour only when they are activated.
   4. Back door – typically a password, known only to the attacker, that allows him to access a computer system at will, without having to go through any security procedures (also called a trap door).
   5. Blended attack – an attack using several delivery methods (e.g. e-mail and Web) that combines multiple components, such as phishing, spam, worms, and Trojans, in one attack.
   6. Logic bomb – segment of computer code that is embedded within an organization's existing computer programs and is designed to activate and perform a destructive action at a certain time and date.
   7. Password Attack
      a. Dictionary Attack – tries the combinations of letters and numbers that are most likely to succeed, such as all words from a dictionary.
      b. Brute Force Attack – uses massive computing resources to try every possible combination of password options to uncover a password.
   8. Denial-of-Service attack – the attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to function).
   9. Distributed Denial-of-Service attack – an attacker first takes over many computers, typically by using malicious software. These computers are called zombies or bots. The attacker uses these bots (which form a botnet) to deliver a coordinated stream of information to a target computer, causing it to crash.
   10. Phishing attack – uses deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
   11. Spear Phishing attack – targets large groups of people; in spear phishing attacks, the perpetrators find out as much information about individuals as possible to improve their chances that phishing techniques will be able to obtain sensitive personal information.
   12. Zero-day attack – takes advantage of a newly discovered, previously unknown vulnerability in a software product. Perpetrators attack the vulnerability before the software vendor can prepare a patch for it.
8. Alien Software – clandestine software that is installed on your computer through duplicitous methods; sometimes called pestware.
   Different types of alien software:
   1. Adware – software that is designed to make pop-up advertisements appear on your screen.
   2. Spyware – software that collects personal information about users without their consent.
      a. Keystroke loggers (keyloggers) – record your keystrokes and your Internet Web browsing history.
      b. Screen scrapers – software that records a continuous "movie" of a screen's contents rather than simply keystrokes.
   3. Spamware – designed to use your computer as a launchpad for spammers.
      Spam – unsolicited e-mail, usually for the purpose of advertising products and services.
   4. Cookies – small amounts of information that web sites store on your computer, temporarily or more or less permanently.
      Tracking cookies – can be used to track your path through a website, the time you spend there, what links you click on, and other details that the company wants to record, usually for marketing purposes.
      Note: cookies are also necessary if you want to shop online, because they are used for your shopping carts at various online merchants.
9. Supervisory Control and Data Acquisition (SCADA) attacks – SCADA systems are used to monitor or control chemical, physical, or transport processes such as oil refineries, water and sewage treatment plants, electrical generators, and nuclear power plants.
10. Cyber-terrorism and Cyber-warfare – attackers use a target's computer systems, particularly via the internet, to cause physical, real-world harm or severe disruption, usually to carry out a political agenda.
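The notes distinguish cookies stored "temporarily" from those stored "more or less permanently", and the shopping-cart note shows that not every cookie is a tracking cookie. The following added example (not from the original notes) makes that distinction mechanical: it parses Set-Cookie headers, classifies each cookie as session or persistent by its Max-Age or Expires attribute, and additionally flags cookies set by a host other than the site being visited, which goes slightly beyond the notes as the usual sign of a third-party tracker. The host names, header values and the fixed reference time are constructed.

```python
"""Added example (not part of the original notes): classify Set-Cookie headers
by lifetime (session vs. persistent) and by whether they come from a host other
than the site the user is visiting. All hosts, headers and the reference time
below are constructed sample data."""
from datetime import datetime, timezone

# Constructed sample: (host that sent the response, raw Set-Cookie header value).
SAMPLE_RESPONSES = [
    ("shop.example", "sessionid=abc123; Path=/; HttpOnly; Secure"),
    ("shop.example", "cart=item42; Max-Age=604800; Path=/"),
    ("ads-tracker.example",
     "_trk=9f8e7d; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/; SameSite=None; Secure"),
]

# Fixed reference time so the example is reproducible offline.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val}).
    Attribute names are lower-cased; valueless flags such as HttpOnly map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value.strip(), attrs


def lifetime_days(attrs, now=NOW):
    """None for a session cookie, else days until it expires.
    Max-Age takes precedence over Expires, as browsers apply it."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        exp = datetime.strptime(attrs["expires"], "%a, %d %b %Y %H:%M:%S GMT")
        exp = exp.replace(tzinfo=timezone.utc)
        return (exp - now).total_seconds() / 86400
    return None


def classify(host, header, site="shop.example", now=NOW, long_lived_days=30):
    """Classify one cookie: session / short-lived / long-lived, and third-party or not."""
    name, _, attrs = parse_set_cookie(header)
    days = lifetime_days(attrs, now)
    if days is None:
        kind = "session"                      # gone when the browser closes
    elif days <= long_lived_days:
        kind = "short-lived persistent"       # e.g. a shopping cart kept for a week
    else:
        kind = "long-lived persistent"        # survives long enough to build a profile
    third_party = host != site
    return {
        "name": name,
        "kind": kind,
        "days": days,
        "third_party": third_party,
        # Long-lived and set by another host: the classic tracking-cookie pattern.
        "tracking_candidate": third_party and kind == "long-lived persistent",
    }


def report(responses=SAMPLE_RESPONSES, site="shop.example"):
    return [classify(host, header, site) for host, header in responses]


if __name__ == "__main__":
    for row in report():
        print(row)
```

Run stand-alone, the session cookie and the one-week cart cookie are reported as first-party and non-tracking, while the cookie from ads-tracker.example that expires in late 2026 is the only tracking candidate. The same three functions can be pointed at headers captured from a browser's developer tools to audit a real site.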
