Académique Documents
Professionnel Documents
Culture Documents
Chapter 13
Security, Privacy, and
Ethics
Why and what managers need to know about IT risk
management, privacy, and information systems
ethics.
Course Roadmap
Part I: Foundations
Part II: Competing in the Internet Age
Part III: The Strategic use of Information
Systems
Part IV: Getting IT Done
Chapter
Chapter
Chapter
Chapter
10:
11:
12:
13:
Learning Objectives
1. Learn to make the case that information systems security, privacy,
and ethics are issues of interest to general and functional managers,
and why it is a grave mistake to delegate them exclusively to IT
professionals.
2. Understand the basic IT risk management processes, including risk
assessment, risk analysis, and risk mitigation.
3. Understand the principal security threats, both internal and external,
and the principal safeguards that have been developed to mitigate
these risks.
4. Be able to identify the nature of privacy concerns that modern
organizations face, and be able to articulate how general and
functional managers can safeguard the privacy of their customers and
employees.
5. Define ethics, apply the concept of ethical behavior to information
systems decisions, and be able to articulate how general and
functional managers can help ensure that their organization behaves
ethically.
3
Introduction
Information systems security, privacy, and
ethical concerns were born along with the
introduction of computer systems and
information technology in organizations
The recent widespread adoption of the Internet
and the proliferation of information for business
use have dramatically amplified these threats
A failure in security, privacy, or ethics can have
dramatic repercussions on the organization, both
because of its potentially damaging direct
effects (e.g., computer outages, disruptions to
operations) and its increasingly negative indirect
effects (e.g., legal recourse, image damage)
4
Security
The set of defenses put in place to
mitigate threats to technology
infrastructure and data resources
6
The Trade-off:
Purchase more security or accept higher risks?
7
Risk Assessment
Audit the current resources
Map the current state of information
systems security in the organization
The audit will:
Expose vulnerabilities
Provide the basis for risk analysis
Risk Analysis:
The process of quantifying the risks
identifies in the audit
8
Risk Mitigation
The process of matching the
appropriate response to the security
threats your firm identified
Designed to help manage the tradeoff between the degree of desired
security and the investment
necessary to achieve it
Risk Reduction
Actively investing in the safeguards designed
to mitigate security threats
Consciously paying for security protection
Risk Transference
Passing a potion (or all) of the risks associated
with security to a third party
Consciously paying for someone else to
assume the risk
10
Cost/Security Trade-Offs
Total Cost
Cost
Anticipation
Cost
Failure Cost
Degree of security
11
Internal Threats
Intentional Malicious Behavior
Typically associated with disgruntled or illwilled employees
Example: A marketing employee selling
customers e-mail addresses to spammers
Careless Behavior
Associated with ignorance of or
disinterest in security problems
Example: Failing to destroy sensitive data
according to planned schedules
12
External Threats
Intrusion Threat
An unauthorized attacker gains access to
organizational IT resources
Social Engineering
Lying to and deceiving legitimate users so that
they divulge restricted or private information
Phishing
Sending official sounding spam from known
institutions and asking individuals to confirm
private data in an effort to capture the data
13
14
Backdoors
Code expressly designed into software
programs to allow access to the application
by circumventing password protection
15
Viruses
Malicious code that spreads by attaching
itself to other, legitimate, executable
programs.
After infecting a machine, a harmful set of
actions, know as the payload, are
performed
16
Malicious Code
Trojan Horses
A computer program that
claims to, and sometimes
does, deliver useful
functionality
Delivers a hidden,
malicious payload, after
installation
Worms
Malicious code that
exploits security holes in
network software to selfreplicate
Does not deliver a payload
Generates enough
network traffic to slow or
bring a network down
17
Malicious Code
Spyware
Software that, unbeknownst to the owner
of the computer:
Monitors behavior
Collects information
Either transfers this information to a third
party or
Performs unwanted operations
19
Responding to Internal
Security Threats
Security Policies
Spell out what the organization believes
are the behaviors that individual
employees within the firm should follow
in order to minimize security risks
They should specify:
Password standards
User right
Legitimate uses of portable devices
Responding to External
Security Threats
Intrusion
The cornerstone of securing against
intrusion is the use of passwords
Firewalls can be used to screen and
manage traffic in and out of a computer
network
Only as strong as the weakest link
Responding to External
Security Threats
Malware
Safeguarding against malware requires
that the firms IT professionals install
detection software
Training and Policies are also necessary
Denial-of-Service Attacks
Preventing a denial-of-service attack is
very difficult
It is difficult to identify the location of the
attack
22
23
Managing Security:
Overall Guidelines
Have a plan and specify responsibilities
Who should be contacted in an emergency?
What should the first reaction measures be?
Revisit often
New technologies should be proactively
addressed
Privacy
The ability of individuals to control
the terms and conditions under
which their personal information is
collected, managed, and utilized.
Private information can be traced
back to the individual
Privacy subsumes security
25
Privacy Risks
Function Creep
Occurs when data collected for a stated
or implied purpose are then reused for
other, unrelated objectives.
Privacy Risks
Data Management Risks
It is increasingly simple, and cost effective, to
merge data repositories
IT creates pressure for, and the risk of, function
creep if not managed carefully
Safeguarding Privacy
Fair Information Practice Principles
Notice
The right of individuals to be informed when
their personal data is being collected
The right of individuals to be informed about
how their data is or will be used.
Choice
The ability of individuals to be informed of, and
object to, function creep whether within one
firm or across firms who share information.
28
Safeguarding Privacy
Fair Information Practice Principles (cont)
Access
The right of individuals to be able to access their
information and correct any errors that may have
occurred in their records
Security
Organizations that house individuals private
information must ensure its safekeeping and to
protect it from unauthorized access.
Enforcement
Organizations that collect and use private
information must develop enforceable procedures
to ensure that the above principles are upheld.
29
30
Security
The responsibility of the firm that houses private
information to ensure its safekeeping and to protect it
from unauthorized access.
Enforcement
The responsibility of the organizations that collect and
use private information to develop enforceable procedure
to ensure that the above principals are upheld.
31
Protecting Privacy
Say What You Do
The firm develop a codified set of policies
and procedures for safeguarding privacy and
communicates these policies to affected
individuals (e.g., customers, employees)
Be Able to Prove It
The firm document its policies and the
processes it has developed to ensure privacy
32
Ethics
The discipline dealing with what is
good and bad and with moral duty
and obligation
The problem:
Ethical choices are rarely
straightforward
Ethical choices typically engender
multiple sub-optimal options
33
Enabling IS Ethics
Developing a culture of ethical decision
making is critical
Establish an information systems ethics
code of conduct that:
Identifies the principles of ethical information
system use for your organization
Identifies the firms formal stance on ethics
34
The Recap
Information systems must be secured
against both internal and external
threats
Information systems security and risk
management are not IT issues
Privacy concerns, like security
threats, need general and functional
managers full attention.
35
The Recap
In order for the firm to safeguard the privacy of its
employees and customers, it must subscribe to fair
information practices
Notice
Choice
Access
Security
Enforcement.