Chapter 11

Security and Ethical

Challenges

McGraw-Hill/Irwin ©2008,The McGraw-Hill Companies, All Rights Reserved

 Learning Objectives

1. Identify several ethical issues in how the use of

information technologies in business affects
employment, individuality, working conditions,
privacy, crime, health, and solutions to societal
problems.
2. Identify several types of security management
strategies and defenses, and explain how they
can be used to ensure the security of business
applications of information technology.

11- 2
 Learning Objectives

3. Propose several ways that business managers

and professionals can help to lessen the
harmful effects and increase the beneficial
effects of the use of information technology.

11- 3
IT Security, Ethics and Society

11- 4
 Ethical Responsibility

• Business professionals
– have a responsibility to promote ethical uses of
information technology in the workplace.

11- 5
 Business Ethics

• Questions that managers must confront as part

of their daily business decision making including:
– Equity
– Rights
– Honesty
– Exercise of Corporate Power

11- 6
Ethical Business Issues
Categories

11- 7
 Corporate Social Responsibility
Theories
• Stockholder Theory
– Managers are agents of the stockholders
– Their only ethical responsibility is to increase the profits of
the business
– Without violating the law or engaging in fraudulent
practices
• Social Contract Theory
– Companies have ethical responsibilities to all members of
society
– Which allow corporations to exist based on a social
contract
11- 8
 Corporate Social Responsibility
Theories
• Stakeholder Theory
– Managers have an ethical responsibility to manage a
firm for the benefit of all its stakeholders
– Stakeholders are all individuals and groups that have a
stake in, or claim on, a company

11- 9
 Principles of Technology Ethics

• Proportionality – the good achieved by the

technology must outweigh the harm or risk
• Informed Consent – those affected by the
technology should understand and accept the
risks
• Justice – the benefits and burdens of the
technology should be distributed fairly
• Minimized Risk – even if judged acceptable by
the other three guidelines, the technology must
be implemented so as to avoid all unnecessary
risk 11- 10
AITP Standards of Professional
Conduct

11- 11
 Responsible Professional Guidelines

• Acting with integrity

• Increasing your professional competence
• Setting high standards of personal performance
• Accepting responsibility for your work
• Advancing the health, privacy, and general
welfare of the public

11- 12
 Computer Crime

• The unauthorized use, access, modification, and

destruction of hardware, software, data, or
network resources
• The unauthorized release of information
• The unauthorized copying of software
• Denying an end user access to his or her own
hardware, software, data, or network resources
• Using or conspiring to use computer or network
resources illegally to obtain information or
tangible property
11- 13
How large companies protect
themselves from cybercrime

Source: 2003 Global Security Survey by Deloitte Touche Tohmatsu, New York, June 2003,
In Mitch Betts, “The Almanac,” Computerworld, July 14, 2003, p 42. 11- 14
 Hacking

• The obsessive use of computers,

• Or the unauthorized access and use of
networked computer systems

11- 15
 Common Hacking Tactics

• Denial of Service
– Hammering a website’s equipment with too many
requests for information
– Clogging the system, slowing performance or even
crashing the site
• Scans
– Widespread probes of the Internet to determine types of
computers, services, and connections
– Looking for weaknesses

11- 16
 Common Hacking Tactics

• Sniffer
– Programs that search individual packets of data as they
pass through the Internet
– Capturing passwords or entire contents
• Spoofing
– Faking an e-mail address or Web page to trick users
into passing along critical information like passwords or
credit card numbers

11- 17
 Common Hacking Tactics

• Trojan Horse
– A program that, unknown to the user, contains
instructions that exploit a known vulnerability in some
software
• Back Doors
– A hidden point of entry to be used in case the original
entry point has been detected or blocked
• Malicious Applets
– Tiny Java programs that misuse your computer’s
resources, modify files on the hard disk, send fake e-
mail, or steal passwords
11- 18
 Common Hacking Tactics

• War Dialing
– Programs that automatically dial thousands of
telephone numbers in search of a way in through a
modem connection
• Logic Bombs
– An instruction in a computer program that triggers a
malicious act
• Buffer Overflow
– A technique for crashing or gaining control of a
computer by sending too much data to the buffer in a
computer’s memory
11- 19
 Common Hacking Tactics

• Password Crackers
– Software that can guess passwords
• Social Engineering
– Gaining access to computer systems
– By talking unsuspecting company employees out of
valuable information such as passwords
• Dumpster Diving
– Sifting through a company’s garbage to find information
to help break into their computers

11- 20
 Cyber Theft

• Computer crime involving the theft of money

• Often inside jobs
• Or use Internet to break in

11- 21
 Unauthorized Use at Work

• Time and resource theft

• May range from doing private consulting or
personal finances, or playing video games, to
unauthorized use of the Internet on company
networks

11- 22
 Internet Abuses in the Workplace
• General e-mail abuses
• Unauthorized usage and access
• Copyright infringement/plagiarism
• Newsgroup postings
• Transmission of confidential data
• Pornography – accessing sexually explicit sites
• Hacking
• Non-work related download or upload
• Leisure use of the Internet
• Usage of external ISPs
• Moonlighting
11- 23
 Software Piracy

• Software Piracy
– Unauthorized copying of computer programs
• Licensing
– Purchase of software is really a payment for a license
for fair use
– Site license allow a certain number of copies
• A third of the software industry’s revenues are
lost due to piracy

11- 24
 Theft of Intellectual Property

• Intellectual property
– Copyrighted material such as
– Music, videos, images, articles, books, software
• Copyright infringement is illegal

• Peer-to-peer networking techniques have made

it easy to trade pirated intellectual property

11- 25
 Viruses and Worms

• Virus and worms copy annoying or destructive

routines into networked computers
• Often spread via e-mail or file attachments
• Computer Virus
– Program code that cannot work without being inserted
into another program
• Worm
– Distinct program that can run unaided

11- 26
 Cost of viruses and worms

• Nearly 115 million computers were infected in

2004
• As many as 11 million computers are believed to
be permanently infected
• Total economic damage estimated to be between
$166 and $292 billion in 2004
• Average damage per installed Windows-based
machine is between $277 and $366

11- 27
 Adware and Spyware

• Adware
– Software that purports to serve a useful purpose
– But also allows Internet advertisers to display
advertisements (pop-up and banner ads)
– Without the consent of the computer’s user
• Spyware
– Adware that employs the user’s Internet connection in
the background without your permission or knowledge
– Captures information about you and sends it over the
Internet

11- 28
 Privacy: Opt-in versus Opt-out

• Opt-in
– You explicitly consent to allow data to be compiled
about them
– Law in Europe
• Opt-out
– Data can be compiled about you unless you specifically
request it not be
– Default in the US

11- 29
 Privacy Issues

• Violation of Privacy:
– Accessing individuals’ private e-mail conversations and
computer records,
– Collecting and sharing information about individuals
gained from their visits to Internet websites
• Computer Monitoring:
– Always knowing where a person is, especially as mobile
and paging services become more closely associated
with people rather than places

11- 30
 Privacy Issues

• Computer Matching
– Using customer information gained from many sources
to market additional business services
• Unauthorized Personal Files
– Collecting telephone numbers, e-mail addresses, credit
card numbers, and other personal information to build
individual customer profiles

11- 31
 Protecting your Privacy on the
Internet
• E-mail can be encrypted
• Newsgroup postings can be sent through
anonymous remailers
• ISP can be asked not to sell your name and
personal information to mailing list providers and
other marketers
• Decline to reveal personal data and interests on
online service and website user profiles

11- 32
 Privacy Laws

• Rules that regulate the collection and use of

personal data by businesses and the
government

11- 33
 Censorship Issues

• Spamming
– Indiscriminate sending of unsolicited e-mail messages
to many Internet users
• Flaming
– Sending extremely critical, derogatory, and often vulgar
e-mail messages or newsgroup postings to other users
on the Internet or online services

11- 34
 Cyberlaw

• Laws intended to regulate activities over the

Internet or via electronic data communications

11- 35
 Other Challenges

• Employment
– IT creates new jobs and increases productivity
– But can also cause significant reductions in job
opportunities as well as different types of skills required
for new jobs
• Computer Monitoring
– Computers used to monitor the productivity and
behavior of employees as they work

11- 36
 Other Challenges

• Working Conditions
– IT has eliminated monotonous or obnoxious tasks
– But some jobs requiring a skilled craftsman have been
replaced by jobs requiring routine, repetitive tasks or
standby roles
• Individuality
– Dehumanize and depersonalize activities because
computers eliminate human relationships
– Systems without flexibility

11- 37
 Health Issues

• Cumulative Trauma Disorders (CTDs)

– Disorders suffered by people who sit at a PC or terminal
and do fast-paced repetitive keystroke jobs
• Carpal Tunnel Syndrome
– Painful crippling ailment of the hand and wrist

11- 38
 Ergonomics

• Designing healthy work environments

• That are safe, comfortable, and pleasant for
people to work in
• Thus increasing employee morale and
productivity

11- 39
Ergonomic Factors

11- 40
 Security Management
• The goal of security
management is the
accuracy, integrity, and
safety of all information
system processes and
resources.

Source: Courtesy of Wang

11-Global.
41
 Internetworked Security
Defenses
• Encryption
– Data transmitted in scrambled form and unscrambled
by computer systems for authorized users only

11- 42
Public/Private Key Encryption

11- 43
 Internetworked Security
Defenses
• Firewalls
– A gatekeeper system that protects a company’s
intranets and other computer networks from intrusion
– By providing a filter and safe transfer point for access to
and from the Internet and other networks
• Firewalls are also important for individuals who
connect to the Internet with DSL or cable
modems

11- 44
Internet and Intranet Firewalls

11- 45
 How to Defend Against Denial of
Service Attacks
• At the zombie machines (computers
commandeered by cyber criminals)
– Set and enforce security policies
– Scan for vulnerabilities
• At the ISP
– Monitor and block traffic spikes
• At the victim’s website
– Create backup servers and network connections

11- 46
 Internetworked Security
Defenses
• E-mail Monitoring
– Use of content monitoring software that scans for
troublesome words that might compromise corporate
security
• Virus Defenses
– Centralize the distribution and updating of antivirus
software
– Use security suite that integrates virus protection with
firewalls, Web security, and content blocking features

11- 47
 Other Security Measures

• Security Codes
– Multilevel password system
– Encrypted passwords
– Smart cards with microprocessors
• Backup Files
– Duplicate files of data or programs
• System Security Monitors
– Programs that monitor the use of computer systems
and networks and protects them from unauthorized use,
fraud, and destruction

11- 48
 Biometrics

• Computer devices that measure physical traits

that make each individual unique
• Examples:
– Voice verification
– Fingerprints
– Retina scan

11- 49
 Computer Failure Controls

• Prevent computer failure or minimize its effects

• Preventative maintenance
• Arrange backups with a disaster recovery
organization

11- 50
 Fault Tolerant Systems

• Systems that have redundant processors,

peripherals, and software that provide a:
– Fail-over capability to back up components in the event
of system failure
– Fail-safe capability where the computer system
continues to operate at the same level even if there is a
major hardware or software failure
– Fail-soft capability where the computer system
continues to operate at a reduced but acceptable level
in the event of system failure

11- 51
 Disaster Recovery Plan

• Formalized procedures to follow in the event a

disaster occurs including:
– Which employees will participate
– What their duties will be
– What hardware, software, and facilities will be used
– Priority of applications that will be processed
– Use of alternative facilities
– Offsite storage of an organization’s databases

11- 52
 Information Systems Controls

• Methods and devices that attempt to ensure the

accuracy, validity, and propriety of information
system activities

11- 53
 Auditing IT Security

• IT security audits
– By internal or external auditors
– Review and evaluate whether proper and adequate
security measures and management policies have been
developed and implemented

11- 54
How to protect yourself from
cybercrime

11- 55
 Case 1: Cyberscams: Four Top
Cybercriminals: Who They Are and
What They Do
• Fastest growing criminal niche.
• Annual loss to computer crime - $67 Billion
• Many web sites eBay, Microsoft, and PayPal must
defend themselves from frequent fraudulent attempts by
cyberscammers.
• Law enforcement authorities are looking for four
individuals who are all Russians and have been
identified as high priority targets in their investigations.
• Many of these criminals are highly skilled and come from
low income families and countries with unstable
government.

11- 56
 Case Study Questions

1. List several reasons “cyberscams are today’s

fastest growing criminal niche.” Explain why
the reasons you give contribute to the growth
of cyberscams.
2. What are several security measures that
could be implemented to combat the spread
of cyberscams? Explain why your
suggestions would be effective in limiting the
spread of cyberscams.

11- 57
 Case Study Questions

3. Which of the four top cybercriminals

described in this case poses the biggest
threat to businesses? To consumers?
Explain the reasons for your choices, and
describe how businesses and consumers
can protect themselves from these
cyberscammers.

11- 58
 Real World Internet Activity

1. It is not advisable to visit any of the cyberscam

Web sites mentioned in this case or any others
you discover. To do so could make you, your
computer, and your network vulnerable to
various forms of cybercrime. Search other
sites on the Internet for the latest information
on cyberscams, the cybercriminals mentioned
in this case, and ways to combat cyberscams.
What are some of the new developments you
find in each of these areas?

11- 59
 Real World Group Activity

2. How can you protect yourself from

cyberscams and other forms of
cybercrime?
– Discuss this issue and formulate some key
protective recommendations. Include all
forms of cybercrime mentioned in this case in
your recommendations, as well as those you
uncover in your Internet research.

11- 60
 Case 2: Lowe’s, TCI, Bank of America,
ChoicePoint, and Others: Failures in
Data Security Management
• Companies are having problem in protecting their
valuable data of their customers.
• Cheaper database software and storage devices have
made it much easier for companies to gather and save
private information about their customers, presenting a
challenge in securing the information from hackers.
• Lack of adequate and unreliable safeguard of data has
led to theft of vital information of their customers.
• The business cost of poor data security can be very
high.

11- 61
 Case Study Questions

1. Why have there been so many recent incidents

of data security breaches and loss of customer
data by reputable companies? Provide several
possible reasons for this development.
2. What security safeguards must companies
have to deter electronic break-ins into their
computer networks, business applications, and
data resources, like the incident at Lowe’s?
Defend your proposed security measures.

11- 62
 Case Study Questions

3. What security safeguards would have deterred

the loss of customer data at TCI, Bank of
America, and Choice-Point? Defend your
proposed security measures to avoid the
incidents that occurred at each company.

11- 63
 Real World Internet Activity

1. Search the Internet for the latest information

on computer security developments for the
four main companies in this case and any
other companies that have reported major data
losses or other computer security problems.
Then research information on the latest
developments in security measures to protect
companies from data theft and losses. Report
some of your findings to the class.

11- 64
 Real World Group Activity

2. Share the information you have found in your

Internet research on data losses, other
computer security problems, and the latest
developments in computer security measures.
Develop several key computer security
recommendations for companies to implement
to avoid many of the problems you discovered.

11- 65
 Case 3: Western Corporate Federal
Credit Union and Others: Managing
Information Security
• Evolving threats and a greater exposure to risk are
pushing companies to take a strategic view of security.
• The growing use of wireless technologies and the
tendency to connect internal networks with those of
suppliers, partners, and customers have dramatically
increased security risks and the potential cost of a breach.
• Information security is a business problem and can not be
simply addressed by firewalls and other tools.
• OCTAVE helps companies identify infrastructure
vulnerabilities, prioritize information assets, and create
asset-specific threat profiles and mitigation plans.

11- 66
 Case Study Questions

1. Why is information security a major concern for

many companies today? What are security
managers doing to improve their companies’
information security? What else should they be
doing?
2. Why does the OCTAVE methodology promise
to improve security in organizations? Does it
work? Explain your answer with examples from
the case or other sources on the Internet.

11- 67
 Case Study Questions

3. What does Lloyd Hession mean when he says

information security is “not addressed simply
by the firewalls and antivirus [tools] that are
already in place”? What other security
measures does he recommend to improve
information security? What would you add to
his recommendations? Explain your reasoning.

11- 68
 Real World Internet Activity

1. The focus on information security is an

important one for modern organizations of all
sizes. Use the Internet to find examples of
companies that are striving to improve their
information security. What approaches and
methods are they using to improve the security
of their companies?

11- 69
 Real World Group Activity

2. Private and corporate information is under

attack from a wide variety of sources. Discuss
the various threats to information security. Are
you doing your share to protect your
information?

11- 70