Download Chap013

Chapter 13
Security and Ethical
Challenges
McGraw-Hill/Irwin
Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved.
Learning Objectives
 Identify several ethical issues regarding how the use of
information technologies in business affects
employment, individuality, working conditions,
privacy, crime, health, and solutions to societal
problems.
 Identify several types of security management
strategies and defenses and explain how they can be
used to ensure the security of business applications of
information technology.
 Propose several ways that business managers and
professionals can help lessen the harmful effects and
increase the beneficial effects of the use of
information technology.
13-2
Section 1
Security, Ethical, and Societal Challenges of IT
13-3
I. Introduction
Use of IT in business poses security
challenges, ethical questions, and
societal challenges
The Nexus of IT, Ethics, Security, and
Safety – we must consider the impact
technologies have on society
13-4
II. Ethical Responsibility of Business Professionals
As a business professional you have the
responsibility to promote Ethical (what does
that mean???) use of IS in the workplace
Business Ethics – ethical questions that are part of
daily business decision making
Ethical Use of Technology – the use of technology
raises its own ethical questions
Ethical Guidelines – many firms have specific
guidelines for ethical computer and Internet use by
employees
13-5
II. Ethical Responsibility of Business Professionals
Security, Ethical, and Societal Aspects of IT Use
13-6
II. Ethical Responsibility of Business Professionals
Categories of Ethical Business Issues
13-7
Enron Corporation: Failure in Business
Ethics
What were some of the unethical practices at
Enron?
What two issues does the article suggest about
Credibility?
Why would Enron (or any) executives engage
in such activities?
How can people be encouraged to follow
acceptable ethical/moral business practices?
13-8
III. Computer Crime – using a computer to
do something illegal
Hacking and Cracking
Hacking – obsessive use of computers,
unauthorized use of networked systems
Cracking (black hat or dark-side hacker) – malicious
or criminal hacker
Cyber Theft – many computer crimes involve
theft of money; many firms do not reveal that
they’ve been victims due to bad publicity
Cyber-terrorism – causing physical, real-world
harm or severe disruption of infrastructure
13-9
The Online Crusade Against Phishing
What is phishing?
Why is phishing dangerous?
What is the challenge for law enforcement?
Why does Warner see phishing as a personal,
moral challenge?
13-10
III. Computer Crime – using a computer to
do something illegal
Cyber-Warfare – actions by a nation-state to
cause damage or disruption to another nationstate
Unauthorized use at Work – time and resource
theft, this can be a very wide range of actions,
many firms have written policies for
(im)proper use of computers and IT resources
Software Piracy –unauthorized copying of
software
Theft of Intellectual Property – any
infringement of copyrighted materials
13-11
Leaving Your Job? Don’t Take Anything
with You
What is an “orphaned account”?
Why are they dangerous?
Why do people take data with them when
they leave an organization?
How many firms monitor or track these
accounts?
What threats does this pose to the firm?
13-12
III. Computer Crime – using a computer to
do something illegal
Computer Viruses and Worms – insert
destructive routines into computer systems to
cause damage
Adware and Spyware
Adware – allows Internet advertisers to display ads
without the consent of the user
Spyware – uses the network connection without
the user’s knowledge or permission, collects and
distributes information about the user
13-13
Survey: E-mail and Internet Abuse Can Get
You Fired
How many firms have fired workers for misuse
of e-mail and the Internet?
What actions may be considered inappropriate
use of e-mail/Internet?
How do firms prevent this behavior?
How do firms monitor employee behavior?
Do firms inform employees of monitoring?
13-14
Music Piracy: The Long War
IS music piracy a recent phenomenon?
What is a copyright? Why is it an important
legal issue?
How do feel about downloading music? Is it
right or wrong? What ethical/moral issues
does it raise?
What are the business/property issues raisd by
downloading music?
13-15
Oldies but Goodies: Old Threats That Just
Won’t Go Away
What is malware?
What is the difference between a virus and a
worm?
Why should malware concern businesses?
Why do old viruses and worms still proliferate?
What can a business do to encourage users to
be more careful about malware?
13-16
ommtouch: Trends in Internet Threats
Describe each of the threats listed.
What are the results of these threats to
businesses?
How can you promote a business culture of
caution toward these and other threats?
13-17
IV. Privacy Issues
IT can store and retrieve information
affecting the privacy of the individual
Privacy on the Internet – the Internet
gives users a feeling of anonymity while
making them vulnerable to privacy
violations
Computer Matching – profiling
13-18
Identity Theft: As Easy as Stealing a Check
What is Identity Theft?
What data does a check hold that criminals
can use?
How many fraudulent checks are written every
day?
What precautions can you take to prevent
identity theft?
13-19
IV. Privacy Issues
Privacy Laws – many countries regulate
collection and use of personal data
HIPAA – health related privacy laws
Sarbanes-Oxley – standards for publicly held firms
Computer Libel and Censorship – what can and
cannot be said (legally) online
Spamming – indiscriminate sending of unsolicited
email
Flaming – extremely critical, derogatory, vulgar
email
13-20
V. The Current State of Cyber Law
A very wide range of legal and political issues,
VERY controversial
13-21
VI. Other Challenges
Employment Challenges – impact of IT on
employment is a major ethical concern
Computer Monitoring – using a computer to
monitor productivity in the workplace, or to
monitor behavior in public
Challenges in Working Conditions – IT can
eliminate monotonous tasks, and create some,
too
Challenges of Individuality – one concern is the
effect of IT on a person’s individuality
13-22
VII. Health Issues
IT raises a variety of health issues
Ergonomics (Human Factors Engineering)
– designing healthy work environments
that are safe and comfortable
13-23
VIII. Societal Solutions
IT can have many beneficial effects on
society
13-24
Section 2
Security Management of
Information Technology
13-25
I. Introduction
The number one problem with e-commerce is
security; the Internet was developed for
interoperability not impenetrability
13-26
II. Tools of Security Management
Goal of Security Management –
accuracy, integrity, and safety of all
information processes and resources
13-27
Top Executives Agree: Information Security
Is a Top Priority
What are the reasons for executive
support of IS/IT security?
What is a breach disclosure law?
Why would a firm not want consumers
to know about a security breach?
What are the costs of a breach (both
dollar and non-dollar costs)?
13-28
III. Inter-Networked Security Defenses
 How so you balance the need for security with the
need for access?
 Encryption – using a mathematical algorithm to
encode a message before transmission and
descramble it for reception
 Firewalls – a hardware or software gatekeeper that
keeps unauthorized transmissions out of a system
 Denial of Service Attacks – using zombie/slave
computers to overload another system with large
volumes of service requests
 E-Mail Monitoring – firms watch employees use of
email
13-29
III. Inter-Networked Security Defenses
Public Key/Private Key Encryption
13-30
WhiteHat Security: “Black Box Testing”
Mimics Hackers to Discover Vulnerabilities
What do most attacks exploit today?
What service does WhiteHat sell?
How might a vulnerability re-appear?
Is this an ethical/moral approach to
security?
13-31
As If Phishing Wasn’t Enough: Denial of
Service Attacks
How big is online crime today?
What is a Phishing scam?
What is a Denial of Service attack?
Why would someone want to create a
denial of service attack?
Why would a CEO resist taking necessary
steps to solve a denial of service attack?
13-32
BNSF Railway: Well Balanced Web-Use
Monitoring
Why is extensive use of the Internet a
concern for BNSF?
Why is the BNSF Internet Policy
important? What does it emphasize?
What information do the Cyfin reports
contain and why are they important?
Why is employee monitoring a risk
management obligation?
13-33
IV. Viral Defenses
Antivirus software
13-34
The Future of Antivirus
What is a computer virus?
What is a signature-based antivirus?
What other tools are used to add to
strength to the antivirus approach?
Why do people still like the old
approach?
13-35
V. Other Security Measures
Security Codes – login IDs and passwords
Backup Files – duplicate files of data or
programs
Security Monitors – monitor systems for
unauthorized use, fraud, and destruction
Biometric Security – measure/verify an
individual’s physical traits
13-36
V. Other Security Measures
Computer Failure Controls – preventing
computer failure or minimizing its effects
Fault-Tolerant Systems – providing
backup components in case of a system
failure
Disaster Recovery – getting a system
running again after a disaster
13-37
What If the Internet Went Down … and
Didn’t Come Back Up?
What would the effects on your personal
life be if the Internet went down?
What changes would there be to the
businesses that you use every day?
Where would you go for information and
research?
What other daily-use items would be
unavailable to you?
13-38
VI. System Controls and Audits
Information System Controls – assure
accuracy, validity, and propriety of IS
activities
Auditing IT Security – IT security should
be periodically examined
13-39
Georgetown University: All Systems Go
What new strategy did GU address?
What effects did this have to IT?
What are the most significant risks to
the university?
What political and cultural issues had to
be addressed?
How do they address “Risk”?
13-40