Shared by: HC111210075425
posted:
12/10/2011
Security, Privacy, and Ethical Issues in Information Systems and the Internet
Chapter 14
Social Issues in Information Systems
▪ Computer Waste
▪ Cyber Crime
▪ Privacy Issues
▪ Ethical Issues
▪ Health Concerns
▪ Patent & Copyright Issues
Computer Waste
▪ Personal use of corporate time and technology
▪ Discarded technology and unused systems
  – Older systems may still have value
  – Software is often under-utilized
Should they be monitored?
▪ According to a Vault.com survey
  – 90.3 percent of employees admit to surfing non-work-related sites every day
  – 83.6 percent admit to sending personal e-mails every day.
▪ Managers should be scrambling to scrutinize server logs to prevent this epidemic of goofing off, right?
Should they be monitored?
▪ “Using the Internet for errands or short personal breaks has become part of the fabric of normal human behavior.”
▪ Preventing personal use of the Internet and Email may not increase overall productivity. Why?
▪ What are the trade-offs, costs, or negatives if a company monitors and blocks personal use?
Should they be monitored?
▪ “Employees who use the Internet to access pornography, hate groups, etc. can land a company in hot water.”
▪ Companies need to have an enforceable Internet-usage policy that clearly outlines what is acceptable and what isn't.
▪ What risks or problems could arise if a company does NOT have an Internet-usage policy?
Should they be monitored?
▪ Companies are obligated to protect themselves by developing a strict Internet-usage policy.
▪ Monitoring systems should be in place for other reasons: to detect hackers, internal attacks, etc.
▪ Excessive personal usage may not imply poor productivity. How so?
▪ Use monitoring to deter inappropriate usage but not as an evaluation measure of productivity.
Computer Mistakes
▪ Data entry errors
▪ Program bugs or errors
▪ Accidental deletion or over-write
▪ Inadequate planning for malfunctions
▪ Inadequate computing resources
▪ Failure to keep things updated
Preventing Computer Waste and Mistakes
▪ Establish and Implement Policies
▪ Monitor and Review Policies
▪ Examples:
  – Requiring employees to update virus software
  – Requiring backup of key files
  – Requiring “modified-on dates” for websites
  – Required training
  – Make user manuals and documentation available
Preventing Computer Waste and Mistakes
Siena as an example:
http://www.siena.edu/technology/computing/

▪ The Good
  – Tons of info online
  – Policies & procedures made public
  – Training is available
  – What else?
▪ The Bad
  – Info poorly organized
  – Policies and procedures are NOT simple
  – Training is not mandatory
  – What else?
Computer Crime
Number of Incidents Reported to CERT
▪ Established in 1988, CERT is a center of Internet security expertise located at the Software Engineering Institute.
▪ Federally funded research and development center operated by Carnegie Mellon University.
Computer Crime and Security Survey
▪ FBI Computer Crime and Security Survey of Companies 2002
  – 90% - detected security breach in last 12 months
  – 80% - acknowledged financial losses
  – 74% - frequent external attacks via Internet
  – 34% - frequent internal attacks (insider job)
  – 33% - reported incidents to FBI
Simple Cyber Crime Techniques
▪ Social engineering
  – talking a critical password out of someone
  – knowing typical hiding spots
▪ Dumpster diving
  – gathering critical information about someone
  – to help guess/break passwords
  – leading to identity theft
Computers as tools for criminals
▪ Cyber-terrorism
  – From individual harassment online to a terrorist strike on critical IT infrastructure
▪ Identity Theft
  – From using an individual's credit card to obtaining a fraudulent driver's license or passport
The Criminals
▪ Hacker
  – enjoys learning the details of how computer systems work
▪ Cracker
  – a Criminal Hacker
▪ Script Bunnies (Script Kiddies)
  – Wannabe Crackers who use scripts
▪ Insider
  – Disgruntled employees
The Acts
▪ Illegal Access
  – Hack into Equifax to see Bill Clinton’s credit report
▪ Data Alteration
  – Hack into Citibank to increase account balance.
▪ Data Destruction
  – Hack into Dr. Breimer’s account to delete future quizzes
▪ Software Piracy
  – Warning: All we need is a technologically aware, proactive DA, and a quarter of Siena would be in jail.
The Acts
▪ Internet Scams
  – Nigerian letter fraud
▪ Phishing
  – Tricking someone into sharing private information
▪ Spam
  – Can be considered harassment
▪ Spyware
  – Legal but dishonest access to private information
▪ Viruses
  – Can be considered data alteration or destruction
Data Alteration and Destruction
Preventing Computer-Related Crime
▪ Crime prevention by state and federal agencies
  – FBI handles a lot because of the inter-state issues.
  – FBI hampered by international issues
  – CERT (Dept. of Defense)

▪ Crime prevention by corporations
  – Public Key Infrastructure (PKI)
  – Biometrics (finger-printing mouse, voice recognition, etc.)

▪ Antivirus programs
Preventing Computer-Related Crime is a business
▪ Firewalls
  – Hardware or software that can block access to a computer or network
▪ Intrusion Detection Software
  – Uses sophisticated measures to detect intruders or suspicious activity
▪ Managed Security Service Providers (MSSPs)
  – Consulting firms that manage security for smaller companies
▪ Protection of Decency
  – Net Nanny and other filtering software
Internet Laws for Libel
▪ A Newspaper or Publisher can be sued for libel or indecency
  – in addition to the actual author
▪ Can an Internet Service Provider (AOL, MSN, etc.) be sued for libel or indecency?
  – How can they be responsible for all the content?
  – Don’t they have a right to protect the privacy of their customers?
How to Protect Your Corporate Data from Hackers
▪ Systems with strong user authentication and data encryption
▪ Up-to-date security patches and virus definitions
▪ Disable guest accounts or no password accounts
▪ Put different services on separate dedicated servers. Why?
▪ Turn on logs and audit trails
▪ Conduct security audits
▪ Frequent backup of data. Why?
Privacy
Privacy Issues
▪ Privacy and the Federal Government
  – Individual privacy vs. national security
▪ Privacy at work
  – Individual privacy vs. company’s right to protect itself
▪ E-mail privacy
  – Business document or personal information?
▪ Privacy and the Internet
  – Right to use ≠ right to know?
Major Issue
▪ Adware & Spyware
  – Free (and sometimes useful) Software
▪ Using it requires agreeing to a policy (double-negative trickery).
  – Gives software permission to
      • Track your Internet usage
      • Share information about you
▪ Should this type of business be outlawed?
▪ Privacy protection vs. entrepreneurial freedom
  – What are the compromises?
Federal Privacy Laws and Regulations
▪ The Privacy Act of 1979
  – Applies to federal agencies
  – Individuals can determine what records (pertaining to them) are collected, maintained, used, or disseminated.
▪ Gramm-Leach-Bliley Act 1999
  – Applies to non-public financial institutions
  – Requires privacy policies to be in place
▪ USA Patriot Act
Health Concerns
▪ Repetitive stress injury (RSI)
▪ Carpal tunnel syndrome (CTS)
▪ Ergonomics
Avoiding Health and Environment Problems
▪ Maintain good posture and positioning.
▪ Don’t ignore pain or discomfort.
▪ Use stretching and strengthening exercises.
▪ Find a good physician who is familiar with RSI and how to treat it.
Ethical Issues in Information Systems
▪ The AITP Code of Ethics
  – Obligation to management
  – Obligation to fellow AITP members
  – Obligation to society

▪ The ACM Code of Professional Conduct
  – Acquire and maintain professional competence
