					rainer_c03_060-103hr.qxd   7-02-2008   16:36   Page 60

CHAPTER PREVIEW

This information systems world we live in is filled with many types of people and organizations. Unfortunately, not all of them are honest. Controls help honest people stay honest and detect potential problems. What type of information systems problems should we protect ourselves and our organizations against? What are the different types of controls, and how can information systems auditors help in the control evaluation process? This chapter will first look at some ethical problems that can arise when using information systems, and then at the threats and compensating controls that can be implemented in our systems.

ETHICS, PRIVACY, AND INFORMATION SECURITY

3.1 ETHICAL ISSUES
Describe the major ethical issues related to information technology, and identify situations in which they occur.
BUSINESS OPPORTUNITIES: A high-quality privacy policy will encourage customers to use a particular website.
BUSINESS RISKS: A marketing department could sell private information without

Identify the many threats to information security.
BUSINESS OPPORTUNITIES: New anti-spyware products and innovative fraud detection software can earn high revenues.
BUSINESS RISKS: Spyware could track your usage and capture your passwords for unauthorized access to your financial information.

Understand the various defence mechanisms used to protect information systems.
BUSINESS OPPORTUNITIES: Well-protected data and systems will enable websites to serve customers without threat of interruption.
BUSINESS RISKS: Poorly designed or outdated firewalls will enable hackers to access organizational systems.

Explain IT auditing and planning for disaster recovery.
BUSINESS OPPORTUNITIES: Duplicated systems and alternative plans will enable organizations to continue to serve customers even in the face of hardware or software
BUSINESS RISKS: Poorly designed disaster recovery systems will result in excess downtime in the event of a hardware failure.


CASE 3.1
THE WORST RETAIL DATA BREACH EVER?

THE BUSINESS PROBLEM
The TJX Companies Inc., a $16-billion retail conglomerate, operates some 2,500 stores around the world, including T.J. Maxx, Marshalls, HomeGoods, Bob’s Stores, and A.J. Wright stores in the United States, and Winners and HomeSense stores in Canada. On January 17, 2007, the company reported that an intrusion into its customer transaction management systems had compromised the personal data of a number of its customers. The security breach involved systems that handle customer credit card, debit card, cheque, and merchandise return transactions. At first, the company did not state how many customers were affected by the incident, but later revealed that credit card information on 46 million of its customers had been compromised.

The company said that the data involved was related to people who shopped at its stores during 2003 and 2004, as well as between May and December of 2006. TJX learned of the breach in mid-December 2006, but it did not release the information at that time at the request of law enforcement officials.

Investigators noted that TJX really had three problems. First, the company’s security was originally breached and its data compromised. In fact, the intruders had the company’s encryption key. (We discuss encryption later in this chapter.) Second, the company did not know about the breach for years. Finally, TJX was unable to ascertain what data was actually compromised, and when.

Adding to TJX’s problems, Visa notified financial institutions that issue credit cards and manage Visa transactions that TJX had stored credit and debit card data in violation of the Payment Card Industry Data Security Standard (the PCI standard) created by Visa and MasterCard. The PCI standard applies to banks, clearinghouses, and merchants that issue or accept credit cards. Merchants such as TJX are not supposed to store cardholder data because a thief can use that information to create a counterfeit credit or debit card. Some TJX data went back to 2003, which indicated that the company had been out of compliance with the PCI standard for years.

Before the intrusion was even reported, a California credit union noticed an increase in counterfeit cards used to commit fraudulent transactions. In fact, the TJX breach resulted in financial losses to the credit union. The credit union had to issue new cards for any cardholder accounts that Visa said were affected by the TJX compromise. As an issuer of Visa cards, the credit union—not Visa or TJX—had to pay for any fraudulent transactions charged to members’ accounts.

In addition, Visa encountered an increase in fraud activity on certain TJX accounts beginning in mid-November, 2006. After the breach was reported, many banks and credit unions around the world reported compromises of customer accounts as a result of the breach.

Also before the breach was announced, thieves used data stolen from TJX to steal $8 million in merchandise from Wal-Mart stores in Florida. The thieves created fake credit cards that they used to buy Wal-Mart gift cards, and then used them to buy

A VARIETY OF SOLUTIONS
TJX hired General Dynamics and IBM to help investigate the intrusion, assess the volume and types of data that may have been stolen, and strengthen the company’s defences. TJX also worked with all major credit and debit card companies to help investigate any related fraud, and co-operated with law enforcement officials, including the U.S. Department of Justice and the RCMP. The company also bought full-page newspaper ads and put a video message from its chairman on its website, assuring customers that rigorous steps had been taken to protect their information.

TJX identified a limited number of customers whose private information was stolen and notified them directly. TJX officials said that they did not know if they could identify the names of other customers who are at risk. The company offered additional customer support to people concerned that their data may have been compromised, and recommended that its customers carefully review their credit card and debit card statements and other account information for evidence of unauthorized use.

THE RESULTS
The company faced a stream of bad news. TJX had to record a fourth-quarter (2006) charge of about $5 million related to the intrusion, including the costs to investigate and contain the breach, enhance information security, communicate with customers, and legal fees. Many organizations have sued TJX over the compromise of its

Interestingly, TJX noted that the company relied on commercially available systems, software, tools, and monitoring to provide security for processing, transmission, and storage of confidential customer information. Further, the company noted that systems it used for transmission and approval of payment card transactions were determined and controlled by the payment-card industry, not by TJX.

What really worries information security experts are these questions: What if TJX did almost everything correctly? What if this massive data breach was less a case of TJX being careless and more a case of the attackers being clever, resourceful, knowledgeable, and persistent? The implication here is that modern cyberthieves can execute a breach on any retailer, regardless of the security measures in place.

WHAT WE LEARNED FROM THIS CASE
The lessons we can learn from the massive, undiscovered security breach at TJX address the three major issues discussed in this chapter: ethics, privacy, and security. Each of these issues is closely related to IT and raises significant questions. For example, is it ethical (or even necessary) for TJX to gather and keep so much information on its customers? Is this practice an invasion of its customers’ privacy? By using commercially available software, did TJX show due diligence in protecting customer information? Should the blame for the breach be shared by TJX and its software suppliers? How should TJX protect its information more effectively? Does better protection involve technology, policy, or both?

The answers to these and other questions are not clear. As we discuss ethics, privacy, and security in the context of information technology, you will acquire a better understanding of these issues, their importance, their relationships, and their trade-offs.

Information technologies, properly used, can have enormous benefits for individuals, organizations, and entire societies. In the first two chapters we discussed the diverse ways in which IT has made businesses more productive, efficient, and responsive to consumers. We have also explored areas such as medicine in which IT has improved people’s health and well-being. Unfortunately, information technologies can also be misused, often with devastating consequences. Consider the following:

• Individuals can have their identities stolen.
• Organizations can have customer information stolen, leading to financial losses, erosion of customer confidence, and legal action.
• Countries face the threat of cyberwarfare (see p. 82).

In fact, the misuse of information technologies has come to the forefront of any discussion of IT. Now that you are acquainted with the major capabilities of IT, we address the complex issues of ethics, privacy, and security.

Sources: Compiled from E. Schuman, “The Nightmare Scenario: What If TJX Did Everything Right,” eWeek, March 30, 2007; M. Hines, “TJX Intrusion Highlights Pursuit of Corporate Data,” eWeek, January 18, 2007; K. Evans-Correia, “Top IT Execs Could Take Heat for TJX Breach,” January 18, 2007; L. Greenemeier, “Card Data, A Hack, and a Rush to Contain the Damage,” InformationWeek, January 22, 2007, p. 28; L. Greenemeier, “Maxxed Out,” InformationWeek, February 5, 2007, pp. 29–30; C. McCarthy, “T. J. Maxx Probe Finds Broader Hacking,” February 22, 2007; E. Schuman, “Massachusetts Leads National TJX Data Probe,” eWeek, February 7, 2007; E. Schuman, “TJX: Data Theft Began in 2005; Data Taken from 2003,” eWeek, February 21, 2007; E. Schuman, “Stolen TJX Data Used in $8M Scheme Before Breach Discovery,” eWeek, March 21, 2007; B. Brenner, “Mistakes to the Maxx,” Information Security, March 2007; L. Greenemeier, “TJX Breach Hits Wal-Mart,” InformationWeek, March 26, 2007; E. Schuman, “TJX Intruder Had Retailer’s Encryption Key,” eWeek, March 29, 2007; E. Sutherland, “Data Breach Lawsuits Pile up on TJX,” February 2, 2007.

    64                Chapter 3 – Ethics, Privacy, and Information Security

3.1 ETHICAL ISSUES
Ethics refers to the principles of right and wrong that individuals use to make choices to guide their behaviours. Deciding what is right or wrong is not always easy or clear-cut. For this reason, many companies and professional organizations develop their own codes of ethics. A code of ethics is a collection of principles intended to guide decision making by members of the organization. For example, the Association for Computing Machinery, an organization of computing professionals, has a thoughtful code of ethics for its members.

Fundamental tenets of ethics include responsibility, accountability, and liability. Responsibility means that you accept the consequences of your decisions and actions. Accountability provides for a determination of who is responsible for actions that were taken. Liability is a legal concept implying that individuals have the right to recover the damages done to them by other individuals, organizations, or systems.

Before we go any further, it is very important to realize that what is unethical is not necessarily illegal. In most instances, an individual or organization faced with an ethical decision is not considering whether to break the law. This does not mean, however, that ethical decisions do not have serious consequences for individuals, organizations, or society at large.

Unfortunately, during the last few years we have seen a large number of extremely poor ethical decisions, not to mention outright criminal behaviour. Three of the most highly publicized fiascos in the U.S. occurred at Enron Corporation (now Enron Creditors Recovery Corporation), WorldCom (now MCI Inc.), and Tyco International. At each company, executives were convicted of various types of fraud using illegal accounting practices. These illegal acts resulted, at least in part, in the passage of the Sarbanes-Oxley Act in 2002 in the United States. This law requires that public companies implement financial controls and that, to ensure accountability, executives must personally certify financial reports. Similar problems occurred in Canada at companies like Nortel and Southam. In Canada, Bill 198, the Budget Measures Act, imposes similar requirements on management.

Improvements in information technologies are causing an increasing number of ethical problems. Computer processing power doubles about every 18 months, meaning that organizations are more dependent than ever before on their information systems. Increasing amounts of data can be stored at decreasing cost, meaning that organizations can store more data on individuals for longer amounts of time. Computer networks, particularly those using the Internet, enable organizations to collect, integrate, and distribute enormous amounts of information on individuals, groups, and institutions. As a result, ethical problems are arising about the appropriate use of customer information, personal privacy, and the protection of intellectual property.

All employees have a responsibility to encourage the ethical use of information and information technology. Most, if not all, of the business decisions you will face at work will have an ethical dimension. Consider these decisions you might have to make:

• Should your organization monitor employees’ web surfing and e-mail?
• Should your organization sell customer information to other companies?
• Should your organization audit employees’ computers for unauthorized software or illegally downloaded music or video files?

                                                                                                   Section 3.1 – Ethical Issues        65

The diversity and ever-expanding use of IT applications have created a variety of ethical issues. These issues fall into four general categories: privacy, accuracy, property, and accessibility.

1. Privacy issues involve the collection, storage, and dissemination of information about
2. Accuracy issues involve the authenticity, integrity, and accuracy of information that is collected and processed.
3. Property issues involve the ownership and value of information.
4. Accessibility issues revolve around who should have access to information and whether they should have to pay for this access.

Table 3.1 lists representative questions and issues for each of these categories. In addition, Online Appendix W3.1 presents 14 ethics scenarios for you to consider. These scenarios will provide a context for you to consider situations that involve ethical or unethical behaviour. In the next section, we discuss privacy issues in more detail. We cover property issues later in this chapter.

TABLE 3.1

PRIVACY ISSUES
• What information about oneself should an individual be required to reveal to others?
• What kind of surveillance can an employer use on its employees?
• What types of personal information can people keep to themselves and not be forced to reveal to others?
• What information about individuals should be kept in databases, and how secure is the information there?

ACCURACY ISSUES
• Who is responsible for the authenticity, integrity, and accuracy of the information collected?
• How can we ensure that the information will be processed properly and presented accurately to users?
• How can we ensure that errors in databases, data transmissions, and data processing are accidental and not
• Who is to be held accountable for errors in information, and how should the injured parties be compensated?

PROPERTY ISSUES
• Who owns the information?
• What are the just and fair prices for its exchange?
• How should one handle software piracy (copying copyrighted software)?
• Under what circumstances can one use proprietary databases?
• Can corporate computers be used for private purposes?
• How should experts who contribute their knowledge to create expert systems be compensated?

ACCESSIBILITY ISSUES
• How should access to information channels be allocated?
• Who is allowed to access information?
• How much should companies charge for permitting accessibility to information?
• How can accessibility to computers be provided for employees with disabilities?
• Who will be provided with the equipment needed for accessing information?
• What information does a person or an organization have a right or a privilege to obtain, under what conditions, and with what safeguards?


PROTECTING PRIVACY
In general, privacy is the right to be left alone and to be free of unreasonable personal intrusion. Information privacy is the right to determine when, and to what extent, information about yourself can be gathered or communicated to others. Privacy rights apply to individuals, groups, and institutions.

The definition of privacy can be interpreted quite broadly. However, court decisions in many countries have followed two rules fairly closely:

1. The right of privacy is not absolute. Privacy must be balanced against the needs of society.
2. The public’s right to know supersedes the individual’s right of privacy.

These two rules show why it is difficult in some cases to determine and enforce privacy regulations. The right to privacy is recognized today in all Canadian provinces and by the federal government through privacy legislation.

Rapid advances in information technologies have made it much easier to collect, store, and integrate data on individuals in large databases. On any given day, data is generated in many ways: surveillance cameras in public places and at work; credit card transactions; telephone calls (landline and cellular); banking transactions; queries to search engines; and government records (including police records). This data can be integrated to produce a digital dossier, which is an electronic description of a person’s habits. The process of forming a digital dossier is called profiling. This information also helps companies know their customers better, to achieve customer intimacy.

Data aggregators in the U.S., such as LexisNexis, ChoicePoint Inc., and Acxiom Corporation, are good examples of profilers. These companies collect public data such as real estate records and published telephone numbers, in addition to non-public information such as U.S. Social Security numbers (and Social Insurance numbers in Canada), financial data, and police, criminal, and motor vehicle records. Many Canadian organizations use large volumes of survey data to create and rent out targeted mailing lists such as Lifestyle Selector Canada, which has data on about a million Canadians. ICOM Information & Communications’ product Targetsource has North American data, including information on about two million Canadians. Statistics Canada, Canada’s national statistics agency, provides aggregated information about businesses and individuals.

Data aggregators integrate this data to form digital dossiers, or profiles, on adults in North America. They sell these dossiers to law enforcement agencies and companies conducting background checks on potential employees. They also sell the dossiers to companies that want to know their customers better, a process called customer intimacy.

ELECTRONIC SURVEILLANCE
Electronic surveillance is rapidly increasing, particularly with the emergence of new technologies. Monitoring is done by employers, the government, and other institutions.

In general, employees have very limited protection against surveillance by employers. The law supports the right of employers to read their employees’ e-mail and other electronic documents and to monitor their Internet use. Today, many organizations are monitoring employees’ Internet usage. Organizations also use software to block connections to inappropriate websites, a practice called URL filtering. Organizations are installing monitoring and filtering software to enhance security by stopping malicious software and to improve employee productivity by discouraging employees from wasting time.


In one organization, before deploying a URL filtering product, the chief information officer (CIO) monitored about 13,000 people for three months to determine the types of activities they engaged in on the network. He then passed the data to the chief executive officer (CEO) and the heads of the Human Resources and Legal departments. They were shocked at the questionable websites the employees were visiting, as well as the amount of time employees spent on those sites. The executives quickly made the decision to implement the filtering product.

Surveillance is also a concern for private individuals regardless of whether it is conducted by corporations, government bodies, or criminals. As a country we are still trying to determine the appropriate balance between personal privacy and electronic surveillance, especially where threats to national security are involved.

Information about individuals is being kept in many databases. Perhaps the most visible locations of such records are credit-reporting agencies. Other institutions that store personal information include: banks and financial institutions; cable TV, telephone, and utilities companies; employers; mortgage companies; hospitals; schools and universities; retail establishments; government agencies (Canada Revenue Agency, your province, your municipality); and many

There are several concerns about the information you provide to these record keepers. Some of the major concerns are:

• Do you know where the records are?
• Are the records accurate?
• Can you change inaccurate data?
• How long will it take to make a change?
• Under what circumstances will personal data be released?
• How is the data used?
• To whom is the data given or sold?
• How secure is the data against access by unauthorized people?

Every day we see more and more electronic bulletin boards, newsgroups, electronic discussion sites such as chat rooms, and social networking sites (discussed in Chapter 5). These sites appear on the Internet, within corporate intranets, and on blogs. A blog, short for weblog, is an informal, personal journal that is frequently updated and intended for general public reading. How does society keep the owners of bulletin boards from disseminating information that may be offensive to readers or simply untrue? This is a difficult problem because it involves the conflict between freedom of speech on the one hand and privacy on the other.

There is no better illustration of the conflict between free speech and privacy than the Internet. Some websites contain anonymous, derogatory information on individuals, who typically have little recourse in the matter.

Privacy policies or privacy codes are an organization’s guidelines with respect to protecting the privacy of customers, clients, and employees. In many corporations, senior management has
              begun to understand that when they collect vast amounts of personal information, they must
    68                  Chapter 3 – Ethics, Privacy, and Information Security

                        protect it. Many organizations provide opt-out choices for their customers. The opt-out model
                        of informed consent permits the company to collect personal information until the customer
                        specifically requests that the data not be collected. Privacy advocates prefer the opt-in model
                        of informed consent, where a business is prohibited from collecting any personal information
                        unless the customer specifically authorizes it.
                            The Platform for Privacy Preferences (P3P) (see was developed by the World
                        Wide Web Consortium, a group that creates standards for the web. P3P automatically communi-
                        cates privacy policies between an electronic commerce website and visitors to that site. P3P enables
                        visitors to determine the types of personal data that can be extracted by the websites they visit. It
                        also allows visitors to compare a website’s privacy policy to the visitor’s preferences or to other stan-
                        dards, such as the Canadian Standards Association (CSA) Model Code for the Protection of Personal
                        Information (see or the
                        European Union Directive on Data Protection.
                            Canada’s privacy legislation is called the Personal Information Protection and Electronic
                        Documents Act (PIPEDA). It became effective January 1, 2004. The legislation applies to businesses
                        and other organizations, such as non-profit organizations. PIPEDA is based upon the principles in
                        the Canadian Standards Association Model Code. As part of the legislation, organizations are
                        required to establish a privacy policy, as well as procedures to ensure that the policy is adhered to.
                            Table 3.2 provides a sampling of privacy policy guidelines. You can access Google’s Canadian
                        Privacy Policy at
                            Having a privacy policy in place can help organizations avoid legal problems. However, crim-
                        inals do not pay attention to privacy codes and policies, as IT’s About Business 3.1 shows.

              TABLE 3.2
              DATA COLLECTION
              • Data should be collected on individuals only for the purpose of accomplishing a legitimate business objective.
              • Data should be adequate, relevant, and not excessive in relation to the business objective.
              • Individuals must give their consent before data pertaining to them can be gathered. Such consent may be implied
                from the individual’s actions (for instance, in applications for credit, insurance, or employment).

              DATA ACCURACY
              • Sensitive data gathered on individuals should be verified before it is entered into the database.
              • Data should, where and when necessary, be kept current.
              • The file should be made available so the individual can ensure that the data is correct.
              • If there is disagreement about the accuracy of the data, the individual’s version should be noted and included with any
                disclosure of the file.

              • Computer security procedures should be implemented to ensure against unauthorized disclosure of data. These
                procedures should include physical, technical, and administrative security measures.
              • Third parties should not be given access to data without the individual’s knowledge or permission, except as required
                by law.
              • Disclosures of data, other than the most routine, should be noted and maintained for as long as the data is
              • Data should not be disclosed for reasons incompatible with the business objective for which it is collected.
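The opt-out and opt-in models of informed consent described earlier, together with the guidelines in Table 3.2, can be expressed as checks that a record store applies before it collects or releases personal data. The following Python example is added here and is not code from the textbook or from any real privacy product; the purpose map, the Consent and PersonalRecord types, the RecordStore class and the sample subjects are all constructed to illustrate the rules.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed purpose map: a collection objective and the uses compatible
# with it (Table 3.2: data must not be disclosed for reasons incompatible
# with the objective for which it was collected).
COMPATIBLE_PURPOSES = {
    "order_fulfilment": {"order_fulfilment", "customer_support"},
    "marketing": {"marketing"},
}


class PrivacyError(Exception):
    """Raised when a collection or disclosure would breach the policy."""


@dataclass
class Consent:
    model: str                      # "opt_in" or "opt_out"
    opted_in: set = field(default_factory=set)
    opted_out: set = field(default_factory=set)

    def permits(self, purpose: str) -> bool:
        # Opt-in: nothing is collected unless the individual authorized it.
        # Opt-out: collection proceeds until the individual objects.
        if self.model == "opt_in":
            return purpose in self.opted_in
        return purpose not in self.opted_out


@dataclass
class PersonalRecord:
    subject: str
    collected_for: str
    consent: Consent
    data: dict
    verified: bool = False          # sensitive data verified before entry
    dispute_note: str = ""          # the individual's version, if accuracy is disputed


class RecordStore:
    def __init__(self):
        self.records = {}
        self.disclosure_log = []    # non-routine disclosures are recorded here

    def collect(self, rec: PersonalRecord) -> None:
        if not rec.consent.permits(rec.collected_for):
            raise PrivacyError(f"{rec.subject}: no consent for {rec.collected_for}")
        if not rec.verified:
            raise PrivacyError(f"{rec.subject}: data not verified before entry")
        self.records[rec.subject] = rec

    def dispute(self, subject: str, note: str) -> None:
        """Record the individual's version when accuracy is disputed."""
        self.records[subject].dispute_note = note

    def disclose(self, subject, requester, purpose, *, routine=False,
                 subject_permission=False, required_by_law=False) -> dict:
        rec = self.records[subject]
        if purpose not in COMPATIBLE_PURPOSES.get(rec.collected_for, set()):
            raise PrivacyError(f"{purpose} is incompatible with {rec.collected_for}")
        third_party = requester != subject
        if third_party and not (subject_permission or required_by_law):
            raise PrivacyError(f"{requester}: third-party access without permission")
        if not routine:
            self.disclosure_log.append({"date": date.today().isoformat(),
                                        "subject": subject, "to": requester,
                                        "purpose": purpose})
        payload = dict(rec.data)
        if rec.dispute_note:        # the disputed version travels with every disclosure
            payload["dispute_note"] = rec.dispute_note
        return payload


def run_demo() -> dict:
    """Exercise the rules with two constructed subjects and return the outcomes."""
    store = RecordStore()
    outcomes = {}
    alice = PersonalRecord("alice", "order_fulfilment", Consent("opt_out"),
                           {"address": "1 Main St"}, verified=True)
    bob = PersonalRecord("bob", "marketing", Consent("opt_in"),
                         {"email": "bob@example.test"}, verified=True)
    store.collect(alice)                        # opt-out: allowed until she objects
    outcomes["alice_collected"] = "alice" in store.records
    try:
        store.collect(bob)                      # opt-in with nothing authorized
        outcomes["bob_collected"] = True
    except PrivacyError:
        outcomes["bob_collected"] = False
    store.dispute("alice", "address should be 2 Main St")
    outcomes["support"] = store.disclose("alice", "support_team", "customer_support",
                                         subject_permission=True)
    for name, kwargs in [("marketing", dict(purpose="marketing", subject_permission=True)),
                         ("no_permission", dict(purpose="customer_support"))]:
        try:
            store.disclose("alice", "partner_co", **kwargs)
            outcomes[name] = "allowed"
        except PrivacyError:
            outcomes[name] = "refused"
    outcomes["log_entries"] = len(store.disclosure_log)
    return outcomes
```

Two of the refusals are worth noting: the marketing disclosure is refused even though Alice gave permission, because marketing is not a purpose compatible with the objective her data was collected for, and the support disclosure to a third party without her permission is refused regardless of purpose. Only the permitted, non-routine disclosure lands in the disclosure log.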
               IT’S ABOUT BUSINESS 3.1

               LexisNexis ( and, a $2 billion international data aggregator, collects and integrates
               information from public sources such as telephone books and real estate records and non-public
               sources such as criminal records and financial institutions. It has data on millions of people,
               even their Social Insurance numbers. This information is very valuable, both to black-market
               operators who promote identity theft, and to the company’s 4.5 million legitimate customers,
               including direct marketers and law enforcement agencies.
                   In 2005, the personal records of 310,000 individuals, including names, U.S. Social Security
               numbers, and driver’s licence numbers, were stolen from LexisNexis databases in 59 separate
               incidents. The theft unfolded in this manner.
                   A group of hackers sent out an e-mail promising an attached file of pornographic images.
               Among those who responded were an employee in a police department in Florida and one in a
               constable’s office in Texas. When they clicked on the attachment, they unknowingly downloaded
               keystroke logging software (also called keylogging software or keyloggers) onto their
               computers. The software tracked their every keystroke and click of the mouse. Like personnel in
               many police departments, the employees had accounts with LexisNexis to obtain background
               information on criminal suspects. When the employees signed in to their accounts, the hackers
               captured their passwords and user names.
                   The problem wasn’t discovered until weeks later. One of the police departments involved
               spotted a heavier than usual amount of activity on its LexisNexis account and notified the
               company. LexisNexis contacted U.S. federal government authorities and the media. LexisNexis
               notified the people whose personal data had been stolen and provided a consolidated credit
               report and credit monitoring services for each of them. The company provided credit counsellors
               and $20,000 worth of identity theft insurance to anyone who ultimately became a victim of fraud
               as a result of the theft.
                   The real lesson learned by LexisNexis was that hackers can use ingenious ways to get inside
               an internal network. Organizations need to protect not only their own data networks, but those
               of customers and business partners. Therefore, LexisNexis had to address the vulnerabilities on
               the edges of its network by making its customers more secure. This effort represented a major
               challenge, however, because the company’s network included more than 4.5 million customers
               and business partners, many of whom came from government agencies.
                   As a result, the company implemented the LexisNexis Customer Security Program, which is
               designed to push more of the burden for the security of LexisNexis’ information to its customers.
               The program consists of several action items, which include more stringent login requirements,
               monthly user verification, and restricted access to full Social Security numbers and driver’s
               licence information.

               Sources: Compiled from D. Briody, “Lexis-Nexis: Ground Zero for War vs. Data Thieves,” CIO Insight,
               September 5, 2005; E. Nee, “Making Legitimate Business from Data Theft,” CIO Insight, September 5,
               2005; B. Krebs, “Five Arrested in Theft of LexisNexis Data,” Washington Post, July 1, 2006; J. Kirk,
               “LexisNexis Finds Disclosure Meant Less Pain in Data Theft,” Information Security News, April 25,
               2006; “LexisNexis in the Security Hot Seat,” Baseline Magazine, June 1, 2006.

               QUESTIONS
               1. Should LexisNexis be held legally liable for security breaches outside its perimeter? Support
                  your answer.
               2. Do you think that the LexisNexis Customer Security Program is sufficiently powerful to reduce
                  security breaches that occur through its customers? Why or why not?
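The breach in IT’s About Business 3.1 was noticed only when one police department spotted heavier than usual activity on its LexisNexis account, weeks after the credentials were captured. The following Python example, added here and not part of the case or of any LexisNexis system, shows how a service provider could automate that observation on its own side: it counts lookups per account per day from a log and flags any day that is far above the account’s own history. The log format, the account names and the daily counts are all constructed.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: one line per lookup made on a subscriber account,
# in the assumed format "<date> <account> <lookup_type>". Seven normal days
# are followed by a day on which one account is suddenly used 40 times.
NORMAL_DAYS = ["2005-02-0%d" % d for d in range(1, 8)]
SAMPLE_LOG = ""
for _day, _n in zip(NORMAL_DAYS, [3, 2, 4, 3, 2, 3, 4]):
    SAMPLE_LOG += f"{_day} pd-florida-01 background\n" * _n
    SAMPLE_LOG += f"{_day} constable-texas-07 background\n" * 5
SAMPLE_LOG += "2005-02-08 pd-florida-01 background\n" * 40
SAMPLE_LOG += "2005-02-08 constable-texas-07 background\n" * 6


def daily_counts(log_text: str) -> dict:
    """Return {account: Counter({date: count})} from the raw log lines."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        day, account, _lookup_type = line.split()
        counts[account][day] += 1
    return counts


def flag_spikes(counts: dict, *, factor=3.0, min_events=10, min_history=5) -> list:
    """Flag (account, day) pairs whose count is far above that account's own
    history. The baseline is the median of earlier days, which one or two
    busy days cannot drag upward the way a mean would; accounts with too
    little history are skipped rather than compared against nothing, and
    min_events keeps a jump from 1 lookup to 4 from raising an alert."""
    alerts = []
    for account, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue
            baseline = median(history)
            count = per_day[day]
            if count >= min_events and count > factor * baseline:
                alerts.append({"account": account, "day": day,
                               "count": count, "baseline": baseline})
    return alerts


def run_demo() -> list:
    """Run the detector over the constructed log and return its alerts."""
    return flag_spikes(daily_counts(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(f"{alert['day']} {alert['account']}: {alert['count']} lookups "
              f"(baseline {alert['baseline']})")
```

Comparing each account against its own history is what makes this usable across 4.5 million customers with very different normal volumes: the Texas account's rise from five lookups to six is ignored, while the Florida account's jump from about three to forty is flagged on the first day it happens rather than weeks later. In practice the provider would confirm such an alert with the customer, which is the kind of monthly user verification the Customer Security Program describes.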

              As the number of online users has increased globally, governments have enacted a large num-
              ber of inconsistent privacy and security laws. This highly complex global legal framework is caus-
              ing regulatory problems for companies. Approximately 50 countries have some form of data
              protection law. Many of these laws conflict or require specific security measures. Other coun-
              tries have no privacy laws at all.
                 The absence of consistent or uniform standards for privacy and security obstructs the flow
              of information among countries. The European Union (EU), for one, has taken steps to over-
              come this problem. In 1998 the European Community Commission (ECC) issued guidelines to
              all its member countries regarding the rights of individuals to access information about them-
              selves. The EU data protection laws are similar to Canadian laws, but stricter than U.S. laws
              and therefore may create problems for U.S.-based multinational corporations, which may face
                      lawsuits for privacy violation unless they follow the “Safe Harbor” framework that was jointly
                      developed between the U.S. and the EU (see
                            The transfer of data in and out of a nation without the knowledge of either the authorities
                      or the individuals involved raises a number of privacy issues. Whose laws have jurisdiction when
                      records are stored in a different country for reprocessing or retransmission purposes? For exam-
                      ple, if data is transmitted by a Polish company through a Canadian satellite to a British corpo-
                      ration, which country’s privacy laws control the data, and when? Questions like these will
                      become more complicated and frequent as time goes on. Governments must make an effort to
                      develop laws and standards to cope with rapidly changing information technologies in order to
                      solve some of these privacy issues.

                       BEFORE YOU GO ON...
                       1.   Define ethics, and list its four categories as they apply to IT.
                       2.   Describe the issue of privacy as it is affected by IT.
                       3.   What does a code of ethics contain?
                       4.   Describe the relationship between IT and privacy.

                      A number of factors are contributing to the increasing vulnerability of organizational informa-
                      tion assets. Before we discuss these factors, we list them here:

                      • today’s interconnected, interdependent, wirelessly networked business environment;
                      • government legislation;
                      • smaller, faster, cheaper computers and storage devices;
                      • decreasing skills necessary to be a computer hacker;
                      • international organized crime taking over cybercrime;
                      • downstream liability;
                      • increased employee use of unmanaged devices; and
                      • lack of management support.

                            The first factor is the evolution of the information technology resource from mainframe-only
                      to today’s highly complex, interconnected, interdependent, wirelessly networked business envi-
                      ronment. The Internet now enables millions of computers and computer networks to freely and
                      seamlessly communicate with one another. Organizations and individuals are exposed to a
                      world of untrusted networks and potential attackers. A trusted network, in general, is any net-
                      work within your organization that is adequately protected. An untrusted network, in general, is
                      any network external to your organization. In addition, wireless technologies enable employ-
                      ees to compute, communicate, and access the Internet anywhere and any time. Making mat-
                      ters worse, wireless is an inherently non-secure broadcast communications medium.
                            The second factor, governmental legislation, dictates that many types of information must
                      be protected by law. In Canada, PIPEDA applies to customer information that is collected by busi-
                      nesses or non-profit organizations. Each province also has a health privacy act, normally called
                      a Personal Health Information Protection Act (PHIPA), that protects medical records and other
                      individually identifiable health information.
                                                                         Section 3.2 – Threats to Information Security   71

                 The third factor results from the fact that modern computers and storage devices (such as
              thumb drives or flash drives) are becoming smaller, faster, cheaper, and more portable, with
              greater storage capacity. These characteristics make it much easier to steal or lose a computer
              or storage device that contains huge amounts of sensitive information. Also, far more people
              are able to afford powerful computers and connect inexpensively to the Internet, thus raising
              the potential of an attack on information assets.
                 The fourth factor is that the computing skills necessary to be a hacker are decreasing. The
              reason for this is that the Internet contains information and computer programs called scripts,
              which even relatively unskilled users can download and use to attack any information system
              connected to the Internet.
                 The fifth factor is that international organized crime is taking over cybercrime. Cybercrime
              refers to illegal activity taking place over computer networks, particularly the Internet. For exam-
              ple, cyberextortion occurs when individuals attack an organization’s website, and then demand
              money from the website owners to call off the attack.
                 iDefense Labs ( is an international company that specializes in provid-
              ing security information to governments, financial services firms, and other large companies.
              The company states that groups of well-organized criminals have taken control of a global
              billion-dollar crime network. The network, powered by skillful hackers, targets known software
              security weaknesses. These crimes are typically non-violent, but quite lucrative. For example,
              the losses from armed robberies average hundreds of dollars and those from white collar crimes
              average tens of thousands of dollars. In contrast, losses from computer crimes average hundreds
              of thousands of dollars. Also, these crimes can be committed from anywhere in the world, at
              any time, effectively providing an international safe haven for cybercriminals. Computer-based
              crimes cause billions of dollars in damages to businesses each year, including the costs to repair
              information systems and the costs of lost business.
                 The sixth factor is downstream liability. Downstream liability occurs in this manner. If com-
              pany A’s information systems were compromised by a perpetrator and used to attack compa-
              ny B’s systems, then company A could be liable for damages to company B. Note that company
              B is “downstream” from company A in this attack scenario. A downstream liability lawsuit
              would put company A’s security policies and operations on trial. Under tort law, the plaintiff
              (injured party or company B) would have to prove that the offending company (company A)
              had a duty to keep its computers secure and failed to do so, as measured against generally
              accepted standards and practices.
                 Legal experts think it is only a matter of time before victims of computer crime start suing
              the owners of systems and networks used as launchpads in cyberattacks. Information securi-
              ty’s first downstream liability lawsuit will likely come from a catastrophe. For example, an online
              retailer may be hit with a devastating attack that disrupts its business.
                 At some point, all companies will have some minimal set of standards they have to meet
              when operating information systems that connect to the Internet and when accessing or
              collecting customer information. The models already exist in the form of regulations and laws
              (such as PIPEDA in Canada). In the U.S. the Gramm-Leach-Bliley Act mandates the disclosure of
              security breaches. Such legislation does not exist in Canada.
                 Contractual security obligations, particularly service level agreements (SLAs), which spell out
              very specific requirements, might also help establish a security standard. Courts or legislatures
              could cite typical SLA terms, such as maintaining up-to-date antivirus software, implementing
                      software patches on a timely basis, and the use of adequate firewalls in crafting minimum secu-
                      rity responsibilities.
                           A company being sued for downstream liability will have to convince a judge or jury that its
                      security measures were reasonable. That is, the company must demonstrate that it had prac-
                      tised due diligence in information security. Due diligence can be defined in part by what your
                      competitors are doing that defines best practices.
                           Verizon, a carrier that provides long distance, data and Internet services, learned about due
                      diligence in April 2003, when the Maine Public Utilities Commission in the U.S. rejected its request
                      for relief from $62,000 in fees owed to local carriers after the SQL Slammer Worm shut down its
                      networks. Verizon had applied for a steep break on the fees owed under its service agreement,
                      arguing that the worm “was an event that was beyond its control” (like a lightning strike). The
                      commission’s rejection rested, in part, on comments submitted by then-competitors WorldCom
                      and AT&T. They handled Slammer with minimal interruption, they said, because they did a bet-
                      ter job patching their systems than Verizon did. Why should Verizon, or potentially any compa-
                      ny, be an exception?
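The SLA terms the text cites (up-to-date antivirus software, timely patches, adequate firewalls) are concrete enough to be checked automatically, and a report of that kind is also how a company would show the due diligence the Verizon case turns on. The following Python example is added here and is not from the textbook: it evaluates a constructed host inventory against constructed SLA thresholds and reports which hosts fail which terms. The thresholds, host names and dates are illustrative assumptions.

```python
from datetime import date

# Constructed SLA terms modelled on the ones the text names: antivirus kept
# current, patches applied on a timely basis, a firewall in place.
SLA = {
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
    "firewall_required": True,
}

# Constructed inventory snapshot, as a patch or antivirus management console
# might export it. None means the host has never been patched or updated.
INVENTORY = [
    {"host": "db-01", "last_patch": "2003-03-20", "av_signatures": "2003-04-10", "firewall": True},
    {"host": "db-02", "last_patch": "2002-11-05", "av_signatures": "2003-04-10", "firewall": True},
    {"host": "web-01", "last_patch": "2003-04-01", "av_signatures": "2003-03-01", "firewall": False},
    {"host": "kiosk-03", "last_patch": None, "av_signatures": None, "firewall": False},
]


def age_days(as_of: date, iso_date) -> float:
    """Days since iso_date; None (never) is treated as infinitely old so that
    a host with no patch history fails the term instead of slipping through."""
    if iso_date is None:
        return float("inf")
    return (as_of - date.fromisoformat(iso_date)).days


def check_host(host: dict, sla: dict, as_of: date) -> list:
    """Return the list of SLA terms the host fails (an empty list means compliant)."""
    failures = []
    if age_days(as_of, host["last_patch"]) > sla["max_patch_age_days"]:
        failures.append("patches")
    if age_days(as_of, host["av_signatures"]) > sla["max_av_signature_age_days"]:
        failures.append("antivirus")
    if sla["firewall_required"] and not host["firewall"]:
        failures.append("firewall")
    return failures


def compliance_report(inventory: list, sla: dict, as_of: date) -> dict:
    """Evaluate every host and summarize the share that meets all terms."""
    report = {h["host"]: check_host(h, sla, as_of) for h in inventory}
    compliant = sum(1 for failures in report.values() if not failures)
    return {"as_of": as_of.isoformat(), "hosts": report,
            "compliant_pct": round(100.0 * compliant / len(inventory), 1)}


def run_demo() -> dict:
    """Evaluate the constructed inventory as of a constructed date."""
    return compliance_report(INVENTORY, SLA, date(2003, 4, 15))


if __name__ == "__main__":
    result = run_demo()
    for host, failures in result["hosts"].items():
        print(host, "compliant" if not failures else "fails: " + ", ".join(failures))
    print("compliant:", result["compliant_pct"], "%")
```

A report like this, kept over time, is evidence that a company measured itself against the standard its competitors were meeting; a patch-age threshold is a coarse proxy, and a stricter check would compare each host against the release date of the specific patches it is missing, which is closer to the argument WorldCom and AT&T made about Slammer.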
                           The seventh factor is the increased employee use of unmanaged devices—devices that are
                      outside the control of an organization’s IT department. These include customer computers, busi-
                      ness partners’ mobile devices, computers in the business centres of hotels, and many others.
                           The eighth, and final, factor is management support. For the entire organization to take secu-
                      rity policies and procedures seriously, senior managers must set the tone. Ultimately, however,
                      lower-level managers may be even more important. These managers are in close contact with
                      employees every day and thus are in a better position to determine whether employees are
                      following security procedures.
                           Before we discuss the many threats to an organization’s information resources, let’s look at
                      some key terms. Organizations have many information resources (for example, computers and
                      the information on them, information systems and applications, databases, and so on). These
                      resources are subject to a huge number of threats. A threat to an information resource is any
                      danger to which a system may be exposed. The exposure of an information resource is the harm,
                      loss, or damage that can result if a threat compromises that resource. A system’s vulnerability
                      is the possibility that the system will suffer harm by a threat. Risk is the likelihood that a threat
                      will occur. Information systems controls are the procedures, devices, or software aimed at pre-
                      venting a compromise to the system. We discuss these controls in Section 3.3.
                           Information systems are vulnerable to many potential hazards or threats. Figure 3.1 illustrates
                      the major threats to the security of an information system. There are many threats, so the fol-
                      lowing outline should help you follow our discussion.

                      Michael Whitman and Herbert Mattord (2003) classified threats into five general categories to
                      enable us to better understand the complexity of the threat problem. Their categories are:

                      1. unintentional acts,
                      2. natural disasters,
                      3. technical failures,
                      4. management failures, and
                      5. deliberate acts.

                      We discuss the five threat categories in the next sections.

              FIGURE 3.1 Security threats.

              Unintentional acts are those with no malicious intent. There are three types of unintentional acts:
              human errors, deviations in the quality of service from service providers, and environmental
              hazards. Of these three types of acts, human errors are by far the most serious threats to infor-
              mation security.

              HUMAN ERRORS. Before we discuss the various types of human errors, we consider the different
              categories of organizational employees. The first category comprises regular employees, spanning
                      the breadth and depth of the organization, from mail clerks to the CEO, and in all functional areas.
                      There are two important points to be made about regular employees. First, the higher the level of
                      employee, the greater the threat the employee poses to information security. This situation exists
                      because higher-level employees typically have greater access to corporate data and enjoy greater
                      privileges on organizational information systems. Second, employees in two areas of the organi-
                      zation pose significant threats to information security: human resources and information sys-
                      tems. Human resources employees generally have access to sensitive personal information about
                      all employees. Likewise, information systems employees not only have access to sensitive organi-
                      zational data, but they often control the means to create, store, transmit, and modify that data.
                           The second category includes contract labour, consultants, and janitors and guards. Contract
                      labour, such as temporary hires, may be overlooked in information security. However, these
                      employees often have access to the company’s network, information systems, and information
                      assets. Consultants, while technically not employees, do work for the company. Depending on
                      the nature of their work, these people may also have access to the company’s network, infor-
                      mation systems, and information assets.
                           Finally, janitors and guards are the most frequently ignored people in information security.
                      Companies might outsource their security and janitorial services, meaning that, while these indi-
                      viduals technically are not employees, they nevertheless do work for the company. Moreover,
                      they are usually present when most—if not all—other employees have gone home. They typi-
                      cally have keys to every office, and nobody questions their presence in even the most sensitive
                      parts of the building.
                           Human errors or mistakes by employees pose a large problem as the result of laziness, care-
                      lessness, or a lack of information security awareness. This lack of awareness comes from poor
                      education and training efforts by the organization. Human mistakes manifest themselves in
                      many different ways, as we see in Table 3.3.
                           The human errors we have just discussed are unintentional on the part of the employee.
                      However, employees can also make mistakes as a result of deliberate actions by an attacker. Such
                      deliberate actions are called social engineering and reverse social engineering.

                      Social engineering is an attack in which the perpetrator uses social skills to trick or manipu-
                      late a legitimate employee into providing confidential company information such as passwords.
                      The most common example of social engineering occurs when the attacker impersonates some-
                      one else on the telephone, such as a company manager or information systems employee. The
                      attacker says he forgot his password and asks the legitimate employee to give him a password
                      to use. Other common exploits include posing as an exterminator, air conditioning technician,
                      or fire marshal. Examples of social engineering abound.
                           In one company, a perpetrator entered a company building wearing a company ID card that
                      looked legitimate. He walked around and put up signs on bulletin boards saying, “The help desk
                      telephone number has been changed. The new number is 555-1234.” He then exited the build-
                      ing and began receiving calls from legitimate employees thinking they were calling the compa-
                      ny help desk. Naturally, the first thing the perpetrator asked for was user name and password.
                      He now had the information necessary to access the company’s information systems.
                           In another company, an attacker loaded a Trojan horse program (discussed later in this chapter)
                      on 20 thumb drives. The Trojan horse was designed to collect passwords and login information
               TABLE 3.3
               HUMAN MISTAKES
               • Tailgating: A technique designed to allow the perpetrator to enter restricted areas that are
                 controlled with locks or card entry. The perpetrator follows closely behind a legitimate employee
                 and, when the employee gains entry, asks them to “hold the door.”
               • Shoulder surfing: The perpetrator watches the employee’s computer screen over that person’s
                 shoulder. This technique is particularly successful in public areas such as airports, commuter
                 trains, and on airplanes.
               • Carelessness with laptops: Losing laptops, misplacing laptops, leaving them in taxis, and so on.
               • Carelessness with portable devices: Losing or misplacing these devices, or using them carelessly
                 so that malware is introduced into an organization’s network.
               • Opening questionable e-mails: Opening e-mails from someone unknown, or clicking on links
                 embedded in e-mails (see phishing attacks, Table 3.4).
               • Careless Internet surfing: Accessing questionable websites; can result in malware and/or alien
                 software being introduced into the organization’s network.
               • Poor password selection and use: Choosing and using weak passwords (see strong passwords, p. 87).
               • Carelessness with one’s office: Unlocked desks and filing cabinets when employees go home at
                 night; not logging off the company network when away from the office for any extended period
                 of time.
               • Carelessness using unmanaged devices: Unmanaged devices are those outside the control of an
                 organization’s IT department and company security procedures. These devices
                                                              include computers belonging to customers and business partners,
                                                              computers in the business centres of hotels, and computers in retail
               Carelessness with discarded equipment          Discarding old computer hardware and devices without completely
                                                              wiping the memory. This includes computers, cell phones,
                                                              BlackBerrys, and digital copiers and printers.

              from an employee’s computer and then e-mail the information to the attacker. Early one morn-
              ing, he scattered the thumb drives in the parking lots, designated smoking areas, and near walk-
              ways of the target company. Employees found 15 of the drives and plugged them into company
              computers without first scanning them with security software. The Trojan horse software trans-
              mitted their user names and passwords to the attacker and enabled him to compromise addi-
              tional systems in the company.
                 In social engineering, the attacker approaches legitimate employees. In reverse social engi-
              neering, the employees approach the attacker. For example, the attacker gains employment at
              a company and, in informal conversations with his co-workers, lets it be known that he is “good
              with computers.” As is often the case, they ask him for help with their computer problems. While
              he is helping them, he loads Trojan horses on their computers, which e-mail him with their pass-
              words and information about their machines.

DEVIATIONS IN QUALITY OF SERVICE
This category consists of situations in which a product or service is not delivered to the organization as expected. There are many examples of such deviations in quality of service. For example, heavy equipment at a construction site severs a fibre optic line to your building or your Internet service provider has availability problems. Organizations may also experience service disruptions from various providers, such as communications, electricity, telephone, water, wastewater, garbage pickup, cable, and natural gas.

                      ENVIRONMENTAL HAZARDS
                      Environmental hazards include dirt, dust, humidity, and static electricity. These hazards are
                      harmful to the safe operation of computing equipment.

NATURAL DISASTERS
Natural disasters include floods, earthquakes, hurricanes, tornadoes, lightning, and in some cases, fires. In many cases, such weather disturbances can cause catastrophic loss of systems and data. To avoid such losses, companies must engage in proper planning for backup and recovery of information systems and data, a topic we discuss later in this chapter.

TECHNICAL FAILURES
Technical failures include problems with hardware and software. The most common hardware problem is the crash of a hard disk drive. Another notable hardware problem occurred when Intel released a Pentium chip with a defect that caused the chip to perform some mathematical calculations incorrectly.

The most common software problem is errors—bugs—in computer programs. Software bugs are so common that application programs or websites are dedicated to documenting them. For example, see and

MANAGEMENT FAILURES
Management failures involve a lack of funding for information security efforts and a lack of interest in those efforts. Such lack of leadership will cause the information security of the organization to suffer.

                      DELIBERATE ACTS
                      Deliberate acts by employees (i.e., insiders) account for a large number of information security
                      breaches. There are so many types of deliberate acts that we provide a brief list here to guide
                      our discussion of these acts in this section.

                      • espionage or trespass
                      • information extortion
                      • sabotage or vandalism
                      • theft of equipment or information
                      • identity theft
                      • compromises to intellectual property
                      • software attacks
                      • supervisory control and data acquisition (SCADA) attacks
                      • cyberterrorism and cyberwarfare

ESPIONAGE OR TRESPASS
Espionage or trespass occurs when an unauthorized person attempts to gain illegal access to organizational information. When we discuss trespass, it is important that we distinguish between competitive intelligence and industrial espionage. Competitive intelligence consists of legal information-gathering techniques, such as studying a company’s website and media releases, attending trade shows, and so on. In contrast, industrial espionage crosses the legal boundary and involves theft or illegal duplication of information assets.

INFORMATION EXTORTION
Information extortion occurs when an attacker either threatens to steal, or actually steals, information from a company. The perpetrator demands payment for not stealing the information, for returning stolen information, or for agreeing not to disclose the information.

SABOTAGE OR VANDALISM
Sabotage and vandalism are deliberate acts that involve defacing an organization’s website, possibly tarnishing the organization’s image and causing it to experience a loss of confidence by its customers. One form of online vandalism is a hacktivist or cyberactivist operation. These are cases of high-tech civil disobedience to protest the operations, policies, or actions of an organization or government agency.

The reasons for website defacement vary. One recent survey listed these reasons: just for fun; to be the best defacer; political reasons; and patriotism. In 2006, a Danish newspaper published a cartoon of Muhammad. This resulted in over 800 Danish websites being hacked into and defaced with messages relating to Islamic war. (For further information, see

THEFT OF EQUIPMENT OR INFORMATION
Computing devices and storage devices are becoming smaller yet more powerful with vastly increased storage (for example, laptops, BlackBerrys, personal digital assistants, smart phones, digital cameras, thumb drives, and iPods). As a result, these devices are becoming easier to steal and easier for attackers to use to steal information.

The uncontrolled proliferation of portable devices in companies has led to a type of attack called pod slurping. In pod slurping, perpetrators plug an iPod or other portable device into a USB port on a computer and download huge amounts of information very quickly and easily. An iPod, for example, can contain 60 gigabytes of storage and can download most of a computer’s hard drive in a matter of minutes.

Another form of theft, known as dumpster diving, involves the practice of rummaging through commercial or residential garbage to find information that has been discarded. Files, letters, memos, photographs, IDs, passwords, credit cards, and other forms of information can be found in dumpsters. Unfortunately, many people never consider that the sensitive items they throw in the garbage may be recovered. Such information, when recovered, can be used for fraudulent purposes.

Dumpster diving may or may not count as theft, because the legality of this act varies. Because dumpsters are usually located on private premises, dumpster diving is illegal in some parts of the country, although the law is enforced with varying degrees of rigour.

IDENTITY THEFT
Identity theft is the deliberate assumption of another person’s or an organization’s identity, usually to gain access to financial information and assets or to frame someone for a crime. Techniques for obtaining information include:

• stealing mail or dumpster diving,
• stealing personal information in computer databases,
• infiltrating organizations that store large amounts of personal information (e.g., data aggregators such as Acxiom,, and
• impersonating a trusted organization in an electronic communication (phishing).

The Office of the Privacy Commissioner of Canada provides instructions for businesses and individuals to help reduce their risk of identity theft (see
Additional information and articles are also available at the Better Business Bureau website

Recovering from identity theft is costly, time-consuming, and difficult. A survey by the Identity Theft Resource Center ( found that victims spent an average of 330 hours repairing the damage from identity theft. Victims reported difficulties in obtaining credit and obtaining or holding a job, as well as adverse effects on insurance or credit rates. In addition, victims stated that it was difficult to remove negative information from their records, such as their credit reports.

Your personal information can be compromised in other ways. For example, AOL released detailed keyword search data for approximately 658,000 anonymized users. AOL said that the release of the data, which amounted to about 20 million search queries, was an innocent attempt to help academic researchers interested in search queries. The data, which was mirrored on multiple websites, represented a random selection of searches conducted over a three-month period. It included user ID, the actual query, the time of the search, and the destination domain visited. In some cases, the data included personal names, addresses, and U.S. Social Security numbers. Although AOL apologized for the action and withdrew the site, the damage was done.

The ability to analyze all searches by a single user can enable a criminal to identify who the user is and what he or she is doing. To show how easy this is, The New York Times tracked down a particular person based solely on her AOL searches.

Once criminals have stolen personal information, they can use it in a variety of nefarious activities. One such activity, illustrated in IT’s About Business 3.2, is the “hack, pump, and dump”

COMPROMISES TO INTELLECTUAL PROPERTY
Protecting intellectual property is a vital issue for people who make their livelihood in knowledge fields. Intellectual property is the property created by individuals or corporations that is protected under trade secret, patent, and copyright laws.

A trade secret is an intellectual work, such as a business plan, or private product formulation, that is a company secret and is not based on public information. An example is a corporate strategic plan. A patent is a document that grants the holder exclusive rights on an invention or process for 20 years. Copyright is a statutory grant that provides the creators of intellectual property with ownership of the property for the life of the creator plus 50 years. Owners are entitled to collect fees from anyone who wants to copy the property.
The most common intellectual property related to IT deals with software. In Canada, the Canadian Copyright Act protects a variety of intellectual property, including written work. A computer program is considered to be a written work, as it is written instructions that are used to have the computer system perform specific functions. However, copyright law does not protect similar concepts, functions, and general features such as pull-down menus, colours, and icons. Under copyright law, copying a software program—including giving a disk to a friend to install on his or her computer—without making payment to the owner is a copyright violation. Not surprisingly, this practice, called piracy, is a major problem for software vendors. The global trade in pirated software amounts to hundreds of billions of dollars.

The Canadian Alliance Against Software Theft (CAAST, see is an organization representing the commercial software industry that promotes legal software and conducts research on software piracy in an attempt to eliminate it. CAAST is affiliated with the Business Software Alliance (BSA, see, which identifies Vietnam, China, Indonesia, Ukraine, and Russia as the countries with the highest percentage of illegal software compared with legal software. In those countries, more than 85 percent of the software used consists of illegal copies.

IT’S ABOUT BUSINESS 3.2

Criminals have discovered yet another way to steal money. They are combining phishing attacks, Trojan horses, and keyloggers to steal identities for use in investment fraud. The scheme works like this: hackers first gain the personal information of legitimate investors, including names, account numbers, passwords, and PINs. These criminals then hack into the investment accounts of unsuspecting investors, selling off their holdings in various companies to purchase shares in penny stocks. (A penny stock is a low-priced, speculative stock of a small company.) As they buy the penny stocks, the share price increases. After a short time, the hackers sell the penny stocks for a profit and transfer the money to offshore accounts.

Aleksey Karmardin, for example, used this scheme 14 times to defraud investors of more than $80,000. He and his accomplices allegedly hacked into four legitimate online trading accounts, sold their holdings, and purchased shares in a penny stock. The stock’s price went from 26 cents to 80 cents in less than a day. The hackers promptly sold the shares and moved the profits to an offshore account.

The fraud affects not only investors, but also companies whose stocks are pumped and then dumped. One firm had its stock price go from 88 cents to $1.28 in one day. The following day, the stock fell to 13 cents, where it remained. Subsequently, TD Ameritrade, an online broker, restricted online trade on the company’s stock. The company’s owner had planned to make a large acquisition, but the declining stock price forced a cancellation of the purchase.

In March 2007, U.S. federal regulators temporarily stopped stock trading in 35 companies that had inflated prices due to a variation on this scheme using spam e-mail. Rather than hacking into investment accounts, spam is sent to many potential investors telling them about the value of the stock. They invest, increasing the prices, and then lose money when the stock price falls.

Sources: Compiled from M. Gordon, “35 Firms Suspended for E-mail ‘Spamming,’” Toronto Star, March 9, 2007, p. F8; E. Nakashima, “Hack, Pump, and Dump,” Washington Post, January 26, 2007; R. Naraine, “Pump and Dump Spam Surge Linked to Russian Bot Herders,” eWeek, November 16, 2006; J. Libbenga, “Pump and Dump Blues,” The Register, November 21, 2006; E. Sutherland, “Fraudsters Update Pump and Dump,” Internet News, January 31, 2007.

QUESTIONS
1. How can investors protect themselves from hack, pump, and dump schemes?
2. How can companies protect themselves from hack, pump, and dump schemes?
3. Should online brokers be held liable for hack, pump, and dump schemes? Why or why not?

SOFTWARE ATTACKS
Software attacks have evolved from the outbreak era, where malicious software tried to infect as many computers worldwide as possible, to the profit-driven, web-based attacks of today. Malware attacks can be used to make money as they use sophisticated, blended attacks typically via the web. Table 3.4 shows a variety of software attacks.

ALIEN SOFTWARE. Many personal computers have alien software (also called pestware) running on them that the owners do not know about. Alien software is clandestine software that is installed on your computer through duplicitous methods. Alien software is typically not as malicious as a virus, worm, or Trojan horse, but it does use up valuable system resources. In addition, it can report on your web surfing habits and other personal behaviour.

TABLE 3.4

Virus: Segment of computer code that performs malicious actions by attaching to another computer program.
Worm: Segment of computer code that performs malicious actions and will replicate, or spread, by itself (without requiring another computer program).
Trojan Horse: Software programs that hide in other computer programs and reveal their designed behaviour only when they are activated.
Back Door: Typically a password, known only to the attacker, that allows him or her to access a computer system at will, without having to go through any security procedures (also called trap door).
Logic Bomb: Segment of computer code that is embedded within an organization’s existing computer programs and is designed to activate and perform a destructive action at a certain time or date.

PASSWORD ATTACK
Dictionary Attack: Attacks that try combinations of letters and numbers that are most likely to succeed, such as all words from a dictionary.
Brute Force Attack: Attacks that use massive computing resources to try every possible combination of password options to uncover a password.

Denial-of-Service Attack: Attacker sends so many information requests to a target computer system that the target cannot handle them successfully and typically crashes (ceases to
Distributed Denial-of-Service (DDoS) Attack: An attacker first takes over many computers, typically by using malicious software. These taken-over computers are called zombies, or bots. The attacker uses these bots to deliver a coordinated stream of information requests (called a botnet) to a target computer, causing it to crash.
Phishing Attack: Phishing attacks use deception to acquire sensitive personal information by masquerading as official-looking e-mails or instant messages.
Zero-Day Attack: A zero-day attack takes advantage of a newly discovered, previously unknown vulnerability in a software product. Perpetrators attack the vulnerability before the software vendor can prepare a patch for the vulnerability.
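An added illustration, not code from the textbook, of the two password-attack classes in Table 3.4 and of why the weak passwords of Table 3.3 fall to them: a defender can run the same checks to reject a candidate password before an attacker ever tries it. The word list, the mutation rules and the guess rate are constructed assumptions.

```python
"""Dictionary attack vs. brute-force attack on a candidate password (constructed example)."""
import re
import string

# Constructed toy word list; a real attack list holds millions of entries (assumption).
DICTIONARY = {"password", "welcome", "summer", "letmein", "toronto", "hockey"}

# Common "leet" substitutions that dictionary attacks apply to (or undo on) list words.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

# Character classes used to size the brute-force search space.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)

_EDGE_NON_LETTERS = re.compile(r"^[^a-z]+|[^a-z]+$")


def dictionary_candidates(password: str) -> set:
    """Normalize a password the way a dictionary attack's mutation rules would: lowercase it,
    strip digits/symbols appended at either end, and undo leet substitutions."""
    base = password.lower()
    forms = {base, _EDGE_NON_LETTERS.sub("", base)}
    # Undo leet both before and after stripping: a trailing "1" may be an appended digit or an "i".
    forms |= {f.translate(LEET) for f in list(forms)}
    forms |= {_EDGE_NON_LETTERS.sub("", f) for f in list(forms)}
    return forms


def found_by_dictionary_attack(password: str) -> bool:
    """True if any mutation-normalized form of the password is a word in the attacker's list,
    i.e. the password would fall to the cheap attack, whatever its length."""
    return any(form in DICTIONARY for form in dictionary_candidates(password))


def brute_force_keyspace(password: str) -> int:
    """Number of candidates a brute-force attack must cover if it knows only the password's
    length and which character classes it uses (the attacker's best case)."""
    alphabet = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    return alphabet ** len(password)


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force attacker to try every candidate."""
    return keyspace / guesses_per_second


def assess(password: str, guesses_per_second: float = 1e10) -> dict:
    """Report which attack class recovers the password cheaply.
    1e10 guesses per second is a constructed figure for an offline attack, not a measurement."""
    keyspace = brute_force_keyspace(password)
    years = seconds_to_exhaust(keyspace, guesses_per_second) / (365 * 24 * 3600)
    return {
        "dictionary_hit": found_by_dictionary_attack(password),
        "keyspace": keyspace,
        "brute_force_years": years,
    }


if __name__ == "__main__":
    # "P@ssw0rd1!" has a huge brute-force keyspace but is a dictionary word once
    # its mutations are undone; only the random password resists both attacks.
    for pw in ("P@ssw0rd1!", "Toronto2007", "xq7!Lm2#pV9z"):
        print(pw, assess(pw))
```

The point a policy checker takes from this: length and character classes only raise the brute-force cost, while a list word with decorations added is still a dictionary hit.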

One clear indication that software is pestware is that it does not come with an uninstaller program. An uninstaller is an automated program that allows you to remove a particular software package systematically and entirely. The different types of alien software include adware, spyware, spamware, and cookies.

The vast majority of pestware is adware—software that is designed to help pop-up advertisements appear on your screen. The reason adware is so common is that it works. According to advertising agencies, for every 100 people who delete such an ad, three click on it. This “hit rate” is extremely high for Internet advertising.

Spyware is software that collects personal information about users without their consent. We discuss two types of spyware here: keystroke loggers and screen scrapers.

Keystroke loggers (also called key loggers) record your keystrokes and record your Internet web browsing history. The purposes range from criminal (for example, theft of passwords and sensitive personal information such as credit card numbers) to annoying (for example, recording your Internet search history for targeted advertising).

Companies have attempted to counter key loggers by switching to other forms of input for authentication. For example, rather than typing in a password, the user has to accurately select each character in turn from a series of boxes, using a mouse. As a result, attackers have turned to screen scrapers (or screen grabbers). This software records a continuous “movie” of a screen’s contents rather than simply recording keystrokes.

Spamware is pestware that is designed to use your computer as a launch pad for spammers. Spam is unsolicited e-mail, usually for the purpose of advertising products and services. When your computer is used this way, e-mails from spammers appear to come from you. Even worse, spam will be sent to everyone in your e-mail address book.

Not only is spam a nuisance, but it wastes time and money. Effective January 2005, over 83 percent of Internet traffic was estimated to be spam ( These costs come from productivity losses, clogged e-mail systems, additional storage, user support, and anti-spam software. Spam can also carry viruses and worms, making it even more

Cookies are small amounts of information that websites store on your computer, temporarily or more-or-less permanently. In many cases, cookies are useful and innocuous. For example, some cookies are passwords and user IDs that you do not have to retype every time you load a new page at the website that issued the cookie. Cookies are also necessary if you want to shop online, because they are used for your shopping carts at various online merchants.

Tracking cookies, however, can be used to track your path through a website, the time you spend there, what links you click on, and other details the company wants to record, usually for marketing purposes. Tracking cookies can also combine this information with your name, purchases, credit card information, and other personal data, to develop an intrusive profile of your spending habits.

Most cookies can be read only by the party that created them. However, some companies that manage online banner advertising are, in essence, cookie-sharing rings. These companies can track information such as which pages you load and which ads you click on. They then share this information with their client websites (which may number in the thousands).
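An added example, not code from the textbook, that models the cookie behaviour just described: a browser returns a cookie only to the host that set it, yet an advertising network embedded on many client sites gets its own cookie back from every one of them and can link the visits. The host names, the ad network and the browser model are constructed assumptions; the block also goes one step beyond the text by showing what blocking third-party cookies does to that linkage.

```python
"""Constructed simulation of cookie scoping and a cross-site advertising "cookie-sharing ring"."""
from dataclasses import dataclass, field
from typing import Optional

AD_HOST = "ads.example.net"  # constructed advertising-network host embedded on every site


@dataclass
class Cookie:
    name: str
    value: str
    domain: str  # host the cookie belongs to


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """A cookie is sent only to its own host or a subdomain of it (the domain-match rule
    browsers apply), which is why most cookies can be read only by the party that set them."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


@dataclass
class CookieJar:
    block_third_party: bool = False
    cookies: list = field(default_factory=list)

    def store(self, cookie: Cookie, top_level_host: str) -> bool:
        """Store a cookie set while the user is viewing top_level_host. The cookie is
        third-party when its domain is not the site the user is actually visiting."""
        third_party = not domain_matches(top_level_host, cookie.domain)
        if third_party and self.block_third_party:
            return False
        # Replace any existing cookie with the same name and domain.
        self.cookies = [c for c in self.cookies if (c.name, c.domain) != (cookie.name, cookie.domain)]
        self.cookies.append(cookie)
        return True

    def cookies_for(self, request_host: str) -> dict:
        """Cookies the browser attaches to a request for request_host."""
        return {c.name: c.value for c in self.cookies if domain_matches(request_host, c.domain)}


class AdNetwork:
    """What the advertising network observes on each ad request: the embedding site
    (the Referer) and the visitor-id cookie, if any, that the browser sent back."""

    def __init__(self) -> None:
        self.next_id = 1
        self.observations = []  # (embedding site, visitor id or None)

    def serve_ad(self, referer: str, cookies: dict) -> Optional[Cookie]:
        uid = cookies.get("uid")
        self.observations.append((referer, uid))
        if uid is None:
            # First sight of this browser: assign an id via Set-Cookie on the ad response.
            new_cookie = Cookie("uid", f"uid-{self.next_id}", AD_HOST)
            self.next_id += 1
            return new_cookie
        return None


def browse(sites: list, block_third_party: bool) -> dict:
    """Visit each site in order; each page sets its own session cookie and embeds an ad."""
    jar = CookieJar(block_third_party)
    network = AdNetwork()
    for site in sites:
        jar.store(Cookie("session", f"s-{site}", site), top_level_host=site)
        set_cookie = network.serve_ad(referer=site, cookies=jar.cookies_for(AD_HOST))
        if set_cookie is not None:
            jar.store(set_cookie, top_level_host=site)
    return {
        # Same uid on several sites means the network has linked those visits to one person.
        "observations": network.observations,
        # First-party isolation: only the last site's own session cookie is sent to it.
        "session_cookies_sent_to_last_site": jar.cookies_for(sites[-1]),
    }


if __name__ == "__main__":
    sites = ["news.example", "shop.example", "bank.example"]  # constructed client sites
    print("third-party cookies allowed:", browse(sites, block_third_party=False))
    print("third-party cookies blocked:", browse(sites, block_third_party=True))
```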

SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) ATTACKS
SCADA refers to a large-scale, distributed, measurement and control system. SCADA systems are used to monitor or to control chemical, physical, or transport processes such as oil refineries, water and sewage treatment plants, electrical generators, and nuclear power

SCADA systems consist of multiple sensors, a master computer, and communications infrastructure. The sensors connect to physical equipment. They read status data such as the open/closed status of a switch or a valve, as well as measurements such as pressure, flow, voltage, and current. By sending signals to equipment, sensors control that equipment, such as opening or closing a switch or valve or setting the speed of a pump.

The sensors are connected in a network, and each sensor typically has an Internet (Internet Protocol, or IP) address. (We discuss IP addresses in Technology Guide 4.) If an attacker can gain access to the network, he or she can disrupt the power grid over a large area or disrupt the operations of a large chemical plant. Such actions could have catastrophic results.

Although experts see little chance of a SCADA system being attacked, at least one such event has already occurred—in Australia in 2000. There, a disgruntled man who had been rejected for a job at a sewage-treatment plant hacked the plant’s pump control systems. He repeatedly sent torrents of effluent into nearby rivers and parks and at least one hotel.

                      With both cyberterrorism and cyberwarfare, attackers use a target’s computer systems, partic-
                      ularly via the Internet, to cause physical, real-world harm or severe disruption, usually with a
                      political agenda. Cyberterrorism and cyberwarfare range from gathering data to attacking crit-
                      ical infrastructure (via SCADA systems). We discuss the two synonymously here, even though
                      cyberterrorism typically involves individuals or groups, whereas cyberwarfare involves nations.
                           Terrorist groups around the world have expanded their activities on the Internet, increasing
                      the sophistication and volume of their videos and messages, in an effort to recruit new mem-
                      bers and raise money.
                            The Canadian Security Intelligence Service (CSIS) presents information on its website
                       about the potential use of the Internet by terrorists. CSIS speculates that as of 2006
                      there were more than 5,000 active terrorist websites. It is the Internet’s easy access and lack of
                      regulation that makes such sites possible.
                            CSIS believes that SCADA attacks are not a major cyberterrorism threat, but that distributed
                       denial-of-service attacks are a far greater threat. Such attacks can bring a website to a
                       temporary halt, or slow down the data communication systems of an organization or a
                       government, rendering them unable to respond effectively to an emergency. As IT’s About
                       Business 3.3 shows, a distributed denial-of-service attack can be difficult and expensive to
                       deal with.

                      WHAT COMPANIES ARE DOING
                      Why is it so difficult to stop cybercriminals? One reason is that the online commerce indus-
                      try is not particularly willing to install safeguards that would make it harder to complete trans-
                      actions. It would be possible, for example, to demand passwords or personal identification
                      numbers for all credit card transactions. However, these requirements might discourage peo-
                      ple from shopping online. Also, there may be little incentive for companies to share leads on
                      criminal activity either with one another or with the FBI. For credit card companies, it is like-
                      ly less expensive to block a stolen credit card and move on than to invest time and money on
                      a prosecution.
                           Despite these difficulties, the information security industry is battling back. Companies are
                      developing software and services that deliver early warnings of trouble on the Internet. Unlike
                      traditional antivirus software, which is reactive, early-warning systems are proactive, scanning
                      the web for new viruses and alerting companies to the danger.
                           And new systems are emerging in response to ever-more-effective virus writers. As virus writ-
                      ers become more expert, the gap between the time when they learn of vulnerabilities and when
                      they exploit them is closing quickly. Hackers are now producing new viruses and worms in a
                      matter of hours (see zero-day attacks).
                            Technicians at TruSecure Corporation and Symantec Corporation are working around
                       the clock to monitor web traffic. Symantec’s team
                      taps into 20,000 sensors placed at Internet hubs in 180 countries to spot e-mail and other data
                      packets that seem to be carrying viruses. TruSecure sends technicians posing as hackers into
              online virus-writer chat rooms to find out what they are planning. TruSecure boasts that it
              even contributed to the arrests of the authors of the Melissa, Anna Kournikova, and Love
              Letter viruses.

               IT’S ABOUT BUSINESS 3.3

               All this foreign software! It almost seems unsafe to be connected to the Internet. E-mails can
               have viruses, junk mail clogs our networks, and spyware spreads nasty software. Where is it all
               going to go?
                   If the source can be located, that company could be held liable. A Montreal-based distributor
               called Integrated Search Technologies was investigated by the Canadian Competition Bureau in
               response to a complaint that the company planted software that performed functions not
               documented in its promotional material. Unfortunately, there is no law in Canada against spyware,
               so prosecution could occur only if damage arose or if there was a misrepresentation by the
               company with respect to how private information was handled.
                   Spyware can be planted on any computing device—not just a computer. The worst spyware is
               the kind that obtains information on how to run your computer, and then takes over your
               computer. It uses it to attack another system by sending it thousands of messages, which can
               overload the target system and take it down. The investigation of one such distributed
               denial-of-service (DDoS) attack found that at one location, four of these computer bots were
               actually Hewlett-Packard JetDirect printer controllers.
                   So what do you do when your company, which has been operating a successful website and
               business for many years, suddenly struggles under terabytes of e-mail messages flooding the
               system over a period of a few minutes, bringing the system down? In Canada, you would call the
               computer crime unit of your local police force. You could also call someone in from the
               computer crimes investigation unit of the RCMP. They would likely tell you that, unfortunately,
               these crimes are frequent, and difficult to stop if you do not know where they are coming from
               or who is initiating them.
                   Likely, if your business is brought down by a DDoS attack, you will receive an extortion
               e-mail, asking for a large sum of money, with regular monthly payments to “prevent” such attacks
               in the future. But if you pay, how do you know they will not attack you again and then ask for
               an even larger amount?
                   There is specific technology and expertise available that can combat DDoS attacks, but it is
               expensive. Cisco Systems, Inc. sells something called a Cisco Guard DDoS mitigation appliance.
               This solution is sold together with software that monitors Internet traffic, so potential attacks
               can be detected early, and the offending traffic can be blocked. There are also software
               specialists who deal with DDoS attacks, such as the SANS Technology Institute and Prolexic
               Technologies Inc. What Prolexic does is take all of the company’s incoming data, analyze it, and
               then send “sanitized” or “scrubbed” data forward to the company. If a DDoS attack does occur,
               then there could be hundreds of thousands of messages arriving within seconds of each other,
               bringing the volume of data up well beyond what a normal Internet server could handle. High
               capacity computing power is needed to handle the peaks of the DDoS attacks.

               Sources: Compiled from G. Buckler, “Is Your Printer Spying on You?” The Globe and Mail, April 18,
               2007, p. B12; N. Carniol, “Probe of Software Firm Sought,” The Toronto Star, November 4, 2005,
               p. F1; J. MacDonald, “Attack of the Killer Bots,” Canadian Business, June 4, 2007, p. 51-52;
               accessed August 18, 2007.

               QUESTIONS
               1. Which websites would be most at risk for DDoS attacks? Why?
               2. Describe the activities that a business could perform to reduce the likelihood of a DDoS attack.
               3. Assume that it costs $25,000 to purchase a DDoS mitigation product and about $4,000 per month
                  to run the DDoS mitigation service. If you are a small company with only $10,000 in sales a
                  month from the Internet, and someone attacked your website, demanding $1,000 a month in
                  “insurance” so you would not be attacked again, what would you do? Why?
                 In addition, many companies hire information security experts to attack their own systems.
              These surprise attacks are called penetration tests or white hacking. A penetration test is a method
              of evaluating the security of an information system by simulating an attack by a malicious per-
              petrator. The idea is to proactively discover weaknesses before real attackers exploit them.
                 Despite the difficulties involved in defending against attacks, organizations spend a great deal
              of time and money protecting their information resources. We discuss these methods of pro-
              tection in the next section.

                       BEFORE YOU GO ON...
                       1. Give an example of one type of unintentional threat to a computer system.
                       2. Describe the various types of software attacks.
                       3. Describe the issue of intellectual property protection.

                      Before spending money to apply controls, organizations must perform risk management. As we dis-
                      cussed earlier in the chapter, a risk is the probability that a threat will impact an information resource.
                      The goal of risk management is to identify, control, and minimize the impact of threats. In other
                      words, risk management seeks to reduce risk to acceptable levels. There are three processes in risk
                      management: risk analysis, risk mitigation, and controls evaluation. We consider each one below.

                      RISK ANALYSIS
                      Risk analysis is the process by which an organization assesses the value of each asset being
                      protected, estimates the probability that each asset will be compromised, and compares the
                      probable costs of the asset’s being compromised with the costs of protecting that asset.
                      Organizations perform risk analysis to ensure that their information systems’ security programs
                      are cost effective. The risk analysis process prioritizes the assets to be protected based on each
                      asset’s value, its probability of being compromised, and the estimated cost of its protection. The
                      organization then considers how to mitigate the risk.
                           In risk mitigation, the organization takes concrete actions against risks. Risk mitigation has
                      two functions: (1) implementing controls to prevent identified threats from occurring and
                      (2) developing a means of recovery should the threat become a reality. There are several risk
                      mitigation strategies that organizations may adopt. The three most common are risk accept-
                      ance, risk limitation, and risk transference.

                      • Risk acceptance: Accept the potential risk, continue operating with no controls, and absorb
                           any damages that occur.
                      • Risk limitation: Limit the risk by implementing controls that minimize the impact of the threat.
                      • Risk transference: Transfer the risk by using other means to compensate for the loss, such
                           as by purchasing insurance.

                       In controls evaluation, the organization identifies security deficiencies and calculates the costs
                       of implementing adequate control measures. If the costs of implementing a control are greater
                       than the value of the asset being protected, then the control is not cost effective.
                           For example, an organization’s mainframe computers are too valuable for risk acceptance.
                      As a result, organizations limit the risk to mainframes through controls, such as access con-
                      trols. Organizations also use risk transference for their mainframes by purchasing insurance and
                      having off-site backups.
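The three risk-management processes above (risk analysis, risk mitigation, controls evaluation), worked through in Python as an added example that is not from the textbook. The assets, values, probabilities and costs are constructed figures, and the assumption that a control reduces the probability of compromise to a stated residual value is a simplification.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # loss if the asset is compromised (replacement cost, lost business)
    probability: float    # estimated annual probability that the asset is compromised
    control_cost: float   # annual cost of the control that would limit the threat
    residual: float       # probability of compromise that remains once the control is in place
    premium: float        # annual insurance premium that would transfer the loss


def expected_loss(asset, probability=None):
    """Risk analysis: probable cost of compromise = asset value x probability of compromise."""
    p = asset.probability if probability is None else probability
    return asset.value * p


def prioritize(assets):
    """Risk analysis: rank the assets to protect by probable cost of compromise, highest first."""
    return [a.name for a in sorted(assets, key=expected_loss, reverse=True)]


def annual_cost_by_strategy(asset):
    """Risk mitigation: what each of the three common strategies would cost per year."""
    return {
        # absorb whatever damage occurs, no controls
        "risk acceptance": expected_loss(asset),
        # pay for the control, plus the loss that the control does not prevent
        "risk limitation": asset.control_cost + expected_loss(asset, asset.residual),
        # pay someone else (e.g., an insurer) to carry the loss
        "risk transference": asset.premium,
    }


def control_is_cost_effective(asset):
    """Controls evaluation: a control that costs more than the asset is worth is not cost effective."""
    return asset.control_cost <= asset.value


def choose_strategy(asset):
    """Pick the cheapest strategy, never recommending a control that fails controls evaluation."""
    costs = annual_cost_by_strategy(asset)
    if not control_is_cost_effective(asset):
        del costs["risk limitation"]
    return min(costs, key=costs.get)


# Constructed sample assets (all figures are made up for the example).
MAINFRAME = Asset("mainframe", value=400_000, probability=0.25,
                  control_cost=30_000, residual=0.0625, premium=60_000)
LAPTOPS = Asset("sales laptops", value=80_000, probability=0.125,
                control_cost=12_000, residual=0.0, premium=8_000)
KIOSK = Asset("lobby kiosk", value=3_000, probability=0.5,
              control_cost=5_000, residual=0.0, premium=2_000)

if __name__ == "__main__":
    assets = [KIOSK, LAPTOPS, MAINFRAME]
    print("priority order:", prioritize(assets))
    for asset in assets:
        print(asset.name, annual_cost_by_strategy(asset), "->", choose_strategy(asset))
```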

                      The purpose of controls is to safeguard assets, optimize the use of the organization’s resources,
                      and prevent or detect errors or fraud. Organizations protect their systems using “layers” of
                      control systems. First comes the control environment, and then general controls, followed by
                      application controls. The control environment encompasses management attitudes toward con-
                      trols, as evidenced by management actions, as well as by stated policies and procedures that
              address ethical issues and the quality of supervision. Using the analogy of a house, the control
              environment provides the roof and walls of the house, the general controls provide the plumbing
              and electricity, while the application controls cover each room (functional area). General controls
              apply to more than one functional area. For example, passwords are general controls. Controls
              specific to one application, such as payroll, are application controls. A typical payroll applica-
              tion control would be the approval of payroll wage rates.
                 Information systems security encompasses all of the types of controls, as organizations need
              to have security policies and procedures, to protect all applications using physical and software
              controls such as anti-virus or firewalls, and to protect individual applications with controls over
              how information is entered and managed.
                 Because it is so important to the entire enterprise, organizing an appropriate defence system
              is one of the major activities of any prudent CIO and of the functional managers who control infor-
              mation resources. As a matter of fact, IT security is the business of everyone in an organization.
              The following is a list of the major difficulties involved in protecting information resources:

              • Hundreds of potential threats exist.
              • Computing resources may be situated in many locations.
              • Many individuals control information assets.
              • Computer networks can be located outside the organization and difficult to protect.
              • Rapid technological changes make some controls obsolete as soon as they are installed.
              • Many computer crimes go undetected for a long period of time, so it is difficult to learn from
              • People tend to violate security procedures because the procedures are inconvenient.
              • The amount of computer knowledge necessary to commit computer crimes is usually
                 minimal. As a matter of fact, one can learn hacking, for free, on the Internet.
              • The cost of preventing hazards can be very high. Therefore, most organizations simply can-
                 not afford to protect against all possible hazards.
              • It is difficult to conduct a cost-benefit justification for controls before an attack occurs
                 because it is difficult to assess the value of a hypothetical attack.

              Controls that protect information assets are called defence mechanisms or countermeasures.
              Security controls are designed to protect all of the components of an information system, includ-
              ing data, software, hardware, and networks.
                 Controls are intended to prevent accidental hazards, deter intentional acts, detect problems
              as early as possible, enhance damage recovery, and correct problems. Before we discuss con-
              trols in more detail, we emphasize that the single, most effective control is user education and
              training, leading to increased awareness of the vital importance of information security on the
              part of every organizational employee.
                 We will look at three categories of general controls: physical controls, access controls, and
              communications controls. Figure 3.2 illustrates these controls. Then, we will look at examples
              of application controls.

              Physical controls prevent unauthorized individuals from gaining access to a company’s facilities.
              Common physical controls include walls, doors, fencing, gates, locks, badges, guards, and alarm sys-
              tems. More sophisticated physical controls include pressure sensors, temperature sensors, and motion
              detectors. One weakness of physical controls is that they can be inconvenient to employees.
    FIGURE 3.2 Various locations of defence mechanisms.

                              Guards deserve special mention because they have very difficult jobs. First, their jobs are bor-
                           ing and repetitive and they are typically not highly paid. Second, if they do their jobs thorough-
                           ly, other employees may harass them, particularly if their being conscientious slows down the
                           process of entering a facility.

                           ACCESS CONTROLS
                           Access controls can be physical controls or logical controls. Both types restrict unauthorized indi-
                           viduals from using information resources. Logical controls are implemented by software. For
                           example, access control programs limit users to acceptable login times and acceptable login loca-
                           tions. These controls can limit the number of unsuccessful login attempts and they require
                           everyone to log off their computers when they leave for the day. In addition, computers are set
                           to automatically log the user off after a certain period of disuse.
                              These controls involve two major functions: authentication and authorization.
                               Authentication determines the identity of the person requiring access, and authorization
                            determines which actions, rights, or privileges the person has, based on that verified identity.
                           Organizations use many methods to identify authorized personnel (i.e., authenticate someone).
                           These methods include something the user is, something the user has, something the user does,
                           and something the user knows.

                           SOMETHING THE USER IS. Also known as biometrics, these authentication methods examine
                           a person’s innate physical characteristics. Common biometric applications are fingerprint
                           scans, palm scans, retina scans, iris recognition, and facial recognition. Of these, fingerprints,
                           retina scans, and iris recognition provide the most definitive identification.
              SOMETHING THE USER HAS. These authentication mechanisms include regular identification
              (ID) cards, smart ID cards, and tokens. Regular ID cards, or dumb cards, typically have the per-
              son’s picture, and often, his or her signature. Smart ID cards have a chip embedded in them
              with pertinent information about the user. (Smart ID cards used for identification differ from
              smart cards used in electronic commerce; see Chapter 6. Both types of card have embedded
              chips, but they are used for different purposes.) Tokens have embedded chips and a digital dis-
              play that presents a login number employees use to access the organization’s network. The
              number changes with each login.

              SOMETHING THE USER DOES. These authentication mechanisms include voice and signature
              recognition. In voice recognition, the user speaks a phrase (e.g., his or her name and depart-
              ment) that has been previously recorded under controlled, monitored conditions. The voice
              recognition system matches the two voice signals.
                In signature recognition, the user signs his or her name, and the system matches this sig-
              nature with one previously recorded under controlled, monitored conditions. Signature recog-
              nition systems also match the speed of the signature and the pressure of the signature.

              SOMETHING THE USER KNOWS. These authentication mechanisms include passwords and
              passphrases. Passwords present a huge information security problem in all organizations. All
              users should use strong passwords so that the password cannot be broken by a password
              attack, which we discussed earlier. Strong passwords have the following characteristics:

              • They should be difficult to guess.
              • They should be longer rather than shorter.
              • They should have uppercase letters, lowercase letters, numbers, and special characters.
              • They should not be a recognizable word.
              • They should not be the name of anything or anyone familiar, such as family names or names
                of pets.
              • They should not be a recognizable string of numbers, such as a Social Insurance number or

                Unfortunately, strong passwords are irritating. If the organization mandates longer (stronger)
              passwords and/or frequent password changes, they become more difficult to remember, caus-
              ing employees to write them down. What is needed is a way for a user to create a strong pass-
              word that is easy to remember. A passphrase can help, either by being a password itself, or by
              helping you create a strong password.
                A passphrase is a series of characters that is longer than a password but can be memorized
              easily. Examples of passphrases include “maytheforcebewithyoualways,” “goaheadmakemyday,”
              “livelongandprosper,” and “aman’sgottoknowhislimitations.” A user can turn a passphrase into
              a strong password in this manner. Start with the last passphrase above and use the first letter
              of each word. You will have amgtkhl. Then capitalize every other letter, to have AmGtKhL. Then
              add special characters and numbers, to have 9AmGtKhL//*. Now you have a strong password
              that you can remember.
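The passphrase-to-password recipe just described, together with a check against the characteristics of a strong password listed above, as an added Python example that is not from the textbook. The prefix and suffix characters, the tiny word list and the six-digit threshold for a "recognizable string of numbers" are constructed assumptions.

```python
import re
import string

# Constructed, deliberately tiny stand-in for a dictionary of recognizable words.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}


def passphrase_to_password(passphrase, prefix="9", suffix="//*"):
    """Turn a passphrase into a password the way the text describes.

    1. keep the first letter of each word,
    2. capitalize every other letter (starting with the first),
    3. add numbers and special characters (here a constructed prefix and suffix).
    The passphrase is given with spaces between words so the word boundaries are known.
    """
    initials = "".join(word[0] for word in passphrase.split())
    alternated = "".join(ch.upper() if i % 2 == 0 else ch.lower()
                         for i, ch in enumerate(initials))
    return prefix + alternated + suffix


def password_weaknesses(password, familiar_names=(), min_length=8):
    """Check a password against the strong-password characteristics listed above.

    Returns an empty list for a strong password, otherwise the characteristics it fails.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if password.lower() in COMMON_WORDS:
        problems.append("recognizable word")
    for name in familiar_names:          # family names, pets, and so on
        if name.lower() in password.lower():
            problems.append("contains familiar name: " + name)
    if re.search(r"\d{6,}", password):   # a long digit run, e.g. a Social Insurance number
        problems.append("contains a recognizable string of numbers")
    return problems


if __name__ == "__main__":
    pw = passphrase_to_password("a man's got to know his limitations")
    print(pw, "weaknesses:", password_weaknesses(pw))
    print("password", "weaknesses:", password_weaknesses("password"))
```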

              MULTIFACTOR AUTHENTICATION. Many organizations are using multifactor authentication to
              more efficiently and effectively identify authorized users. This type of authentication is partic-
              ularly important when users are logging in from remote locations.
                Single-factor authentication, which is notoriously weak, commonly consists simply of a pass-
              word. Two-factor authentication consists of a password plus one type of biometric identification
                      (e.g., a fingerprint). Three-factor authentication is any combination of three authentication
                      methods. We should keep in mind that stronger authentication is more expensive, and can be
                      irritating to users as well.
                           Once users have been properly authenticated, then the rights and privileges that they have
                      on the organization’s systems are established, a process called authorization. Companies use
                      the principle of least privilege for authorization purposes. A privilege is a collection of related
                      computer system operations that can be performed by users of the system. Least privilege is a
                      principle that users be granted the privilege for some activity only if there is a justifiable need
                      to grant this authorization. This means that employees would have access to only those func-
                      tions they need to complete their job effectively. The accounts payable data entry clerk, for exam-
                      ple, would be unable to access wage rates.

                      COMMUNICATIONS CONTROLS
                      Communications (network) controls secure the movement of data across networks.
                      Communications controls consist of firewalls, anti-malware systems, intrusion detection sys-
                      tems, encryption, virtual private networking (VPN), and vulnerability management systems.
                      Firewalls, anti-malware systems, intrusion detection systems, encryption, and VPNs are reac-
                      tive. Only vulnerability management systems provide a proactive approach, identifying network
                      and device vulnerabilities before networks are compromised.

                      FIREWALLS. A firewall is a system that prevents a specific type of information from moving
                      between untrusted networks, such as the Internet, and private networks, such as your compa-
                      ny’s network. Put simply, firewalls prevent unauthorized Internet users from accessing private
                      networks. Firewalls can consist of hardware, software, or a combination of both. All messages
                      entering or leaving your company’s network pass through a firewall. The firewall examines
                      each message and blocks those that do not meet specified security rules.
                           Firewalls range from simple, for home use, to very complex for organizational use. Figure 3.3a
                      shows a basic firewall for a home computer. In this case, the firewall is implemented as soft-
                       ware on the home computer. Figure 3.3b shows an organization that has implemented an
                       external firewall, which faces the Internet, and an internal firewall, which faces the company
                       network. A demilitarized zone (DMZ) is located between the two firewalls. Messages from the
                       Internet must first pass through the external firewall. If they conform to the defined security
                       rules, then they are sent to company servers located in the DMZ. These servers typically
                       handle web page requests and e-mail. Any messages designated for the company’s internal
                       network (for example, its intranet) must pass through the internal firewall, again with its own
                       defined security rules, to gain access to the company’s private network.

                       FIGURE 3.3 (a) Basic firewall for home computer. (b) Organization with two firewalls and demilitarized zone.
                 The danger from viruses and worms is so severe that many organizations are placing fire-
              walls at strategic points inside their private networks. In this way, if a virus or worm does get
              through both the external and internal firewalls, then the internal damage may be contained.
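The two-firewall arrangement of Figure 3.3b, as an added Python example that is not from the textbook: each firewall applies its own ordered rule list with a default deny, and a message bound for the intranet must satisfy both. The address ranges, host addresses and rules are constructed assumptions, and only inbound traffic is modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str   # source IP address
    dst: str   # destination IP address
    port: int  # destination TCP port


@dataclass(frozen=True)
class Rule:
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    port: Optional[int]  # destination port, or None for any port
    action: str          # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.port is None or self.port == pkt.port))


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied (default deny)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed address plan (an assumption, not from the textbook).
ANY = "0.0.0.0/0"
DMZ = "192.0.2.0/24"          # servers located between the two firewalls
INTERNAL = "10.0.0.0/8"       # the company's private network (intranet)
WEB_SERVER = "192.0.2.10"     # DMZ host that handles web page requests
MAIL_RELAY = "192.0.2.25"     # DMZ host that accepts e-mail from the Internet
INTERNAL_MAIL = "10.0.0.25"   # mail server behind the internal firewall

# External firewall: only the published DMZ services are reachable from the Internet.
# Nothing here permits Internet traffic addressed directly to the intranet.
EXTERNAL_FIREWALL = [
    Rule(ANY, WEB_SERVER + "/32", 80, "allow"),
    Rule(ANY, WEB_SERVER + "/32", 443, "allow"),
    Rule(ANY, MAIL_RELAY + "/32", 25, "allow"),
]

# Internal firewall: its own rules decide what may cross from the DMZ into the intranet.
INTERNAL_FIREWALL = [
    Rule(MAIL_RELAY + "/32", INTERNAL_MAIL + "/32", 25, "allow"),
    Rule(DMZ, INTERNAL, None, "deny"),   # any other DMZ-to-intranet traffic is dropped
]


def deliver(pkt: Packet):
    """Walk an inbound packet through each firewall it must cross; return the decisions made."""
    decisions = []
    src = ip_address(pkt.src)
    from_internet = src not in ip_network(DMZ) and src not in ip_network(INTERNAL)
    if from_internet:
        verdict = evaluate(EXTERNAL_FIREWALL, pkt)
        decisions.append(("external", verdict))
        if verdict == "deny":
            return decisions   # never reaches the DMZ, let alone the internal firewall
    if ip_address(pkt.dst) in ip_network(INTERNAL):
        decisions.append(("internal", evaluate(INTERNAL_FIREWALL, pkt)))
    return decisions


def is_delivered(pkt: Packet) -> bool:
    """True only if every firewall on the path allowed the packet."""
    return all(verdict == "allow" for _, verdict in deliver(pkt))


if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", WEB_SERVER, 443),
                Packet("203.0.113.7", INTERNAL_MAIL, 25),
                Packet(MAIL_RELAY, INTERNAL_MAIL, 25),
                Packet(WEB_SERVER, "10.0.0.50", 5432)):
        print(pkt, deliver(pkt), "delivered" if is_delivered(pkt) else "dropped")
```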

              ANTI-MALWARE SYSTEMS. Anti-malware systems, also called AV, or antivirus, software, are
              software packages that attempt to identify and eliminate viruses, worms, and other malicious
              software. This software is implemented at the organizational level by the Information Systems
               department. There are currently hundreds of AV software packages available. Among the best
               known are Norton AntiVirus, McAfee VirusScan, and Trend Micro PC-cillin.
                 As mentioned above, anti-malware systems are generally reactive. These products work by
              creating definitions, or signatures, of various types of malware, and then updating these signa-
              tures in their products. The anti-malware software then examines suspicious computer code to
              see if it matches a known signature. If it does, then the anti-malware software will remove it.
              This is the reason organizations update their malware definitions so often.
                 Because malware is such a serious problem, the leading vendors are rapidly developing anti-
              malware systems that function proactively as well as reactively. These systems evaluate behav-
              iour rather than relying on signature matching. In theory, therefore, it is possible to catch
               malware before it can infect systems. Cisco, for example, has a product called Cisco Security
               Agent. This product functions proactively by analyzing computer code to see if it functions like
               malware. Prevx is another vendor offering this type of proactive malware system.

              WHITELISTING AND BLACKLISTING. A report by Yankee Group Research, Inc. (www.yankee-
    , a technology research and consulting firm, stated that 99 percent of organizations
              had anti-malware systems installed, but 62 percent of companies still suffered successful mal-
              ware attacks. As we have discussed, anti-malware systems are usually reactive, and malware
              continues to infect companies.
                 One solution to this problem is whitelisting. Whitelisting is a process in which a company iden-
              tifies the software that it will allow to run and does not try to recognize malware. Whitelisting
              permits acceptable software to run and either prevents anything else from running or lets new
              software run in a quarantined environment until the company can verify its validity.
                 Where whitelisting allows nothing to run unless it is on the whitelist, blacklisting allows
              everything to run unless it is on the blacklist. A blacklist, then, includes certain types of soft-
              ware that are not allowed to run in the company environment. For example, a company might
              blacklist peer-to-peer file sharing on its systems. In addition to software, people, devices, and
              websites can also be whitelisted and blacklisted.
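The following Python example is added here to make the contrast concrete; it is not code from the textbook or from any vendor's product. It builds a tiny signature database and an approved-software list over five constructed files (invented byte strings, not real programs or malware), then applies a blacklist policy and a whitelist policy to the same files. The file names and the "EXAMPLE-DROPPER" pattern are assumptions made for the example.

```python
import hashlib

# Constructed set of executables for the example: name -> file contents.
# The contents are invented byte strings, not real programs or malware.
FILES = {
    "notepad.exe":  b"MZ\x90\x00 notepad build 6.1",
    "excel.exe":    b"MZ\x90\x00 excel build 12.0",
    "invoice.exe":  b"MZ\x90\x00 EXAMPLE-DROPPER-v1 payload",  # sample the vendor has analyzed
    "invoice2.exe": b"MZ\x90\x00 EXAMPLE-DROPPER-v2 payload",  # repacked variant, never seen
    "p2pshare.exe": b"MZ\x90\x00 peer-to-peer file sharing client",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Signature database as a reactive anti-malware product would ship it:
# hashes of samples already analyzed, plus byte patterns extracted from them.
KNOWN_BAD_HASHES = {sha256(FILES["invoice.exe"])}
KNOWN_BAD_PATTERNS = [b"EXAMPLE-DROPPER-v1"]

# Blacklist: software the company bans whether or not it is malware.
BLACKLISTED_NAMES = {"p2pshare.exe"}

# Whitelist: hashes of the only binaries the company has approved to run.
WHITELIST_HASHES = {sha256(FILES["notepad.exe"]), sha256(FILES["excel.exe"])}

def signature_scan(data: bytes) -> bool:
    """Reactive check: True only if the file matches a known-bad hash or pattern."""
    if sha256(data) in KNOWN_BAD_HASHES:
        return True
    return any(pattern in data for pattern in KNOWN_BAD_PATTERNS)

def blacklist_policy(name: str, data: bytes) -> str:
    """Run everything except known malware and banned software."""
    if name in BLACKLISTED_NAMES or signature_scan(data):
        return "block"
    return "run"

def whitelist_policy(name: str, data: bytes) -> str:
    """Run only approved binaries; anything unknown is quarantined for review.
    Matching on the hash rather than the file name means a renamed or
    repacked file cannot borrow an approved program's identity."""
    if sha256(data) in WHITELIST_HASHES:
        return "run"
    return "quarantine"

def evaluate(policy) -> dict:
    """Apply one policy to every file and return the decisions by name."""
    return {name: policy(name, data) for name, data in FILES.items()}

if __name__ == "__main__":
    for policy in (blacklist_policy, whitelist_policy):
        print(policy.__name__, evaluate(policy))
```

Run as a script it prints both decision tables. The row to look at is `invoice2.exe`: the blacklist policy lets it run, because neither its hash nor its bytes match anything in the signature database, while the whitelist policy quarantines it without needing to know what it is. The price of whitelisting is the operational work of keeping the approved-hash list current every time a legitimate program is updated.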

              INTRUSION DETECTION SYSTEMS. Intrusion detection systems (IDSs) are designed to detect malicious
              network traffic and computer usage that a firewall does not block, for example attacks carried
              over ports the firewall must leave open. A network IDS captures network traffic flows and
              examines the contents and patterns of the packets for signs of attack, then raises an alert for
              investigation. An example of this type of malicious traffic is a denial-of-service attack
              (discussed earlier).
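As an added example, not part of the textbook, the following Python code shows one IDS rule that a firewall cannot express: a SYN-flood detector that counts half-open TCP connections per source over a sliding window. The packet summaries are constructed for the example (the addresses are documentation ranges, not captured traffic), and the threshold and window sizes are assumptions a real deployment would tune.

```python
from collections import defaultdict, deque

def build_sample_packets():
    """Constructed packet summaries: (time_s, src, dst, dst_port, tcp_flags).
    Not captured traffic; the addresses come from documentation ranges."""
    pkts = []
    # A legitimate client completes three TCP handshakes: SYN, SYN-ACK, ACK.
    for i in range(3):
        t = i * 0.5
        pkts.append((t,        "10.0.0.5",   "192.0.2.10", 443, "S"))
        pkts.append((t + 0.01, "192.0.2.10", "10.0.0.5",   443, "SA"))
        pkts.append((t + 0.02, "10.0.0.5",   "192.0.2.10", 443, "A"))
    # A flooding source sends 300 bare SYNs in one second and never answers
    # the SYN-ACKs, which is what exhausts the server's half-open table.
    for i in range(300):
        pkts.append((1.0 + i / 300, "198.51.100.7", "192.0.2.10", 443, "S"))
    return sorted(pkts)

class SynFloodDetector:
    """IDS rule: alert when one source holds more than `threshold` half-open
    connections (SYN sent, handshake never completed) within `window` seconds.
    A firewall that must allow port 443 passes every one of these packets."""

    def __init__(self, threshold=100, window=1.0):
        self.threshold = threshold
        self.window = window
        self.half_open = defaultdict(deque)   # src -> timestamps of unanswered SYNs
        self.alerted = set()                  # alert once per source
        self.alerts = []

    def feed(self, pkt):
        ts, src, dst, port, flags = pkt
        pending = self.half_open[src]
        if flags == "S":
            pending.append(ts)
            while pending and ts - pending[0] > self.window:   # forget old SYNs
                pending.popleft()
            if len(pending) > self.threshold and src not in self.alerted:
                self.alerted.add(src)
                self.alerts.append((ts, src, len(pending)))
        elif flags == "A" and pending:
            pending.popleft()   # handshake completed: one fewer half-open entry

def run_detector(pkts, threshold=100, window=1.0):
    """Feed packets in time order and return the alerts raised."""
    det = SynFloodDetector(threshold, window)
    for pkt in pkts:
        det.feed(pkt)
    return det.alerts

if __name__ == "__main__":
    for ts, src, count in run_detector(build_sample_packets()):
        print(f"t={ts:.2f}s ALERT possible SYN flood from {src}: {count} half-open connections")
```

The legitimate client never holds more than one half-open connection because its ACK closes each one, so it never trips the rule at any threshold; the flooding source trips it on its 101st SYN. The same counting structure, keyed on destination instead of source, catches a distributed flood where each attacker sends only a few SYNs.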

              ENCRYPTION. When organizations do not have a secure channel for sending information,
              they use encryption to stop unauthorized eavesdroppers. Encryption is the process of converting
              an original message (the plaintext) into a form (the ciphertext) that cannot be read by anyone
              except the intended recipient.
                 All encryption systems use a key, which is the secret value that scrambles, and then
              unscrambles, the messages. Symmetric encryption uses the same key for both steps; it is fast, so
              it is what most systems use to protect the bulk of their data, but both parties must first share
              the key securely. Public-key encryption, also known as asymmetric encryption, solves that problem
              by using two different keys: a public key and a private key (see Figure 3.4). The public key and
              the private key are created together using the same mathematical algorithm. Because the two keys
              are mathematically related, data encrypted with one key can be decrypted only with the other. The
              public key can be published in a directory that all parties can access. The private key is kept
              secret, never shared with anyone, and never sent across the Internet. In this system, if Alice
              wants to send a message to Bob, she first obtains Bob’s public key, which she uses to encrypt
              (scramble) her message. When Bob receives Alice’s message, he uses his private key to decrypt
              (unscramble) it. In practice the two kinds are combined: public-key encryption protects a freshly
              generated symmetric key, and that symmetric key encrypts the data itself.

     FIGURE 3.4 How public-key encryption works. (Source: Omnisec AG)
                 Public-key systems can also show that a message is authentic. If you encrypt a message
              (in practice, a hash of the message) using your private key, you have electronically “signed” it.
              A recipient can verify that the message came from you, and has not been altered, by using your
              public key to decrypt the signature and comparing the result with the message.
                 Although this system is adequate for personal information, organizations doing business over
              the Internet require a more complex system, because a public key found in a directory proves
              nothing about who actually owns it. In such cases, a third party, called a certificate authority,
              acts as a trusted intermediary between companies. The certificate authority verifies the identity
              of a requester and issues a digital certificate. A digital certificate is an electronic document,
              signed by the certificate authority, that binds a public key to the identity of the organization
              that owns it; any change to the certificate invalidates the signature. As you can see in Figure
              3.5, Sony requests a digital certificate from VeriSign, a certificate authority, and uses this
              certificate when doing business with Dell. Note that the digital certificate contains an
              identification (serial) number, the issuer, validity dates, and the requester’s public key, all
              covered by the certificate authority’s signature. Dell checks that signature with VeriSign’s
              public key, checks the validity dates, and only then trusts the public key inside the certificate
              to verify messages from Sony.
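The following Python example, added here and not taken from the textbook, Omnisec, VeriSign or any vendor, walks through the three mechanisms above in working code: public-key encryption and decryption, signing with a private key and verifying with the public key, and a certificate authority signing a certificate that a relying party checks before trusting the key inside it. It uses textbook RSA with toy 20-bit primes so that it runs instantly and the arithmetic is visible; real systems use 2048-bit or larger keys and padding schemes (OAEP, PSS), which this example omits. The party names ExampleCA and ExampleSony, the dates and the purchase-order text are assumptions for the scenario of Figure 3.5. Requires Python 3.8 or later for `pow(e, -1, phi)`.

```python
import hashlib
import json
from math import gcd

# ---- toy RSA key pair ---------------------------------------------------
def is_prime(n):
    return n >= 2 and all(n % f for f in range(2, int(n ** 0.5) + 1))

def next_prime(n):
    while not is_prime(n):
        n += 1
    return n

def make_keypair(seed, e=65537):
    """Two ~20-bit primes found from `seed`. Toy sizes: real keys use 2048-bit
    primes and padding (OAEP for encryption, PSS for signatures)."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # private exponent: inverse of e modulo phi
    return (n, e), (n, d)          # (public key, private key), created together

def encrypt(pub, m):               # Alice: Bob's public key scrambles
    n, e = pub
    assert 0 <= m < n
    return pow(m, e, n)

def decrypt(priv, c):              # Bob: his private key unscrambles
    n, d = priv
    return pow(c, d, n)

def digest_int(data, n):
    """Sign a hash of the message, not the message; reducing modulo n is a
    toy-size shortcut where a real scheme would pad the digest instead."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):              # "encrypt with your private key"
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data, sig):        # "decrypt with the signer's public key"
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

# ---- toy digital certificate -------------------------------------------
def cert_bytes(fields):
    return json.dumps(fields, sort_keys=True).encode()   # canonical form to sign

def issue_certificate(ca_priv, serial, issuer, subject, subject_pub, not_before, not_after):
    fields = {"serial": serial, "issuer": issuer, "subject": subject,
              "not_before": not_before, "not_after": not_after,
              "subject_public_key": list(subject_pub)}
    return {"fields": fields, "signature": sign(ca_priv, cert_bytes(fields))}

def verify_certificate(cert, ca_pub, today):
    f = cert["fields"]
    in_validity = f["not_before"] <= today <= f["not_after"]   # ISO dates sort as strings
    return in_validity and verify(ca_pub, cert_bytes(f), cert["signature"])

# ---- the Figure 3.5 scenario with hypothetical parties -----------------
def demo(today="2008-06-01"):
    ca_pub, ca_priv = make_keypair(1_000_000)        # stands in for the CA
    sony_pub, sony_priv = make_keypair(1_000_100)    # stands in for Sony
    cert = issue_certificate(ca_priv, 1, "ExampleCA", "ExampleSony", sony_pub,
                             "2008-01-01", "2008-12-31")
    # Dell trusts only the CA's public key; Sony's key comes out of the certificate.
    cert_ok = verify_certificate(cert, ca_pub, today)
    sony_key = tuple(cert["fields"]["subject_public_key"])
    order = b"PO-1234: 500 units"
    sig_ok = verify(sony_key, order, sign(sony_priv, order))
    forged = verify(sony_key, b"PO-1234: 5000 units", sign(sony_priv, order))
    # Confidentiality the other way: Dell encrypts to the public key from the cert.
    m = int.from_bytes(b"hi", "big")
    roundtrip = decrypt(sony_priv, encrypt(sony_key, m)) == m
    # Tampering: one changed field and the CA's signature no longer verifies.
    tampered = {"fields": dict(cert["fields"], subject="ExampleMallory"),
                "signature": cert["signature"]}
    return {"cert_ok": cert_ok, "sig_ok": sig_ok, "forged_ok": forged,
            "roundtrip": roundtrip, "tampered_ok": verify_certificate(tampered, ca_pub, today)}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `cert_ok`, `sig_ok` and `roundtrip` true and `forged_ok` and `tampered_ok` false; calling it with a date outside the validity period makes `cert_ok` false even though the signature is intact. The point worth noticing is that Dell never needs Sony's key in advance: it needs only the certificate authority's public key, which is exactly the trust relationship Figure 3.5 draws.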
     One way of improving access controls is by combining a variety of techniques.
              IT’s About Business 3.4 provides a discussion of biometrics and video surveillance software that
              are increasingly being used around the world.

              VIRTUAL PRIVATE NETWORKING. A virtual private network (VPN) is a private network that
              uses a public network (usually the Internet) to connect users. As such, VPNs integrate the global
              connectivity of the Internet with the security of a private network, and thereby extend the
              reach of the organization’s networks.
                 VPNs are labelled “virtual” because the connections (among organizations, between remote
              sites of one organization, or between an organization and its off-site employees) are created
              when a transmission needs to be made and terminated when the transmission has been sent, rather
              than existing as dedicated physical lines. A VPN can be run by the organization itself on its own
              gateways and client software, or bought as a managed service from common carriers (i.e.,
              telephone service providers).





              FIGURE 3.5 How digital certificates work. Sony and Dell, business partners, use a digital certificate from VeriSign for authentication.
              IT’S ABOUT BUSINESS 3.4

              Montreal-based Genetec, Inc. has surveillance systems on every other continent, though. Genetec’s
              website states that the company is a physical security leader. It has three major products, all
              used in the security industry. The first is Omnicast, which manages digital audio, video, and data
              across an Internet network, allowing users to monitor up to tens of thousands of video cameras. It
              boasts video camera systems on every continent except Antarctica, at airports, royal palaces, and
              many other locations. The second product, Synergis, promises a full solution to access controls,
              using products such as reader cards, software for workstations, and hardware for servers. Finally,
              AutoVu is touted as being able to recognize licence plates from any country—useful for security
              firms and police forces around the world.
                 Together with this type of software, agencies such as country border crossings can scan your
              licence plate as you arrive, and then use your biometrically enhanced passport to check on your
              identity. Various countries have already included, or are considering including, biometric
              information (such as retina scans, face structure or fingerprints) on passports. British passports
              already have such information. Canadian airports and land-based customs entry points have a pass
              program whereby individuals can have retina scans embedded in their documents. This is now required
              for Canadians working in the U.S. and it is part of the speed-pass cards that are used for fast
              entry when driving to and from the U.S.
                 The difficulty with biometrics is that there are both “false acceptance” and “false rejection”
              errors. A false acceptance means that someone could be incorrectly identified as an authorized
              individual. A false rejection means that you could incorrectly be rejected as being you—perhaps due
              to a cut finger or an eye infection. A false rejection at the office could mean that you do not get
              access to your systems, but at a border crossing it could mean you are accused of being a terrorist
              or having a fake passport.

              Sources: Compiled from D. Butler, “Big Bio Is Watching You,” The Montreal Gazette, June 17, 2007,
              p. A10; S. Delacourt, “Ottawa Takes ‘Big Step’ to Biometric ID,” The Toronto Star, June 30, 2006,
              p. A6; S. Rabinovitch, “Big Brother to the World,” Globe and Mail, October 8, 2006; accessed
              August 19, 2007.

              QUESTIONS
              1. What security precautions should be used for biometric data that is stored on passports or
                 organizational systems? What risks do these security precautions prevent?
              2. How does combining biometric information with a password improve control over organizational
                 systems?
              3. What actions should governments take to help prevent individuals from being falsely accused of
                 being a terrorist?
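The false acceptance and false rejection errors described in the box are two ends of one dial, the matcher's decision threshold. The following Python example is added here (it is not from the textbook or from Genetec) to show how the two rates are measured and traded off, and why adding a password lets the biometric threshold sit lower. The match scores are invented for the example, not measurements from any real system, and the threshold grid is an assumption.

```python
# Constructed similarity scores for the example (0 = no match, 1 = perfect).
# Invented numbers, not measurements from any real biometric system.
# GENUINE: the enrolled person presenting again; the 0.60 and 0.45 stand for a
# cut finger or an eye infection. IMPOSTOR: other people presenting as that person.
GENUINE_SCORES = [0.92, 0.88, 0.95, 0.81, 0.60, 0.77, 0.90, 0.85, 0.93, 0.45]
IMPOSTOR_SCORES = [0.10, 0.22, 0.35, 0.18, 0.55, 0.30, 0.12, 0.40, 0.65, 0.25]

def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold. Returns (FAR, FRR):
    FAR = fraction of impostors accepted, FRR = fraction of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def tradeoff_table(genuine, impostor, thresholds):
    """FAR and FRR at each candidate threshold. Raising the threshold lowers FAR
    (what a border crossing wants) and raises FRR (what an office door suffers)."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}

def equal_error_threshold(genuine, impostor, thresholds):
    """Threshold at which FAR and FRR are closest (the equal error rate point)."""
    def gap(t):
        far, frr = error_rates(genuine, impostor, t)
        return abs(far - frr)
    return min(thresholds, key=gap)

def decide(score, threshold, password_ok=None):
    """Access decision. With a second factor both must pass, so the biometric
    threshold can be set lower (fewer false rejections) without an impostor
    getting in on a lucky match alone."""
    accepted = score >= threshold
    if password_ok is not None:
        accepted = accepted and password_ok
    return accepted

THRESHOLDS = [round(i / 20, 2) for i in range(6, 19)]   # 0.30, 0.35, ..., 0.90

if __name__ == "__main__":
    for t, (far, frr) in tradeoff_table(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS).items():
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("equal error rate threshold:",
          equal_error_threshold(GENUINE_SCORES, IMPOSTOR_SCORES, THRESHOLDS))
```

On these scores a threshold of 0.5 accepts 20 percent of impostors and rejects 10 percent of genuine users; moving to 0.7 accepts no impostors but rejects the two injured-finger and eye-infection presentations, and the two rates meet at 0.6. A border system would pick a threshold well above that point and accept the queue of false rejections; an office with a password as second factor can pick one below it.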

                            VPNs have several advantages. First, they allow remote users to access the company network.
                        Second, they allow flexibility. That is, without being constrained by the need for dedicated con-
                        nections, mobile users can access the organization’s network from properly configured remote
                        devices. Third, organizations can impose their security policies through VPNs. For example, an
                        organization may dictate that only corporate e-mail applications are available to users when
                        they connect from unmanaged devices.
                            To provide secure transmissions, VPNs use a process called tunnelling. Tunnelling encrypts
                        each data packet to be sent and places each encrypted packet inside another packet, addressed
                        to the VPN gateway at the far end. The tunnel protocol (IPsec, for example) also authenticates
                        each packet, so the original packet travels across the Internet with confidentiality,
                        authentication, and integrity. Figure 3.6 shows a VPN and tunnelling.

                        SECURE SOCKET LAYER (SSL). Secure socket layer, since superseded by transport layer security
                        (TLS), is an encryption protocol used for secure transactions such as credit card purchases
                        and online banking. TLS is indicated by a URL that begins with https rather than http, and
                        the browser often shows a small padlock icon. TLS encrypts the data between a web server and
                        a browser, and the server proves its identity with a digital certificate issued by a
                        certificate authority. The padlock therefore means that the connection to that server is
                        encrypted and the server is who its certificate says it is, not that the site is trustworthy.

              FIGURE 3.6 Virtual private network and tunnelling.

              VULNERABILITY MANAGEMENT SYSTEMS. Users need access to their organization’s network from
              anywhere and at any time. To accommodate these needs, vulnerability management systems, also
              called security on demand, extend the security perimeter that exists for the organization’s
              managed devices. That is, vulnerability management systems handle security vulnerabilities on
              unmanaged, remote devices. Recall that we discussed the dangers inherent in using unmanaged
              devices earlier. Vendors of vulnerability management software include Symantec, Trend Micro,
              McAfee, and Genetec.
                 Vulnerability management systems scan the remote system and decide whether to allow the
              user access to the organization’s network from it. These systems allow the user to download
              anti-malware software to the remote computer for the user’s protection. The systems will also
              implement virtual user sessions on the remote computer. These sessions separate and encrypt the
              data, applications, and network connections of the session from the rest of the unmanaged
              computer. After the user is finished, the vulnerability management system clears the unmanaged
              computer’s browser cache and temporary files.

              EMPLOYEE MONITORING SYSTEMS. Many companies are taking a proactive approach to protecting their
              networks from what they view as one of their major security threats, namely employee mistakes.
              These companies are implementing employee monitoring systems, which monitor their employees’
              computers, e-mail activities, and Internet surfing activities. These products are useful to
              identify employees who spend too much time surfing on the Internet for personal reasons, who
              visit questionable websites, or who download music illegally. Vendors that provide monitoring
              software include SpectorSoft Corporation and Websense, Inc.

              Application controls, as their name suggests, are security countermeasures that protect specific
              applications. Application controls include three major categories: input controls, processing con-
              trols, and output controls. Input controls are programmed routines that are performed to edit input
              data for errors before it is processed. For example, Social Insurance numbers should not contain
              any alphabetic characters. Processing controls, for example, might match entered quantities of
              goods received in the shipping area to amounts ordered on authorized purchase orders. Processing
              controls also balance the total number of transactions processed with the total number of trans-
              actions input or output. An example of output controls is documentation specifying that author-
              ized recipients have received their reports, paycheques, or other critical documents.
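The three categories of application control are easier to see as code than as definitions. The following Python example is added here and is not from the textbook; it implements one control of each kind over constructed sample data. For the input control it goes one step beyond the page's "no alphabetic characters" rule: Canadian Social Insurance Numbers carry a Luhn check digit, so a mistyped SIN can be rejected before processing rather than discovered later. The purchase orders, receipts and document log are invented for the example.

```python
from dataclasses import dataclass

# --- Input control: Social Insurance Number ---------------------------------
def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (used by Canadian SINs and payment card numbers):
    double every second digit from the right, subtract 9 from any result over 9,
    and the sum of all digits must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def validate_sin(raw: str):
    """Edit the field before it is processed. Returns (ok, reason)."""
    sin = raw.replace(" ", "").replace("-", "")
    if not sin.isdigit():
        return False, "SIN must contain digits only"
    if len(sin) != 9:
        return False, "SIN must be exactly 9 digits"
    if not luhn_valid(sin):
        return False, "SIN fails the check-digit test (probably mistyped)"
    return True, "ok"

# --- Processing controls: match receipts to authorized orders, batch totals --
@dataclass
class PurchaseOrder:
    po_id: str
    sku: str
    qty_ordered: int
    authorized: bool

@dataclass
class Receipt:
    po_id: str
    sku: str
    qty_received: int

def match_receipts(receipts, orders):
    """Exceptions: receipts with no authorized order, the wrong item, or more
    goods than were ordered. Each one needs a person to look at it."""
    by_id = {o.po_id: o for o in orders}
    exceptions = []
    for r in receipts:
        o = by_id.get(r.po_id)
        if o is None or not o.authorized:
            exceptions.append((r.po_id, "no authorized purchase order"))
        elif r.sku != o.sku:
            exceptions.append((r.po_id, f"item {r.sku} received, {o.sku} ordered"))
        elif r.qty_received > o.qty_ordered:
            exceptions.append((r.po_id, f"{r.qty_received} received, {o.qty_ordered} ordered"))
    return exceptions

def batch_totals_agree(input_batch, processed_batch):
    """Record count and a control total (sum of quantities) must be identical
    before and after processing, or records were lost or duplicated."""
    count_ok = len(input_batch) == len(processed_batch)
    total_ok = (sum(r.qty_received for r in input_batch)
                == sum(r.qty_received for r in processed_batch))
    return count_ok and total_ok

# --- Output control: distribution log for critical documents ------------------
def undelivered_outputs(documents, acknowledgements):
    """documents: (doc_id, authorized_recipient) pairs; acknowledgements: the
    (doc_id, recipient) pairs that were signed for. Anything not signed for by
    its authorized recipient is reported."""
    return [doc for doc in documents if doc not in acknowledgements]

# Constructed sample data for the example.
ORDERS = [PurchaseOrder("PO-1001", "WIDGET", 100, True),
          PurchaseOrder("PO-1002", "GASKET", 40, False),   # never approved
          PurchaseOrder("PO-1003", "BOLT", 500, True)]
RECEIPTS = [Receipt("PO-1001", "WIDGET", 100),   # matches the order
            Receipt("PO-1002", "GASKET", 40),    # order was not authorized
            Receipt("PO-1003", "BOLT", 520),     # over-delivery
            Receipt("PO-9999", "BOLT", 10)]      # no such order
DOCUMENTS = [("PAY-2008-06", "payroll clerk"), ("RPT-Q2", "controller")]
ACKNOWLEDGED = {("PAY-2008-06", "payroll clerk")}

if __name__ == "__main__":
    print(validate_sin("046 454 286"), validate_sin("046454287"), validate_sin("04645428A"))
    print(match_receipts(RECEIPTS, ORDERS))
    print(batch_totals_agree(RECEIPTS, RECEIPTS), batch_totals_agree(RECEIPTS, RECEIPTS[:-1]))
    print(undelivered_outputs(DOCUMENTS, ACKNOWLEDGED))
```

The SIN 046 454 286 is a commonly used test number that passes the check; changing its last digit makes it fail even though it is still nine digits, which is the defect a digits-only rule cannot catch. The receipt matcher reports three exceptions out of four receipts, the batch control detects a dropped record, and the output control lists the one report nobody has signed for.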

              An important strategy for organizations is to be prepared for any eventuality. A critical element
              in any security system is a business continuity plan, often referred to as a disaster recovery
              plan (strictly, disaster recovery is the part of business continuity that restores the IT systems).
                 Business continuity is the chain of events linking planning to protection and to recovery. The
              purpose of the business continuity plan is to keep the business operating after a disaster occurs.
              The plan prepares for, reacts to, and recovers from events that affect the security of information
              assets, and covers the subsequent restoration of normal business operations. The plan ensures that
              critical business functions continue.
                             In the event of a major disaster, organizations can employ several strategies for business conti-
                         nuity. These strategies include hot sites, warm sites, cold sites, and off-site data storage. A hot site is
                         a fully configured computer facility, with all services, communications links, and physical plant oper-
                         ations. A hot site duplicates computing resources, peripherals, telephone systems, applications, and
                         workstations. A warm site provides many of the same services and options of the hot site. However,
                         a warm site typically does not include the actual applications the company needs. A warm site does
                         include computing equipment such as servers, but it often does not include user workstations. A
                         cold site provides only rudimentary services and facilities. This type of site provides no computer
                         hardware or user workstations. Hot sites reduce risk to the greatest extent, but they are the most
                         expensive option. Conversely, cold sites reduce risk the least, but they are the least expensive option.
                         In addition to hot, warm, and cold sites, organizations also use off-site data storage services.
                             IT’s About Business 3.5 shows how disasters come in various flavours—hardware failure,
                         human error, or business-unfriendly programming. A well-designed business continuity plan
                         should be able to deal with many different types of problems.

                         INFORMATION SYSTEMS AUDITING
                         Companies implement security controls to ensure that information systems work properly.
                         These controls can be installed in the original system, or they can be added after a system is

              IT’S ABOUT BUSINESS 3.5

              How about a construction site accidentally knocking down a hydro-electric pole and cutting
              several fibre optic cables? (Fibre optic cables are high speed lines used for data
              communications.) On July 12, 2006, this happened in Toronto, resulting in the disruption of cable
              communications traffic to Rogers Communications Inc.’s data network. Rogers Communications, in
              turn, provides data network services to Research in Motion Limited (RIM), the company that sells
              BlackBerry personal digital assistants and provides e-mail and other electronic services. The
              damage occurred early in the morning, and it took until 5:30 p.m. for the bulk of the BlackBerry
              services to downtown Toronto to be rerouted through other carriers. So, backup procedures were in
              place (the traffic was routed around the damaged area), but it took many hours for this to happen.
              Poorly trained, or poorly instructed, employees cost money—but usually not hundreds of thousands
              of dollars for one error.
                 A typical procedure in most organizations is to erase old backup drives to make them available
              for new processing. But care has to be taken so that it’s the backup data that is erased rather
              than live data. An operator for the Alaska Department of Revenue was doing this type of
              maintenance, and accidentally reformatted the hard drive for a large oil fund used to issue
              cheques to residents for oil fund royalties. Unfortunately, he also reformatted the hard drive for
              the backup to this information. Specialists were unable to recover the data, so it had to be
              laboriously re-entered from paper records, for a total cost of $220,700. The moral of the story?
              Keep your paper backup. With the electronic versions all erased, the paper was the bottom-line
              backup for this organization.
                 What happens when your e-mail is rejected by a firewall because the firewall thinks that you
              are a spammer? Well, the recipient clearly does not get your e-mail. Performance Communications
              Group Inc., a marketing organization, was blacklisted from one of its clients. It turned out that
              there were several organizations sharing the same server, and one of the organizations had sent
              out mail that looked like spam. All of the organizations using that server were blacklisted by the
              firewall, since it used source addresses to do the automatic blacklisting. Your organization can
              also be blacklisted if it does not keep its e-mail listings current and too many e-mails bounce
              back as invalid, one of the signs of spammers that send e-mail to random addresses. If your e-mail
              cannot get through, then your backup systems are telephone and facsimile—not quite as fast or
              convenient as e-mail.

              Sources: Compiled from Associated Press, “Oops! Techie Wipes Out $38-Billion Fund,” March 20,
              2007; K. J. Bannan, “When They Say You Are a Spammer,” The New York Times, May 24, 2007, p. C10;
              T. Perkins, “BlackBerry Black-Out Dismays Bay Streeters,” The Toronto Star, July 13, 2006.

              QUESTIONS
              1. Think about the different computing resources and information that you have. What risks of
                 failure are they exposed to?
              2. Compare this with a large financial services organization, perhaps where you bank. What
                 additional risks of information system failure is this organization exposed to?
              3. What new methods of backup are you going to initiate now that you are aware of some of the
                 risks associated with information loss?
              in operation. Installing controls is necessary but not sufficient to provide adequate security. In
              addition, people responsible for security need to answer questions such as: Are all controls
              installed as intended? Are they effective? Has any breach of security occurred? If so, what actions
              are required to prevent future breaches?
                 These questions must be answered by independent and unbiased observers. Such observers
              perform the task of information systems auditing. An audit involves the accumulation and evalu-
              ation of evidence that is used to prepare a report about the information or controls that are being
              examined, using established criteria and standards. In an IS environment, an audit is an exam-
              ination of information systems, their control environment, general controls, or application con-
              trols (inputs, outputs, and processing).

              There are several types of auditors. External auditors, also referred to as independent auditors,
              work at a public accounting firm, auditing primarily financial statements. Government auditors
              work for the provincial or federal auditors general offices. Canada Revenue Agency auditors audit
              compliance with tax legislation. Internal auditors work for specific organizations, and may have
              the Certified Internal Auditor (CIA) designation. Specialist auditors can be from a variety of fields.
              Information systems auditors, for example, may work for any of the above organizations, and
              may have a Certified Information Systems Auditor (CISA) designation.
                 IS auditing is usually conducted as part of the controls evaluation for the financial statement
              audit or as part of internal auditing, which looks at the efficiency or effectiveness of systems.
                 IS auditing is a broad topic, so we present only its essentials here. Auditing focuses on top-
              ics such as operations, data integrity, software applications, security and privacy, budgets and
              expenditures, cost control, and productivity. Guidelines are available to assist auditors in their
              jobs, such as those from the Institute of Internal Auditors or the Information Systems Audit
              and Control Association (ISACA).

              IS auditors conduct their work using a risk-based approach. They consider the likelihood of errors
              or fraud, or the risk of organizations not following their procedures. Then, they design proce-
              dures to test compliance or the percentages of errors. Information systems audits could be part
              of the evaluation of controls for a financial statement audit, which are required by statute for
              organizations that sell shares to the public, or for publicly accountable organizations such as
              registered charities.
                 Internal auditors conduct their audits based on a plan approved by management. This plan
              may look at areas where there are high risks of theft, such as an electronic commerce system,
              or at new systems development projects where there is an elevated potential for error, such as
              a new point-of-sale system. Where legislation is relatively new, such as privacy legislation, audi-
              tors could conduct a privacy audit to evaluate whether the organization is in compliance with
              the legislation.
                 Auditors could use computers in the actual conduct of their audit, by using software to cre-
              ate reports or by creating test data that is run through systems to evaluate their functioning.

               BEFORE YOU GO ON...
               1. Describe the major types of controls for information systems.
               2. What is information system auditing?
               3. What is the purpose of a disaster recovery plan?
                      WHAT’S IN IT FOR ME?
                      FOR THE ACCOUNTING MAJOR
                      Public companies, their accountants, and their auditors now have significant information secu-
                      rity responsibilities. Accountants are now being held professionally responsible for reducing risk,
                      assuring compliance, reducing the risk of fraud, and increasing the transparency of transactions
                      according to generally accepted accounting principles (GAAP). Regulatory agencies require infor-
                      mation security, fraud prevention and detection, and internal controls over financial reporting
                      and the privacy of information. Forensic accounting, a combination of accounting and informa-
                      tion security, is one of the most rapidly growing areas in accounting today.

                      FOR THE FINANCE MAJOR
                      Because information security is essential to the success of organizations today, it is no longer
                      just the concern of the CIO. As a result of national and global regulatory requirements, respon-
                      sibility for information security also lies with the CEO and Chief Financial Officer (CFO).
                      Consequently, the security audit, including the security of information and information systems,
                      is a key concern for financial managers.
                           In addition, CFOs and treasurers are increasingly involved with investments in information
                      technology. They know that a security breach of any kind can have devastating financial effects
                      on a company. Banking and financial institutions are prime targets for computer criminals.
                      A related problem is fraud involving stocks and bonds that are sold over the Internet. Finance
                      personnel must be aware of both the hazards and the available controls associated with these

                      FOR THE MARKETING MAJOR
                      Marketing professionals have new opportunities to collect data on their customers, for exam-
                      ple, through business-to-consumer electronic commerce. Business ethics clearly state that this
                      data should be used internally by the company in accordance with its privacy policy, and must
                      be adequately protected. Marketers clearly do not want to be sued because of an invasion of
                      privacy concerning data collected for the company’s marketing database.
                           Customers expect their data to be properly secured. Profit-motivated criminals want that data.
                      Therefore, marketing managers must participate in the risk analysis of their operations.
                      Failure to protect corporate and customer data will cause significant public relations problems
                      and make customers very angry, causing them to go elsewhere.

                      FOR THE PRODUCTION/OPERATIONS MANAGEMENT MAJOR
                      Every process in a company’s operations—inventory purchasing, receiving, quality control, pro-
                      duction, and shipping—can be disrupted by an information technology security breach or an IT
                      security breach at a business partner. Any weak link in supply chain management or enterprise
                      resource management systems puts the entire chain at risk. Companies may be held liable for
                      IT security failures that impact other companies.
                           POM professionals help to decide whether to outsource (or offshore) manufacturing opera-
                      tions. In some cases, these operations are sent overseas to countries that do not have strict
                      labour laws. This situation raises serious ethical questions. For example, is it ethical to hire peo-
                      ple as employees in countries with poor working conditions in order to reduce labour costs?
              POM managers must answer other difficult questions: To what extent do security efforts reduce
              productivity? Are incremental improvements in security worth the additional costs?

              FOR THE HUMAN RESOURCES MANAGEMENT MAJOR
              Ethics is critically important to HR managers. HR policies describe the appropriate use of infor-
              mation technologies in the workplace. Questions arise such as: Can employees use the Internet,
              e-mail, or chat systems for personal purposes while at work? Is it ethical to monitor employ-
              ees? If so, how? How much? How often? HR managers help to formulate and enforce such
              policies while at the same time maintaining trusting relationships between employees and
                 HR managers also have responsibilities to maintain security over confidential employee data
              and provide a non-hostile work environment. In addition, they must ensure that all employees
              explicitly verify that they understand the company’s information security policies and procedures.

              FOR THE MIS MAJOR
              Ethics might be more important for MIS personnel than for anyone else in the organization,
              because they have control of the information assets. They also have control over a huge amount
              of personal information on all employees. As a result, the MIS function must be held to the high-
              est ethical standards.
                 The MIS function provides the security infrastructure that protects the organization’s infor-
              mation assets. This function is critical to the success of the organization, even though it is almost
              invisible until an attack succeeds. All application development, network deployment, and intro-
              duction of new information technologies have to be guided by IT security considerations. MIS
              personnel must customize the risk exposure security model to help the company identify secu-
              rity risks and prepare responses to security incidents and disasters.
                 Senior executives look to the MIS function for help in maintaining internal controls over
              information systems management and security. Other functional areas also look to the MIS
              function to help them meet their security responsibilities.

                      1. Describe the major ethical issues related to information technology, and identify situations
                           in which they occur. The major ethical issues related to IT are privacy, accuracy, property
                           (including intellectual property), and accessibility to information. Privacy may be violated
                           when data is held in databases or transmitted over networks. Privacy policies that address
                           issues of data collection, data accuracy, and data confidentiality can help organizations
                           avoid legal problems. Intellectual property is the intangible property created by individuals
                           or corporations that is protected under trade secret, patent, and copyright laws. The most
                           common intellectual property related to IT deals with software. Copying software without
                           paying the owner is a copyright violation, and it is a major problem for software vendors.

                      2. Describe the many threats to information security. There are numerous threats to informa-
                           tion security, which fall into the general categories of unintentional and intentional.
                           Unintentional threats include human errors, environmental hazards, and computer system
                           failures. Intentional threats include espionage, extortion, vandalism, theft, software attacks,
                           and compromises to intellectual property. Software attacks include viruses, worms, Trojan
                           horses, logic bombs, back doors, denial-of-service, alien software, and phishing. A growing
                           threat is cybercrime, which includes identity theft and phishing attacks.

                      3. Understand the various controls used to protect information systems. Information systems
                           are protected with a wide variety of controls such as security procedures, physical guards,
                           and detection software. Management is responsible for the control environment, the atti-
                           tudes, and the policies used as a framework to establish controls. General controls include
                           controls for the prevention, deterrence, detection, damage control, recovery, and correction
                           of information systems. The major types of general controls include physical controls,
                           access controls, administrative controls, and communications controls. Application controls
                           include input, processing, and output controls.

                      4. Explain IT auditing and planning for disaster recovery. Information systems auditing is a
                           specialization that helps financial, internal, government, or tax auditors evaluate or assess
                           controls or compliance with procedures or legislation. A detailed internal and external IT
                           audit may involve hundreds of issues and can be supported by both software and checklists.
                           Related to IT auditing is the preparation for disaster recovery, which specifically addresses
                           how to avoid, plan for, and quickly recover from a disaster.

                      KEY TERMS
access controls, 86
accountability, 64
adware, 80
alien software, 79
anti-malware systems (antivirus software), 89
application controls, 93
audit, 95
authentication, 86
authorization, 86
back door, 80
biometrics, 86
blacklisting, 89
brute force attack, 80
certificate authority, 91
code of ethics, 64
cold site, 94
communications control (see network control), 88
control, 84
control environment, 85
controls evaluation, 84
cookie, 81
copyright, 78
cybercrime, 71
cyberextortion, 71
cyberterrorism, 82
cyberwarfare, 82
demilitarized zone (DMZ), 89
denial-of-service (DoS) attack, 80
dictionary attack, 80
digital certificate, 91
digital dossier, 66
distributed denial-of-service (DDoS), 80
electronic surveillance, 66
employee monitoring system, 93
encryption, 90
ethics, 64
exposure, 72
firewall, 88
general control, 85
hot site, 94
identity theft, 77
information systems control, 72
intellectual property, 78
intrusion detection system, 89
keystroke logger (key logger), 80
least privilege, 88
liability, 64
logic bomb, 80
logical control, 86
malware, 75
network control (see communications control), 88
opt-in model, 68
opt-out model, 67
passphrase, 87
patent, 78
penetration test, 83
phishing attack, 80
physical control, 85
piracy, 79
privacy, 66
privacy code (see privacy policy), 67
privacy policy, 67
privilege, 88
profiling, 66
public-key encryption, 90
regular ID card, 87
responsibility, 64
reverse social engineering, 75
risk, 72
risk acceptance, 84
risk analysis, 84
risk limitation, 84
risk management, 84
risk mitigation, 84
risk transference, 84
SCADA, 81
screen scraper, 81
secure socket layer (SSL) (see transport layer security), 92
signature recognition, 87
smart ID card, 87
social engineering, 74
spam, 81
spamware, 81
spyware, 80
strong passwords, 87
threat, 72
token, 87
trade secret, 78
transport layer security (TLS) (see secure socket layer), 92
trap door (see back door), 80
Trojan horse, 80
tunnelling, 92
virtual private network (VPN), 91
virus, 80
voice recognition, 87
vulnerability, 72
vulnerability management system, 92
warm site, 94
whitelisting, 89
worm, 80
zero-day attack, 80

                      DISCUSSION QUESTIONS
                      1. Why are computer systems so vulnerable?
                      2. Why should information security be of prime concern to management?
                      3. Compare information security in an organization with insuring a house.
                      4. Why are authentication and authorization important to e-commerce?
                      5. Why is cross-border cybercrime expanding rapidly? Discuss possible solutions.
                      6. Discuss why the Sarbanes-Oxley Act and its Canadian equivalent, Bill 198, The Budget
                           Measures Act, are having an impact on information security.

                      PROBLEM-SOLVING ACTIVITIES
                      1. An information security manager routinely monitored the web surfing conducted by her
                           company’s employees. She discovered that many employees were visiting the “sinful six”
                           websites. (Note: The sinful six are websites with material related to pornography, gambling,
                           hate, illegal activities, tastelessness, and violence). She then prepared a list of the employ-
                           ees and their surfing histories and gave the list to management. Some managers punished
                           their employees. Some employees, in turn, objected to the monitoring, claiming that they
                           should have a right to privacy.
                           a. Is monitoring of web surfing by managers ethical? (Is it legal?) Support your answer.
                           b. Is employee web surfing on the “sinful six” ethical? Support your answer.
                           c. Is the security manager’s submission of the list of abusers to management ethical? Why
                              or why not?
                           d. Is punishing the abusers ethical? Why or why not? If yes, then what types of punishment
                              are acceptable?
                           e. What should the company do in order to rectify the situation?
                      2. Frank Abagnale Jr., the criminal played by Leonardo DiCaprio in the motion picture Catch Me If You
                           Can (2002), ended up in prison. However, when he left prison, he went to work as a consultant to
                           many companies on matters of fraud. Why do so many companies not report computer crimes?
                           Why do these companies hire the perpetrators (if caught) as consultants? Is this a good idea?
                      3. A critical problem is assessing how far a company is legally obligated to go in order to secure
                           personal data. Because there is no such thing as perfect security (i.e., there is always more
                           that you can do), resolving this question can significantly affect cost.
                           a. When are security measures that a company implements sufficient to comply with its
                           b. Is there any way for a company to know if its security measures are sufficient? Can you
                              devise a method for any organization to determine if its security measures are sufficient?
                      4. Assume that the daily probability of a tornado in Brampton is .07 percent. The chance of
                           your computer centre being damaged during such a tornado is five percent. If the centre is
                           damaged, the average estimated damage will be $4.0 million.
                           a. Calculate the expected loss in dollars.
                           b. An insurance agent is willing to insure your facility for an annual fee of $25,000. Analyze
                              the offer, and discuss whether to accept it.
                      5. A company receives 50,000 e-mail messages each year. Currently, the organization has no
                           firewalls. On the average, there are two successful hackings each year. Each successful hack-
                           ing results in loss to the company of about $150,000. A firewall is proposed at a cost of $75,000
                           and an annual maintenance fee of $6,000. The estimated useful life is three years. The chance
                           that an intruder will break through this firewall is 0.00002 percent. In such a case, there is a
                 30 percent chance that the damage will total $100,000, a 50 percent chance that the damage
                 will total $200,000, and a 20 percent chance that there will be no damage at all.
                 a. Should management buy this firewall?
                 b. A different firewall that is 99.9988 percent effective and that costs $90,000, with a useful
                    life of three years and an annual maintenance cost of $18,000, is available. Should the com-
                    pany purchase this firewall instead of the first one?
              6. Complete the computer ethics quiz at
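Activities 4 and 5 both apply the chapter's risk-analysis model: expected annual loss is the annual rate of occurrence multiplied by the loss from a single event, and a control (insurance as risk transference, a firewall as risk limitation) is worth buying when its annualized cost plus the loss it still lets through is lower than the expected loss of doing nothing. The following is an added worked example, not part of the textbook, that carries the two scenarios through that model and generalizes it to any number of candidate controls. The dollar figures and probabilities are the activities' own; reading the firewall's break-through probability as a probability per inbound message (so that 50,000 messages a year give the expected number of intrusions) is an assumption made here, as are the function and class names.

```python
"""Quantitative risk analysis for the tornado (activity 4) and firewall (activity 5) scenarios.

Model: annual loss expectancy (ALE) = annual rate of occurrence (ARO) x single loss
expectancy (SLE). A control pays for itself when its annualized cost plus the residual
ALE is below the ALE of doing nothing. Added example; the figures are the activities'
own, the per-message reading of the break-through probability is an assumption.
"""
from dataclasses import dataclass


def expected_loss_per_event(outcomes):
    """SLE from (probability, loss) pairs; the probabilities must sum to 1."""
    if abs(sum(p for p, _ in outcomes) - 1.0) > 1e-9:
        raise ValueError("outcome probabilities must sum to 1")
    return sum(p * loss for p, loss in outcomes)


def annual_loss_expectancy(aro, sle):
    return aro * sle


def tornado_expected_annual_loss(daily_probability, p_damage_given_tornado, damage, days=365):
    """ARO = expected tornado days per year x chance the centre is hit; loss only when it is."""
    aro = daily_probability * days * p_damage_given_tornado
    return annual_loss_expectancy(aro, damage)


def insurance_worthwhile(expected_annual_loss, annual_premium):
    """Risk transference: the premium is acceptable if it costs less than the loss it removes."""
    return annual_premium < expected_annual_loss


@dataclass
class Firewall:
    name: str
    purchase_cost: float
    useful_life_years: int
    annual_maintenance: float
    breakthrough_probability: float  # per inbound message (assumption)

    def annual_cost(self):
        """Purchase price spread evenly over the useful life, plus maintenance."""
        return self.purchase_cost / self.useful_life_years + self.annual_maintenance

    def residual_aro(self, messages_per_year):
        """Expected successful intrusions per year with this firewall in place."""
        return self.breakthrough_probability * messages_per_year

    def annual_total(self, messages_per_year, sle):
        return self.annual_cost() + annual_loss_expectancy(self.residual_aro(messages_per_year), sle)


def compare_controls(messages_per_year, baseline_aro, baseline_sle, breach_outcomes, firewalls):
    """Total annual cost of each option, including 'none' (risk acceptance); the lowest wins."""
    sle = expected_loss_per_event(breach_outcomes)
    costs = {"none": annual_loss_expectancy(baseline_aro, baseline_sle)}
    for fw in firewalls:
        costs[fw.name] = fw.annual_total(messages_per_year, sle)
    return costs


def best_option(costs):
    return min(costs, key=costs.get)


# Activity 4: 0.07 % daily tornado probability, 5 % chance of damage, $4.0M damage, $25,000 premium.
TORNADO_LOSS = tornado_expected_annual_loss(0.0007, 0.05, 4_000_000)

# Activity 5: 50,000 messages a year; two successful hacks a year at $150,000 each today.
BREACH_OUTCOMES = [(0.30, 100_000), (0.50, 200_000), (0.20, 0)]
FIREWALLS = [
    Firewall("first", 75_000, 3, 6_000, 0.00002 / 100),   # 0.00002 % break-through per message
    Firewall("second", 90_000, 3, 18_000, 1 - 0.999988),  # 99.9988 % effective
]
FIREWALL_COSTS = compare_controls(50_000, 2, 150_000, BREACH_OUTCOMES, FIREWALLS)

if __name__ == "__main__":
    print(f"tornado: expected annual loss ${TORNADO_LOSS:,.0f}, "
          f"insure for $25,000? {insurance_worthwhile(TORNADO_LOSS, 25_000)}")
    for name, cost in FIREWALL_COSTS.items():
        print(f"{name:>7}: ${cost:,.0f} per year")
    print("best option:", best_option(FIREWALL_COSTS))
```

Two caveats a practitioner would add. First, the answer to activity 5 depends entirely on how the break-through probability is read: per message, as here, the first firewall wins comfortably; if the figure were instead the chance of stopping each of the two known attacks, both firewalls would look nearly identical and the decision would turn on price alone, so the assumption should be stated whenever such a number is quoted. Second, expected value alone ignores risk appetite: a $25,000 premium against a $51,100 expected loss is a good trade on average, but the reason most organizations buy it is that the single-event loss of $4.0 million would be unaffordable, not that the arithmetic favours it.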

              WEB ACTIVITIES
              1. Enter Find out what
                 the organization does. Learn about identity theft, e-mail scams, and website scams. Report
                 your findings.
              2. Visit and learn how to prohibit unsolicited e-mail (spam). Check out
                 Canada’s working group on anti-spam for the Canadian legal environment related to spam
        Describe how your privacy is
              3. Visit (Canadian Security Intelligence Service). Go to the
                 Integrated Threat Assessment Centre ( and find out about
                 the partner organizations involved. Do a search on “computer security” and document the
                 type of reports you find.
              4. Enter and other vendors of biometrics. Find the devices they make that
                 can be used to control access into information systems. Prepare a list of products and major
                 capabilities of each.
              5. Access the website at The site offers the “Ten Commandments
                 of Computer Ethics.” Study these 10 and decide if any should be added.
              6. Software piracy is a global problem. Access the following websites: and
        What can organizations do to mitigate this problem? Are some
                 organizations dealing with the problem better than others?

              TEAM ASSIGNMENTS
              1. Access to learn more about how law enforcement agencies around
                 the world work together to fight consumer fraud. Each team should obtain current statistics on
                 one of the top five consumer complaint categories and prepare a report. Are any categories
                 growing faster than others? Are any categories more prevalent in certain parts of the world?
              2. Read 47, Canadian Bank Loses Data on 470,000 Customers,
                 and do a search on “Talvest security breach.” What else did you find? Describe the reaction of
                 Canada’s Privacy Commissioner to the breach. What could CIBC have done to prevent the loss
                 of the Talvest Mutual Funds information?

              Big Brother or Necessary Security Measures? Go to the Interactivities section on the WileyPLUS
              website and access Chapter 3: Ethics, Privacy, and Information Security. There you will find
              some animated, hands-on activities that help you make some decisions about ethical issues
              like privacy and electronic tracking at a hospital, manufacturing plant, and office.

              Information and Ethics at Club IT Go to the Club IT link on the WileyPLUS website. On the web-
              site, you will find some assignments that will help you learn how to apply IT solutions to a business.

CASE 3.2  CLICK FRAUD

THE BUSINESS PROBLEM
Spending on Internet ads is growing faster than any other sector of the advertising industry and is projected to reach $29 billion in the U.S. alone by 2010. About half of these dollars are paid by the click. Google and Yahoo! are making billions of dollars once collected by traditional print and broadcast outlets, based on the assumption that clicks are a reliable, quantifiable measure of consumer interest.

MostChoice offers consumers rate quotes and other information on insurance and mortgages. In 2006, the company paid Yahoo! and Google $2 million in advertising fees. The company is required to pay such fees only when prospective customers click on its ads.

Over the past three years, however, MostChoice has seen an increasing number of clicks coming from such places as Botswana, Mongolia, and Syria. This was strange, because MostChoice steers customers to insurance and mortgage brokers only in the United States. The validity of clicks on its ads is critically important to MostChoice, because the company pays up to $8 for each click.

The company is a victim of click fraud. Click fraud occurs in pay-per-click online advertising, when a person or automated computer program imitates a legitimate user clicking on an ad for the purpose of generating a fee per click without having any interest in the company of the advertisement. MostChoice estimates that click fraud has cost it more than $100,000 since 2003. The problem is magnified when large Internet companies (e.g., Yahoo! and Google) boost their profits by recycling ads to millions of other websites, ranging from the familiar, such as, to dummy web addresses that display lists of ads and very little else. When someone clicks on these recycled ads, companies such as MostChoice are billed. Google or Yahoo! then share the revenue with a chain of website hosts and operators. About one penny trickles down to the actual people who click on the ads.

“Paid to read” rings pay hundreds of thousands of individuals for clicking on ads. One couple set up dummy websites filled with only recycled Google and Yahoo! advertisements. They paid others small amounts to visit the sites, where they would click on the ads.

In other cases, “clickbot” software generates ad hits automatically and anonymously. Clickbots use proxy, or anonymous, servers to disguise a computer’s Internet protocol address (discussed in Chapter 5), and they can space clicks minutes apart to make them less conspicuous. Some criminals are creating botnets with thousands of zombie computers, each with clickbot software clicking away on ads.

THE SOLUTION
Google and Yahoo! say they filter out most questionable clicks and either do not charge for them, or reimburse advertisers who have been incorrectly billed. The two companies maintain that they use sophisticated mathematical formulas and intelligence from advertisers to identify the vast majority of fake clicks. However, they will not release their specific methods, because criminals would exploit the information. Yahoo! in Canada offers a “continental opt-out,” so customers can prevent e-mails from particular continents from clicking on their sites.

MostChoice assigned an in-house programmer to design a system for analyzing every click on a company ad: the web page where the ad appeared, the clicker’s country, the length of the clicker’s visit to the MostChoice website, and whether the visitor became a customer. Using this data, the company continues to demand recompense from Google and Yahoo!, noting that they have received refunds from the two Internet giants totalling about $35,000 out of the $100,000 they say they are owed.

Mailworkz, a small company based in Halifax, Nova Scotia, has written commercial software called Eztrackz that can track the location clicks are coming from, and analyze these clicks to warn about potential click fraud. Dell Canada Corp. has its own proprietary software, called Landing Strip, that does the same thing for its own website.

THE RESULTS
The industry simply does not know exactly how widespread click fraud is. The practice is skewing statistics on the popularity of an ad, draining marketing budgets, and enriching the criminals behind it. Both Google and Yahoo! have been targeted by class-action lawsuits accusing the two companies of (1) a lack of transparency in methods used to detect click fraud and (2) conflict of interest in that both companies can profit from the click fraud that they are supposed to be filtering out.

If the click fraud problem is not fixed, then it will present a major obstacle to the further development of the Internet as an advertising medium. In fact, some analysts are questioning the value of Google and Yahoo! stock because they see click fraud as a tangible risk to the profits of the two firms.

Sources: Compiled from B. Helm, “Click Fraud Gets Smarter,” BusinessWeek Online, February 27, 2007; B. Helm, “How Do You Clock the Clicks?” BusinessWeek, March 13, 2006; B. Grow and B. Elgin, “Click Fraud,” BusinessWeek, October 2, 2006; M. Tutton, “Battling an Invisible Enemy,” Globe and Mail, May 9, 2007; D. Vise, “Clicking to Steal,” Washington Post, April 17.

QUESTIONS
1. How would Yahoo! and Google find people who are committing click fraud?
2. Is it a stretch to think that the value of Yahoo! and Google can be decreased as a result of undetected click fraud? Support your answer.
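The click-analysis system described under The Solution recorded, for every click, the page on which the ad appeared, the clicker’s country, the length of the visit, and whether the visitor became a customer. What follows is an added example, not MostChoice’s, Mailworkz’s, or Dell’s code, of scoring a click log on exactly those signals, extended with one check the case’s description of clickbots suggests: a source whose clicks arrive at near-constant intervals. The CSV format, field names, thresholds, IP addresses, and the sample rows are constructed for this illustration; the advertiser is assumed, like MostChoice, to serve U.S. customers only.

```python
"""Scoring pay-per-click log entries for click-fraud indicators.

Signals follow the case: referring page, clicker's country, visit length and
conversion, plus a timing check for the evenly spaced clicks the clickbot
description mentions. Added example, not MostChoice's, Mailworkz's or Dell's
code; log format, thresholds, addresses and sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

SERVED_COUNTRIES = {"US"}     # assumption: the advertiser only serves U.S. customers
MIN_DWELL_SECONDS = 5         # assumption: shorter non-converting visits look like bounces or bots
MAX_INTERVAL_JITTER = 5.0     # seconds of spread in click spacing below which a source looks scripted
MIN_CLICKS_FOR_TIMING = 3     # at least two intervals are needed before judging regularity

# Constructed sample log (documentation IP ranges): human visitors from a news site,
# one scripted source clicking every three minutes from an ad-list page, one stray foreign click.
SAMPLE_LOG = """\
click_id,timestamp,referrer,ip,country,dwell_seconds,converted
1,2007-03-01T09:00:00,news.example,198.51.100.7,US,95,1
2,2007-03-01T09:05:10,news.example,198.51.100.8,US,42,0
3,2007-03-01T09:10:00,adlist.example,203.0.113.5,BW,2,0
4,2007-03-01T09:13:00,adlist.example,203.0.113.5,BW,1,0
5,2007-03-01T09:16:00,adlist.example,203.0.113.5,BW,2,0
6,2007-03-01T09:19:00,adlist.example,203.0.113.5,BW,1,0
7,2007-03-01T09:30:00,news.example,198.51.100.9,US,120,1
8,2007-03-01T10:02:00,adlist.example,192.0.2.44,MN,3,0
"""


def parse_clicks(text):
    """Turn the CSV export into typed records."""
    clicks = []
    for row in csv.DictReader(io.StringIO(text)):
        clicks.append({
            "click_id": int(row["click_id"]),
            "ts": datetime.fromisoformat(row["timestamp"]),
            "referrer": row["referrer"],
            "ip": row["ip"],
            "country": row["country"],
            "dwell": int(row["dwell_seconds"]),
            "converted": row["converted"] == "1",
        })
    return clicks


def per_click_flags(click):
    """Indicators visible on a single click."""
    flags = []
    if click["country"] not in SERVED_COUNTRIES:
        flags.append("country-outside-market")
    if click["dwell"] < MIN_DWELL_SECONDS and not click["converted"]:
        flags.append("short-visit")
    return flags


def regular_interval_sources(clicks):
    """IPs whose clicks are spaced at near-constant intervals, the clickbot pattern."""
    stamps_by_ip = defaultdict(list)
    for c in clicks:
        stamps_by_ip[c["ip"]].append(c["ts"])
    suspicious = set()
    for ip, stamps in stamps_by_ip.items():
        if len(stamps) < MIN_CLICKS_FOR_TIMING:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= MAX_INTERVAL_JITTER:
            suspicious.add(ip)
    return suspicious


def referrer_summary(clicks):
    """Clicks and conversion rate per referring page; dummy ad-list pages deliver volume and no sales."""
    stats = defaultdict(lambda: {"clicks": 0, "conversions": 0})
    for c in clicks:
        stats[c["referrer"]]["clicks"] += 1
        stats[c["referrer"]]["conversions"] += int(c["converted"])
    return {ref: {**s, "conversion_rate": s["conversions"] / s["clicks"]} for ref, s in stats.items()}


def score_clicks(text):
    """Map click_id -> list of indicators, for every click that raised at least one."""
    clicks = parse_clicks(text)
    bot_ips = regular_interval_sources(clicks)
    report = {}
    for c in clicks:
        flags = per_click_flags(c)
        if c["ip"] in bot_ips:
            flags.append("regular-interval-source")
        if flags:
            report[c["click_id"]] = flags
    return report


def disputed_amount(text, cost_per_click):
    """Dollar value of flagged clicks: the figure an advertiser would take back to the ad network."""
    return len(score_clicks(text)) * cost_per_click


if __name__ == "__main__":
    for click_id, flags in score_clicks(SAMPLE_LOG).items():
        print(click_id, ", ".join(flags))
    print(referrer_summary(parse_clicks(SAMPLE_LOG)))
    print("disputed at $8 per click:", disputed_amount(SAMPLE_LOG, 8))
```

The country check is the weakest of the four signals, because the case itself notes that clickbots route through proxies to hide their addresses; a bot behind a U.S. proxy passes it. Dwell time, conversion rate per referring page, and regularity of timing survive that evasion, which is why an advertiser-side system should weight them more heavily. It is also why the ad networks, which see clicks across every advertiser and every page, are in a better position to detect fraud than any single advertiser, and why the conflict of interest raised in the case matters.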
