Managing and Using Information Systems: A Strategic Approach – Fifth Edition
Using Information Ethically
Keri Pearlson and Carol Saunders
Chapter 12
Pearlson and Saunders – 5th Ed. – Chapter

Learning Objectives
- Understand how ethics should be framed in the context of business practices and the challenges surrounding these issues.
- Define and describe the three normative theories of business ethics.
- List and define PAPA and why it is important.
- Identify the issues related to the ethical governance of IS.
- Understand organizations’ security issues and how organizations are bolstering security.
- Describe how security can be best enacted.
- Define the Sarbanes-Oxley Act and the COBIT framework.
(c) 2013 John Wiley & Sons, Inc.
Real World Example
- TJX Co. experienced the largest computer system security breach in the history of retailing.
- As many as 94 million customers were affected.
- TJX had to decide between notifying their customers immediately or waiting the 45 days allowed by the jurisdictions.
  o If they waited, their customers might be further compromised by the breach.
  o If they notified them immediately, they might lose customer confidence and face punishment from Wall Street.
Responsible Computing
- Companies encounter ethical dilemmas as they try to use their IS to create and exploit competitive advantages.
  o They occur when there is no one clear way to deal with the ethical issue.
- Managers:
  o must assess initiatives from an ethical view.
  o are used to the overriding ethical norms present in their traditional businesses.
  o need to translate their current ethical norms into terms meaningful for the new electronic corporation in the information age.
- Information ethics are the “ethical issues associated with the development and application of information technologies.” (Martinsons and Ma)
Stockholder Theory
- Stockholders advance capital to corporate managers, who act as agents in advancing the stockholders’ ends.
  o Managers are bound to the interests of the shareholders (i.e., maximizing shareholder value).
  o As Milton Friedman said: “There is one and only one social responsibility of business: to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition, without deception or fraud.”
- Stockholder theory says the manager’s duties are to:
  o employ others by legal, non-fraudulent means.
  o take a long view of shareholder interest (i.e., forego short-term gains in favor of long-term value).
Stockholder Theory (Cont.)
- The stockholder theory provides a limited framework for moral argument.
  o It assumes the free market has the ability to fully promote the interests of society at large.
  o The singular pursuit of profit on the part of individuals or corporations does not maximize social welfare.
  o Free markets can lead to monopolies and other circumstances that limit society members’ abilities to secure the common good.
Stakeholder Theory
- Stakeholder theory states:
  o Managers are entrusted with a responsibility—fiduciary or otherwise—to all those who hold a stake in or a claim on the firm.
  o Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.
- Stakeholders are:
  o any group that vitally affects the corporation’s survival and success.
  o any group whose interests the corporation vitally affects.
  o stockholders, customers, employees, suppliers, and the local community.
- Other groups may also be considered stakeholders depending on the circumstances.
Stakeholder Theory (Cont.)
- Stakeholders can stop participating if they feel that their interests haven't been considered by management.
  o Examples include:
    – Customers can stop buying the company’s products.
    – Stockholders can sell their stock.
    – Employees may need to continue working for the corporation even though they dislike practices of their employers or experience considerable stress due to their jobs.
Social Contract Theory
- Social contract theory places social responsibilities on corporate managers to consider the needs of a society.
  o What conditions would have to be met for the members of a society to agree to allow a corporation to be formed?
  o Corporations are expected to add more value to society than they consume.
- The social contract has two components:
  o Social welfare. Corporations must provide greater benefits than their associated costs, or society would not allow their creation. Managers are obligated to pursue profits in ways that are compatible with the well-being of society as a whole.
  o Justice. Corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.
Social Contract Theory (Cont.)
- In the absence of a real contract whose terms subordinate profit maximization to social welfare, most critics find it hard to imagine corporations losing profitability in the name of altruism.
- The three normative theories of business ethics offer useful metrics for defining ethical behavior in profit-seeking enterprises under free market conditions (Figure 12.1).
  o The three theories are represented by concentric circles.
    – Stockholder theory is the narrowest in scope and is in the center circle.
    – Stakeholder theory encompasses stockholder theory and expands on it.
    – Social contract theory covers the broadest area and is in the outer ring.
Figure 12.1 Three normative theories of business ethics.

Stockholder
  Definition: Maximize stockholder wealth in legal and non-fraudulent manners.
  Metrics: Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws?

Stakeholder
  Definition: Maximize benefits to all stakeholders while weighing costs to competing interests.
  Metrics: Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly?

Social contract
  Definition: Create value for society in a manner that is just and nondiscriminatory.
  Metrics: Does this action create a “net” benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just?
Corporate Social Responsibility
- The application of social contract theory helps companies adopt a broader perspective.
- A “big picture” view considers two types of corporate social responsibility:
  o Green computing. Green computing is a new way of doing business.
  o Ethical dilemmas with governments. More and more corporations are facing ethical dilemmas in our flattening world.
Green Computing
- Gartner put green computing at the top of the list of upcoming strategic technologies.
- Green computing is:
  o concerned with using computing resources efficiently.
  o needed due to increasing energy demands to run IT infrastructure.
- The 5 largest search companies use more power than what is generated by Hoover Dam.
- Companies are working to adopt more socially responsible approaches to energy consumption by:
  o replacing older systems with more energy-efficient ones.
  o moving workloads based on energy efficiency.
  o using the most power-inefficient servers only at peak usage times.
  o improving data center air flows.
  o turning to cloud computing and virtualization.
- By reducing our total energy consumption, we can be both sustainable and profitable.
Green Computing (Cont.)
- Green programs can have a triple bottom line (TBL)—economic, environmental, and social.
  o Green programs create economic value while being socially responsible and sustaining the environment.
  o A triple bottom line is also known as “3BL” or “People, Planet, Profit.”
- A social contract theory perspective:
  o Managers benefit society by conserving global resources when they make green, energy-related decisions about their computer operations.
- A stockholder theory perspective:
  o Energy-efficient computers reduce:
    – the direct costs of running the computing-related infrastructure.
    – the costs of complementary utilities such as cooling systems for the infrastructure components.
Ethical Tensions with Governments
- Organizations also face dilemmas reconciling their corporate policies with regulations in countries where they want to operate.
- “Managers may need to adopt much different approaches across nationalities to counter the effects of what they perceive as unethical behaviors.” (Leidner and Kayworth)
  o Research in Motion (RIM) was threatened by the United Arab Emirates government.
  o Censorship posed an ethical dilemma for Google.
PAPA: Privacy, Accuracy, Property, and Accessibility
- In an economy that is rapidly becoming dominated by knowledge workers, the value of information is tremendous.
- Collecting and storing information is becoming easier and more cost-effective.
- Richard O. Mason identified areas of information ethics in which the control of information is crucial; these are summarized by the acronym PAPA (Figure 12.2).
  o privacy
  o accuracy
  o property
  o accessibility
Figure 12.2 Mason’s areas of managerial control.

Privacy
  Critical questions: What information must a person reveal about oneself to others? What information should others be able to access about you–with or without your permission? What safeguards exist for your protection?

Accuracy
  Critical questions: Who is responsible for the reliability and accuracy of information? Who will be accountable for errors?

Property
  Critical questions: Who owns information? Who owns the channels of distribution, and how should they be regulated?

Accessibility
  Critical questions: What information does a person or an organization have a right to obtain? Under what conditions? With what safeguards?
Privacy
- Privacy has long been considered:
  o “the right to be left alone.” (Warren and Brandeis)
  o “protections from intrusion and information gathering by others.” (Stone et al.)
- Individuals have control to manage their privacy through choice, consent, and correction.
  o Choice: Individuals can select the desired level of access to their information, ranging from “total privacy to unabashed publicity.” (Tavani and Moore)
  o Consent: Individuals may exert control when they manage their privacy through consent.
    – They can grant access to otherwise restricted information.
  o Control: Individuals have control in managing their privacy through the ability to access their personal information.
    – They can correct errors and update their information.
Privacy (Cont.)
- The tension between the proper use of personal information and information privacy is a serious ethical debate.
  o Surveillance of employees (e.g., monitoring and computer utilization) challenges privacy.
  o Individuals’ surfing behaviors are traced via cookies, beacons, flash cookies, and supercookies.
    – A cookie is a text message given to a web browser by a web server.
    – Using cookies to gather information was ruled as legal by U.S. courts.
  o Websites are used to create rich databases of consumer profiles that can be sold.
  o Managers must be aware of regulations that are in place regarding the authorized collection, disclosure, and use of personal information.
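The slide defines a cookie as a text message the server hands to the browser; what that message contains decides how far the cookie can be used for tracking and how exposed it is. The following is an added example, not material from the textbook: a small audit of Set-Cookie headers of the kind a privacy or security reviewer runs against a site. The two header strings are constructed for illustration (the domain example.test is a placeholder), and the attribute checks are the reviewer's own, not anything the chapter specifies.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample Set-Cookie headers for illustration (not taken from any real site).
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600",
    "tracker=xyz789; Domain=.example.test; Path=/; Expires=Fri, 31 Dec 2099 23:59:59 GMT",
]

ONE_YEAR = 365 * 24 * 3600


def parse_set_cookie(header):
    """Split one Set-Cookie header into name, value and a lower-cased attribute map.
    Flag attributes that carry no value (Secure, HttpOnly) are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def lifetime_seconds(attrs, now=None):
    """How long the browser will keep the cookie; None means a session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        expiry = parsedate_to_datetime(attrs["expires"])
        return int((expiry - now).total_seconds())
    return None


def audit_cookie(header, now=None):
    """Return the findings a privacy/security reviewer would raise for one cookie."""
    cookie = parse_set_cookie(header)
    a = cookie["attrs"]
    findings = []
    if "secure" not in a:
        findings.append("missing Secure: cookie can be sent over plaintext HTTP")
    if "httponly" not in a:
        findings.append("missing HttpOnly: cookie is readable by page scripts")
    if "samesite" not in a:
        findings.append("missing SameSite: cookie is attached to cross-site requests")
    life = lifetime_seconds(a, now)
    if life is not None and life > ONE_YEAR:
        findings.append("persistent for more than a year: long-term tracking identifier")
    if "domain" in a:
        findings.append(f"Domain={a['domain']}: shared with every subdomain")
    return findings


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_set_cookie(h)["name"], "->", audit_cookie(h) or ["no findings"])
```

The first header is a short-lived session cookie with the protective attributes set and produces no findings; the second is a multi-year, domain-wide cookie with none of them, which is the shape a tracking cookie typically takes and the shape a manager's privacy review should be asking about.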
The Right for Privacy
- Courts have decided that customers do not have a right to privacy while searching the Internet.
  o This includes monitoring phone usage, location, ing behaviors, and a myriad of other behaviors.
  o Customers give up privacy because:
    – they can receive personalized services in return.
    – they receive payment for the information at a price that exceeds what they are giving up.
    – they see providing information as something that everybody is doing (e.g., Facebook pages).
- What is posted on the web is there forever.
  o It may be fun to share it now, but there could be potential unintended consequences in the future.
Privacy Legislation: United States
- U.S. privacy legislation relies on a mix of legislation, regulation, and self-regulation.
  o Privacy legislation is based on a legal tradition with a strong emphasis on free trade.
- The 1974 Privacy Act regulates the U.S. government’s collection and use of personal information.
- The 1998 Children’s Online Privacy Protection Act regulates the online collection and use of children’s personal information.
- The Gramm–Leach–Bliley Act of 1999 applies to financial institutions selling sensitive information—including account information, Social Security numbers, credit card purchase histories, and so forth—to telemarketing companies.
  o The act allows the customer to opt out, or specifically tell the institution that his or her personal information cannot be used or distributed.
Additional Privacy Legislation
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 safeguards the electronic exchange of privacy and information security in the health care industry.
- The Fair Credit Reporting Act limits the use of consumer reports provided by consumer reporting agencies to “permissible purposes” and grants individuals the right to access their reports and correct errors in them.
- The European Union differs from the U.S. by relying on:
  o omnibus legislation that requires creation of government data protection agencies.
  o registration of databases with those agencies.
  o prior approval before processing personal data in some cases.
U.S. and European Legislation
- U.S. companies were concerned that they would be unable to meet the European “adequacy” standard for privacy protection specified in the European Commission’s Directive.
  o Directive 95/46/EC on Data Protection:
    – was established in
    – sets standards for the collection, storage, and processing of personal information.
    – prohibits the transfer of personal data to non-European Union nations that do not meet the European privacy standards.
- The U.S. Department of Commerce (DOC) developed a “safe harbor” framework in 2000 that:
  o allows U.S. companies to be placed on a list maintained by the DOC.
  o requires companies to demonstrate through a self-certification process that they are enforcing privacy at a level practiced in the European Union.
Accuracy
- The accuracy, or the correctness of information, dominates in corporate record-keeping activities.
  o Accuracy requires better controls over the bank’s internal processes.
  o Risks can be attributed to inaccurate information retained in corporate systems.
- Managers must establish controls to ensure that information is accurate.
  o Data entry errors must be controlled and managed carefully.
  o Data must be accurate and up-to-date (i.e., addresses and phone numbers).
- The European Union Directive on Data Protection:
  o requires accurate and up-to-date data.
  o makes sure that data is kept no longer than necessary to fulfill its stated purpose.
Property
- Vast amounts of data about clients are collected and stored.
  o Data is:
    – shared with others.
    – used to create a more accurate profile of clients.
    – stored in a data warehouse.
    – “mined” to create a profile for something completely different.
- Who owns the data and has rights to it? Who owns the images that are posted in cyberspace?
- Managers must understand the legal rights and duties accorded to proper ownership.
- Information, which is costly to produce in the first place, can be easily reproduced and sold without the individual who produced it even knowing what is happening or being reimbursed for its use (Mason).
Accessibility
- Accessibility, or the ability to obtain data, has become paramount.
  o Users must gain:
    – the physical ability to access online information resources, or computational systems.
    – access to information itself.
- Managers’ challenges include:
  o deciding how to create and maintain access to information for society at large.
  o avoiding harming individuals who have provided the information.
  o ensuring access to information about employees and customers is restricted.
  o actively ensuring that adequate security and control measures are in place.
  o ensuring adequate safeguards in the companies of their key trading partners.
  o avoiding a surge in identity theft incidents—both true name and account takeover.
A Manager’s Role in Ethical Information Control
- Managers must work to:
  o implement controls over information highlighted by the PAPA principles.
  o deter identity theft by limiting inappropriate access to customer information.
  o respect the customers’ privacy.
  o implement the following best practices:
    – Create a culture of moral responsibility. Top-level executives should promote responsibility for protecting both personal information and the organization’s IS. Internet companies should post their policies.
    – Implement governance processes for information control. COBIT and ITIL can help identify risks.
    – Avoid decoupling.
Security and Controls
- The PAPA principles work hand-in-hand with security.
- Organizations appear to rely on luck rather than on proven IS controls.
- Emphasis is placed on using technology to protect organizational data from unauthorized hackers and undesirable viruses.
  o E.g., antivirus countermeasures, spam-filtering software, intrusion detection systems.
- Managers and IT staff must go to great lengths to protect the organization’s computers and infrastructure from unauthorized access or external threats such as:
  o hackers who seek to enter a computer for sport or for malicious intent.
  o telecommunications failures.
  o service provider failures.
  o spamming.
  o distributed denial of service (DDoS) attacks.
Security and Controls (Cont.)
- Inside threats to security include:
  o current and former employees seeking to sabotage the IS infrastructure and integrity of data.
  o unintentional human error or operational errors.
  o hardware or software failure.
  o natural disasters.
- Figure 12.3 summarizes three types of tools employed to manage the security and control: firewalls, passwords, and filtering tools.
- Additional technological approaches to security and privacy may include a combination of software and hardware (e.g., fingerprint-based biometric).
Figure 12.3 Security and control tools.

Hardware system security and controls
  Firewalls: A computer set up with both an internal network card and an external network card. This computer is set up to control access to the internal network and only lets authorized traffic pass the barrier.
  Encryption and decryption: Cryptography or secure writing ensures that information is transformed into unintelligible forms before transmission and intelligible forms when it arrives at its destination to protect the informational content of messages.
  Anonymizing tools and pseudonym agents: Tools that enable the user to navigate the Internet either anonymously or pseudonymously to protect the identity of individuals.

Network and software security controls
  Network operating system software: The core set of programs that manage the resources of the computer or network often have functionality such as authentication, access control, and cryptology.
  Security information management: A management scheme to synchronize all mechanisms and protocols built into network and computer operating systems and protect the systems from unauthorized access.
  Server and browser software: Mechanisms to ensure that errors in programming do not create holes or trapdoors that can compromise websites.
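Figure 12.3 describes a firewall as the box between the external and internal network cards that "only lets authorized traffic pass the barrier". What makes that work is the policy the box evaluates: an ordered rule list with an explicit deny at the end, so anything nobody authorized is dropped and logged. The block below is an added example of that evaluation logic, not code from the textbook or from any firewall product. The network (a 10.0.0.0/8 internal LAN, a public web server at 203.0.113.10, outside hosts in 198.51.100.0/24) and the four sample packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    dst: str        # destination IP address
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    direction: str  # "in" = external card -> internal card, "out" = the reverse


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    src: str              # CIDR the source must fall in
    dst: str              # CIDR the destination must fall in
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (
            self.direction in ("any", p.direction)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


# Constructed policy: publish HTTPS on one server, let the LAN browse and resolve names,
# and end with an explicit default deny so every unmatched packet is dropped.
RULES = [
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
    Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "udp", 53),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", "any", None),
]


def evaluate(packet: Packet, rules=RULES):
    """First-match evaluation. Returns (action, index of the matching rule);
    a packet matching no rule at all is still denied (default deny)."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", None


def filter_traffic(packets, rules=RULES):
    """Return the per-packet decisions plus a log line for every denied packet,
    which is what a security analyst reviews afterwards."""
    decisions, log = [], []
    for p in packets:
        action, idx = evaluate(p, rules)
        decisions.append(action)
        if action == "deny":
            log.append(f"DENY {p.direction} {p.proto} {p.src} -> {p.dst}:{p.dport} (rule {idx})")
    return decisions, log


# Constructed sample traffic crossing the barrier.
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 443, "in"),  # public HTTPS to the web server
    Packet("198.51.100.7", "10.0.0.5", "tcp", 22, "in"),       # inbound SSH attempt at a LAN host
    Packet("10.0.0.5", "198.51.100.20", "tcp", 443, "out"),    # LAN user browsing out
    Packet("10.0.0.5", "198.51.100.20", "tcp", 25, "out"),     # direct outbound SMTP from a desktop
]

if __name__ == "__main__":
    decisions, log = filter_traffic(SAMPLE_PACKETS)
    print(decisions)
    print("\n".join(log))
```

Only the published service and the two outbound flows the policy names get through; the inbound SSH attempt and the unexpected outbound mail connection fall through to the final deny rule and show up in the log, which is the evidence the "frequent security audits" mentioned later in the chapter would be reviewing.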
Figure 12.3 (Cont.)

Broadcast medium security and controls
  Labeling and rating software: The software industry incorporates Platform for Internet Content Selection (PICS) technology, a mechanism of labeling web pages based on content. These labels can be used by filtering software to manage access. Also, online privacy seal programs such as Truste inform users of online vendors’ privacy policies and ensure that policies are backed and enforced by reputable third parties.
  Filtering/blocking software: Software that checks documents and websites against a designated filter’s “black list” of rated content and keeps matching items from being displayed on the user’s computer.
Approaches to Reduce Threats
- Efforts to reduce threats include:
  o top management support.
  o training and awareness programs for employees, customers, and other stakeholders.
  o development of security procedures and policies.
  o frequent security audits.
  o risk management programs.
Chapter 12 - Key Terms
- Accessibility (p. 365) - the ability to obtain the data.
- Accuracy (p. 364) - the correctness of information; assumes real importance for society as computers come to dominate in corporate record-keeping activities.
- Cookie (p. 361) - a text message given to a web browser by a web server.
- Green computing (p. 357) - concerned with using computing resources efficiently.
- Identity theft (p. 366) - crime in which the thief uses the victim’s personal information—such as driver’s license number or Social Security number—to impersonate the victim.
Chapter 12 - Key Terms (Cont.)
- Information ethics (p. 352) - the “ethical issues associated with the development and application of information technologies.” (Martinsons and Ma)
- Privacy (p. 359) - “the right to be left alone.” (Warren and Brandeis)
- Property (p. 365) - who owns the data.
- Social contract theory (p. 354) - places social responsibilities on corporate managers to consider the needs of a society.
- Stakeholder theory (p. 352) - managers, although bound by their relation to stockholders, are entrusted also with a responsibility—fiduciary or otherwise—to all those who hold a stake in or a claim on the firm.
- Stockholder theory (p. 353) - stockholders advance capital to corporate managers, who act as agents in furthering the stockholders’ ends.
Copyright 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.