Presentation on theme: "Using Information Ethically"— Presentation transcript:
1 Using Information Ethically
Managing and Using Information Systems: A Strategic Approach – Fifth Edition
Keri Pearlson and Carol Saunders
Chapter 12 Using Information Ethically
2 Learning Objectives
- Understand how ethics should be framed in the context of business practices and the challenges surrounding these issues.
- Define and describe the three normative theories of business ethics.
- List and define PAPA and why it is important.
- Identify the issues related to the ethical governance of IS.
- Understand organizations’ security issues and how organizations are bolstering security.
- Describe how security can be best enacted.
- Define the Sarbanes-Oxley Act and the COBIT framework.
(c) 2013 John Wiley & Sons, Inc.
3 Real World Example
- TJX Co. experienced the largest computer system security breach in the history of retailing.
- As many as 94 million customers were affected.
- TJX had to decide between notifying their customers immediately or waiting the 45 days allowed by the jurisdictions.
- If they waited, their customers might be further compromised by the breach.
- If they notified them immediately, they might lose customer confidence and face punishment from Wall Street.
4 Responsible Computing
- Companies encounter ethical dilemmas as they try to use their IS to create and exploit competitive advantages.
- They occur when there is no one clear way to deal with the ethical issue.
- Managers:
  - must assess initiatives from an ethical view.
  - are used to the overriding ethical norms present in their traditional businesses.
  - need to translate their current ethical norms into terms meaningful for the new electronic corporation in the information age.
- Information ethics are the “ethical issues associated with the development and application of information technologies.” (Martinsons and Ma)
- IT often lacks accepted norms of behavior or universally-accepted decision making criteria.
- Three theories of ethical behavior in the corporate environment: stockholder theory, stakeholder theory, and social contract theory.
5 Stockholder Theory
- Stockholders advance capital to corporate managers, who act as agents in advancing the stockholders’ ends.
- Managers are bound to the interests of the shareholders (i.e., maximizing shareholder value).
- As Milton Friedman said: “There is one and only one social responsibility of business: to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition, without deception or fraud.”
- Stockholder theory says the manager’s duties are to:
  - employ others by legal, non-fraudulent means.
  - take a long view of shareholder interest (i.e. forego short-term gains in favor of long-term value).
6 Stockholder Theory (Cont.)
- The stockholder theory provides a limited framework for moral argument.
- It assumes the free market has the ability to fully promote the interests of society at large.
- The singular pursuit of profit on the part of individuals or corporations does not maximize social welfare.
- Free markets can lead to monopolies and other circumstances that limit society members’ abilities to secure the common good.
- A proponent of stockholder theory might insist that, as agents of stockholders, managers must not use stockholders’ money to accomplish goals that do not directly serve the interests of those same stockholders.
7 Stakeholder Theory
- Stakeholder theory states:
  - Managers are entrusted with a responsibility—fiduciary or otherwise—to all those who hold a stake in or a claim on the firm.
  - Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.
- Stakeholders are:
  - any group that vitally affects the corporation’s survival and success.
  - any group whose interests the corporation vitally affects.
  - stockholders, customers, employees, suppliers, and the local community.
- Other groups may also be considered stakeholders depending on the circumstances.
8 Stakeholder Theory (Cont.)
- Stakeholders can stop participating if they feel that their interests haven't been considered by management.
- Examples include:
  - Customers can stop buying the company’s products.
  - Stockholders can sell their stock.
- Employees may need to continue working for the corporation even though they dislike practices of their employers or experience considerable stress due to their jobs.
- Research has shown that customers who receive adequate compensation after making a complaint are actually more loyal than those without complaints.
9 Social Contract Theory
- Social contract theory places social responsibilities on corporate managers to consider the needs of a society.
- What conditions would have to be met for the members of a society to agree to allow a corporation to be formed?
- Corporations are expected to add more value to society than they consume.
- The social contract has two components:
  - Social welfare. Corporations must provide greater benefits than their associated costs, or society would not allow their creation. Managers are obligated to pursue profits in ways that are compatible with the well-being of society as a whole.
  - Justice. Corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.
- Society charges the corporation to enhance its welfare by satisfying particular interests of consumers and workers in exploiting the advantages of the corporate form.
10 Social Contract Theory (Cont.)
- In the absence of a real contract whose terms subordinate profit maximization to social welfare, most critics find it hard to imagine corporations losing profitability in the name of altruism.
- The three normative theories of business ethics offer useful metrics for defining ethical behavior in profit-seeking enterprises under free market conditions (Figure 12.1).
- The three theories are represented by concentric circles.
  - Stockholder theory is the narrowest in scope and is in the center circle.
  - Stakeholder theory encompasses stockholder theory and expands on it.
  - Social contract theory covers the broadest area and is in the outer ring.
11 Figure 12.1 Three normative theories of business ethics.
Theory | Definition | Metrics
Stockholder | Maximize stockholder wealth in legal and non-fraudulent manners. | Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws?
Stakeholder | Maximize benefits to all stakeholders while weighing costs to competing interests. | Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly?
Social contract | Create value for society in a manner that is just and nondiscriminatory. | Does this action create a “net” benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just?
12 Corporate Social Responsibility
- The application of social contract theory helps companies adopt a broader perspective.
- A “big picture” view considers two types of corporate social responsibility:
  - Green computing. Green computing is a new way of doing business.
  - Ethical dilemmas with governments. More and more corporations are facing ethical dilemmas in our flattening world.
13 Green Computing
- Gartner put Green computing at the top of the list of upcoming strategic technologies.
- Green computing is:
  - concerned with using computing resources efficiently.
  - needed due to increasing energy demands to run IT infrastructure.
- The 5 largest search companies use more power than what is generated by Hoover Dam.
- Companies are working to adopt more socially responsible approaches to energy consumption by:
  - replacing older systems with more energy-efficient ones.
  - moving workloads based on energy efficiency.
  - using most power-inefficient servers only at peak usage times.
  - improving data center air flows.
  - turning to cloud computing and virtualization.
- By reducing our total energy consumption, we can be both sustainable and profitable.
- The need for green computing is becoming more obvious considering the amount of power needed to drive the world’s PCs, servers, routers, switches, and data centers.
14 Green Computing (Cont.)
- Green programs can have a triple bottom line (TBL)—economic, environmental, and social.
- Green programs create economic value while being socially responsible and sustaining the environment.
- A triple bottom line is also known as “3BL” or “People, Planet, Profit.”
- A social contract theory perspective:
  - Managers benefit society by conserving global resources when they make green, energy-related decisions about their computer operations.
- A stockholder theory perspective:
  - Energy-efficient computers reduce:
    - the direct costs of running the computing-related infrastructure.
    - the costs of complementary utilities such as cooling systems for the infrastructure components.
  - This creates a huge profit motivation for companies to turn “green.”
  - The companies can become more environmentally friendly and reduce their energy costs at the same time.
15 Ethical Tensions with Governments
- Organizations also face dilemmas reconciling their corporate policies with regulations in countries where they want to operate.
- “Managers may need to adopt much different approaches across nationalities to counter the effects of what they perceive as unethical behaviors.” (Leidner and Kayworth)
- Research in Motion (RIM) was threatened by the United Arab Emirates government.
- Censorship posed an ethical dilemma for Google.
16 PAPA: Privacy, Accuracy, Property, and Accessibility
- In an economy that is rapidly becoming dominated by knowledge workers, the value of information is tremendous.
- Collecting and storing information is becoming easier and more cost-effective.
- Richard O. Mason identified areas of information ethics in which the control of information is crucial; these are summarized by the acronym PAPA (Figure 12.2).
  - privacy
  - accuracy
  - property
  - accessibility
17 Figure 12.2 Mason’s areas of managerial control.
Area | Critical Questions
Privacy | What information must a person reveal about oneself to others? What information should others be able to access about you–with or without your permission? What safeguards exist for your protection?
Accuracy | Who is responsible for the reliability and accuracy of information? Who will be accountable for errors?
Property | Who owns information? Who owns the channels of distribution, and how should they be regulated?
Accessibility | What information does a person or an organization have a right to obtain? Under what conditions? With what safeguards?
18 Privacy
- Privacy has long been considered:
  - “the right to be left alone.” (Warren and Brandeis)
  - “protections from intrusion and information gathering by others.” (Stone et al.)
- Individuals have control to manage their privacy through choice, consent, and correction.
  - Choice: Individuals can select the desired level of access to their information, ranging from “total privacy to unabashed publicity.” (Tavani and Moore)
  - Consent: Individuals may exert control when they manage their privacy through consent. They can grant access to otherwise restricted information.
  - Control: Individuals have control in managing their privacy through the ability to access their personal information. They can correct errors and update their information.
- Many consider privacy to be the most important area in which their interests need to be safeguarded.
- The concern about privacy on Facebook (and other Internet sites) varies across the globe.
19 Privacy (Cont.)
- The tension between the proper use of personal information and information privacy is a serious ethical debate.
- Surveillance of employees (e.g. monitoring and computer utilization) challenges privacy.
- Individuals’ surfing behaviors are traced via cookies, beacons, flash cookies, and supercookies.
- A cookie is a text message given to a web browser by a web server.
- Using cookies to gather information was ruled as legal by U.S. courts.
- Websites are used to create rich databases of consumer profiles that can be sold.
- Managers must be aware of regulations that are in place regarding the authorized collection, disclosure, and use of personal information.
- Ethical debates of the information age.
20 The Right for Privacy
- Courts have decided that customers do not have a right to privacy while searching the Internet.
- This includes monitoring phone usage, location, ing behaviors, and a myriad of other behaviors.
- Customers give up privacy because:
  - they can receive personalized services in return.
  - they receive payment for the information at a price that exceeds what they are giving up.
  - they see providing information as something that everybody is doing (e.g. Facebook pages).
- What is posted on the web is there forever.
- It may be fun to share it now, but there could be potential unintended consequences in the future.
21 Privacy Legislation: United States
- U.S. privacy legislation relies on a mix of legislation, regulation, and self regulation.
- Privacy legislation is based on a legal tradition with a strong emphasis on free trade.
- The 1974 Privacy Act regulates the U.S. government’s collection and use of personal information.
- The 1998 Children’s Online Privacy Protection Act regulates the online collection and use of children’s personal information.
- The Gramm–Leach–Bliley Act of 1999 applies to financial institutions selling sensitive information—including account information, Social Security numbers, credit card purchase histories, and so forth—to telemarketing companies.
- The act allows the customer to opt-out, or specifically tell the institution that his or her personal information cannot be used or distributed.
22 Additional Privacy Legislation
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 safeguards the electronic exchange of privacy and information security in the health care industry.
- The Fair Credit Reporting Act limits the use of consumer reports provided by consumer reporting agencies to “permissible purposes” and grants individuals the right to access their reports and correct errors in them.
- The European Union differs from the U.S. by relying on:
  - omnibus legislation that requires creation of government data protection agencies.
  - registration of databases with those agencies.
  - prior approval before processing personal data in some cases.
23 U.S. and European Legislation
- U.S. companies were concerned that they would be unable to meet the European “adequacy” standard for privacy protection specified in the European Commission’s Directive.
- Directive 95/46/EC on Data Protection:
  - was established in 1998.
  - sets standards for the collection, storage, and processing of personal information.
  - prohibits the transfer of personal data to non-European Union nations that do not meet the European privacy standards.
- The U.S. Department of Commerce (DOC) developed a “safe harbor” framework in 2000 that:
  - allows U.S. companies to be placed on a list maintained by the DOC.
  - requires companies to demonstrate through a self-certification process that they are enforcing privacy at a level practiced in the European Union.
24 Accuracy
- The accuracy, or the correctness of information, dominates in corporate record-keeping activities.
- Accuracy requires better controls over the bank’s internal processes.
- Risks can be attributed to inaccurate information retained in corporate systems.
- Managers must establish controls to ensure that information is accurate.
- Data entry errors must be controlled and managed carefully.
- Data must be accurate and up-to-date (i.e., addresses and phone numbers).
- The European Union Directive on Data Protection:
  - requires accurate and up-to-date data.
  - makes sure that data is kept no longer than necessary to fulfill its stated purpose.
- Keeping data only as long as it is necessary to fulfill its stated purpose is a challenge many companies don’t even attempt to meet.
25 Property
- Vast amounts of data about clients are collected and stored.
- Data is:
  - shared with others.
  - used to create a more accurate profile of clients.
  - stored in a data warehouse.
  - “mined” to create a profile for something completely different.
- Who owns the data and has rights to it?
- Who owns the images that are posted in cyberspace?
- Managers must understand the legal rights and duties accorded to proper ownership.
- Information, which is costly to produce in the first place, can be easily reproduced and sold without the individual who produced it even knowing what is happening or being reimbursed for its use (Mason).
- The increase in monitoring leads to the question of property, or who owns the data.
26 Accessibility
- Accessibility, or the ability to obtain data, has become paramount.
- Users must gain:
  - the physical ability to access online information resources, or computational systems.
  - access to information itself.
- Managers’ challenges include:
  - deciding how to create and maintain access to information for society at large.
  - avoiding harming individuals who have provided the information.
  - ensuring access to information about employees and customers is restricted.
  - actively ensuring that adequate security and control measures are in place.
  - ensuring adequate safeguards in the companies of their key trading partners.
  - avoiding a surge in identity theft incidents—both true name and account takeover.
- Identity theft is a crime in which the thief uses the victim’s personal information (such as driver’s license number or Social Security number) to impersonate the victim.
27 A Manager’s Role in Ethical Information Control
- Managers must work to:
  - implement controls over information highlighted by the PAPA principles.
  - deter identity theft by limiting inappropriate access to customer information.
  - respect the customers’ privacy.
- Implement the following best practices:
  - Create a culture of moral responsibility. Top-level executives should promote responsibility for protecting both personal information and the organization’s IS. Internet companies should post their policies.
  - Implement governance processes for information control. COBIT and ITIL can help identify risks.
  - Avoid decoupling. Managers can decouple the impact to individuals from institutional processes and mechanisms.
28 Security and Controls
- The PAPA principles work hand in hand with security.
- Organizations appear to rely on luck rather than on proven IS controls.
- Emphasis is placed on using technology to protect organizational data from unauthorized hackers and undesirable viruses.
  - E.g., antivirus countermeasures, spam-filtering software, intrusion detection systems.
- Managers and IT staff must go to great lengths to protect the organization’s computers and infrastructure from unauthorized access or external threats such as:
  - hackers who seek to enter a computer for sport or for malicious intent.
  - telecommunications failures.
  - service provider failures.
  - spamming.
  - distributed denial of service (DDoS) attacks.
29 Security and Controls (Cont.)
- Inside threats to security include:
  - current and former employees seeking to sabotage the IS infrastructure and integrity of data.
  - unintentional human error or operational errors.
  - hardware or software failure.
  - natural disasters.
- Figure 12.3 summarizes three types of tools employed to manage the security and control: firewalls, passwords, and filtering tools.
- Additional technological approaches to security and privacy may include a combination of software and hardware (e.g., fingerprint-based biometric).
- The United Kingdom passed the Identity Cards Act in 2006 that required nationals to obtain a compulsory national identity card that contained 50 different types of information including name, birth date and place, current and past addresses, a head and shoulders photograph, fingerprints, an iris scan and other biometric information, personal reference information, and registration and record histories.
30 Figure 12.3 Security and control tools.
Security Category | Security Tools | Definition
Hardware system security and controls | Firewalls | A computer set up with both an internal network card and an external network card. This computer is set up to control access to the internal network and only lets authorized traffic pass the barrier.
Hardware system security and controls | Encryption and decryption | Cryptography or secure writing ensures that information is transformed into unintelligible forms before transmission and intelligible forms when it arrives at its destination to protect the informational content of messages.
Hardware system security and controls | Anonymizing tools and Pseudonym agents | Tools that enable the user to navigate the Internet either anonymously or pseudonymously to protect the identity of individuals.
Network and software security controls | Network operating system software | The core set of programs that manage the resources of the computer or network often have functionality such as authentication, access control, and cryptology.
Network and software security controls | Security information management | A management scheme to synchronize all mechanisms and protocols built into network and computer operating systems and protect the systems from unauthorized access.
Network and software security controls | Server and browser software | Mechanisms to ensure that errors in programming do not create holes or trapdoors that can compromise websites.
31 Figure (Cont.)
Security Category | Security Tools | Definition
Broadcast medium security and controls | Labeling and rating software | The software industry incorporates Platform for Internet Content Selection (PICS) technology, a mechanism of labeling web pages based on content. These labels can be used by filtering software to manage access. Also, online privacy seal programs such as Truste that inform users of online vendor’s privacy policies and ensures that policies are backed and enforced by reputable third parties.
Broadcast medium security and controls | Filtering/blocking software | Software that rates documents and web sites that have been rated and contain content on a designated filter’s “black list” and keeps them from being displayed on the user’s computer.
32 Approaches to Reduce Threats
- Efforts to reduce threats include:
  - top management support.
  - training and awareness programs for employees, customers, and other stakeholders.
  - development of security procedures and policies.
  - frequent security audits.
  - risk management programs.
33 Chapter 12 - Key Terms
- Accessibility (p. 365) - the ability to obtain the data.
- Accuracy (p. 364) - the correctness of information; assumes real importance for society as computers come to dominate in corporate record-keeping activities.
- Cookie (p. 361) - a text message given to a web browser by a web server.
- Green computing (p. 357) - concerned with using computing resources efficiently.
- Identity theft (p. 366) - crime in which the thief uses the victim’s personal information—such as driver’s license number or Social Security number—to impersonate the victim.
34 Chapter 12 - Key Terms (Cont.)
- Information ethics (p. 352) - the “ethical issues associated with the development and application of information technologies.” (Martinsons and Ma)
- Privacy (p. 359) - “the right to be left alone.” (Warren and Brandeis)
- Property (p. 365) - who owns the data.
- Social contract theory (p. 354) - places social responsibilities on corporate managers to consider the needs of a society.
- Stakeholder theory (p. 352) - managers, although bound by their relation to stockholders, are entrusted also with a responsibility—fiduciary or otherwise—to all those who hold a stake in or a claim on the firm.
- Stockholder theory (p. 353) - stockholders advance capital to corporate managers, who act as agents in furthering the stockholders’ ends.
35 Copyright 2013 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.