Now What?

MIS 300, Chapter 9
Basic Concepts
- Waste and mistakes: Is it possible?
- Computers and crime: Aiding, abetting?
- Ethical behavior: Are computers ethically neutral?

Principles and Learning Objectives - 1
- Policies and procedures must be established to avoid computer waste and mistakes.
  – Describe some examples of waste and mistakes in an IS environment, their causes, and possible solutions.
  – Identify policies and procedures useful in eliminating waste and mistakes.

Principles and Learning Objectives - 2
- Computer crime is a serious and rapidly growing area of concern requiring management attention.
  – Explain the types and effects of computer crime.
  – Identify specific measures to prevent computer crime.
  – Discuss the principles and limits of an individual’s right to privacy.

Principles and Learning Objectives - 3
- Working conditions must be designed to avoid negative ethical consequences.
  – Outline criteria for the ethical use of information systems.

Computer Waste and Mistakes
- Computer waste
  – The inappropriate use of computer technology and resources
- Computer-related mistakes
  – Errors, failures, and other computer problems that make computer output incorrect or not useful

Computer Waste
- Discarding of technology
- Unused systems
- Personal use of corporate time and technology
- Spam
- Poorly designed systems
- Unintelligent system use

Computer-Related Mistakes
- Mistakes can be caused by unclear expectations and a lack of feedback
- A systems analyst might specify a system that is not what is needed or wanted
- A programmer might develop a program that contains errors
- Users might accept a system that is not what is needed or what is wanted
- A data-entry clerk might enter the wrong data

Preventing Computer-Related Waste and Mistakes
- Establishing policies and procedures
- Implementing policies and procedures
- Monitoring policies and procedures
- Reviewing policies and procedures

Establishing Policies and Procedures
Table 9.2: Types of Computer-Related Mistakes

Implementing Policies and Procedures
Table 9.3: Useful Policies to Eliminate Waste and Mistakes

Computer Crime
- Often defies detection
- The amount stolen or diverted can be substantial
- The crime is “clean” and nonviolent (so far!)
- The number of IT-related security incidents is increasing dramatically
- Computer crime is now global

Computer Crime (continued)
Figure 9.1: Number of Incidents Reported to CERT

The Computer as a Tool to Commit Crime
- Criminals need two capabilities to commit most computer crimes:
  – Knowing how to gain access to the computer system
  – Knowing how to manipulate the system to produce the desired result
- Social engineering
- Dumpster diving

Cyberterrorism
- Cyberterrorist: intimidates or coerces a government or organization to advance his or her political or social objectives by launching computer-based attacks against computers, networks, and the information stored on them
- Homeland Security Department’s Information Analysis and Infrastructure Protection Directorate

Identity Theft
- An imposter obtains key pieces of personal identification information, such as Social Security or driver’s license numbers, in order to impersonate someone else
- The information is then used to obtain credit, merchandise, and services in the name of the victim or to provide the thief with false credentials
- Identity Theft and Assumption Deterrence Act of 1998

The Computer as the Object of Crime
- Illegal access and use
- Data alteration and destruction
- Information and equipment theft
- Software and Internet piracy
- Computer-related scams
- International computer crime

Illegal Access and Use
- Hackers
- Criminal hackers (also called crackers)
- Script bunnies
- Insiders
  – Insiders are the most dangerous of all threats because they have the most knowledge about the system and its defenses

Illegal Access and Use - 2
Table 9.4: How to Respond to a Security Incident

Illegal Access and Use - 3
Table 9.4: How to Respond to a Security Incident (continued)

Data Alteration and Destruction
- Virus: a computer program capable of attaching to disks or other files and replicating itself repeatedly, typically without the user’s knowledge or permission
- Worm: an independent program that replicates its own program files until it interrupts the operation of networks and computer systems

Data Alteration and Destruction - 2
- Trojan horse: a program that appears to be useful but actually masks a destructive program
- Logic bomb: an application or system virus designed to “explode” or execute at a specified time and date

Using Antivirus Programs
- Antivirus program: program or utility that prevents viruses and recovers from them if they infect a computer
- Antivirus software should be run and updated often

Information and Equipment Theft
- To obtain illegal access, criminal hackers require identification numbers and passwords
  – Password sniffer
- Theft of data and software
- Theft of computer systems and equipment

Software and Internet Software Piracy
- Software piracy: the act of illegally duplicating software
- Internet software piracy: illegally downloading software from the Internet
- ALL of us are tempted and MOST of us succumb, but there is the problem of motivating creativity by all but an unusual group to create a variety of software.

Preventing Computer-Related Crime
- Crime prevention by state and federal agencies
- Crime prevention by corporations
  – Public key infrastructure (PKI): a means to enable users of an unsecured public network such as the Internet to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority
  – Biometrics: the measurement of one of a person’s traits, whether physical or behavioral

Preventing Computer-Related Crime (continued)
Table 9.8: Common Methods Used to Commit Computer Crimes

Preventing Computer-Related Crime (continued)
Table 9.8: Common Methods Used to Commit Computer Crimes (continued)

Preventing Computer-Related Crime (continued)
Table 9.9: How to Protect Your Corporate Data from Hackers

Preventing Computer-Related Crime (continued)
Table 9.9: How to Protect Your Corporate Data from Hackers (continued)

Privacy Issues
- With information systems, privacy deals with the collection and use or misuse of data
- Privacy and the federal government
- Privacy at work: you don’t have any privacy; it doesn’t exist
- Privacy and the Internet: caveat emptor

Privacy: The Basic Issue
- Information about the individual may or may not “belong” to the individual as “property”
- English common law, the basis of our general law, recognizes property rights as inherent and inviolable (in general)
- Intellectual assets differ in many ways from physical property
  – E.g., copyable without damage
  – E.g., valuable only for a brief period of time
  – E.g., can cause damage as well as be an asset

Information about Oneself
- In general this does NOT belong to the individual
  – Example: “public figure”
  – Example: customer records
  – Example: employee records
  – Example: one’s image (visual or audio)
- Information in general is inherent in an activity and belongs to that activity; the owner of the activity is the owner of the information.
- This is not a well-developed field with clear-cut principles that juries and judges adhere to.

Fairness in Information Use
Table 9.10: The Right to Know and the Ability to Decide

State Privacy Laws and Regulations
- State legislatures have been considering and passing privacy legislation that is far-reaching and potentially more burdensome to business than existing federal legislation
- State-by-state and county-by-county exceptions to the federal law complicate financial record keeping and data sharing

Corporate Privacy Policies
- Should address a customer’s knowledge, control, notice, and consent over the storage and use of information
- May cover who has access to private data and when it may be used
- A good database design practice is to assign a single unique identifier to each customer

Individual Efforts to Protect Privacy
- Find out what is stored about you in existing databases
- Be careful when you share information about yourself
- Be proactive to protect your privacy
- When purchasing anything from a Web site, make sure that you safeguard your credit card numbers, passwords, and personal information

Ethical Issues in Information Systems
- “Old contract” of business: the only responsibility of business is to its stockholders and owners
- “Social contract” of business: businesses are responsible to society
- There is great pressure on business to treat information about customers and employees as a corporate asset and also as an ethical stewardship responsibility.
- In Europe there are strong privacy laws.

Guilty!
We attribute “guilt” to an individual for an act if all of the following are true:
(1) The individual appears motivated to perform the act (potentially profit or avoid loss)
(2) The individual appears to have (had) the opportunity to perform the act
(3) The individual appears to have (had) the ability to perform the act
If any of these are missing, then we tend to label the individual “innocent” or the act “accidental”

Are These People Guilty?
- Alice sees Tom’s password stuck on the side of his monitor and memorizes it, then logs on to his and sends out a silly message as a joke.
- Bill takes his work laptop home to surf the Internet. On his laptop are thousands of customer records. A hacker hacks into his computer and steals the records, opening the customers to many potential problems.

More
- Carla uses her work computer to do cybershopping on Cyber Monday while she is supposed to be working.
- Dennis, a salesperson for Company X, notices that many of his department’s customers aren’t happy with his firm’s products, so he takes his list of customers home and copies it, intending to approach these customers later for his own business after he quits Company X.

What Is the Harm? What Should Be Done?
- Alice (password “borrowing”): Basically goofing off. Tom is not a responsible user.
- Bill (laptop surfing): Bill shouldn’t have been allowed to take records home. He is perhaps misusing a company resource.
- Carla (cybershopping): Computer is simply a venue for playing; theft of time.
- Dennis (record theft): Dennis is a thief. He’s stolen a company resource. Doesn’t require a computer to be a thief, but it helps.

Summary
- Preventing computer-related waste and mistakes requires establishing, implementing, monitoring, and reviewing policies and procedures
- Criminals need two capabilities to commit most computer crimes: knowing how to gain access to the computer system and knowing how to manipulate the system to produce the desired result

Summary - 2
- Categories of crimes in which the computer is the object of crime: illegal access and use, data alteration and destruction, information and equipment theft, software and Internet piracy, computer-related scams, and international computer crime

Summary - 3
- With information systems, privacy deals with the collection and use or misuse of data
- “Old contract” of business: the only responsibility of business is to its stockholders and owners
- “Social contract” of business: businesses are responsible to society