
1 Security, Privacy, and Ethical Issues in Information Systems and the Internet
Chapter 14 Although information technology has become so valuable most of us can’t imagine life without it, it also brings problems. After studying this chapter, you should be able to address the objectives on the next 2 slides.

2 Social Issues in Information Systems
Computer Waste
Cyber Crime
Privacy Issues
Ethical Issues
Health Concerns
Patent & Copyright Issues

3 Computer Waste
Personal use of corporate time and technology
Discarded technology and unused systems
Older systems may still have value
Software is often under-utilized
Computer waste is widespread in the public and private sectors, and is usually caused by the improper management of information technology. Some companies discard usable hardware and software that could be used elsewhere in the company, or sold or donated. Another example of computer waste occurs when significant resources are invested in the development of an information system, and then it is never used to its fullest extent. This happens for many reasons, but poor design and inadequate training are major causes. Employees playing computer games or surfing the Web at their desks on company time are also a source of waste, as are junk e-mail and junk faxes.

4 Should they be monitored?
According to a Vault.com survey, 90.3 percent of employees admit to surfing non-work-related sites every day, and 83.6 percent admit to sending personal e-mails every day. Managers should be scrambling to scrutinize server logs to prevent this epidemic of goofing off, right?

5 Should they be monitored?
“Using the Internet for errands or short personal breaks has become part of the fabric of normal human behavior.” Preventing personal use of the Internet and e-mail may not increase overall productivity. Why? What are the trade-offs, costs, or negatives if a company monitors and blocks personal use?

6 Should they be monitored?
“Employees who use the Internet to access pornography, hate groups, etc. can land a company in hot water.” Companies need to have an enforceable Internet-usage policy that clearly outlines what is acceptable and what isn't. What risks or problems could arise if a company does NOT have an Internet-usage policy?

7 Should they be monitored?
Companies are obligated to protect themselves by developing a strict Internet-usage policy. Monitoring systems should be in place for other reasons: to detect hackers, internal attacks, etc. Excessive personal usage may not imply poor productivity. How so? Use monitoring to deter inappropriate usage, but not as a measure of productivity.

8 Computer Mistakes
Data entry errors
Program bugs or errors
Accidental deletion or over-write
Inadequate planning for malfunctions
Inadequate computing resources
Failure to keep things updated

9 Preventing Computer Waste and Mistakes
Establish and implement policies
Monitor and review policies
Examples:
Requiring employees to update virus software
Requiring backup of key files
Requiring “modified-on dates” for websites
Required training
Make user manuals and documentation available
Preventive policies and procedures typically address the issues listed on this slide. Procedures relating to the acquisition and use of computers can avoid both waste and mistakes. For example, procedures could ensure that computers no longer needed in one part of the company would be used in another part, rather than discarded. Employees and groups are less likely to make mistakes using applications and technology if they have been properly trained in their use. Many organizations require that systems or applications meeting certain criteria must be approved by a committee or the IS department before they are acquired or implemented, to ensure they are compatible with existing systems, databases, and technology, and are cost-effective. Many organizations have established procedures to ensure that all systems, including those developed by end users, have adequate documentation.

10 Preventing Computer Waste and Mistakes
Siena as an example:
The Good
Tons of info online
Policies & procedures made public
Training is available
What else?
The Bad
Info poorly organized
Policies and procedures are NOT simple
Training is not mandatory
What else?

11 Computer Crime
Even with policies in place, computer crimes can occur. Computer crime is relatively risk-free compared to crimes such as bank robbery, and can often escape detection. Furthermore, because of computer processing speed and data communications, large amounts of money can be quickly stolen or diverted with the right know-how and equipment. Computer crime includes a wide range of categories, such as introducing viruses, stealing credit card numbers from on-line systems, and crashing Web sites.

12 Number of Incidents Reported to CERT
Established in 1988, CERT is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

13 Computer Crime and Security Survey
FBI Computer Crime and Security Survey of Companies, 2002:
90% - detected a security breach in the last 12 months
80% - acknowledged financial losses
74% - frequent external attacks via the Internet
34% - frequent internal attacks (insider job)
33% - reported incidents to the FBI

14 Simple Cyber Crime Techniques
Social engineering
talking a critical password out of someone
knowing typical hiding spots
Dumpster diving
gathering critical information about someone to help guess/break passwords, leading to identity theft
Computers can be used to access valuable information or steal funds. Recent examples of such crimes include stealing credit card numbers from on-line retailer CD Universe and stealing $10 million from Citibank. Individuals need to know how to gain access to the target computer system and know what to do to the system to achieve their objectives. Often, criminals gain the critical computer passwords or access codes needed simply by talking to employees. This is sometimes called social engineering. Another means used by many cyber criminals is dumpster diving, or searching through an organization’s garbage to find the information they need. Password sniffers are small programs that can be run on computers or networks to record logins and passwords. Furthermore, there are numerous websites that provide free tips and tools for doing such things as breaking into systems and crashing computers.

15 Computers as tools for criminals
Cyber-terrorism
From individual harassment online to a terrorist strike on critical IT infrastructure
Identity theft
From using an individual’s credit card to obtaining a fraudulent driver’s license or passport

16 The Criminals
Hacker
enjoys learning the details of how computer systems work
Cracker
a criminal hacker
Script Bunnies (Script Kiddies)
wannabe crackers who use scripts
Insider
disgruntled employees
Not only can computers be used to commit crimes, but they can be the object of crimes. These crimes include the illegal access and use of computer resources; the alteration or destruction of data; information and equipment theft; and software and Internet piracy. The term “hacker” has long been used to describe an individual who enjoys technology and spends much time learning about and using computers. “Cracker” is short for criminal hacker. Crackers are hackers who gain unauthorized access to computer systems. Some crackers are motivated by the challenge; others want to steal information or money. Individuals with little technical knowledge who download programs, called scripts, that automate breaking into computers are called script bunnies.

17 The Acts
Illegal Access
Hack into Equifax to see Bill Clinton’s credit report
Data Alteration
Hack into Citibank to increase an account balance
Data Destruction
Hack into Dr. Breimer’s account to delete future quizzes
Software Piracy
Warning: All we need is a technologically aware, pro-active DA, and a quarter of Siena would be in jail.

18 The Acts
Internet Scams
Nigerian letter fraud
Phishing
Tricking someone into sharing private information
Spam
Can be considered harassment
Spyware
Legal but dishonest access to private information
Viruses
Can be considered data alteration or destruction

19 Data Alteration and Destruction

20 Preventing Computer-Related Crime
Crime prevention by state and federal agencies
FBI handles a lot because of the inter-state issues
FBI hampered by international issues
CERT (Dept. of Defense)
Crime prevention by corporations
Public Key Infrastructure (PKI)
Biometrics (finger-printing mouse, voice recognition, etc.)
Antivirus programs
Although virtually all states have passed computer crime bills, they may not be effective, since companies don’t always detect or report computer crime and punishments are not severe. In 1986 Congress enacted the Computer Fraud and Abuse Act, which sets punishment based on the amount of the victim’s monetary loss. The Department of Defense supports CERT, the Computer Emergency Response Team, which responds to network security breaches and identifies potential threats. Several states have also passed laws to outlaw spamming, the practice of sending numerous unsolicited e-mails. The debate weighing free speech and decency on the Internet continues. U.S. courts have limited the government’s right to restrict content on the Internet. However, European countries have forced ISPs to ban newsgroups or services that violate their privacy and decency laws. Filtering software exists that parents can use to screen Internet content. With the increasing use of the Internet, libel on the Internet has become an important legal issue. Although publishers, such as newspapers, can be held liable for statements in their publications, court rulings to date seem to indicate that on-line services, such as AOL, are more like bookstores than publishers, and therefore not liable for content posted by others. Firewalls, as discussed in Chapter 7, can help secure an organization’s information system from unauthorized external access. It is also important for organizations to develop and enforce effective Internet security policies for all employees. Many companies have taken steps to fight computer crime. Many encrypt data to prevent its unauthorized use.
Some, particularly healthcare organizations, use biometrics, such as fingerprint, face, or retinal identification. Since preventing computer crime requires additional controls on information systems, organizations must identify potential computer-related crime, the consequences of that crime, and the cost and complexity of the controls needed to protect against loss from the crime. Sometimes the cost of the controls may outweigh the potential for loss.

21 Preventing Computer-Related Crime is a business
Firewalls
Hardware or software that can block access to a computer or network
Intrusion Detection Software
Uses sophisticated measures to detect intruders or suspicious activity
Managed Security Service Providers (MSSPs)
Consulting firms that manage security for smaller companies
Protection of Decency
Net Nanny and other filtering software

22 Internet Laws for Libel
A newspaper or publisher can be sued for libel or indecency in addition to the actual author.
Can an Internet Service Provider (AOL, MSN, etc.) be sued for libel or indecency?
How can they be responsible for all the content?
Don’t they have a right to protect the privacy of their customers?

23 How to Protect Your Corporate Data from Hackers
Systems with strong user authentication and data encryption
Up-to-date security patches and virus definitions
Disable guest accounts or no-password accounts
Put different services on separate dedicated servers. Why?
Turn on logs and audit trails
Conduct security audits
Frequent backup of data. Why?

24 Privacy
Privacy is the right to be out of public view or to be left alone. With today’s information systems and networks, the right to privacy has become a challenge. Data is continually collected and stored about you, and often transmitted over networks without your knowledge. Data about you is stored in countless databases. The question remains: if an organization used its resources to collect that data, is it their data, and can it use it any way it wants without your knowledge or consent? The federal government is most likely the largest data collector. Although federal legislation defines an individual’s privacy rights for data collected by federal agencies, very little such legislation exists for the private sector. The Internet poses major privacy issues: private data about individuals is easily accessible, sometimes without charge. The European Union has enacted privacy legislation that applies to all firms doing business in Europe. Although there is legislation before the U.S. Congress addressing Internet privacy, US citizens and businesses are skeptical about government involvement. The Online Privacy Alliance, a group supported by large companies such as AT&T, Microsoft and Walt Disney, is developing a voluntary code of conduct for Internet businesses to employ.

25 Privacy Issues
Privacy and the Federal Government
Individual privacy vs. national security
Privacy at work
Individual privacy vs. company’s right to protect itself
E-mail privacy
Business document or personal information?
Privacy and the Internet
Right to use vs. right to know?
Companies want to know more about their employees, and technology is available to help them. Keystrokes can be monitored, as can times the keyboard is not in use. This can be used to extrapolate such things as how long an employee takes for lunch or a break. It is legal for employers to monitor e-mail sent and received by employees, as well as retrieve deleted messages. In 1999 consumer groups were concerned about the processor serial number on Intel Pentium III chips, which could possibly be used to track an individual on the Internet. Intel discontinued the practice in 2000. Microsoft applications, such as Word and Excel, automatically record the creator of electronic documents and the computer on which the document was created. A hidden unique identifier is inserted into a document that identifies the Ethernet network adapter card of the computer on which the document was created. Thus, documents could be traced back to their creators. That ID is also sent to Microsoft when the owner registers Windows 98 online, so Microsoft knows your computer’s ID and could trace documents you create. Microsoft responded to customers and bad publicity by releasing patches to remove the ID function. The challenges to privacy from the Internet have been mentioned before. When buying products or giving personal information on the Internet, it is important to read the merchant’s privacy policy to understand what the website can do with the information you provide. Many sites give consumers the option of requesting that their data not be given to other companies.

26 Major Issue: Adware & Spyware
Free (and sometimes useful) software
Using it requires agreeing to a policy (double-negative trickery)
Gives the software permission to
Track your Internet usage
Share information about you
Should this type of business be outlawed?
Privacy protection vs. entrepreneurial freedom
What are the compromises?

27 Federal Privacy Laws and Regulations
The Privacy Act of 1979
Applies to federal agencies
Individuals can determine what records (pertaining to them) are collected, maintained, used, or disseminated.
Gramm-Leach-Bliley Act 1999
Applies to non-public financial institutions
Requires privacy policies to be in place
USA Patriot Act

28 Health Concerns
Repetitive stress injury (RSI)
Carpal tunnel syndrome (CTS)
Ergonomics
Continued work using computer keyboards, mice, or other equipment can lead to repetitive stress disorder and carpal tunnel syndrome, both resulting in pain in the fingers, wrist, or hand. Workers’ compensation claims for these disorders have been costly for some companies. There is contradictory evidence about other health effects, such as ozone released by improperly maintained laser printers and the relationship between emissions from computer displays and cancer. Ergonomics is the study of designing and positioning equipment to enhance employee safety and health. Ergonomics has suggested that furniture can be designed to decrease fatigue, strain, or injury from working with computers. The positioning of keyboards and display screens, as well as lighting, is also important.

29 Avoiding Health and Environment Problems
Maintain good posture and positioning.
Don’t ignore pain or discomfort.
Use stretching and strengthening exercises.
Find a good physician who is familiar with RSI and how to treat it.

30 Ethical Issues in Information Systems
The AITP Code of Ethics
Obligation to management
Obligation to fellow AITP members
Obligation to society
The ACM Code of Professional Conduct
Acquire and maintain professional competence
