This document discusses ethical issues and security challenges related to information technology. It covers topics like computer crime, hacking, privacy, censorship, cyberlaw, and strategies for improving security such as encryption, firewalls, biometrics, and fault tolerant systems. The document provides examples and definitions to explain these concepts over several pages. It also includes two case studies and questions to help readers apply the concepts.

1. 11-1
McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.

2. Security and Ethical Challenges
Ethical issues in the use of Information Technology
Security Management
Chapter
11
McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.

3. 11-3
Learning Objectives
1. Identify several ethical issues in how the use of
information technologies in business affects
employment, individuality, working conditions,
privacy, crime, health, and solutions to societal
problems.
2. Identify several types of security management
strategies and defenses, and explain how they can
be used to ensure the security of business
applications of information technology.

4. 11-4
Learning Objectives
3. Propose several ways that business managers and
professionals can help to lessen the harmful effects
and increase the beneficial effects of the use of
information technology.

5. 11-5
Case 1: Machine Wars
Fighting Evil in Cyberspace
 Machine Wars
 Computers compromised and subverted by hackers
churn out spam and malicious code in relentless raids
 Spyware
 Phishing
 Trojan horses
 Fighting back
 Blocking spam
 Turning the network into a security device

6. 11-6
Case Study Questions
1. Why is automation becoming such an important
tool in cybercrime?
2. What is being done to combat the wide variety of
cybercrimes listed in the case?
3. Have you ever been a victim of a cybercrime? Do
you know how it happened? What did you do to
fix the problem and ensure it not happening again?

7. 11-7
Real World Internet Activity
1. The advent of various cybercrimes has spawned
new companies and products focusing on its
prevention. Using the Internet,
 See if you can find examples of companies that
specialize in preventing or combating cybercrimes.

8. 11-8
Real World Group Activity
 Cyberspace is a world without laws and can serve to
both help or hurt those who use it. In small groups,
 Discuss ways in which the Internet can be better
protected.
 What security measures should companies, business
professionals, and consumers take to protect their
systems from being damaged or infected by cyber
criminals?

9. 11-9
IT Security, Ethics and Society

10. 11-10
Ethical Responsibility
 Business professionals
 have a responsibility to promote ethical uses of
information technology in the workplace.

11. 11-11
Business Ethics
 Questions that managers must confront as part of
their daily business decision making including:
 Equity
 Rights
 Honesty
 Exercise of Corporate Power

12. 11-12
Ethical Business Issues
Categories

13. 11-13
Corporate Social Responsibility
Theories
 Stockholder Theory
 Managers are agents of the stockholders
 Their only ethical responsibility is to increase the
profits of the business
 Without violating the law or engaging in fraudulent
practices
 Social Contract Theory
 Companies have ethical responsibilities to all members
of society
 Which allow corporations to exist based on a social
contract

14. 11-14
Corporate Social Responsibility
Theories
 Stakeholder Theory
 Managers have an ethical responsibility to manage a
firm for the benefit of all its stakeholders
 Stakeholders are all individuals and groups that have a
stake in, or claim on, a company

15. 11-15
Principles of Technology Ethics
 Proportionality – the good achieved by the
technology must outweigh the harm or risk
 Informed Consent – those affected by the technology
should understand and accept the risks
 Justice – the benefits and burdens of the technology
should be distributed fairly
 Minimized Risk – even if judged acceptable by the
other three guidelines, the technology must be
implemented so as to avoid all unnecessary risk

16. 11-16
AITP Standards of Professional
Conduct

17. 11-17
Responsible Professional Guidelines
 Acting with integrity
 Increasing your professional competence
 Setting high standards of personal performance
 Accepting responsibility for your work
 Advancing the health, privacy, and general welfare
of the public

18. 11-18
Computer Crime
 The unauthorized use, access, modification, and
destruction of hardware, software, data, or network
resources
 The unauthorized release of information
 The unauthorized copying of software
 Denying an end user access to his or her own
hardware, software, data, or network resources
 Using or conspiring to use computer or network
resources illegally to obtain information or tangible
property

19. 11-19
How large companies protect
themselves from cybercrime
Source: 2003 Global Security Survey by Deloitte Touche Tohmatsu, New York, June 2003,
In Mitch Betts, “The Almanac,” Computerworld, July 14, 2003, p 42.

20. 11-20
Hacking
 The obsessive use of computers,
 Or the unauthorized access and use of networked
computer systems

21. 11-21
Common Hacking Tactics
 Denial of Service
 Hammering a website’s equipment with too many
requests for information
 Clogging the system, slowing performance or even
crashing the site
 Scans
 Widespread probes of the Internet to determine types
of computers, services, and connections
 Looking for weaknesses

22. 11-22
Common Hacking Tactics
 Sniffer
 Programs that search individual packets of data as they
pass through the Internet
 Capturing passwords or entire contents
 Spoofing
 Faking an e-mail address or Web page to trick users
into passing along critical information like passwords
or credit card numbers

23. 11-23
Common Hacking Tactics
 Trojan Horse
 A program that, unknown to the user, contains
instructions that exploit a known vulnerability in some
software
 Back Doors
 A hidden point of entry to be used in case the original
entry point has been detected or blocked
 Malicious Applets
 Tiny Java programs that misuse your computer’s
resources, modify files on the hard disk, send fake e-
mail, or steal passwords

24. 11-24
Common Hacking Tactics
 War Dialing
 Programs that automatically dial thousands of
telephone numbers in search of a way in through a
modem connection
 Logic Bombs
 An instruction in a computer program that triggers a
malicious act
 Buffer Overflow
 A technique for crashing or gaining control of a
computer by sending too much data to the buffer in a
computer’s memory

25. 11-25
Common Hacking Tactics
 Password Crackers
 Software that can guess passwords
 Social Engineering
 Gaining access to computer systems
 By talking unsuspecting company employees out of
valuable information such as passwords
 Dumpster Diving
 Sifting through a company’s garbage to find
information to help break into their computers

26. 11-26
Cyber Theft
 Computer crime involving the theft of money
 Often inside jobs
 Or use Internet to break in

27. 11-27
Unauthorized Use at Work
 Time and resource theft
 May range from doing private consulting or personal
finances, or playing video games, to unauthorized
use of the Internet on company networks

28. 11-28
Internet Abuses in the
Workplace
 General e-mail abuses
 Unauthorized usage and access
 Copyright infringement/plagiarism
 Newsgroup postings
 Transmission of confidential data
 Pornography – accessing sexually explicit sites
 Hacking
 Non-work related download or upload
 Leisure use of the Internet
 Usage of external ISPs
 Moonlighting

29. 11-29
Software Piracy
 Software Piracy
 Unauthorized copying of computer programs
 Licensing
 Purchase of software is really a payment for a license
for fair use
 Site license allow a certain number of copies
 A third of the software industry’s revenues are lost
due to piracy

30. 11-30
Theft of Intellectual Property
 Intellectual property
 Copyrighted material such as
 Music, videos, images, articles, books, software
 Copyright infringement is illegal
 Peer-to-peer networking techniques have made it
easy to trade pirated intellectual property

31. 11-31
Viruses and Worms
 Virus and worms copy annoying or destructive
routines into networked computers
 Often spread via e-mail or file attachments
 Computer Virus
 Program code that cannot work without being inserted
into another program
 Worm
 Distinct program that can run unaided

32. 11-32
Cost of viruses and worms
 Nearly 115 million computers were infected in 2004
 As many as 11 million computers are believed to be
permanently infected
 Total economic damage estimated to be between $166
and $292 billion in 2004
 Average damage per installed Windows-based
machine is between $277 and $366

33. 11-33
Adware and Spyware
 Adware
 Software that purports to serve a useful purpose
 But also allows Internet advertisers to display
advertisements (pop-up and banner ads)
 Without the consent of the computer’s user
 Spyware
 Adware that employs the user’s Internet connection in
the background without your permission or knowledge
 Captures information about you and sends it over the
Internet

34. 11-34
Privacy: Opt-in versus Opt-out
 Opt-in
 You explicitly consent to allow data to be compiled
about them
 Law in Europe
 Opt-out
 Data can be compiled about you unless you specifically
request it not be
 Default in the US

35. 11-35
Privacy Issues
 Violation of Privacy:
 Accessing individuals’ private e-mail conversations
and computer records,
 Collecting and sharing information about individuals
gained from their visits to Internet websites
 Computer Monitoring:
 Always knowing where a person is, especially as
mobile and paging services become more closely
associated with people rather than places

36. 11-36
Privacy Issues
 Computer Matching
 Using customer information gained from many sources
to market additional business services
 Unauthorized Personal Files
 Collecting telephone numbers, e-mail addresses, credit
card numbers, and other personal information to build
individual customer profiles

37. 11-37
Protecting your Privacy on the
Internet
 E-mail can be encrypted
 Newsgroup postings can be sent through anonymous
remailers
 ISP can be asked not to sell your name and personal
information to mailing list providers and other
marketers
 Decline to reveal personal data and interests on
online service and website user profiles

38. 11-38
Privacy Laws
 Rules that regulate the collection and use of personal
data by businesses and the government

39. 11-39
Censorship Issues
 Spamming
 Indiscriminate sending of unsolicited e-mail messages
to many Internet users
 Flaming
 Sending extremely critical, derogatory, and often
vulgar e-mail messages or newsgroup postings to other
users on the Internet or online services

40. 11-40
Cyberlaw
 Laws intended to regulate activities over the Internet
or via electronic data communications

41. 11-41
Other Challenges
 Employment
 IT creates new jobs and increases productivity
 But can also cause significant reductions in job
opportunities as well as different types of skills
required for new jobs
 Computer Monitoring
 Computers used to monitor the productivity and
behavior of employees as they work

42. 11-42
Other Challenges
 Working Conditions
 IT has eliminated monotonous or obnoxious tasks
 But some jobs requiring a skilled craftsman have been
replaced by jobs requiring routine, repetitive tasks or
standby roles
 Individuality
 Dehumanize and depersonalize activities because
computers eliminate human relationships
 Systems without flexibility

43. 11-43
Health Issues
 Cumulative Trauma Disorders (CTDs)
 Disorders suffered by people who sit at a PC or
terminal and do fast-paced repetitive keystroke jobs
 Carpal Tunnel Syndrome
 Painful crippling ailment of the hand and wrist

44. 11-44
Ergonomics
 Designing healthy work environments
 That are safe, comfortable, and pleasant for people to
work in
 Thus increasing employee morale and productivity

45. 11-45
Ergonomic Factors

46. 11-46
Case 2: Strategic Security
 OCTAVE Process Methodology to security
 Risk evaluation
 Risk management
 Organizational and cultural
 A principle of “reduction of risk on investment”

47. 11-47
Case Study Questions
1. What are security managers doing to improve
information security?
2. How does the OCTAVE methodology work to
improve security in organizations?
3. What does Lloyd Hession mean when he says
information security is “not addressed simply by
the firewalls and antivirus [tools] that are already
in place”?

48. 11-48
Real World Internet Activity
1. The focus on information security is an important
one for modern organizations of all sizes. Using
the Internet,
 See if you can find examples of companies that are
focused on improving information security.
 What approaches are they using to improve the
situation?

49. 11-49
Real World Group Activity
 Private and corporate information is under attack
from a wide variety of sources. In small groups,
 Discuss the various threats to information security.
 Are you doing your share to protect your information?

50. 11-50
Security Management
 The goal of security
management is the accuracy,
integrity, and safety of all
information system processes
and resources.
Source: Courtesy of Wang Global.

51. 11-51
Internetworked Security
Defenses
 Encryption
 Data transmitted in scrambled form and unscrambled
by computer systems for authorized users only

52. 11-52
Public/Private Key Encryption

53. 11-53
Internetworked Security
Defenses
 Firewalls
 A gatekeeper system that protects a company’s
intranets and other computer networks from intrusion
 By providing a filter and safe transfer point for access
to and from the Internet and other networks
 Firewalls are also important for individuals who
connect to the Internet with DSL or cable modems

54. 11-54
Internet and Intranet Firewalls

55. 11-55
How to Defend Against Denial of
Service Attacks
 At the zombie machines (computers commandeered
by cyber criminals)
 Set and enforce security policies
 Scan for vulnerabilities
 At the ISP
 Monitor and block traffic spikes
 At the victim’s website
 Create backup servers and network connections

56. 11-56
Internetworked Security
Defenses
 E-mail Monitoring
 Use of content monitoring software that scans for
troublesome words that might compromise corporate
security
 Virus Defenses
 Centralize the distribution and updating of antivirus
software
 Use security suite that integrates virus protection with
firewalls, Web security, and content blocking features

57. 11-57
Other Security Measures
 Security Codes
 Multilevel password system
 Encrypted passwords
 Smart cards with microprocessors
 Backup Files
 Duplicate files of data or programs
 System Security Monitors
 Programs that monitor the use of computer systems
and networks and protects them from unauthorized
use, fraud, and destruction

58. 11-58
Biometrics
 Computer devices that measure physical traits that
make each individual unique
 Examples:
 Voice verification
 Fingerprints
 Retina scan

59. 11-59
Computer Failure Controls
 Prevent computer failure or minimize its effects
 Preventative maintenance
 Arrange backups with a disaster recovery
organization

60. 11-60
Fault Tolerant Systems
 Systems that have redundant processors, peripherals,
and software that provide a:
 Fail-over capability to back up components in the event
of system failure
 Fail-safe capability where the computer system
continues to operate at the same level even if there is a
major hardware or software failure
 Fail-soft capability where the computer system
continues to operate at a reduced but acceptable level
in the event of system failure

61. 11-61
Disaster Recovery Plan
 Formalized procedures to follow in the event a
disaster occurs including:
 Which employees will participate
 What their duties will be
 What hardware, software, and facilities will be used
 Priority of applications that will be processed
 Use of alternative facilities
 Offsite storage of an organization’s databases

62. 11-62
Information Systems Controls
 Methods and devices that attempt to ensure the
accuracy, validity, and propriety of information
system activities

63. 11-63
Auditing IT Security
 IT security audits
 By internal or external auditors
 Review and evaluate whether proper and adequate
security measures and management policies have been
developed and implemented

64. 11-64
How to protect yourself from
cybercrime

65. 11-65
Case 3: A Day in the Life of the Patch
Patrol
 After Microsoft announces security alerts and fixes
 Race starts between hackers and virus writers and
the security administrators rushing to patch their
systems before an attack

66. 11-66
Case Study Questions
1. What types of security problems are typically
addressed by a patch management strategy? Why
do such problems arise in the first place?
2. What challenges does the process of applying
software patches and updates pose for many
businesses? What are the limitations of the
patching process?
3. Does the business value of a comprehensive patch
management strategy outweigh its costs,
limitations, and the demands it places on the IT
function? Why or why not?

67. 11-67
Real World Internet Activity
1. Anyone or any organization that uses Microsoft
products is familiar with the myriad of patches
necessary to keep up with managing potential
security risks. Using the Internet,
 See if you can find other examples of companies like
Shavlik that specialize in helping manage the
software patch process.

68. 11-68
Real World Group Activity
 Many people argue that software patches are simply
a way that software vendors can get away with
releasing products that are not fully tested. In small
groups,
 Discuss this issue.
 Is it reasonable to expect a complex operating system to
be completely secure and tested before being released?
 How would such a thorough approach to testing affect
the availability and price of complex software?