Security, Privacy, and Ethical Issues in Information Systems and the Internet Chapter 14.

Post on 21-Dec-2015


Security, Privacy, and Ethical Issues in Information Systems and the Internet

Chapter 14

Social Issues in Information Systems
• Computer Waste
• Cyber Crime
• Privacy Issues
• Ethical Issues
• Health Concerns
• Patent & Copyright Issues

Computer Waste
• Personal use of corporate time and technology
• Discarded technology and unused systems
  – Older systems may still have value
  – Software is often under-utilized

Should they be monitored?
• According to a Vault.com survey
  – 90.3 percent of employees admit to surfing non-work-related sites every day
  – 83.6 percent admit to sending personal e-mails every day
• Managers should be scrambling to scrutinize server logs to prevent this epidemic of goofing off, right?

Should they be monitored?
• “Using the Internet for errands or short personal breaks has become part of the fabric of normal human behavior.”
• Preventing personal use of the Internet and e-mail may not increase overall productivity. Why?
• What are the trade-offs, costs, or negatives if a company monitors and blocks personal use?

Should they be monitored?
• “Employees who use the Internet to access pornography, hate groups, etc. can land a company in hot water.”
• Companies need to have an enforceable Internet-usage policy that clearly outlines what is acceptable and what isn't.
• What risks or problems could arise if a company does NOT have an Internet-usage policy?

Should they be monitored?
• Companies are obligated to protect themselves by developing a strict Internet-usage policy.
• Monitoring systems should be in place for other reasons: to detect hackers, internal attacks, etc.
• Excessive personal usage may not imply poor productivity. How so?
• Use monitoring to deter inappropriate usage, but not as a measure of productivity.

Computer Mistakes
• Data entry errors
• Program bugs or errors
• Accidental deletion or over-write
• Inadequate planning for malfunctions
• Inadequate computing resources
• Failure to keep things updated

Preventing Computer Waste and Mistakes

Establish and Implement Policies Monitor and Review Polices Examples:

– Requiring employees to update virus software.– Requiring backup of key files– Requiring “modified-on dates” for websites.– Required training– Make user manuals and documentation

available

Preventing Computer Waste and Mistakes
• The Good
  – Tons of info online
  – Policies & procedures made public
  – Training is available
  – What else?
• The Bad
  – Info poorly organized
  – Policies and procedures are NOT simple
  – Training is not mandatory
  – What else?
• Siena as an example: http://www.siena.edu/technology/computing/

Computer Crime
• Number of Incidents Reported to CERT (chart)
• Established in 1988, CERT is a center of Internet security expertise located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.

Computer Crime and Security Survey
• FBI Computer Crime and Security Survey of Companies, 2002
  – 90% detected a security breach in the last 12 months
  – 80% acknowledged financial losses
  – 74% reported frequent external attacks via the Internet
  – 34% reported frequent internal attacks (insider job)
  – 33% reported incidents to the FBI

Simple Cyber Crime Techniques
• Social engineering
  – Talking a critical password out of someone
  – Knowing typical hiding spots
• Dumpster diving
  – Gathering critical information about someone
  – To help guess/break passwords
  – Leading to identity theft

Computers as tools for criminals
• Cyber-terrorism
  – From individual harassment online
  – to a terrorist strike on critical IT infrastructure
• Identity Theft
  – From using an individual's credit card
  – to obtaining a fraudulent driver's license or passport

The Criminals
• Hacker
  – Enjoys learning the details of how computer systems work
• Cracker
  – A criminal hacker
• Script Bunnies (Script Kiddies)
  – Wannabe crackers who use scripts
• Insider
  – Disgruntled employees

The Acts
• Illegal Access
  – Hack into Equifax to see Bill Clinton’s credit report
• Data Alteration
  – Hack into Citibank to increase an account balance
• Data Destruction
  – Hack into Dr. Breimer’s account to delete future quizzes
• Software Piracy
  – Warning: All we need is a technologically aware, pro-active DA, and a quarter of Siena would be in jail.

The Acts
• Internet Scams
  – Nigerian letter fraud
• Phishing
  – Tricking someone into sharing private information
• Spam
  – Can be considered harassment
• Spyware
  – Legal but dishonest access to private information
• Viruses
  – Can be considered data alteration or destruction

Data Alteration and Destruction

Preventing Computer-Related Crime
• Crime prevention by state and federal agencies
  – FBI handles a lot because of the inter-state issues
  – FBI hampered by international issues
  – CERT (Dept. of Defense)
• Crime prevention by corporations
  – Public Key Infrastructure (PKI)
  – Biometrics (finger-printing mouse, voice recognition, etc.)
  – Antivirus programs

Preventing Computer-Related Crime is a business
• Firewalls
  – Hardware or software that can block access to a computer or network
• Intrusion Detection Software
  – Uses sophisticated measures to detect intruders or suspicious activity
• Managed Security Service Providers (MSSPs)
  – Consulting firms that manage security for smaller companies
• Protection of Decency
  – Net Nanny and other filtering software

Internet Laws for Libel
• A newspaper or publisher can be sued for libel or indecency
  – in addition to the actual author
• Can an Internet Service Provider (AOL, MSN, etc.) be sued for libel or indecency?
  – How can they be responsible for all the content?
  – Don’t they have a right to protect the privacy of their customers?

How to Protect Your Corporate Data from Hackers
• Systems with strong user authentication and data encryption
• Up-to-date security patches and virus definitions
• Disable guest accounts or no-password accounts
• Put different services on separate dedicated servers. Why?
• Turn on logs and audit trails
• Conduct security audits
• Frequent backup of data. Why?
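The checklist above is what a hardening audit automates. As an added example (not from the slides), the following Python script checks the "disable guest accounts or no-password accounts" item against passwd- and shadow-style records; the guest-name list and the sample records are constructed assumptions, not data from any real system.

```python
# Added example (not from the slides): audit a passwd/shadow pair for
# accounts that the checklist says to disable: guest-type logins and
# accounts with no password. Sample records below are constructed.

# Guest-like names we treat as accounts to disable on a server (assumption).
GUEST_NAMES = {"guest", "visitor", "demo", "test"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}

def parse_colon_file(text):
    """Map account name -> list of fields for a colon-separated file."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            records[fields[0]] = fields
    return records

def audit_accounts(passwd_text, shadow_text):
    """Return (user, reason) pairs for interactive accounts to disable."""
    findings = []
    shadow = parse_colon_file(shadow_text)
    for name, fields in parse_colon_file(passwd_text).items():
        shell = fields[6] if len(fields) > 6 else ""
        if shell in NOLOGIN_SHELLS:
            continue  # no interactive login possible; skip
        sfields = shadow.get(name)
        pw = sfields[1] if sfields and len(sfields) > 1 else ""
        if pw == "":
            findings.append((name, "empty password field"))
        elif name in GUEST_NAMES and not pw.startswith(("!", "*")):
            findings.append((name, "guest account still enabled"))
    return findings

# Constructed sample: 'guest' is enabled, 'kiosk' has no password,
# 'demo' is already locked ('!'), daemon has a nologin shell.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest:x:1001:1001:Guest:/home/guest:/bin/bash
kiosk:x:1002:1002:Kiosk:/home/kiosk:/bin/sh
demo:x:1003:1003:Demo:/home/demo:/bin/bash
"""
SAMPLE_SHADOW = """root:$6$saltsalt$FAKEHASHFORDEMO:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest:$6$saltsalt$ANOTHERFAKEHASH:19000:0:99999:7:::
kiosk::19000:0:99999:7:::
demo:!:19000:0:99999:7:::
"""
```

Running `audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW)` reports `guest` (still enabled) and `kiosk` (empty password field); `demo` is skipped because its hash is locked with `!`.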

Privacy

Privacy Issues
• Privacy and the Federal Government
  – Individual privacy vs. national security
• Privacy at work
  – Individual privacy vs. company’s right to protect itself
• E-mail privacy
  – Business document or personal information?
• Privacy and the Internet
  – Right to use vs. right to know?

Major Issue: Adware & Spyware
• Free (and sometimes useful) software
  – Using it requires agreeing to a policy (double-negative trickery)
  – Gives software permission to
    • Track your Internet usage
    • Share information about you
• Should this type of business be outlawed? Privacy protection vs. entrepreneurial freedom
  – What are the compromises?

Federal Privacy Laws and Regulations
• The Privacy Act of 1979
  – Applies to federal agencies
  – Individuals can determine what records (pertaining to them) are collected, maintained, used, or disseminated
• Gramm-Leach-Bliley Act 1999
  – Applies to non-public financial institutions
  – Requires privacy policies to be in place
• USA Patriot Act

Health Concerns
• Repetitive stress injury (RSI)
• Carpal tunnel syndrome (CTS)
• Ergonomics

Avoiding Health and Environment Problems
• Maintain good posture and positioning.
• Don’t ignore pain or discomfort.
• Use stretching and strengthening exercises.
• Find a good physician who is familiar with RSI and how to treat it.

Ethical Issues in Information Systems
• The AITP Code of Ethics
  – Obligation to management
  – Obligation to fellow AITP members
  – Obligation to society
• The ACM Code of Professional Conduct
  – Acquire and maintain professional competence