Chapter 10: Ethics, Privacy, and Security


This chapter explores the responsibilities organizations and individuals share to treat such data with care, make ethical decisions about its use, and protect it from countless threats. We examine ethical dilemmas in the collection and use of information, explore the elusive concept of privacy, and discuss the critical importance of information security in all organizations.

Copyright © 2015 Pearson Education, Inc.

Learning objectives
● Ethics
● Challenges
● Privacy
● Security
● Human behavior

The material in this chapter will enable you to:
1. Define ethics, describe two ethical frameworks, and explain the relationship between ethics and the law.
2. Explain how intellectual property and plagiarism pose challenges for information ethics, and describe technologies that are used to deal with them.
3. Describe information privacy and strategies to protect it, and explain why organizations may implement surveillance.
4. Explain the steps that organizations use to manage security risks, identify threats, assess vulnerabilities, and develop administrative and technical controls.
5. Explain why human behavior is often the weakest link for ethics, privacy, and security, and provide examples of strategies that can be used to counteract the weaknesses.

Wikipedia
● Freedom of speech
● Ethical dilemmas

Jimmy Wales, the founder of Wikipedia, vehemently supports freedom of speech, including the principle that anyone can contribute any information to the world’s largest open-source public reference work. But circumstances sometimes gnaw away at ethical commitments. When the New York Times reporter David Rohde was kidnapped by the Taliban, the newspaper’s editors begged Wales to suppress mention of it on Wikipedia, fearing it would reduce Rohde’s chances of survival. Wales asked his team to sanitize updates that mentioned the kidnapping as fast as they popped up. When that failed, he blocked off Rohde’s Wikipedia entry, securing it against any editing. Contributors were deeply divided over Wales’ decision to censor. Rohde eventually escaped to safety.

In another ethical dilemma, Wikipedia’s estranged co-founder Larry Sanger complained to the FBI that some entries featured child pornography. Without discussing it with the site’s administrators, Wales rushed to delete the images. In the ensuing uproar, Wales chose to relinquish his all-powerful access rights and downgraded his own account to a low-level administrator’s level, so the software’s security systems would prevent him from deleting anything.

Ethics, privacy, and security issues underscore how the human element is so tightly interwoven with the other three components of information systems: technology, processes, and data.

Ethical frameworks
● Natural law and rights
● Utilitarianism

Ethics refers to a system of moral principles that human beings use to judge right and wrong and to develop rules of conduct. Two ethical systems are widely adopted.

One system emphasizes natural laws and rights. It judges the morality of an action based on how well it adheres to broadly accepted rules, regardless of the action’s actual consequences. “Thou shalt not steal,” for example, is one of Christianity’s Ten Commandments, and religious principles form the basis for many underlying rules. Others emerge from beliefs about fundamental and natural rights that belong to human beings. The U.S. Declaration of Independence lists life, liberty, and the pursuit of happiness as inalienable human rights.

A second system, called utilitarianism, considers the consequences of an action, weighing its good effects against its harmful ones. “First, do no harm,” is a precept of medical ethics ensuring physicians will heavily weigh the possible harmful consequences of their remedy. When you try to judge what action would create the greatest good for the greatest number, you are using a utilitarian scheme.

In many situations, both ethical approaches will lead people to the same conclusion about the proper action. But ethical dilemmas can arise when the application of different systems leads to different judgments about what is the ethical thing to do.

Ethics and the law
● Ethical principles
● Political pressures
● Legality vs. ethics

Laws are often grounded in ethical principles, such as the prohibition against murder and theft, or the protection of private property and free speech. The U.S. Bill of Rights codifies many ethical principles into the Constitution, such as freedom of religion, freedom of the press, and the right to trial by jury. Its Fourth Amendment, about protection from unreasonable search and seizure, helps shape expectations about privacy, as we discuss later. However, some laws have less to do with ethics and instead come into existence from the pushes and pulls of lobbying efforts and other political pressures. Laws don’t cover all ethical principles, so just because an action is legal does not mean it is ethical. Lying, for instance, is not illegal in most circumstances, but it can have horrific consequences and would be clearly unethical under any framework.

Ethical issues and ICT
● New elements
● Free speech
● Decision making

Information and communications technologies (ICT) also add important new elements to ethical decision making. First, they change the scope of effects, especially for the consequences of an action. Their worldwide, viral reach amplifies the extent of both good and harm, turning what might be a minor blunder into a catastrophe. ICT also affects decision making, especially because of the way the online world can change human behavior. People often become disinhibited when they interact online and the psychological distance between them is greater. These features can cause people to underestimate the harm their actions might inflict—out of sight, out of mind. For example, research shows that college students judge actions differently depending on whether ICT is involved. They consider cheating on tests, plagiarizing term papers, and illegal copying of intellectual property to be somehow more acceptable if they use the computer and the Internet to do it.

Information ethics

The ethical issues most important for managing information systems touch especially on the storage and transmission of digitized data. As that mound of data grows, the scope of information ethics grows with it, and so do the controversies. Intellectual property (IP), which is now overwhelmingly digitized, is one example. Some consider IP protection to be a natural right. Others argue that the greater good is served when information is as widely distributed as possible.

Intellectual property and plagiarism
● Digital rights management
● Plagiarism

Intellectual property (IP) includes intangible assets such as music, written works, software, art, designs, movies, creative ideas, discoveries, inventions, and other expressions of the human mind. Most societies have developed a maze of copyright laws, patents, and legal statutes to protect intellectual property rights. However, enforcing all those laws is nearly impossible when the IP is digitized. The Business Software Alliance reports large financial losses to businesses due to software piracy—more than $50 billion in 2009. For every $100 worth of software sold that year, another estimated $75 worth was installed illegally.

Digital rights management (DRM) refers to technologies that software developers, publishers, media companies, and other IP holders use to control access to their digital content. As the technologies mature, however, they are becoming less intrusive and letting IP holders provide some technology protection for their products.

A type of intellectual property theft that mushroomed with the easy cut-and-paste ability offered by word processors is plagiarism. Just as the Internet made plagiarism easy, it also made it easy to track. For example, Turnitin.com offers an “originality checking” service that color codes documents submitted to it, showing the sources of passages that match existing written work.

Privacy (1:2)
● Elusive
● What is privacy?
● Information privacy

Privacy has become elusive. On a typical day, you might visit hundreds of websites, enter dozens of search terms, download a few free screensavers, collect dozens of cookies, bid in an auction, upload a batch of photos, and click on some ads. Your photo might be snapped repeatedly by security cameras, and your credit card is swiped for every transaction. Your corporate ID badge, your car’s EZ pass, your mobile phone, your passport, and your GPS device track your whereabouts and movements. More than two-thirds of U.S. adults say they are seriously concerned about identity theft. The ease with which information systems can collect and interconnect data makes privacy a top ethical issue.

But what exactly is privacy? The United Nations identified privacy as a fundamental human right in 1999, but its definition remains hazy. Nevertheless, societies from ancient history onward recognize the concept. The Qur’an, the Bible, and Jewish law all refer to elements of privacy.

Information privacy, which refers to the protection of data about individuals, is a special concern for ICT. When all this data was on paper or in separate systems with clumsy interconnections, information privacy was easier to achieve. Now, it mainly rests on the decisions people, organizations, and governments make about what to collect, use, and distribute.

Privacy (2:2)
● Convenience
● Anonymity
● Surveillance

People are surprisingly willing to disclose personal data to marketers for a little convenience, a discount coupon, or a free digital sample. Allowing a site to leave cookies, for instance, means we experience a more compelling site on our next visit, one that features information, products and promotions tailored to our interests. To earn trust, organizations should clearly state in their privacy policies what they are collecting and why. They must also take great care to protect the data they do collect and adhere to their own policies.

Anonymity refers to a condition in which a person’s identity is unknown. On the positive side, anonymity protects people who participate in online support groups where they reveal embarrassing or stigmatizing facts without fear of disclosure. However, anonymity also protects criminals and spammers, as well as vengeful posters wreaking considerable harm or retaliation. Online identity can be obscured by using fake names, nicknames, free e-mail, and public computers. However, erasing digital tracks is far more challenging.

Surveillance technologies to monitor e-mail, web surfing, and other online communications are readily available to all organizations, and surveys show that many have already adopted them. Although sound reasons for surveillance exist, the downsides are not trivial. Despite concerns about “cyberslacking,” surveillance itself can sometimes cause a drop in productivity. Many people argue that it shows the employer does not trust them.

Information security
● Risk management

Information security broadly encompasses the protection of an organization’s information assets against misuse, disclosure, unauthorized access, or destruction. Many threats to information security arise both inside and outside the organization. They can be natural events or human-made, accidental, or deliberate. With countless threats and limited budgets, organizations can’t eliminate all risks and must make careful assessments to manage them. Risk managers consider many issues, beginning with a clear understanding of what information assets need protection. Laws play a large role, requiring organizations to safely secure medical records, financial information, social security numbers, academic records, and other sensitive data. Governments must secure classified documents, and companies must protect their trade secrets.

Identifying threats
● Malware and botnets
● Distributed denial of service
● Phishing
● Information leakage

Human-made threats barrage servers and desktop computers every day with automated attempts to install all types of malware—malicious software designed to attack computer systems. Many attacks are launched by criminal gangs that build and manage thousands of botnets. The term combines “robot” and “network” and refers to a collection of computers that have been compromised by malware, often through some vulnerability in their software or operating system. The gangs activate botnets to capture user IDs, passwords, credit card numbers, social security numbers, and other sensitive information.

Another grave threat posed by the botnets is the distributed denial of service (DDoS) attack, in which zombie computers are directed to flood a single site with rapid-fire page requests, causing it to slow to a crawl or just crash. DDoS attacks cost organizations many millions of dollars in downtime, lost business, and lost client goodwill.

Because botnets mask the actual source of the millions of incoming messages, they are often used for phishing attacks. These typically start with an e-mail which cleverly lures taxpayers to click on a link. Recipients land on what appears to be a genuine website, where they innocently type in their social security number and other personal details.

The threat of information leaks comes not just from cybercriminals. Employees can lose laptops and smartphones, mail containing backup media may go astray, and people may drop unshredded sensitive documents into the dumpster.

Assessing vulnerability
● Risk assessment
● Controls
● Risk matrix

An organization’s risk assessment must examine its vulnerabilities to determine how effective its existing security measures are. Once it has analyzed its vulnerabilities, the organization can evaluate controls that fill in security gaps and protect against specific threats. Industry standards are often used for this step.

Vulnerability depends on how likely any particular event may be. Risks also differ depending on the threat. The risk matrix lists the vulnerabilities in a table, and managers rate the level of risk each one presents in areas such as confidentiality, company reputation, finances, system availability, and operations. The matrix also includes an estimate of how likely that event might be, and may add other metrics to further refine the analysis. The matrix helps managers focus on the vulnerabilities that pose the greatest potential dangers.
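
The risk matrix described on this slide, worked through as an added example (not taken from the textbook or the presentation). The vulnerabilities and their ratings are constructed, and scoring each row as likelihood times the worst-rated area is one common convention assumed here, chosen so that a single severe area is not averaged away.

```python
from dataclasses import dataclass

# Impact areas named on the slide; the three-level scale is an assumption.
AREAS = ("confidentiality", "reputation", "finances", "availability", "operations")
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Vulnerability:
    name: str
    impact: dict      # area -> "low" | "medium" | "high"
    likelihood: str   # "low" | "medium" | "high"

    def validate(self):
        # A row with an unrated area would silently understate the risk.
        unrated = [a for a in AREAS if a not in self.impact]
        if unrated:
            raise ValueError(f"{self.name}: no rating for {unrated}")
        for level in (*self.impact.values(), self.likelihood):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown level {level!r}")

    def worst_impact(self):
        return max(LEVELS[self.impact[a]] for a in AREAS)

    def total_impact(self):
        return sum(LEVELS[self.impact[a]] for a in AREAS)

    def score(self):
        # Likelihood multiplied by the worst-rated area (assumed convention).
        return LEVELS[self.likelihood] * self.worst_impact()


def rate(*levels):
    """Build an impact dict from ratings given in AREAS order."""
    return dict(zip(AREAS, levels))


def rank(matrix):
    """Highest score first; ties broken by total impact, then by name."""
    for v in matrix:
        v.validate()
    return sorted(matrix, key=lambda v: (-v.score(), -v.total_impact(), v.name))


def render(matrix):
    """Plain-text table: one row per vulnerability, most pressing first."""
    header = (f"{'vulnerability':<40}"
              + "".join(f"{a[:5]:>7}" for a in AREAS)
              + f"{'likely':>8}{'score':>7}")
    rows = [header]
    for v in rank(matrix):
        cells = "".join(f"{v.impact[a][0].upper():>7}" for a in AREAS)
        rows.append(f"{v.name:<40}{cells}{v.likelihood[0].upper():>8}{v.score():>7}")
    return "\n".join(rows)


# Constructed sample matrix, for illustration only.
MATRIX = [
    Vulnerability("Outdated browser on lobby kiosk",
                  rate("low", "low", "low", "low", "low"), "high"),
    Vulnerability("Single data center, no failover",
                  rate("low", "medium", "high", "high", "high"), "low"),
    Vulnerability("Unencrypted laptops leave the building",
                  rate("high", "high", "medium", "low", "low"), "medium"),
    Vulnerability("Shared admin password on file server",
                  rate("high", "medium", "medium", "medium", "medium"), "high"),
]

if __name__ == "__main__":
    print(render(MATRIX))
```

The kiosk and the data center tie on score, and the tie-break on total impact puts the data center first because it is rated high in three areas.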

Administrative security controls
● Processes
● Policies
● Incidence response plan

Administrative security controls include all the processes, policies, and plans the organization creates to enhance information security and ensure it can recover if things go awry. Some controls may establish information security policies that restrict the Internet sites employees can visit, or whether they can use the Internet at all. The processes and policies that control employee access to systems are some of the most sensitive. Industries that routinely handle sensitive information will need to put very strict policies in place and ensure employees adhere to them. Administrative controls extend beyond the organization to its vendors, suppliers, and customers, because they all could pose threats. To avoid chaos, missteps, and communications failures, the organization should also have a clear incidence response plan that staff use to categorize the threat, determine the cause, preserve any evidence, and also get the systems back online so the organization can resume business.

Technical security controls
● Authentication strategies
● Encryption
● Intrusion prevention

Technical controls for preventing unauthorized access draw on technologies that can authenticate people and determine what access privileges they should be granted. Most authentication strategies rely on something the user knows, something the user has in his or her possession, or something the user is. Biometric identifiers are also widely used. Multi-factor authentication combines two or more authentication strategies, creating much stronger security against unauthorized access to sensitive information.

A powerful technical control that protects sensitive data is encryption. This process transforms the data using mathematical formulas, so that no one can read it unless they know the key to unscrambling it. For Internet transmission, a popular strategy is public key encryption, which uses a pair of keys, one to encrypt the data and the other to decrypt it. One key is public, widely shared with everyone, but the other is private, known only to the recipient.

Many more tools are available now to prevent unauthorized traffic from entering the network and to detect any intrusions that do make it through. The most important defense is the firewall, a technical control that inspects incoming and outgoing traffic and either blocks or permits it according to rules the organization establishes. Firewall systems include features to detect suspicious events or breaches and alert managers immediately. Spam constitutes an estimated 90% of e-mail traffic, and intrusion prevention systems control this costly menace.

Information security and cloud computing
● Security considerations
● Standards and best practices

The trend for businesses to move toward cloud computing, where their mission-critical applications and data are hosted by a service off-site and accessed via the Internet, is largely driven by cost savings and convenience. IT managers worry about security for cloud computing, and whether cloud providers can adequately protect the organization’s most valuable assets. A movement is underway to develop security standards and best practices for cloud computing, along with transparent auditing mechanisms that will help assure potential clients that their information will be safe. The Cloud Security Alliance is a nonprofit organization that brings experts together to develop standards and controls that parallel those already required for e-commerce and medical records. The IT community holds mixed views on how safe their data will be in the cloud, and the fate of this architectural trend may well depend on robust security.

Human element (1:2)
● Cognitive issues
● Passwords

The sheer complexity of computers and information systems challenges even the brightest humans, and it is not surprising that people will turn off their security features for a few minutes to install software. We prefer to apply our cognitive skills to productive pursuits, and when security policies and procedures seem to get in the way, we may bypass them.

The limits of human memory (and patience) make the password, the most widely used authentication strategy, a serious vulnerability. On their own, people tend to create very weak passwords that are easy to remember but also easy to crack. Although technical controls can force users to embed numbers and nonalphabetic characters and change them frequently, the results are still not promising. Users then tend to write passwords down and reuse them on multiple systems, even far less secure systems such as online games and news sites. The cognitive roadblock to strong passwords is just the capacity of human memory. To reduce the cognitive load associated with multiple passwords, many organizations implement single sign-on, which is a gateway service that permits users to log in once with a single user ID and password and gain access to multiple software applications.
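
Why forced numbers and nonalphabetic characters give unpromising results, shown as an added example (not taken from the textbook or the presentation): a composition rule accepts passwords that are only a common word with predictable decoration, while a screening step that undoes the decoration catches them. The function names, the substitution table, and the short word list are constructed for illustration; a real deployment would screen against a large list of known-compromised passwords.

```python
import re

# Constructed sample of commonly chosen base words (illustrative only).
COMMON_BASES = {"password", "welcome", "summer", "qwerty", "letmein", "dragon"}

# Typical character swaps users make to satisfy composition rules (assumed table).
SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# The kind of rule the slide describes: length plus mixed character classes.
COMPOSITION_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def meets_composition_rules(password, min_length=8):
    """True when the password has the length and every required character class."""
    return len(password) >= min_length and all(
        re.search(pattern, password) for pattern in COMPOSITION_PATTERNS
    )


def base_word(password):
    """Reduce a password to the word it was built from.

    Leading and trailing digits and symbols are stripped first (the usual
    place users add them), then the remaining swaps are undone.
    """
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return core.lower().translate(SUBSTITUTIONS)


def is_decorated_common_word(password):
    return base_word(password) in COMMON_BASES


def accepted_but_weak(passwords):
    """Passwords the composition rule accepts although the base word is common."""
    return [
        p for p in passwords
        if meets_composition_rules(p) and is_decorated_common_word(p)
    ]


# Constructed candidates; the last one is a control that should not be flagged.
SAMPLES = ["Password1!", "P@ssw0rd1!", "Summer2015!", "W3lcome#9", "vT9#qLm2x!"]

if __name__ == "__main__":
    for candidate in SAMPLES:
        print(f"{candidate:<14} rules={meets_composition_rules(candidate)!s:<6}"
              f"base={base_word(candidate)!r:<14}"
              f"flagged={is_decorated_common_word(candidate)}")
```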

Human element (2:2)
● Social engineering
● Security awareness

Social engineering manipulates people into breaking normal security procedures or divulging confidential information. Humans are tempting targets for those with malicious intent who understand such behavior. One weak spot is the human desire to do a favor or help others. People routinely pass virus-laden hoaxes along to friends and neighbors, trying to be helpful. Respect for authority is another common human tendency that intruders use, relying on uniforms, titles, or just verbal hints that the company president wants something done. Humans are certainly not immune to greed, and scammers tap this human frailty routinely to persuade people to turn over confidential information.

Organizations should have robust security-awareness programs to help educate and continually remind people about the risks that lax security presents. The program should cover the organization’s own policies and procedures, as well as applicable laws and regulations about how information should be handled to ensure compliance. Beyond meeting legal compliance requirements, a security awareness program should also alert people to the many ways in which social engineering can exploit human tendencies toward kindness, helpfulness, greed, or just productivity. It should provide training in tools such as encryption and help people spot areas in which breaches might occur. Finally, it should reinforce the principle that the organization has an ethical responsibility to maintain information security.

Ethical decision making
● Sales rep
● Sixth grader
● University employee
● Coworker
● CFO

Consider the extent of harm each of these actions might inflict on other people, from customers, employees, and students to stockholders and citizens. How would you judge the actions of these people?

● A sales rep copies customer data to her smartphone and quickly drops it into a jacket pocket. Corporate policy forbids taking confidential documents out of the building, but she just wants to work on them at home to catch up. She leaves her jacket on the subway but says nothing to her supervisor about the incident.
● A sixth grader finds a USB drive in a school computer and sees the names and addresses of all the students and teachers. He uploads it to his social networking account so all his friends have contact information.
● A university employee looks up old academic records of political candidates and sends some provocative tidbits to the press.
● A coworker suspects an employee of accessing illicit websites at work but hesitates to mention it because it might get the employee in big trouble.
● Worried about some e-mail he exchanged with a supplier that might show a conflict of interest and get the company in legal trouble, the CFO asks someone in IT to delete his whole e-mail account from the server and backup media.

Summary
● Ethics
● Challenges
● Privacy
● Security
● Human behavior

1. Ethics is a system of moral principles used to judge right from wrong. One ethical framework focuses on fundamental rights and rules. A second, called utilitarianism, emphasizes the consequences of actions.
2. Information ethics focuses on the storage and transmission of digitized data, and raises both ethical and legal issues.
3. Privacy is under considerable pressure because of the growing volume of personal information online, the complexity of privacy settings and privacy policies, and users’ willingness to trade privacy for convenience.
4. Information security ensures the protection of an organization’s information assets against misuse, disclosure, unauthorized access, or destruction. Organizations use risk management to identify assets needing protection, identify threats, assess vulnerabilities, and determine the impact of each risk.
5. Human beings prize productivity highly and may neglect security when it interferes. Social engineering tactics take advantage of human behavioral tendencies to manipulate people into disclosing sensitive information. Training in security awareness and ethical decision making can help counteract these weaknesses.

Copyright © 2015 Pearson Education, Inc. publishing as Prentice Hall

Zynga case
● Develops social games
● Ended Petville creating player firestorm
● Ethical questions
● Future of Zynga

Social game developer Zynga is a leading player in the industry, with 240 million active users in more than 175 countries. Most people play the games on Facebook or on Zynga’s website (Zynga.com). Zynga’s popularity exploded in 2012 when revenue topped $1.2 billion. Expenses for game development and acquisitions are high, however, so despite 12.8% sales growth, the company posted a loss in net income. Zynga earns over 90% of its revenue from in-game purchases of virtual goods. The games are free to play, but advancement can take a long time. Players who want to advance more quickly can use their PayPal accounts to purchase in-game currency, energy points, or virtual goods.

Social games rise and fall in popularity, and Zynga pulls the plug on games that falter. With barely two weeks’ notice Zynga killed off Petville, and outraged players were furious. Thousands posted their sadness and anger on social media sites. Clearly, the players had an emotional investment in their virtual pets, and also in the social dimension of the game. Zynga offered credits for its other games, but Petville players were quite dismayed by the company’s lack of sensitivity.

There is a difference between terminating a product like shampoo and killing off a game like Petville. Even though the terms of service agreement gave the company vast leeway to terminate services and close down games, and Zynga’s metric-driven business strategy justified the shut-down, its approach generated a lot of ill will. It raised ethical questions. The company’s software is specifically designed to create emotional ties, so observers thought the company should have arranged a more sensitive closing. Certainly more advance notice was warranted.

Zynga is no longer closely tied to Facebook, which was taking a cut of Zynga’s profits. Its own website is open to anyone who loves gaming, whether a Facebook user or not. The company’s future is unclear, and time will tell whether Zynga can use its big data to better understand its own customers and develop a profitable business.

Spamhaus case
● Mission
● Block list
● Legal issues

Silently protecting the inboxes of over 1.4 billion people worldwide is an international nonprofit organization called Spamhaus, which describes its four-point mission as:

● Tracking the Internet’s spam operations
● Providing dependable real-time anti-spam protection for Internet networks
● Working with law enforcement agencies to identify and pursue spammers worldwide
● Lobbying governments for effective anti-spam legislation

Spamhaus maintains a “block list” containing the IP addresses believed to originate spam. Governments, corporations, universities, and other organizations check the list before delivering mail, blocking any messages whose senders match an entry on it. Spamhaus defines spam as any mail that is both unsolicited and sent in bulk. Mail that meets this definition may not be illegal in many places, including the United States, so Spamhaus is the target of many lawsuits claiming damages for lost business.
