Business Driven Information Systems 2e
CHAPTER 4: ETHICS AND INFORMATION SECURITY
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved

SECTION 4.1 ETHICS
4-3 ETHICS
– Ethics – the principles and standards that guide our behavior toward other people
– The legal system is also affected by technology

4-4 Information Has No Ethics
– Acting ethically and acting legally are not always the same thing
4-5 ETHICS
Issues affected by technology advances:
– Privacy
– Confidentiality
– Intellectual property, copyright, fair use doctrine
– Pirated software

4-6 Legal System
– Technology changes faster than the law
– “Unintended consequences” are the most common source of issues

4-7 Information (and Technology) Have No Ethics
– Information does not care how it is used
– Information will not stop itself from sending spam, viruses, or highly sensitive information
– Information cannot delete or preserve itself
4-8 DEVELOPING INFORMATION MANAGEMENT POLICIES
Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement. Epolicies typically include:
– Ethical computer use policy
– Information privacy policy
– Acceptable use policy
– privacy policy
– Internet use policy
– Anti-spam policy

4-9 Anti-Spam Policy
– Spam – unsolicited
– Accounts for 40% - 60% of and cost U.S. businesses over $14 billion in 2005

4-10 Monitoring Technologies
Common monitoring technologies include:
– Key logger or key trapper software
– Hardware key logger
– Cookie
– Adware
– Spyware
– Web log
– Clickstream
SECTION 4.2 INFORMATION SECURITY

4-12 Downtime
How Much Will Downtime Cost Your Business?

4-13 PROTECTING INTELLECTUAL ASSETS
– Organizational information is intellectual capital – it must be protected
– Information security – the protection of information from accidental or intentional misuse by persons inside or outside an organization
– Ebusiness automatically creates tremendous information security risks for organizations
4-14 THE FIRST LINE OF DEFENSE - PEOPLE
– The biggest issue surrounding information security is not a technical issue, but a people issue
– 33% of security incidents originate within the organization
– Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident

4-15 THE FIRST LINE OF DEFENSE - PEOPLE
The first line of defense an organization should follow to help combat insider issues:
– Information security policies
– Information security plan

4-16 THE FIRST LINE OF DEFENSE - PEOPLE
– Hackers frequently use “social engineering” to obtain passwords
– Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker

4-17 Other problems…
– Identity theft – the forging of someone’s identity for the purpose of fraud
– Phishing – a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent
4-18 THE SECOND LINE OF DEFENSE - TECHNOLOGY
There are three primary information technology security areas:
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response

4-19 Authentication and Authorization
– Authentication – a method for confirming users’ identities
– Authorization – the process of giving someone permission to do or have something
The most secure type of authentication combines:
1. Something the user knows
2. Something the user has
3. Something that is part of the user

4-20 Something the User Knows Such As a User ID and Password
– This is the most common way to identify individual users and typically consists of a user ID and a password
– This is also the most ineffective form of authentication
– Over 50 percent of help-desk calls are password related

4-21 Something the User Knows Such As a User ID and Password
Smart cards and tokens are more effective than a user ID and a password:
– Tokens
– Smart card

4-22 Something That Is Part Of The User Such As a Fingerprint or Voice Signature
– This is by far the best and most effective way to manage authentication
– Biometrics
– Unfortunately, this method can be costly and intrusive
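Slides 4-19 through 4-21 separate authentication (confirming who the user is) from authorization (what that user may then do) and recommend combining a password with a token. The following Python example, added here and not part of the textbook's material, puts both ideas into working code: a user is authenticated only when a salted PBKDF2 password check (something the user knows) and an HOTP-style six-digit code derived from a per-user token secret (something the user has) both pass, and only then is the requested action checked against the user's role. The user store, roles, permissions and the "correct horse" password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import struct

# Constructed in-memory user store for the example. Passwords are never kept
# in the clear: only a salted PBKDF2 hash is stored. The token secret stands in
# for the seed programmed into a hardware token or smart card.
_USERS = {}

# Constructed role-to-permission table (authorization data).
_PERMISSIONS = {
    "analyst": {"read_report"},
    "admin": {"read_report", "delete_report"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(user_id: str, password: str, role: str) -> bytes:
    """Enroll a user; returns the token secret that would be loaded onto the token."""
    salt = os.urandom(16)
    _USERS[user_id] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "token_secret": secrets.token_bytes(20),
        "role": role,
    }
    return _USERS[user_id]["token_secret"]


def token_code(secret: bytes, counter: int) -> str:
    """Six-digit HOTP code (RFC 4226 dynamic truncation of HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"


def authenticate(user_id: str, password: str, code: str, counter: int) -> bool:
    """Confirm identity: the password AND the token code must both verify."""
    user = _USERS.get(user_id)
    if user is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which user IDs exist.
        _hash_password(password, b"\x00" * 16)
        return False
    pw_ok = hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])
    code_ok = hmac.compare_digest(code, token_code(user["token_secret"], counter))
    return pw_ok and code_ok


def authorize(user_id: str, action: str) -> bool:
    """Decide whether an (already authenticated) identity may perform the action."""
    user = _USERS.get(user_id)
    return user is not None and action in _PERMISSIONS.get(user["role"], set())


def access(user_id: str, password: str, code: str, counter: int, action: str) -> str:
    """Full check in the order the slides describe: authenticate first, then authorize."""
    if not authenticate(user_id, password, code, counter):
        return "denied: authentication failed"
    if not authorize(user_id, action):
        return "denied: not authorized"
    return "allowed"


if __name__ == "__main__":
    seed = register("alice", "correct horse", "analyst")
    otp = token_code(seed, 1)  # the token and the server both track the counter
    print(access("alice", "correct horse", otp, 1, "read_report"))    # allowed
    print(access("alice", "correct horse", otp, 1, "delete_report"))  # denied: not authorized
```

Note that a correct password with a wrong token code fails exactly like a wrong password: the caller learns only that authentication failed, not which factor was at fault.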
4-23 Prevention and Resistance
– Downtime can cost an organization anywhere from $100 to $1 million per hour
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls

4-24 Encryption
– If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it
– Encryption
– Public key encryption (PKE)

4-25 Firewalls
– One of the most common defenses for preventing a security breach
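Slide 4-25 names the firewall as one of the most common defenses without showing what it actually decides. The Python example below, added here and not part of the textbook, models the core of a packet-filtering firewall: an ordered ruleset evaluated with first-match semantics and a default-deny fallthrough, plus a ruleset audit that flags rules shadowed by an earlier, broader rule (a common misconfiguration that silently disables a later deny). The rules, hosts and addresses are constructed for the demonstration and use the reserved documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything no rule covers gets the default (deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers
    every packet they would match. Such rules are dead configuration and,
    when the dead rule is a deny, a sign the ruleset is more open than intended."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                shadowed.append(i)
                break
    return shadowed


# Constructed ruleset: expose one web server to the world, allow SSH to the
# server network only from the administrators' network, deny everything else.
RULES = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80),
    Rule("allow", "198.51.100.0/24", "192.0.2.0/24", "tcp", 22),
    Rule("deny", "0.0.0.0/0", "192.0.2.0/24", "any", None),  # explicit final deny
]

if __name__ == "__main__":
    print(filter_packet(RULES, Packet("203.0.113.5", "192.0.2.10", "tcp", 443)))  # allow
    print(filter_packet(RULES, Packet("203.0.113.5", "192.0.2.10", "tcp", 22)))   # deny
    print(shadowed_rules(RULES))  # []
```

The explicit final deny is redundant with the default, but real firewalls keep one so that rejected traffic is logged under a named rule; the shadowing check is the kind of audit to run whenever a ruleset is edited, since a broad allow inserted above a narrow deny leaves the deny in place but inert.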
4-26 Detection and Response
– Antivirus software is the most common type of detection and response technology
ICE

4-27 Detection and Response
Hackers:
– White-hat hacker
– Black-hat hacker (cracker)
– Hacktivist
– Script kiddies or script bunnies
– Cyberterrorist

4-28 Detection and Response
– Virus – software written with malicious intent to cause annoyance or damage
– Worm
– Denial-of-service attack (DoS)
– Trojan-horse virus
– Malware/Spyware