1. McGraw-Hill/Irwin Copyright © 2013 by The McGraw-Hill Companies, Inc. All rights reserved. Chapter 13 Security and Ethical Challenges

2. 13-2 Learning Objectives  Identify several ethical issues regarding how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions to societal problems.  Identify several types of security management strategies and defenses and explain how they can be used to ensure the security of business applications of information technology.  Propose several ways that business managers and professionals can help lessen the harmful effects and increase the beneficial effects of the use of information technology.

3. 13-3 Section 1 Security, Ethical, and Societal Challenges of IT

4. 13-4 I. Introduction  Use of IT in business poses security challenges, ethical questions, and societal challenges  The Nexus of IT, Ethics, Security, and Safety – we must consider the impact technologies have on society

5. 13-5 II. Ethical Responsibility of Business Professionals  As a business professional you have the responsibility to promote Ethical (what does that mean???) use of IS in the workplace  Business Ethics – ethical questions that are part of daily business decision making  Ethical Use of Technology – the use of technology raises its own ethical questions  Ethical Guidelines – many firms have specific guidelines for ethical computer and Internet use by employees

6. 13-6 II. Ethical Responsibility of Business Professionals Security, Ethical, and Societal Aspects of IT Use

7. 13-7 II. Ethical Responsibility of Business Professionals Categories of Ethical Business Issues

8. 13-8 Enron Corporation: Failure in Business Ethics  What were some of the unethical practices at Enron?  What two issues does the article suggest about Credibility?  Why would Enron (or any) executives engage in such activities?  How can people be encouraged to follow acceptable ethical/moral business practices?

9. 13-9 III. Computer Crime – using a computer to do something illegal  Hacking and Cracking  Hacking – obsessive use of computers, unauthorized use of networked systems  Cracking (black hat or dark-side hacker) – malicious or criminal hacker  Cyber Theft – many computer crimes involve theft of money; many firms do not reveal that they’ve been victims due to bad publicity  Cyber-terrorism – causing physical, real-world harm or severe disruption of infrastructure

10. 13-10 The Online Crusade Against Phishing  What is phishing?  Why is phishing dangerous?  What is the challenge for law enforcement?  Why does Warner see phishing as a personal, moral challenge?

11. 13-11 III. Computer Crime – using a computer to do something illegal  Cyber-Warfare – actions by a nation-state to cause damage or disruption to another nation- state  Unauthorized use at Work – time and resource theft, this can be a very wide range of actions, many firms have written policies for (im)proper use of computers and IT resources  Software Piracy –unauthorized copying of software  Theft of Intellectual Property – any infringement of copyrighted materials

12. 13-12 Leaving Your Job? Don’t Take Anything with You  What is an “orphaned account”?  Why are they dangerous?  Why do people take data with them when they leave an organization?  How many firms monitor or track these accounts?  What threats does this pose to the firm?

13. 13-13 III. Computer Crime – using a computer to do something illegal  Computer Viruses and Worms – insert destructive routines into computer systems to cause damage  Adware and Spyware  Adware – allows Internet advertisers to display ads without the consent of the user  Spyware – uses the network connection without the user’s knowledge or permission, collects and distributes information about the user

14. 13-14 Survey: E-mail and Internet Abuse Can Get You Fired  How many firms have fired workers for misuse of e-mail and the Internet?  What actions may be considered inappropriate use of e-mail/Internet?  How do firms prevent this behavior?  How do firms monitor employee behavior?  Do firms inform employees of monitoring?

15. 13-15 Music Piracy: The Long War  IS music piracy a recent phenomenon?  What is a copyright? Why is it an important legal issue?  How do feel about downloading music? Is it right or wrong? What ethical/moral issues does it raise?  What are the business/property issues raisd by downloading music?

16. 13-16 Oldies but Goodies: Old Threats That Just Won’t Go Away  What is malware?  What is the difference between a virus and a worm?  Why should malware concern businesses?  Why do old viruses and worms still proliferate?  What can a business do to encourage users to be more careful about malware?

17. 13-17 ommtouch: Trends in Internet Threats  Describe each of the threats listed.  What are the results of these threats to businesses?  How can you promote a business culture of caution toward these and other threats?

18. 13-18 IV. Privacy Issues  IT can store and retrieve information affecting the privacy of the individual  Privacy on the Internet – the Internet gives users a feeling of anonymity while making them vulnerable to privacy violations  Computer Matching – profiling

19. 13-19 Identity Theft: As Easy as Stealing a Check  What is Identity Theft?  What data does a check hold that criminals can use?  How many fraudulent checks are written every day?  What precautions can you take to prevent identity theft?

20. 13-20 IV. Privacy Issues  Privacy Laws – many countries regulate collection and use of personal data  HIPAA – health related privacy laws  Sarbanes-Oxley – standards for publicly held firms  Computer Libel and Censorship – what can and cannot be said (legally) online  Spamming – indiscriminate sending of unsolicited email  Flaming – extremely critical, derogatory, vulgar email

21. 13-21 V. The Current State of Cyber Law  A very wide range of legal and political issues, VERY controversial

22. 13-22 VI. Other Challenges  Employment Challenges – impact of IT on employment is a major ethical concern  Computer Monitoring – using a computer to monitor productivity in the workplace, or to monitor behavior in public  Challenges in Working Conditions – IT can eliminate monotonous tasks, and create some, too  Challenges of Individuality – one concern is the effect of IT on a person’s individuality

23. 13-23 VII. Health Issues  IT raises a variety of health issues  Ergonomics (Human Factors Engineering) – designing healthy work environments that are safe and comfortable

24. 13-24 VIII. Societal Solutions  IT can have many beneficial effects on society

25. 13-25 Section 2 Security Management of Information Technology

26. 13-26 I. Introduction  The number one problem with e-commerce is security; the Internet was developed for interoperability not impenetrability

27. 13-27 II. Tools of Security Management  Goal of Security Management – accuracy, integrity, and safety of all information processes and resources

28. 13-28 Top Executives Agree: Information Security Is a Top Priority  What are the reasons for executive support of IS/IT security?  What is a breach disclosure law?  Why would a firm not want consumers to know about a security breach?  What are the costs of a breach (both dollar and non-dollar costs)?

29. 13-29 III. Inter-Networked Security Defenses  How so you balance the need for security with the need for access?  Encryption – using a mathematical algorithm to encode a message before transmission and descramble it for reception  Firewalls – a hardware or software gatekeeper that keeps unauthorized transmissions out of a system  Denial of Service Attacks – using zombie/slave computers to overload another system with large volumes of service requests  E-Mail Monitoring – firms watch employees use of email

30. 13-30 III. Inter-Networked Security Defenses Public Key/Private Key Encryption

31. 13-31 WhiteHat Security: “Black Box Testing” Mimics Hackers to Discover Vulnerabilities  What do most attacks exploit today?  What service does WhiteHat sell?  How might a vulnerability re-appear?  Is this an ethical/moral approach to security?

32. 13-32 As If Phishing Wasn’t Enough: Denial of Service Attacks  How big is online crime today?  What is a Phishing scam?  What is a Denial of Service attack?  Why would someone want to create a denial of service attack?  Why would a CEO resist taking necessary steps to solve a denial of service attack?

33. 13-33 BNSF Railway: Well Balanced Web-Use Monitoring  Why is extensive use of the Internet a concern for BNSF?  Why is the BNSF Internet Policy important? What does it emphasize?  What information do the Cyfin reports contain and why are they important?  Why is employee monitoring a risk management obligation?

34. 13-34 IV. Viral Defenses  Antivirus software

35. 13-35 The Future of Antivirus  What is a computer virus?  What is a signature-based antivirus?  What other tools are used to add to strength to the antivirus approach?  Why do people still like the old approach?

36. 13-36 V. Other Security Measures  Security Codes – login IDs and passwords  Backup Files – duplicate files of data or programs  Security Monitors – monitor systems for unauthorized use, fraud, and destruction  Biometric Security – measure/verify an individual’s physical traits

37. 13-37 V. Other Security Measures  Computer Failure Controls – preventing computer failure or minimizing its effects  Fault-Tolerant Systems – providing backup components in case of a system failure  Disaster Recovery – getting a system running again after a disaster

38. 13-38 What If the Internet Went Down … and Didn’t Come Back Up?  What would the effects on your personal life be if the Internet went down?  What changes would there be to the businesses that you use every day?  Where would you go for information and research?  What other daily-use items would be unavailable to you?

39. 13-39 VI. System Controls and Audits  Information System Controls – assure accuracy, validity, and propriety of IS activities  Auditing IT Security – IT security should be periodically examined

40. 13-40 Georgetown University: All Systems Go  What new strategy did GU address?  What effects did this have to IT?  What are the most significant risks to the university?  What political and cultural issues had to be addressed?  How do they address “Risk”?