1
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved CHAPTER 4 ETHICS AND INFORMATION SECURITY Business Driven Information Systems 2e
2
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved ETHICS SECTION 4.1
3
4-3 ETHICS Ethics – the principles and standards that guide our behavior toward other people Legal system also impacted by technology
4
4-4 Information Has No Ethics Acting ethically and legally are not always the same
5
4-5 ETHICS Issues affected by technology advances –Privacy –Confidentiality –Intellectual property, Copyright, Fair use doctrine –Pirated software
6
4-6 Legal System Technology changes faster than the law “Unintended consequences” most common source of issues
7
4-7 Information (and Technology) Have No Ethics Information does not care how it is used Information will not stop itself from sending spam, viruses, or highly-sensitive information Information cannot delete or preserve itself
8
4-8 DEVELOPING INFORMATION MANAGEMENT POLICIES Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement Epolicies typically include: –Ethical computer use policy –Information privacy policy –Acceptable use policy –email privacy policy –Internet use policy –Anti-spam policy
9
4-9 Anti-Spam Policy Spam – unsolicited email Accounts for 40% - 60% of email and cost U.S. businesses over $14 billion in 2005
10
4-10 Monitoring Technologies Common monitoring technologies include: –Key logger or key trapper software –Hardware key logger –Cookie –Adware –Spyware –Web log –Clickstream
11
McGraw-Hill/Irwin ©2009 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2
12
4-12 Downtime How Much Will Downtime Cost Your Business?
13
4-13 PROTECTING INTELLECTUAL ASSETS Organizational information is intellectual capital - it must be protected Information security – the protection of information from accidental or intentional misuse by persons inside or outside an organization Ebusiness automatically creates tremendous information security risks for organizations
14
4-14 THE FIRST LINE OF DEFENSE - PEOPLE The biggest issue surrounding information security is not a technical issue, but a people issue 33% of security incidents originate within the organization –Insiders – legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident
15
4-15 THE FIRST LINE OF DEFENSE - PEOPLE The first line of defense an organization should follow to help combat insider issues: –Information security policies –Information security plan
16
4-16 THE FIRST LINE OF DEFENSE - PEOPLE Hackers frequently use “social engineering” to obtain password –Social engineering – using one’s social skills to trick people into revealing access credentials or other information valuable to the attacker
17
4-17 Other problems… Identity theft – the forging of someone’s identity for the purpose of fraud Phishing – a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent email
18
4-18 THE SECOND LINE OF DEFENSE - TECHNOLOGY There are three primary information technology security areas 1.Authentication and authorization 2.Prevention and resistance 3.Detection and response
19
4-19 Authentication and Authorization Authentication – a method for confirming users’ identities Authorization – the process of giving someone permission to do or have something The most secure type of authentication involves: 1.Something the user knows 2.Something the user has 3.Something that is part of the user
20
4-20 Something the User Knows Such As a User ID and Password This is the most common way to identify individual users and typically contains a user ID and a password This is also the most ineffective form of authentication Over 50 percent of help-desk calls are password related
21
4-21 Smart cards and tokens are more effective than a user ID and a password –Tokens –Smart card Something the User Knows Such As a User ID and Password
22
4-22 Something That Is Part Of The User Such As a Fingerprint or Voice Signature This is by far the best and most effective way to manage authentication –Biometrics Unfortunately, this method can be costly and intrusive
23
4-23 Prevention and Resistance Downtime can cost an organization anywhere from $100 to $1 million per hour Technologies available to help prevent and build resistance to attacks include: 1.Content filtering 2.Encryption 3.Firewalls
24
4-24 Encryption If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it –Encryption –Public key encryption (PKE)
25
4-25 Firewalls One of the most common defenses for preventing a security breach
26
4-26 Detection and Response Antivirus software is the most common type of detection and response technology ICE
27
4-27 Detection and Response Hackers –White-hat hacker –Black-hat hacker (Cracker) –Hactivist –Script kiddies or script bunnies –Cyberterrorist
28
4-28 Detection and Response Virus - software written with malicious intent to cause annoyance or damage –Worm –Denial-of-service attack (DoS) –Trojan-horse virus Malware/Spyware