Ethics and Information Security Study Notes

CHAPTER FOUR: ETHICS AND INFORMATION SECURITY

SECTION 4.1: ETHICS

Learning Outcomes
  • Explain the ethical issues that arise in the use of information in the information age.

  • Identify the six e-policies an organization should implement to protect itself.

Information Ethics
  • Ethics: The principles and standards that guide our behavior toward other people.

  • Confidentiality: The assurance that messages and information remain available only to those authorized to view them.

  • Information Ethics: Governs the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information with or without the aid of computer technologies.

  • Privacy: The right to be left alone, to have control over personal possessions, and not to be observed without consent.

Business Issues Related to Information Ethics
  • Copyright: Legal protection for the original works of authors, artists, and others.

  • Counterfeit Software: Unauthorized copies of software that are sold or distributed as if they are authentic.

  • Digital Rights Management (DRM): Technologies used to control the use of digital content after purchase.

  • Intellectual Property: Creations of the mind that can be legally protected.

  • Patent: Exclusive right granted for an invention, which provides the patent owner with the right to decide how the invention can be used by others.

  • Pirated Software: Unauthorized use, reproduction, or distribution of copyrighted software.

Legal vs. Ethical Considerations
  • Individuals are the only ethical component of Management Information Systems (MIS).

  • Actions of individuals include copying, using, and distributing software, searching databases, creating and spreading viruses, hacking into systems, and stealing or destroying information.

  • Acting ethically and legally are not always the same.

  • Data Scraping: The process of extracting large amounts of data from a website and saving it to a spreadsheet or computer.

  • Data Harvesting: Refers to the process of collecting and extracting large amounts of data from various sources, often through automated means, for analysis or business purposes.

Digital Trust and Ediscovery
  • Digital Trust: The measure of consumer, partner, and employee confidence in an organization's ability to protect and secure data and privacy.

  • Ediscovery: The ability of a company to identify, search, gather, seize, or export digital information in response to litigation, audits, investigations, or inquiries.

Ethical Considerations Surrounding AI/ML
  • AI Explainability: The ability to understand and interpret the output of an algorithm.

  • AI Transparency: The extent to which the decision-making processes and data used by AI systems are open and understandable to stakeholders.

  • AI Hallucination: The phenomenon where an AI model fabricates text, images, or sources when lacking sufficient data.

Developing Information Management Policies
  • Organizations should cultivate a corporate culture based on ethical principles that employees can understand and implement.

Ethical Computer Use Policy

  • Ethical Computer Use Policy: Contains general principles to guide computer user behavior. It ensures all users are informed of the rules and consent to abide by them.

  • Click-fraud: The abuse of pay-per-click models by repeatedly clicking a link to increase charges for the advertiser.

  • Competitive Click-Fraud: A crime where a competitor or disgruntled employee inflates a company's advertising costs by clicking their links.

  • Cyberbullying: Harassment or intimidation conducted through digital communication.

  • Threat: An act or object posing danger to assets.

Information Privacy Policy
  • Information Privacy Policy: Contains general principles concerning information privacy.

  • Fair Information Practices (FIPs): Standards governing the collection and use of personal data, addressing issues of privacy and accuracy.

  • General Data Protection Regulation (GDPR): Legal framework guidelines for the collection and processing of personal data within the EU.

  • Right to be Forgotten: Allows individuals to request the removal of content violating their privacy.

Acceptable Use Policy
  • Acceptable Use Policy (AUP): Requires users to agree to follow guidelines for system access.

  • Nonrepudiation: A stipulation ensuring that e-business participants cannot deny their online actions.

  • Internet Use Policy: Contains general principles guiding proper Internet use.

Email Privacy Policy
  • Organizations can mitigate risks of email communication by implementing an email privacy policy, which details how email messages may be accessed by others.

  • Spam: Unsolicited email.

  • Anti-spam Policy: States that users will not send unsolicited emails.

  • Opt-out: Option for users to deny permission for incoming emails.

  • Opt-in: Option for users to allow permissions for incoming emails.

Social Media Policy
  • Social Media Policy: Outlines corporate guidelines governing employee online communications.

  • Social Media Monitoring: The act of monitoring and responding to online discussions regarding the organization.

  • Social Media Manager: The trusted individual responsible for overseeing an organization's social media presence.

Cyberbullying Policy
  • Outlines guidelines and consequences related to cyberbullying in an organization or educational institution.

Workplace Monitoring Policy
  • Addresses concerns about employee monitoring in the workplace, where organizations may be held financially liable for their employees' actions.

  • There exists ethical tension between the necessity for organizational monitoring and employee privacy rights.

Workplace MIS Monitoring Policy
  • MIS Monitoring: Involves tracking employees' activities through metrics like keystrokes and error rates.

  • Employee Monitoring Policy: Clearly outlines how and when employee monitoring occurs.

  • Monitoring Technologies: Include keyloggers, cookies, adware, spyware, and web logs.

SECTION 4.2: INFORMATION SECURITY

Learning Outcomes
  • Describe the relationships and differences between hackers and viruses.

  • Describe the relationship between information security policies and an information security plan.

  • Provide examples of the three primary security areas: 1) Authentication and Authorization, 2) Prevention and Resistance, and 3) Detection and Response.

Protecting Intellectual Assets
  • Organizational information is intellectual capital that requires protection.

  • Information Security: The protection of information from accidental or intentional misuse.

  • Downtime: A period when a system is unavailable.

  • Cybersecurity: Involves prevention, detection, and response to cyberattacks.

Sources of Unplanned Downtime
  • Examples of causes:

    • Natural disasters: snowstorms, hurricanes, earthquakes.

    • Human actions: hacker attacks, terrorism, chemical spills.

    • Operational failures: equipment failure, electrical shorts.

    • Other incidents: vandalism, fraud, epidemics.

Cost of Downtime
  • Organizational downtime can cost anywhere from $100 to $1,000,000 per hour.

Hackers: A Dangerous Threat to Business
  • Hacker: Technology experts breaking into networks, motivated by profit or challenge.

    • Types of Hackers: Black-hat, cracker, cyberterrorist, hacktivist, script kiddies, white-hat.

  • Virus: Software created with malicious intent to cause damage or annoyance.

    • Types of malware include adware, ransomware, scareware, spyware, and worms.

Virus Types and Spread
  • Types of viruses include backdoor programs, denial-of-service attacks (DoS), distributed denial-of-service attacks (DDoS), polymorphic viruses, and Trojan-horse viruses.

  • Virus Spread: A hacker attaches a virus to a file, leading to widespread infection through user interactions and email sharing.

Security Threats to eBusiness
  • Include elevation of privilege, hoaxes, malicious code, packet tampering, sniffers, spoofing, splogs, and spyware.

First Line of Defense – People
  • Biggest issue in information security is often not technical but people-related (insider threats, social engineering, dumpster diving, pretexting).

  • Information Security Policies: Specify the rules to maintain security, like logging off when leaving and password management.

  • Information Security Plan: Outlines how the organization will enforce its policies.

Second Line of Defense – Technology
  • Comprised of three areas: Authentication and Authorization, Prevention and Resistance, and Detection and Response.

Authentication and Authorization
  • Identity Theft: Forging someone’s identity for fraud.

  • Phishing: Technique to gain personal information using fraudulent emails.

  • Pharming: Redirecting requests for legitimate websites to fake ones.

  • Authentication: Confirming user identities; Authorization: Granting permission for access.

  • The three types of authentication, from least to most secure, are:

    • Something the user knows (user ID and password).

    • Something the user has (smart cards, tokens).

    • Something that is part of the user (biometrics such as fingerprints or voice).

Importance of Authentication Forms
  • The most common form of authentication, a user ID and password, is the least effective: it generates high help-desk call volumes and is easily compromised.

  • Smart cards (cards with embedded technology) and tokens (small devices that change user passwords automatically) offer better security than passwords alone.

  • Biometrics is the most effective form of authentication but is often costly and intrusive.

Prevention and Resistance Strategies
  • Privilege Escalation: A network intrusion that exploits design flaws to gain elevated access to resources.

  • Downtime has a financial impact; technologies for prevention include content filtering, encryption, and firewalls.

  • Spam: Unsolicited emails; content filtering helps combat spam and viral spread.

  • Protecting Personally Identifiable Information (PII) is critical; PII is divided into sensitive and nonsensitive categories.

  • Encryption: Essential to secure information, making stolen data unreadable without keys.

Firewall Technology
  • Firewall: An essential defense mechanism analyzing network traffic to guard private networks.

Detection and Response
  • If preventive measures fail, detection and response technologies can minimize the damage from a security breach. Intrusion detection software monitors network traffic patterns for signs of an intrusion so the organization can respond.

Conclusion
  • During the chapter review, consider relationships between ethical practices, organizational strategies, and information security measures to ensure a holistic approach to managing information technologies.