Security and Ethical Challenges
Introduction to Information Systems, James A. O'Brien, George M. Marakas
Learning Objectives
1. Identify several ethical issues in how the use of information
technologies in business affects employment, individuality,
working conditions, privacy, crime, health, and solutions to
societal problems.
2. Identify several types of security management strategies and
defenses, and explain how they can be used to ensure the
security of business applications of information technology.
3. Propose several ways that business managers and professionals
can help to lessen the harmful effects and increase the beneficial
effects of the use of information technology.

11-2
IT Security, Ethics and Society

11-3
Ethical Responsibility
• Business professionals have a responsibility to promote ethical uses of information technology in the workplace.

11-4
Business Ethics
• Questions that managers must confront as part of their daily business decision making, including:
  ◦ Equity
  ◦ Rights
  ◦ Honesty
  ◦ Exercise of Corporate Power

11-5
Ethical Business Issues Categories

11-6
Corporate Social Responsibility Theories
• Stockholder Theory
  ◦ Managers are agents of the stockholders
  ◦ Their only ethical responsibility is to increase the profits of the business, without violating the law or engaging in fraudulent practices
• Social Contract Theory
  ◦ Companies have ethical responsibilities to all members of society, which allow corporations to exist based on a social contract
• Stakeholder Theory
  ◦ Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
  ◦ Stakeholders are all individuals and groups that have a stake in, or claim on, a company
11-7
Principles of Technology Ethics
• Proportionality – the good achieved by the technology must
outweigh the harm or risk
• Informed Consent – those affected by the technology should
understand and accept the risks
• Justice – the benefits and burdens of the technology should be
distributed fairly
• Minimized Risk – even if judged acceptable by the other three
guidelines, the technology must be implemented so as to avoid all
unnecessary risk

11-8
AITP Standards of Professional Conduct

11-9
Computer Crime
• The unauthorized use, access, modification, and destruction of
hardware, software, data, or network resources
• The unauthorized release of information
• The unauthorized copying of software
• Denying an end user access to his or her own hardware, software,
data, or network resources
• Using or conspiring to use computer or network resources illegally
to obtain information or tangible property

11-10
How large companies protect themselves from cybercrime

Source: 2003 Global Security Survey by Deloitte Touche Tohmatsu, New York, June 2003, in Mitch Betts, “The Almanac,” Computerworld, July 14, 2003, p. 42.

11-11
Hacking
• The obsessive use of computers, or the unauthorized access and use of networked computer systems

11-12
Common Hacking Tactics
• Denial of Service
  ◦ Hammering a website’s equipment with too many requests for information
  ◦ Clogging the system, slowing performance or even crashing the site
• Scans
  ◦ Widespread probes of the Internet to determine types of computers, services, and connections
  ◦ Looking for weaknesses

11-13
Common Hacking Tactics
• Sniffer
  ◦ Programs that search individual packets of data as they pass through the Internet
  ◦ Capturing passwords or entire contents
• Spoofing
  ◦ Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers

11-14
Common Hacking Tactics
• Trojan Horse
  ◦ A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
• Back Doors
  ◦ A hidden point of entry to be used in case the original entry point has been detected or blocked
• Malicious Applets
  ◦ Tiny Java programs that misuse your computer’s resources, modify files on the hard disk, send fake e-mail, or steal passwords

11-15
Common Hacking Tactics
• War Dialing
  ◦ Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
• Logic Bombs
  ◦ An instruction in a computer program that triggers a malicious act
• Buffer Overflow
  ◦ A technique for crashing or gaining control of a computer by sending too much data to the buffer in a computer’s memory

11-16
Common Hacking Tactics
• Password Crackers
  ◦ Software that can guess passwords
• Social Engineering
  ◦ Gaining access to computer systems by talking unsuspecting company employees out of valuable information such as passwords
• Dumpster Diving
  ◦ Sifting through a company’s garbage to find information to help break into their computers

11-17
Cyber Theft
• Computer crime involving the theft of money
• Often inside jobs, or carried out by using the Internet to break in

11-18
Unauthorized Use at Work
• Time and resource theft
• May range from doing private consulting or personal finances, or playing video games, to unauthorized use of the Internet on company networks

11-19
Internet Abuses in the Workplace
• General e-mail abuses
• Unauthorized usage and access
• Copyright infringement/plagiarism
• Newsgroup postings
• Transmission of confidential data
• Pornography – accessing sexually explicit sites
• Hacking
• Non-work related download or upload
• Leisure use of the Internet
• Usage of external ISPs
• Moonlighting

11-20
Software Piracy
• Software Piracy
  ◦ Unauthorized copying of computer programs
• Licensing
  ◦ Purchase of software is really a payment for a license for fair use
  ◦ A site license allows a certain number of copies
• A third of the software industry’s revenues are lost due to piracy

11-21
Theft of Intellectual Property
• Intellectual property
  ◦ Copyrighted material such as music, videos, images, articles, books, software
• Copyright infringement is illegal
• Peer-to-peer networking techniques have made it easy to trade pirated intellectual property

11-22
Viruses and Worms
• Viruses and worms copy annoying or destructive routines into networked computers
• Often spread via e-mail or file attachments
• Computer Virus
  ◦ Program code that cannot work without being inserted into another program
• Worm
  ◦ Distinct program that can run unaided

11-23
Cost of viruses and worms
• Nearly 115 million computers were infected in 2004
• As many as 11 million computers are believed to be permanently infected
• Total economic damage estimated to be between $166 and $292 billion in 2004
• Average damage per installed Windows-based machine is between $277 and $366

11-24
Adware and Spyware
• Adware
  ◦ Software that purports to serve a useful purpose
  ◦ But also allows Internet advertisers to display advertisements (pop-up and banner ads) without the consent of the computer’s user
• Spyware
  ◦ Adware that employs the user’s Internet connection in the background without the user’s permission or knowledge
  ◦ Captures information about the user and sends it over the Internet

11-25
Privacy: Opt-in versus Opt-out
• Opt-in
  ◦ You explicitly consent to allow data to be compiled about you
  ◦ Law in Europe
• Opt-out
  ◦ Data can be compiled about you unless you specifically request it not be
  ◦ Default in the US

11-26
Privacy Issues
• Violation of Privacy:
  ◦ Accessing individuals’ private e-mail conversations and computer records
  ◦ Collecting and sharing information about individuals gained from their visits to Internet websites
• Computer Monitoring:
  ◦ Always knowing where a person is, especially as mobile and paging services become more closely associated with people rather than places

11-27
Privacy Issues
• Computer Matching
  ◦ Using customer information gained from many sources to market additional business services
• Unauthorized Personal Files
  ◦ Collecting telephone numbers, e-mail addresses, credit card numbers, and other personal information to build individual customer profiles

11-28
Protecting your Privacy on the Internet
• E-mail can be encrypted
• Newsgroup postings can be sent through anonymous remailers
• ISP can be asked not to sell your name and personal information to mailing list providers and other marketers
• Decline to reveal personal data and interests on online service and website user profiles

11-29
Privacy Laws
• Rules that regulate the collection and use of personal data by businesses and the government

11-30
Censorship Issues
• Spamming
  ◦ Indiscriminate sending of unsolicited e-mail messages to many Internet users
• Flaming
  ◦ Sending extremely critical, derogatory, and often vulgar e-mail messages or newsgroup postings to other users on the Internet or online services

11-31
Cyberlaw
• Laws intended to regulate activities over the Internet or via electronic data communications

11-32
Other Challenges
• Employment
  ◦ IT creates new jobs and increases productivity
  ◦ But can also cause significant reductions in job opportunities, as well as different types of skills required for new jobs
• Computer Monitoring
  ◦ Computers used to monitor the productivity and behavior of employees as they work

11-33
Other Challenges
• Working Conditions
  ◦ IT has eliminated monotonous or obnoxious tasks
  ◦ But some jobs requiring a skilled craftsman have been replaced by jobs requiring routine, repetitive tasks or standby roles
• Individuality
  ◦ Dehumanize and depersonalize activities because computers eliminate human relationships
  ◦ Systems without flexibility

11-34
Health Issues
• Cumulative Trauma Disorders (CTDs)
  ◦ Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
• Carpal Tunnel Syndrome
  ◦ Painful crippling ailment of the hand and wrist

11-35
Ergonomics
• Designing healthy work environments that are safe, comfortable, and pleasant for people to work in, thus increasing employee morale and productivity

11-36
Ergonomic Factors

11-37
Security Management
• The goal of security management is the accuracy, integrity, and safety of all information system processes and resources.

Source: Courtesy of Wang Global.


11-38
Internetworked Security Defenses
• Encryption
  ◦ Data transmitted in scrambled form and unscrambled by computer systems for authorized users only

11-39
Public/Private Key Encryption

11-40
Internetworked Security Defenses
• Firewalls
  ◦ A gatekeeper system that protects a company’s intranets and other computer networks from intrusion
  ◦ By providing a filter and safe transfer point for access to and from the Internet and other networks
• Firewalls are also important for individuals who connect to the Internet with DSL or cable modems
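As an added example (not from the textbook or these slides), the Python below implements the gatekeeper idea as a stateless, first-match, default-deny packet filter: only traffic that policy explicitly names is allowed through, and everything else is dropped. The rule set, the internal range 10.0.0.0/8, the web server address 203.0.113.10 and the sample packets are assumptions constructed for illustration.

```python
"""Minimal first-match, default-deny packet filter (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network    # source addresses the rule covers
    dst: ipaddress.IPv4Network    # destination addresses the rule covers
    dport: Optional[int]          # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dport in (None, pkt.dport))


def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; a packet no rule mentions is dropped."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # default deny: the gatekeeper opens only what policy names


# Assumed network layout (documentation ranges, constructed for the example).
ANY = ipaddress.ip_network("0.0.0.0/0")
INTRANET = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range
PUBLIC_WEB = ipaddress.ip_network("203.0.113.10/32")   # assumed DMZ web server

RULES = [
    Rule("deny", "any", ANY, ANY, 23),            # telnet never crosses the boundary
    Rule("allow", "tcp", ANY, PUBLIC_WEB, 443),   # the one service exposed to the Internet
    Rule("allow", "tcp", INTRANET, ANY, 443),     # staff may reach external HTTPS sites
]

# Constructed sample traffic to run through the filter.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "203.0.113.10", 443),   # public visitor to the web server
    Packet("tcp", "198.51.100.7", "203.0.113.10", 22),    # SSH to the web server from outside
    Packet("tcp", "198.51.100.7", "10.1.2.3", 445),       # inbound SMB to an intranet host
    Packet("tcp", "10.1.2.3", "198.51.100.20", 443),      # staff browsing out over HTTPS
    Packet("tcp", "10.1.2.3", "198.51.100.20", 23),       # staff trying outbound telnet
]


def audit(rules, packets):
    """Return the decision for each packet, in order."""
    return [decide(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit(RULES, SAMPLE_PACKETS)):
        print(f"{verdict:5s} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
```

Note that the SSH and SMB packets are dropped without any rule mentioning them: that is the default-deny posture doing the work, and it is the same posture a home DSL or cable-modem firewall should take.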

11-41
Internet and Intranet Firewalls

11-42
How to Defend Against Denial of Service Attacks
• At the zombie machines (computers commandeered by cyber criminals)
  ◦ Set and enforce security policies
  ◦ Scan for vulnerabilities
• At the ISP
  ◦ Monitor and block traffic spikes
• At the victim’s website
  ◦ Create backup servers and network connections
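Two of the monitoring points on these slides, the ISP watching for traffic spikes here and, from the Common Hacking Tactics slides, spotting scans that probe many services from one source, can both be expressed as detection logic over connection logs. The Python below is an added example, not the textbook's; its log format (ISO timestamp, source IP, destination port), its thresholds and its sample traffic are constructed assumptions.

```python
"""Sliding-window detection of request floods and probe scans (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one '<ISO timestamp> <source IP> <destination port>' line (assumed format)."""
    ts, ip, port = line.split()
    return datetime.fromisoformat(ts), ip, int(port)


def detect(lines, window=timedelta(seconds=10), flood_threshold=20, scan_threshold=5):
    """Flag a source that, within any `window`, sends at least `flood_threshold`
    requests (flood) or touches at least `scan_threshold` distinct ports (scan).
    Returns {'flood': {ip: peak_requests}, 'scan': {ip: peak_distinct_ports}}."""
    per_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, ip, port = parse_line(line)
            per_ip[ip].append((ts, port))
    floods, scans = {}, {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            # advance the window start until it lies within `window` of this event
            while events[start][0] < ts - window:
                start += 1
            in_window = events[start:end + 1]
            if len(in_window) >= flood_threshold:
                floods[ip] = max(floods.get(ip, 0), len(in_window))
            ports = {port for _, port in in_window}
            if len(ports) >= scan_threshold:
                scans[ip] = max(scans.get(ip, 0), len(ports))
    return {"flood": floods, "scan": scans}


def build_sample_log():
    """Constructed sample traffic (not real data): one benign client, one flood
    source and one port scanner, all in documentation IP ranges."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(3):      # benign: three HTTPS requests, five seconds apart
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 192.0.2.10 443")
    for i in range(25):     # flood: 25 requests to port 80 inside two seconds
        lines.append(f"{(base + timedelta(milliseconds=80 * i)).isoformat()} 198.51.100.7 80")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443]):   # scan: one probe per port
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 203.0.113.5 {port}")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        for ip, peak in hits.items():
            print(f"{kind}: {ip} (peak {peak} within window)")
```

The same source can be flagged by both rules, and a benign client that is merely busy on one port is not flagged by the scan rule; tuning the thresholds against a baseline of normal traffic is what keeps the block action from harming legitimate users.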

11-43
Internetworked Security Defenses
• E-mail Monitoring
  ◦ Use of content monitoring software that scans for troublesome words that might compromise corporate security
• Virus Defenses
  ◦ Centralize the distribution and updating of antivirus software
  ◦ Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features

11-44
Other Security Measures
• Security Codes
  ◦ Multilevel password system
  ◦ Encrypted passwords
  ◦ Smart cards with microprocessors
• Backup Files
  ◦ Duplicate files of data or programs
• System Security Monitors
  ◦ Programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud, and destruction

11-45
Biometrics
• Computer devices that measure physical traits that make each individual unique
• Examples:
  ◦ Voice verification
  ◦ Fingerprints
  ◦ Retina scan

11-46
Computer Failure Controls
• Prevent computer failure or minimize its effects
• Preventative maintenance
• Arrange backups with a disaster recovery organization

11-47
Fault Tolerant Systems
• Systems that have redundant processors, peripherals, and software that provide a:
  ◦ Fail-over capability to back up components in the event of system failure
  ◦ Fail-safe capability where the computer system continues to operate at the same level even if there is a major hardware or software failure
  ◦ Fail-soft capability where the computer system continues to operate at a reduced but acceptable level in the event of system failure
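As an added example, not from the textbook, the Python below models a lookup service with a primary and a standby backend. It fails over to the standby when the primary is down, which from the caller's point of view is fail-safe (same answer, same service level), and it fails soft to a cached, possibly stale copy when both backends are down. The `Backend` stand-in, its data and the mode names are constructed for illustration.

```python
"""Fail-over and fail-soft behaviour with redundant backends (added example)."""


class BackendDown(Exception):
    """Raised when a redundant component cannot answer."""


class Backend:
    """Stand-in for a database replica or service node (constructed for the example)."""

    def __init__(self, name, data, healthy=True):
        self.name, self.data, self.healthy = name, data, healthy

    def lookup(self, key):
        if not self.healthy:
            raise BackendDown(self.name)
        return self.data[key]


class ResilientLookup:
    """Try the primary, then the standby (fail-over); if both are down, serve
    the last known value from a read-only cache (fail-soft)."""

    def __init__(self, primary, standby, cache=None):
        self.primary, self.standby = primary, standby
        self.cache = {} if cache is None else cache

    def get(self, key):
        """Return (value, mode); mode is 'primary', 'failover' or 'degraded'."""
        for mode, backend in (("primary", self.primary), ("failover", self.standby)):
            try:
                value = backend.lookup(key)
            except BackendDown:
                continue
            self.cache[key] = value          # keep the fail-soft copy fresh
            return value, mode
        if key in self.cache:
            return self.cache[key], "degraded"   # stale but acceptable
        raise BackendDown("no backend available and no cached copy")


def demo():
    """Walk one query through all three modes; returns the modes observed."""
    data = {"acct-42": "active"}             # constructed sample record
    primary = Backend("db-1", dict(data))
    standby = Backend("db-2", dict(data))
    service = ResilientLookup(primary, standby)
    modes = [service.get("acct-42")[1]]      # both healthy
    primary.healthy = False
    modes.append(service.get("acct-42")[1])  # primary lost, standby answers
    standby.healthy = False
    modes.append(service.get("acct-42")[1])  # everything lost, cache answers
    return modes


if __name__ == "__main__":
    print(demo())
```

The `mode` value is what an operator would log and alert on: a service quietly running in `degraded` mode is still up, but it is no longer fault tolerant, and the next failure is an outage.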

11-48
Information Systems Controls
• Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities

11-49
Auditing IT Security
• IT security audits
  ◦ By internal or external auditors
  ◦ Review and evaluate whether proper and adequate security measures and management policies have been developed and implemented

11-50
How to protect yourself from cybercrime

11-51
CASE STUDY
In the current COVID-19 situation, many companies let their employees work remotely over the network. Analyze the ethical and security problems that may arise for businesses, and propose solutions to those problems.
Group exercise
• Find one real-world case of an IT application. Analyze what risks and benefits this application brings to the stakeholders: the business, individuals and society, and conclude whether it should be adopted or not.

• Identify the problem
• Identify the stakeholders
• For each stakeholder, list the risks and the benefits
• Recommend whether to adopt it or not, and propose solutions to reduce the risks
