Management Information System Chapter 13 GTU MBA


  • 7/31/2019 Management Information System Chapter 13 GTU MBA


    Chapter 13: Security and Ethical Challenges

    Learning Objectives

    • Identify several ethical issues in how the use of information technologies in business affects
        - Employment
        - Individuality
        - Working conditions
        - Privacy
        - Crime
        - Health
        - Solutions to societal problems

    Learning Objectives

    • Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology
    • Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology

    IT Security, Ethics, and Society

    • Information technology has both beneficial and detrimental effects on society and people
        - Manage work activities to minimize the detrimental effects of information technology
        - Optimize the beneficial effects

    Business Ethics

    • Ethics questions that managers confront as part of their daily business decision making include
        - Equity
        - Rights
        - Honesty
        - Exercise of corporate power

    Categories of Ethical Business Issues

    Corporate Social Responsibility Theories

    • Stockholder Theory
        - Managers are agents of the stockholders
        - Their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
    • Social Contract Theory
        - Companies have ethical responsibilities to all members of society, who allow corporations to exist

    Corporate Social Responsibility Theories

    • Stakeholder Theory
        - Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders
        - Stakeholders are all individuals and groups that have a stake in, or claim on, a company

    Principles of Technology Ethics

    • Proportionality
        - The good achieved by the technology must outweigh the harm or risk; there must be no alternative that achieves the same or comparable benefits with less harm or risk
    • Informed Consent
        - Those affected by the technology should understand and accept the risks

    Principles of Technology Ethics

    • Justice
        - The benefits and burdens of the technology should be distributed fairly
        - Those who benefit should bear their fair share of the risks, and those who do not benefit should not suffer a significant increase in risk
    • Minimized Risk
        - Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk

    AITP Standards of Professional Conduct

    Responsible Professional Guidelines

    • A responsible professional
        - Acts with integrity
        - Increases personal competence
        - Sets high standards of personal performance
        - Accepts responsibility for his/her work
        - Advances the health, privacy, and general welfare of the public

    Computer Crime

    • Computer crime includes
        - Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources
        - The unauthorized release of information
        - The unauthorized copying of software
        - Denying an end user access to his/her own hardware, software, data, or network resources
        - Using or conspiring to use computer or network resources illegally to obtain information or tangible property

    Cybercrime Protection Measures

    Hacking

    • Hacking is
        - The obsessive use of computers
        - The unauthorized access and use of networked computer systems
    • Electronic Breaking and Entering
        - Hacking into a computer system and reading files, but neither stealing nor damaging anything
    • Cracker
        - A malicious or criminal hacker who maintains knowledge of the vulnerabilities found for private advantage

    Common Hacking Tactics

    • Denial of Service
        - Hammering a website's equipment with too many requests for information
        - Clogging the system, slowing performance, or crashing the site
    • Scans
        - Widespread probes of the Internet to determine types of computers, services, and connections
        - Looking for weaknesses

    Common Hacking Tactics

    • Sniffer
        - Programs that search individual packets of data as they pass through the Internet
        - Capturing passwords or entire contents
    • Spoofing
        - Faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers

    Common Hacking Tactics

    • Trojan Horse
        - A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
    • Back Doors
        - A hidden point of entry to be used in case the original entry point is detected or blocked
    • Malicious Applets
        - Tiny Java programs that misuse your computer's resources, modify files on the hard disk, send fake email, or steal passwords

    Common Hacking Tactics

    • War Dialing
        - Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
    • Logic Bombs
        - An instruction in a computer program that triggers a malicious act
    • Buffer Overflow
        - Crashing or gaining control of a computer by sending too much data to buffer memory

    Common Hacking Tactics

    • Password Crackers
        - Software that can guess passwords
    • Social Engineering
        - Gaining access to computer systems by talking unsuspecting company employees out of valuable information, such as passwords
    • Dumpster Diving
        - Sifting through a company's garbage to find information to help break into their computers

    Cyber Theft

    • Many computer crimes involve the theft of money
    • The majority are inside jobs that involve unauthorized network entry and alteration of computer databases to cover the tracks of the employees involved
    • Many attacks occur through the Internet
    • Most companies don't reveal that they have been targets or victims of cybercrime

    Unauthorized Use at Work

    • Unauthorized use of computer systems and networks is time and resource theft
        - Doing private consulting
        - Doing personal finances
        - Playing video games
        - Unauthorized use of the Internet or company networks
    • Sniffers
        - Used to monitor network traffic or capacity
        - Find evidence of improper use

    Internet Abuses in the Workplace

    • General email abuses
    • Unauthorized usage and access
    • Copyright infringement/plagiarism
    • Newsgroup postings
    • Transmission of confidential data
    • Pornography
    • Hacking
    • Non-work-related download/upload
    • Leisure use of the Internet
    • Use of external ISPs
    • Moonlighting

    Software Piracy

    • Software Piracy
        - Unauthorized copying of computer programs
    • Licensing
        - Purchasing software is really a payment for a license for fair use
        - Site license allows a certain number of copies
    • A third of the software industry's revenues are lost to piracy

    Theft of Intellectual Property

    • Intellectual Property
        - Copyrighted material
        - Includes such things as music, videos, images, articles, books, and software
    • Copyright Infringement is Illegal
        - Peer-to-peer networking techniques have made it easy to trade pirated intellectual property
    • Publishers Offer Inexpensive Online Music
        - Illegal downloading of music and video is down and continues to drop

    Viruses and Worms

    • A virus is a program that cannot work without being inserted into another program
    • A worm can run unaided
    • These programs copy annoying or destructive routines into networked computers
        - Copy routines spread the virus
    • Commonly transmitted through
        - The Internet and online services
        - Email and file attachments
        - Disks from contaminated computers
        - Shareware

    Top Five Virus Families of all Time

    • My Doom, 2004
        - Spread via email and over Kazaa file-sharing network
        - Installs a back door on infected computers
        - Infected email poses as returned message or one that can't be opened correctly, urging recipient to click on attachment
        - Opens up TCP ports that stay open even after termination of the worm
        - Upon execution, a copy of Notepad is opened, filled with nonsense characters

    Top Five Virus Families of all Time

    • Netsky, 2004
        - Mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers
        - Tries to spread via peer-to-peer file sharing by copying itself into the shared folder
        - It renames itself to pose as one of 26 other common files along the way

    Top Five Virus Families of all Time

    • SoBig, 2004
        - Mass-mailing email worm that arrives as an attachment
        - Examples: Movie_0074.mpg.pif, Document003.pif
        - Scans all .WAB, .WBX, .HTML, .EML, and .TXT files looking for email addresses to which it can send itself
        - Also attempts to download updates for itself
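The two attachment names on the SoBig slide show what a mail filter can check by name alone: an executable extension (.pif) and a harmless-looking media extension placed in front of it. The sketch below is an added example, not part of the original slides; the extension lists, function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist: extensions Windows runs directly (only .pif is from the slide).
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js"}
# Assumed decoy list: document and media types placed before the real extension.
DECOY_EXTS = {"mpg", "avi", "jpg", "gif", "txt", "doc", "pdf", "htm", "html"}


def classify(filename):
    """Return 'double-extension', 'executable' or 'ok' for one attachment name."""
    # Keep the base name only; Windows ignores trailing dots and spaces.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ").lower()
    # Strip padding around each component so "a.pdf     .exe" is still caught.
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
        return "double-extension"
    return "executable"


def scan_message(raw_bytes):
    """Parse a raw e-mail message and classify every attachment in it."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results.append((name, classify(name)))
    return results


def build_sample():
    """Constructed test message carrying the two names quoted on the slide."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see the attached file for details.")
    for name in ("Movie_0074.mpg.pif", "Document003.pif", "minutes.txt"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"{verdict:17} {name}")
```

A name-based check like this is a first filter only; it says nothing about what the attachment contains.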

    Top Five Virus Families of all Time

    • Klez, 2002
        - A mass-mailing email worm that arrives with a randomly named attachment
        - Exploits a known vulnerability in MS Outlook to auto-execute on unpatched clients
        - Tries to disable virus scanners and then copy itself to all local and networked drives with a random file name
        - Deletes all files on the infected machine and any mapped network drives on the 13th of all even-numbered months

    Top Five Virus Families of all Time

    • Sasser, 2004
        - Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
        - Spawns multiple threads that scan local subnets for vulnerabilities

    The Cost of Viruses, Trojans, Worms

    • Cost of the top five virus families
        - Nearly 115 million computers in 200 countries were infected in 2004
        - Up to 11 million computers are believed to be permanently infected
        - In 2004, total economic damage from virus proliferation was $166 to $202 billion
        - Average damage per computer is between $277 and $366

    Adware and Spyware

    • Adware
        - Software that purports to serve a useful purpose, and often does
        - Allows advertisers to display pop-up and banner ads without the consent of the computer users
    • Spyware
        - Adware that uses an Internet connection in the background, without the user's permission or knowledge
        - Captures information about the user and sends it over the Internet

    Spyware Problems

    • Spyware can steal private information and also
        - Add advertising links to Web pages
        - Redirect affiliate payments
        - Change a user's home page and search settings
        - Make a modem randomly call premium-rate phone numbers
        - Leave security holes that let Trojans in
        - Degrade system performance
    • Removal programs are often not completely successful in eliminating spyware

    Privacy Issues

    • The power of information technology to store and retrieve information can have a negative effect on every individual's right to privacy
        - Personal information is collected with every visit to a Web site
        - Confidential information stored by credit bureaus, credit card companies, and the government has been stolen or misused

    Opt-in Versus Opt-out

    • Opt-In
        - You explicitly consent to allow data to be compiled about you
        - This is the default in Europe
    • Opt-Out
        - Data can be compiled about you unless you specifically request it not be
        - This is the default in the U.S.

    Privacy Issues

    • Violation of Privacy
        - Accessing individuals' private email conversations and computer records
        - Collecting and sharing information about individuals gained from their visits to Internet websites
    • Computer Monitoring
        - Always knowing where a person is
        - Mobile and paging services are becoming more closely associated with people than with places

    Privacy Issues

    • Computer Matching
        - Using customer information gained from many sources to market additional business services
    • Unauthorized Access of Personal Files
        - Collecting telephone numbers, email addresses, credit card numbers, and other information to build customer profiles

    Protecting Your Privacy on the Internet

    • There are multiple ways to protect your privacy
        - Encrypt email
        - Send newsgroup postings through anonymous remailers
        - Ask your ISP not to sell your name and information to mailing list providers and other marketers
        - Don't reveal personal data and interests on online service and website user profiles

    Privacy Laws

    • Electronic Communications Privacy Act and Computer Fraud and Abuse Act
        - Prohibit intercepting data communications messages, stealing or destroying data, or trespassing in federal-related computer systems
    • U.S. Computer Matching and Privacy Act
        - Regulates the matching of data held in federal agency files to verify eligibility for federal programs

    Privacy Laws

    • Other laws impacting privacy and how much a company spends on compliance
        - Sarbanes-Oxley
        - Health Insurance Portability and Accountability Act (HIPAA)
        - Gramm-Leach-Bliley
        - USA Patriot Act
        - California Security Breach Law
        - Securities and Exchange Commission rule 17a-4

    Computer Libel and Censorship

    • The opposite side of the privacy debate
        - Freedom of information, speech, and press
    • Biggest battlegrounds
        - Bulletin boards
        - Email boxes
        - Online files of Internet and public networks
    • Weapons used in this battle
        - Spamming
        - Flame mail
        - Libel laws
        - Censorship

    Computer Libel and Censorship

    • Spamming
        - Indiscriminate sending of unsolicited email messages to many Internet users
    • Flaming
        - Sending extremely critical, derogatory, and often vulgar email messages or newsgroup postings to other users on the Internet or online services
        - Especially prevalent on special-interest newsgroups

    Cyberlaw

    • Laws intended to regulate activities over the Internet or via electronic communication devices
        - Encompasses a wide variety of legal and political issues
        - Includes intellectual property, privacy, freedom of expression, and jurisdiction

    Cyberlaw

    • The intersection of technology and the law is controversial
        - Some feel the Internet should not be regulated
        - Encryption and cryptography make traditional forms of regulation difficult
        - The Internet treats censorship as damage and simply routes around it
    • Cyberlaw only began to emerge in 1996
        - Debate continues regarding the applicability of legal principles derived from issues that had nothing to do with cyberspace

    Other Challenges

    • Employment
        - IT creates new jobs and increases productivity
        - It can also cause significant reductions in job opportunities, as well as requiring new job skills
    • Computer Monitoring
        - Using computers to monitor the productivity and behavior of employees as they work
        - Criticized as unethical because it monitors individuals, not just work, and is done constantly
        - Criticized as invasion of privacy because many employees do not know they are being monitored

    Other Challenges

    • Working Conditions
        - IT has eliminated monotonous or obnoxious tasks
        - However, some skilled craftsperson jobs have been replaced by jobs requiring routine, repetitive tasks or standby roles
    • Individuality
        - Dehumanizes and depersonalizes activities because computers eliminate human relationships
        - Inflexible systems

    Health Issues

    • Cumulative Trauma Disorders (CTDs)
        - Disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
    • Carpal Tunnel Syndrome
        - Painful, crippling ailment of the hand and wrist
        - Typically requires surgery to cure

    Ergonomics

    • Designing healthy work environments
        - Safe, comfortable, and pleasant for people to work in
        - Increases employee morale and productivity
        - Also called human factors engineering

    Ergonomics Factors

    Societal Solutions

    • Using information technologies to solve human and social problems
        - Medical diagnosis
        - Computer-assisted instruction
        - Governmental program planning
        - Environmental quality control
        - Law enforcement
        - Job placement

    Societal Solutions

    • The detrimental effects of information technology
        - Often caused by individuals or organizations not accepting ethical responsibility for their actions

    Security Management of IT

    • The Internet was developed for inter-operability, not impenetrability
        - Business managers and professionals alike are responsible for the security, quality, and performance of business information systems
        - Hardware, software, networks, and data resources must be protected by a variety of security measures

    Internetworked Security Defenses

    • Encryption
        - Data is transmitted in scrambled form
        - It is unscrambled by computer systems for authorized users only
        - The most widely used method uses a pair of public and private keys unique to each individual

    Public/Private Key Encryption

    Internetworked Security Defenses

    • Firewalls
        - A gatekeeper system that protects a company's intranets and other computer networks from intrusion
        - Provides a filter and safe transfer point for access to/from the Internet and other networks
        - Important for individuals who connect to the Internet with DSL or cable modems
        - Can deter hacking, but cannot prevent it

    Internet and Intranet Firewalls

    Denial of Service Attacks

    • Denial of service attacks depend on three layers of networked computer systems
        - The victim's website
        - The victim's Internet service provider
        - Zombie or slave computers that have been commandeered by the cybercriminals

    Defending Against Denial of Service

    • At Zombie Machines
        - Set and enforce security policies
        - Scan for vulnerabilities
    • At the ISP
        - Monitor and block traffic spikes
    • At the Victim's Website
        - Create backup servers and network connections

    Internetworked Security Defenses

    • Email Monitoring
        - Use of content monitoring software that scans for troublesome words that might compromise corporate security
    • Virus Defenses
        - Centralize the updating and distribution of antivirus software
        - Use a security suite that integrates virus protection with firewalls, Web security, and content blocking features

    Other Security Measures

    • Security Codes
        - Multilevel password system
        - Encrypted passwords
        - Smart cards with microprocessors
    • Backup Files
        - Duplicate files of data or programs
    • Security Monitors
        - Monitor the use of computers and networks
        - Protects them from unauthorized use, fraud, and destruction

    Other Security Measures

    • Biometrics
        - Computer devices measure physical traits that make each individual unique
        - Voice recognition, fingerprints, retina scan
    • Computer Failure Controls
        - Prevents computer failures or minimizes its effects
        - Preventive maintenance
        - Arrange backups with a disaster recovery organization

    Other Security Measures

    • In the event of a system failure, fault-tolerant systems have redundant processors, peripherals, and software that provide
        - Fail-over capability: shifts to backup components
        - Fail-safe capability: the system continues to operate at the same level
        - Fail-soft capability: the system continues to operate at a reduced but acceptable level

    Other Security Measures

    • A disaster recovery plan contains formalized procedures to follow in the event of a disaster
        - Which employees will participate
        - What their duties will be
        - What hardware, software, and facilities will be used
        - Priority of applications that will be processed
        - Use of alternative facilities
        - Offsite storage of databases

    Information System Controls

    • Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities

    Auditing IT Security

    • IT Security Audits
        - Performed by internal or external auditors
        - Review and evaluation of security measures and management policies
        - Goal is to ensure that proper and adequate measures and policies are in place

    Protecting Yourself from Cybercrime