Monday, August 03, 2015

MIS Module 5: Information Systems: Ethics, Privacy and Security

I. Time Frame:
1. Date: July 2015
2. Number of Hours: 3 Hours
3. Time: 8:30-11:30

II. Class Schedule:
1. Course Code:
2. Course Title: M.I.S
3. Year: BSBA Operations Management
4. School: B.U.

III. Objectives
1. Describe the major ethical issues related to information technology and identify situations in which they occur.
2. Describe the many threats to information security.
3. Understand the various defense mechanisms used to protect information systems.
4. Explain IT auditing and planning for disaster recovery.

IV. Subject Matter
1. Ethics, Security and privacy
2. Reference: Introduction to Information System



V. Procedure
1. Daily Routine
a. Checking of Attendance

2. Motivation

3. Motive Question
Scenario:

You have recently bought some graphic design software that is a far superior product, you believe, to its competitors on the market. The price is rather high, but the purchase was authorised by your boss for work related purposes. The software is delivered on a single CD ROM. You believe that many of your friends who work for other companies would benefit if they were able to use this software – and that the software developer would benefit as well through additional sales.

From an ethical perspective, you believe that it would be unethical to keep this information to yourself, given its likely value for your friends, so you decide to share it with them. You make 10 copies on CD ROM and send it to them as a gift.

Is this action legal? Is it ethical? What would you do?

4. Vocabulary Building
a. Ethics
- is about what is good, and how we should think about good.
- pertains to a system of moral principles; the branch of philosophy dealing with values relating to human conduct, with respect to the rightness and wrongness of certain actions and to the goodness and badness of the motives and ends of such actions.

Code of Ethics
- a collection of principles that are intended to guide decision making by members of an organization (ex: _______)

b. Fundamental Tenets of Ethics
1. Responsibility - accepting the consequences of your decisions and actions.
2. Accountability - determination of who is responsible for actions that were taken.
3. Liability - legal concept meaning that individuals have the right to recover the damages done to them.

5. Pre-Discussion
a.
b. Jeopardy Game

6. Discussion
a. Engagement Activity

Categories of Ethical Issues
1. Privacy Issues - collecting, storing and disseminating information about individuals.
2. Accuracy Issues - authenticity, fidelity and accuracy of information that is collected and processed.
3. Property Issues - the ownership and value of information.
4. Accessibility Issues - who should have access to information and whether they should have to pay for this access.
5. Security Issues
- data stored on computers must be kept safe
- a system of safeguards
- protects systems and data from deliberate or accidental damage
- protects systems and data from unauthorized access




Privacy
The right to be left alone and to be free of unreasonable personal intrusions. Private data must be kept from prying eyes.
Court decisions have followed two rules:
(1) The right of privacy is not absolute. Your privacy must be balanced against the needs of society.
(2) The public’s right to know is superior to the individual’s right of privacy.

Threats to Privacy
1. Data aggregators - companies that collect public data (e.g., real estate records, telephone numbers) and nonpublic data (e.g., social security numbers, financial data, police records, motor vehicle records) and integrate them to produce digital dossiers.
2. Digital dossiers and profiling - all the tracks of information you leave behind in your internet life. Everything you do on the net, even simple Google searches, is stored and saved in your digital dossier.
3. Electronic Surveillance


4. Personal Information in Databases - banks, utility companies, government agencies, credit reporting agencies
5. Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites

Protecting Privacy
Privacy Codes and Policies
Opt-out Model
Opt-in Model

Factors Increasing the Threats to Information Security  
Today’s interconnected, interdependent, wirelessly networked business environment
Government legislation
Smaller, faster, cheaper computers and storage devices
Decreasing skills necessary to be a computer hacker
International organized crime turning to cybercrime
Downstream liability
Increased employee use of unmanaged devices
Lack of management support

Key Information Security Terms  
1. Threat - any danger to which a system may be exposed.
2. Exposure - the harm, loss or damage that can result if a threat compromises an information resource.
3. Vulnerability - the possibility that the system will suffer harm from a threat.
4. Risk - the likelihood that a threat will occur.
5. Information system controls - the procedures, devices, or software aimed at preventing a compromise to the system.

Categories of Threats to Information Systems  
Unintentional acts
Natural disasters
Technical failures
Management failures
Deliberate acts

Unintentional Acts
Human errors
- Tailgating
- Shoulder surfing
- Carelessness with laptops and portable computing devices
- Opening questionable e-mails
- Careless Internet surfing
- Poor password selection and use, and more
Deviations in quality of service by service providers (e.g., utilities)
Environmental hazards (e.g., dirt, dust, humidity)

Deliberate Acts

Computer Crime
Hacker – someone who attempts to gain access to computer systems illegally, originally referred to as someone with a high degree of computer expertise
Social engineering – a tongue-in-cheek term for con artist actions; persuading people to give away password information
Cracker – someone who uses the computer to engage in illegal activity

1. Espionage or trespass
    -Unauthorized access to computer files

2. Information extortion

3. Sabotage or vandalism
   Data diddling
   - refers to changing data before or as it enters the system
   - auditors must verify the accuracy of the source data as well as the processing that occurs
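The lesson says auditors must check both the source data and the processing. The following added example (not part of the lesson plan) shows one way an auditor control can do that: a digest is taken over the records at capture time, and the audit later recomputes the digest and re-runs the processing, so a record altered on its way into the system, or an altered report, is detected. The record layout, the "total per customer" processing step and the sample records are constructed for the illustration.

```python
"""Source-data integrity check as an auditor control against data diddling.

Added illustration, not the lesson's own material. The record layout, the
processing step and the sample records below are constructed for the example.
"""
import hashlib
import json


def record_digest(records):
    """SHA-256 over a canonical JSON form of the records, so any changed field
    (amount, customer, id) changes the digest."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def process(records):
    """Assumed processing step for the example: total amount per customer."""
    totals = {}
    for r in records:
        totals[r["customer"]] = totals.get(r["customer"], 0) + r["amount"]
    return totals


def audit(records, captured_digest, reported_totals):
    """Verify the source data against the digest taken at capture time, and
    verify the processing by re-running it over the source. Returns a list of
    findings; an empty list means both checks passed."""
    findings = []
    if record_digest(records) != captured_digest:
        findings.append("source data changed since capture")
    if process(records) != reported_totals:
        findings.append("reported output does not match reprocessing of the source")
    return findings


# Constructed sample: records as captured at entry time, with the digest and
# the report produced from them at that point.
CAPTURED = [
    {"id": 1, "customer": "acme", "amount": 120},
    {"id": 2, "customer": "acme", "amount": 80},
    {"id": 3, "customer": "globex", "amount": 300},
]
CAPTURED_DIGEST = record_digest(CAPTURED)
CAPTURED_TOTALS = process(CAPTURED)  # {"acme": 200, "globex": 300}


def diddled_copy():
    """The same records with one amount altered before it reaches processing
    (the data-diddling case the lesson describes)."""
    copy = [dict(r) for r in CAPTURED]
    copy[1]["amount"] = 8
    return copy


if __name__ == "__main__":
    print(audit(CAPTURED, CAPTURED_DIGEST, CAPTURED_TOTALS))
    print(audit(diddled_copy(), CAPTURED_DIGEST, CAPTURED_TOTALS))
    print(audit(CAPTURED, CAPTURED_DIGEST, {"acme": 200, "globex": 3000}))
```

The digest only helps if it is stored somewhere the person entering data cannot rewrite; the reprocessing check is independent of it and catches a report that was changed after the source was left intact.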

4. Theft of equipment or information - for example, dumpster diving or scavenging
   - searching company trash cans and dumpsters for lists of information
   - thieves will search garbage and recycling bins of individuals looking for bank account numbers, credit card numbers, etc.
   - shred documents that contain personal information

5. Identity theft

6. Compromises to intellectual property / unlawful copying of copyrighted software
   Intellectual property - property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.

   Trade secret - Intellectual work, such as a business plan, that is a company secret and is not based on public information.

   Patent - Document that grants the holder exclusive rights on an invention or process for 20 years.

  Copyright - Statutory grant that provides creators of intellectual property with ownership rights for life of the creator plus 70 years

7. Software attacks
   Virus - A set of illicit instructions that passes itself on to other files
 
   Worm

   Trojan horse - Involves illegal instructions placed in the middle of a legitimate program; Program does something useful, but the Trojan horse instructions do something destructive in the background

   Logic Bomb
     Causes a program to trigger damage under certain conditions
      Usually set to go off at a later date
      Sometimes planted in commercial software
      Shareware is more prone to having a bomb planted in it

  Phishing attacks - use deception to acquire sensitive personal information by masquerading as

   Distributed denial-of-service attacks
     Hackers bombard a site with more requests than it can possibly handle
     Prevents legitimate users from accessing the site
     Hackers can cause attacks to come from many different sites simultaneously

8. Alien Software
   Spyware - collects personal information about users without their consent.
     keystroke loggers (keyloggers) record your keystrokes and your Web browsing history
     screen scrapers record a continuous “movie” of what you do on a screen.
   Spamware - alien software that is designed to use your computer as a launchpad for spammers
   Cookies- small amounts of information that Web sites store on your

9. Fraud
    Credit card fraud and data communications fraud

10. Piggybacking
    An illicit user “rides” into the system on the back of an authorized user
    If the user does not exit the system properly, the intruder can continue where the original user left off
    Always log out of any system you log into

11. Salami Technique
An embezzlement technique where small “slices” of money are funneled into accounts

12. Trapdoor
An illicit program left within a completed legitimate program
Allows subsequent unauthorized and unknown entry by the perpetrator to make changes to the program

13. Zapping
Refers to a variety of software designed to bypass all security systems

Risk Management
1. Risk - The probability that a threat will impact an information resource.
2. Risk management - To identify, control and minimize the impact of threats.
3. Risk analysis - to assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
4. Risk mitigation - when the organization takes concrete actions against risk. It has two functions: (1) implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery should the threat become a reality.
Risk mitigation strategies:
- Risk acceptance
- Risk limitation
- Risk transference
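A worked risk analysis, added here as an illustration and not taken from the lesson: each asset gets a value, an estimated probability of compromise and the cost of the control that would protect it; the probable cost of compromise (value times probability) is then compared with the cost of protection, and one of the three mitigation strategies named above is chosen. The lesson gives no decision rule, so the rule in `mitigation_strategy` and the asset figures are assumptions made for the example.

```python
"""Risk analysis and choice of mitigation strategy.

Added worked example, not the lesson's own material. The decision rule and the
asset figures are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float          # loss if the asset is compromised (currency units)
    probability: float    # estimated annual probability of compromise, 0..1
    control_cost: float   # annual cost of the control that would prevent it


def expected_loss(asset):
    """Probable cost of compromise: value at risk times its likelihood."""
    if not 0.0 <= asset.probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    return asset.value * asset.probability


def mitigation_strategy(asset, tolerance):
    """Choose one of the three strategies named in the lesson.

    Assumed rule: limit the risk (implement the control) when the control costs
    no more than the expected loss; otherwise accept the risk if the expected
    loss is within what the organisation tolerates, and transfer it (for example
    through insurance) if it is not.
    """
    loss = expected_loss(asset)
    if asset.control_cost <= loss:
        return "Risk limitation"
    if loss <= tolerance:
        return "Risk acceptance"
    return "Risk transference"


def risk_analysis(assets, tolerance):
    """One row per asset: name, expected loss, control cost, chosen strategy."""
    return [
        (a.name, expected_loss(a), a.control_cost, mitigation_strategy(a, tolerance))
        for a in assets
    ]


# Constructed sample assets (figures are illustrative, not from the lesson).
SAMPLE_ASSETS = [
    Asset("customer database", value=500_000, probability=0.10, control_cost=20_000),
    Asset("lobby kiosk", value=3_000, probability=0.20, control_cost=2_500),
    Asset("data centre", value=2_000_000, probability=0.01, control_cost=150_000),
]
LOSS_TOLERANCE = 5_000  # assumed: the largest expected loss the organisation will simply accept


if __name__ == "__main__":
    for name, loss, cost, strategy in risk_analysis(SAMPLE_ASSETS, LOSS_TOLERANCE):
        print(f"{name:18} expected loss {loss:>10,.0f}  control {cost:>10,.0f}  -> {strategy}")
```

The sample shows all three outcomes: the database control is cheaper than its expected loss and is implemented, the kiosk's expected loss is small enough to accept, and the data centre's control is too expensive for a loss that is still above tolerance, so that risk is transferred.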

Controls
Physical controls - Physical protection of computer facilities and resources.
Access controls - Restriction of unauthorized user access to computer resources; use biometrics and passwords controls for user identification.
Communications (network) controls - To protect the movement of data across networks and include border security controls, authentication and authorization
Application controls - protect specific applications

Access Controls
Authentication -

1. Something the user is (biometrics)
The Raytheon Personal Identification Device
Uses biometrics – the science of measuring body characteristics. The latest biometric: gait recognition
Uses fingerprinting, voice pattern, retinal scan, etc. to identify a person
Can combine fingerprinting and reading a smart card to authenticate


2. Something the user has
Requires you to have some device to gain access to the computer
Badge, key, or card to give you physical access to the computer room or a locked terminal
Debit card with a magnetic strip gives you access to your bank account at an ATM
Active badge broadcasts your location by sending out radio signals

3. Something the user does
Software can verify scanned and online signatures

4. Something the user knows
Requires you to know something to gain access
Password and login name give you access to computer system
Cipher locks on doors require you to know the combination to get in

Security and Privacy Problems on the Internet

VI. Assessment
1. Short Quiz

I. IDENTIFICATION
1. These verify the identity of the user, thus ensuring that only the intended and authorized users gain access to the system.
2. It separates an internal network from an external network and prevents passage of specific types of traffic.
3. It is an attempt to overload a system with false messages so that the system will crash.
4. It is an identity misrepresentation in cyberspace, for instance using a fake website to obtain information about visitors (a common password attack).
5. It is program code that copies itself from file to file and may destroy data or programs; common ways of spreading it are e-mail attachments and downloads.
6. Data stored on a computer must be kept from prying eyes.

PRIVACY SHAREWARE VIRUS PASSWORD      WORM    TROJAN HORSE
MACROS SNIFFING BRUTE FORCE ATTACK SPOOFING
DENIAL OF SERVICE ATTACK  ENCRYPTION FIREWALL SECURITY DECODING AUTHENTICATION MEASURES BIOMETRICS

II. SHORT ANSWER
1. At today’s management meeting, several managers expressed concern about the security of information on the network because it had come to their attention that some employees were gaining access to confidential information. As CEO of the company, SPECIFICALLY INDICATE what you would do in the situation in 10 sentences only. (10 points)
2. Identify five (5) mistakes that you have heard of that were blamed on a computer and discuss in one sentence each how those errors might have been caused by a human. (5 points)
3. Why is it difficult to protect information? Give 5 reasons. (5 points)


2. Debate
a. Resolved that the Paperless office will happen in the Philippines

VII. Assignment
Which of these activities involve and do not involve ethical decisions? Please provide two-three sentences as an explanation in the space provided.

1.    Deciding whether to copy software---freeware.
2.    Deciding whether to copy software--not freeware.
3.    Deciding whether to buy a term paper online. 
4.    Deciding whether to make your Website handicap accessible.
5.    Requiring that all freshmen buy laptops.
6.    Deciding whether to meet your software engineering project group or to go to the movies. 
7.    Deciding to sell personal information acquired at your Web site.
8.    Creating and using a virus to explore the security holes of a network.
9.    Deciding to release your product to meet a deadline even though testing has not been completed.
10. Forwarding a chain letter through email.
11. Watching pornography online.

What would you do? In the space provided, indicate what you would do in the following situations.
    1.   A colleague who enjoys using the communicating feature of your networked system uses profanities when making communications. You want to stop this.
      _____________________________________________________________________
      _____________________________________________________________________
    2.   You are going to introduce new technology in your office in the next few months. You have heard through the grapevine that some employees are concerned about their jobs being phased out.
      _____________________________________________________________________
      _____________________________________________________________________
    3.   You have heard that your competitors, who have the same type of network as you, have recently had a major system crash that was costly and frustrating. You do not want the same thing to happen in your organization.
      _____________________________________________________________________
      _____________________________________________________________________
    4.   At today's management meeting, several managers expressed concern about the security of information on the network because it had come to their attention that some employees were gaining access to confidential information.
      _____________________________________________________________________
      _____________________________________________________________________
    5.   You have noticed that the network is clogged with outdated information.
      _____________________________________________________________________
      _____________________________________________________________________


    6.   Employees at your company feel uncomfortable because the managers are monitoring their performance through the computer.
      _____________________________________________________________________
      _____________________________________________________________________
    7.   Your new network has a calendaring feature. You are annoyed because people are making appointments in your calendar without checking with you first.
      _____________________________________________________________________
      _____________________________________________________________________
    8.   One of your co-workers is complaining that the company keeps adding new hardware and software to the network but not providing training first. His supervisor expects maximum productivity as soon as the new hardware or software is installed and criticizes employees when productivity actually drops while they are learning.
      _____________________________________________________________________
      _____________________________________________________________________
    9.   Your company has issued smart cards to its European sales representatives. You overhear one representative saying that she uses the card for both her personal and business telephone calls.
      _____________________________________________________________________
      _____________________________________________________________________
  10.   You notice several employees playing with some shareware that has nothing to do with work. On enquiry, you find out that your in-house computer "whiz kid" has installed some entertainment shareware at all of the workstations.
      _____________________________________________________________________

      _____________________________________________________________________ 
