Explain how following an acceptable use policy is ethical

Ethics and Information Security: MIS Business Concerns

Business Driven Information Systems, Ch. 4.2: Information Security

Read Ch. 4.2 of Business Driven Information Systems: Information Security.

CHAPTER OUTLINE

SECTION 4.1 Ethics

SECTION 4.2 Information Security

Information Ethics

Developing Information Management Policies

Protecting Intellectual Assets

The First Line of Defense—People

The Second Line of Defense—Technology

What’s in IT for me?

This chapter concerns itself with protecting information from potential misuse. Organizations must ensure that they collect, capture, store, and use information in an ethical manner. This means any type of information they collect and use, including about customers, partners, and employees. Companies must ensure that personal information collected about someone remains private. This is not just a nice thing to do. The law requires it. Perhaps more important, information must be kept physically secure to prevent access and possible dissemination and use by unauthorized sources.

You, the business student, must understand ethics and security because they are the top concerns customers voice today. The way they are handled directly influences a customer’s likelihood of embracing electronic technologies and conducting business over the web—and thus the company’s bottom line. You can find evidence in recent news reports about how the stock price of organizations falls dramatically when information privacy and security breaches are made known. Further, organizations face potential litigation if they fail to meet their ethical, privacy, and security obligations in the handling of information.

Page 134

opening case study

Five Ways Hackers Can Get Into Your Business

Did you know:

Once every 3 minutes, the average company comes into contact with viruses and malware.

One in every 291 email messages contains a virus.

Three things hackers want most are customer data, intellectual property, and bank account information.

The top five file names used in phishing scams are Details.zip, UPS_document.zip, DCIM.zip, Report.zip, and Scan.zip.

The average annual cost of a cyberattack on a small or medium-sized business is $188,242.

Cyberthieves are always looking for new ways to gain access to your business data, business networks, and business applications. The best way to protect your business from cybertheft is to build a strong defense and be able to identify vulnerabilities and weak spots. According to John Brandon of Inc. magazine, the top five ways hackers will try to gain access to your businesses are highlighted in Figure 4.1. (Please note that there are far more than five ways; these are just the five most common.)

FIGURE 4.1

Five ways hackers gain access to your business

Page 135

Page 136

section 4.1

Ethics

LEARNING OUTCOMES

4.1Explain the ethical issues in the use of information technology.

4.2Identify the six epolicies organizations should implement to protect themselves.

INFORMATION ETHICS

LO 4.1: Explain the ethical issues in the use of information technology.

Ethics and security are two fundamental building blocks for all organizations. In recent years, enormous business scandals along with 9/11 have shed new light on the meaning of ethics and security. When the behavior of a few individuals can destroy billion-dollar organizations, the value of ethics and security should be evident.

Copyright is the legal protection afforded an expression of an idea, such as a song, book, or video game. Intellectual property is intangible creative work that is embodied in physical form and includes copyrights, trademarks, and patents. A patent is an exclusive right to make, use, and sell an invention and is granted by a government to the inventor. As it becomes easier for people to copy everything from words and data to music and video, the ethical issues surrounding copyright infringement and the violation of intellectual property rights are consuming the ebusiness world. Technology poses new challenges for our ethics —the principles and standards that guide our behavior toward other people.

The protection of customers’ privacy is one of the largest, and murkiest, ethical issues facing organizations today. Privacy is the right to be left alone when you want to be, to have control over your personal possessions, and not to be observed without your consent. Privacy is related to confidentiality , which is the assurance that messages and information remain available only to those authorized to view them. Each time employees make a decision about a privacy issue, the outcome could sink the company.

Trust among companies, customers, partners, and suppliers is the support structure of ebusiness. Privacy is one of its main ingredients. Consumers’ concerns that their privacy will be violated because of their interactions on the web continue to be one of the primary barriers to the growth of ebusiness.

Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. The two primary areas concerning software include pirated software and counterfeit software. Pirated software is the unauthorized use, duplication, distribution, or sale of copyrighted software. Counterfeit software is software that is manufactured to look like the real thing and sold as such. Digital rights management is a technological solution that allows publishers to control their digital media to discourage, limit, or prevent illegal copying and distribution. Figure 4.2 contains examples of ethically questionable or unacceptable uses of information technology.2

FIGURE 4.2

Ethically Questionable or Unacceptable Information Technology Use

Page 137

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN DISCUSSION

Information—Does It Have Ethics?

A high school principal decided it was a good idea to hold a confidential conversation about teachers, salaries, and student test scores on his cellular phone in a local Starbucks. Not realizing that one of the students’ parents was sitting next to him, the principal accidentally divulged sensitive information about his employees and students. The irate parent soon notified the school board about the principal’s inappropriate behavior and a committee was formed to decide how to handle the situation.3

With the new wave of collaboration tools, electronic business, and the Internet, employees are finding themselves working outside the office and beyond traditional office hours. Advantages associated with remote workers include increased productivity, decreased expenses, and boosts in morale as employees are given greater flexibility to choose their work location and hours. Unfortunately, disadvantages associated with workers working remotely include new forms of ethical challenges and information security risks.

In a group, discuss the following statement: Information does not have any ethics. If you were elected to the committee to investigate the principal’s inappropriate Starbucks phone conversation, what types of questions would you want answered? What type of punishment, if any, would you enforce on the principal? What types of policies would you implement across the school district to ensure that this scenario is never repeated? Be sure to highlight how workers working remotely affect business along with any potential ethical challenges and information security issues.

Unfortunately, few hard and fast rules exist for always determining what is ethical. Many people can either justify or condemn the actions in Figure 4.2, for example. Knowing the law is important, but that knowledge will not always help because what is legal might not always be ethical, and what might be ethical is not always legal. For example, Joe Reidenberg received an offer for AT&T cell phone service. AT&T used Equifax, a credit reporting agency, to identify potential customers such as Joe Reidenberg. Overall, this seemed like a good business opportunity between Equifax and AT&T wireless. Unfortunately, the Fair Credit Reporting Act (FCRA) forbids repurposing credit information except when the information is used for “a firm offer of credit or insurance.” In other words, the only product that can be sold based on credit information is credit. A representative for Equifax stated, “As long as AT&T Wireless (or any company for that matter) is offering the cell phone service on a credit basis, such as allowing the use of the service before the consumer has to pay, it is in compliance with the FCRA.” However, the question remains—is it ethical?4

Figure 4.3 shows the four quadrants where ethical and legal behaviors intersect. The goal for most businesses is to make decisions within quadrant I that are both legal and ethical. There are times when a business will find itself in the position of making a decision in quadrant III, such as hiring child labor in foreign countries, or in quadrant II when a business might pay a foreigner who is getting her immigration status approved because the company is in the process of hiring the person. A business should never find itself operating in quadrant IV. Ethics are critical to operating a successful business today.

Information Does Not Have Ethics, People Do

Information itself has no ethics. It does not care how it is used. It will not stop itself from spamming customers, sharing itself if it is sensitive or personal, or revealing details to third parties. Information cannot delete or preserve itself. Therefore, it falls to those who own the information to develop ethical guidelines about how to manage it.

Page 138

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN ETHICS AND SECURITY

Is IT Really Worth the Risk?

Ethics. It’s just one tiny word, but it has monumental impact on every area of business. From the magazines, blogs, and newspapers you read to the courses you take, you will encounter ethics because it is a hot topic in today’s electronic world. Technology has provided so many incredible opportunities, but it has also provided those same opportunities to unethical people. Discuss the ethical issues surrounding each of the following situations (yes, these are true stories):

A student raises her hand in class and states, “I can legally copy any DVD I get from Netflix because Netflix purchased the DVD and the copyright only applies to the company who purchased the product.”

A student stands up the first day of class before the professor arrives and announces that his fraternity scans textbooks and he has the textbook for this course on his thumb drive, which he will gladly sell for $20. Several students pay on the spot and upload the scanned textbook to their PCs. One student takes down the student information and contacts the publisher about the incident.

A senior marketing manager is asked to monitor his employee’s email because there is a rumor that the employee is looking for another job.

A vice president of sales asks her employee to burn all of the customer data onto an external hard drive because she made a deal to provide customer information to a strategic partner.

A senior manager is asked to monitor his employee’s email to discover whether she is sexually harassing another employee.

An employee is looking at the shared network drive and discovers that his boss’s entire hard drive, including his email backup, has been copied to the network and is visible to all.

An employee is accidently copied on an email listing the targets for the next round of layoffs.

FIGURE 4.3

Acting Ethically and Acting Legally Are Not Always the Same Thing

Page 139

FIGURE 4.4

Ethical Guidelines for Information Management

A few years ago, the ideas of information management, governance, and compliance were relatively obscure. Today, these concepts are a must for virtually every company, both domestic and global, primarily due to the role digital information plays in corporate legal proceedings or litigation. Frequently, digital information serves as key evidence in legal proceedings, and it is far easier to search, organize, and filter than paper documents. Digital information is also extremely difficult to destroy, especially if it is on a corporate network or sent by email. In fact, the only reliable way to obliterate digital information reliably is to destroy the hard drives on which the file was stored. Ediscovery (or electronic discovery ) refers to the ability of a company to identify, search, gather, seize, or export digital information in responding to a litigation, audit, investigation, or information inquiry. As the importance of ediscovery grows, so does information governance and information compliance. The Child Online Protection Act (COPA) was passed to protect minors from accessing inappropriate material on the Internet. Figure 4.4 displays the ethical guidelines for information management.

DEVELOPING INFORMATION MANAGEMENT POLICIES

LO 4.2: Identify the six epolicies organizations should implement to protect themselves.

Treating sensitive corporate information as a valuable resource is good management. Building a corporate culture based on ethical principles that employees can understand and implement is responsible management. Organizations should develop written policies establishing employee guidelines, employee procedures, and organizational rules for information. These policies set employee expectations about the organization’s practices and standards and protect the organization from misuse of computer systems and IT resources. If an organization’s employees use computers at work, the organization should, at a minimum, implement epolicies. Epolicies are policies and procedures that address information management along with the ethical use of computers and the Internet in the business environment. Figure 4.5 displays the epolicies a firm should implement to set employee expectations.

Page 140

FIGURE 4.5

Overview of Epolicies

Ethical Computer Use Policy

In a case that illustrates the perils of online betting, a leading Internet poker site reported that a hacker exploited a security flaw to gain an insurmountable edge in high-stakes, no-limit Texas hold- ’em tournaments—the ability to see his opponents’ hole cards. The cheater, whose illegitimate winnings were estimated at between $400,000 and $700,000 by one victim, was an employee of AbsolutePoker.com and hacked the system to show that it could be done. Regardless of what business a company operates—even one that many view as unethical—the company must protect itself from unethical employee behavior.5 Cyberbullying includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on the website. A threat is an act or object that poses a danger to assets. Click-fraud is the abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser. Competitive click-fraud is a computer crime in which a competitor or disgruntled employee increases a company’s search advertising costs by repeatedly clicking the advertiser’s link.

Cyberbullying and click-fraud are just a few examples of the many types of unethical computer use found today.

One essential step in creating an ethical corporate culture is establishing an ethical computer use policy. An ethical computer use policy contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours. This policy ensures that the users know how to behave at work and the organization has a published standard to deal with infractions. For example, after appropriate warnings, the company may terminate an employee who spends significant amounts of time playing computer games at work.

Organizations can legitimately vary in how they expect employees to use computers, but in any approach to controlling such use, the overriding principle should be informed consent. The users should be informed of the rules and, by agreeing to use the system on that basis, consent to abide by them.

Managers should make a conscientious effort to ensure all users are aware of the policy through formal training and other means. If an organization were to have only one epolicy, it should be an ethical computer use policy because that is the starting point and the umbrella for any other policies the organization might establish.

Part of an ethical computer use policy can include a BYOD policy. A bring your own device (BYOD) policy allows employees to use their personal mobile devices and computers to access enterprise data and applications. BYOD policies offer four basic options, including:

Unlimited access for personal devices.

Access only to nonsensitive systems and data.

Access, but with IT control over personal devices, apps, and stored data.

Access, but preventing local storage of data on personal devices.

Page 141

Information Privacy Policy

An organization that wants to protect its information should develop an information privacy policy , which contains general principles regarding information privacy. Visa created Innovant to handle all its information systems, including its coveted customer information, which details how people are spending their money, in which stores, on which days, and even at what time of day. Just imagine what a sales and marketing department could do if it gained access to this information. For this reason, Innovant bans the use of Visa’s customer information for anything outside its intended purpose—billing. Innovant’s privacy specialists developed a strict credit card information privacy policy, which it follows.

Innovant has been asked whether it can guarantee that unethical use of credit card information will never occur. In a large majority of cases, the unethical use of information happens not through the malicious scheming of a rogue marketer but, rather, unintentionally. For instance, information is collected and stored for some purpose, such as record keeping or billing. Then, a sales or marketing professional figures out another way to use it internally, share it with partners, or sell it to a trusted third party. The information is “unintentionally” used for new purposes. The classic example of this type of unintentional information reuse is the Social Security number, which started simply as a way to identify government retirement benefits and then was used as a sort of universal personal ID, found on everything from drivers’ licenses to savings accounts.

Fair information practices is a general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy. Different organizations and countries have their own terms for these concerns. The United Kingdom terms it “Data Protection,” and the European Union calls it “Personal Data Privacy”; the Organisation for Economic Co-operation and Development (OECD) has written Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which can be found at www.oecd.org/unitedstates.6

Acceptable Use Policy

An acceptable use policy (AUP) requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet. Nonrepudiation is a contractual stipulation to ensure that ebusiness participants do not deny (repudiate) their online actions. A nonrepudiation clause is typically contained in an acceptable use policy. Many businesses and educational facilities require employees or students to sign an acceptable use policy before gaining network access. When signing up with an email provider, each customer is typically presented with an AUP, which states that the user agrees to adhere to certain stipulations. Users agree to the following in a typical acceptable use policy:

Not using the service as part of violating any law.

Not attempting to break the security of any computer network or user.

Not posting commercial messages to groups without prior permission.

Not performing any nonrepudiation.

Some organizations go so far as to create a unique information management policy focusing solely on Internet use. An Internet use policy contains general principles to guide the proper use of the Internet. Because of the large amounts of computing resources that Internet users can expend, it is essential for such use to be legitimate. In addition, the Internet contains numerous materials that some believe are offensive, making regulation in the workplace a requirement. Cybervandalism is the electronic defacing of an existing website. Typosquatting is a problem that occurs when someone registers purposely misspelled variations of well-known domain names. These variants sometimes lure consumers who make typographical errors when entering a URL. Website name stealing is the theft of a website’s name that occurs when someone, posing as a site’s administrator, changes the ownership of the domain name assigned to the website to another website owner. These are all examples of unacceptable Internet use. Internet censorship is government attempts to control Internet traffic, thus preventing some material from being viewed by a country’s citizens. Generally, an Internet use policy:

Describes the Internet services available to users.

Defines the organization’s position on the purpose of Internet access and what restrictions, if any, are placed on that access.

Page 142

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN GLOBALIZATION

The Right to Be Forgotten

The European Commissioner for Justice, Fundamental Rights, and Citizenship, Viviane Reding, announced the European Commission’s proposal to create a sweeping new privacy right—the right to be forgotten, allowing individuals to request to have all content that violates their privacy removed. The right to be forgotten addresses an urgent problem in the digital age: the great difficulty of escaping your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. To comply with the European Court of Justice’s decision, Google created a new online form by which individuals can request search providers to remove links that violate their online privacy. In the first month, Google received more than 50,000 submissions from people asking the company to remove links. Many people in the United States believe that the right to be forgotten conflicts with the right to free speech. Do people who want to erase their past deserve a second chance? Do you agree or disagree?7

Describes user responsibility for citing sources, properly handling offensive material, and protecting the organization’s good name.

States the ramifications if the policy is violated.

Email Privacy Policy

An email privacy policy details the extent to which email messages may be read by others. Email is so pervasive in organizations that it requires its own specific policy. Most working professionals use email as their preferred means of corporate communications. Although email and instant messaging are common business communication tools, risks are associated with using them. For instance, a sent email is stored on at least three or four computers (see Figure 4.6). Simply deleting an email from one computer does not delete it from the others. Companies can mitigate many of the risks of using electronic messaging systems by implementing and adhering to an email privacy policy.

FIGURE 4.6

Email Is Stored on Multiple Computers

Page 143

One major problem with email is the user’s expectations of privacy. To a large extent, this expectation is based on the false assumption that email privacy protection exists somehow analogous to that of U.S. first-class mail. Generally, the organization that owns the email system can operate the system as openly or as privately as it wishes. Surveys indicate that the majority of large firms regularly read and analyze employees’ email looking for confidential data leaks such as unannounced financial results or the sharing of trade secrets that result in the violation of an email privacy policy and eventual termination of the employee. That means that if the organization wants to read everyone’s email, it can do so. Basically, using work email for anything other than work is not a good idea. A typical email privacy policy:

Defines legitimate email users and explains what happens to accounts after a person leaves the organization.

Explains backup procedure so users will know that at some point, even if a message is deleted from their computer, it is still stored by the company.

Describes the legitimate grounds for reading email and the process required before such action is performed.

Discourages sending junk email or spam to anyone who does not want to receive it.

Prohibits attempting to mail bomb a site. A mail bomb sends a massive amount of email to a specific person or system that can cause that user’s server to stop functioning.

Informs users that the organization has no control over email once it has been transmitted outside the organization.

Spam is unsolicited email. It plagues employees at all levels within an organization, from receptionist to CEO, and clogs email systems and siphons MIS resources away from legitimate business projects. An anti-spam policy simply states that email users will not send unsolicited emails (or spam). It is difficult to write anti-spam policies, laws, or software because there is no such thing as a universal litmus test for spam. One person’s spam is another person’s newsletter. End users have to decide what spam is, because it can vary widely not just from one company to the next, but from one person to the next. A user can opt out of receiving emails by choosing to deny permission to incoming emails. A user can opt in to receive emails by choosing to allow permissions to incoming emails.

Teergrubing is an anti-spamming approach by which the receiving computer launches a return attack against the spammer, sending email messages back to the computer that originated the suspected spam.

Social Media Policy

Did you see the YouTube video showing two Domino’s Pizza employees violating health codes while preparing food by passing gas on sandwiches? Millions of people did, and the company took notice when disgusted customers began posting negative comments all over Twitter. Because they did not have a Twitter account, corporate executives at Domino’s did not know about the damaging tweets until it was too late. The use of social media can contribute many benefits to an organization, and implemented correctly, it can become a huge opportunity for employees to build brands. But there are also tremendous risks because a few employees representing an entire company can cause tremendous brand damage. Defining a set of guidelines implemented in a social media policy can help mitigate that risk. Companies can protect themselves by implementing a social media policy outlining the corporate guidelines or principles governing employee online communications. Having a single social media policy might not be enough to ensure that the company’s online reputation is protected. Additional, more specific, social media policies a company might choose to implement include:

Employee online communication policy detailing brand communication.

Employee blog and personal blog policies.

Employee social network and personal social network policies.

Employee Twitter, corporate Twitter, and personal Twitter policies.

Employee LinkedIn policy.

Employee Facebook usage and brand usage policy.

Corporate YouTube policy.

Page 144

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN MIS

15 Million Identity Theft Victims

Identity theft has quickly become the most common, expensive, and pervasive crime in the United States. The identities of more than 15 million U.S. citizens are stolen each year, with financial losses exceeding $50 billion. This means that the identities of almost 10 percent of U.S. adults will be stolen this year, with losses of around $4,000 each, not to mention the 100 million U.S. citizens whose personal data will be compromised due to data breaches on corporate and government databases.

The growth of organized crime can be attributed to the massive amounts of data collection along with the increased cleverness of professional identity thieves. Starting with individually tailored phishing and vishing scams, increasingly successful corporate and government databases hackings, and intricate networks of botnets that hijack millions of computers without a trace, we must wake up to this ever-increasing threat to all Americans.8

You have the responsibility to protect yourself from data theft. In a group, visit the Federal Trade Commission’s Consumer Information Identity Theft website at http://www.consumer.ftc.gov/features/feature-0014-identity-theft and review what you can do today to protect your identity and how you can ensure that your personal information is safe.

Social media monitoring is the process of monitoring and responding to what is being said about a company, individual, product, or brand. Social media monitoring typically falls to the social media manager , a person within the organization who is trusted to monitor, contribute, filter, and guide the social media presence of a company, individual, product, or brand. Organizations must protect their online reputations and continuously monitor blogs, message boards, social networking sites, and media sharing sites. However, monitoring the hundreds of social media sites can quickly become overwhelming. To combat these issues, a number of companies specialize in online social media monitoring; for example, Trackur.com creates digital dashboards that allow executives to view at a glance the date published, source, title, and summary of every item tracked. The dashboard not only highlights what’s being said but also the influence of the particular person, blog, or social media site.

Workplace Monitoring Policy

Increasingly, employee monitoring is not a choice; it is a risk-management obligation. Michael Soden, CEO of the Bank of Ireland, issued a mandate stating that company employees could not surf illicit websites with company equipment. Next, he hired Hewlett-Packard to run the MIS department, and illicit websites were discovered on Soden’s own computer, forcing Soden to resign. Monitoring employees is one of the biggest challenges CIOs face when developing information management policies.9

Physical security is tangible protection such as alarms, guards, fireproof doors, fences, and vaults. New technologies enable employers to monitor many aspects of their employees’ jobs, especially on telephones, computer terminals, through electronic and voice mail, and when employees are using the Internet. Such monitoring is virtually unregulated. Therefore, unless company policy specifically states otherwise (and even this is not ensured), your employer may listen, watch, and read most of your workplace communications. Workplace MIS monitoring tracks people’s activities by such measures as number of keystrokes, error rate, and number of transactions processed (see Figure 4.7 for an overview). The best path for an organization planning to engage in employee monitoring is open communication, including an employee monitoring policy stating explicitly how, when, and where the company monitors its employees. Several common stipulations an organization can follow when creating an employee monitoring policy include:

Page 145

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN DEBATE

Monitoring Employees

Every organization has the right to monitor its employees. Organizations usually inform their employees when workplace monitoring is occurring, especially regarding organizational assets such as networks, email, and Internet access. Employees traditionally offer their consent to be monitored and should not have any expectations of privacy when using organizational assets.

Do you agree or disagree that organizations have an obligation to notify employees about the extent of workplace monitoring, such as how long employees are using the Internet and which websites they are visiting? Do you agree or disagree that organizations have the right to read all employees’ email sent or received on an organizational computer, including personal Gmail accounts?

Be as specific as possible stating when and what (email, IM, Internet, network activity, etc.) will be monitored.

Expressly communicate that the company reserves the right to monitor all employees.

State the consequences of violating the policy.

Always enforce the policy the same for everyone.

Many employees use their company’s high-speed Internet access to shop, browse, and surf the web. Most managers do not want their employees conducting personal business during working hours, and they implement a Big Brother approach to employee monitoring. Many management gurus advocate that organizations whose corporate cultures are based on trust are more successful than those whose corporate cultures are based on mistrust. Before an organization implements monitoring technology, it should ask itself, “What does this say about how we feel about our employees?” If the organization really does not trust its employees, then perhaps it should find new ones. If an organization does trust its employees, then it might want to treat them accordingly. An organization that follows its employees’ every keystroke might be unwittingly undermining the relationships with its employees, and it might find the effects of employee monitoring are often worse than lost productivity from employee web surfing.

FIGURE 4.7

Internet Monitoring Technologies

Page 146

section 4.2

Information Security

LEARNING OUTCOMES

4.3Describe the relationships and differences between hackers and viruses.

4.4Describe the relationship between information security policies and an information security plan.

4.5Provide an example of each of the three primary information security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response.

PROTECTING INTELLECTUAL ASSETS

LO 4.3: Describe the relationships and differences between hackers and viruses.

To reflect the crucial interdependence between MIS and business processes accurately, we should update the old business axiom “Time is money” to say “Uptime is money.” Downtime refers to a period of time when a system is unavailable. Unplanned downtime can strike at any time for any number of reasons, from tornadoes to sink overflows to network failures to power outages (see Figure 4.8). Although natural disasters may appear to be the most devastating causes of MIS outages, they are hardly the most frequent or most expensive. Figure 4.9demonstrates that the costs of downtime are not only associated with lost revenues but also with financial performance, damage to reputations, and even travel or legal expenses. A few questions managers should ask when determining the cost of downtime are:10

How many transactions can the company afford to lose without significantly harming business?

Does the company depend on one or more mission-critical applications to conduct business?

How much revenue will the company lose for every hour a critical application is unavailable?

FIGURE 4.8

Sources of Unplanned Downtime

Page 147

FIGURE 4.9

The Cost of Downtime

What is the productivity cost associated with each hour of downtime?

How will collaborative business processes with partners, suppliers, and customers be affected by an unexpected IT outage?

What is the total cost of lost productivity and lost revenue during unplanned downtime?

The reliability and resilience of IT systems have never been more essential for success as businesses cope with the forces of globalization, 24/7 operations, government and trade regulations, global recession, and overextended IT budgets and resources. Any unexpected downtime in today’s business environment has the potential to cause both short- and long-term costs with far-reaching consequences.

Information security is a broad term encompassing the protection of information from accidental or intentional misuse by persons inside or outside an organization. Information security is the primary tool an organization can use to combat the threats associated with downtime. Understanding how to secure information systems is critical to keeping downtime to a minimum and uptime to a maximum. Hackers and viruses are two of the hottest issues currently facing information security.

Security Threats Caused by Hackers and Viruses

Hackers are experts in technology who use their knowledge to break into computers and computer networks, either for profit or simply for the challenge. Smoking is not just bad for a person’s health; it seems it is also bad for company security because hackers regularly use smoking entrances to gain building access. Once inside, they pose as employees from the MIS department and either ask for permission to use an employee’s computer to access the corporate network or find a conference room where they simply plugin their own laptop. Drive-by hacking is a computer attack by which an attacker accesses a wireless computer network, intercepts data, uses network services, and/or sends attack instructions without entering the office or organization that owns the network. Figure 4.10 lists the various types of hackers for organizations to be aware of, and Figure 4.11 shows how a virus is spread.

Page 148

FIGURE 4.10

Types of Hackers

One of the most common forms of computer vulnerabilities is a virus. A virus is software written with malicious intent to cause annoyance or damage. Some hackers create and leave viruses, causing massive computer damage. A worm spreads itself not only from file to file but also from computer to computer. The primary difference between a virus and a worm is that a virus must attach to something, such as an executable file, to spread. Worms do not need to attach to anything to spread and can tunnel themselves into computers. Figure 4.12 provides an overview of the most common types of viruses. Two additional computer vulnerabilities include adware and spyware. Adware is software that, although purporting to serve some useful function and often fulfilling that function, also allows Internet advertisers to display advertisements without the consent of the computer user. Spyware is a special class of adware that collects data about the user and transmits it over the Internet without the user’s knowledge or permission. Spyware programs collect specific data about the user, ranging from general demographics such as name, address, and browsing habits to credit card numbers, Social Security numbers, and user names and passwords. Not all adware programs are spyware and, used correctly, it can generate revenue for a company, allowing users to receive free products. Spyware is a clear threat to privacy. Ransomware is a form of malicious software that infects your computer and asks for money. Simplelocker is a new ransomware program that encrypts your personal files and demands payment for the files’ decryption keys. Figure 4.13 displays a few additional weapons hackers use for launching attacks.11

FIGURE 4.11

How Computer Viruses Spread

Page 149

FIGURE 4.12

Common Forms of Viruses

FIGURE 4.13

Hacker Weapons

Organizational information is intellectual capital. Just as organizations protect their tangible assets—keeping their money in an insured bank or providing a safe working environment for employees—they must also protect their intellectual capital, everything from patents to transactional and analytical information. With security breaches and viruses on the rise and computer hackers everywhere, an organization must put in place strong security measures to survive.

THE FIRST LINE OF DEFENSE—PEOPLE

LO 4.4: Describe the relationship between information security policies and an information security plan.

Organizations today can mine valuable information such as the identity of the top 20 percent of their customers, who usually produce 80 percent of revenues. Most organizations view this type of information as intellectual capital and implement security measures to prevent it from walking out the door or falling into the wrong hands. At the same time, they must enable employees, customers, and partners to access needed information electronically. Organizations address security risks through two lines of defense; the first is people, the second is technology.

Surprisingly, the biggest problem is people because the majority of information security breaches result from people misusing organizational information. Insiders are legitimate users who purposely or accidentally misuse their access to the environment and cause some kind of business-affecting incident. For example, many individuals freely give up their passwords or write them on sticky notes next to their computers, leaving the door wide open for hackers. Through social engineering , hackers use their social skills to trick people into revealing access credentials or other valuable information. Dumpster diving , or looking through people’s trash, is another way hackers obtain information. Pretexting is a form of social engineering in which one individual lies to obtain confidential data about another individual.

Page 150

Information security policies identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days. An information security plan details how an organization will implement the information security policies. The best way a company can safeguard itself from people is by implementing and communicating its information security plan. This becomes even more important with Web 2.0 as the use of mobile devices, remote workforce, and contractors continue growing. A few details managers should consider surrounding people and information security policies include defining the best practices for12

Applications allowed to be placed on the corporate network, especially various file sharing applications (Kazaz), IM software, and entertainment or freeware created by unknown sources (iPhone applications).

Corporate computer equipment used for personal reasons on personal networks.

Password creation and maintenances including minimum password length, characters to be included while choosing passwords, and frequency for password changes.

Personal computer equipment allowed to connect to the corporate network.

Virus protection, including how often the system should be scanned and how frequently the software should be updated. This could also include if downloading attachments is allowed and practices for safe downloading from trusted and untrustworthy sources.

THE SECOND LINE OF DEFENSE—TECHNOLOGY

LO 4.5: Provide an example of each of the three primary information security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response.

Once an organization has protected its intellectual capital by arming its people with a detailed information security plan, it can begin to focus on deploying technology to help combat attackers. Destructive agents are malicious agents designed by spammers and other Internet attackers to farm email addresses off websites or deposit spyware on machines. Figure 4.14 displays the three areas where technology can aid in the defense against attacks.

People: Authentication and Authorization

Identity theft consists of forging someone’s identity for the purpose of fraud. The fraud is often financial because thieves apply for and use credit cards or loans in the victim’s name. Two means of stealing an identity are phishing and pharming. Phishing is a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent emails that look as though they came from legitimate businesses. The messages appear to be genuine, with official-looking formats and logos, and typically ask for verification of important information such as passwords and account numbers, ostensibly for accounting or auditing purposes. Since the emails look authentic, up to one in five recipients responds with the information and subsequently becomes a victim of identity theft and other fraud. Figure 4.15 displays a phishing scam attempting to gain information for Skyline Bank; you should never click emails asking you to verify your identity because companies will never contact you directly asking for your user name or password.13 A phishing expedition is a masquerading attack that combines spam with spoofing. The perpetrator sends millions of spam emails that appear to be from a respectable company. The emails contain a link to a website that is designed to look exactly like the company’s website. The victim is encouraged to enter his or her username, password, and sometimes credit card information. Spear phishing is a phishing expedition in which the emails are carefully designed to target a particular person or organization. Vishing (or voice phishing) is a phone scam that attempts to defraud people by asking them to call a bogus telephone number to confirm their account information.

FIGURE 4.14

Three Areas of Information Security

Page 151

Pharming reroutes requests for legitimate websites to false websites. For example, if you were to type in the URL to your bank, pharming could redirect to a fake site that collects your information. A zombie is a program that secretly takes over another computer for the purpose of launching attacks on other computers. Zombie attacks are almost impossible to trace back to the attacker. A zombie farm is a group of computers on which a hacker has planted zombie programs. A pharming attack uses a zombie farm, often by an organized crime association, to launch a massive phishing attack.

FIGURE 4.15

Skyline Bank Phishing Scam

Page 152

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN INNOVATION

Beyond the Password

The password, a combination of a user name and personal code, has been the primary way to secure systems since computers first hit the market in the 1980s. Of course, in the 1980s, users had only one password to maintain and remember, and chances are they still probably had to write it down. Today, users have dozens of user names and passwords they have to remember to multiple systems and websites—it is simply no longer sustainable! A few companies are creating new forms of identification, hoping to eliminate the password problem.

Bionym is developing the Nymi, a wristband with two electrodes that reads your heart’s unique electrocardiogram signal and can unlock all your devices.

Clef is developing the Clef Wave, a free app that generates a unique image on your smart phone that you can point at your webcam, which reads the image and unlocks your websites. The image cannot be stolen because it only stays on your screen for a few seconds. More than 300 websites have enabled the Clef Wave service.

Illiri is developing an app that emits a unique sound on your smart phone that can be used to unlock other devices, process payments, and access websites. The sound lasts for 10 seconds and can be heard within 1 foot of your device.

In a group, evaluate the three preceding technologies and determine which one you would choose to implement at your school.

Authentication and authorization technologies can prevent identity theft, phishing, and pharming scams. Authentication is a method for confirming users’ identities. Once a system determines the authentication of a user, it can then determine the access privileges (or authorization) for that user. Authorization is the process of providing a user with permission, including access levels and abilities such as file access, hours of access, and amount of allocated storage space. Authentication and authorization techniques fall into three categories; the most secure procedures combine all three:

1.Something the user knows, such as a user ID and password. The first type of authentication, using something the user knows, is the most common way to identify individual users and typically consists of a unique user ID and password. However, this is actually one of the most ineffective ways for determining authentication because passwords are not secure. All it typically takes to crack one is enough time. More than 50 percent of help-desk calls are password related, which can cost an organization significant money, and a social engineer can coax a password from almost anybody.

2.Something the user has, such as a smart card or token. The second type of authentication, using something the user has, offers a much more effective way to identify individuals than a user ID and password. Tokens and smart cards are two of the primary forms of this type of authentication. Tokens are small electronic devices that change user passwords automatically. The user enters his or her user ID and token-displayed password to gain access to the network. A smart card is a device about the size of a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing. Smart cards can act as identification instruments, a form of digital cash, or a data storage device with the ability to store an entire medical record.

Page 153

3.Something that is part of the user, such as a fingerprint or voice signature. The third kind of authentication, something that is part of the user, is by far the best and most effective way to manage authentication. Biometrics (narrowly defined) is the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting. A voiceprint is a set of measurable characteristics of a human voice that uniquely identifies an individual. These characteristics, which are based on the physical configuration of a speaker’s mouth and throat, can be expressed as a mathematical formula. Unfortunately, biometric authentication such as voiceprints can be costly and intrusive.

Single-factor authentication is the traditional security process, which requires a user name and password. Two-factor authentication requires the user to provide two means of authentication, what the user knows (password) and what the user has (security token). Multifactor authentication requires more than two means of authentication such as what the user knows (password), what the user has (security token), and what the user is (biometric verification). The goal of multifactor authentication is to make it difficult for an unauthorized person to gain access to a system because, if one security level is broken, the attacker will still have to break through additional levels.

Data: Prevention and Resistance

Prevention and resistance technologies stop intruders from accessing and reading data by means of content filtering, encryption, and firewalls. Time bombs are computer viruses that wait for a specific date before executing their instructions. Content filtering occurs when organizations use software that filters content, such as emails, to prevent the accidental or malicious transmission of unauthorized information. Organizations can use content filtering technologies to filter email and prevent emails containing sensitive information from transmitting, whether the transmission was malicious or accidental. It can also filter emails to prevent any suspicious files from transmitting, such as potentially virus-infected files. Email content filtering can also filter for spam, a form of unsolicited email.

Encryption scrambles information into an alternative form that requires a key or password to decrypt. If there were a security breach and the stolen information were encrypted, the thief would be unable to read it. Encryption can switch the order of characters, replace characters with other characters, insert or remove characters, or use a mathematical formula to convert the information into a code. Companies that transmit sensitive customer information over the Internet, such as credit card numbers, frequently use encryption. To decrypt information is to decode it and is the opposite of encrypt. Cryptography is the science that studies encryption, which is the hiding of messages so that only the sender and receiver can read them. The National Institute of Standards and Technology (NIST) introduced an advanced encryption standard (AES) designed to keep government information secure.

Some encryption technologies use multiple keys. Public key encryption (PKE) uses two keys: a public key that everyone can have and a private key for only the recipient (see Figure 4.16). The organization provides the public key to all customers, whether end consumers or other businesses, who use that key to encrypt their information and send it via the Internet. When it arrives at its destination, the organization uses the private key to unscramble it.

FIGURE 4.16

Public Key Encryption (PKE)

Page 154

FIGURE 4.17

Sample Firewall Architecture Connecting Systems Located in Chicago, New York, and Boston

Public keys are becoming popular to use for authentication techniques consisting of digital objects in which a trusted third party confirms correlation between the user and the public key. A certificate authority is a trusted third party, such as VeriSign, that validates user identities by means of digital certificates. A digital certificate is a data file that identifies individuals or organizations online and is comparable to a digital signature.

A firewall is hardware and/or software that guard a private network by analyzing incoming and outgoing information for the correct markings. If they are missing, the firewall prevents the information from entering the network. Firewalls can even detect computers communicating with the Internet without approval. As Figure 4.17 illustrates, organizations typically place a firewall between a server and the Internet. Think of a firewall as a gatekeeper that protects computer networks from intrusion by providing a filter and safe transfer points for access to and from the Internet and other networks. It screens all network traffic for proper passwords or other security codes and allows only authorized transmissions in and out of the network.

Firewalls do not guarantee complete protection, and users should enlist additional security technologies such as antivirus software and antispyware software. Antivirus software scans and searches hard drives to prevent, detect, and remove known viruses, adware, and spyware. Antivirus software must be frequently updated to protect against newly created viruses.

Attack: Detection and Response

Cyberwar is an organized attempt by a country’s military to disrupt or destroy information and communication systems for another country. Cyberterrorism is the use of computer and networking technologies against persons or property to intimidate or coerce governments, individuals, or any segment of society to attain political, religious, or ideological goals. With so many intruders planning computer attacks, it is critical for all computer systems to be protected. The presence of an intruder can be detected by watching for suspicious network events such as bad passwords, the removal of highly classified data files, or unauthorized user attempts. Intrusion detection software (IDS) features full-time monitoring tools that search for patterns in network traffic to identify intruders. IDS protects against suspicious network traffic and attempts to access files and data. If a suspicious event or unauthorized traffic is identified, the IDS will generate an alarm and can even be customized to shut down a particularly sensitive part of a network. After identifying an attack, an MIS department can implement response tactics to mitigate the damage. Response tactics outline procedures such as how long a system under attack will remain plugged in and connected to the corporate network, when to shut down a compromised system, and how quickly a backup system will be up and running.

Page 155

APPLY YOUR KNOWLEDGE

BUSINESS DRIVEN START-UP

LifeLock: Keeping Your Identity Safe

Have you ever seen a LifeLock advertisement? If so, you know the Social Security number of LifeLock CEO Todd Davis because he posts it in all ads daring hackers to try to steal his identity. Davis has been a victim of identity theft at least 13 times. The first theft occurred when someone used his identity to secure a $500 loan from a check-cashing company. Davis discovered the crime only after the company called his wife’s cell phone to recover the unpaid debt.14

If you were starting an identity theft prevention company, do you think it would be a good idea to post your Social Security number in advertisements? Why or why not? What do you think happened that caused Davis’s identity to be stolen? What types of information security measures should LifeLock implement to ensure that Davis’s Social Security number is not stolen again? If you were LifeLock’s CEO, what type of marketing campaign would you launch next?

Guaranteeing the safety of organization information is achieved by implementing the two lines of defense: people and technology. To protect information through people, firms should develop information security policies and plans that provide employees with specific precautions they should take in creating, working with, and transmitting the organization’s information assets. Technology-based lines of defense fall into three categories: authentication and authorization; prevention and resistance; and detection and response.

LEARNING OUTCOME REVIEW

Learning Outcome 4.1: Explain the ethical issues in the use of information technology.

Information ethics govern the ethical and moral issues arising from the development and use of information technologies as well as the creation, collection, duplication, distribution, and processing of information itself (with or without the aid of computer technologies). Ethical dilemmas in this area usually arise not as simple, clear-cut situations but as clashes among competing goals, responsibilities, and loyalties. Inevitably, there will be more than one socially acceptable or correct decision. For this reason, acting ethically and legally are not always the same.

Learning Outcome 4.2: Identify the six epolicies organizations should implement to protect themselves.

1.An ethical computer use policy contains general principles to guide computer user behavior. For example, it might explicitly state that users should refrain from playing computer games during working hours.

2.An information privacy policy contains general principles regarding information privacy.

3.An acceptable use policy (AUP) is a policy that a user must agree to follow to be provided access to corporate email, information systems, and the Internet.

4.An email privacy policy details the extent to which email messages may be read by others.

Page 156

5.A social media policy outlines the corporate guidelines or principles governing employee online communications.

6.An employee-monitoring policy states explicitly how, when, and where the company monitors its employees.