E-commerce - Chapter 13: Security and ethical challenges


Security and Ethical Challenges
Chapter 13

Learning Objectives
- Identify several ethical issues in how the use of information technologies in business affects employment, individuality, working conditions, privacy, crime, health, and solutions of societal problems.

Learning Objectives
- Identify several types of security management strategies and defenses, and explain how they can be used to ensure the security of business applications of information technology.
- Propose several ways that business managers and professionals can help to lessen the harmful effects and increase the beneficial effects of the use of information technology.

Why Study Challenges of IT?
Information technology in business presents major security challenges, poses serious ethical questions, and affects society in significant ways.

Case #1: Computer Viruses
Why do security glitches exist?
- Microsoft and other software companies have placed a high priority on getting products out quickly and loading them with features, rather than attending to security.
- With a 95% market share, Microsoft's Windows desktop operating system is a fat, juicy target for the bad guys.

Case #1: Computer Viruses
The burden for combating viruses lies with computer users themselves. Most large corporations already have basic antivirus software. But security experts maintain that they need to come up with better procedures for frequently updating their computers with the latest security patches to programs and inoculations against new viruses.

Case #1: Computer Viruses
- What security measures should companies, business professionals, and consumers take to protect their systems from being damaged by computer worms and viruses?
- What is the ethical responsibility of Microsoft in helping to prevent the spread of computer viruses? Have they met this responsibility? Why or why not?

Case #1: Computer Viruses
- What are several possible reasons why some companies (like GM) were seriously affected by computer viruses, while others (like Verizon) were not?
- What are the ethical responsibilities of companies and business professionals in helping curb the spread of computer viruses?

IT Security, Ethics and Society

Ethical Responsibility
Business professionals have a responsibility to promote ethical uses of information technology in the workplace.

Business Ethics
Definition: Questions that managers must confront as part of their daily business decision making, including:
- Equity
- Rights
- Honesty
- Exercise of Corporate Power

Ethical Business Issues Categories

Corporate Social Responsibility Theories
- Stockholder Theory – managers are agents of the stockholders, and their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
- Social Contract Theory – companies have ethical responsibilities to all members of society, which allow corporations to exist based on a social contract

Corporate Social Responsibility Theories
- Stakeholder Theory – managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders, which are all individuals and groups that have a stake in or claim on a company

Principles of Technology Ethics
- Proportionality – the good achieved by the technology must outweigh the harm or risk
- Informed Consent – those affected by the technology should understand and accept the risks

Principles of Technology Ethics
- Justice – the benefits and burdens of the technology should be distributed fairly
- Minimized Risk – even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk

AITP Standards of Professional Conduct
Ethical Guidelines
- Acting with integrity
- Increasing professional competence
- Setting high standards of personal performance
- Accepting responsibility for one's own work
- Advancing the health, privacy, and general welfare of the public

Computer Crime
- The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
- The unauthorized release of information
- The unauthorized copying of software
- Denying an end user access to his or her own hardware, software, data, or network resources
- Using or conspiring to use computer or network resources illegally to obtain information or tangible property

Cyber Crime Safeguards

Hacking
Definition: The obsessive use of computers, or the unauthorized access and use of networked computer systems

Common Hacking Tactics
- Denial of Service – hammering a website's equipment with too many requests for information, effectively clogging the system, slowing performance or even crashing the site
- Scans – widespread probes of the Internet to determine types of computers, services, and connections

Common Hacking Tactics
- Sniffer – programs that covertly search individual packets of data as they pass through the Internet, capturing passwords or entire contents
- Spoofing – faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers

Common Hacking Tactics
- Trojan Horse – a program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
- Back Doors – a hidden point of entry to be used in case the original entry point has been detected or blocked

Common Hacking Tactics
- Malicious Applets – tiny programs that misuse your computer's resources, modify files on the hard disk, send fake e-mail, or steal passwords
- War Dialing – programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection

Common Hacking Tactics
- Logic Bombs – an instruction in a computer program that triggers a malicious act
- Buffer Overflow – a technique for crashing or gaining control of a computer by sending too much data to the buffer in a computer's memory
- Password Crackers – software that can guess passwords

Common Hacking Tactics
- Social Engineering – a tactic used to gain access to computer systems by talking unsuspecting company employees out of valuable information such as passwords
- Dumpster Diving – sifting through a company's garbage to find information to help break into their computers

Cyber Theft
Definition: Computer crime involving the theft of money

Unauthorized Use
Definition: Time and resource theft, which may range from doing private consulting or personal finances, or playing video games, to unauthorized use of the Internet on company networks

Internet Abuses in the Workplace

Piracy
- Software Piracy – unauthorized copying of computer programs
- Piracy of Intellectual Property – unauthorized copying of copyrighted material, such as music, videos, images, articles, books, and other written works, which are especially vulnerable to copyright infringement

Virus vs. Worm
- Computer Virus – program code that cannot work without being inserted into another program
- Worm – a distinct program that can run unaided

Privacy Issues
- Accessing individuals' private e-mail conversations and computer records, and collecting and sharing information about individuals gained from their visits to Internet websites and newsgroups
- Always knowing where a person is, especially as mobile and paging services become more closely associated with people rather than places

Privacy Issues
- Using customer information gained from many sources to market additional business services
- Collecting telephone numbers, e-mail addresses, credit card numbers, and other personal information to build individual customer profiles

Privacy on the Internet
- E-mail can be encrypted
- Newsgroup postings can be sent through anonymous remailers
- ISPs can be asked not to sell your name and personal information to mailing list providers and other marketers
- Decline to reveal personal data and interests on online service and website user profiles

Computer Matching
Definition: Using physical profiles or personal data and profiling software to match individuals with data

Privacy Laws
Definition: Rules that regulate the collection and use of personal data by businesses

Censorship
- Spamming – indiscriminate sending of unsolicited e-mail messages to many Internet users
- Flaming – sending extremely critical, derogatory, and often vulgar e-mail messages or newsgroup postings to other users on the Internet or online services

Other Challenges
- Employment – significant reductions in job opportunities as well as different types of skills required for new jobs
- Computer Monitoring – computers used to monitor the productivity and behavior of employees as they work

Other Challenges
- Working Conditions – jobs requiring a skilled craftsman have been replaced by jobs requiring routine, repetitive tasks or standby roles
- Individuality – activities are dehumanized and depersonalized because computers eliminate human relationships

Ergonomics
Definition: Designing healthy work environments that are safe, comfortable, and pleasant for people to work in, thus increasing employee morale and productivity

Ergonomic Factors

Societal Solutions
- Many of the detrimental effects of information technology are caused by individuals or organizations that are not accepting the ethical responsibility for their actions.
- Like other powerful technologies, information technology possesses the potential for great harm or great good for all humankind.

Case #2: Security Management
Security needs must be balanced with:
- Push for greater access to data
- Coping with government mandates
- Planning for possible budget cuts

Case #2: Security Management
- What is Geisinger Health Systems doing to protect the security of their data resources? Are these measures adequate? Explain your evaluation.
- What security measures is Du Pont taking to protect their process-control networks? Are these measures adequate? Explain your evaluation.

Case #2: Security Management
- What are several other steps Geisinger and Du Pont could take to increase the security of their data and network resources? Explain the value of your proposals.
- What unique challenges do mobile wireless applications pose for companies? What are several ways these challenges can be met?

Security Management
The goal of security management is the accuracy, integrity, and safety of all information system processes and resources.

Internetworked Security Defenses
- Encryption – data transmitted in scrambled form and unscrambled by computer systems for authorized users only
- Firewalls – a gatekeeper system that protects a company's intranets and other computer networks from intrusion by providing a filter and safe transfer point for access to and from the Internet and other networks

Public/Private Key Encryption

Internet and Intranet Firewalls

Denial of Service Defenses
- At the zombie machines – set and enforce security policies
- At the ISP – monitor and block traffic spikes
- At the victim's website – create backup servers and network connections

Internetworked Security Defenses
- E-mail Monitoring – use of content monitoring software that scans for troublesome words that might compromise corporate security
- Virus Defenses – centralize the distribution and updating of antivirus software

Other Security Measures
- Security Codes – multilevel password system used to gain access into the system
- Backup Files – duplicate files of data or programs
- Security Monitors – software that monitors the use of computer systems and networks and protects them from unauthorized use, fraud, and destruction

Other Security Measures
- Biometrics – computer devices that measure physical traits that make each individual unique
- Computer Failure Controls – devices used to prevent computer failure or minimize its effects

Fault Tolerant Systems
Systems that have redundant processors, peripherals, and software that provide a:
- Fail-over capability to back up components in the event of system failure
- Fail-safe capability where the computer system continues to operate at the same level even if there is a major hardware or software failure

Disaster Recovery
Formalized procedures to follow in the event a disaster occurs, including:
- Which employees will participate
- What their duties will be
- What hardware, software, and facilities will be used
- Priority of applications that will be processed
- Use of alternative facilities
- Offsite storage of an organization's databases

Information Systems Controls
Definition: Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities

Information Systems Controls

Auditing IT Security
- IT security audits review and evaluate whether proper and adequate security measures and management policies have been developed and implemented.
- This typically involves verifying the accuracy and integrity of the software used, as well as the input of data and output produced by business applications.

Security Management for Internet Users

Case #3: Software Patch Management
- Keeping abreast of security patches has become an essential business practice for any company.
- IT managers must be aware of security at every level.
- If even one critical system is compromised, the entire network can be exposed.

Case #3: Software Patch Management
Complications of Patch Management:
- Volume of nodes that must be serviced
- Complexities of heterogeneous environments

Case #3: Software Patch Management
- What types of security problems are typically addressed by a patch management strategy? Why do such problems arise in the first place?
- What challenges does the process of applying software patches and updates pose for many businesses? What are the limitations of the patching process?

Case #3: Software Patch Management
- Does the business value of a comprehensive patch management strategy outweigh its costs, limitations, and the demands it places on the IT function? Why or why not?

Case #4: Network Security Systems
Security event management suites automate the process of gathering, consolidating, correlating, and prioritizing data from various security tools, including:
- Antivirus software
- Firewalls
- Intrusion detection systems
- Intrusion prevention systems
- Operating systems
- Application software

Case #4: Network Security Systems
- Security information management tools typically normalize the security event data they collect by converting it into a common format and automatically filtering out duplicate data.
- The normalized data are then loaded into a central database where correlation software can match data from different systems and look for patterns that might indicate an attack.

Case #4: Network Security Systems
Finally, threats are prioritized based on their severity and the importance of the systems that are vulnerable.

Case #4: Network Security Systems
- What is the function of each of the network security tools identified in this case? Visit the websites of security firms Check Point and NetForensics to help you answer.
- What is the value of security information management software to a company? Use the companies in this case as examples.

Case #4: Network Security Systems
- What can smaller firms who cannot afford the cost of such software do to properly manage and use the information about security from their network security systems? Give several examples.

Summary
- The vital role of information technologies and systems in society raises serious ethical and societal issues in terms of their impact on employment, individuality, working conditions, privacy, health, and computer crime.

Summary
- Business and IT activities involve many ethical considerations.
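The three-stage process that Case #4 describes for security information management tools (normalize events from heterogeneous tools into one format and drop duplicates, correlate them in a central store to find patterns spanning several systems, then prioritize by severity and by the importance of the affected asset) is easier to reason about when written out. The following is an added example, not code from the chapter, the textbook, or any vendor named in the case. It runs over constructed sample records in three made-up formats (a firewall log, a JSON IDS alert, and an sshd syslog line); the asset inventory, the hostname-to-address map, the severity mappings and the scoring rule are all assumptions chosen for illustration.

```python
"""Toy security information management (SIM) pipeline: normalize, dedupe,
correlate, prioritize.  Added illustration; all inputs below are constructed."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: one probe of the database server seen by three
# tools, each reporting in its own format, plus benign traffic for contrast.
FIREWALL_LINES = [
    "2024-01-15T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=22",
    "2024-01-15T10:00:02 fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=22",
    "2024-01-15T10:00:02 fw01 DENY src=203.0.113.5 dst=10.0.0.10 dport=22",  # exact duplicate
    "2024-01-15T10:00:05 fw01 ALLOW src=198.51.100.7 dst=10.0.0.20 dport=443",
]
IDS_LINES = [
    '{"ts": "2024-01-15T10:00:03", "sensor": "ids01", "sig": "SSH brute force",'
    ' "src_ip": "203.0.113.5", "dst_ip": "10.0.0.10", "priority": 2}',
]
OS_LINES = [
    "Jan 15 10:00:04 dbserver sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Jan 15 10:00:06 webserver sshd[2222]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
]

# Assumed asset inventory (importance 1 = low .. 5 = critical) and host map;
# the prioritization step weighs event severity against the target's value.
ASSET_IMPORTANCE = {"10.0.0.10": 5, "10.0.0.20": 3}
HOST_TO_IP = {"dbserver": "10.0.0.10", "webserver": "10.0.0.20"}


@dataclass(frozen=True)
class Event:
    """The common format every tool's output is converted to."""
    source: str     # tool that produced the record
    action: str     # normalized description of what happened
    src_ip: str
    dst_ip: str
    severity: int   # 0 = informational .. 5 = critical, one shared scale


def parse_firewall(line):
    m = re.search(r"(ALLOW|DENY) src=(\S+) dst=(\S+)", line)
    if not m:
        return None
    action, src, dst = m.groups()
    return Event("firewall", action.lower(), src, dst, 2 if action == "DENY" else 0)


def parse_ids(line):
    rec = json.loads(line)
    # IDS priority 1 is most urgent; map it onto the shared 0..5 scale.
    return Event("ids", rec["sig"], rec["src_ip"], rec["dst_ip"], min(5, 6 - rec["priority"]))


SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (\S+) sshd\[\d+\]: (Failed password|Accepted \w+) for (\S+) from (\S+) port")


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, what, _user, src = m.groups()
    dst = HOST_TO_IP.get(host, host)        # resolve hostname to the asset address
    if what.startswith("Failed"):
        return Event("os", "auth_failure", src, dst, 3)
    return Event("os", "auth_success", src, dst, 1)


def normalize(fw_lines, ids_lines, os_lines):
    """Stage 1: convert every record to Event and drop exact duplicates."""
    parsed = ([parse_firewall(l) for l in fw_lines]
              + [parse_ids(l) for l in ids_lines]
              + [parse_syslog(l) for l in os_lines])
    seen, unique = set(), []
    for ev in parsed:
        if ev is None or ev in seen:        # frozen dataclass hashes by field values
            continue
        seen.add(ev)
        unique.append(ev)
    return unique


def correlate(events, min_severity=2, min_sources=2):
    """Stages 2 and 3: group suspicious events by (source, target) pair, keep the
    pairs that several tools agree on, and rank by severity x asset importance."""
    groups = defaultdict(list)
    for ev in events:
        if ev.severity >= min_severity:
            groups[(ev.src_ip, ev.dst_ip)].append(ev)
    threats = []
    for (src, dst), evs in groups.items():
        sources = sorted({e.source for e in evs})
        if len(sources) < min_sources:      # a single tool's report is not yet a pattern
            continue
        severity = max(e.severity for e in evs)
        importance = ASSET_IMPORTANCE.get(dst, 1)
        threats.append({"src": src, "dst": dst, "sources": sources,
                        "severity": severity, "importance": importance,
                        "score": severity * importance})
    return sorted(threats, key=lambda t: t["score"], reverse=True)


def run_pipeline():
    return correlate(normalize(FIREWALL_LINES, IDS_LINES, OS_LINES))


if __name__ == "__main__":
    for threat in run_pipeline():
        print(threat)
```

Run as written, the three identical firewall denies collapse into one event, the benign 198.51.100.7 traffic never reaches the correlation stage, and the one remaining (source, target) pair is reported because the firewall, the IDS and the server's own auth log all saw it, scored against the database server's importance. A production tool would keep a count on the deduplicated event rather than discarding repeats, since the number of denies is itself a signal, and would key correlation on time windows as well as addresses; the stage boundaries, though, are the ones the case describes.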
- Basic principles of technology and business ethics can serve as guidelines for business professionals when dealing with ethical business issues that may arise in the widespread use of information technology in business and society.

Summary
- One of the most important responsibilities of the management of a company is to assure the security and quality of its IT-enabled business activities.
- Security management tools and policies can ensure the accuracy, integrity, and safety of the information systems and resources of a company, and thus minimize errors, fraud, and security losses in their business activities.

End of Chapter
Chapter 13
