D333 Study Notes PDF
Document Details
Uploaded by CapableAmethyst
Tags
Summary
These notes summarize chapters from a textbook on ethics in information technology. They cover topics like the definition of ethics, unethical behavior trends, corporate social responsibility, measures to improve business ethics, and ethical considerations in decision-making.
Full Transcript
Collection of chapter summaries from Ethics in Information Technology (Reynolds, G. 6th edition, 2019) Chapter 1 summary: An Overiview of Ethics What is ethics? Ethics is a code of behavior that is defined by the group to which an individual belongs. Morals are the personal principles upon which...
Collection of chapter summaries from Ethics in Information Technology (Reynolds, G. 6th edition, 2019) Chapter 1 summary: An Overiview of Ethics What is ethics? Ethics is a code of behavior that is defined by the group to which an individual belongs. Morals are the personal principles upon which an individual bases his or her decisions about what is right and what is wrong. A person who acts with integrity acts in accordance with a personal code of principles. Law is a system of rules that tells us what we can and cannot do. Laws are enforced by a set of institutions (the police, courts, and law-making bodies). A code of ethics states the principles and core values that are essential to one's work. Just because an activity is defined as legal does not mean that it is ethical. What trends have increased the likelihood of an unethical behavior? Globalization has created a much more complex work environment, making it more difficult to apply principles and codes of ethics consistently. Organizations may be tempted to resort to unethical behavior to maintain profits in today's more challenging and uncertain economic climate. It is not unusual for powerful, highly successful individuals to fail to act in morally appropriate ways as such people are often aggressive in striving for what they want and are used to having privileged access to information, people, and other resources. Furthermore, their success often inflates their belief that they have the ability and the right to manipulate the outcome of any situation. What is corporate social responsibility, and why is fostering good business ethics important? Corporate social responsibility is the concept that an organization should act ethically by taking responsibility for the impact of its actions on its shareholders, consumers, employees, community, environment, and suppliers. Supply chain sustainability is a component of CSR that focuses on developing and maintaining a supply chain that meets the needs of the present without compromising the ability of future generations to meet their needs. Each organization must decide if CSR is a priority, and if so, what its specific CSR goals are. Organizations have five good reasons for pursuing CSR goals and promoting a work environment in which they encourage employees to act ethically: (1) to gain the goodwill of the community, (2) to create an organization that operates consistently, (3) to foster good business practices, (4) to protect the organization and its employees from legal action, and (5) to avoid unfavorable publicity. What measures can organizations take to improve their business ethics? An organization can take several actions to improve its business ethics including: appointing a corporate ethics officer, requiring its board of directors to set and model high ethical standards, establish a corporate code of ethics, conduct social audits, require employees to take ethics training, include ethical criteria in employee appraisals, and create an ethical work environment. How can you include ethical considerations in your decision making? Often, people employ a simple decision-making model that includes these steps: (1) define the problem, (2) identify alternatives, (3) choose an alternative, (4) implement the decision, and (5) monitor the results. You can incorporate ethical considerations into decision making by identifying and involving the stakeholders; weighing various laws, guidelines, and principles—including the organization's code of ethics—that may apply; and considering the impact of the decision on you, your organization, stakeholders, your customers and suppliers, and the environment. What trends have increased the risk that information technology will be used in an unethical manner? The growth of the Internet and social networks; the ability to capture, store, and analyze vast amounts of personal data; and a greater reliance on information systems in all aspects of life have increased the risk that information technology will be used unethically. In the midst of the many IT breakthroughs in recent years, the importance of ethics and human values has been underemphasized—with a range of consequences. Chapter 2 Summary: Ethics for IT Workers and IT Users What relationships must an IT worker manage, and what key ethical issues can arise in each? An IT worker must maintain good working relationships with employers, clients, suppliers, other professionals, IT users, and society at large. Each relationship has its own set of ethical issues and potential problems. In relationships between IT workers and employers, important issues include setting and enforcing policies regarding the ethical use of IT, the potential for whistle-blowing, and the safeguarding of trade secrets. In relationships between IT workers and clients, key issues revolve around defining, sharing, and fulfilling each party's responsibilities for successfully completing an IT project. The IT worker must remain objective and guard against any sort of conflict of interest, fraud, misrepresentation, or breach of contract. A major goal for IT workers and suppliers is to develop good working relationships in which no action can be perceived as unethical. Bribery is the act of providing money, property, or favors to someone in business or government in order to obtain a business advantage. Internal control is the process established by an organization's board of directors, managers, and IT group to provide reasonable assurance for the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. Policies are the guidelines, standards, and laws by which the organization must abide. Policies drive processes and procedures. Processes are a collection of tasks designed to accomplish a stated objective. A procedure defines the exact instructions for completing each task in a process. A fundamental concept of good internal control is the careful separation of duties associated with any process that involves the handling of financial transactions so that different aspects of the process are handled by different people. The Foreign Corrupt Practices Act (FCPA) makes it a crime to bribe a foreign official, a foreign political party official, or a candidate for foreign political office. The act applies to any U.S. citizen or company and to any company with shares listed on any U.S. stock exchange. In relationships between IT workers and other professionals, the priority is to improve the profession through activities such as mentoring inexperienced colleagues, demonstrating professional loyalty, and avoiding résumé inflation and the inappropriate sharing of corporate information. In relationships between IT professionals and IT users, important issues include software piracy, inappropriate use of IT resources, and inappropriate sharing of information. When it comes to the relationship between IT workers and society at large, the main challenge for IT workers is to practice the profession in ways that cause no harm to society and provide significant benefits. What can be done to encourage the professionalism of IT workers? A professional is one who possess the skill, good judgment, and work habits expected from a person who has the training and experience to do a job well. A professional is expected to contribute to society, to participate in a lifelong training program, to keep abreast of developments in the field, and to help develop other professionals. IT workers of all types can improve their profession's reputation for professionalism by (1) subscribing to a professional code of ethics, (2) joining and participating in professional organizations, (3) obtaining appropriate certifications, and (4) supporting government licensing where available. A professional code of ethics states the principles and core values that are essential to the work of a particular occupational group. Codes of ethics usually have two main parts—the first outlines what the organization aspires to become and the second typically lists rules and principles that members are expected to live by. The codes also typically include a commitment to continuing education for those who practice the profession. Adherence to a code of ethics can produce many benefits for the individual, the profession, and society as a whole, including ethical decision making, high standards of practice and ethical behavior, trust and respect with the general public, and access to an evaluation benchmark that can be used for self- assessment. Several IT-related professional organizations have developed a code of ethics, including ACM, IEEE-CS, AITP, and SANS. Many people believe that the licensing and certification of IT workers would increase the reliability and effectiveness of information systems. Certification indicates that a professional possesses a particular set of skills, knowledge, or abilities, in the opinion of the certifying organization. Numerous companies and professional organization offer certification. Most states support the licensing of software engineers, and the state licensing boards have ultimate responsibility over specific requirements for licensing in their jurisdiction. What ethical issues do IT users face, and what can be done to encourage their ethical behavior? IT users face several common ethical issues, including software piracy, inappropriate use of computing resources, and inappropriate sharing of information. Actions that can be taken to encourage the ethical behavior of IT users include establishing guidelines for the use of company hardware and software; defining an AUP for the use of IT resources; structuring information systems to protect data and information; installing and maintaining a corporate firewall; and ensuring compliance with laws, policies, and standards. The information security (infosec) group is responsible for managing the processes, tools, and policies necessary to prevent, detect, document, and counter threats to digital and nondigital information. The audit committee of a board of directors and members of the internal audit team have a major role in ensuring that both the IT organization and IT users are in compliance with organizational guidelines and policies as well as various legal and regulatory practices. Chapter 3 summary: Cyberattacks and Cybersecurity Why are computer incidents so prevalent, and what are their effects? Increasing computing complexity, expanding and changing systems, an increase in the prevalence of BYOD policies, a growing reliance on software with known vulnerabilities, and the increasing sophistication of those who would do harm have caused a dramatic increase in the number, variety, and severity of security incidents. An exploit is an attack on an information system that takes advantage of a particular system vulnerability. Often this attack is due to poor system design or implementation. Many different types of people launch computer attacks, including the black hat hacker, cracker, malicious insider, industrial spy, cybercriminal, hacktivist, and cyberterrorist. Each type has a different motivation. A white hat hacker is someone who has been hired by an organization to test the security of its information systems allowing the organizations to improve its defenses. Ransomware, viruses, worms, Trojan horses, logic bombs, blended threats, spam, DDoS attacks, rootkits, advanced persistent threats, phishing, spear phishing, smishing, vishing, cyberespionage, and cyberterrorism are among the most common computer exploits. The DHS has the responsibility to provide for a “safer, more secure America, which is resilient against terrorism and other potential threats.” The agency's Office of Cybersecurity and Communications is responsible for enhancing the security, resilience, and reliability of U.S. cyber and communications infrastructure. The US-CERT is a partnership between DHS and the public and private sectors that was established to protect the nation's Internet infrastructure against cyberattacks by serving as a clearinghouse for information on new viruses, worms, and other computer security topics. Over the years, several laws have been enacted to prosecute those responsible for computer-related crime, including the Computer Fraud and Abuse Act, the Fraud and Related Activity in Connection with Access Devices Statute, the Stored Wire and Electronic Communications and Transactional Records Access Statutes, and the USA Patriot Act. What can be done to implement a strong security program to prevent cyberattacks? The IT security practices of organizations worldwide must be focused on ensuring confidentiality, maintaining integrity, and guaranteeing the availability of their systems and data. Confidentiality, integrity, and availability are referred to as the CIA security triad. An organization's security strategy must include security measures that are planned for, designed, implemented, tested, and maintained at the organization, network, application, and end-user levels. Every organization needs a risk-based strategy with an active governance process to minimize the potential impact of any security incident and to ensure business continuity in the event of a cyberattack. Key elements of such a strategy include a risk assessment to identify and prioritize the threats that the organization faces, a well-defined disaster recovery plan that ensures the availability of key data and information technology assets, definition of security policies needed to guide employees to follow recommended processes and practices to avoid security-related problems, periodic security audits to ensure that individuals are following established policies and to assess if the policies are still adequate even under changing conditions, compliance standards defined by external parties, and use of a security dashboard to help track the key performance indicators of their security strategy. The concept of reasonable assurance in connection with IT security recognizes that managers must use their judgment to ensure that the cost of control does not exceed the system's benefits or the risks involved. Authentication methods, a firewall, routers, encryption, proxy servers, VPN, and an IDS are key elements of the network security layer. Authentication methods, user roles and accounts, and data encryption are key elements of the application security layer. Security education, authentication methods, antivirus software, and data encryption are key elements of the end-user security layer. What actions must be taken in the event of a successful security intrusion? No security system is perfect, so systems and procedures must be monitored to detect a possible intrusion. A response plan should be developed well in advance of any incident and be approved by both the organization's legal department and senior management. The response plan should address notification, evidence protection, activity log maintenance, containment, eradication, and follow-up. Organizations must implement fixes against well-known vulnerabilities and conduct periodic IT security audits. Many organizations outsource their network security operations to a MSSP, which is a company that monitors, manages, and maintains computer and network security for other organizations. Organizations must be knowledgeable of and have access to trained experts in computer forensics to identify, collect, examine, and preserve data from computer systems, networks, and storage devices in a manner that preserves the integrity of the data gathered so that it is admissible as evidence in a court of law. Chapter 4 summary: Privacy What is the right of privacy, and what is the basis for protecting personal privacy under the law? The right of privacy is “the right to be left alone—the most comprehensive of rights, and the right most valued by a free people.” Information privacy is the combination of communications privacy (the ability to communicate with others without those communications being monitored by other persons or organizations) and data privacy (the ability to limit access to one's personal data by other individuals and organizations in order to exercise a substantial degree of control over that data and its use). The use of information technology in business requires balancing the needs of those who use the information that is collected against the rights and desires of the people whose information is being used. A combination of approaches—new laws, technical solutions, and privacy policies—is required to balance the scales. The Fourth Amendment reads, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” The courts have ruled that without a reasonable expectation of privacy, there is no privacy right to protect. Today, in addition to protection from government intrusion, people want and need privacy protection from private industry. For many, the existing hodgepodge of privacy laws and practices fails to provide adequate protection and fuels a sense of distrust and skepticism, and concerns over identity theft. What are some of the laws that provide protection for the privacy of personal data, and what are some of the associated ethical issues? Few laws provide privacy protection from private industry and there is no single, overarching national data privacy policy for the United States. The Fair Credit Reporting Act regulates operations of credit reporting bureaus. The Right to Financial Privacy Act protects the financial records of financial institution customers from unauthorized scrutiny by the federal government. The GLBA established mandatory guidelines for the collection and disclosure of personal financial information by financial institutions; requires financial institutions to document their data security plans; and encourages institutions to implement safeguards against pretexting. The Fair and Accurate Credit Transaction Act allows consumers to request and obtain a free credit report each year from each of the three consumer credit reporting agencies. The HIPAA defined numerous standards to improve the portability and continuity of health insurance coverage; reduce fraud, waste, and abuse in health insurance care and healthcare delivery; and simplify the administration of health insurance. The American Recovery and Reinvestment Act included strong privacy provisions for EHRs, including banning the sale of health information, promoting the use of audit trails and encryption, and providing rights of access for patients. It also mandated that each individual whose health information has been exposed be notified within 60 days after discovery of a data breach. The FERPA provides students and their parents with specific rights regarding the release of student records. The COPPA requires websites that cater to children to offer comprehensive privacy policies, notify parents or guardians about their data collection practices, and receive parental consent before collecting any personal information from children under the age of 13. Title III of the Omnibus Crime Control and Safe Streets Act (also known as the Wiretap Act) regulates the interception of wire (telephone) and oral communications. The FISA describes procedures for the electronic surveillance and collection of foreign intelligence information between foreign powers and agents of foreign powers. Executive Order 12333 identifies the various government intelligence-gathering agencies and defines what information can be collected, retained, and disseminated by the agencies. It allows for the tangential collection of U.S. citizen data—even when those citizens are not specifically targeted. The ECPA deals with the protection of communications while in transit from sender to receiver; the protection of communications held in electronic storage; and the prohibition of devices from recording dialing, routing, addressing, and signaling information without a search warrant. The CALEA requires the telecommunications industry to build tools into its products that federal investigators can use—after gaining a court order—to eavesdrop on conversations and intercept electronic communications. The USA PATRIOT Act modified 15 existing statutes and gave sweeping new powers both to domestic law enforcement and to international intelligence agencies, including increasing the ability of law enforcement agencies to eavesdrop on telephone communication, intercept email messages, and search medical, financial, and other records; the act also eased restrictions on foreign intelligence gathering in the United States. The Foreign Intelligence Surveillance Act Amendments Act of 2004 authorized intelligence gathering on individuals not affiliated with any known terrorist organization (so-called lone wolves). The Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 granted the NSA expanded authority to collect, without court-approved warrants, international communications as they flow through the U.S. telecommunications equipment and facilities. The PATRIOT Sunsets Extension Act granted a four-year extension of provisions of the USA PATRIOT Act that allowed roving wiretaps and searches of business records. It also extended authorization intelligence gathering on “lone wolves.” USA Freedom Act terminated the bulk collection of telephone metadata by the NSA instead requiring telecommunications carriers to hold the data and respond to NSA queries for data. The act also restored authorization for roving wiretaps and the tracking of lone wolf terrorists. “Fair information practices” is a term for a set of guidelines that govern the collection and use of personal data. Various organizations as well as countries have developed their own set of such guidelines and call them by different names. The OECD for the Protection of Privacy and Transborder Data Flows of Personal Data created a set of fair information practices that are often held up as the model for organizations to adopt for the ethical treatment of consumer data. The European Union Data Protection Directive requires member countries to ensure that data transferred to non-EU countries is protected. It also bars the export of data to countries that do not have data privacy protection standards comparable to those of the EU. After the passage of this directive, the EU and the United States worked out an agreement that allowed U.S. companies that were certified as meeting certain “safe harbor” principles to process and store data of European consumers and companies. The European–United States Privacy Shield Data Transfer Program Guidelines is a stopgap measure that allows businesses to transfer personal data about European citizens to the United States. The guidelines were established after the European Court of Justice declared invalid the Safe Harbor agreement between the EU and the United States. The GDPR takes effect in May 2018 and addresses the export of personal data outside the EU enabling citizens to see and correct their personal data, standardizing data privacy regulations within the EU, and establishing substantial penalties for violation of its guidelines. The FOIA grants citizens the right to access certain information and records of the federal government upon request. The Privacy Act prohibits U.S. government agencies from concealing the existence of any personal data record-keeping system. What are the various strategies for consumer profiling, and what are the associated ethical issues? Companies use many different methods to collect personal data about visitors to their websites, including depositing cookies on visitors' hard drives. Consumer data privacy has become a major marketing issue— companies that cannot protect or do not respect customer information have lost business and have become defendants in class actions stemming from privacy violations. A data breach is the unintended release of sensitive data or the access of sensitive data (e.g., credit card numbers, health insurance member ids, and Social Security numbers) by unauthorized individuals. The increasing number of data breaches is alarming, as is the lack of initiative by some companies in informing the people whose data are stolen. A number of states have passed data breach notifications laws that require companies to notify affected customers on a timely basis. What is e-discovery, and how is it being used? Discovery is part of the pretrial phase of a lawsuit in which each party can obtain evidence from the other party by various means, including requests for the production of documents. E-discovery is the collection, preparation, review, and production of electronically stored information for use in criminal and civil actions and proceedings. Predictive coding is a process that couples human intelligence with computer-driven concept searching in order to “train” document review software to recognize relevant documents within a document universe. Why and how are employers increasingly using workplace monitoring? Many organizations have developed IT usage policies to protect against employee abuses that can reduce worker productivity and expose employers to harassment lawsuits. About 80 percent of U.S. firms record and review employee communications and activities on the job, including phone calls, email, web surfing, and computer files. The use of fitness trackers in the workplace has opened up potential new legal and ethical issues. What are the capabilities of advanced surveillance technologies, and what ethical issues do they raise? Surveillance cameras are used in major cities around the world to deter crime and terrorist activities. Critics believe that such security is a violation of civil liberties. An EDR is a device that records vehicle and occupant data for a few seconds before, during, and after any vehicle crash that is severe enough to deploy the vehicle's air bags. The fact that most cars now come equipped with an EDR and that the data from this device may be used as evidence in a court of law is not broadly known by the public. Stalking apps can be downloaded onto a person's cell phone, making it possible to perform location tracking, record calls and conversations, view every text and photograph sent or received, and record the URLs of any website visited on that phone. Chapter 5: Freedom of Expression What is the basis for the protection of freedom of expression in the United States, and what types of expressions are not protected under the law? The First Amendment protects Americans’ rights to freedom of religion, freedom of expression, and freedom to assemble peaceably. The Supreme Court has ruled that the First Amendment also protects the right to speak anonymously. Obscene speech, defamation, incitement of panic, incitement to crime, “fighting words,” and sedition are not protected by the First Amendment and may be forbidden by the government. What are some key federal laws that affect online freedom of expression, and how do they impact organizations? Although there are clear and convincing arguments to support freedom of speech on the Internet, the issue is complicated by the ease with which children can use the Internet to gain access to material that many parents and others feel is inappropriate for children. The conundrum is that it is difficult to restrict children’s Internet access without also restricting adults’ access. The U.S. government has passed several laws to attempt to address this issue, including the Communications Decency Act (CDA), which is aimed at protecting children from online pornography, and the Child Online Protection Act (COPA), which prohibits making harmful material available to minors via the Internet. Both laws were ultimately ruled largely unconstitutional. However, Section 230 of the CDA, which was not ruled unconstitutional, provides immunity from defamation charges to ISPs that publish user-generated content, as long as they do not also serve as a content provider. Software manufacturers have developed Internet filters, which are designed to block access to objectionable material through a combination of URL, keyword, and dynamic content filtering. The Children’s Internet Protection Act (CIPA) requires federally financed schools and libraries to use filters to block computer access to any material considered harmful to minors. In United States v. American Library Association, Inc., the American Library Association challenged CIPA. Ultimately in that case, the Supreme Court made it clear that the constitutionality of government-mandated filtering schemes depends on adult patrons’ ability to request and receive unrestricted access to protected speech. The Digital Millennium Copyright Act (DMCA) addresses a number of copyright-related issues, with Title II of the act providing limitations on the liability of an ISP for copyright infringement. What important freedom of expression issues relate to the use of information technology? Internet censorship is the control or suppression of the publishing or accessing of information on the Internet. There are many forms of Internet censorship. Many countries practice some form of Internet censorship. A SLAPP (strategic lawsuit against public participation) is a lawsuit filed by corporations, government officials, and others against citizens and community groups who oppose them on matters of concern. Anti-SLAPP laws are designed to reduce frivolous SLAPPs. As of 2015, 28 states and the District of Columbia have put into effect anti-SLAPP legislation to protect people who are the target of a SLAPP. Anonymous expression is the expression of opinions by people who do not reveal their identity. The freedom to express an opinion without fear of reprisal is an important right of a democratic society. Anonymity is even more important in countries that don’t allow free speech. Maintaining anonymity on the Internet is important to some computer users. Such users sometimes use an anonymous remailer service, which strips the originating header and/or IP address from the message and then forwards the message to its intended recipient. Doxing involves doing research on the Internet to obtain someone’s private personal information (such as home address, email address, phone numbers, and place of employment) and even private electronic documents (such as photographs), and then posting that information online without permission. Many businesses monitor the web for the public expression of opinions that might hurt their reputations. They also try to guard against the public sharing of company confidential information. Organizations may file a John Doe lawsuit to enable them to gain subpoena power in an effort to learn the identity of anonymous Internet users who they believe have caused some form of harm to the organization through their postings. In the United States, speech that is merely annoying, critical, demeaning, or offensive enjoys protection under the First Amendment. Legal recourse is possible only when hate speech turns into clear threats and intimidation against specific citizens. Some ISPs and social networking sites have voluntarily agreed to prohibit their subscribers and members from sending hate messages using their services. Because such prohibitions can be included in the service contracts between a private ISP and its subscribers or a social networking site and it members—and do not involve the federal government—they do not violate subscribers’ First Amendment rights. Many adults, including some free-speech advocates, believe there is nothing illegal or wrong about purchasing adult pornographic material made by and for consenting adults. However, organizations must be very careful when dealing with pornography in the workplace. As long as companies can show that they were taking reasonable steps to prevent pornography, they have a valid defense if they are subject to a sexual harassment lawsuit. Reasonable steps include establishing a computer usage policy that prohibits access to pornography sites, identifying those who violate the policy, and taking action against those users— regardless of how embarrassing it is for the users or how harmful it might be for the company. Sexting—sending sexual messages, nude or seminude photos, or sexually explicit videos over a cell phone—is a fast-growing trend that can lead to many problems for both senders and receivers. The Controlling the Assault of Non Solicited Pornography and Marketing (CAN-SPAM) Act specifies requirements that commercial emailers must follow when sending out messages that advertise a commercial product or service. The CAN-SPAM Act is also sometimes used in the fight against the dissemination of pornography. The proliferation of online sources of information and opinion means that the Internet is full of “news” accounts that are, in fact, highly opinionated, fictionalized, or satirical accounts of current events presented in journalistic style. Chapter 6 summary: Intellectual property What does the term intellectual property encompass, and what measures can organizations take to protect their intellectual property? Intellectual property is a term used to describe works of the mind—such as art, books, films, formulas, inventions, music, and processes—that are distinct and owned or created by a single person or group. Copyrights, patents, trademarks, and trade secrets form a complex body of law relating to the ownership of intellectual property, which represents a large and valuable asset to most companies. If these assets are not protected, other companies can copy or steal them, resulting in significant loss of revenue and competitive advantage. A copyright is the exclusive right to distribute, display, perform, or reproduce an original work in copies; to prepare derivative works based on the work; to and grant these exclusive rights to others. Copyright infringement is a violation of the rights secured by the owner of a copyright. Infringement occurs when someone copies a substantial and material part of another’s copyrighted work without permission. Copyright law has proven to be extremely flexible in covering new technologies, including software, video games, multimedia works, and web pages. However, evaluating the originality of a work can be difficult and disagreements over whether or not a work is original sometimes lead to litigation. Copyrights provide less protection for software than patents; software that produces the same result in a slightly different way may not infringe a copyright if no copying occurred. The fair use doctrine established four factors for courts to consider when deciding whether a particular use of copyrighted property is fair and can be allowed without penalty: (1) the purpose and character of the use, (2) the nature of the copyrighted work, (3) the portion of the copyrighted work used, and (4) the effect of the use on the value of the copyrighted work. The use of copyright to protect computer software raises many complicated issues of interpretation of what constitutes infringement. The Prioritizing Resources and Organization for Intellectual Property (PRO-IP) Act of 2008 increased trademark and copyright enforcement; it also substantially increased penalties for infringement. The original General Agreement on Tariffs and Trade (GATT), signed in 1993, created the World Trade Organization (WTO) in Geneva, Switzerland, to enforce compliance with the agreement. GATT includes a section covering copyrights called the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS). The WTO is a global organization that deals with rules of international trade based on WTO agreements that are negotiated and signed by representatives of the world’s trading nations The goal of the WTO is to help producers of goods and services, exporters, and importers conduct their business. The World Intellectual Property Organization (WIPO) is an agency of the United Nations dedicated to “the use of intellectual property as a means to stimulate innovation and creativity.” The Digital Millennium Copyright Act (DMCA), which was signed into law in 1998, implements two WIPO treaties in the United States. The DMCA also makes it illegal to circumvent a technical protection or develop and provide tools that allow others to access a technologically protected work. In addition, the DMCA limits the liability of Internet service providers for copyright infringement by their subscribers or customers. Some view the DMCA as a boon to the growth of the Internet and its use as a conduit for innovation and freedom of expression. Others believe that the DMCA has given excessive powers to copyright holders. A patent is a grant of property right issued by the U.S. Patent and Trademark Office (USPTO) to an inventor that permits its owner to exclude the public from making, using, or selling a protected invention, and it allows for legal action against violators. A patent prevents copying as well as independent creation (which is allowable under copyright law). For an invention to be eligible for a patent, it must fall into one of three statutory classes of items that can be patented: (1) it must be useful, (2) it must be novel, and (3) it must not be obvious to a person having ordinary skill in the same field. A utility patent is “issued for the invention of a new and useful process, machine, manufacture, or composition of matter, or a new and useful improvement thereof.” A design patent, which is “issued for a new, original, and ornamental design embodied in or applied to an article of manufacture,” permits its owner to exclude others from making, using, or selling the design in question. Unlike copyright infringement, for which monetary penalties are limited to certain specified dollar amounts, if the court determines that a patent has been intentionally infringed, it can award up to triple the amount of the damages claimed by the patent holder. The Leahy-Smith America Invents Act changed the U.S. patent system from a “first-to-invent” to a “first-inventor-to file” system and expanded the definition of prior art, which is used to determine the novelty of an invention and whether it can be patented. The act made it more difficult to obtain a patent in the United States. The courts and the U.S. Patent and Trademark Office (USPTO) have changed their attitudes and opinions of the patenting of software over the years. To qualify as a trade secret, information must have economic value and must not be readily ascertainable. In addition, the trade secret’s owner must have taken steps to maintain its secrecy. Trade secret laws do not prevent someone from using the same idea if it was developed independently or from analyzing an end product to figure out the trade secret behind it. Trade secrets are protected by the Uniform Trade Secrets Act, the Economic Espionage Act, and the Defend Trade Secrets Act, which amended the Economic Espionage Act to create a federal civil remedy for trade secret misappropriation. Trade secret law has three key advantages over the use of patents and copyrights in protecting companies from losing control of their intellectual property: (1) There are no time limitations on the protection of trade secrets, unlike patents and copyrights; (2) there is no need to file any application or otherwise disclose a trade secret to outsiders to gain protection; and (3) there is no risk that a trade secret might be found invalid in court. Because organizations can risk losing trade secrets when key employees leave, they often try to prohibit employees from revealing secrets by adding nondisclosure clauses to employment contracts. Employers can also use noncompete agreements to protect intellectual property from being used by competitors when key employees leave. A noncompete agreement prohibits an employee from working for any competitors for a period of time, often one to two years. What are some of the current issues associated with the protection of intellectual property? Plagiarism is the act of stealing someone’s ideas or words and passing them off as one’s own. Plagiarism detection systems enable people to check the originality of documents and manuscripts. Reverse engineering is the process of breaking something down in order to understand it, build a copy of it, or improve it. It was originally applied to computer hardware but is now commonly applied to software. In some situations, reverse engineering might be considered unethical because it enables access to information that another organization may have copyrighted or classified as a trade secret. Recent court rulings and software license agreements that forbid reverse engineering, as well as restrictions in the DMCA, have made reverse engineering a riskier proposition in the United States. Open source code is any program whose source code is made available for use or modification, as users or other developers see fit. The basic premise behind open source code is that when many programmers can read, redistribute, and modify it, the software improves. Open source code can be adapted to meet new needs, and bugs can be rapidly identified and fixed. Competitive intelligence is legally obtained information that is gathered to help a company gain an advantage over its rivals. It is not the same as industrial espionage, which is the use of illegal means to obtain business information that is not readily available to the general public. In the United States, industrial espionage is a serious crime that carries heavy penalties. Competitive intelligence analysts must take care to avoid unethical or illegal behavior, including lying, misrepresentation, theft, bribery, or eavesdropping with illegal devices. A trademark is a logo, package design, phrase, sound, or word that enables a consumer to differentiate one company’s products from another’s. Website owners who sell trademarked goods or services must take care to ensure they are not sued for trademark infringement. Cybersquatters register domain names for famous trademarks or company names to which they have no connection, with the hope that the trademark’s owner will eventually buy the domain name for a large sum of money. The main tactic organizations use to circumvent cybersquatting is to protect a trademark by registering numerous domain names and variations as soon as they know they want to develop a web presence. Chapter 7 Summary: Ethical Decisions in Software Development What is meant by software quality, why is it so important, and what potential ethical issues do software manufacturers face when making decisions that involve trade-offs between project schedules, project costs, and software quality? High-quality software systems are easy to learn and use. They perform quickly and efficiently to meet their users’ needs, operate safely and reliably, and have a high degree of availability that keeps unexpected downtime to a minimum. High-quality software has long been required to support the fields of air traffic control, nuclear power, automobile safety, health care, military and defense, and space exploration. Computers and software are integral parts of almost every business, and the demand for high-quality software is increasing. End users cannot afford system crashes, lost work, or lower productivity. Nor can they tolerate security holes through which intruders can spread viruses, steal data, or shut down websites. A software defect is any error that, if not removed, could cause a software system to fail to meet its users’ needs. Software quality is the degree to which a software product meets the needs of its users. Quality management focuses on defining, measuring, and refining the quality of the development process and the products developed during its various stages. Software developers are under extreme pressure to reduce the time to market of their products. They are driven by the need to beat the competition in delivering new functionality to users, to begin generating revenue to recover the cost of development, and to show a profit for shareholders. The resources and time needed to ensure quality are often cut under the intense pressure to ship a new software product. When forced to choose between adding more user features and doing more testing, many software companies decide in favor of more features. A business information system is a set of interrelated components—including hardware, software, databases, networks, people, and procedures—that collects and processes data and disseminates the output. Software product liability claims are typically based on strict liability, negligence, breach of warranty, or misrepresentation— sometimes in combination. Strict liability means that the defendant is held responsible for injuring another person regardless of negligence or intent. A warranty assures buyers or lessees that a product meets certain standards of quality and may be either expressly stated or implied by law. If the product fails to meet the terms of its warranty, the buyer or lessee can sue for breach of warranty. What are some effective strategies for developing quality systems? A software development methodology is a standard, proven work process that enables systems analysts, programmers, project managers, and others to make controlled and orderly progress in developing high-quality software. Software methodologies define the activities in the software development process as well as the individual and group responsibilities for accomplishing objectives, recommend specific techniques for accomplishing the objectives, and offer guidelines for managing the quality of the products during the various stages of the development cycle. The waterfall system development model is a sequential, multistage system development process in which development of the next stage of the system cannot begin until the results of the current stage are approved or modified as necessary. Under the agile development methodology, a system is developed in iterations (often called sprints), lasting from one to four weeks. Agile development, which accepts the fact that system requirements are evolving and cannot be fully understood or defined at the start of the project, concentrates on maximizing the team’s ability to deliver quickly and respond to emerging requirements. Using an effective development methodology enables a manufacturer to produce high-quality software, forecast project-completion milestones, and reduce the overall cost to develop and support software. An effective development methodology can also help protect software manufacturers from legal liability for defective software in two ways: by reducing the number of software errors that could cause damage and by making negligence more difficult to prove. The cost to identify and remove a defect in the early stages of software development can be up to 100 times less than removing a defect in a piece of software that has been distributed to customers. Quality assurance (QA) refers to methods within the development process that are designed to guarantee reliable operation of a product. Ideally, these methods are applied at each stage of the development cycle. There are several tests employed in software development including black-box and white-box dynamic testing, static testing, unit testing, integration testing, system testing, and user acceptance testing. Capability Maturity Model Integration (CMMI) models are collections of best practices that help organizations improve their processes. A best practice is a method or technique that has consistently shown results superior to those achieved with other means, and that is used as a benchmark within a particular industry. CMMI-Development (CMMI-DEV)—is frequently used to assess and improve software development practices. CMMI defines five levels of software development maturity: initial, managed, defined, quantitatively managed, and optimizing. CMMI identifies the issues that are most critical to software quality and process improvement. Its use can improve an organization’s ability to predict and control quality, schedule, costs, and productivity when acquiring, building, or enhancing software systems. CMMI also helps software engineers analyze, predict, and control selected properties of software systems. A safety-critical system is one whose failure may cause human injury or death. In the development of safety-critical systems, a key assumption is that safety will not automatically result from following an organization’s standard software development methodology. Safety-critical software must go through a much more rigorous and time-consuming development and testing process than other kinds of software; the appointment of a project safety engineer and the use of a hazard log and risk analysis are common in the development of safety-critical software. Risk is the potential of gaining or losing something of value. Risk can be quantified by three elements: a risk event, the probability of the event happening, and the impact (positive or negative) on the business outcome if the risk does actually occur. The annualized rate of occurrence (ARO) is an estimate of the probability that an event will occur over the course of a year. The single loss expectancy (SLE) is the estimated loss that would be incurred if the event happens. The annualized loss expectancy (ALE) is the estimated loss from this risk over the course of a year. The following equation is used to calculate the annual loss expectancy: ARO × SLE = ALE. Risk management is the process of identifying, monitoring, and limiting risks to a level that an organization is willing to accept. Reliability is a measure of the rate of failure in a system that would render it unusable over its expected lifetime. The International Organization for Standardization (ISO) issued its 9000 series of business management standards in 1988. These standards require organizations to develop formal quality management systems that focus on identifying and meeting the needs, desires, and expectations of their customers. The ISO 9001 family of standards serves as a guide to quality products, services, and management; it provides a set of standardized requirements for a quality management system. Many businesses and government agencies specify that a vendor must be ISO 9001 certified to win a contract from them. Failure mode and effects analysis (FMEA) is an important technique used to develop ISO 9001–compliant quality systems. FMEA is used to evaluate reliability and determine the effects of system and equipment failures. Chapter 8 summary: The Impact of Information Technology on Society What is the relationship between IT investment and productivity growth in the United States? The most widely used measurement of the material standard of living is gross domestic product (GDP) per capita. In the United States, as in most developed nations, the standard of living has been improving over time. However, its rate of change varies as a result of business cycles that affect prices, wages, employment levels, and the production of goods and services. Labor productivity is a measure of the economic performance that compares the amount of goods and services produced with the number of labor hours used in producing those goods and services. Most countries have been able to produce more goods and services over time—not through a proportional increase in labor but rather by making production more efficient. These gains in productivity have led to increases in the GDP-based standard of living because the average hour of labor produced more goods and services. Innovation is a key factor in productivity improvement, and IT has played an important role in enabling innovation. Organizations use IT, other new technology, and capital investment to implement innovations in products, processes, and services. It can be difficult to quantify the benefits of IT investments on worker productivity because there can be a considerable lag between the application of innovative IT solutions and the capture of significant productivity gains. In addition, many factors other than IT influence worker productivity rates. How will artificial intelligence, machine learning, robotics, and natural language processing affect the future workforce? Advances in artificial intelligence, machine learning, robotics, and natural language processing are fundamentally changing the way work gets done and have the potential to affect the tasks, roles, and responsibilities of most workers. Almost every job has partial automation potential and research suggests that 45 percent of human work activities could be automated using existing technology. It is likely to take decades for automation to achieve anywhere near its full potential. Artificial intelligence systems can simulate human intelligence processes, including learning, reasoning, and self-correction. Machine learning, a type of artificial intelligence (AI), involves computer programs that can learn some task and improve their performance with experience. Robotics is a branch of engineering that involves the development and manufacture of mechanical or computer devices that can perform tasks that require a high degree of precision or that are tedious or hazardous for human beings. Natural language processing is an aspect of artificial intelligence that involves technology that allows computers to understand, analyze, manipulate, and/or generate “natural languages” such as English. What impact has the application of IT had on health care? Healthcare costs in the United States are expected to increase an average of 5.6 percent per year from 2016 to 2025. Much of this increase is due to the continued aging of the population, government policy, and life style changes, and to a lesser extent the development and use of new medical technology. In order for the United States to rein in healthcare spending, patient awareness must be raised and technology costs must be managed more carefully. An electronic medical record (EMR) is a collection of health- related information on an individual that is created, managed, and consulted by authorized clinicians and staff within a single healthcare organization. The information in an EMR is not easily shared with others outside of the healthcare organization where the data originated. An electronic health record (EHR) is a comprehensive view of the patient’s complete medical history designed to be shared with authorized providers and staff from more than one organization. Health information exchange (HIE) is the process of sharing patient-level electronic health information between different organizations. HIE can result in more cost-effective and higher- quality care. A personal health record (PHR) includes those portions of the EHR that an individual patient “owns” and controls such as personal identifiers, contact information, health provider information, problem list, medication history, allergies, immunizations, and lab and test results. Clinical decision support (CDS) is a process and a set of tools designed to enhance health-related decision making through the use of clinical knowledge and patient-specific information to improve healthcare delivery. Effective use of CDS systems increases the quality of patient care while at the same time cutting costs. A computerized provider order entry (CPOE) system enables physicians to place orders (for drugs, laboratory tests, radiology, physical therapy) electronically with the orders transmitted directly to the recipient. CPOE streamlines the ordering process. Telehealth employs modern telecommunications and information technologies to provide medical care to people who live or work far away from healthcare providers, provide professional and patient health related training, and support healthcare administration. Telemedicine is the component of telehealth that provides medical care to people at a location different from the healthcare providers. Telemedicine helps reduce the need for patients to travel for treatment and allows healthcare professionals to serve more patients in a broader geographic area. Store-and-forward telemedicine involves acquiring data, sound, images, and video from a patient and then transmitting everything to a medical specialist for later evaluation. Chapter 9 summary: Social Media How do individuals use social networks, and what are some practical business uses of social networking and other social media tools? Social media are web-based communication channels and tools that enable people to interact with each other by creating online communities where they can share information, ideas, messages, and other content, including images, audio, and video. A social networking platform creates an online community of Internet users that enables members to break down barriers created by time, distance, and cultural differences; such a site allows people to interact with others online by sharing opinions, insights, information, interests, and experiences. The number of Internet users worldwide is approaching 4 billion or roughly half the population. Many organizations employ social networking platforms to advertise, identify and access job candidates, improve customer service, and sell products and services. An increasing number of business-oriented social networking platforms are designed to encourage and support relationships with consumers, clients, potential employees, suppliers, and business partners around the world. Social media marketing involves the use of social networks to communicate and promote the benefits of products and services. Two significant advantages of social media marketing over traditional marketing are that marketers can create a conversation with viewers of their ads and that ads can be targeted to reach people with the desired demographic characteristics. Social media marketing involves the use of social networks to communicate and promote the benefits of products and services. The two primary objectives of social media marketers are raising brand awareness and driving traffic to a website to increase product sales. Organic media marketing employs tools provided by or tailored for a particular social media platform to build a social community and interact with it by sharing posts and responding to customer comments on the organization's blog and social media accounts. Paid media marketing involves paying a third party to broadcast an organization's display ads or sponsored messages to social network users. Two common methods of charging for paid media are cost per thousand impressions and cost per click. Earned media refers to media exposure an organization gets through press and social media mentions, positive online ratings and reviews, tweets and retweets, reposts (or “shares”), recommendations, and so on. Earned social media traffic enables an organization to reach more people without any additional cost. Viral marketing is an approach to social media marketing that encourages individuals to pass along a marketing message to others, thus creating the potential for exponential growth in the message's exposure and influence. Some 60 percent of employers used social media to research job candidates with half of those finding information that gave a negative impression of the candidate. Employers can legally reject a job applicant based on the contents of the individual's social networking profile as long as the company is not violating federal or state discrimination laws. Job seeking candidates should review their presence on social media and remove photos and postings that portray them in a potentially negative light. Many jobseekers delete their social media accounts altogether. Increasingly, consumers are using social networks to share their experiences, both good and bad, with others. Because of this, many organizations actively monitor social media networks as a means of improving customer service, retaining customers, and increasing sales. A social shopping platform brings shoppers and sellers together in a social networking environment in which members share information and make recommendations while shopping online. What are some of the key ethical issues associated with the use of social networks and other social media? Cyberabuse is any form of mistreatment or lack of care, both physical and mental, based on the use of an electronic communications device that causes harm and distress to others. Nearly three-quarters of U.S. Internet users have witnessed online harassment or abuse and almost half have personally experienced it. Cyberharassment is a form of cyberabuse in which the abusive behavior, which involves the use of an electronic communications device, is degrading, humiliating, hurtful, insulting, intimidating, malicious, or otherwise offensive to an individual or group of individuals causing substantial emotional distress. Cyberstalking is also a form of cyberabuse that consists of a long-term pattern of unwanted persistent pursuit and intrusive behavior (involving the use of an electronic communications device) that is directed by one person against another that causes fear and distress in the victim. The National Center for Victims of Crime offers tips on how to combat cyberstalking. The 1994 Jacob Wetterling Crimes Against Children and Sexually Violent Offender Registration Act set requirements for sex offender registration and notification in the United States. It also that states create websites that provide information on sex offenders within the state. The Sex Offender Registration and Notification Provisions (SORNA) of the Adam Walsh Child Protection and Safety Act of 2006 set national standards that govern which sex offenders must register and what data must be captured. Most social networking platforms have terms of use agreements, a privacy policy, or a content code of conduct that summarizes key legal aspects regarding use of the platform. Typically, the terms state that the platform has the right to delete material and terminate user accounts that violate its policies. These policies can be difficult to enforce. Inappropriate material posted online includes nonconsensual posts that include intimate photos or videos of people without their permission; such posts are often referred to as “revenge porn.” This type of content is often uploaded by ex-partners with an intention to shame, embarrass, and/or harass their former partner. The First Amendment of the U.S. Constitution protects the right of freedom of expression from government interference, however, it does not prohibit free speech interference by private employers. Organizations should put in place a social media policy to avoid legal issues and set clear guidelines and expectations for employees. The increased risk of accidents associated with social media interaction while driving, the tendency of many social media users to become narcissist in their postings, and the ability to perform self-image manipulation are additional social media issues. Chapter 10 summary: Ethics of IT Organizations What key legal and ethical issues are associated with the use of contingent workers, H-1B visa holders, and offshore outsourcing companies? Contingent work is a job situation in which an individual does not have an explicit or implicit contract for long-term employment. Organizations can obtain contingent workers through temporary staffing firms, employee leasing organizations, and professional employment organizations. Temporary staffing firms recruit, train, and test job seekers in a wide range of job categories and skill levels, and then assign them to clients as needed. In employee leasing, the subscribing firm transfers all or part of its workforce to the leasing firm, which handles all human- resource-related activities and costs such as payroll, training, and the administration of employee benefits. The subscribing firm leases these workers, but they remain employees of the leasing firm. A coemployment relationship is one in which two employers have actual or potential legal rights and duties with respect to the same employee or group of employees. A PEO is a business entity that hires the employees of its clients and then assumes all responsibility for all human resource management functions, including administration of benefits. The client company remains responsible for directing and controlling the daily activities of the employees. The client maintains a long-term investment and commitment to the employees, but uses the PEO as a means to outsource the human resource activities. The gig economy refers to a work environment in which temporary positions are common and organizations contract with independent workers for short-term engagements. An independent contractor is an individual who provides services to another individual or organization according to terms defined in a written contract or within a verbal agreement. Organizations that use contingent workers must be extremely careful how they pay and treat these workers, or run the risk of getting dragged into a class action lawsuit over mis- classification of workers. When a firm employs a contingent worker, it does not usually have to provide benefits, can easily adjust the number of workers to meet its business needs, and does not incur training costs. Contingent workers may have a low level of commitment to the company and its projects. The skills and knowledge a contingent worker gains while working for a particular are lost when the worker departs at a project's completion. An H-1B is a temporary work visa granted by the U.S. Citizenship and Immigration Services (USCIS) for people who work in specialty occupations—jobs that require at least a four- year bachelor's degree in a specific field, or equivalent experience. Employers hire H-1B workers to meet critical business needs or to obtain essential technical skills or knowledge that cannot be readily found in the United States. H-1B workers may also be used when there are temporary shortages of needed skills. Congress sets an annual cap on the number of H-1B visas to be granted—although the number of visas issued often varies greatly from this cap due to various exceptions. Companies applying for H-1B visas must offer a wage that is at least 95 percent of the average salary for the occupation. Because wages in the IT field vary substantially, unethical companies can get around the average salary requirement. Companies that employ H-1B workers are required to declare that they will not displace American workers; however, they are exempt from that requirement if 15 percent of more of their workers are on H-1B visas and the H-1B workers are paid at least $60,000 a year. Many U.S. companies complain they have trouble finding enough qualified workers and urge that the cap on visas be raised. Unemployed and displaced IT workers challenge whether the United States needs to continue importing tens of thousands of H-1B workers each year. The number of degrees awarded in the field of computer and information sciences at post-secondary institutions in the United States reached 130,000 in 2015. The Bureau of Labor Statistics has projected an increase of 53,000 new U.S. tech jobs per year from 2014 to 2024. Opinions vary as to whether or not the hiring of H-1B workers affects job opportunities and wages. Outsourcing is a long-term business arrangement in which a company contracts for services with an outside organization that has expertise in providing a specific function. Offshore outsourcing is a form of outsourcing in which the services are provided by an organization whose employees are in a foreign country. Outsourcing and offshore outsourcing are used to meet staffing needs while potentially reducing costs and speeding up project schedules. Many of the same ethical issues that arise when considering whether to hire H-1B and contingent workers apply to outsourcing and offshore outsourcing. Successful offshoring projects require day-to-day interaction between software development and business teams, so it is essential for the hiring company to take a hands-on approach to project management. What is whistle-blowing, and what ethical issues are associated with it? Whistle-blowing is an effort to attract public attention to a negligent, illegal, unethical, abusive, or dangerous act by a company or some other organization. Whistle-blower protection laws allow employees to alert the proper authorities to employer actions that are unethical, illegal, or unsafe, or that violate specific public policies. Unfortunately, no comprehensive federal law protects all whistle-blowers from retaliatory acts. A potential whistle-blower must consider many ethical implications prior to going public with his or her allegations, including whether the high price of whistle-blowing is worth it; whether all other means of dealing with the problem have been exhausted; whether whistle-blowing violates the obligation of loyalty that the employee owes to his or her employer; and whether public exposure of the problem will actually correct its underlying cause and protect others from harm. An effective whistle-blowing process includes the following steps: (1) assess the seriousness of the situation, (2) begin documentation, (3) attempt to address the situation internally, (4) consider escalating the situation within the company, (5) assess the implications of becoming a whistle-blower, (6) use experienced resources to develop an action plan, (7) execute the action plan, and (8) live with the consequences. What is green computing, and what are organizations doing to support this initiative? Green computing is concerned with the efficient and environmentally responsible design, manufacture, operation, and disposal of IT-related products. Green computing has three goals: (1) reduce the use of hazardous material, (2) allow companies to lower their power- related costs, and (3) enable the safe disposal or recycling of computers and computer-related equipment. Electronic Product Environmental Assessment Tool (EPEAT) is a system that enables purchasers to evaluate, compare, and select electronic products based on 51 environmental criteria. The European Union passed the Restriction of Hazardous Substances Directive to restrict the use of many hazardous materials in computer manufacturing, require manufacturers to use at least 65 percent reusable or recyclable components, implement a plan to manage products at the end of their life cycle in an environmentally safe manner, and reduce or eliminate toxic material in their packaging.