Chapter 4 Ethics PDF
Summary
This document covers information ethics, describing principles and standards for behavior toward others. It also discusses business issues related to information ethics, such as intellectual property, copyright, privacy, and confidentiality. The document includes policies related to computer use, internet use, and social media.
Chapter 4 Section 4.1 Ethics

Information Ethics
Ethics - The principles and standards that guide our behavior toward other people.
Information ethics - Govern the ethical and moral issues arising from the development and use of information technologies, as well as the creation, collection, duplication, distribution, and processing of information itself.
Business issues related to information ethics:
○ Intellectual property
○ Copyright
○ Pirated software
○ Counterfeit software
○ Digital rights management
Privacy is a major ethical issue.
Privacy - The right to be left alone when you want to be, to have control over your own personal possessions, and not to be observed without your consent.
Confidentiality - The assurance that messages and information are available only to those who are authorized to view them.
INFORMATION DOES NOT HAVE ETHICS, PEOPLE DO.
Tools to prevent information misuse:
○ Information management
○ Information governance
○ Information compliance
○ Information secrecy
○ Information property

OVERVIEW OF EPOLICIES
Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement.
Epolicies - Policies and procedures that address information management, along with the ethical use of computers and the internet in the business environment.
Ethical computer use policy - Contains general principles to guide computer user behavior. The policy ensures that all users are informed of the rules and, by agreeing to use the system, consent to abide by them.
Information privacy policy - Contains general principles regarding information privacy.
Acceptable use policy (AUP) - Requires a user to agree to follow it to be provided access to corporate email, information systems, and the internet.
Nonrepudiation - A contractual stipulation to ensure that ebusiness participants do not deny their online actions.
Internet use policy - Contains general principles to guide the proper use of the internet.
Email privacy policy - Details the extent to which email messages may be read by others.
Social media policy - Outlines the corporate guidelines or principles governing employee online communications.

Ethical Computer Use Policy
Click-fraud - The abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser.
Competitive click-fraud - A computer crime in which a competitor or disgruntled employee increases a company's search advertising costs by repeatedly clicking the advertiser's link.
Cyberbullying - Includes threats, negative remarks, or defamatory comments transmitted through the internet or posted on a website.
Threat - An act or object that poses a danger to assets.
Bring your own device (BYOD) policy - Allows employees to use their personal mobile devices and computers to access enterprise data and applications.
BYOD policies offer four basic options:
○ Unlimited access for personal devices
○ Access only to nonsensitive systems and data
○ Access, but with IT control over personal devices, apps, and stored data
○ Access, but preventing local storage of data on personal devices

Information Privacy Policy
Information privacy policy - Contains general principles regarding information privacy.
Fair information practices (FIPs) - A general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy.
General Data Protection Regulation (GDPR) - A legal framework that sets guidelines for the collection and processing of personal information of individuals within the EU.

Acceptable Use Policy
Acceptable use policy - Requires a user to agree to follow it to be provided access to corporate email, information systems, and the internet.
Nonrepudiation - A contractual stipulation to ensure that ebusiness participants do not deny their online actions.
Users agree to the following in a typical acceptable use policy:
○ Not using the service as part of violating any law
○ Not attempting to break the security of any computer network or user
○ Not posting commercial messages to groups without prior permission
○ Not repudiating (denying) their own online actions, i.e., accepting the nonrepudiation stipulation above

Internet Use Policy
Internet use policy - Contains general principles to guide the proper use of the internet.
○ Because internet users can expend large amounts of computing resources, it is essential for such use to be legitimate. In addition, the internet contains numerous materials that some believe are offensive, making regulation in the workplace a requirement.
○ Generally, an internet use policy:
   Describes the internet services available to users.
   Defines the organization's position on the purpose of internet access and what restrictions, if any, are placed on that access.
   Describes user responsibility for citing sources, properly handling offensive material, and protecting the organization's good name.
   States the ramifications if the policy is violated.
○ Unacceptable internet use:
   Cybervandalism - The electronic defacing of an existing website.
   Typosquatting - Occurs when someone registers purposely misspelled variations of well-known domain names. These variants lure consumers who make typographical errors when entering a URL.
   Website name stealing - The theft of a website's name, which occurs when someone, posing as the site's administrator, changes the ownership of the domain name assigned to the website owner.
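The typosquatting item above describes the attacker's move (register a misspelling and wait for fat fingers). The defender's counterpart is to generate the same misspellings in advance and watch for them being registered. The following is an added example, not code from the chapter: it enumerates omission, transposition, doubling, adjacent-key, look-alike-character and TLD-swap variants of a legitimate domain and matches them against a list of observed names. The brand name "example.com", the observed list, the QWERTY neighbour table and the homoglyph table are constructed assumptions for the demonstration; in practice the observed names would come from a certificate-transparency or zone-file feed.

```python
"""Typosquatting candidate generator (added example, not the chapter's code)."""

# Adjacent keys on a US QWERTY layout, for "fat-finger" substitutions (assumption).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qes", "e": "wrd", "r": "etf", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "o",
    "a": "qsz", "s": "awdz", "d": "sefx", "f": "drgc", "g": "fthv",
    "h": "gyjb", "j": "hukn", "k": "jilm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}

# A few characters that look alike at a glance (constructed subset).
HOMOGLYPHS = {"l": "1", "o": "0", "i": "1", "s": "5"}

# Typo-prone alternatives to the real TLD (assumption).
TLD_SWAPS = ("co", "cm", "om", "net", "org")


def typo_candidates(domain: str) -> set:
    """Return plausible squat names for `domain`, given as label.tld."""
    label, _, tld = domain.lower().rpartition(".")
    n = len(label)
    variants = set()
    for i in range(n):                       # omission:      exmple
        variants.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                   # transposition: exmaple
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                       # doubling:      exaample
        variants.add(label[:i + 1] + label[i] + label[i + 1:])
    for i, ch in enumerate(label):           # neighbour key: ezample
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            variants.add(label[:i] + nb + label[i + 1:])
    for i, ch in enumerate(label):           # homoglyph:     examp1e
        for hg in HOMOGLYPHS.get(ch, ""):
            variants.add(label[:i] + hg + label[i + 1:])
    variants.discard(label)                  # never list the real name
    candidates = {f"{v}.{tld}" for v in variants if v}
    for alt in TLD_SWAPS:                    # TLD swap:      example.co
        if alt != tld:
            candidates.add(f"{label}.{alt}")
    return candidates


def find_squats(domain: str, observed) -> list:
    """Observed names that match a typo candidate, sorted for stable output."""
    candidates = typo_candidates(domain)
    return sorted(name.lower() for name in observed if name.lower() in candidates)


# Constructed sample of "newly observed" domain names.
OBSERVED = [
    "example.com",            # the legitimate name itself: must not be flagged
    "exmaple.com",            # transposition
    "exampel.com",            # transposition
    "examp1e.com",            # homoglyph
    "example.co",             # TLD swap
    "totally-unrelated.net",
]

if __name__ == "__main__":
    for name in find_squats("example.com", OBSERVED):
        print("possible typosquat:", name)
```

A single-character edit distance is deliberately the limit here: two-character variants grow the candidate set into the tens of thousands and are better handled by fuzzy matching on the feed side.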
Internet censorship - Government attempts to control internet traffic, thus preventing some material from being viewed by a country's citizens.

Email Privacy Policy
Email privacy policy - Details the extent to which email messages may be read by others.
○ A typical email privacy policy does the following:
   Defines legitimate email users and explains what happens to accounts after a person leaves the organization.
   Explains backup procedures so users will know that, at some point, even if a message is deleted from their computer, it is still stored by the company.
   Describes the legitimate grounds for reading email and the process required before such action is performed.
   Discourages sending junk email or spam to anyone who does not want to receive it.
   Prohibits attempting to mail bomb a site.
   Informs users that the organization has no control over email once it has been transmitted outside the organization.
○ Mail bomb - Sends a massive amount of email to a specific person or system, which can cause that user's server to stop functioning.
○ Spam - Unsolicited email. It plagues employees at all levels within an organization, from receptionist to CEO, and clogs email systems and siphons MIS resources away from legitimate business projects.
   Anti-spam policy - Simply states that email users will not send unsolicited emails (or spam).
○ Opt out - A user can stop receiving emails by choosing to deny permission to incoming emails.
○ Opt in - A user can receive emails by choosing to allow permission to incoming emails.
○ Teergrubing - An anti-spamming approach in which the receiving mail server deliberately slows its responses to a suspected spammer (a "tar pit", from the German Teergrube), tying up the sending system's connection and resources. It does not send email back at the spammer; sending return traffic to a forged sender address would only hit an innocent third party.

Social Media Policy
Social media policy - Outlines the corporate guidelines or principles governing employee online communications.
○ Employee online communication policy detailing brand communication
○ Employee blog and personal blog policies
○ Employee social network and personal social network policies
○ Employee Twitter, corporate Twitter, and personal Twitter policies
○ Employee LinkedIn policy
○ Employee Facebook usage and brand usage policy
○ Corporate YouTube policy
The right to be forgotten - Allows individuals to request to have all content that violates their privacy removed.

WORKPLACE MONITORING POLICY
The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees. However, some people feel that monitoring employees is unethical.
Physical security - Tangible protection such as alarms, guards, fireproof doors, fences, and vaults.
Information technology monitoring - Tracks people's activities by such measures as number of keystrokes, error rate, and number of transactions processed.
Employee monitoring policy - Explicitly states how, when, and where the company monitors its employees.

PROTECTING INTELLECTUAL ASSETS
Organizational information is intellectual capital; it must be protected.
Information security - The protection of information from accidental or intentional misuse by persons inside or outside the organization.
Downtime - Refers to a period of time when a system is unavailable.
The cost of downtime:
Financial performance
○ Revenue recognition
○ Cash flow
○ Payment guarantees
○ Credit rating
○ Stock price
Revenue
○ Direct loss
○ Compensatory payments
○ Lost future revenue
○ Billing losses
○ Investment losses
○ Lost productivity
Damaged reputation
○ Customers
○ Suppliers
○ Financial markets
○ Banks
○ Business partners
Other expenses
○ Temporary employees
○ Equipment rentals
○ Overtime costs
○ Extra shipping charges
○ Travel expenses
○ Legal obligations

Security Threats Caused by Hackers and Viruses
Hacker - Experts in technology who use their knowledge to break into computers and computer networks, either for profit or just motivated by the challenge.
○ Black-hat hacker - Breaks into other people's computer systems and may just look around, or may steal or destroy information.
○ Cracker - A hacker with criminal intent.
○ Cyberterrorist - Seeks to destroy critical systems or information.
○ White-hat hacker - Works at the request of the system owner to find system vulnerabilities and fix them.
Virus - Software written with malicious intent to cause annoyance or damage.
○ Worm - A type of virus that spreads itself not only from file to file but also from computer to computer.
○ Malware - Software that is intended to damage or disable computers and computer systems.
○ Adware - Software that allows internet advertisers to display advertisements without the consent of the computer user.
○ Spyware - A special class of adware that collects data about the user and transmits it over the internet without the user's knowledge or permission.
○ Ransomware - A form of malicious software that infects a computer and demands money, typically to restore access to the victim's data.
○ Scareware - A type of malware designed to trick victims into giving up personal information to purchase or download useless and potentially dangerous software.

SECURITY THREATS TO EBUSINESS INCLUDE
Elevation of privilege - Misleads a system into granting the attacker rights they are not authorized to have, usually in order to compromise or destroy the system.
Hoaxes - Attack computer users by transmitting a virus hoax with a real virus attached.
Sniffer - A program or device that can monitor data traveling over a network.
Spoofing - The forging of the return address on an email so that the message appears to come from someone other than the actual sender.
Spyware - Comes hidden in free downloadable software and tracks online movements and mines the information stored on a computer.

The First Line of Defense - People
Organizations must enable employees, customers, and partners to access information electronically. The biggest issue surrounding information security is not a technical issue but a people issue. The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan.
○ Information security policies - Identify the rules required to maintain information security.
○ Information security plan - Details how an organization will implement the information security policies.

Three Areas of Information Security
1. People - Authentication and authorization
2. Data - Prevention and resistance
3. Attacks - Detection and response

Authentication and Authorization
Identity theft - The forging of someone's identity for the purpose of fraud.
○ Phishing - A technique to gain personal information for the purpose of identity theft.
○ Pharming - Reroutes requests for legitimate websites to false websites.
○ Sock puppet marketing - The use of a false identity to artificially stimulate demand for a product, brand, or service.
○ Astroturfing - The practice of artificially stimulating online conversation and positive reviews about a product, service, or brand.
Authentication - A method for confirming users' identities.
Authorization - The process of giving someone permission to do or have something.
The most secure type of authentication combines all three factors:
○ Something the user knows
○ Something the user has
○ Something that is part of the user
Three categories of authentication techniques:
1. Something the user knows, such as a user ID and password.
2. Something the user has, such as a smart card or token.
   Token - A small electronic device that changes the user's password automatically, generating a fresh one-time code at short intervals.
   Smart card - A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing.
3. Something that is part of the user, such as fingerprints or voice (biometrics).

Prevention and Resistance
Prevention and resistance technologies stop intruders from accessing and reading data.
Privilege escalation - A network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.
○ Vertical privilege escalation - Attackers grant themselves a higher access level, such as administrator.
○ Horizontal privilege escalation - Attackers keep the access level they already have but assume the identity of another user at that level.
Technologies available to help prevent and build resistance to attacks include:
1. Content filtering - The use of software that filters content to prevent the transmission of unauthorized information.
2. Encryption - Scrambles information into an alternative form that requires a key or password to decrypt.
3. Firewalls - Hardware and/or software that guard a private network by analyzing incoming and outgoing information for the correct markings.

Detection and Response
If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage.
Intrusion detection software - Features full-time monitoring tools that search for patterns in network traffic to identify intruders.

Spam Management Tips from InformationWeek
○ To avoid ending up on a spammer's mailing list when you post to a web forum or a newsgroup, you can obscure your email address by inserting something obvious into it. So if your email address is xyz@yahoo.com, change it to xyz@yah[delete_this]oo.com. Or try something like this: "xyz at yahoo dot com."
○ Don't reply to spam messages, not even to ask to be "removed." Often the instructions are fake, or they're a way to collect more addresses. Replying confirms to the spammers that your email address is active, and you may receive even more junk mail.
○ Remove your email address from your website's pages and offer a web-based mail form instead. That prevents spammers' robots from harvesting email addresses and putting them on their mailing lists. Contact-Us-Online.com can provide you with such a script free of charge.
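The vertical and horizontal privilege escalation items and the Detection and Response section above describe a failure and a response in the abstract. The following is an added example, not code from the chapter, that puts both in code: a record lookup that only authenticates (so any logged-in user can read another user's invoice by guessing its ID, the horizontal case) beside the hardened version that also authorizes; a role change guarded against the vertical case; and a detector that runs over the access log the hardened handler produces and flags an account walking the ID space. The users, the invoice table, the role names and the log lines are constructed for the demonstration, and the log format is an assumption rather than any real product's.

```python
"""Authorization against privilege escalation, plus a log detector for
record enumeration. Added example, not the chapter's code."""
import re
from collections import defaultdict
from dataclasses import dataclass


class Forbidden(Exception):
    """Authenticated, but not authorized for this action."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # "user" or "admin" (constructed roles)


# Constructed data store: invoice_id -> owning user_id.
INVOICES = {101: 1, 102: 1, 201: 2, 301: 3}


def get_invoice_owner_vulnerable(current: User, invoice_id: int) -> int:
    """Checks authentication only: any logged-in user who guesses an ID reads
    someone else's record (horizontal escalation via an insecure direct
    object reference)."""
    return INVOICES[invoice_id]


def get_invoice_owner(current: User, invoice_id: int) -> int:
    """Hardened: the caller must own the record or hold the admin role."""
    owner = INVOICES[invoice_id]
    if current.role != "admin" and owner != current.user_id:
        raise Forbidden(f"user {current.user_id} may not read invoice {invoice_id}")
    return owner


def set_role(current: User, target: User, new_role: str) -> User:
    """Hardened against vertical escalation: only an admin may assign roles,
    and only roles the application knows."""
    if current.role != "admin":
        raise Forbidden(f"user {current.user_id} may not change roles")
    if new_role not in ("user", "admin"):
        raise ValueError(new_role)
    return User(target.user_id, new_role)


# Constructed access-log lines as the hardened handler would emit them.
ACCESS_LOG = """\
2024-05-01T10:00:01Z user=2 GET /invoices/201 status=200
2024-05-01T10:00:02Z user=2 GET /invoices/101 status=403
2024-05-01T10:00:02Z user=2 GET /invoices/102 status=403
2024-05-01T10:00:03Z user=2 GET /invoices/301 status=403
2024-05-01T10:00:03Z user=2 GET /invoices/302 status=404
2024-05-01T10:00:09Z user=1 GET /invoices/101 status=200
2024-05-01T10:00:10Z user=3 GET /invoices/102 status=403
"""

LOG_LINE = re.compile(r"user=(\d+) \S+ /invoices/(\d+) status=(\d{3})")


def find_enumerators(log_text: str, threshold: int = 3) -> dict:
    """Users refused for at least `threshold` distinct invoice IDs. One 403 is
    a stray click; a run of them across IDs is someone walking the ID space,
    and 404s count too because a guesser hits missing IDs as well."""
    refused = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if m and m.group(3) in ("403", "404"):
            refused[int(m.group(1))].add(int(m.group(2)))
    return {uid: len(ids) for uid, ids in refused.items() if len(ids) >= threshold}


if __name__ == "__main__":
    bob = User(2, "user")
    print("vulnerable handler leaks owner of 101 to bob:",
          get_invoice_owner_vulnerable(bob, 101))
    try:
        get_invoice_owner(bob, 101)
    except Forbidden as err:
        print("hardened handler:", err)
    print("users enumerating invoice IDs:", find_enumerators(ACCESS_LOG))
```

The ownership check lives next to the data access, not in the URL routing, so a new endpoint that reaches the same records cannot forget it; the detector only works because the hardened handler logs the refusals it makes.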