CH 03

The document outlines ethics, privacy, security threats and protecting information resources. It discusses ethical issues around privacy, accuracy, property and accessibility. It describes unintentional threats like human errors and environmental hazards as well as intentional threats like hacking, malware and intellectual property theft. It also covers risk management, controls and disaster recovery planning.

Uploaded by Ebrahim Awadh

Introduction to Information Systems, 1st Edition
⬥ Authors: Rainer, Turban and Potter
⬥ Publisher: John Wiley & Sons, Inc.

Chapter 3 1
Chapter 3
Ethics, Privacy and Information Security
Chapter Outline
⬥ 3.1 Ethical Issues
⬥ 3.2 Threats to Information Security
⬥ 3.3 Protecting Information Resources
Learning Objectives
⬥ Describe the major ethical issues related to information technology and identify situations in which they occur.
⬥ Describe the many threats to information security.
⬥ Understand the various defense mechanisms used to protect information systems.
⬥ Explain IT auditing and planning for disaster recovery.
3.1 Ethical Issues
⬥ Ethics. A branch of philosophy that deals with what is considered to be right and wrong.
⬥ A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.
The Four Categories of Ethical Issues
⬥ Privacy Issues involve collecting, storing and disseminating information about individuals.
⬥ Accuracy Issues involve the authenticity, fidelity and accuracy of information that is collected and processed.
⬥ Property Issues involve the ownership and value of information.
⬥ Accessibility Issues revolve around who should have access to information and whether they should have to pay for this access.
Protecting Privacy
⬥ Privacy. The right to be left alone and to be free of unreasonable personal intrusions.
⬥ Two rules have been followed fairly closely in past court decisions in many countries:
▪ The right of privacy is not absolute. Privacy must be balanced against the needs of society.
▪ The public's right to know is superior to
Protecting Privacy (Continued)
⬥ Electronic Surveillance. The tracking of people's activities, online or offline, with the aid of computers.
⬥ Personal Information in Databases. Information about individuals is being kept in many databases: banks, utilities co., govt. agencies, …etc.; the most visible locations are credit-reporting agencies.
3.2 Threats to Information Security
⬥ A threat to an information resource is any danger to which a system may be exposed.
⬥ The exposure of an information resource is the harm, loss or damage that can result if a threat compromises that resource.
⬥ A system's vulnerability is the possibility that the system will suffer harm by a threat.
⬥ Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.
Unintentional Threats
⬥ Human errors can occur in the design of the hardware and/or information system.
⬥ They can also occur in programming, testing, data collection, data entry, authorization and procedures.
Unintentional Threats (Continued)
⬥ Environmental hazards include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (most common hazard), explosions, …etc.
⬥ Computer system failures can occur as the result of poor manufacturing or defective materials.
Intentional Threats
⬥ Typically, criminal in nature.
⬥ Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet.
⬥ The average cybercrime involves about $600,000 according to the FBI.
Intentional Threats (Continued)
⬥ Hacker. An outside person who has penetrated a computer system, usually with no criminal intent.
Information Extortion
⬥ When an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or an agreement not to disclose it.
⬥ Theft is the illegal taking of property that belongs to another individual or organization.
Software Attacks
⬥ Malicious software (malware) is designed to damage, destroy, or deny service to the targeted systems.
⬥ The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors, denial-of-service, alien software, phishing and pharming.
Software Attacks (Continued)
⬥ Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.
⬥ Worms. Destructive programs that replicate themselves without requiring another program to provide a safe environment for replication.
⬥ Trojan horses. Software programs that hide in other computer programs and reveal their designed behavior only when they are activated.
Software Attacks (Continued)
⬥ Logic bombs. Designed to activate and perform a destructive action at a certain time.
⬥ Back doors or trap doors. Typically a password, known only to the attacker, that allows access to the system without having to go through any security.
⬥ Denial-of-service. An attacker sends so many information requests to a target system that the target cannot handle them successfully and can crash the entire
Compromises to Intellectual Property
⬥ Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
⬥ Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
⬥ Patent. Document that grants the holder exclusive rights on an invention.
Compromises to Intellectual Property (Continued)
⬥ Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
⬥ Piracy. Copying a software program without making payment to the owner.
3.3 Protecting Information Resources
⬥ Risk. The probability that a threat will impact an information resource.
⬥ Risk management. To identify, control and minimize the impact of threats.
⬥ Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Protecting Information Resources (Continued)
⬥ Risk mitigation is when the organization takes concrete actions against risk. It has two functions:
■ (1) implement controls to prevent identified threats from occurring, and
■ (2) develop a means of recovery should the threat become a reality.
Risk Mitigation Strategies
⬥ Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
⬥ Risk limitation. Limit the risk by implementing controls that minimize the impact of the threat.
⬥ Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
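The risk analysis described in 3.3 (asset value × probability of compromise, compared against the cost of protection) and the three mitigation strategies above can be worked through in code. This is an added example, not from the textbook; the asset values, probabilities, control costs and insurance premiums are constructed sample figures, and the rule for choosing between limitation and transference (pick whichever leaves the organization paying least) is an assumption the slides leave open.

```python
"""Risk analysis and choice of mitigation strategy (added example, constructed data)."""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float           # loss to the organization if the asset is compromised
    p_compromise: float    # estimated annual probability of compromise
    control_cost: float    # annual cost of the control that would limit the risk
    control_effect: float  # fraction of the expected loss the control removes (0..1)
    insurance_cost: float  # annual premium if the risk is transferred instead


def expected_loss(asset: Asset) -> float:
    """Probable annual cost of compromise: asset value times probability."""
    return asset.value * asset.p_compromise


def choose_strategy(asset: Asset) -> str:
    """Return 'accept', 'limit' or 'transfer' by comparing annual costs.

    accept   : expected loss is already below the cost of any mitigation
    limit    : control cost plus the residual loss the control does not remove
    transfer : insurance premium (assumed to cover the whole loss)
    """
    loss = expected_loss(asset)
    limitation = asset.control_cost + loss * (1.0 - asset.control_effect)
    transference = asset.insurance_cost
    if loss <= min(limitation, transference):
        return "accept"
    return "limit" if limitation <= transference else "transfer"


# Constructed sample assets; figures are illustrative only.
SAMPLE_ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.80, 45_000),
    Asset("cafeteria menu server", 2_000, 0.50, 5_000, 0.90, 1_500),
    Asset("data center (fire)", 3_000_000, 0.01, 40_000, 0.90, 25_000),
]


def risk_report(assets: list[Asset]) -> dict[str, str]:
    """Map each asset name to the strategy chosen for it."""
    return {a.name: choose_strategy(a) for a in assets}


if __name__ == "__main__":
    for asset in SAMPLE_ASSETS:
        print(f"{asset.name:24s} expected loss {expected_loss(asset):>10,.0f} "
              f"-> {choose_strategy(asset)}")
```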
Controls
⬥ Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures.
⬥ General controls. Established to protect the system regardless of their application.
■ Physical controls. Physical protection of computer facilities and resources.
■ Access controls. Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.
Controls (Continued)
⬥ Communications (networks) controls. To protect the movement of data across networks; they include border security controls, authentication and authorization.
■ Firewalls. System that enforces an access-control policy between two networks.
■ Encryption. Process of converting an original message into a form that cannot be read by anyone except the intended receiver.
Disaster Recovery Planning
⬥ Disaster recovery. The chain of events linking planning to protection to recovery; the disaster recovery plan.
⬥ Disaster avoidance. Oriented towards prevention, e.g. an uninterruptible power supply (UPS).
⬥ Hot sites. External data center that is fully configured and has copies of the organization's data and programs.