chapter 13 security, privacy, and ethics


Upload: shea-justice

Post on 31-Dec-2015



TRANSCRIPT

Page 1: Chapter 13 Security, Privacy, and Ethics

Why and what managers need to know about IT risk management, privacy, and information systems ethics.

Page 2: Course Roadmap

• Part I: Foundations
• Part II: Competing in the Internet Age
• Part III: The Strategic Use of Information Systems
• Part IV: Getting IT Done
– Chapter 10: Funding Information Systems
– Chapter 11: Creating Information Systems
– Chapter 12: Information System Trends
– Chapter 13: Security, Privacy and Ethics

Page 3: Learning Objectives

1. Learn to make the case that information systems security, privacy, and ethics are issues of interest to general and functional managers, and why it is a grave mistake to delegate them exclusively to IT professionals.
2. Understand the basic IT risk management processes, including risk assessment, risk analysis, and risk mitigation.
3. Understand the principal security threats, both internal and external, and the principal safeguards that have been developed to mitigate these risks.
4. Be able to identify the nature of privacy concerns that modern organizations face, and be able to articulate how general and functional managers can safeguard the privacy of their customers and employees.
5. Define ethics, apply the concept of ethical behavior to information systems decisions, and be able to articulate how general and functional managers can help ensure that their organization behaves ethically.

Page 4: Introduction

• Information systems security, privacy, and ethical concerns were born along with the introduction of computer systems and information technology in organizations
• The widespread adoption of the Internet and the proliferation of information for business use have dramatically amplified these threats
• A failure in security, privacy, or ethics can have dramatic repercussions on the organization, both because of its potentially damaging direct effects (e.g., computer outages, disruptions to operations) and its increasingly serious indirect effects (e.g., legal action, damage to the firm's image)

Page 5: Why to Safeguard Customer Data

(image-only slide)

Page 6: IT Risk Management and Security

• IT Risk Management
– The process of identifying and measuring information systems security risks
– Objective: to devise the optimal risk mitigation strategy
• Security
– The set of defenses put in place to mitigate threats to technology infrastructure and data resources

Page 7: Security: Not an IT Problem

• Security should be a management priority, not an IT problem
• Security is a negative deliverable
– Produces no revenues
– Creates no efficiencies
• Security is difficult to fund
– IT departments have limited budgets
– They should not be left to fund security measures on their own
• The trade-off: purchase more security, or accept higher risks?

Page 8: Risk Assessment

• Audit the current resources
• Map the current state of information systems security in the organization
• The audit will:
– Expose vulnerabilities
– Provide the basis for risk analysis
• Risk Analysis
– The process of quantifying the risks identified in the audit: how likely each one is to materialize, and what a single occurrence would cost

Page 9: Risk Mitigation

• The process of matching the appropriate response to the security threats your firm identified
• Designed to help manage the trade-off between the degree of desired security and the investment necessary to achieve it

Page 10: Three Risk Mitigation Strategies

• Risk Acceptance
– Not investing in countermeasures and not reducing the security risk
– Consciously taking the risk of a security breach
• Risk Reduction
– Actively investing in the safeguards designed to mitigate security threats
– Consciously paying for security protection
• Risk Transference
– Passing a portion (or all) of the risks associated with security to a third party
– Consciously paying for someone else to assume the risk

Page 11: Cost/Security Trade-Offs

[Chart: cost (vertical axis) against degree of security (horizontal axis), with three curves: anticipation cost, failure cost, and total cost. Anticipation cost rises as the degree of security increases, failure cost falls, and total cost is their sum; the degree of security at which total cost bottoms out is the one the firm should target.]
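The trade-off on this slide, and the accept/reduce/transfer choice on the previous one, can be worked through numerically once the risk analysis step has produced figures. The following is an added example, not part of the original slides: it quantifies one threat as single loss expectancy times annual rate of occurrence, models each mitigation option as an anticipation cost plus the failure cost that remains, and ranks the options by expected total cost. Every number (the ransomware scenario, the control costs, the reduction factors) is constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """A risk identified in the assessment, quantified in the risk analysis step."""
    name: str
    sle: float  # single loss expectancy: cost of one occurrence
    aro: float  # annualised rate of occurrence: expected occurrences per year

    @property
    def ale(self) -> float:
        """Annual loss expectancy: what the threat costs per year if nothing is done."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Option:
    """One mitigation choice: accept, reduce or transfer the risk."""
    name: str
    strategy: str            # "accept", "reduce" or "transfer"
    annual_cost: float       # anticipation cost: what the firm pays up front each year
    aro_factor: float = 1.0  # fraction of the occurrence rate that remains after the control
    sle_factor: float = 1.0  # fraction of each loss the firm still bears (an insurer covers the rest)


def residual_ale(threat: Threat, option: Option) -> float:
    """Failure cost that remains once the option is in place."""
    return threat.sle * option.sle_factor * threat.aro * option.aro_factor


def expected_total_cost(threat: Threat, option: Option) -> float:
    """Total cost = anticipation cost + residual failure cost (the chart's total-cost curve)."""
    return option.annual_cost + residual_ale(threat, option)


def rank_options(threat: Threat, options: list[Option]) -> list[tuple[str, float]]:
    """All options, cheapest expected total cost first; the top entry is the rational choice."""
    return sorted(((o.name, expected_total_cost(threat, o)) for o in options), key=lambda p: p[1])


# Constructed figures for illustration only; they are not from the chapter.
RANSOMWARE = Threat("ransomware on the file server", sle=200_000, aro=0.25)

OPTIONS = [
    Option("accept", "accept", annual_cost=0),
    Option("endpoint detection", "reduce", annual_cost=12_000, aro_factor=0.5),
    Option("endpoint detection + offline backups", "reduce", annual_cost=30_000,
           aro_factor=0.5, sle_factor=0.2),
    Option("cyber insurance", "transfer", annual_cost=27_000, sle_factor=0.25),
]

if __name__ == "__main__":
    print(f"ALE with no controls: {RANSOMWARE.ale:,.0f}")
    for name, cost in rank_options(RANSOMWARE, OPTIONS):
        print(f"{cost:>10,.0f}  {name}")
```

With these constructed numbers, accepting the risk costs 50,000 a year in expected losses, detection alone brings the total to 37,000, insurance to 39,500, and detection plus backups to 35,000, so risk reduction wins; change the figures and the ranking moves, which is exactly the management decision the slide describes.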

Page 12: Internal Threats

• Intentional Malicious Behavior
– Typically associated with disgruntled or ill-willed employees
– Example: a marketing employee selling customers' e-mail addresses to spammers
• Careless Behavior
– Associated with ignorance of, or disinterest in, security problems
– Example: failing to destroy sensitive data according to planned schedules

Page 13: External Threats

• Intrusion Threat
– An unauthorized attacker gains access to organizational IT resources
• Social Engineering
– Lying to and deceiving legitimate users so that they divulge restricted or private information
• Phishing
– Sending official-sounding spam that appears to come from a known institution and asks individuals to "confirm" private data (passwords, account numbers), in an effort to capture that data

Page 14: Have You Seen Something Like These?

(image-only slide: examples of phishing messages)
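The phishing definition on the previous slide lists the tell-tale traits of such messages: an institution's name in the sender line, a demand to confirm private data, and a link that does not lead where it claims. The block below is an added example written for this page, not code from the original slides, that checks a message for those indicators. The message format (a dict with display name, addresses, subject, body and a list of link text/target pairs), the allowlist of domains an institution really sends from, and both sample messages are constructed; the "registrable domain" helper is a deliberate simplification of what the Public Suffix List does.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: a word the display name may use -> domains that institution really sends from.
# A real deployment would load this from a verified sender list; these domains are hypothetical.
KNOWN_SENDERS = {"examplebank": {"examplebank.test", "mail.examplebank.test"}}

URGENCY = re.compile(r"\b(verify|confirm|suspend\w*|urgent|within 24 hours)\b", re.IGNORECASE)
HOST_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def registrable(host: str) -> str:
    """Crude 'registered domain' (last two labels); a real checker would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(msg: dict) -> list[str]:
    """Return the phishing indicators found in one message (constructed dict format)."""
    found = []
    sender_domain = domain_of(msg["from"])
    display = msg.get("display_name", "").lower().replace(" ", "")

    # 1. The display name claims a known institution, but the sending domain is not one of theirs.
    for institution, domains in KNOWN_SENDERS.items():
        if institution in display and sender_domain not in domains:
            found.append(f"display name claims {institution} but mail comes from {sender_domain}")

    # 2. Replies are steered to a different domain than the one that sent the message.
    if "reply_to" in msg and domain_of(msg["reply_to"]) != sender_domain:
        found.append("reply-to domain differs from sender domain")

    # 3. The visible link text names one host while the actual target is another.
    for text, href in msg.get("links", []):
        shown = HOST_IN_TEXT.search(text)
        target = urlsplit(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(target):
            found.append(f"link text shows {shown.group(1)} but points to {target}")

    # 4. Pressure to act now, combined with a link to click: the classic "confirm your data" lure.
    if msg.get("links") and URGENCY.search(msg.get("subject", "") + " " + msg.get("body", "")):
        found.append("urgency language combined with a link")

    return found


def is_suspicious(msg: dict, threshold: int = 2) -> bool:
    return len(phishing_indicators(msg)) >= threshold


# Two constructed messages (not real mail): one lure, one legitimate notice.
PHISH = {
    "display_name": "ExampleBank Security",
    "from": "alerts@examplebank-secure.invalid",
    "reply_to": "collector@example.invalid",
    "subject": "Urgent: confirm your account within 24 hours",
    "body": "Your account will be suspended unless you confirm your details.",
    "links": [("https://www.examplebank.test/login", "http://examplebank.test.example.invalid/login")],
}
LEGIT = {
    "display_name": "ExampleBank",
    "from": "statements@examplebank.test",
    "subject": "Your March statement is available",
    "body": "Log in to view your statement.",
    "links": [("View statement", "https://www.examplebank.test/statements")],
}

if __name__ == "__main__":
    for label, m in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_suspicious(m), phishing_indicators(m))
```

The lure trips all four checks; note in particular that `examplebank.test.example.invalid` looks like the bank's domain to a hurried reader but registers under a different owner, which is what the third check catches. The legitimate notice trips none, because its sending domain is on the allowlist and its link text does not pretend to be an address.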

Page 15: The External Threats

• Security Weaknesses
– Exploiting weaknesses in the software infrastructure of the organization under attack
– Example: bugs that enable unauthorized access
• Backdoors
– Code expressly designed into software programs to allow access to the application by circumventing password protection

Page 16: The External Threats

• Malicious Code
– Any software code expressly designed to cause damage to IT assets
• Viruses
– Malicious code that spreads by attaching itself to other, legitimate, executable programs
– After infecting a machine, a harmful set of actions, known as the payload, is performed

Page 17: Malicious Code

• Trojan Horses
– A computer program that claims to, and sometimes does, deliver useful functionality
– Delivers a hidden, malicious payload after installation
• Worms
– Malicious code that exploits security holes in network software to self-replicate
– Need not carry a payload: the replication itself generates enough network traffic to slow down or bring down a network

Page 18: Malicious Code

• Spyware
– Software that, unbeknownst to the owner of the computer:
• Monitors behavior
• Collects information
• Either transfers this information to a third party or performs unwanted operations
– Diverts resources and often slows down a user's legitimate work

Page 19: The External Threats

• Denial-of-Service Attack
– A digital assault carried out over a computer network with the objective of overwhelming an online service so as to force it offline
– Can be used to divert attention, allowing the intruder to plant a backdoor to be exploited later

Page 20: Responding to Internal Security Threats

• Security Policies
– Spell out what the organization believes are the behaviors that individual employees within the firm should follow in order to minimize security risks
– They should specify:
• Password standards
• User rights
• Legitimate uses of portable devices
– The firm should audit the policies to ensure compliance

Page 21: Responding to External Security Threats

• Intrusion
– The cornerstone of securing against intrusion is authentication: passwords, increasingly combined with a second factor
– Firewalls can be used to screen and manage traffic in and out of a computer network
• The defense is only as strong as its weakest link
– Encryption scrambles content so that it is unreadable to anyone who does not hold the key
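Three slides come together in code here: the backdoor described on slide 15 (access that circumvents password protection), the password standard a security policy should set (slide 20), and passwords as the cornerstone of the intrusion defense on this slide. The block below is an added example, not code from the chapter: a login routine with a compiled-in "support" password stands beside a hardened version that has no bypass path, enforces a minimum password standard at enrolment, stores only salted PBKDF2 hashes, and compares in constant time. The support password, the policy rule, the user records and the `users` dictionary shape are all constructed for the example.

```python
import hashlib
import hmac
import os
import re

# ---- Vulnerable pattern: the backdoor the slides describe ---------------------------------
# Constructed example. A "support" password is compiled into the program; whoever reads the
# source or the binary can log in as any user, whatever that user's own password is.
SUPPORT_PASSWORD = "letmein-support"


def authenticate_with_backdoor(users: dict[str, str], username: str, password: str) -> bool:
    if password == SUPPORT_PASSWORD:      # bypasses the per-user check entirely
        return True
    stored = users.get(username)
    return stored is not None and stored == password   # plaintext storage, plaintext compare


# ---- Hardened version ---------------------------------------------------------------------
ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (OWASP's 2023 recommendation)
DUMMY_SALT = b"\x00" * 16     # so an unknown username costs the same time as a known one


def meets_policy(password: str) -> bool:
    """Password standard from the security policy (constructed rule):
    at least 12 characters and not made of a single character class."""
    return len(password) >= 12 and re.fullmatch(r"[a-z]+|[A-Z]+|[0-9]+", password) is None


def make_record(password: str) -> dict:
    """Enrol a password: enforce the standard, then store only a salted slow hash."""
    if not meets_policy(password):
        raise ValueError("password does not meet policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def authenticate(users: dict[str, dict], username: str, password: str) -> bool:
    """No bypass path exists: the only way in is the user's own password."""
    record = users.get(username)
    if record is None:
        hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])   # constant-time comparison


if __name__ == "__main__":
    weak = {"alice": "correct horse battery"}
    print("backdoor lets a stranger in:", authenticate_with_backdoor(weak, "mallory", SUPPORT_PASSWORD))
    strong = {"alice": make_record("correct horse battery staple")}
    print("hardened, right password:", authenticate(strong, "alice", "correct horse battery staple"))
    print("hardened, support password:", authenticate(strong, "alice", SUPPORT_PASSWORD))
```

Two things to check in any code review of a login path: that every branch returning success depends on a credential belonging to the named user (the backdoor fails this test on its first line), and that stored passwords cannot be read back even by someone who obtains the user database, which is what the salted slow hash buys.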

Page 22: Responding to External Security Threats

• Malware
– Safeguarding against malware requires that the firm's IT professionals install detection software (anti-malware) and keep it up to date
– Training and policies are also necessary
• Denial-of-Service Attacks
– Preventing a denial-of-service attack is very difficult
– It is difficult to identify the source of the attack: the traffic is often sent through many compromised machines, each contributing only a little
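The denial-of-service points on slides 19 and 22 are easier to appreciate with a log in hand. The block below is an added example written for this page, not code from the chapter: it parses web-server lines in Common Log Format, counts requests per source in fixed ten-second windows, and reports two things: single sources that exceed a per-source limit, and windows whose total exceeds an aggregate limit even though no single source stands out. The log is generated in the block (three ordinary visitors, one host flooding on its own, and twenty-five hosts each sending a handful of requests at the same moment) and is entirely constructed; the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')


def _line(ip: str, when: datetime, path: str) -> str:
    return f'{ip} - - [{when.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log() -> str:
    """Constructed web-server log (Common Log Format); nothing here is real traffic."""
    base = datetime(2016, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    # ordinary visitors: three hosts, three requests each, spread over a minute
    for i, ip in enumerate(["203.0.113.10", "203.0.113.11", "203.0.113.12"]):
        for k in range(3):
            lines.append(_line(ip, base + timedelta(seconds=20 * i + 5 * k), f"/page{k}"))
    # single-source flood: one host fires 40 requests inside 10 seconds
    for k in range(40):
        lines.append(_line("198.51.100.7", base + timedelta(seconds=30 + k % 10), "/search?q=x"))
    # distributed flood: 25 hosts, only 3 requests each, all inside the same 10 seconds
    for h in range(1, 26):
        for k in range(3):
            lines.append(_line(f"192.0.2.{h}", base + timedelta(seconds=50 + 3 * k), "/login"))
    return "\n".join(lines)


def parse(log: str) -> list[tuple[str, int]]:
    """(client ip, unix time) for every well-formed line; malformed lines are skipped."""
    out = []
    for line in log.splitlines():
        m = CLF.match(line)
        if m:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((m["ip"], int(when.timestamp())))
    return out


def per_window(entries: list[tuple[str, int]], window_s: int = 10) -> dict[int, Counter]:
    """Requests per source, bucketed into fixed windows keyed by the window's start time."""
    buckets: dict[int, Counter] = defaultdict(Counter)
    for ip, t in entries:
        buckets[t - t % window_s][ip] += 1
    return buckets


def single_source_offenders(entries, window_s: int = 10, per_source_limit: int = 20) -> dict[str, int]:
    """Sources whose peak request count in any one window exceeds the limit."""
    peak: dict[str, int] = {}
    for counts in per_window(entries, window_s).values():
        for ip, n in counts.items():
            peak[ip] = max(peak.get(ip, 0), n)
    return {ip: n for ip, n in peak.items() if n > per_source_limit}


def aggregate_spikes(entries, window_s: int = 10, aggregate_limit: int = 50) -> dict[int, int]:
    """Windows whose total request count exceeds the limit, whatever the per-source picture."""
    return {start: sum(c.values()) for start, c in per_window(entries, window_s).items()
            if sum(c.values()) > aggregate_limit}


if __name__ == "__main__":
    entries = parse(build_sample_log())
    print("single-source offenders:", single_source_offenders(entries))
    print("aggregate spikes (window start -> requests):", aggregate_spikes(entries))
```

The single flooder is easy to name and block. The distributed burst is the case the slide warns about: no address exceeds the per-source limit (each sends three requests), so only the aggregate view shows that the service is under attack, and nothing in the log says which of those twenty-five hosts, if any, the attacker actually controls.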

Page 23: Security Threat Tools

(image-only slide)

Page 24: Managing Security: Overall Guidelines

• Have a plan and specify responsibilities
– Who should be contacted in an emergency?
– What should the first response measures be?
• Revisit often
– New technologies should be proactively addressed
• Develop a mitigation plan
– Determine how the attack took place
– Assess the damage
• Waiting for a crisis to make these decisions and develop policy is too late!

Page 25: Privacy

• The ability of individuals to control the terms and conditions under which their personal information is collected, managed, and utilized
• Private information is information that can be traced back to the individual
• Privacy subsumes security: a firm cannot honor its privacy commitments without first securing the data

Page 26: Privacy Risks

• Function Creep
– Occurs when data collected for a stated or implied purpose are then reused for other, unrelated objectives
• Proliferating Data Sources
– New technological advances and devices generate more data than ever
– This proliferation creates opportunities but also many risks

Page 27: Privacy Risks

• Data Management Risks
– It is increasingly simple, and cost effective, to merge data repositories
– IT creates pressure for, and the risk of, function creep if not managed carefully
• The Legal Landscape
– Currently, technology evolution outpaces legal development
– The Internet has all but destroyed traditional geographical boundaries
• Privacy management is not an IT job

Page 28: Safeguarding Privacy

• Fair Information Practice Principles
– Notice
• The right of individuals to be informed when their personal data is being collected
• The right of individuals to be informed about how their data is or will be used
– Choice
• The ability of individuals to be informed of, and object to, function creep, whether within one firm or across firms that share information

Page 29: Safeguarding Privacy

• Fair Information Practice Principles (cont.)
– Access
• The right of individuals to access their information and correct any errors that may have occurred in their records
– Security
• Organizations that house individuals' private information must ensure its safekeeping and protect it from unauthorized access
– Enforcement
• Organizations that collect and use private information must develop enforceable procedures to ensure that the above principles are upheld

Page 30: The Greatest Breaches

(image-only slide)

Page 31: Fair Information Practice Principles

• Fair Information Practice Principles
– Access
• The right of individuals to be able to access their information
• The right of individuals to correct any errors that may have occurred in their records
– Security
• The responsibility of the firm that houses private information to ensure its safekeeping and to protect it from unauthorized access
– Enforcement
• The responsibility of the organizations that collect and use private information to develop enforceable procedures to ensure that the above principles are upheld

Page 32: Protecting Privacy

• Say What You Do
– The firm develops a codified set of policies and procedures for safeguarding privacy and communicates these policies to affected individuals (e.g., customers, employees)
• Do What You Say
– Those who represent the firm know, understand, and can enact the policies the firm has developed
• Be Able to Prove It
– The firm documents its policies and the processes it has developed to ensure privacy

Page 33: Ethics

• The discipline dealing with what is good and bad and with moral duty and obligation
• The problem:
– Ethical choices are rarely straightforward
– Ethical choices typically engender multiple sub-optimal options

Page 34: Enabling IS Ethics

• Developing a culture of ethical decision making is critical
• Establish an information systems ethics code of conduct that:
– Identifies the principles of ethical information system use for your organization
– Identifies the firm's formal stance on ethics
• Apply the principle of harm minimization

Page 35: The Recap

• Information systems must be secured against both internal and external threats
• Information systems security and risk management are not "IT issues"
• Privacy concerns, like security threats, need general and functional managers' full attention

Page 36: The Recap

• In order for the firm to safeguard the privacy of its employees and customers, it must subscribe to fair information practices
– Notice
– Choice
– Access
– Security
– Enforcement
• The recent flurry of corporate scandals has ignited interest in business ethics
• When it comes to information systems, ethics becomes a crucial guiding light for management behavior, as legislation often lags behind technology improvements

Page 37: What Did We Learn?

1. Learn to make the case that information systems security, privacy, and ethics are issues of interest to general and functional managers, and why it is a grave mistake to delegate them exclusively to IT professionals.
2. Understand the basic IT risk management processes, including risk assessment, risk analysis, and risk mitigation.
3. Understand the principal security threats, both internal and external, and the principal safeguards that have been developed to mitigate these risks.
4. Be able to identify the nature of privacy concerns that modern organizations face, and be able to articulate how general and functional managers can safeguard the privacy of their customers and employees.
5. Define ethics, apply the concept of ethical behavior to information systems decisions, and be able to articulate how general and functional managers can help ensure that their organization behaves ethically.