1
Leena Ladge
Chapter 3: Ethical Issues and Privacy
Lecture No 20:
Leena Ladge
Assistant Professor
Dept. of Information Technology,
SIES Graduate School of Technology
Learning Objectives:
Introduction
• In 1998, hackers took control of the U.S.-German ROSAT X-ray satellite.
• They hacked into computers at the Goddard Space Flight Center in Maryland.
• They instructed the satellite to aim its solar panels directly at the sun.
• This effectively fried its batteries and rendered the satellite useless.
Introduction
• In 2002, attackers penetrated the computer network at the Marshall
Space Flight Center and stole secret data on rocket engine designs.
• In 2004, attackers compromised computers at NASA’s Ames
Research Center in Silicon Valley. The attackers had apparently
cracked an employee’s password at the Goddard Center in Maryland
and used it to hack into the Ames Research Center.
• In April 2005, an intruder installed a malignant software program
inside the digital network of NASA’s Kennedy Space Center and
gathered data from computers in the Vehicle Assembly Building
where the Space Shuttle is maintained.
Introduction
The lessons learned
Ethical Issues
Ethical Frameworks
There are many sources for ethical standards. The four major standards
are described below.
1. The utilitarian approach: An ethical action provides the most good or
does the least harm to customers, employees, shareholders, the community,
and the physical environment.
2. The rights approach: An ethical action best protects and respects the
moral rights of customers, employees, shareholders, business partners, and
even competitors. (Moral rights are the rights to make one’s own choices
about what kind of life to lead, to be told the truth, not to be injured,
and to enjoy a degree of privacy.)
3. The fairness approach: Ethical actions treat all human beings equally,
or, if unequally, then fairly, based on some defensible standard. For
example, most people might believe it is fair to pay people.
4. The common good approach: Respect and compassion for all others is the
basis for ethical actions. It emphasizes the common conditions, such as a
system of laws, effective police and fire departments, healthcare, a public
educational system, and even public recreation areas, which are important
to the welfare of everyone.
Ethical Issues
Ethics in the Corporate Environment
Ethical Issues
Ethics
Ethical Issues
Ethics and Information Technology
A variety of ethical issues exist because of the diversity and ever-expanding
use of IT applications. They fall into four general categories: privacy,
accuracy, property, and accessibility.
1. Privacy issues involve collecting, storing, and disseminating information
about individuals.
2. Accuracy issues involve the authenticity, fidelity, and accuracy of
information that is collected and processed.
3. Property issues involve the ownership and value of information.
4. Accessibility issues revolve around who should have access to information
and whether they should have to pay for this access.
Lecture No 21:
Learning Objectives:
Privacy
• Privacy is the right to be left alone and to be free of unreasonable
personal intrusions.
• Information privacy is the right to determine when, and to what extent,
information about you can be gathered and/or communicated to others.
• Privacy rights apply to individuals, groups, and institutions.
• Court decisions in many countries have followed two rules:
1. The right of privacy is not absolute. Privacy must be balanced against
the needs of society.
2. The public’s right to know supersedes the individual’s right of privacy.
• On an average day, a person generates data about himself or herself in many
ways: surveillance cameras on toll roads, in public places, and at work;
credit card transactions; telephone calls; banking transactions; queries to
search engines; and government records.
• These data can be integrated to produce a digital dossier, an electronic
description of a person and his or her habits.
• The process of forming a digital dossier is called profiling.
• Data aggregators such as LexisNexis, ChoicePoint, and Acxiom are good
examples of companies that perform profiling.
• These companies sell the dossiers to law enforcement agencies, to companies
conducting background checks on potential employees, and to companies that
want to know their customers better.
Privacy
Electronic Surveillance
Privacy
Electronic Surveillance- Geotagging
Privacy
Electronic Surveillance- Facial Recognition Technology
Privacy
Electronic Surveillance- Photo Tagging (Why important?)
Privacy
Electronic Surveillance- URL Filtering
Why is it needed?
To stop the users of an organization from accessing, during working hours, those websites that:
Learning Objectives:
• Discuss how combining Big Data with open data was useful in
reducing the impact of Ebola Virus in West African nations.
Lecture No 23:
Learning Objectives:
Personal Information in Databases
Institutions that store personal information include banks and the financial
sector; cable TV, telephone, and utility companies; employers; mortgage
companies; hospitals; schools and universities; retail establishments;
government agencies; and many others.
Some of the major concerns about the information you provide are as follows:
• Do you know where the records are?
• Are the records accurate?
• Can you change inaccurate data?
• How long will it take to make a change?
• Under what circumstances will the personal data be released?
• How are the data used?
• To whom are the data given or sold?
• How secure are the data against access by unauthorized people?
Information on Internet Bulletin Boards, Newsgroups, and Social Networking Sites
• We find electronic bulletin boards, newsgroups, electronic
discussions such as chat rooms, and social networking sites.
• A blog, short for “Weblog,” is an informal, personal journal that is
frequently updated and is intended for general public reading.
• Blogs may involve disseminating information that may be offensive
to readers or simply untrue.
• This is a difficult problem involving the conflict between freedom of
speech and privacy.
• Many Web sites contain anonymous, derogatory information on
individuals, who typically have little recourse in the matter.
• The vast majority of U.S. firms use the Internet when examining job
applications, including searching on Google and on social networking sites.
• Consequently, derogatory information on the Internet can harm a person’s
chances of being hired.
Privacy Codes and Policies
• Privacy policies or privacy codes are an organization’s guidelines for
protecting the privacy of its customers, clients, and employees.
• Senior management has started to understand that it must protect personal
information.
• Many organizations provide customers with opt-out choices (a form of
informed consent), which permit the company to collect personal information
until the customer specifically requests that it stop.
• Privacy advocates prefer the opt-in model of informed consent, which
prohibits an organization from collecting any personal information unless
the customer specifically authorizes it.
• One privacy tool available to consumers is the Platform for Privacy
Preferences (P3P), a protocol that automatically communicates
privacy policies between an electronic commerce Web site and
visitors to that site.
• P3P enables visitors to determine the types of personal data that can
be extracted by the sites they visit. It also allows visitors to compare
a site’s privacy policy to the visitors’ preferences or to other
standards, such as the Federal Trade Commission’s (FTC) Fair
Information Practices Standard or the European Directive on Data
Protection.
• Despite privacy codes & policies, and opt-out and opt-in models,
guarding whatever is left of one’s privacy is becoming increasingly
difficult.
Privacy Policy Guidelines
Data Collection
- Data should be collected on individuals only for the purpose of
accomplishing a legitimate business objective.
- Data should be adequate, relevant, and not excessive in relation to
the business objective.
- Individuals must give their consent before data pertaining to them
can be gathered.
- Such consent may be implied from the individual’s actions (e.g.,
applications for credit, insurance, or employment).
Data Accuracy
- Sensitive data gathered on individuals should be verified before they are
entered into the database.
- Data should be kept current, where and when necessary.
- The file should be made available so that the individual can ensure that
the data are correct.
- In any disagreement about the accuracy of the data, the individual’s
version should be noted and included with any disclosure of the file.
Data Confidentiality
- Computer security procedures should be implemented to ensure
against unauthorized disclosure of data. These procedures should
include physical, technical, and administrative security measures.
- Third parties should not be given access to data without the
individual’s knowledge or permission, except as required by law.
- Disclosures of data, other than the most routine, should be noted and
maintained for as long as the data are maintained.
- Data should not be disclosed for reasons incompatible with the
business objective for which they are collected.
International Aspects of Privacy
• As the number of online users has increased globally, governments
throughout the world have enacted a large number of inconsistent
privacy and security laws.
• Approximately 80-100 countries have some form of data protection
laws, but these laws conflict with those of other countries, or they
require specific security measures. Other countries have no privacy
laws at all.
• The absence of consistent or uniform standards for privacy and
security obstructs the flow of information among countries
(transborder data flows).
• In 1998 the European Community Commission (ECC) issued
guidelines to all of its member countries regarding the rights of
individuals to access information about themselves. The EU data
protection laws are stricter than the U.S. laws and therefore could
create problems for the U.S.-based multinational corporations,
which could face lawsuits for privacy violations.
• To bridge the different privacy approaches, the U.S. Department of
Commerce, in consultation with the European Union, developed a
“safe harbor” framework to regulate the way that the U.S.
companies export and handle the personal data (e.g., names and
addresses) of European citizens.
Lecture No 25:
Learning Objectives:
Information Security
• It is difficult, if not impossible, for organizations to provide perfect
security for their data.
• There is a growing danger that countries are engaging in economic
cyberwarfare among themselves.
• It appears that it is impossible to secure the Internet. (our personally
identifiable, private data is not secure)
• Large organizations have greater resources to resolve and survive
the problem.
• But small businesses have fewer resources and therefore can be
destroyed by a data breach.
• For large companies, the average cost of a data breach was almost
$4 million in 2015.
• The annual global cost of cybercrime is estimated to be
approximately $400 billion.
• Employee negligence causes many of the data breaches.
Introduction to Information Security
• Security can be defined as the degree of protection against criminal
activity, danger, damage, and/or loss.
• Information security refers to all of the processes and policies designed
to protect an organization’s information and information systems (IS) from
unauthorized access, use, disclosure, disruption, modification, or
destruction.
• A threat to an information resource is any danger to which a system may
be exposed.
• The exposure of an information resource is the harm, loss, or damage that
can result if a threat compromises that resource.
• An information resource’s vulnerability is the possibility that the system
will be harmed by a threat.
Key factors contributing to the increasing vulnerability of organizational
information resources:
1. Today’s interconnected, interdependent, wirelessly networked business
environment.
2. Smaller, faster, cheaper computers and storage devices.
3. The decreasing skills necessary to be a computer hacker.
4. International organized crime taking over cybercrime.
5. Lack of management support.
Categories of Threats
1. Unintentional Threats - acts performed without malicious
intent that nevertheless represent a serious threat to
information security.
Unintentional Threats to Information Systems
http://docshare01.docshare.tips/files/31709/317098453.pdf
Types of Unintentional Threats
1. Human Errors
Types of Unintentional Threats
2. Social Engineering
Tailgating is a technique designed to allow the perpetrator to enter
restricted areas that are controlled with locks or card entry.
Lecture No 26:
Deliberate Threats
Learning Objectives:
Deliberate Threats to Information Systems
The top 10 deliberate threats are listed below.
1. Espionage or trespass
2. Information extortion
3. Sabotage or vandalism
4. Theft of equipment or information
5. Identity theft
6. Compromises to intellectual property
7. Software attacks
8. Alien software
9. Supervisory Control and Data Acquisition (SCADA) attacks
10. Cyberterrorism and cyberwarfare
Types of Deliberate Threats
1. Espionage or trespass
Types of Deliberate Threats
2. Information Extortion
Types of Deliberate Threats
3. Sabotage or Vandalism
Types of Deliberate Threats
4. Theft of Equipment or Information
Types of Deliberate Threats
5. Identity Theft
Types of Deliberate Threats
6. Compromises to Intellectual Property
Types of Deliberate Threats
7. Software Attacks
Types of Deliberate Threats
8. Alien Software (Pestware)
Types of Deliberate Threats
9. Supervisory Control and Data Acquisition (SCADA) Attacks
What Organizations Are Doing to Protect Information Resources
• Difficulties in Protecting Information Resources
Lecture No 27:
Learning Objectives:
What Organizations Are Doing to Protect Information Resources
• Another reason is that the online commerce industry is not
particularly willing to install safeguards that would make
completing transactions more difficult or complicated.
• It is extremely difficult to catch perpetrators.
• Organizing an appropriate defense system is one of the major
responsibilities of any sensible CIO as well as of the functional
managers who control information resources.
• Organizations spend much time and money protecting their
information resources after performing Risk Management.
What Organizations Are Doing to Protect Information Resources
About Risk
• Who does it? Everyone involved in the process.
• Importance: being prepared to avoid or manage risks is a key part of good
project management.
• Strategies: reactive and proactive.
What Organizations Are Doing to Protect Information Resources
Risk Management
• In risk mitigation, the organization takes concrete actions against risks.
It has the following two functions:
1. implementing controls to prevent identified threats from occurring;
2. developing a means of recovery if the threat becomes a reality.
• There are several risk mitigation strategies that organizations can adopt.
a. Risk acceptance: Accept the potential risk, continue operating with no
controls, and absorb any damages that occur.
b. Risk limitation: Limit the risk by implementing controls that minimize
the impact of the threat.
c. Risk transference: Transfer the risk by using other means to compensate
for the loss, such as by purchasing insurance.
Information Security Controls
Information Security Controls
1. Physical Controls
• Prevent unauthorized individuals from gaining access to a company’s
facilities.
• Common physical controls include walls, doors, fencing, gates, locks,
badges, guards, and alarm systems.
• Other physical controls: pressure sensors, temperature sensors, and motion
detectors.
• Guards have very difficult jobs: the work is boring and repetitive and not
well paid. Some employees also harass them.
• Organizations also limit computer users to acceptable login times and
locations, limit the number of unsuccessful login attempts, and require all
employees to log off their computers when they leave for the day.
Information Security Controls
2. Access Controls
Authentication
• Something the user is, also known as biometrics, examines a person’s
distinctive physical characteristics.
• Common biometric applications are fingerprint scans, palm scans, retina
scans, iris recognition, and facial recognition.
• The Unique Identification Project, also known as Aadhaar, which means
“the foundation,” was instituted by the Indian Government. (reason??)
• Something the user has is an authentication mechanism that includes
regular identification (ID) cards, smart ID cards, and tokens.
• Something the user knows is an authentication mechanism that includes
passwords and passphrases. Passwords present a huge information security
problem in all organizations. (???)
• In reality, however, passwords by themselves can no longer protect us,
regardless of how unique or complex we make them.
• To identify authorized users more efficiently and effectively,
organizations are implementing a strategy known as multifactor
authentication.
• This system is particularly important when users log in from remote
locations.
• Single-factor authentication: simply a password.
• Two-factor authentication: a password plus one type of biometric
identification.
• Three-factor authentication: a combination of three authentication
methods.
Fast Identity Online (FIDO) Alliance
• Here, identifiers such as a person’s fingerprint or iris scan will not be
sent over the Internet.
• Rather, they will be checked locally. The only data transferred over the
Internet are cryptographic keys.
• Eg.
The basic guidelines for creating strong passwords are:
• They should be difficult to guess.
• They should be long rather than short.
• They should have uppercase letters, lowercase letters, numbers, and special
characters.
• They should not be recognizable words.
• They should not be the name of anything or anyone familiar, such as family
names or names of pets.
• They should not be a recognizable string of numbers, such as a Social
Security number or a birthday.
• A passphrase is a series of characters that is longer than a password but
is still easy to memorize.
• Examples of passphrases are “maytheforcebewithyoualways” and
“goaheadmakemyday.”
• A passphrase can help you create a strong password.
• Take the first letter of each word of “goaheadmakemyday”: you will have
“gammd.”
• Then, capitalizing alternate letters, “GaMmD.”
• Finally, adding a digit and special characters, “9GaMmD//*.”
• You now have a strong password that you can remember.
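A worked version of the passphrase-to-password procedure above, together with a check against the password guidelines on the preceding slide, as an added Python example that is not part of the lecture. The alternate-capitalisation rule, the “9” prefix and “//*” suffix, the 8-character minimum and the small word and name lists are assumptions chosen to reproduce the slide’s “9GaMmD//*” example:

```python
"""Derive a password from a passphrase and check it against the slide's guidelines."""
import re

# Assumed minimum length: the slide only says "long rather than short".
MIN_LENGTH = 8
# Constructed word and name lists standing in for a real dictionary and for
# "anything or anyone familiar"; a deployment would use far larger lists.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey"}
FAMILIAR_NAMES = {"ladge", "rover", "fluffy", "mumbai"}


def derive_password(words, prefix="9", suffix="//*"):
    """Turn the words of a passphrase into a password the way the slide does.

    The prefix/suffix defaults reproduce the slide's example; a user should
    pick their own so that the result is not predictable from the passphrase.
    """
    initials = "".join(w[0] for w in words if w)             # go ahead make my day -> gammd
    mixed = "".join(c.upper() if i % 2 == 0 else c.lower()   # gammd -> GaMmD (assumed rule)
                    for i, c in enumerate(initials))
    return f"{prefix}{mixed}{suffix}"                        # GaMmD -> 9GaMmD//*


def check_password(pw):
    """Return the list of guideline violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = pw.lower()
    if lowered in COMMON_WORDS:
        problems.append("is a recognizable word")
    if any(name in lowered for name in FAMILIAR_NAMES):
        problems.append("contains a familiar name")
    # A run of six or more digits (a birthday or an SSN-like string) counts as
    # a recognizable string of numbers; the six-digit threshold is an assumption.
    if re.search(r"\d{6,}", pw):
        problems.append("contains a recognizable string of numbers")
    return problems


if __name__ == "__main__":
    pw = derive_password(["go", "ahead", "make", "my", "day"])
    print(pw, check_password(pw) or "passes all guidelines")
```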
Lecture No 28:
Learning Objectives:
Information Security Controls
2. Access Controls
Authorization
• A process in which an authenticated person is given rights and privileges
on an organization’s systems.
• A privilege is a collection of related computer system operations that a
user is authorized to perform.
• Users can be granted the privilege for an activity only if there is a
justifiable need for them to perform that activity.
Information Security Controls
Firewalls
• A firewall is a system that prevents a specific type of information from
moving between untrusted networks, such as the Internet, and private
networks.
• All messages entering or leaving your company’s network pass through a
firewall. The firewall examines each message and blocks those that do not
meet specified security rules.