Chap5-Security and Ethical Challenges of E-Business


CHAPTER 5
Security and Ethical Challenges of E-Business
Why Study Challenges of IT?
• Information technology in business presents major security challenges, poses serious ethical questions, and affects society in significant ways.
IT Security, Ethics and Society
[Figure: Business/IT Security, Ethics and Society at the centre, surrounded by Employment, Health, Privacy, Individuality, Crime, and Work Conditions]
Ethical Responsibility
• Business professionals have a responsibility to promote ethical uses of information technology in the workplace.
Business Ethics
Definition:
• Questions that managers must confront as part of their daily business decision making, including:
  • Equity
  • Rights
  • Honesty
  • Exercise of Corporate Power
Ethical Business Issues
Categories
Equity
• Executive Salaries
• Comparable Worth
• Product Pricing
• Intellectual Property Rights
• Noncompetitive Agreements
Rights
• Corporate Due Process
• Employee Health Screening
• Customer Privacy
• Employee Privacy
• Sexual Harassment
• Affirmative Action
• Equal Employment Opportunity
• Shareholder Interests
• Employment at Will
• Whistle-Blowing
Honesty
• Employee Conflicts of Interest
• Security of Company Information
• Inappropriate Gifts
• Advertising Content
• Government Contract Issues
• Financial and Cash Management Procedures
• Questionable Business Practices in Foreign Countries
Exercise of Corporate Power
• Product Safety
• Environmental Issues
• Disinvestment
• Corporate Contributions
• Social Issues Raised by Religious Organizations
• Plant/Facility Closures and Downsizing
• Political Action Committees
• Workplace Safety
Corporate Social Responsibility Theories
• Stockholder Theory – managers are agents of the stockholders, and their only ethical responsibility is to increase the profits of the business without violating the law or engaging in fraudulent practices
• Social Contract Theory – companies have ethical responsibilities to all members of society, which allow corporations to exist based on a social contract
Corporate Social Responsibility Theories (cont’d)
• Stakeholder Theory – managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders, which are all individuals and groups that have a stake in or claim on a company
Principles of Technology Ethics
• Proportionality – the good achieved by the technology must outweigh the harm or risk
• Informed Consent – those affected by the technology should understand and accept the risks
• Justice – the benefits and burdens of the technology should be distributed fairly
• Minimized Risk – even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk
Ethical Guidelines
• Acting with integrity
• Increasing professional competence
• Setting high standards of personal performance
• Accepting responsibility for one’s own work
• Advancing the health, privacy, and general welfare of the public
Computer Crime
• The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
• The unauthorized release of information
• The unauthorized copying of software
• Denying an end user access to his or her own hardware, software, data, or network resources
• Using or conspiring to use computer or network resources illegally to obtain information or tangible property
Cyber Crime Safeguards
Security technology used:
• Antivirus 96%
• Virtual private network 86%
• Intrusion-detection system 85%
• Content filtering/monitoring 77%
• Public-key infrastructure 45%
• Smart cards 43%
• Biometrics 19%
Security management:
• Security is about 6 to 8% of the IT budget in developed countries.
• 63% currently have or plan to establish in the next two years the position of chief security officer or chief information security officer.
• 40% have a chief privacy officer, and another 6% intend to appoint one within the next two years.
• 39% acknowledged that their systems had been compromised in some way within the past year.
• 24% have cyber risk insurance, and another 5% intend to acquire such coverage.
Hacking
Definition:
• The obsessive use of computers, or the unauthorized access and use of networked computer systems
Common Hacking Tactics
• Denial of Service – hammering a website’s equipment with too many requests for information, effectively clogging the system, slowing performance or even crashing the site
• Scans – widespread probes of the internet to determine types of computers, services, and connections
Common Hacking Tactics (cont’d)
• Sniffer – programs that covertly search individual packets of data as they pass through the internet, capturing passwords or entire contents
• Spoofing – faking an e-mail address or Web page to trick users into passing along critical information like passwords or credit card numbers
Common Hacking Tactics (cont’d)
• Trojan Horse – a program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
• Back Door – a hidden point of entry to be used in case the original entry point has been detected or blocked
Common Hacking Tactics (cont’d)
• Malicious Applets – tiny programs that misuse your computer’s resources, modify files on the hard disk, send fake e-mail, or steal passwords
• War Dialing – programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
Common Hacking Tactics (cont’d)
• Logic Bombs – an instruction in a computer program that triggers a malicious act
• Buffer Overflow – a technique for crashing or gaining control of a computer by sending too much data to a buffer in the computer’s memory
• Password Crackers – software that can guess passwords
Common Hacking Tactics (cont’d)
• Social Engineering – a tactic used to gain access to computer systems by talking unsuspecting company employees out of valuable information such as passwords
• Dumpster Diving – sifting through a company’s garbage to find information to help break into its computers
Cyber Theft
Definition:
• Computer crime involving the theft of money
Unauthorized Use
Definition:
• Time and resource theft, which may range from doing private consulting or personal finances, or playing video games, to unauthorized use of the Internet on company networks
Internet Abuses in the Workplace
• General e-mail Abuses – include spamming, harassment, chain letters, solicitations, spoofing, propagation of viruses/worms, and defamatory statements.
• Unauthorized Usage and Access – sharing of passwords and access into networks without permission.
• Copyright Infringement/Plagiarism – using illegal or pirated software that costs organizations millions of dollars because of copyright infringements; copying of websites and copyrighted material.
• Newsgroup Postings – posting of messages on various non-work-related topics from sex to lawn care advice.
• Transmission of Confidential Data – using the internet to display or transmit trade secrets.
• Pornography – accessing sexually explicit sites from the workplace as well as the display, distribution, and surfing of these offensive sites.
• Hacking – hacking of websites, ranging from denial-of-service attacks to accessing organizational databases.
• Non-Work-Related Download/Upload – propagation of software that ties up office bandwidth; use of programs that allow the transmission of movies, music, and graphical materials.
• Leisure Use of the Internet – loafing around the Internet, which includes shopping, sending e-cards and personal e-mail, gambling online, chatting, game playing, auctioning, stock trading, and doing other personal activities.
• Usage of External ISPs – using an external ISP to connect to the internet to avoid detection.
• Moonlighting – using office resources such as networks and computers to organize and conduct personal business (side jobs).
Piracy
• Software Piracy – unauthorized copying of computer programs
• Piracy of Intellectual Property – unauthorized copying of copyrighted material, such as music, video, images, articles, books, and other written works especially vulnerable to copyright infringement
Virus vs. Worm
• Computer Virus – program code that cannot work without being inserted into another program
• Worm – a distinct program that can run unaided
Privacy Issues
• Accessing individuals’ private e-mail conversations and computer records, and collecting and sharing information about individuals gained from their visits to internet websites and newsgroups
• Always knowing where a person is, especially as mobile and paging services become more closely associated with people rather than places
Privacy Issues (cont’d)
• Using customer information gained from many sources to market additional business services
• Collecting telephone numbers, e-mail addresses, credit card numbers, and other personal information to build individual customer profiles
Privacy on the Internet
• E-mail can be encrypted
• Newsgroup postings can be sent through anonymous remailers
• ISPs can be asked not to sell your name and personal information to mailing list providers and other marketers
• Decline to reveal personal data and interests on online service and website user profiles
Computer Matching
Definition:
• Using physical profiles or personal data profiling software to match individuals with data
Privacy Laws
Definition:
• Rules that regulate the collection and use of personal data by businesses
Censorship
• Spamming – indiscriminate sending of unsolicited e-mail messages to many internet users
• Flaming – sending extremely critical, derogatory, and often vulgar e-mail messages or newsgroup postings to other users on the internet or online services
Other Challenges
• Employment – significant reductions in job opportunities as well as different types of skills required for new jobs
• Computer Monitoring – computers used to monitor the productivity and behavior of employees as they work
• Working Conditions – jobs requiring a skilled craftsman have been replaced by jobs requiring routine, repetitive tasks or standby roles
• Individuality – dehumanizes and depersonalizes activities because computers eliminate human relationships
Ergonomics
Definition:
• Designing healthy work environments that are safe, comfortable, and pleasant for people to work in, thus increasing employee morale and productivity
[Figure: Ergonomics Factors. The User/Operator is at the centre of three groups of factors: The Tools (Computer, Hardware, and Software), The Tasks (Job Content and Context), and The Workstation and Environment. Factors listed include Software Design, Biomechanical and Anthropometric, Change Training, Job Satisfaction, Support Systems, Rest Breaks, Shift Work, Management Systems, Physical, Biomechanical, Lighting, Work Surfaces, Furniture, and Climate.]
Security Management
• The goals of security management are the accuracy, integrity, and safety of all information system processes and resources.
[Figure: Security Management at the centre, surrounded by Virtual Private Networks, Firewalls, Network Security Protocols, Encryption Software, Security Tools, Access Control, Intrusion Detection, Proxy Agent/Systems, and Authentication]
Internetworked Security Defenses
• Encryption – data transmitted in scrambled form and unscrambled by computer systems for authorized users only
• Firewalls – a gatekeeper system that protects a company’s intranets and other computer networks from intrusion by providing a filter and safe transfer point for access to and from the internet and other networks
Public/Private Key Encryption
1. With your encryption software, you create a “key” with two parts – one public, one private. You distribute a file containing the public part of the key to those you want to communicate with. Only you can use your private key.
2. You write an e-mail message, then use the recipient’s public key to encrypt it.
3. The encryption process puts a kind of digital lock on the message. Even if someone intercepts it en route, the message’s contents are inaccessible.
4. When the message arrives, the recipient types a test phrase. Then the software uses the private key to verify that the recipient’s public key was used for encryption.
5. Using the private key, the software unlocks the unique encryption scheme, decoding the message.
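Worked example of the five steps (added here; not code from the slides or the textbook they come from). It uses textbook RSA with tiny primes so that the two-part key, the public-key lock and the private-key unlock are all visible, and models step 4 by storing the private key masked with a passphrase-derived key. The primes, the passphrase "correct horse", the salt and the message are constructed values; real software uses 2048-bit keys, padding and a symmetric session key, so this is for following the workflow only.

```python
"""Toy walk-through of the public/private key workflow (added example)."""
import hashlib
from math import gcd

# Textbook RSA with tiny hand-picked primes so every step stays visible.
# Real software uses 2048-bit keys, OAEP padding and a symmetric session key.

def make_keypair(p, q, e=17):
    """Step 1: create a key with two parts. (e, n) is shared; (d, n) stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def wrap_private_key(private_key, passphrase, salt):
    """The private part is stored locked under a passphrase: a key derived from the
    passphrase with PBKDF2 masks d, so the key file alone is useless without the phrase."""
    d, n = private_key
    mask = int.from_bytes(hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000), "big")
    return (d ^ mask, n)

def unwrap_private_key(wrapped, passphrase, salt):
    """Step 4: typing the passphrase unlocks the private key (XOR is its own inverse)."""
    return wrap_private_key(wrapped, passphrase, salt)

def encrypt(message, public_key):
    """Steps 2-3: the sender locks each byte with the recipient's PUBLIC key."""
    e, n = public_key
    return [pow(b, e, n) for b in message.encode("utf-8")]

def decrypt(ciphertext, private_key):
    """Step 5: only the matching PRIVATE key reverses the lock. Returns None when the
    key does not fit (a wrong key yields values that are not bytes at all)."""
    d, n = private_key
    plain = [pow(c, d, n) for c in ciphertext]
    if any(b > 255 for b in plain):
        return None
    return bytes(plain).decode("utf-8", errors="replace")

# Constructed demo: Alice publishes her public key, Bob writes to her.
SALT = b"constructed-salt"
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair(61, 53)          # n = 3233
ALICE_WRAPPED = wrap_private_key(ALICE_PRIVATE, "correct horse", SALT)
BOB_PUBLIC, BOB_PRIVATE = make_keypair(97, 89)              # an unrelated key pair

def demo():
    message = "Meet at noon"
    sealed = encrypt(message, ALICE_PUBLIC)
    alice_key = unwrap_private_key(ALICE_WRAPPED, "correct horse", SALT)
    return {
        "alice_reads": decrypt(sealed, alice_key),
        "wrong_passphrase": decrypt(sealed, unwrap_private_key(ALICE_WRAPPED, "wrong phrase", SALT)),
        "bob_tries": decrypt(sealed, BOB_PRIVATE),
    }

if __name__ == "__main__":
    print(demo())
```

Only the private key that matches the public key used for sealing recovers the text; a wrong passphrase or someone else's private key produces garbage or nothing, which is the property step 3 relies on.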
Internet and Intranet Firewalls
1. External firewall keeps out unauthorized internet users.
2. Internal firewall prevents users from accessing sensitive human resources or financial data.
3. Passwords and browser security features control access to specific intranet resources.
4. Intranet server features provide authentication and encryption where applicable.
5. Network interface software is carefully crafted to avoid creating security holes to back end resources.
[Figure: network diagram showing the Internet, routers, the external and internal firewalls, and the Internet and intranet servers, with callouts 1 to 5 marking where each control applies]
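The external and internal firewalls in callouts 1 and 2 are ordinary packet filters: rules are checked in order, the first match decides, and anything unmatched is denied. The following is an added example, not code from the slides; the subnets (203.0.113.10 as the public web server, 10.99.0.0/24 as the HR/finance servers, 10.20.0.0/24 as the HR subnet), the ports and the sample flows are constructed for illustration.

```python
"""First-match rule evaluation for the two firewalls in the diagram (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None matches any destination port
    note: str

def net(cidr):
    return ipaddress.ip_network(cidr)

# Callout 1: the external firewall lets Internet users reach only the public
# web server, and only on HTTPS. Everything else is dropped.
EXTERNAL_FIREWALL = [
    Rule("allow", net("0.0.0.0/0"), net("203.0.113.10/32"), 443, "Internet -> public web server (HTTPS)"),
    Rule("deny",  net("0.0.0.0/0"), net("0.0.0.0/0"),       None, "default deny"),
]

# Callout 2: the internal firewall keeps ordinary intranet users away from the
# HR/finance servers (10.99.0.0/24); only the HR subnet may reach them.
INTERNAL_FIREWALL = [
    Rule("allow", net("10.20.0.0/24"), net("10.99.0.0/24"), 1433, "HR subnet -> HR/finance database"),
    Rule("deny",  net("0.0.0.0/0"),    net("10.99.0.0/24"), None, "HR/finance data closed to everyone else"),
    Rule("allow", net("10.0.0.0/8"),   net("10.0.0.0/8"),   None, "general intranet traffic"),
    Rule("deny",  net("0.0.0.0/0"),    net("0.0.0.0/0"),    None, "default deny"),
]

def evaluate(rules, src_ip, dst_ip, dport):
    """Return (action, note) of the first rule that matches; deny if none does."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.note
    return "deny", "implicit default deny"   # a filter must fail closed

# Constructed sample flows: (firewall, source, destination, destination port)
SAMPLE_FLOWS = [
    ("external", "198.51.100.23", "203.0.113.10", 443),   # customer browsing the web server
    ("external", "198.51.100.23", "203.0.113.10", 22),    # same host trying SSH
    ("external", "198.51.100.23", "10.99.0.5",    1433),  # Internet host aiming at HR data
    ("internal", "10.20.0.14",    "10.99.0.5",    1433),  # HR workstation
    ("internal", "10.30.0.77",    "10.99.0.5",    1433),  # sales workstation
    ("internal", "10.30.0.77",    "10.40.0.9",    80),    # sales -> intranet web
]

def run_sample():
    """Decisions for the constructed flows, in the same order."""
    tables = {"external": EXTERNAL_FIREWALL, "internal": INTERNAL_FIREWALL}
    return [evaluate(tables[fw], s, d, p)[0] for fw, s, d, p in SAMPLE_FLOWS]

if __name__ == "__main__":
    for flow, decision in zip(SAMPLE_FLOWS, run_sample()):
        print(flow, "->", decision)
```

The last rule in each table, and the fallback in evaluate, are what make the filter fail closed: a flow nobody thought about is dropped rather than forwarded.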
Denial of Service Defenses
• At the zombie machines – set and enforce security policies
• At the ISP – monitor and block traffic spikes
• At the victim’s website – create backup servers and network connections
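The "monitor and block traffic spikes" defence comes down to counting requests per source over a short time window. Added example, not from the slides: a sliding-window check over web server access logs in Common Log Format. The log lines, the flooding address 198.51.100.7, the 10-second window and the limit of 20 requests per source are constructed values.

```python
"""Sliding-window traffic spike detection over access logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (source_ip, timestamp) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def find_spikes(lines, window_seconds=10, per_source_limit=20):
    """Flag every source that sends more than per_source_limit requests inside any
    window_seconds-long window, and report the busiest window overall.
    Returns (flagged_sources, peak_requests_in_window)."""
    events = sorted((e for e in map(parse_line, lines) if e is not None), key=lambda e: e[1])
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(deque)
    overall = deque()
    flagged, peak = set(), 0
    for ip, ts in events:
        for q in (per_source[ip], overall):
            q.append(ts)
            while ts - q[0] > window:      # drop requests that fell out of the window
                q.popleft()
        if len(per_source[ip]) > per_source_limit:
            flagged.add(ip)
        peak = max(peak, len(overall))
    return flagged, peak

def format_line(ts, ip, request, status):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{request}" {status} 512'

def build_sample_log():
    """Constructed sample: one source floods the site while three others browse normally."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = [format_line(base + timedelta(milliseconds=200 * i), "198.51.100.7", "GET / HTTP/1.1", 200)
             for i in range(40)]                                   # 40 requests in 8 seconds
    for i, ip in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        lines.append(format_line(base + timedelta(seconds=3 * i), ip, "GET /index.html HTTP/1.1", 200))
    lines.append("garbage line that should be skipped")
    return lines

if __name__ == "__main__":
    flagged, peak = find_spikes(build_sample_log())
    print("sources to rate-limit or block:", sorted(flagged))
    print("peak requests in a 10 s window:", peak)
```

The per-source count is what an ISP or upstream filter would act on; the overall peak is the figure the victim's site needs when sizing the backup servers and connections in the third bullet.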
Internetworked Security Defenses
• E-mail Monitoring – use of content monitoring software that scans for troublesome words that might compromise corporate security
• Virus Defenses – centralize the distribution and updating of antivirus software
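The e-mail monitoring bullet describes content monitoring software that scans for troublesome words. Added example, not from the slides: a small scanner that flags messages containing listed terms or payment-card-like numbers, using the Luhn checksum so that ordinary 16-digit order references are not reported. The term list, the addresses and the messages are constructed; 4111 1111 1111 1111 is a standard test card number, not a real one.

```python
"""Outbound e-mail content monitor (added example)."""
import re

# Terms whose appearance in outbound mail should be reviewed (constructed list).
TROUBLESOME_TERMS = ("confidential", "trade secret", "internal only", "password")
# 13-19 digits with optional single spaces or dashes between them.
CARD_LIKE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_message(msg):
    """Return (category, evidence) findings for one message dict with a 'body' key."""
    findings = []
    body = msg["body"]
    lowered = body.lower()
    for term in TROUBLESOME_TERMS:
        if term in lowered:
            findings.append(("troublesome_term", term))
    for match in CARD_LIKE.finditer(body):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            # Report only the last four digits: the monitor must not itself leak the number.
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    return findings

def monitor(messages):
    """Return {message id: findings} for the messages that need review."""
    report = {}
    for msg in messages:
        findings = scan_message(msg)
        if findings:
            report[msg["id"]] = findings
    return report

# Constructed sample traffic (addresses use reserved example domains).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "alice@example.com", "to": "partner@example.net",
     "body": "Here is the card for the booking: 4111 1111 1111 1111, thanks"},
    {"id": "m2", "from": "bob@example.com", "to": "supplier@example.net",
     "body": "Order ref 4111 1111 1111 1112 shipped yesterday."},
    {"id": "m3", "from": "carol@example.com", "to": "friend@example.org",
     "body": "Attached is the CONFIDENTIAL Q3 pricing sheet, please do not forward."},
    {"id": "m4", "from": "dave@example.com", "to": "erin@example.com",
     "body": "Lunch at noon?"},
]

if __name__ == "__main__":
    for msg_id, findings in monitor(SAMPLE_MESSAGES).items():
        print(msg_id, findings)
```

Keyword matching alone generates many false alarms; the Luhn check is the kind of validation step that keeps a monitor's output small enough that someone actually reads it.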
Other Security Measures
• Security Codes – multilevel password system used to gain access into the system
• Backup Files – duplicate files of data or programs
• Security Monitors – software that monitors the use of computer systems and networks and protects them from unauthorized use, fraud, and destruction
Other Security Measures (cont’d)
• Biometrics – computer devices that measure physical traits that make each individual unique
• Computer Failure Control – devices used to prevent computer failure or minimize its effects
Other Security Measures (cont’d)
• Systems that have redundant processors, peripherals, and software that provide a:
  • Fail-over capability to back up components in the event of system failure
  • Fail-safe capability where the computer system continues to operate at the same level even if there is a major hardware or software failure
Disaster Recovery
• Formalized procedures to follow in the event a disaster occurs, including:
  • Which employees will participate
  • What their duties will be
  • What hardware, software, and facilities will be used
  • Priority of applications that will be processed
  • Use of alternative facilities
  • Offsite storage of an organization’s databases
Information Systems Controls
Definition:
• Methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities
Information Systems Controls
[Figure: four groups of controls]
Input Controls: Security Codes, Encryption, Data Entry Screens, Control Totals, Error Signals
Processing Controls: Software Controls, Hardware Controls, Firewalls, Checkpoints
Output Controls: Security Codes, Encryption, Control Totals, Control Listings, End User Feedback
Storage Controls: Security Codes, Encryption, Backup Files, Library Procedures, Database Administration
Security Management for Internet Users
1. Use antivirus and firewall software and update it often to keep destructive programs off your computer.
2. Don’t allow online merchants to store your credit card information for future purchases.
3. Use a hard-to-guess password that contains a mix of numbers and letters, and change it frequently.
4. Use different passwords for different websites and applications to keep hackers guessing.
5. Install all operating system patches and upgrades.
6. Use the most up-to-date version of your Web browser, e-mail software, and other programs.
7. Send credit card numbers only to secure sites; look for a padlock or key icon at the bottom of the browser.
8. Use a security program that gives you control over “cookies” that send information back to websites.
9. Install firewall software to screen traffic if you use DSL or a cable modem to connect to the Net.
10. Don’t open e-mail attachments unless you know the source of the incoming message.
Auditing IT Security
• IT security audits review and evaluate whether proper and adequate security measures and management policies have been developed and implemented.
• This typically involves verifying the accuracy and integrity of the software used, as well as the input of data and output produced by business applications.
END OF LESSON
