MIS8 CH 05


Chapter 5

Ethics, Privacy and Information Security
Chapter Outline
5.1 Ethical Issues
5.2 Threats to Information Security
5.3 Protecting Information Resources

Learning Objectives
Describe the major ethical issues related to information technology and identify situations in which they occur.

Describe threats to information security.

Understand the various defense mechanisms used to protect information systems.
5.1 Ethical Issues
Ethics. A branch of philosophy that deals with what is considered to be right and wrong.

A Code of Ethics is a collection of principles that are intended to guide decision making by members of an organization.
The Four Categories of Ethical Issues
1. Privacy Issues involve collecting, storing and disseminating information about individuals.
Privacy. The right to be left alone and to be free of unreasonable personal intrusions.
Two rules have been followed in past court decisions in many countries:
• The right of privacy is not absolute. Privacy must be balanced against the needs of society.
• The public’s right to know is superior to the individual’s right of privacy.
Privacy Issues…contd.
Electronic Surveillance. The tracking of people’s activities, online or offline, with the aid of computers.

Personal Information in Databases. Information about individuals is being kept in many databases: banks, hospitals, government agencies, credit-reporting agencies, etc.
The Four Categories of Ethical Issues…contd
2. Property Issues involve the ownership and value of information.

Intellectual property. Property created by individuals or corporations which is protected under trade secret, patent, and copyright laws.
Intellectual Property
i. Trade secret. Intellectual work, such as a business plan, that is a company secret and is not based on public information.
ii. Patent. Document that grants the holder exclusive rights on an invention or process for 20 years.
iii. Copyright. Statutory grant that provides creators of intellectual property with ownership of the property for the life of the creator plus 70 years.
iv. Piracy. Copying a software program without making payment to the owner.
The Four Categories of Ethical Issues…contd
3. Accuracy Issues involve the authenticity and accuracy of information that is collected and processed.
• Publishing or distribution of obscene content in electronic form (false text, pictures, video, etc.)
• Defamation of individuals (public figures) or organizations through e-mail or social media
The Four Categories of Ethical Issues… contd
4. Accessibility Issues revolve around who should have access to information and whether they should have to pay for this access.

Examples: vacancy announcements, bid announcements.
5.2 Threats to Information Security
A threat to an information resource is any danger to which a system may be exposed.

A system’s vulnerability is the possibility that the system will suffer harm by a threat.

Information system controls are the procedures, devices, or software aimed at preventing a compromise to the system.
Unintentional Threats
1. Human errors
• Can occur in the design of the hardware, software, database or network of an information system.
• Can also occur in programming, testing, data collection, data entry, authorization and procedures.
• Contribute to more than 50% of control and security-related problems in organizations.
Unintentional Threats (Continued)
2. Environmental hazards
Include earthquakes, severe storms, floods, power failures or strong fluctuations, fires (the most common hazard), explosions, etc.
Security controls against environmental hazards:
• Backup copy stored in a remote location (such as a Storage Area Network (SAN))
• Uninterruptible Power Supply (UPS)
• Power stabilizer
• Fire extinguisher
• Air conditioner (fan)
Intentional Threats
Cybercrimes are fraudulent activities committed using computers and communications networks, particularly the Internet.
• Publishing or distribution of obscene content in electronic form
• Frauds using electronic documents
• Violation of copyright, trademark or patent rights
• Violation of privacy rights
• Defamation through e-mail or social media
Intentional Threats (Continued)
Hacker. An outside person who has penetrated a computer system, usually with no criminal intent.
Cracker. A malicious hacker.
Social engineering. Computer criminals or corporate spies get around security systems by building an inappropriate trust relationship with insiders.
Espionage
The act of an unauthorized individual gaining access to information that an organization is trying to protect.
Industrial espionage occurs in areas where researching information about the competition goes beyond the legal limits.
Governments practice industrial espionage against companies in other countries.
Shoulder surfing is looking at a computer monitor or ATM screen over another person’s shoulder.
Information Extortion
When an attacker or formerly trusted employee steals information from a computer system and then demands compensation for its return or an agreement not to disclose it.
Sabotage or Vandalism
A popular type of online vandalism is hacktivist or cyberactivist activity.
Hacktivists or cyberactivists use technology for high-tech civil disobedience to protest the operations, policies, or actions of an individual, an organization, or a government agency.
Sabotage or Vandalism (Continued)
Cyber terrorism is a premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against noncombatant targets by sub-national groups or clandestine agents.
Theft
Theft is the illegal taking of property that belongs to another individual or organization.
Identity Theft:
A crime in which someone uses the personal information of others, usually obtained from the Internet, to create a false identity and then commits fraud.
It is the fastest-growing white-collar crime.
Software Attacks
Malicious software (malware) is designed to damage, destroy, or deny service to the targeted systems.
The most common types of software attacks are viruses, worms, Trojan horses, logic bombs, back doors and denial-of-service attacks.
Software Attacks (Continued)
Viruses. Segments of computer code that perform unintended actions ranging from merely annoying to destructive.

Denial-of-service. An attacker sends so many information requests to a target system that the target cannot handle them successfully, which can crash the entire system.
5.3 Protecting Information Resources
Risk. The probability that a threat will impact an information resource.
Risk management. To identify, control and minimize the impact of threats.
Risk analysis. To assess the value of each asset being protected, estimate the probability it might be compromised, and compare the probable costs of it being compromised with the cost of protecting it.
Protecting Information Resources (Continued)
Risk mitigation is when the organization takes concrete actions against risk. It has two functions:
(1) implementing controls to prevent identified threats from occurring, and
(2) developing a means of recovery should the threat become a reality.
Risk Mitigation Strategies
Risk acceptance. Accept the potential risk, continue operating with no controls, and absorb any damages that occur.
Risk limitation. Limit the risk by implementing controls that minimize the impact of a threat.
Risk transference. Transfer the risk by using other means to compensate for the loss, such as purchasing insurance.
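The risk analysis steps of 5.3 (asset value, probability of compromise, cost of protection) and the three mitigation strategies above, carried through as an added worked example that is not part of the chapter. The assets, figures and the simplifying assumption that insurance covers the loss in full are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    """One information resource; all figures are per year."""
    name: str
    value: float                  # loss if the asset is compromised
    probability: float            # estimated probability of compromise
    control_cost: float           # cost of the control that would limit the risk
    control_effectiveness: float  # fraction of expected loss the control removes (0..1)
    insurance_premium: Optional[float] = None  # premium if the loss can be transferred

def expected_loss(asset: Asset) -> float:
    """Risk analysis: asset value times the probability it is compromised."""
    return asset.value * asset.probability

def strategy_costs(asset: Asset) -> dict:
    """Yearly cost of each of the chapter's three risk mitigation strategies.
    accept: no controls, absorb the whole expected loss.
    limit: pay for the control, absorb the residual expected loss.
    transfer: pay the premium (assumption: the insurer covers the loss in full)."""
    loss = expected_loss(asset)
    costs = {
        "accept": loss,
        "limit": asset.control_cost + loss * (1.0 - asset.control_effectiveness),
    }
    if asset.insurance_premium is not None:
        costs["transfer"] = asset.insurance_premium
    return costs

def recommend(asset: Asset) -> str:
    """Compare the probable costs and pick the cheapest strategy."""
    costs = strategy_costs(asset)
    return min(costs, key=costs.get)

# Constructed sample assets (not from the chapter).
ASSETS = [
    Asset("customer database", 500_000, 0.10, 20_000, 0.80, insurance_premium=35_000),
    Asset("marketing website", 5_000, 0.20, 3_000, 0.90),
    Asset("warehouse servers (fire)", 200_000, 0.02, 6_000, 0.95, insurance_premium=3_500),
]

def risk_plan(assets=ASSETS) -> dict:
    return {a.name: recommend(a) for a in assets}

if __name__ == "__main__":
    for a in ASSETS:
        print(f"{a.name}: expected loss {expected_loss(a):,.0f} -> {recommend(a)}")
```

Each asset ends up with a different strategy: the database is worth protecting with controls, the cheap website is simply accepted, and the low-probability fire loss is cheaper to insure than to prevent.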
Controls
• Controls evaluation. Identifies security deficiencies and calculates the costs of implementing adequate control measures.
1. General controls. Established to protect the system regardless of their application.
– Physical controls. Physical protection of computer facilities and resources.
– Access controls. Restriction of unauthorized user access to computer resources; use biometrics and password controls for user identification.
Controls (Continued)
2. Communications (network) controls. Protect the movement of data across networks and include border security controls, authentication and authorization.
Firewalls. A system that enforces an access-control policy between two networks.
Encryption. The process of converting an original message into a form that cannot be read by anyone except the intended receiver.
Controls (Continued)
3. Virtual Private Networking. Uses the Internet to carry information within a company and among business partners, but with increased security through the use of encryption, authentication and access control.
4. Application controls. Controls that protect specific applications and include input, processing and output controls.