Information Security and Ethics: Concepts, Methodologies, Tools, and Applications

Article · January 2007

Hamid Nemati
University of North Carolina at Greensboro

Source: https://www.researchgate.net/publication/237344283



Introductory Chapter:
Information Security and Ethics

Hamid Nemati
The University of North Carolina at Greensboro, USA

This book is dedicated to those whose ethics transcend their security fears.

Hamid R. Nemati

ABSTRACT

Information security and ethics has been viewed as one of the foremost areas of concern and interest by academic researchers and industry practitioners. Information security and ethics is defined as an all-encompassing term that refers to all activities needed to secure information and the systems that support it in order to facilitate its ethical use. In this introductory chapter, this very important field of study is
introduced and the fundamental concepts and theories are discussed. A broad discussion of tools and
technologies used to achieve the goals of information security and ethics is followed by a discussion of
guidelines for the design and development of such tools and technologies. Managerial, organizational
and societal implications of information security and ethics are then evaluated. The chapter concludes
after an assessment of a number of future developments and activities on the horizon that will have an
impact on this field.

INTRODUCTION

Information defines us. It defines the age we live in and the societies we inhabit. Information is the output
of our human intellectual endeavors which inherently defines who we are as humans and how we conduct our lives. We speak of the age we live in as the “information age” and our society as “information
society.” The emergence of the society based on information signals a transition toward a new society
based on the production and exchange of information as opposed to physical goods (Stephanidis et al.,
1984). Information society refers to the new socioeconomic and technological paradigms that affect
our human activities, individual behaviors, our collective consciousness, and our economic and social
environments. The information age has important consequences for our lives as well. Essentially, it has
ushered in a new range of emerging computer-mediated activities that have revolutionized the way we live and interact with one another (Mesthene, 1968; Nardi, 1996; Stephanidis et al., 1984). More people are employed generating, collecting, handling, processing and distributing information than in any other profession at any other time (Mason, 1986). New technology makes possible what was not possible
before. This alters our old value clusters whose hierarchies were determined by a range of possibili-
ties open to us at the time. By making available new options, new technologies can and will lead to a
restructuring of the hierarchy of values (Mesthene, 1968). Mason argues that unique challenges facing
our information society are the result of the evolving nature of information itself. Our modern notion of
who we are and how we interact with information is based on the works of Greek philosopher Aristotle.
Aristotle’s theory of animal behavior treats animals as information-processing entities. Bynum (2006)
states “that the physiology of an animal, according to Aristotle determines: (1) the kinds of perceptual
information that the animal can take in, (2) how this information is processed within the animal’s body,
and (3) what the resulting animal behavior will be.” Bynum goes on to say that according to Aristotle,
the most sophisticated information processing occurs in human beings. This human capacity to process
information and to engage in rational thinking is what Aristotle refers to as intellect. This intellect is the
foundation by which humans can engage in complex activities such as “concept formation”, “reasoning”,
and “decision making” (Bynum, 2006). Therefore, to facilitate information and its processing is akin to enhancing the human intellectual activities that uniquely distinguish us from other beings.
We are the first generation of humans for whom the capabilities of the technologies that support our information processing activities are truly revolutionary and far exceed those of our forefathers. Although this technological revolution has brought us closer and has made our lives easier and more productive, paradoxically, it has also made us more capable of harming one another and more vulnerable to being harmed by each other. Our vulnerabilities are the consequence of our capabilities. Mason argues that in this age of information, a new form of social contract is needed in order to deal with the potential threats to the information which defines us. Mason (1986) states “Our moral imperative is clear. We must insure that information technology, and the information it handles, are used to enhance the dignity of mankind. To achieve these goals we must formulate a new social contract, one that ensures everyone the right to fulfill his or her own human potential” (Mason, 1986, p 26). In light of the Aristotelian notion of the intellect, this new social contract has a profound implication for the way our society views information and the technologies that support it. For information technology (IT) to enhance “human dignity,” it should assist humans in exercising their intellects ethically. But is it possible to achieve this without assuring the trustworthiness of information and the integrity of the technologies we are using? Without security that guarantees the trustworthiness of information and the integrity of our technologies, ethical uses of the information cannot be realized. This implies that securing information and its ethical uses are inherently intertwined and should be viewed synergistically. Therefore, we define information security and ethics as an all-encompassing term that refers to all activities needed to secure information and the systems that support it in order to facilitate its ethical use.
Until recently, information security was exclusively discussed in terms of mitigating risks associated
with data and the organizational and technical infrastructure that supported it. With the emergence of
the new paradigm in information technology, the role of information security and ethics has evolved. As
Information Technology and the Internet become more and more ubiquitous and pervasive in our daily
lives, a more thorough understanding of issues and concerns over the information security and ethics is
becoming one of the hottest trends in the whirlwind of research and practice of information technology.
This is chiefly due to the recognition that, whilst advances in information technology have made it possible for data to be generated, collected, stored, processed and transmitted at a staggering rate from various sources by government, organizations and other groups for a variety of purposes, concerns over the security of what is collected and the potential harm from personal privacy violations resulting from its unethical use have also skyrocketed. Therefore, understanding the pertinent issues in information security and ethics vis-à-vis the technical, theoretical, managerial and regulatory aspects of the generation, collection, storage, processing, transmission and ultimately use of information is becoming increasingly important to researchers and industry practitioners alike. Information security and ethics has been viewed as one
of the foremost areas of concern and interest by academic researchers and industry practitioners from
diverse fields such as engineering, computer science, information systems, and management. Recent
studies of major areas of interest for IT researchers and professionals point to information security and
ethics as one of the most pertinent.
We have entered an exciting period of unparalleled interest and growth in the research and practice of all aspects of information security and ethics. Information security and ethics is the top IT priority facing organizations. According to the 18th Annual Top Technology Initiatives survey produced by the American Institute of Certified Public Accountants (AICPA, 2007), information security tops the list of the ten most important IT priorities (http://infotech.aicpa.org/Resources/). According to the survey results, for the fifth consecutive year, information security is identified as the technology initiative expected to have the greatest impact on organizations in the upcoming year and is thus ranked as the top IT priority for organizations. Additionally, six of the top ten technology initiatives discussed in this report, including the top four, are issues related to information security and ethics. The interest in all aspects of information security and ethics is also manifested by the recent plethora of books, journal articles, special issues, and conferences in this area. This has resulted in a number of significant advances in technologies, methodologies, theories and practices of information security and ethics. These advances, in turn, have fundamentally altered the landscape of research in a wide variety of disciplines, ranging from information systems, computer science and engineering to the social and behavioral sciences and the law. This confirms what information security and ethics professionals and researchers have known for a long time: that information security and ethics is not just a “technology” issue any more. It impacts and permeates almost all aspects of business and the economy.
In this introductory chapter, we will introduce the topic of information security and ethics and discuss
the fundamental concepts and theories. We will broadly discuss tools and technologies used in achieving
the goals of information security and ethics, and provide guidelines for the design and development of
such tools and technologies. We will consider the managerial, organizational and societal implications
of information security and ethics and conclude by discussing a number of future developments and
activities in information security and ethics on the horizon that we think will have an impact on this
field. Our discussion in this chapter is not meant to be an exhaustive literature review of the research in information security and ethics, nor is it intended to be a comprehensive introduction to the field. The excellent chapters that follow in this multi-volume series will provide that. Our main goal here is to describe the broad outlines of the field and provide a basic understanding of the most salient issues for researchers and practitioners.

FUNDAMENTAL CONCEPTS AND THEORIES IN INFORMATION SECURITY AND ETHICS

Information Security

Information security is concerned with the identification of an organization’s electronic information assets and the development and implementation of tools, techniques, policies, standards, procedures and guidelines to ensure the confidentiality, integrity and availability of these assets. Although information security can be defined in a number of ways, the most salient definitions are set forth by the government of the United States. The National Institute of Standards and Technology (NIST) defines information security based on 44 United States Code Section 3542(b)(2), which states “Information Security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability” (NIST, 2003, p3). The Federal Information Security Management Act (FISMA, P.L. 107-296, Title X, 44 U.S.C. 3532) likewise defines information security as “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.” A separate statutory definition, in 17 U.S.C. 1201(e) and 1202(d), describes information security activities as those “carried out in order to identify and address the vulnerabilities of a computer system or computer network.” The United States’ National Information Assurance Training and Education Center (NIATEC) defines information security as “a system of administrative policies and procedures for identifying, controlling and protecting information against unauthorized access to or modification, whether in storage, processing or transit” (NIATEC, 2006).
The overall goal of information security should be to enable an organization to meet all of its mission-critical business objectives by implementing systems, policies and procedures to mitigate IT-related risks to the organization, its partners and customers (NIST, 2004). Federal Information Processing Standards Publication 199, issued by the National Institute of Standards and Technology (NIST, 2004), defines three broad information security objectives: confidentiality, integrity and availability. This trio of objectives is sometimes referred to as the “CIA Triad”.
Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542]. Confidentiality is the assurance that information is not disclosed to unauthorized individuals, processes, or devices (NIST, 2003 p. 15). Confidentiality protection applies to data in storage, during processing, and while in transit. Confidentiality is an extremely important consideration for any organization dealing with information and is usually discussed in terms of privacy. A loss of confidentiality is the unauthorized disclosure of information.
Integrity: Guarding against improper modification or destruction of information. According to 44 United States Code Section 3542(b)(2), integrity is defined as “guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…”. Therefore, integrity is interpreted to mean protection against the unauthorized modification or destruction of information. Integrity should be viewed both from a “data” and a “system” perspective. Data integrity implies that data has not been altered in an unauthorized manner while in storage, during processing, or while in transit. System integrity requires that a system is performing as intended, is not impaired and is free from unauthorized manipulation (NIST, 2003).
Availability: Timely, reliable access to data and information services for authorized users (NIST, 2003). According to 44 United States Code Section 3542(b)(2), availability is “Ensuring timely and reliable access to and use of information…”. Availability is frequently viewed as an organization’s foremost information security objective. Information availability is a requirement intended to assure that all systems work promptly and that service is not denied to authorized users. It therefore protects against intentional or accidental attempts to cause a denial of service, as well as against attempts to gain unauthorized access to, alter, or misuse organizational systems and data in ways that disrupt legitimate use. A loss of availability is the disruption of access to or use of information or an information system.
In defining the objectives of information security, there are a number of extensions to the CIA Triad. The most prominent extensions add three further goals of information security: accountability, authentication, and nonrepudiation. One such extension appears in the National Security Agency (NSA) definition of information security as “... measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities” (CNSS, 2003). This definition is almost identical to the way “cybersecurity” was defined by the 108th US Congress. A cybersecurity bill introduced in the 108th Congress, the Department of Homeland Security Cybersecurity Enhancement Act (H.R. 5068, Thornberry), and reintroduced in the 109th Congress as H.R. 285, defines cybersecurity as “…the prevention of damage to, the protection of, and the restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”
Accountability: The cornerstone organizational information security objective, in which auditing capabilities are established to ensure that users and producers of information are accountable for their actions, and to verify that organizational security policies and due diligence are established and enforced and that care is taken to comply with any government guidelines or standards. Accountability serves as a deterrent to improper actions and as an investigative tool for regulatory and law enforcement agencies.
Authentication: A security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information (CNSS, 2003, p 5). In order for a system to achieve security, it should require that all users identify themselves before they can perform any other system actions. Identification is only a claim; authentication is the process of establishing the validity of the user attempting to gain access, and it must succeed before authorization, the process of granting permission to a subject to access a particular object, can be decided. Authentication is thus a basic component of access control, in which unauthorized access to resources, programs, processes and systems is controlled. Access control can be achieved by using a combination of methods for authenticating the user. The primary methods of user authentication are: access passwords (something the user knows); access tokens (something the user owns, which can be based on a combination of software or hardware that allows authorized access to that system, e.g., smart cards and smart card readers); biometrics (something the user is, such as a fingerprint, palm print or voice print); access location (such as a particular workstation); user profiling (such as expected or acceptable behavior); and data authentication, to verify that the integrity of data has not been compromised (CNSS, 2003).
Nonrepudiation: Assurance the sender of data is provided with proof of delivery and the recipient
is provided with proof of the sender’s identity, so neither can later deny having processed the data.
(CNSS, 2003)
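The sequence the definitions above describe, identification followed by authentication followed by authorization, with every decision recorded so that users are accountable for their actions, as one small worked example. This is added code, not from the chapter or from any of the cited standards; the user names, passwords, the ACL entries and the PBKDF2 iteration count are constructed for illustration.

```python
"""Identification, authentication, authorization and accountability along one
access-control path.  Added example, not code from the chapter; the users,
passwords, ACL entries and PBKDF2 iteration count below are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Set, Tuple

PBKDF2_ROUNDS = 100_000                 # assumed work factor for this demo
DUMMY_SALT = b"\x00" * 16               # used so unknown users cost the same time


def make_credential(password: str) -> Tuple[bytes, bytes]:
    """Store a per-user salt and a PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccessController:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}
        self.acl: Dict[str, Dict[str, Set[str]]] = {}   # object -> subject -> permissions
        self.audit: List[dict] = []                      # accountability trail

    def add_user(self, name: str, password: str) -> None:
        self.users[name] = make_credential(password)

    def grant(self, subject: str, obj: str, *perms: str) -> None:
        self.acl.setdefault(obj, {}).setdefault(subject, set()).update(perms)

    def _log(self, **event) -> None:
        event["ts"] = time.time()
        self.audit.append(event)

    def authenticate(self, claimed_identity: str, password: str) -> bool:
        """Verify the claimed identity with something the user knows."""
        record = self.users.get(claimed_identity)
        if record is None:
            # hash anyway so response time does not reveal which accounts exist
            hashlib.pbkdf2_hmac("sha256", password.encode(), DUMMY_SALT, PBKDF2_ROUNDS)
            self._log(event="auth", subject=claimed_identity, result="unknown-user")
            return False
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, stored)   # constant-time comparison
        self._log(event="auth", subject=claimed_identity,
                  result="ok" if ok else "bad-password")
        return ok

    def authorize(self, subject: str, obj: str, perm: str) -> bool:
        """Decide whether an already authenticated subject may act on an object."""
        allowed = perm in self.acl.get(obj, {}).get(subject, set())
        self._log(event="authz", subject=subject, object=obj, perm=perm,
                  result="allow" if allowed else "deny")
        return allowed

    def access(self, claimed_identity: str, password: str, obj: str, perm: str) -> bool:
        """Identification (the claimed name), then authentication, then authorization."""
        if not self.authenticate(claimed_identity, password):
            return False
        return self.authorize(claimed_identity, obj, perm)


def demo() -> Tuple[bool, bool, bool, List[str]]:
    """Three access attempts against a constructed user store and ACL."""
    ac = AccessController()
    ac.add_user("alice", "correct horse battery staple")
    ac.add_user("bob", "hunter2")
    ac.grant("alice", "payroll.db", "read", "write")
    ac.grant("bob", "payroll.db", "read")
    alice_write = ac.access("alice", "correct horse battery staple", "payroll.db", "write")
    bob_write = ac.access("bob", "hunter2", "payroll.db", "write")   # authenticated, not authorized
    bob_bad_pw = ac.access("bob", "wrong", "payroll.db", "read")     # fails at authentication
    trail = [e["result"] for e in ac.audit]
    return alice_write, bob_write, bob_bad_pw, trail


if __name__ == "__main__":
    print(demo())
```

The audit list is the accountability trail: Bob’s write request passes authentication but is denied at authorization, and his second attempt never reaches authorization because the password check fails; both outcomes are recorded with a reason, which is what makes the log usable as an investigative tool. Password verification uses a constant-time comparison and performs the hash even for unknown account names, so response timing does not reveal which identities exist.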
Any information security initiative aims to minimize risk by reducing or eliminating threats to vulnerable organizational information assets. The National Institute of Standards and Technology (NIST,
2003, p. 7) defines risk as “…a combination of: (i) the likelihood that a particular vulnerability in an
agency information system will be either intentionally or unintentionally exploited by a particular threat
resulting in a loss of confidentiality, integrity, or availability, and (ii) the potential impact or magnitude
of harm that a loss of confidentiality, integrity, or availability will have on agency operations (including
mission, functions, and public confidence in the agency), an agency’s assets, or individuals (including
privacy) should there be a threat exploitation of information system vulnerabilities.” Risks are often
characterized qualitatively as high, medium, or low. (NIST, 2003, p 8). The same publication defines
threat as “…any circumstance or event with the potential to intentionally or unintentionally exploit a
specific vulnerability in an information system resulting in a loss of confidentiality, integrity, or availability,” and vulnerability as “…a flaw or weakness in the design or implementation of an information system (including security procedures and security controls associated with the system) that could be intentionally or unintentionally exploited to adversely affect an agency’s operations (including missions, functions, and public confidence in the agency), an agency’s assets, or individuals (including privacy)
through a loss of confidentiality, integrity, or availability” (NIST, 2003, p 9). NetIQ (2004) discusses five different types of vulnerabilities that have a direct impact on the governance of information security practices. They are: exposed user accounts or defaults, dangerous user behavior, configuration flaws, missing patches, and dangerous or unnecessary services. Effective management of these vulnerabilities is critical for three basic reasons. First, effective vulnerability management helps reduce the severity and growth of incidents. Second, it helps with regulatory compliance. Third, and most importantly, it is simply “good business practice” to be proactive in managing vulnerabilities rather than reactive in trying to control the damage from an incident.

Information Security and Security Attacks

Vulnerable systems are open to security attacks. Security attacks are not only widespread, they are growing fast. Counterpane Internet Security, Inc. monitored more than 450 networks in 35 countries, in every time zone. In 2004 they reported 523 billion network events and investigated over 648,000 information security attacks. According to a report by Internet Security Systems (http://www.ISS.net), information security attacks jumped 80 percent from 2002 to 2003.
There are a large number of types of attacks that exploit vulnerabilities in systems. Here we describe
some of the more recent and technologically complex attacks that have plagued the information networks
and systems.

• Denial of service: The attacker tries to prevent a service from being used rather than compromising it. When numerous hosts are used to mount the attack it is called a distributed denial of service (DDoS) attack.
• Trojan horse: Malicious software which disguises itself as benign software.
• Computer virus: Reproduces itself by attaching to other executable files and, once executed, can cause damage.
• Worm: A self-reproducing program that spreads copies of itself across a network without needing a host file. Worms can spread easily using e-mail address books.
• Logic bomb: Lies dormant until an event triggers it, such as a date or a user action; in some cases it may have a random trigger.
• IP spoofing: An attacker fakes the source IP address of its packets so that the receiver believes they come from a location it does not regard as a threat.
• Man-in-the-middle attack: The attacker places itself between two communicating parties and can read or alter the traffic between them. A related attack, sometimes called session hijacking, takes over an already authenticated session: the attacker disables the legitimate client and uses IP spoofing to claim to be that client.
• Rootkit: A set of tools used by an attacker after gaining root-level access to a host computer in order to conceal its activities on the host and permit the attacker to maintain root-level access to the host through covert means.

Denial of service (DoS) attacks have become more popular in recent years. Typically, the loss of service for the affected provider is the inability of a particular network service, such as e-mail, to be available, or the temporary loss of all network connectivity and services. A denial of service attack can also destroy files on the affected system. DoS attacks can force Web sites accessed by millions of people to temporarily cease operation, causing millions of dollars in damage. The costs of these attacks can be monumental. Forrester, IDC, and the Yankee Group estimate that the cost of a 24-hour outage for a large e-commerce company would approach $30 million. Twenty-five percent of respondents to the 2006 CSI/FBI Computer Crime and Security Survey performed by the Computer Security Institute had experienced a DoS attack (Gordon, 2006). Worldwide, as many as 10,000 such attacks occur each
day. Information Security magazine reports that since 1998, annually, about 20 percent of the surveyed
financial institutions have suffered disruptions of their information and network systems due to attacks
from hackers. The US Department of Justice’s office of cyber crime (http://www.cybercrime.gov) states
that “in the week of February 7, 2000, hackers launched distributed denial of service (DDoS) attacks on several prominent Websites, including Yahoo!, E*Trade, Amazon.com, and eBay. In more recent years, there have been a number of well publicized DDoS attacks that have cost business and consumers millions of dollars. In a DDoS attack, dozens or even hundreds of computers all linked to the Internet are instructed by a rogue program to bombard the target site with nonsense data. This bombardment soon causes the target site’s servers to run out of memory, and thus causes it to be unresponsive to the queries of legitimate customers.” However, attacks do not necessarily originate from outside of an organization. There are a number of studies that show that many hackers are employees or insiders (Escamilla 1998, Russell and Gangemi 1992).
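A rate-based detector for the flood pattern described above, run over constructed access-log lines, as an added example that is not code from the chapter or from the Department of Justice report. It separates one source saturating the server (a plain DoS) from the case the quotation describes, many machines each contributing a little (DDoS). The log format, the IP addresses and the thresholds are assumptions made for the demonstration.

```python
"""Rate-based flood detection over access-log lines, separating a single-source
DoS from a distributed DDoS.  Added example; the log lines, addresses and
thresholds are constructed for illustration, not taken from any report."""
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed log: "<epoch-second> <source-ip> <method> <path>"
SAMPLE_LOG: List[str] = (
    ["0 10.0.0.%d GET /" % i for i in range(1, 4)]                       # normal
    + ["1 10.0.0.%d GET /about" % i for i in range(1, 3)]                # normal
    + ["2 203.0.113.7 GET /?x=%d" % i for i in range(60)]                # one host hammering
    + ["3 198.51.100.%d GET /search?q=%d" % (i, i) for i in range(150)]  # many hosts, few each
)

RATE_THRESHOLD = 50        # requests/second that counts as a flood (assumption)
DISTRIBUTED_SOURCES = 20   # distinct sources above which the flood is treated as DDoS
SINGLE_SOURCE_SHARE = 0.9  # share of traffic from one address that marks a plain DoS


def parse(lines: List[str]) -> Iterator[Tuple[int, str]]:
    """Yield (second, source address) from each constructed log line."""
    for line in lines:
        ts, src, _rest = line.split(" ", 2)
        yield int(ts), src


def detect(lines: List[str]) -> Dict[int, dict]:
    """Per-second findings: request count, distinct sources, top talker and verdict."""
    per_sec: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, src in parse(lines):
        per_sec[ts][src] += 1

    findings: Dict[int, dict] = {}
    for ts, by_src in sorted(per_sec.items()):
        total = sum(by_src.values())
        top_src, top_count = max(by_src.items(), key=lambda kv: kv[1])
        share = top_count / total
        if total < RATE_THRESHOLD:
            verdict = "normal"
        elif len(by_src) >= DISTRIBUTED_SOURCES:
            verdict = "ddos"            # the bombardment comes from many machines
        elif share >= SINGLE_SOURCE_SHARE:
            verdict = "dos"             # one address is doing almost all of it
        else:
            verdict = "suspicious"      # high rate, but neither pattern is clear
        findings[ts] = {"requests": total, "sources": len(by_src),
                        "top_source": top_src, "top_share": round(share, 2),
                        "verdict": verdict}
    return findings


if __name__ == "__main__":
    for sec, f in detect(SAMPLE_LOG).items():
        print(sec, f)
```

Because the source counts come from packet headers, the IP spoofing listed among the attack types above can make a single attacker look distributed, so in practice the distinct-source count is one signal to combine with others (connection completion, request mix, upstream flow data) rather than a verdict on its own.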
Viruses and their associated malware have been favorite types of attacks for hackers and others intent on harming information security. A global survey conducted by InformationWeek and PricewaterhouseCoopers LLP estimated that computer viruses and hacking took a $1.6 trillion toll on the worldwide economy and a $266 billion toll in the United States alone (Denning, 2000). The 2006 Computer Security Institute (CSI) and FBI survey of 313 respondents on computer crime and security ranked computer virus contamination as the leading cause of security-related losses in 2006, accounting for a total of $15,691,460 in reported losses across the surveyed organizations (Gordon et al., 2006). Computer Economics estimates (Computer Economics, 2007) that the ILOVEYOU virus that struck in 2000 and its variants caused $6.7 billion in damage in the first 5 days alone. The Melissa virus first appeared on the Internet in March of
1999. It spread rapidly throughout computer systems in the United States and Europe. On December 9,
1999, David Smith, the creator of this virus, pleaded guilty to state and federal charges associated with
his creation of the Melissa virus. The US Department of Justice’s Office of Cyber Crime (http://www.
cybercrime.gov) estimates that the virus caused $800 million in damages to computers worldwide and in
the United States alone, the virus made its way through 1.2 million computers in one-fifth of the country’s
largest businesses. The US Department of Justice’s office of cyber crime (http://www.cybercrime.gov)
reports on the indictment of the Loverspy spyware which was designed and marketed by Mr. Perez for
people to use to spy on others. According to the indictment, “prospective purchasers, after paying $89
through a Web site in Texas, were electronically redirected to Perez’s computers in San Diego, where
the “members” area of Loverspy was located. Purchasers would then select from a menu an electronic
greeting card to send to up to five different victims or email addresses. The purchaser would draft an
email sending the card and use a true or fake email address for the sender. Unbeknownst to the victims,
once the email greeting card was opened, Loverspy secretly installed itself on their computer. From
that point on, all activities on the computer, including emails sent and received, Web sites visited, and
passwords entered were intercepted, collected and sent to the purchaser directly or through Mr. Perez’s
computers in San Diego. Loverspy also gave the purchaser the ability remotely to control the victim’s
computer, including accessing, changing and deleting files, and turning on Web-enabled cameras connected to the victim computers. Over 1,000 purchasers from the United States and the rest of the world
purchased Loverspy and used it against more than 2,000 victims. Mr. Perez’s operations were shut down
by a federal search warrant executed in October 2003.”
Identity theft is another major problem. In recent months there have been a number of high profile data breaches that have brought forth the potential for great losses to organizations. One major problem associated with data breaches is identity theft. How prevalent is identity theft? It is estimated that there have been 27 million victims in the U.S. over the past five years. In 2003 alone, 10 million Americans were victims. The U.S. Department of Justice estimates that 36% of identity thefts were related to credit cards and other bank cards and 45% to non-financial uses. The financial impact of identity theft on U.S. businesses is estimated to be $48 billion for 2003, and for consumers/victims it is estimated to be around $5 billion. On July 15, 2004, President Bush signed the Identity Theft Penalty Enhancement Act of 2004.
In his signing remarks, the President said: “We’re taking an important step today to combat the problem
of identity theft, one of the fastest growing financial crimes in our nation. Last year alone, nearly 10
million Americans had their identities stolen by criminals who rob them and the nation’s businesses of
nearly $50 billion through fraudulent transactions.”
There are a number of highly publicized identity theft cases. In 2006, the U.S. Department of Veterans Affairs lost personal records of an estimated 26.5 million veterans in a data breach. A coalition of veterans groups filed a class action seeking $1,000 in damages for each person, a payout that could eventually reach $26.5 billion. Another high profile security breach case occurred in December 2006 when TJX, a US retailing giant, detected a hacker intrusion against its credit card transaction processing system. Hackers stole personal information from 45.7 million customer credit and debit cards. It is estimated that this security breach will cost TJX nearly $1.7 billion (http://www.protegrity.com/). Another estimate puts the cost of this data breach at $100 per record; for 45.7 million records, the total cost could reach as high as $4.5 billion. In addition, TJX is currently facing a number of lawsuits and legal claims from customers and shareholders who were impacted by this security breach. The costs and losses associated with data breaches are not just financial. In 2005, ChoicePoint, a leading provider of data to industry, revealed that criminals had stolen personal information on over 163,000 consumers. On the day that the breach was reported, ChoicePoint’s stock value fell 3.1 percent, and it continued to slide by as much as 9 percent. Currently, nearly two years after the reported data breach, ChoicePoint stock is at about 20 percent of its all-time high.
Other types of security breaches that can be proven very costly to organizations are losses from com-
puters, laptop or mobile hardware theft and destructions. The same CSI/FBI report shows total losses
among 313 respondents due to the theft of computer and mobile hardware containing customer information
amounted to $6,642,660 in 2006 (Gordon, 2006). The report also shows that the cost per respond from
2005 to 2006 has skyrocketed from $19,562 per respondent in 2005 to $30,057 per respondent in 2006.
Although the actual costs of these security breaches are very high, the true damage can be intangible
costs associated with a tarnished reputation and the high price of earning back a customer’s trust. Not
only is this a serious problem, it is getting worse. For example, the percentage of companies that stated
they were the victims of hacking grew from 36% in 1996 to 74% in 2002 (Power, 2002). Computer
Emergency Response Team (CERT) Coordination Center estimates that the number of information at-
tacks on businesses has almost doubled every year since 1997 (CERT, 2004). The number of computer
intrusion cases filed with the Department of Justice jumped from 547 in 1998 to 1,154 in 1999 (Goodman
and Brenner, 2002). In 1999, according to the Computer Security Institute (CSI) and FBI survey, the
losses from computer crime incidents were $124 million (Gordon, 2006). The losses jumped to a
reported $266 million in 2000 and $456 million in 2002 (Power, 2002).
The losses from computer crime incidents reported by the Computer Security Institute (CSI)/Federal
Bureau of Investigation (FBI) surveys were $456 million in 2002, in contrast to $378 million in 2000 and
$266 million in 1999 (Power, 2002). According to a recent study by the Ponemon Institute, the average
cost of a consumer data breach is $182 per record. Ponemon’s analysis of 31 different incidents showed
that the total costs for each ranged from $226,000 to more than $22 million. These costs are typically
incurred from legal, investigative, and administrative expenses; drops in stock prices; customer defections;
opportunity loss; reputation management; and costs associated with customer support such as informational
hotlines and credit monitoring subscriptions. This is alarming when considering the actual number
of breaches that are reported. According to Privacy Rights Clearinghouse, a nonprofit consumer rights
and advocacy organization, over 150 million data records of U.S. residents have been exposed due to
security breaches since January 2005. The Privacy Rights Clearinghouse findings are congruent with
the recent findings of another report by Ponemon which surveyed nearly 500 IT security professionals.
The results of the survey, entitled “Data at Risk,” showed 81 percent of respondents reported the loss
of one or more laptop computers containing sensitive information during the previous 12 months. The
same Ponemon Institute survey also showed that the cost of diverting employees from their everyday
tasks to managing a data breach rose from $15 per record in 2005 to $30 a record in 2006.
Regardless of the types of attacks or where they originate, they can be very costly to organizations.
According to the findings of Gordon et al. (2006), virus attacks continue to be the source of the greatest
financial losses to organizations, followed by unauthorized access and other financial losses related to the
theft of laptops and mobile hardware and the theft of proprietary information (i.e., intellectual property).
These four categories account for more than 74 percent of the reported financial losses. Other attacks, in
order of importance according to their severity and impact on organizations, are losses that are due
to: denial of service, insider abuse of network access or e-mail, bots/zombies, system penetration by
outsiders, phishing by outsiders in which organizations are fraudulently represented, abuses of wireless
networks, instant messaging misuses, misuses of public Web applications, sabotage of data or networks,
Web site defacements, and password sniffing (Gordon et al., 2006).

Ethics as Human Foundation of Information Security

The field of ethics is concerned with the understanding of the concepts of right and wrong behaviors.
Ethics is the study of what human behavior ought to be. It is defined as the study of moral values in
human behavior and making sense of human experience. Ethics is concerned with the morality of our
actions. We define morality as the nature of how we treat others. Throughout the history of mankind,
understanding ethics and morality has been a constant concern. During the past three thousand years, a
number of powerful and highly respected ethical theories have emerged within various cultures around
the globe. Some of the most influential theories are associated with great philosophers like the Buddha,
Lao Tse and Confucius in Eastern societies, and Aristotle, Aquinas, Bentham and Kant in Western societ-
ies (Bynum, 2006). The Western notion of ethics is based on the works of Aristotle. In the Aristotelian
notion of intellect, the capacity to “make decisions” is an exercise in evaluating the ethical consequences
of human behavior.
The modern field of ethics can be traced to the work of the great modern moral philosopher Thomas
Hobbes (1588-1679). Hobbes argues that the natural state of men is freedom and that the concepts of good
and evil are related to human desires, needs and aversions. That is to say, Hobbes sees “good” as the
manifestation of what one desires and evil as the expression of what one loathes. This notion of good and
evil is based on a philosophy of values rooted in a belief in self-preservation and protection. Hobbes expresses
concern over this rigid notion of good and evil. In his famous 1651 book called “Leviathan” he outlines
his concept of the value of a social contract for a peaceful society. Hobbes claims that man is not naturally
good, but naturally a selfish hedonist, and that in every voluntary act of a man the object is to bring
some good to himself. A peaceful society, he argues, cannot be achieved if all members of the society
lived by their own self-interests and their own notion of good and evil. Such a society would be in a constant
“state of war”. He refers to this as “war of every man against every man”. For a peaceful state to exist,
Hobbes argues, members of a society need to form a “social contract” which establishes a sovereign
power that would mediate all disputes arising from members acting in their own individual self-interest
and preservation. Therefore Hobbes views the notion of a sovereign enforcing a social contract that
delineates the boundaries of individuals’ actions as an imperative in achieving a “state of peace” (Hobbes,
1651). The sovereign will be given a monopoly on violence and absolute authority. In return, the
sovereign promises to exercise its absolute power to maintain a state of peace.
Perhaps no other philosopher is more influential in the development of modern ethics as a distinct
philosophical field than the German philosopher Immanuel Kant (1724-1804). Most of our understanding
of the ethical considerations related to information security can be directly traced to the work
pioneered by Kant. Kant rejects Hobbes’ notion of the monopoly of power resting with the sovereign
for achieving a state of peace. The central principle of Kant’s ethical theory is what he calls the
categorical imperative. In describing the categorical imperative, Kant wants us to act only according to an
unconditional moral law that applies to all, one which represents an action as unconditionally necessary. He
famously states: “Act only according to that maxim by which you can at the same time will that it should
become a universal law.” In his book The Foundations of the Metaphysics of Morals (Kant, 1785), Kant
discusses the “search for and establishment of the supreme principle of morality.” For Kant, the moral
justification for an action is not found in the consequences of that action but in the motives of one who
takes that action. Kant sees only one thing that is inherently good without qualification, and that is the
good will. Good will is our power of rational moral choice. According to Kant, what makes the good
will is the will that acts out of duty and not out of inclination. Acting out of duty is the act based on the
respect for the moral law described in the “Categorical Imperative.”
Philosophers have traditionally divided ethical theories into three general subject areas: metaethics,
normative ethics, and applied ethics. Metaethics is the study of the origin and meaning of ethical concepts.
Metaethics is the study of the imperatives, genesis, and rationale for our ethical principles. Metaethics
seeks to investigate the universality of truths, the will of God, and the role of reason in ethical judgments.
Normative ethics takes on a more practical approach to understanding ethics by attempting to devise
moral standards to regulate right from wrong conduct. A classic example of a normative ethical principle
is The Golden Rule: treat others as you would want to be treated. Therefore a normative approach to
ethics seeks to establish principles against which we judge all actions. This is much akin to the notion of
categorical imperative set forth by Kant. Applied ethics is the branch of ethics which applies the ethical
consideration to analyze specific controversial moral issues. In recent years applied ethical issues have
been subdivided into convenient groups such as medical ethics, business ethics, environmental ethics,
and most recently computer ethics. For an issue to be considered an “applied ethical” issue, two features
are necessary. First, the issue needs to be controversial and second, the issue must be a distinctly moral
issue. From a more practical perspective, we apply normative principles in applied ethics. Some of the
most common examples of such principles used in applied ethics are:

• Principle of benevolence: help those in need.
• Principle of honesty: do not deceive others.
• Principle of harm: do not harm others.
• Principle of paternalism: assist others in pursuing their best interests when they cannot do so
themselves.

Computer ethics, later known as information ethics or cyberethics, is the foundation by which the
ethical implications of information security are studied. Computer ethics is a branch of applied ethics
that has received considerable attention not only from ethicists but also from information technology
researchers and professionals. Most of this interest is the natural consequence of the rapid development
and change in computer technology, its uses and its implications. Although the term “Computer Ethics”
was first coined by Walter Maner (1980) as the ethical problems “aggravated, transformed or created
by computer technology,” Bynum (2007) argues that the roots, the evolution, and the intellectual
foundations of the field of computer ethics as a distinct discipline within the realm of ethics can be directly
traced to the revolutionary works of the MIT computer scientist Norbert Wiener (Wiener, 1948, 1950,
1954 and 1964). In his seminal and profound book Cybernetics: or control and communication in the
animal and the machine published in 1948, he discusses the importance of developing a new perspec-
tive to judge good and evil in light of our new technologies. In 1950, Norbert Wiener went on to publish
another important book titled The Human Use of Human Beings where he foresees a society based on
a ubiquitous computing technology that will eventually remake the society and will radically change
everything (Bynum 2007). He refers to this as the “second industrial revolution”. Bynum sees the
importance of information in this second industrial revolution and recalls Wiener stating: “The needs and
the complexity of modern life make greater demands on this process of information than ever before....
To live effectively is to live with adequate information. Thus, communication and control belong to
the essence of man’s inner life, even as they belong to his life in society.” Bynum (2007) holds that the
consequence of this second industrial revolution will be that the “workers must adjust to radical changes
in the work place; governments must establish new laws and regulations; industry and businesses must
create new policies and practices; professional organizations must develop new codes of conduct for
their members; sociologists and psychologists must study and understand new social and psychological
phenomena; and philosophers must rethink and redefine old social and ethical concepts.” This has a
profound implication for the way we need and should view information security and ethics. We need to
fundamentally rethink the way we view and approach management techniques, our technologies, our
organizational policies, our societal laws and regulations, and our professional codes of conduct.

INFORMATION SECURITY AND ETHICS TOOLS AND TECHNOLOGIES

Information security and ethics is a complex, growing and dynamic field. It encompasses all aspects
of the organization. As stated earlier in this chapter, information security and ethics has received con-
siderable attention from researchers, developers and practitioners. Given the complexities of the issues
involved, and the pace of technological change, tools and technologies to support the organizational
security efforts are diverse and multifaceted. This diversity of tools and technologies available makes
it difficult, if not impossible, for even seasoned professionals to keep up with new tools, technologies,
and terminologies.
Gordon et al. (2006) presents a comprehensive and detailed description of the most widely used tools
and technologies used by organizations to secure their most precious information assets. Some of the
most important are: firewalls, malicious code detection systems (e.g., anti-virus software, anti-spyware
software), server-based access control lists, intrusion detection systems, encryption of data for storage,
encryption of data for transmission, reusable accounts and login passwords, intrusion prevention systems,
log management software, application level firewalls, smart cards, one time password tokens, forensics
tools, public key infrastructures, specialized wireless security systems, endpoint security client software,
and the use of biometrics technologies to secure and restrict access to the information and networks.
A detailed discussion of these tools, techniques and technologies is outside the scope of the current
chapter. However, given the importance of this topic, we provide the basics of five categories of such
tools and technologies for information security. Although we realize that there are a number of very
important tools and technologies currently available and a number of additional promising tools and
technologies on the horizon, we have focused our discussion here on only the five most important
and fundamental categories of tools and technologies. For additional discussion of tools and technologies
used to achieve the goals of information security and ethics, readers are encouraged to consult other
sources. Two excellent reports that we have consulted in this chapter are National Institute of Standards
and Technology (NIST) Special Publications 800-12 (NIST, 1995), 800-36 (Grance et al., 2003), and
800-41 (Wack, Cutler, and Pole, 2002).

Identification and Authentication

NIST (1995) Special Publication 800-12 defines “identification as the means by which a user pro-
vides a claimed identity to the system. Authentication is the means of establishing the validity of this
claim. Authorization is the process of defining and maintaining the allowed actions. Identification and
authentication establishes the basis for accountability and the combination of all three enables the en-
forcement of identity-based access control” (NIST, 1995, p.5). The user’s identity can be authenticated
using the following mechanisms:

• Requiring the user to provide something they have (e.g., token)
• Requiring the user to provide something they alone know (e.g., password)
• Sampling a personal characteristic (e.g., fingerprint).

Access Control

Grance et al. (2003) states “access control ensures that only authorized access to resources occurs.
Access control helps protect confidentiality, integrity, and availability and supports the principles of
legitimate use, least privilege, and separation of duties. Access control simplifies the task of maintain-
ing enterprise network security by reducing the number of paths that attackers might use to penetrate
system or network defenses. Access control systems grant access to information system resources to
authorized users, programs, processes, or other systems. Access control may be managed solely by the
application, or it may use controls on files. The system may put classes of information into files with
different access privileges” (Grance et al., 2003, p. 25). Controlling access can be based on any or a
combination of the following:

• User identity
• Role memberships
• Group membership
• Other information known to the system.
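As an added illustration (not code from the chapter or from NIST SP 800-12 or 800-36), the following Python sketch keeps the three steps the quotation distinguishes apart: identification (a claimed identity), authentication with two of the listed mechanisms (something the user knows and something the user has), and authorization that combines user identity, role membership and group membership while enforcing least privilege and separation of duties. All users, passwords, token secrets, roles and invoices are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed example: identification -> authentication -> authorization.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of 'something the user knows'."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """Six-digit time-based code from 'something the user has' (RFC 4226 truncation)."""
    counter = struct.pack(">Q", now // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def make_user(password, token_secret, roles, groups):
    """Build one directory record; the salt is fresh per user so equal passwords differ."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "token_secret": token_secret, "roles": frozenset(roles), "groups": frozenset(groups)}


# Constructed user directory (hypothetical names, credentials, roles and groups).
USERS = {
    "alice": make_user("correct horse battery", b"constructed-secret-alice", ["clerk"], ["accounting"]),
    "bob": make_user("staple ocean lamp", b"constructed-secret-bob", ["clerk", "approver"], ["accounting"]),
    "carol": make_user("violet kettle nine", b"constructed-secret-carol", ["clerk"], ["sales"]),
}

# Role-based permissions: each role grants only the actions it needs (least privilege).
ROLE_PERMISSIONS = {
    "clerk": {"invoice:submit", "invoice:read"},
    "approver": {"invoice:approve", "invoice:read"},
}


def authenticate(claimed_identity: str, password: str, token_code: str, now=None):
    """Identification plus two-factor authentication. Returns the verified identity or None."""
    record = USERS.get(claimed_identity)          # identification: look up the claimed identity
    if record is None:
        hash_password(password, b"\x00" * 16)     # spend similar time for unknown names
        return None
    now = int(time.time()) if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]), record["pw_hash"])
    otp_ok = hmac.compare_digest(totp(record["token_secret"], now).encode(), token_code.encode())
    # Both factors are checked before deciding, so a failure does not reveal which one failed.
    return claimed_identity if (pw_ok and otp_ok) else None


def authorize(identity: str, action: str, resource: dict) -> bool:
    """Authorization: may this verified identity perform `action` on `resource`?"""
    record = USERS[identity]
    allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in record["roles"]))
    if action not in allowed:                     # role membership decides the action
        return False
    if resource["group"] not in record["groups"]: # group membership scopes the resource
        return False
    if action == "invoice:approve" and resource["submitted_by"] == identity:
        return False                              # separation of duties: no self-approval
    return True


if __name__ == "__main__":
    t = int(time.time())
    who = authenticate("alice", "correct horse battery", totp(USERS["alice"]["token_secret"], t), now=t)
    print("authenticated as", who)
    invoice = {"id": "INV-1", "group": "accounting", "submitted_by": "alice"}
    print("alice may approve own invoice:", authorize("alice", "invoice:approve", invoice))
    print("bob may approve it:", authorize("bob", "invoice:approve", invoice))
```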

Intrusion Detection

Grance et al. (2003) describes intrusion detection as “... the process of monitoring events occurring in a
computer system or network and analyzing them for signs of intrusions, defined as attempts to perform
unauthorized actions, or to bypass the security mechanisms of a computer or network. Intrusions are
caused by any of the following: attackers who access systems from the Internet, authorized system users
who attempt to gain additional privileges for which they are not authorized and authorized users who
misuse the privileges given them. Intrusion detection systems (IDS) are software or hardware products
that assist in the intrusion monitoring and analysis process” (Grance et al., 2003, p. 30).

Firewall

Wack, Cutler, and Pole (2002) define firewall as: “… devices or systems that control the flow of net-
work traffic between networks or between a host and a network. A firewall acts as a protective barrier
because it is the single point through which communications pass. Internal information that is being
sent can be forced to pass through a firewall as it leaves a network or host. Incoming data can enter only
through the firewall. Network firewalls are devices or systems that control the flow of network traffic
between networks employing differing security postures. In most modern applications, firewalls and
firewall environments are discussed in the context of Internet connectivity and the TCP/IP protocol suite.
However, firewalls have applicability in network environments that do not include or require Internet
connectivity. For example, many corporate enterprise networks employ firewalls to restrict connectivity
to and from internal networks servicing more sensitive functions, such as the accounting or personnel
department. By employing firewalls to control connectivity to these areas, an organization can prevent
unauthorized access to the respective systems and resources within the more sensitive areas. The inclu-
sion of a proper firewall or firewall environment can therefore provide an additional layer of security
that would not otherwise be available. The most basic, fundamental type of firewall is called a packet
filter. Packet filter firewalls are essentially routing devices that include access control functionality for
system addresses and communication sessions” (Wack et al., 2002, p. 67).
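As an added example (not from the chapter or from NIST SP 800-41), this Python packet filter applies the description above: first-match rules on addresses and ports, tracking of communication sessions so that replies to admitted connections get through, and a default deny so that traffic reaches the protected accounting subnet only through the firewall. The addresses, rule set and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example of a stateful packet filter guarding an accounting subnet.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str         # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False  # True for a TCP connection attempt (SYN without ACK)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: str           # CIDR of permitted sources
    dst: str           # CIDR of permitted destinations
    proto: str = "any"
    dports: frozenset = frozenset()   # empty means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # (client, server, proto, server_port) admitted earlier

    def evaluate(self, pkt: Packet):
        """Return (verdict, reason) for one packet."""
        # 1. Replies that belong to a session this filter already admitted.
        if (pkt.dst, pkt.src, pkt.proto, pkt.sport) in self.sessions:
            return "allow", "established session"
        # 2. First matching rule wins; an allowed connection attempt opens a session.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow" and (pkt.proto != "tcp" or pkt.syn):
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
                return rule.action, rule.name
        # 3. Nothing matched: default deny, the only way in is through the firewall.
        return "deny", "default"


def build_filter() -> PacketFilter:
    """Constructed policy: only the finance application server may open connections to the
    accounting subnet's database port; accounting hosts may reach the intranet web service;
    every other path from the corporate LAN into accounting is explicitly refused."""
    return PacketFilter([
        Rule("finance-app-to-db", "allow", "10.0.5.10/32", "10.20.0.0/24", "tcp", frozenset({1433})),
        Rule("accounting-to-intranet", "allow", "10.20.0.0/24", "10.0.0.0/16", "tcp", frozenset({443})),
        Rule("lan-to-accounting", "deny", "10.0.0.0/16", "10.20.0.0/24"),
    ])


if __name__ == "__main__":
    fw = build_filter()
    for pkt in (Packet("10.0.5.10", "10.20.0.15", "tcp", 50000, 1433, syn=True),
                Packet("10.20.0.15", "10.0.5.10", "tcp", 1433, 50000),
                Packet("10.0.7.42", "10.20.0.15", "tcp", 50001, 1433, syn=True)):
        print(pkt.src, "->", pkt.dst, fw.evaluate(pkt))
```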

Malicious Code Protection

“Viruses, worms and other malicious code are typically hidden in software and require a host to replicate.
Malicious code protection requires strict procedures and multiple layers of defense. Protection includes
prevention, detection, containment, and recovery. Protection hardware and access-control software can
inhibit this code as it attempts to spread. Most security products for detecting malicious code include
several programs that use different techniques” (Grance et al., 2003, p. 45).

Vulnerability Scanners

“Vulnerability scanners examine hosts such as servers, workstations, firewalls and routers for known
vulnerabilities. Each vulnerability presents a potential opportunity for attackers to gain unauthorized
access to data or other system resources. Vulnerability scanners contain a database of vulnerability in-
formation, which is used to detect vulnerabilities so that administrators can mitigate through network,
host and application-level measures before they are exploited. By running scanners on a regular basis,
administrators can also see how effectively they have mitigated vulnerabilities that were previously iden-
tified. Products use dozens of techniques to detect vulnerabilities in hosts’ operating systems, services
and applications” (Grance et al., 2003, p 48).

UTILIZATION AND APPLICATION OF INFORMATION SECURITY AND ETHICS

Information security is not just a technology issue alone. It encompasses all aspects of business from
people to processes to technology. Bruce Schneier, founder and editor of Schneier.com, states that “If
you think technology can solve your security problems, then you don’t understand the problems and
you don’t understand the technology.” Information security involves consideration of many interrelated
fundamental issues. Among them are technological, developmental and design, and managerial
considerations. The technology component of information security is perhaps the easiest to develop
and to achieve. The technological component of information security and ethics is concerned with the
development, acquisition, and implementation of hardware and software needed to achieve security. The
developmental and design component of information security deals with issues related to the techniques and
methodologies used to proactively develop and design systems that are secure. The managerial and
personnel component focuses on the complex issues of dealing with the human elements in information
security and ethics. It deals with policies, procedures and assessments required for the management of the
operation of security activities. Undoubtedly, this is the hardest part of information security to achieve,
since it requires a clear commitment to security by an organization’s leadership, assignment of appropriate
roles and responsibilities, implementation of physical and personnel security measures to control and monitor
access, training that is appropriate for the level of access and responsibility, and accountability.
In the following section we will describe these important issues further.

INFORMATION SECURITY AND ETHICS DEVELOPMENT AND DESIGN METHODOLOGIES

The design of software can have a significant effect on its vulnerability to malware. It is a general prin-
ciple of information security regarding software design, that the more complex a piece of software is,
the more vulnerable to attack it could be. In fact, software engineers should be cognizant of the fact that
the complexities of a software design may create potential vulnerabilities that malware can exploit. Ad-
ditionally, complex software is more difficult to analyze for potential security vulnerabilities that may
have even been hidden from the developers themselves. Thompson (1984) posits that it is essentially
impossible to determine whether a piece of software is trustworthy by examining its source code, no
matter how carefully. He argues that in order to achieve trustworthiness in a software system, the entire
system must be evaluated (Thompson, 1984). Problems resulting from poor software design affect many
computer systems. Among the most notorious and the most exploited software for their weaknesses
and their vulnerabilities are computer operating systems and email programs. Specifically, since these
types of software are the most widely used by the largest segment of users, who are the least security
conscious and who may not even be security savvy, they can permit individual computer systems to be
compromised or allow the download of malware to the computer systems. Consider for example the
software patches that we routinely download, whose developers may not have been aware of specific
vulnerabilities until they were discovered and exploited by attackers.
Given the complexities of systems developed for security information systems, the teams of security
specialists, security architects, systems analysts, systems programmers, and system testers and ultimately
the users of the security systems must work together to develop security systems that meet the organiza-
tional security needs. As with other large scale projects, a systematic development methodology needs
to be utilized. Among the basic and widely used development methodology models that are adopted by
many system development professionals are:

A. System Development Life Cycle (SDLC) Model
B. Prototyping Model
C. Rapid Application Development Model
D. Component Assembly Model

To manage the complexities of developing such a massive system, researchers have relied on the
system development life cycle (SDLC) models to facilitate the development process. System develop-
ment life cycle (SDLC) is a development methodology used for information systems development using
planning, investigation, analysis, design, implementation and maintenance phases. SDLC is a systematic
approach to developing information security systems and is made up of several phases, each comprised of
multiple steps. In this section, we will describe a SDLC approach to developing information security
systems. The SDLC presented here is based on the SDLC methodology presented by Bowen, Hash, and
Wilson (2007). The authors present a SDLC model specifically tailored to “ensure appropriate protection
for the information that the system is intended to transmit, process, and store” (Bowen et al., 2007,
p. 19). This proposed SDLC is made up of the following phases: Initiation, Development and Acquisition,
Implementation, Operations and Maintenance, and Disposal.
In the following tables, we present the list of activities that need to be accomplished in each phase
(Bowen et al., 2007, pp. 21-24).

SDLC Activities and Security Activities and Definitions (Bowen et al., 2007, pp. 21-24)

A. Initiation Phase

Needs Determination
§ Define a problem that might be solved through product acquisition. Traditional components of needs
determination are establishing a basic system idea, defining preliminary requirements, assessing
feasibility, assessing technology, and identifying a form of approval to further investigate the problem.
§ Establish and document need and purpose of the system.

Security Categorization
§ Identify information that will be transmitted, processed, or stored by the system and define applicable
levels of information categorization.
§ Handling and safeguarding of personally identifiable information should be considered.

Preliminary Risk Assessment
§ Establish an initial description of the basic security needs of the system. A preliminary risk assessment
should define the threat environment in which the system or product will operate.

B. Development and Acquisition Phase

Requirements Analysis/Development
§ Conduct a more in-depth study of the need that draws on and further develops the work performed
during the initiation phase.
§ Develop and incorporate security requirements into specifications.
§ Analyze functional requirements that may include system security environment (e.g., enterprise
information security policy and enterprise security architecture) and security functional requirements.
§ Analyze assurance requirements that address the acquisition and product integration activities required
and assurance evidence needed to produce the desired level of confidence that the product will provide
required information security features correctly and effectively.
§ The analysis, based on legal, regulatory, protection, and functional security requirements, will be used
as the basis for determining how much and what kinds of assurance are required.

Risk Assessment
§ Conduct formal risk assessment to identify system protection requirements. This analysis builds on the
initial risk assessment performed during the initiation phase, but will be more in-depth and specific.
Security categories derived from FIPS 199 are typically considered during the risk assessment process to
help guide the initial selection of security controls for an

Cost Considerations and Reporting
§ Determine how much of the product acquisition and integration cost can be attributed to information
security over the life cycle of the system. These costs include hardware, software, personnel, and training.

Security Planning
§ Fully document agreed-upon security controls, planned or in place.
§ Develop the system security plan.
§ Develop documents supporting the organization’s information security program (e.g., CM plan,
contingency plan, incident response plan, security awareness and training plan, rules of behavior, risk
assessment, security test and evaluation results, system interconnection agreements, security
authorizations/accreditations, and plans of action and milestones).
§ Develop awareness and training requirements, including user manuals and operations/administrative
manuals.

Security Control Development
§ Develop, design, and implement security controls described in the respective security plans.
§ For information systems currently in operation, the security plans for those systems may call for
developing additional security controls to supplement the controls already in place or for modifying
selected controls that are deemed to be less than effective.

Developmental Security Test and Evaluation
§ Test security controls developed for a new information system or product for proper and effective
operation. Some types of security controls (primarily those controls of a nontechnical nature) cannot be
tested and evaluated until the information system is deployed; these controls are typically management
and operational controls.
§ Develop test plan/script/scenarios.

Other Planning Components
§ Ensure that all necessary components of the product acquisition and integration process are considered
when incorporating security into the life cycle.
§ These components include selection of the appropriate contract type, participation by all necessary
functional groups within an organization, participation by the certifier and accreditor, and development
and execution of necessary contracting plans and processes.

C. Implementation Phase

Security Test and Evaluation
§ Develop test data.
§ Test unit, subsystem, and entire system.
§ Ensure system undergoes technical evaluation.

Inspection and Acceptance
§ Verify and validate that the functionality described in the specification is included in the deliverables.

System Integration/Installation
§ Integrate the system at the operational site where it is to be deployed for operation.
§ Enable security control settings and switches in accordance with vendor instructions and proper security
implementation guidance.

Security Certification
§ Ensure that the controls are effectively implemented through established verification techniques and
procedures and give organization officials confidence that the appropriate safeguards and countermeasures
are in place to protect the organization’s information. Security certification also uncovers and describes
the known vulnerabilities in the information system.
§ Existing security certification may need to be updated to include acquired products.
§ The security certification determines the extent to which the security controls in the information
system are implemented correctly, operating as intended, and producing the desired outcome with respect
to meeting security requirements for the system.

Security Accreditation
§ Provide the necessary security authorization of an information system to process, store, or transmit
information that is required. This authorization is granted by a senior organization official and is based
on the verified effectiveness of security controls to some agreed-upon level of assurance and on an
identified residual risk to agency assets or operations.
§ This process determines whether the remaining known vulnerabilities in the information system pose an
acceptable level of risk to agency operations, agency assets, or individuals.
§ Upon successful completion of this phase, system owners will either have authority to operate, interim
authorization to operate, or denial of authorization to operate the information system.

E. Disposal Phase

Information Preservation
§ Retain information, as necessary, to conform to current legal requirements and to accommodate future
technology changes that may render the retrieval method obsolete.
§ Consult with agency office on retaining and archiving federal records.
§ Ensure long-term storage of cryptographic keys for encrypted data.
§ Determine whether to archive, discard, or destroy information.

Media Sanitization
§ Determine sanitization level (overwrite, degauss, or destroy).
§ Delete, erase, and overwrite data as necessary.

Hardware and Software Disposal
§ Dispose of hardware and software as directed by governing agency policy.

D. Operations/Maintenance Phase

Configuration Management and Control
§ Ensure adequate consideration of the potential security impacts due to specific changes to an
information system or its surrounding environment.
§ Configuration Management and configuration control procedures are critical to establishing an initial
baseline of hardware, software, and firmware components for the information system and for subsequently
controlling and maintaining an accurate inventory of any changes to the system.
§ Develop CM plan
o Establish baselines
o Identify configuration
o Describe configuration control process
o Identify schedule for configuration audits

Continuous Monitoring
§ Monitor security controls to ensure that controls continue to be effective in their application through
periodic testing and evaluation. Security control monitoring (i.e., verifying the continued effectiveness of
those controls over time) and reporting the security status of the information system to appropriate agency
officials is an essential activity of a comprehensive information security program.
§ Monitor to ensure system security controls are functioning as required.
§ Perform self-administered or independent security audits or other assessments periodically. Types: using
automated tools, internal control audits, security checklists, and penetration testing.
§ Monitor system and/or users. Methods: review system logs and reports, use automated
tools, review change management, monitor external sources (trade literature,
publications, electronic news, etc.), and perform periodic reaccreditation.
o POA&Ms
o Measurement and metrics
o Network monitoring
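The Configuration Management and Control and Continuous Monitoring rows of the table above describe one loop in prose: establish a baseline of the system's components, let the baseline change only through a controlled process, and audit periodically for drift. The following Python script is an added example, not code from the chapter or from the federal guidance it summarizes, that walks that loop once on a constructed set of configuration files. It hashes every file under a root directory to form the baseline, diffs a later snapshot against it to produce the audit findings (added, removed and modified paths), and refuses to move the baseline forward unless the change is tied to a change record. The file paths, file contents and the change identifiers (CHG-42, CHG-43) are all constructed for illustration.

```python
"""Configuration baseline, controlled change and periodic audit.

Added example for the Configuration Management and Continuous Monitoring rows;
not code from the chapter. All paths and file contents below are constructed.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List, Optional

# Constructed sample inventory (relative path -> contents). It stands in for the
# hardware/software/firmware components a CM plan would baseline on a real host.
SAMPLE_CONFIG = {
    "etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/sudoers": "root ALL=(ALL) ALL\n",
    "etc/app/settings.ini": "[auth]\nmfa_required = true\n",
}


def sha256_of(path: str) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Establish (or re-snapshot) the baseline: relative path -> SHA-256."""
    baseline: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_of(full)
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist the approved baseline; in practice keep it off-host and signed."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as fh:
        return json.load(fh)


def diff_baselines(approved: Dict[str, str], observed: Dict[str, str]) -> Dict[str, List[str]]:
    """Configuration audit: what appeared, disappeared or changed since approval."""
    return {
        "added": sorted(set(observed) - set(approved)),
        "removed": sorted(set(approved) - set(observed)),
        "modified": sorted(p for p in approved if p in observed and approved[p] != observed[p]),
    }


def approve_change(approved: Dict[str, str], observed: Dict[str, str], relpath: str,
                   change_id: Optional[str], log: List[dict]) -> Dict[str, str]:
    """Configuration control: the baseline moves forward only against a change record.

    A finding with no change record stays a finding; it is never absorbed into
    the baseline silently. Returns the updated baseline.
    """
    if not change_id:
        raise ValueError(f"{relpath}: refusing to update baseline without a change record")
    log.append({"change": change_id, "path": relpath,
                "old": approved.get(relpath), "new": observed.get(relpath)})
    if relpath in observed:
        approved[relpath] = observed[relpath]
    else:
        approved.pop(relpath, None)  # approved removal of a component
    return approved


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Run the cycle once on constructed data and return the audit findings."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as vault:
        for rel, text in SAMPLE_CONFIG.items():
            _write(root, rel, text)
        store = os.path.join(vault, "approved-baseline.json")  # kept outside root
        save_baseline(build_baseline(root), store)
        approved = load_baseline(store)

        # Drift without a change record: weakened sshd settings, an unexpected
        # cron entry and a missing sudoers file. All three must surface.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\nPasswordAuthentication yes\n")
        _write(root, "etc/cron.d/unexpected", "* * * * * root /tmp/task\n")
        os.remove(os.path.join(root, "etc/sudoers"))
        return diff_baselines(approved, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the findings of the constructed scenario: one added path, one removed and one modified. A content hash catches edits, additions and deletions but not ownership or permission changes, firmware versions or running-process state; a real CM plan extends the record with stat() metadata and package or firmware inventories, stores the approved baseline where the audited host cannot rewrite it, and runs the audit on the schedule the plan fixes rather than ad hoc.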

MANAGERIAL IMPACT OF INFORMATION SECURITY AND ETHICS

Information is a critical asset that supports the mission of an organization, and protecting it is critical to the organization's operations, reputation, and ultimately its survival and success. However, information and the systems that support it are vulnerable to many threats that can inflict serious damage and significant losses. These threats come from hacking and other unauthorized attempts to access private information, from fraud, sabotage, theft, and other malicious acts, and from more innocuous but no less harmful sources such as natural disasters or user error.
David Mackey, IBM’s Director of Security Intelligence, estimates that IBM recorded more than 1
billion suspicious computer security events in 2005. He estimates a higher level of malicious traffic in
2006. The damage from these “security events” can range from loss of integrity of the information to
total physical destruction or corruption of the entire infrastructure that supports it. The damages can
stem from the actions of a variety of sources, such as disgruntled employees defrauding a system, care-
less errors committed by trusted employees, or hackers gaining access to the system from outside of
the organization. Precision in estimating computer security-related losses is not possible because many
losses are never discovered, and others are “swept under the carpet” to avoid unfavorable publicity. The
effects of various threats vary considerably: some affect the confidentiality or integrity of data while
others affect the availability of a system. Broadly speaking, the main purpose of information security is
to protect an organization’s valuable resources, such as information, hardware, and software.
The importance of securing our information infrastructure is not lost on the government of the United States. The US Department of Homeland Security (DHS) defines a Critical Infrastructure (CI) as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” According to a recent DHS report titled “The National Strategy for Homeland Security,” which identified thirteen CIs, disruption of any component of a CI can have catastrophic economic, social, and national security impacts. Information security is identified as a major area of concern for the majority of the thirteen CIs. For example, many government and private-sector databases contain sensitive information, including personally identifiable data such as medical records, financial information such as credit card numbers, and proprietary business or classified security-related data. Securing these databases, which form the backbone of a number of CIs, is of paramount importance: losses due to electronic theft of information and other cybercrime against such databases can run to tens of millions of dollars annually.
In addition to the direct costs of malicious activity such as identity theft, virus attacks, or denial-of-service attacks, one of the major consequences of a security attack is the loss of customer and investor confidence in the company, which is an area of major concern for management. In an event-study analysis of market valuations, Cavusoglu, Mishra, and Raghunathan (2004) assessed the impact of security breaches on the market value of breached firms and found that announcing a security breach is negatively associated with the market value of the announcing firm. The breached firms in the sample lost, on average, 2.1 percent of their market value within two days of the announcement, an average loss in market capitalization of $1.65 billion per breach (Cavusoglu, Mishra, and Raghunathan, 2004). The study suggests that the cost of poor security is very high for investors and bad for business. Financial consequences may range from fines levied by regulatory authorities to brand erosion. As a result, organizations are spending a larger portion of their IT budgets on information security. A study by Forrester Research estimates that in 2007 businesses across North America and Europe will spend almost 13% of their IT budgets on security-related activities; the same report puts the share of security expenditure at around 7% in 2006.
Information security is clearly a priority for management, as it should be. Regardless of the source, the impact on an organization can be severe, ranging from interruption in the delivery of services and goods, loss of physical and other assets, and loss of customer goodwill and confidence to the disclosure of sensitive data, which can be very costly. Recent research shows, however, that investing in and upgrading the information security infrastructure is a smart business practice: by doing so, an organization can reduce the frequency and severity of losses resulting from security breaches in its computer systems and infrastructure.

Information Security Risk Management Cycle

Given the complexities and challenges facing organizations that set out to develop a complete and integrated information security program, the need for a comprehensive development framework is apparent, all the more so when one considers the numerous policy, managerial, technical, legal, and human resource issues that must be integrated. In a large-scale study of leading organizations that had successfully developed information security programs, the United States General Accounting Office's Accounting and Information Management Division proposed such a framework. The report, “Executive Guide: Information Security Management: Learning From Leading Organizations” (GAO/AIMD-98-68 Information Security Management), presents a comprehensive framework for information security program development based on the risk management principles that the studied organizations had successfully put into practice. These principles are grouped into five broad factors:

• Assess risk and determine needs
• Establish a central management focal point
• Implement appropriate policies and related controls
• Promote awareness
• Monitor and evaluate policy and control effectiveness

According to the GAO (US GAO, 1998), “An important factor in effectively implementing these principles was linking them in a cycle of activity that helped ensure that information security policies addressed current risks on an ongoing basis. The single most important factor in prompting the establishment of an effective security program was a general recognition and understanding among the organization's most senior executives of the enormous risks to business operations associated with relying on automated and highly interconnected systems” (US GAO, 1998, p. 17). The GAO report describes a risk management cycle whose successful implementation requires the coordination of all activities by a central security management office that serves as consultant and facilitator to individual business units and senior management. Figure 1 presents the proposed risk management cycle. The GAO concludes that the information security managers at each organization studied agreed that the five principles of the risk management cycle can be put into practice through sixteen practices, outlined in Figure 2, and that these sixteen practices were key to the effectiveness of their programs (US GAO, 1998).

Figure 1. Information security risk management cycle (Source: GAO/AIMD-98-68 Information Security Management). The figure shows the four activities of the cycle, Assess Risk and Determine Needs, Implement Policies and Controls, Promote Awareness, and Monitor and Evaluate, arranged around a Central Focal Point that coordinates them.

Lessons for Management

A common motivation for corporations to invest in information security is to safeguard their confidential data. This motivation rests on the erroneous view of information security as a risk mitigation activity rather than a strategic business enabler. Information security should no longer be viewed solely as a measure to reduce risk to organizational information and electronic assets; it should be viewed as the way business needs to be conducted. To achieve its goals, information security should support the mission of the organization. The Information Systems Security Association (ISSA) has been developing a set of Generally Accepted Information Security Principles (GAISP). GAISP includes a number of information security practices, among them the need for involvement of top management, the need for customized information security solutions, the need for periodic reassessment, the need for an evolving security strategy, and the need for a privacy strategy. This implies that information security should be viewed as an integral part of the organization's strategic mission and therefore requires a comprehensive and integrated approach. It should be viewed as an element of sound management in which cost-effectiveness is not the only driver. Management should realize that information security is a smart business practice: by investing in security measures, an organization can reduce the frequency and severity of security-related losses. Information security requires a comprehensive approach that extends throughout the entire information life cycle, and management needs to understand that without physical security, information security is impossible. It should therefore take into consideration a variety of issues, both technical and managerial, from within and outside the organization. Management needs to realize that this comprehensive approach requires the managerial, legal, organizational policy, operational, and technical controls to work together synergistically, which in turn requires that senior managers be actively involved in establishing information security governance.

Figure 2. Principles and practices to implement the risk management cycle: the sixteen practices (Source: GAO/AIMD-98-68 Information Security Management)
Effective information security controls often depend on the proper functioning of other controls, yet responsibilities must be assigned to and carried out by the appropriate functional disciplines. These interdependencies often require a new understanding of the trade-offs that may exist: achieving one objective may actually undermine another. Management must insist that information security responsibilities and accountability be made explicit, and that system owners accept responsibilities that may extend outside their own functional domains. An individual or work group should be designated to take the lead role in information security as a broad, organization-wide process. Security policies must be established and documented, and awareness among all employees must be increased through training and other incentives. Information security priorities must be communicated to all stakeholders, including customers and employees at all levels of the organization, to ensure a successful implementation. Management should insist that information security activities be integrated into all management activities, including strategic planning and capital planning, and that an assessment of needs and weaknesses be initiated and security measures and policies be monitored and evaluated continuously.
Information security professionals are charged with protecting organizations against their informa-
tion security vulnerabilities. Given the importance of securing information to an organization, this is an
important position with considerable responsibility. It is the responsibility of information security pro-
fessionals and management to create an environment where the technology is used in an ethical manner.
Therefore, one cannot discuss information security without discussing the ethical issues fundamental
in the development and use of the technology. According to a report by the European Commission
(EC, 1999, p. 7), “Information Technologies can be and are being used for perpetrating and facilitating
various criminal activities. In the hands of persons acting with bad faith, malice, or grave negligence,
these technologies may become tools for activities that endanger or injure the life, property or dignity of
individuals or damage the public interest.” Information technology operates in a dynamic environment. Factors such as advances in new technologies, the changing nature of the user population, the latency and value of information, changes in system ownership, the emergence of new threats and vulnerabilities, the dynamics of external networks, changes in the operating environment, and the changing regulatory landscape all matter. Management should therefore insist on an agile, comprehensive, and integrated approach to information security.

ORGANIZATIONAL AND SOCIAL IMPLICATIONS OF INFORMATION SECURITY AND ETHICS

Professional Ethical Codes of Conduct

Most, if not all, professional organizations have adopted a code of ethical conduct. Parker (1968, p. 200) states that “… the most ancient and well known written statement of professional ethics is the Hippocratic Oath of the medical profession. Suggestions related to the Oath date back to Egyptian papyri of 2000 B.C. The Greek medical writings making up the Hippocratic Collection were put together about 400 B.C. The present form of the Hippocratic Oath originated about 300 A.D.” The accelerated pace of advances in information technologies transformed computer and information ethics from the theoretical exercise envisioned by Wiener into a reality faced by practitioners (Bynum, 2007). As information technology became more widespread and its practitioners developed a professional identity of their own, the need for a professional code of ethical conduct for information technology professionals became apparent (ACM, 1993; Barquin, 1992; Becker-Kornstaedt, 2001; Bynum, 2000, 2001, 2004, 2006; Mason, 1986).
In the mid-1960s, Donn Parker, a pioneer and expert in the field of computer and information crime and security, became the first computer scientist to set forth a set of formal rules of ethics for computer professionals. As chairman of the ACM Professional Standards and Practices Committee, Parker, in his 1968 article “Rules of Ethics in Information Processing” in Communications of the ACM (Parker, 1968), discussed rules of ethics for information processing that had been adopted by the ACM Council on November 11, 1966, as a set of Guidelines for Professional Conduct in Information Processing. These guidelines later became the first Code of Professional Conduct of the Association for Computing Machinery. ACM was established in 1947 as “the world's first educational and scientific computing society.” ACM's code of ethics provides specific guidelines for protecting information confidentiality, protecting others' privacy, causing no harm, and respecting others' intellectual property. According to the ACM constitution, “This Code, consisting of 24 imperatives formulated as statements of personal responsibility, identifies the elements of such a commitment. The Code and its supplemented Guidelines are intended to serve as a basis for ethical decision making in the conduct of professional work. Secondarily, they may serve as a basis for judging the merit of a formal complaint pertaining to violation of professional ethical standards” (http://www.acm.org/constitution/code.html). The code consists of four sections: Section 1, General Moral Imperatives, outlines fundamental ethical considerations for computing professionals; Section 2, More Specific Professional Responsibilities, discusses additional, more specific considerations of professional conduct; Section 3, Organizational Leadership Imperatives, addresses individuals who have a leadership role in the computing field; and Section 4, Compliance with the Code, discusses how computing professionals can become compliant with the code. The full version of the code is available at http://www.acm.org/constitution/code.html. The importance of ethical conduct in the face of changing technology is not lost on the professional organizations representing diverse groups of information technology professionals; most professional organizations in information technology have developed their own codes of ethics. A sampling of those codes appears below.

Table 1. Ten Commandments of Computer Ethics (Created by the Computer Ethics Institute)

1. Thou Shalt Not Use A Computer To Harm Other People.
2. Thou Shalt Not Interfere With Other People’s Computer Work.
3. Thou Shalt Not Snoop Around In Other People’s Computer Files.
4. Thou Shalt Not Use A Computer To Steal.
5. Thou Shalt Not Use A Computer To Bear False Witness.
6. Thou Shalt Not Copy Or Use Proprietary Software For Which You have Not Paid.
7. Thou Shalt Not Use Other People’s Computer Resources Without Authorization Or Proper Compensation.
8. Thou Shalt Not Appropriate Other People’s Intellectual Output.
9. Thou Shalt Think About The Social Consequences Of The Program You Are Writing Or The System You Are
Designing.
10. Thou Shalt Always Use A Computer In Ways That Insure Consideration And Respect For Your Fellow Humans.

Figure 3. Code of Ethics of the Association of Information Technology Professionals (AITP)

Table 2. IEEE Code of Ethics

IEEE Code of Ethics

We, the members of the IEEE, in recognition of the importance of our technologies in affecting the quality of life throughout the
world, and in accepting a personal obligation to our profession, its members and the communities we serve, do hereby commit
ourselves to the highest ethical and professional conduct and agree:

1. To accept responsibility in making decisions consistent with the safety, health and welfare of the public, and to disclose
promptly factors that might endanger the public or the environment;
2. To avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do
exist;
3. To be honest and realistic in stating claims or estimates based on available data;
4. To reject bribery in all its forms;
5. To improve the understanding of technology, its appropriate application, and potential consequences;
6. To maintain and improve our technical competence and to undertake technological tasks for others only if qualified by
training or experience, or after full disclosure of pertinent limitations;
7. To seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the
contributions of others;
8. To treat fairly all persons regardless of such factors as race, religion, gender, disability, age, or national origin;
9. To avoid injuring others, their property, reputation, or employment by false or malicious action;
10. To assist colleagues and co-workers in their professional development and to support them in following this code of
ethics.

Laws and Regulations Impacting Information Security

As our societies become increasingly dependent on information technologies, effective practical legal means will have to be employed to help manage the associated risks. Currently, a number of United States federal agencies deal specifically with information security related issues. For example, the US Department of Justice has an office dedicated to computer and cyber crimes (http://www.cybercrime.gov). The National Infrastructure Protection Center (NIPC), formerly part of the US Department of Justice, was fully integrated into the Information Analysis and Infrastructure Protection Directorate of the Department of Homeland Security (DHS) (www.dhs.gov).
The most widely accepted principles on which many laws related to information use and security in the United States, Canada, the European Union, and other parts of the world are based are the Fair Information Practice Principles (FIPP). The principles were first formulated by the U.S. Department of Health, Education and Welfare in 1973 for the collection and use of information on consumers. FIPP are quoted here from the Organization for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (text reproduced from the report available at http://www1.oecd.org/publications/e-book/9302011E.PDF).

Openness
There should be a general policy of openness about developments, practices and policies with respect to
personal data. Means should be readily available for establishing the existence and nature of personal data,
and the main purposes of their use, as well as the identity and usual residence of the data controller.

Collection Limitation
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Purpose Specification
The purpose for which personal data are collected should be specified not later than at the time of data
collection and the subsequent use limited to the fulfillment of those purposes or such others as are not
incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation
Personal data should not be disclosed, made available or otherwise used for purposes other than those
specified as described above, except with the consent of the data subject or by the authority of law.

Data Quality
Personal data should be relevant to the purposes for which they are to be used, and, to the extent neces-
sary for those purposes, should be accurate, complete, relevant and kept up-to-date.

Individual Participation
An individual should have the right to: (a) obtain from a data controller, or otherwise, confirmation of
whether or not the data controller has data relating to him; (b) have communicated to him, data relating
to him within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and
in a form that is readily intelligible to him; (c) be given reasons if a request is denied and to be able to
challenge such denial; and (d) challenge data relating to him and, if the challenge is successful, to have
the data erased, rectified, completed or amended.

Security Safeguards
Personal data should be protected by reasonable security safeguards against such risks as loss or unau-
thorized access, destruction, use, modification or disclosure of data.

Accountability
A data controller should be accountable for complying with measures which give effect to the principles
stated above.

The Federal Trade Commission (FTC) is the primary federal agency responsible for the enforcement of the various laws governing the privacy of an individual's information on the Internet. The Federal Trade Commission Act (FTCA), 15 U.S.C. § 45(a), gives the FTC investigative and enforcement authority over businesses and organizations engaged in interstate commerce. Pending the enactment of new legislation, the FTC uses existing law to protect consumers from unfair and deceptive trade practices. The FTC has allowed most businesses to self-regulate; however, the government has regulated some industries, such as healthcare and financial services, and requires Web sites to follow specific rules when obtaining information from children.
Currently a number of U.S. federal laws directly affect the information security community. These laws address different aspects of information security, such as protecting the confidentiality and privacy of information or requiring documentation and audit trails for financial data and transactions. Noncompliance with these laws can bring significant financial and legal liability. Some of the most significant are the Gramm-Leach-Bliley Act (GLB), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and Food and Drug Administration (FDA) 21 Code of Federal Regulations (CFR) Part 11.

Gramm-Leach-Bliley Act (GLB):

In November 1999, the Gramm-Leach-Bliley Act was passed to regulate the privacy and protection of customer records maintained by financial organizations. GLB compliance became mandatory for financial institutions by July 2001, including the implementation of the following security requirements:

• Access controls on customer information systems
• Encryption of electronic customer information
• Monitoring systems to detect attacks on and intrusions into customer information systems
• Specified actions to be taken when unauthorized access has occurred (GLB, 1999)

To comply with GLB, institutions have to focus on administrative and technological safeguards that ensure the confidentiality and integrity of customer records, through the implementation of security solutions and secure systems management.

Sarbanes-Oxley Act (SOX):

The Sarbanes-Oxley Act, passed by the United States Congress in 2002, has caused major changes in corporate governance, the accuracy of financial reporting, financial statement disclosure, corporate executive compensation, and auditor independence. According to the CSI/FBI 2006 report, the impact of the Sarbanes-Oxley Act on information security continues to be substantial and far-reaching, and it has generally been positive: compliance with the Act has raised organizational awareness of and interest in information security and has shifted the focus of organizational information security concerns from technology to corporate governance. Complying with Sarbanes-Oxley requires companies to have specific internal controls in place to protect the integrity of their financial data. Section 404 of SOX requires companies to put in place internal controls over business operations to ensure the integrity of financial audit records within the company, with a real emphasis on computer and network security. This involves:

• Internal operational controls: control interactions between people and applications, and audit rights and responsibilities
• Employee and business partner controls: put authentication and access control in place so as to know who can access which systems and data and what they can do with those resources
• Application controls: apply operational controls directly to systems that will be connected to access each other's data
• Auditing and reporting: show compliance of all implementations of internal controls

Enforcing controls and making them operational are organizations' main objectives in complying with SOX. Another focal point of the law is the improvement of security policies and procedures to address risks to the achievement of specific control objectives, which includes the following:

• Define security standards of protection
• Create security education programs for employees
• Identify and document security exposures and policy exceptions
• Periodically evaluate security compliance with metrics and put in place action plans to ensure compliance with policies (SOX, 2002)

Ensuring the security and integrity of systems is a key focus of complying with SOX; organizations have to implement new security measures to improve the integrity of their systems.

Food and Drug Administration (FDA) 21 Code of Federal Regulations (CFR) Part 11

For medical and pharmaceutical organizations, the FDA's Part 11 regulations became effective in 1997 and were enforced from 2000. 21 CFR Part 11 establishes the US Food and Drug Administration's requirements for electronic records and electronic signatures. It includes the following requirements:

• Secure audit trails must be maintained on the system
• Only authorized persons can use the system and perform specific operations
• Records must be stored in a protected database
• The identity of each user must be verified before any credential is issued

Part 11 is very high level and does not prescribe specific controls; however, the regulation provides the basic principles for the use of computers in the pharmaceutical industry. To be compliant, an organization must define, implement, and enforce procedures and controls that ensure the authenticity, integrity, and confidentiality of electronic records.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a US law enacted in 1996. It provides standards for electronic health care transactions, including those conducted over the Internet. Because the integrity and confidentiality of patient information are critical, compliance requires being able to uniquely identify and authenticate each individual. HIPAA has strict guidelines on how healthcare organizations may manage protected health information. These include:

• Authentication: a unique identifier for each individual using the health care system
• Access control: manage accounts and restrict access to health information
• Password management: centrally define and enforce a global password policy
• Auditing: centralize activity logs related to access to health information

Securing the information systems necessary for the operation of the federal government is an important
national security consideration for the federal government, and therefore a number of laws and regulations
mandate that agencies protect their computers, the information they process, their telecommunications
infrastructure, and other related technologies. The most important are listed below:

• The Computer Security Act of 1987, which requires government and federal agencies to identify
sensitive systems, conduct computer security training, and develop computer security plans.
• The Federal Information Resources Management Regulation (FIRMR), which is the primary regulation
for the use, management, and acquisition of computer resources in the federal government.
• OMB Circular A-130 (specifically Appendix III), which requires that federal agencies establish security
programs containing specified elements.

Guidelines for the Security of Information Systems

It is safe to conclude that laws will not protect us, but can we seek salvation in technology? The
answer is no. Technology by itself is not the solution. Technology should be viewed as an enabler. It is
the people who use the technology who are responsible for its ethical use. To illustrate, consider the fol-
lowing scenario. You are an information security professional charged with developing a security policy,
analyzing risks and vulnerabilities, developing an organization’s security infrastructure, and setting up
intrusion detection systems. Suppose you discover an unauthorized access to your network. Having done
your job correctly, you are able to identify the intruder. Now, is your work as an information security
professional done? Not by a long shot. Once an intruder is identified, what is the next step? Does your
organization have policies to deal with this intruder? Are there laws that deal specifically with this type
of crime? Given the borderless nature of the Internet, these types of crimes can be perpetrated by anyone
in any geographical location. Who has jurisdiction over these laws? Therefore, the question that you
need to answer is: where do I go from here? Technology is advancing at a breathtaking pace. New
technologies bring new possibilities to do harm and to commit crimes. The legal system is not capable
of keeping pace with the development of technologies. Laws are reactive. They are the reactions of
societies to adverse events. Very seldom are laws proactive. Therefore, relying on laws and the legal system
to protect against crimes made possible by a fast-moving technology is not a wise course of action.
The Organization for Economic Cooperation and Development (OECD) (http://www.oecd.org), an
international consortium of over 30 countries established to foster good governance in the public service
and in corporate activity, has released its updated Guidelines for the Security of Information Systems
(Table 3). These guidelines are meant to increase our understanding of the importance of good security
practices and to provide specific guidance as to how to achieve them. The Guidelines consist of nine core
principles that aim to increase public awareness, education, information sharing, and training that can
lead to a better understanding of online security and the adoption of best practices. A formal declaration
from the OECD states: “These guidelines apply to all participants in the new information society and
suggest the need for a greater awareness and understanding of security issues, including the need to
develop a “culture of security”—that is, a focus on security in the development of information systems
and networks, and the adoption of new ways of thinking and behaving when using and interacting within
information systems and networks. The guidelines constitute a foundation for work towards a culture of
security throughout society” (OECD, 2007).

CRITICAL ISSUES IN INFORMATION SECURITY AND ETHICS

This proclamation about data volume growth is no longer surprising, but continues to amaze even the
experts. For businesses, more data isn’t always better. Organizations must assess what data they need
to collect and how to best leverage it. Collecting, storing and managing business data and associated
databases can be costly, and expending scarce resources to acquire and manage extraneous data fuels
inefficiency and hinders optimal performance. The generation and management of business data also
loses much of its potential organizational value unless important conclusions can be extracted from it
quickly enough to influence decision making while the business opportunity is still present. Managers
must rapidly and thoroughly understand the factors driving their business in order to sustain a competi-
tive advantage. Organizational speed and agility supported by fact-based decision making are critical to
ensure an organization remains at least one step ahead of its competitors.

Table 3. OECD’s Guidelines for the Security of Information Systems

OECD’s Guidelines for the Security of Information Systems:

• Accountability - The responsibilities and accountability of owners, providers and users of information systems
and other parties...should be explicit.
• Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining
security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...
for the security of information systems.
• Ethics - Information systems and the security of information systems should be provided and used in such a
manner that the rights and legitimate interests of others are respected.
• Multidisciplinary - Measures, practices and procedures for the security of information systems should take
account of and address all relevant considerations and viewpoints.
• Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and
proportionate to the value of and degree of reliance on the information systems and to the severity, probability
and extent of potential harm....
• Integration - Measures, practices and procedures for the security of information systems should be coordinated
and integrated with each other and other measures, practices and procedures of the organization so as to create a
coherent system of security.
• Timeliness - Public and private parties, at both national and international levels, should act in a timely
coordinated manner to prevent and to respond to breaches of security of information systems.
• Reassessment - The security of information systems should be reassessed periodically, as information systems
and the requirements for their security vary over time.
• Democracy - The security of information systems should be compatible with the legitimate use and flow of data
and information in a democratic society.

According to Kakalik and Wright (1996), a normal consumer is on more than 100 mailing lists and at
least 50 databases. A survey of 10,000
Web users conducted by the Georgia Institute of Technology concludes that “Privacy now overshadows
censorship as the No. 1 most important issue facing the Internet” (Machlis 1997). According to a Price
Waterhouse survey, 81 percent of Internet users and 79 percent of people who buy products and services
on the Internet are concerned about threats to their personal privacy (Merrick 1998). A UCLA study
released in February 2003 reported that 88.8% of respondents said they were somewhat or extremely
concerned about their privacy when buying online. According to the CSI/FBI 2006 survey (Table 4), the
top five categories, in terms of the number of responses identifying them as the major and most critical
issues in information security for the respondents’ organizations, were (1) data protection, (2) regulatory
compliance (including Sarbanes–Oxley), (3) identity theft and leakage of private information, (4) viruses
and worms, and (5) management involvement, risk management and resource allocation. Table 4
summarizes the results of the survey.

Information Privacy

As early as 1968, invasion of privacy caused by the use of computers was seen as a “serious ethical prob-
lem in the arts and sciences of information processing” (Parker, 1968). Information security and ethics
are fundamentally related to information privacy. Technological advances, decreased costs of hardware
and software, and the World Wide Web revolution have allowed for vast amounts of data to be generated,
collected, stored, processed, analyzed, distributed and used at an ever-increasing rate by organizations
and governmental agencies. Almost any activity that an organization or an individual is engaged in
creates an electronic footprint that needs to be managed, processed, stored, and communicated.

Table 4. Most critical information security issues in the next two years, CSI/FBI 2006 Computer Crime and
Security Survey: 426 respondents (Source: Gordon, 2006)

Critical issue for information security, followed by the percentage of respondents who ranked it as critical:

Data protection (e.g., data classification, identification and encryption) and application software (e.g., Web application, VoIP) vulnerability security 17%
Policy and regulatory compliance (Sarbanes–Oxley, HIPAA) 15%
Identity theft and leakage of private information (e.g., proprietary information, intellectual property and business secrets) 14%
Viruses and worms 12%
Management involvement, risk management, or supportive resources (human resources, capital budgeting and expenditures) 11%
Access control (e.g., passwords) 10%
User education, training and awareness 10%
Wireless infrastructure security 10%
Internal network security (e.g., insider threat) 9%
Spyware 8%
Social engineering (e.g., phishing, pharming) 8%
Mobile (handheld) computing devices 6%
Malware or malicious code 5%
Patch management 4%
Zero-day attacks 4%
Intrusion detection systems 4%
Instant messaging 4%
E-mail attacks (e.g., spam) 4%
Employee misuse 3%
Physical security 2%
Web attacks 2%
Two-factor authentication 2%
Bots and botnets 2%
Disaster recovery (e.g., data back-up) 2%
Denial of service 2%
Endpoint security 1%
Managed cybersecurity provider 1%
PKI implementation 1%
Rootkits 1%
Sniffing 1%
Standardization, configuration management 1%

According to a survey by the U.S. Department of Commerce, an increasing number of Americans are
going online and engaging in several online activities, including making online purchases and banking
online. The
growth in Internet usage and e-commerce has offered businesses and governmental agencies the op-
portunity to collect and analyze information in ways never previously imagined. “Enormous amounts of
consumer data have long been available through offline sources such as credit card transactions, phone
orders, warranty cards, applications and a host of other traditional methods. What the digital revolution
has done is increase the efficiency and effectiveness with which such information can be collected and
put to use” (Adkinson, Eisenach, & Lenard, 2002). The significance of privacy has not been lost on the
information security and ethics research and practitioner communities, as was revealed in the Nemati and
Barko survey (Nemati et al., 2001) of the major industry predictions that are expected to be key issues in
the future. Chief among them are concerns over the security of what is collected and the privacy
violations of what is discovered (Margulis, 1977; Mason, 1986; Culnan, 1993; Smith, 1993; Milberg,
Smith, & Kallman, 1995; Smith, Milberg, & Burke, 1996). About 80 percent of survey respondents expect
data mining and consumer privacy to be significant issues (Nemati et al., 2001).

Privacy Definitions and Issues

Privacy is defined as “the state of being free from unsanctioned intrusion” (Dictionary.com, 2006). Westin
(1967) defined the right to privacy as “the right of the individuals… to determine for themselves when,
how, and to what extent information about them is communicated to others.” The Fourth Amendment to
the U.S. Constitution’s Bill of Rights states that “The right of the people to be secure in their persons,
houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.” This belief
carries back through history in such expressions from England, at least circa 1603, “Every man’s house
is his castle.” The Supreme Court has since ruled that “We have recognized that the principal object of
the Fourth Amendment is the protection of privacy rather than property, and have increasingly discarded
fictional and procedural barriers rested on property concepts.” Thus, because the Amendment “protects
people, not places,” the requirement of actual physical trespass is dispensed with and electronic surveil-
lance was made subject to the Amendment’s requirements (Findlaw.com, 2006). Generally, the definitions
of privacy with regard to business are quite clear. On the Internet, however, privacy raises greater concerns
as consumers realize how much information can be collected without their knowledge. Companies are
facing an increasingly competitive business environment which forces them to collect vast amounts of
customer data in order to customize their offerings. Eventually, as consumers become aware of these
technologies, new privacy concerns will arise, and these concerns will gain a higher level of importance.
The security of personal data and its subsequent misuse or wrongful use without the prior permission of
an individual raises privacy concerns and often ends up calling into question the intent behind collecting
the private information in the first place (Dhillon & Moores, 2001). Private information holds the key to
power over the individual. When private information is held by organizations that have collected it
without the knowledge or permission of the individual, the rights of the individual are at risk. By 1997,
consumer privacy had become a prominent issue in the United States (Dyson, 1998).

Cost of Privacy and Why Privacy Matters

In practice, information privacy deals with an individual’s ability to control and release personal informa-
tion. The individual is in control of the release process: to whom information is released, how much is
released and for what purpose the information is to be used. “If a person considers the type and amount
of information known about them to be inappropriate, then their perceived privacy is at risk” (Roddick
& Wahlstrom, 2001). Consumers are likely to lose confidence in the online marketplace because of
these privacy concerns. Businesses must understand consumers’ concern about these issues and aim to
build consumer trust. It is important to note that knowledge about data collection can have a negative
influence on a customer’s trust and confidence level online.
Privacy concerns are real and have profound and undeniable implications on people’s attitude and
behavior (Sullivan, 2002). The importance of preserving customers’ privacy becomes evident when we
study the following information: In its 1998 report, the World Trade Organization projected that the
worldwide Electronic Commerce would reach a staggering $220 billion. A year later, Wharton Forum on
E-commerce revised that WTO projection down to $133 billion. What accounts for this unkept promise of
phenomenal growth? The U.S. Census Bureau, in its February 2004 report, states that “Consumer privacy
apprehensions continue to plague the Web and hinder its growth.” In a report by Forrester Research it is
stated that privacy fears will hold back roughly $15 billion in e-commerce revenue. In May 2005, Jupi-
ter Research reported that privacy and security concerns could cost online sellers almost $25 billion by
2006. Whether justifiable or not, consumers have concerns about their privacy and these concerns have
been reflected in their behavior. The chief privacy officer of Royal Bank of Canada said “Our research
shows that 80% of our customers would walk away if we mishandled their personal information.”
Privacy considerations will become more important to customers interacting electronically with busi-
nesses. As a result, privacy will become an important business driver. People (customers) feel ‘violated’
when their privacy is invaded. They respond to it differently, whatever the intensity of their feelings. Given
this divergent and varied reaction to privacy violation, a lot of companies still do not appreciate the
depth of consumer feelings and the need to revamp their information practices, as well as their infra-
structure for dealing with privacy. Privacy is no longer about just staying within the letter of the latest
law or regulation. Sweeping changes in people’s attitudes toward their privacy will fuel an intense political
debate and put once-routine business and corporate practices under the microscope. Two components
of this revolution will concern business the most: rising consumer fears and a growing patchwork of
regulations. Both are already underway. Regulatory complexity will grow as privacy concerns surface
in scattered pieces of legislation. Companies need to respond quickly and comprehensively. They must
recognize that privacy should be a core business issue. Privacy policies and procedures that cover all
operations must be enacted. Privacy-preserving identity management should be viewed as a business
issue, not a compliance issue.

EMERGING TRENDS IN INFORMATION SECURITY AND ETHICS

Information security and ethics will be everyone’s business, not just IT’s. This change in the way com-
panies view and approach information security will be driven primarily by consumer demand. The
consumers will demand more security for the information about them and will insist on more ethical uses
of that information. This demand will drive business profitability measures and will ultimately manifest
itself as pressure on the government and other regulatory agencies to pass tougher and more intrusive
legislation and regulations, resulting in greater pressure to comply and to demonstrate a commitment
to information security. Therefore, to succeed, organizations need to focus on information security not
just as an IT issue but as a business imperative. They need to develop business processes that align
business, IT and security operations. For example, information security considerations will play a more
prominent role in offshoring, collaboration and outsourcing agreements. In the same vein, business
partners must prove that their processes, databases and networks are secure. This will also have
important implications for outsourcing and offshoring agreements and collaborations.
The need for more vigilant and improved policies and practices in monitoring of insiders who may be
leaking or stealing confidential information will become more apparent. The black hat will become the
norm. Hacking will increasingly become a criminal profession and will no longer be the domain of
hobbyists. The attacks will be more targeted and organized, and will have a criminal intent meant to steal
information for a profit.
Regulatory and compliance requirements will continue to plague organizations. Regulations
and laws will have a direct impact on IT implementations and practices. Management teams will be held
accountable. Civil and criminal penalties may apply for noncompliance. Security audits will become
more widespread as companies are forced to comply with new regulations and laws. The regulatory
agencies and law enforcement will become more vigilant in enforcing existing laws such as HIPAA and
the Sarbanes-Oxley Act.
Identity management will continue to be the sore spot of information security. The use of identity
federations will increase. With advances in technology and the need for more secure and accurate iden-
tity management, biometrics will become mainstream and widely used. Additionally, the use of feder-
ated identity management systems will become more widespread. In a federated identity management
environment, users will be able to link identity information between accounts without centrally storing
personal information. The user can control when and how their accounts and attributes are linked and
shared between domains and service providers, allowing for greater control over their personal data.
Advanced technical security measures, such as data-at-rest encryption, granular auditing, vulnerabil-
ity assessment, and intrusion detection to protect private personally identifiable data, will become more
widespread. Database security continues to be a major concern for developers, vendors and customers.
Organizations demand more secure code, and vendors and developers will try to accommodate them. In
addition to more secure code, the demand for an explicit focus on a unified application security architecture
will force vendors and developers to seek further interoperability. This is the direct result of the increased
sophistication of malware. Malware will morph and become more sophisticated than ever. The new
breed of malware will be able to take advantage of operating system and browser vulnerabilities to infect
end-user computers with malicious code for keylogging that monitors and tracks end users’ behaviors,
such as Web surfing habits. Malware sophistication will include vulnerability assessment tools for
scanning corporate network defenses and looking for weaknesses.
Phishing will grow in frequency and sophistication. Phishing techniques will morph and become more
advanced. Phishing is defined as a method by which private information such as social security numbers,
usernames, and passwords is collected from users under false pretenses by criminals masquerading as
legitimate organizations. Malicious Web sites that are intended to violate end users’ privacy by inten-
tionally modifying end users’ systems, such as browser settings, bookmarks, homepage, and startup files,
without their consent will gain more sophisticated code that can infect users’ computers simply when they
visit these sites. These infections can range from installing adware and spyware on a user’s computer to
installing dialers, keyloggers and Trojan horses on a user’s machine. Keyloggers can be installed
remotely by bypassing firewalls and e-mail scanners, and in most cases may not be detected by antivirus
software. The most sophisticated keyloggers will be able to capture all keystrokes, screenshots, and
passwords, encrypt them, and send this information to remote sites undetected. Malicious code such as
bots will grow as a problem for network administrators. Bot applications are used to capture users’
computers and transform them into bot networks. These bot networks can then be used for illegal network
uses such as spam relay, generic traffic proxies, distributed denial of service (DDoS) attacks, and hosting
phishing and other malicious code Web sites.
The proliferation of Internet use will accelerate. People, companies, and governments will conduct
more and more of their daily business on the Internet. Not only will the Internet be used for more, but it
will also be used for more complex and previously unimagined purposes. This will be partly fueled by
advances in Internet technologies that will be more complex and far reaching. However, the pace
of advances in security technology will be able to keep pace with the Internet’s growth and complexity.
As social computing networks such as peer-to-peer, instant messaging, and chat gain more popularity and
these technologies continue to be adopted, organizations will be exposed to new and more disruptive
threats. These social computing networks will drain more and more of the corporate bandwidth and will
require additional technologies to combat them. For example, it is estimated that in 2007, instant messaging
will surpass e-mail as the most dominant form of electronic communication. Yet instant messaging is
not regulated in most companies and is not subject to the same level of scrutiny as e-mail systems
are. Similarly, individuals are not as vigilant when using instant messaging tools. Therefore, these social
computing technologies are fast becoming very popular with attackers. According to a recent study, the
most popular malicious use of instant messaging is to send the user a link to a malicious, phishing or
fraudulent Web site, which then installs and runs a malicious application on the user’s computer in order
to steal confidential information.

CONCLUSION

As early as July 1997, Vice President Albert Gore stated in a report titled A Framework for Global
Electronic Commerce that “we are on the verge of a revolution that is just as profound as the change
in the economy that came with the industrial revolution. Soon electronic networks will allow people to
transcend the barriers of time and distance and take advantage of global markets and business opportu-
nities not even imaginable today, opening up a new world of economic possibility and progress.” It is
unmistakably apparent that the “profound revolution” that Gore was discussing has arrived. The electronic
network revolution has transformed our lives in ways unimaginable only a decade ago. Yet, we are only
at the threshold of this revolution. The dizzying pace of advances in information technology promises
to transform our lives even more drastically. In order for us to take full advantage of the possibilities
offered by this new interconnectedness, organizations, governmental agencies, and individuals must find
ways to address the associated security and ethical implications. As we move forward, new security and
ethical challenges will likely emerge. It is essential that we are prepared for these challenges.

REFERENCES

ACM Executive Council (1993). ACM code of ethics and professional conduct. Communications of the ACM,
36(2), 99-105.
Adkinson, W., Eisenach, J., & Lenard, T. (2002). Privacy online: A report on the information practices and policies
of commercial Web sites. Retrieved August 2006, from http://www.pff.org/publications/privacyonlinefinalael.pdf
American Institute of Certified Public Accountants (AICPA) (2007). Information security tops the list of ten most
important IT priorities. http://infotech.aicpa.org/Resources
American Psychological Association (1992). Ethical principles of psychologists and code of conduct. American
Psychologist, 47(12), 1597-1611.
Anderson, R. (1992). Social impacts of computing: Codes of professional ethics. Social Science Computing Re-
view, 10(2), 453-469.

Anderson, R. D., Johnson, G., Gotterbarn, D., & Perrolle, J. (1993). Using the new ACM code of ethics in decision
making. Comm. ACM, 36(2), 98-107.
Aristotle. (n.d.). On the movement of animals; On the soul; Nicomachean ethics; and Eudemian ethics.
Barker, W., & Lee, A. (2004). Information security, Volume II: Appendices to guide for mapping types of informa-
tion and information systems to security categories. National Institute of Standards and Technology, NIST Special
Publication 800-60 Version II. http://csrc.nist.gov/publications/nistpubs/800-60/SP800-60V2-final.pdf
Barker, W. (2004). Guide for mapping types of information and information systems to security categories. National
Institute of Standards and Technology, NIST Special Publication 800-60 Version 1.0. http://csrc.nist.gov/publica-
tions/nistpubs/800-60/SP800-60V1-final.pdf
Barquin, R. (1992). The Ten Commandments of Computer Ethics. Computer Ethics Institute.
Becker-Kornstaedt, U. (2001). Descriptive software process modeling: How to deal with sensitive process infor-
mation. Empirical Software Eng., 6(4).
Bynum, T. (2000). The Foundation of Computer Ethics. Computers and Society, 6-13.
Bynum, T. (2001). Computer ethics: Basic concepts and historical overview. In E.N. Zalta (Ed.), The Stanford
Encyclopedia of Philosophy. http://plato.stanford.edu/entries/ethics-computer/
Bynum, T. (2004). Ethical challenges to citizens of ‘‘the automatic age’’: Norbert Wiener on the information society.
Journal of Information, Communication and Ethics in Society, 2(2), 65-74.
Bynum, T. (2006). Flourishing ethics. Ethics and Information Technology 8, 157-173.
Bynum, T. (2007). Norbert Wiener and the rise of information ethics. In W.J. van den Hoven & J. Weckert (Eds.),
Moral philosophy and information technology. Cambridge University Press.
Committee on National Security Systems (CNSS) (2003). National Information Assurance (IA) Glossary. CNSS
Instruction No. 4009. National Security Agency. http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
Computer Economics. (n.d.). Trends in IT security threats: 2007 report. www.Computereconomics.com
Computer Security Division of the Information Technology Laboratory of National Institute of Standards and
Technology (2004). Standards for Security Categorization of Federal Information and Information Systems, FIPS
PUB 199. http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
Computer Security Institute (n.d.). 2005 Computer Crime and Security Survey. http://www.gocsi.com/
Culnan, M. J. (1993). How did they get my name? An exploratory investigation of consumer attitudes toward second-
ary information use. MIS Quart., 17(3), 341-363.
Dhillon, G., & Moores, T. (2001). Internet privacy: Interpreting key issues. Information Resources Management
Journal, 14(4).
Dictionary.com. (2006). Retrieved July 2006, from http://dictionary.reference.com/browse/privacy
Dyson, E. (1998). Release 2.0: A design for living in the digital age. Bantam Doubleday Dell Pub.
European Commission (1999). Creating a safer information society by improving the security of information infra-
structures and combating computer-related crime. http://www.cybercrime.gov/intl/EUCommunication.0101.pdf
Findlaw.com. (2006). Findlaw Homepage. Retrieved July 2006, from http://public.findlaw.com/
Gordon, L., Loeb, M., Lucyshyn, W., & Richardson, R. (n.d.). The 2006 CSI/FBI Computer Crime And Security
Survey. http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf

Gotterbarn, D., Miller, K., & Rogerson, S. (1999). Software engineering code of ethics is approved. Comm. ACM,
42(10), 102-107.
Gramm-Leach-Bliley Security Requirements (1999). http://www.itsecurity.com/papers/recourse1.htm.
Grance, T., Stevens, M., & Myers, M. (2003). Guide to selecting information technology security products. Na-
tional Institute of Standards and Technology, NIST Special Publication 800-36. http://csrc.nist.gov/publications/
nistpubs/800-36/NIST-SP800-36.pdf
HIPAA Compliance and Identity & Access Management (n.d.). http://www.evidian.com/newsonline/art040901.php
Hobbes, T. (1994). Leviathan (1651). E. Curley (Ed.). Chicago, IL: Hackett Publishing Company.
Huseyin, C., Mishra, B., & Raghunathan, S. (n.d.). The effect of Internet security breach announcements on mar-
ket value: Capital market reactions for breached firms and Internet security developers. International Journal of
Electronic Commerce, 9(1), 69-04.
Huseyin, C., Mishra, B., & Raghunathan, S. (2005). The value of intrusion detection systems in information tech-
nology security architecture. Information Systems Research, 16(1), 28-46.
IEEE Board of Directors (1990). IEEE Code of Ethics. http://www.ieee.org/about/whatiscode.html
IEEE-CS/ACM Joint Task Force on Software Engineering Ethics and Professional Practices (1998). Software
Engineering Code of Ethics and Professional Practice. http://www.acm.org/serving/secode.htm
Kant, I. (1985). Grounding for the metaphysics of morals (J. W. Ellington, Trans.). Indianapolis: Hackett Publish-
ing Company.
Kissel, R. (2006). Glossary of key information security terms. National Institute of Standards and Technology.
Laudon, K. (1995). Ethical concepts and information technology. Communications of the ACM, 38(12).
Linares, M. (2005). Identity and access management solution. SANS Conference, Amsterdam.
Machlis, S. (1997). Web sites rush to self-regulate. Computerworld, 32, 19.
Margulis, S. T. (1977). Conceptions of privacy: Current status and next steps. J. of Social Issues, (33), 5-10.
Mason, R. (1986). Four ethical issues of the information age. MIS Quarterly, 10(1).
Mesthene, E. (1968). How technology will shape the future. Science, 135-143.
Milberg, S. J., Smith, H. J., & Kallman, E. A. (1995). Values, personal information privacy, and regulatory ap-
proaches. Comm. of the ACM, 38, 65-74.
Moor, J. (1995). What is computer ethics. In D.G. Johnson & H.Nissenbaum (Ed.), Computers, ethics & social
values. Prentice-Hall.
Morgan Stanley (2004). The Internet Banking Report. http://www.morganstanley.com
Nardi, B. (1996). Context and consciousness: Activity theory and human computer interaction. National Institute
of Standards and Technology, “Risk Management Guide for Information Technology Systems. NIST Special
Publication 800-30, October 2001, p. 25
Nemati, H., Barko, R., & Christopher, D. (2001). Issues in organizational data mining: A survey of current practices.
Journal of Data Warehousing, 6(1), 25-36.
NetIQ (2004). Controlling your controls: Security solutions for Sarbanes-Oxley. http://download.netiq.com/Li-
brary/White_Papers/NetIQ_SarbanesWP.pdf
lxxv

NIST, Special Publication 800-12: An Introduction to Computer Security - The NIST Handbook National Institute
of Standards and Technology (1995). http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/index.html
NIST’s Generally Accepted Principles and Practices for Securing Information Technology Systems (1996).
OECD Recommendation, guidelines and explanatory memorandum for the security of information systems (1992).
Organisation for Economic Co-operation and Development.
Parker, D (1968). Rules of ethics in information processing. Communications of the ACM, 11(3).
Power, R. (2002). 2002 CSI/FBI computer crime and security survey. Computer Security Issues and Trends, 8.
Roddick, J., & Wahlstrom, K. (2001). On the impact of knowledge discovery and data mining. Australian Com-
puter Society.
Sheehan, K. B., & Hoy, M. G. (2000). Dimensions of privacy concern among online consumer. Journal of Public
Policy and Marketing, 19, 1.
Smith, H. J. (1993). Privacy policies and practices: Inside the organizational maze. Comm. of the ACM, 36, 105-
122.
SOX Achieving Sarbanes-Oxley Compliance with Oblix Management Solutions (2007). http://www.oblix.com/
resources/whitepapers/sol/wp_oblix_sarbox_compliance.pdf
Stephanidis, C., Salvendy, G., Akoumianakis, D., Bevan, N., Brewer, J., Emiliani, P. L.,& Thompson, K. (1984).
Reflections on trusting trust. Communications of the ACM, 27, 761-763.
Sullivan, B. (2002). Privacy groups debate DoubleClick settlement. Retrieved August 2006, from http://www.cnn.
com/2002/TECH/internet/05/24/doubleclick.settlement.idg/index.html
Thompson, K (1984). Reflections on trusting trust. Communications of the ACM, 27(8), 761-763.
Trevino, L., & Brown, M. (2004). Managing to be ethical: Debunking five business ethics myths. Academy of
Management Executive, 18(2), 69-82.
United States General Accounting Office, Accounting and Information Management Division, Information Security
Management: Learning From Leading Organizations (1998). http://www.gao.gov/archive/1998/ai98068.pdf
Wack, J., Cutler, K., & Pole, J. (2002). Guidelines on firewalls and firewall policy: Recommendations of the National
Institute of Standards and Technology. National Institute of Standards and Technology, NIST Special Publication
800-41. 2002. http://csrc.nist.gov/publications/nistpubs/800-41/sp800-41.pdf
Weckert, J., & Adeney, D. (1997). Computer and information ethics. Westport, CT: Greenwood Publishing.
Westin, A. (1967). Privacy and freedom. New York: Atheneum.
Wiener, N. (1948). Cybernetics or control and communication in the animal and the machine. Technology
Press.
Wiener, N. (1950). The human use of human beings: Cybernetics and society. Houghton Mifflin. (Second Edition
Revised, Doubleday Anchor, 1954).
Wiener, N. (1964). God & Golem, Inc. A comment on certain points where cybernetics impinges on religion. MIT
Press.

View publication stats

You might also like