Because learning changes everything.

CHAPTER FOUR

© McGraw Hill LLC. All rights reserved. No reproduction or distribution without the prior written consent of McGraw Hill LLC.

CHAPTER FOUR OVERVIEW

SECTION 4.1 – Ethics.
• Information Ethics.
• Developing Information Management Policies.

SECTION 4.2 – Information Security.
• Protecting Intellectual Assets.
• The First Line of Defense - People.
• The Second Line of Defense - Technology.


SECTION 4.1: ETHICS


LEARNING OUTCOMES 1

1. Explain the ethical issues in the use of the information age.
2. Identify the six epolicies an organization should implement to protect itself.


INFORMATION ETHICS 1

• Ethics – The principles and standards that guide our behavior toward other people.


INFORMATION ETHICS 2
INFORMATION ETHICS 3

Business issues related to information ethics:
• Copyright.
• Counterfeit software.
• Digital rights management.
• Intellectual property.
• Patent.
• Pirated software.


LEGAL VS. ETHICAL 1

Individuals form the only ethical component of MIS.

• Individuals copy, use, and distribute software.
• Individuals search organizational databases for sensitive and personal information.
• Individuals create and spread viruses.
• Individuals hack into computer systems to steal information.
• Employees destroy and steal information.


LEGAL VS. ETHICAL 2

• Acting ethically and legally are not always the same.
• Information does not care how it is used; it will not stop itself from sending spam, viruses, or highly sensitive information.
INFORMATION DOES NOT HAVE ETHICS, PEOPLE DO 1

• Data scraping - The process of extracting large amounts of data from a website and saving it to a spreadsheet or computer.
• Digital trust - The measure of consumer, partner, and employee confidence in an organization's ability to protect and secure data and the privacy of individuals.


INFORMATION DOES NOT HAVE ETHICS, PEOPLE DO 2
DEVELOPING INFORMATION MANAGEMENT POLICIES

• Organizations strive to build a corporate culture based on ethical principles that employees can understand and implement.
ETHICAL COMPUTER USE POLICY 1

• Ethical computer use policy – Contains general principles to guide computer user behavior.
• The ethical computer use policy ensures all users are informed of the rules and, by agreeing to use the system on that basis, consent to abide by the rules.


ETHICAL COMPUTER USE POLICY 2

• Click-fraud - The abuse of pay-per-click, pay-per-call, and pay-per-conversion revenue models by repeatedly clicking a link to increase charges or costs for the advertiser.
• Competitive click-fraud - A computer crime in which a competitor or disgruntled employee increases a company's search advertising costs by repeatedly clicking the advertiser's link.
• Cyberbullying - Includes threats, negative remarks, or defamatory comments transmitted through the Internet or posted on a website.
• Threat - An act or object that poses a danger to assets.


INFORMATION PRIVACY POLICY

• Information privacy policy - Contains general principles regarding information privacy.
• Fair information practices (FIPs) - A general term for a set of standards governing the collection and use of personal data and addressing issues of privacy and accuracy.
• General Data Protection Regulation (GDPR) - A legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU).


ACCEPTABLE USE POLICY

• Acceptable use policy (AUP) – Requires a user to agree to follow it to be provided access to corporate email, information systems, and the Internet.
• Nonrepudiation – A contractual stipulation to ensure that ebusiness participants do not deny their online actions.
• Internet use policy – Contains general principles to guide the proper use of the Internet.


EMAIL PRIVACY POLICY 1

• Organizations can mitigate the risks of email and instant messaging communication tools by implementing and adhering to an email privacy policy.
• Email privacy policy – Details the extent to which email messages may be read by others.
EMAIL PRIVACY POLICY 2

• Spam – Unsolicited email.
• Anti-spam policy – Simply states that email users will not send unsolicited emails (or spam).
• Opt out - A user can stop receiving emails by choosing to deny permission to incoming emails.
• Opt in - A user can receive emails by choosing to allow permission to incoming emails.


SOCIAL MEDIA PRIVACY POLICY
• Social media policy – Outlines the corporate guidelines or principles
governing employee online communications.
• The right to be forgotten - Allows individuals to request to have all
content that violates their privacy removed.
• Social media monitoring - The process of monitoring and
responding to what is being said about a company, individual,
product, or brand.
• Social media manager - A person within the organization who is
trusted to monitor, contribute, filter, and guide the social media
presence of a company, individual, product, or brand.



WORKPLACE MONITORING POLICY

• Workplace monitoring is a concern for many employees.
• Organizations can be held financially responsible for their employees' actions.
• The dilemma surrounding employee monitoring in the workplace is that an organization places itself at risk if it fails to monitor its employees; however, some people feel that monitoring employees is unethical.


WORKPLACE MIS MONITORING POLICY 1

• Workplace MIS monitoring – Tracks people's activities by such measures as number of keystrokes, error rate, and number of transactions processed.
• Employee monitoring policy – Explicitly states how, when, and where the company monitors its employees.


WORKPLACE MIS MONITORING POLICY 2

Common monitoring technologies include:
• Key logger or key trapper software.
• Hardware key logger.
• Cookie.
• Adware.
• Spyware.
• Web log.
• Clickstream.


SECTION 4.2: INFORMATION SECURITY


LEARNING OUTCOMES 2

3. Describe the relationships and differences between hackers and viruses.
4. Describe the relationship between information security policies and an information security plan.
5. Provide an example of each of the three primary security areas: (1) authentication and authorization, (2) prevention and resistance, and (3) detection and response.


PROTECTING INTELLECTUAL ASSETS 1

Organizational information is intellectual capital - it must be protected.

• Information security – The protection of information from accidental or intentional misuse by persons inside or outside an organization.
• Downtime – Refers to a period of time when a system is unavailable.
• Cybersecurity - Involves prevention, detection, and response to cyberattacks that can have wide-ranging effects on individuals, organizations, communities, and nations.
• Cyberattacks - Malicious attempts to access or damage a computer system.


PROTECTING INTELLECTUAL ASSETS 2

• Sources of unplanned downtime:
  Bomb threat, Burst pipe, Chemical spill, Construction, Corrupted data, Earthquake, Electrical short, Epidemic, Equipment failure, Evacuation, Explosion, Fire, Flood, Fraud,
  Frozen pipe, Hacker, Hail, Hurricane, Ice storm, Insects, Lightning, Network failure, Plane crash, Power outage, Power surge, Rodents, Sabotage, Shredded data,
  Smoke damage, Snowstorm, Sprinkler malfunction, Static electricity, Strike, Terrorism, Theft, Tornado, Train derailment, Vandalism, Vehicle crash, Virus, Water damage (various), Wind.


PROTECTING INTELLECTUAL ASSETS 3

• How Much Will Downtime Cost Your Business?
HACKERS: A DANGEROUS THREAT TO BUSINESS 1

Hacker – An expert in technology who uses their knowledge to break into computers and computer networks, either for profit or just motivated by the challenge.
• Black-hat hacker.
• Cracker.
• Cyberterrorist.
• Hacktivist.
• Script kiddies or script bunnies.
• White-hat hacker.


HACKERS: A DANGEROUS THREAT TO BUSINESS 2

Virus - Software written with malicious intent to cause annoyance or damage.
• Adware.
• Malware.
• Ransomware.
• Scareware.
• Spyware.
• Worm.


VIRUSES: A DANGEROUS THREAT TO BUSINESS 1

Virus - Software written with malicious intent to cause annoyance or damage.
• Backdoor program.
• Denial-of-service attack (DoS).
• Distributed denial-of-service attack (DDoS).
• Polymorphic virus.
• Trojan-horse virus.


VIRUSES: A DANGEROUS THREAT TO BUSINESS 2

• How Computer Viruses Spread.
VIRUSES: A DANGEROUS THREAT TO BUSINESS 3

Security threats to ebusiness include:
• Elevation of privilege.
• Hoaxes.
• Malicious code.
• Packet tampering.
• Sniffer.
• Spoofing.
• Splogs.
• Spyware.


THE FIRST LINE OF DEFENSE - PEOPLE 1

Organizations must enable employees, customers, and partners to access information electronically.

The biggest issue surrounding information security is not a technical issue, but a people issue.
• Insiders.
• Social engineering.
• Dumpster diving.
• Pretexting.


THE FIRST LINE OF DEFENSE - PEOPLE 2

The first line of defense an organization should follow to help combat insider issues is to develop information security policies and an information security plan.

• Information security policies - Identify the rules required to maintain information security, such as requiring users to log off before leaving for lunch or meetings, never sharing passwords with anyone, and changing passwords every 30 days.
• Information security plan - Details how an organization will implement the information security policies.


THE SECOND LINE OF DEFENSE - TECHNOLOGY

• There are three primary information technology security areas: authentication and authorization, prevention and resistance, and detection and response.
AUTHENTICATION AND AUTHORIZATION 1

Identity theft – The forging of someone's identity for the purpose of fraud.

• Phishing - A technique to gain personal information for the purpose of identity theft, usually by means of fraudulent email.
• Phishing expedition - A masquerading attack that combines spam with spoofing. The perpetrator sends millions of spam emails that appear to be from a respectable company.
• Pharming - Reroutes requests for legitimate websites to false websites.
• Pharming attack - Uses a zombie farm, often run by an organized crime association, to launch a massive phishing attack.


AUTHENTICATION AND AUTHORIZATION 2

Authentication – A method for confirming users' identities.

Authorization – The process of giving someone permission to do or have something.

The most secure type of authentication involves:
• Something the user knows.
• Something the user has.
• Something that is part of the user.


SOMETHING THE USER KNOWS SUCH AS A USER ID AND PASSWORD 1

• This is the most common way to identify individual users and typically contains a user ID and a password.
• This is also the most ineffective form of authentication.
• Over 50 percent of help-desk calls are password related.


SOMETHING THE USER KNOWS SUCH AS A USER ID AND PASSWORD 2

Smart cards and tokens are more effective than a user ID and a password.

• Tokens – Small electronic devices that change user passwords automatically.
• Smart card – A device that is around the same size as a credit card, containing embedded technologies that can store information and small amounts of software to perform some limited processing.


SOMETHING THAT IS PART OF THE USER SUCH AS A FINGERPRINT OR VOICE SIGNATURE

This is by far the best and most effective way to manage authentication.

• Biometrics – The identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting.

Unfortunately, this method can be costly and intrusive.
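As an added example (not part of the McGraw Hill slides), the following Python checks two of the three factors listed on the preceding slides: a password (something the user knows), stored only as a salted PBKDF2 hash, and a six-digit code from a token that changes every 30 seconds (something the user has), implemented as RFC 6238 TOTP on top of RFC 4226 HOTP. The user record layout, the function names and the sample credentials are assumptions made for the illustration; the token seed is the RFC test seed, used only so the generated codes can be compared with the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Added example, not from the slides. Combines "something the user knows"
# (a password, kept as a salted PBKDF2 hash) with "something the user has"
# (a token code that rotates every 30 seconds, RFC 6238 TOTP). The record
# layout, names and sample credentials below are constructed.


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Slow, salted hash: a stolen user table does not yield the passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    standard dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, unix_time // step, digits)


def make_user(username: str, password: str, token_secret: bytes) -> dict:
    """Constructed user record; the plaintext password is never stored."""
    salt = os.urandom(16)
    return {
        "username": username,
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "token_secret": token_secret,  # seed shared with the user's token
    }


def authenticate(user: dict, password: str, token_code: str,
                 now: Optional[int] = None, step: int = 30, window: int = 1) -> bool:
    """Both factors must pass. compare_digest avoids the early-exit string
    comparison; the token check accepts one time step either side of `now`
    so that clock drift between server and token does not lock users out."""
    now = int(time.time()) if now is None else now
    knows = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    has = any(
        hmac.compare_digest(totp(user["token_secret"], now + d * step, step), token_code)
        for d in range(-window, window + 1)
    )
    return knows and has


if __name__ == "__main__":
    # RFC 4226/6238 test seed, used here only as a constructed sample.
    alice = make_user("alice", "correct horse battery staple", b"12345678901234567890")
    code = totp(alice["token_secret"], 59)
    print(authenticate(alice, "correct horse battery staple", code, now=59))  # True
    print(authenticate(alice, "wrong password", code, now=59))                # False
```

With the RFC seed, HOTP gives 755224 for counter 0 and 287082 for counter 1, and TOTP at Unix time 59 (time step 1) gives 287082, matching the published vectors. Widening `window` tolerates more drift but also lengthens the period during which an observed code stays valid, so it is kept small.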


PREVENTION AND RESISTANCE 1

Privilege escalation - A network intrusion attack that takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications.

• Vertical privilege escalation - Attackers grant themselves a higher access level such as administrator, allowing the attacker to perform illegal actions such as running unauthorized code or deleting data.
• Horizontal privilege escalation - Attackers grant themselves the same access levels they already have but assume the identity of another user.
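The two escalation types above correspond to two checks an application has to make on every request, and omitting either one is the "design flaw" the definition refers to. The Python below is an added example (not from the slides): it shows a handler that trusts a caller-supplied record id and therefore lets one user read another's data (horizontal), beside an authorize function that checks the caller's role against the action (blocks vertical escalation) and the record's owner against the caller (blocks horizontal escalation). Role names, the record store and the user names are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not from the slides. Role levels, the record store and the
# user names are constructed; the point is that each request is checked
# twice: the caller's role against the action (vertical) and the owner of
# the object against the caller (horizontal). Deny is the default.

ROLE_LEVEL = {"user": 1, "admin": 2}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str   # set at login from the identity store, never taken from the request


# Constructed store: every record carries its owner.
RECORDS = {
    "rec-1": {"owner": "alice", "body": "alice's payroll record"},
    "rec-2": {"owner": "bob", "body": "bob's payroll record"},
}

# Minimum role each action requires.
ACTION_ROLE = {"read": "user", "delete": "admin", "grant_role": "admin"}


def authorize(session: Session, action: str, record_id: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown actions and unknown records are denied."""
    needed = ACTION_ROLE.get(action)
    if needed is None:
        return False, "unknown action"
    # Vertical check: does the caller's role reach the level the action needs?
    if ROLE_LEVEL.get(session.role, 0) < ROLE_LEVEL[needed]:
        return False, f"vertical: {action} requires {needed}"
    if record_id is not None:
        rec = RECORDS.get(record_id)
        if rec is None:
            return False, "no such record"
        # Horizontal check: a non-admin may only touch records it owns.
        if rec["owner"] != session.user_id and session.role != "admin":
            return False, f"horizontal: {record_id} belongs to {rec['owner']}"
    return True, "ok"


def read_record_insecure(session: Session, record_id: str) -> str:
    """Flawed pattern: any logged-in caller can supply any record id, so a user
    who guesses another user's id reads their data (horizontal escalation)."""
    return RECORDS[record_id]["body"]


def read_record(session: Session, record_id: str) -> str:
    """Hardened version: the same lookup behind the authorization decision."""
    allowed, reason = authorize(session, "read", record_id)
    if not allowed:
        raise PermissionError(reason)
    return RECORDS[record_id]["body"]


if __name__ == "__main__":
    bob = Session("bob", "user")
    print(read_record_insecure(bob, "rec-1"))                      # leaks alice's record
    print(authorize(bob, "read", "rec-1"))                         # (False, 'horizontal: ...')
    print(authorize(bob, "delete", "rec-2"))                       # (False, 'vertical: ...')
    print(authorize(Session("carol", "admin"), "read", "rec-1"))   # (True, 'ok')
```

The vertical check runs first so that a request for an admin-only action is refused before any record is even looked up; the reason string is meant for the audit log, not for the response body.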


PREVENTION AND RESISTANCE 2

• Downtime can cost an organization anywhere from $100 to $1 million per hour.
• Technologies available to help prevent and build resistance to attacks include:
  1. Content filtering.
  2. Encryption.
  3. Firewalls.


PREVENTION AND RESISTANCE 3

• Spam – A form of unsolicited email.
• Content filtering - Prevents emails containing sensitive information from transmitting and stops spam and viruses from spreading.


PREVENTION AND RESISTANCE 4

Personally identifiable information (PII) - Any data that could potentially identify a specific individual.
• Sensitive PII.
• Nonsensitive PII.
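The content filtering definition (PREVENTION AND RESISTANCE 3) and the PII slide above describe one mechanism from two sides: an outbound filter has to recognize sensitive PII in a message and also recognize spam. The Python below is an added example (not from the slides) of such a filter: it blocks messages containing a US-style Social Security number or a payment card number, using the Luhn checksum so that ordinary 16-digit order or tracking numbers are not blocked, and it blocks messages whose spam-phrase score reaches a threshold. The patterns, phrase list, thresholds and sample messages are constructed.

```python
import re
from typing import Dict, List

# Added example, not from the slides. A minimal outbound content filter that
# (1) blocks messages carrying sensitive PII (SSNs and Luhn-valid payment
# card numbers) and (2) blocks messages scoring as spam. Patterns, phrase
# list, thresholds and sample messages are constructed choices.

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SPAM_PHRASES = ("winner", "click here", "free prize", "act now", "limited time")
SPAM_THRESHOLD = 2


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: most random digit runs (order ids, tracking numbers) fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Digit runs of card length that also pass Luhn."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def spam_score(text: str) -> int:
    lower = text.lower()
    return sum(1 for phrase in SPAM_PHRASES if phrase in lower)


def classify(message: str) -> Dict[str, object]:
    """Return {"verdict": "block" | "deliver", "reasons": [...]}."""
    reasons = []
    if SSN_RE.search(message):
        reasons.append("ssn")
    if find_card_numbers(message):
        reasons.append("card")
    if spam_score(message) >= SPAM_THRESHOLD:
        reasons.append("spam")
    return {"verdict": "block" if reasons else "deliver", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample messages.
    samples = [
        "Hi HR, my SSN is 123-45-6789 for the onboarding form.",
        "Please charge card 4111 1111 1111 1111 for the invoice.",
        "Your order shipped, tracking number 4111111111111112.",
        "WINNER! Click here for your free prize, limited time only.",
        "Attached is the Q3 report; let me know if you have questions.",
    ]
    for s in samples:
        result = classify(s)
        print(result["verdict"], result["reasons"], "<-", s[:45])
```

The third sample shows why the Luhn step matters: it is a 16-digit number that fails the checksum, so the filter delivers it instead of raising a false positive on every tracking number.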


PREVENTION AND RESISTANCE 5

If there is an information security breach and the information was encrypted, the person stealing the information would be unable to read it.
• Encryption.
• Public key encryption (PKE).
• Certificate authority.
• Digital certificate.


PREVENTION AND RESISTANCE 6

One of the most common defenses for preventing a security breach is a firewall.
• Firewall – Hardware and/or software that guards a private network by analyzing the information leaving and entering the network.
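The firewall definition above says what a firewall does but not how it decides; the usual mechanism is an ordered rule list in which the first matching rule wins and unmatched traffic is denied. The Python below is an added example (not from the slides) of that evaluation for both directions of traffic. The rule set, the packet fields and the addresses (taken from the RFC 5737 documentation ranges) are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the slides. A first-match packet filter of the
# kind a stateless firewall applies to traffic entering and leaving a
# private network. The rule set and addresses (RFC 5737 documentation
# ranges) are constructed.


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    direction: str                      # "in", "out" or "any"
    src: str                            # CIDR
    dst: str                            # CIDR
    proto: str                          # "tcp", "udp" or "any"
    dports: Optional[Tuple[int, int]]   # inclusive port range, None = any port


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    proto: str
    dport: int


# 203.0.113.0/24 plays the private network; 198.51.100.0/24 the admin network.
RULES: List[Rule] = [
    # Public HTTPS may reach the web server only.
    Rule("allow", "in", "0.0.0.0/0", "203.0.113.10/32", "tcp", (443, 443)),
    # SSH into the private network only from the admin network.
    Rule("allow", "in", "198.51.100.0/24", "203.0.113.0/24", "tcp", (22, 22)),
    # Everything else inbound is dropped explicitly (and logged, in practice).
    Rule("deny", "in", "0.0.0.0/0", "203.0.113.0/24", "any", None),
    # Outbound: hosts may reach HTTPS anywhere; nothing else leaves.
    Rule("allow", "out", "203.0.113.0/24", "0.0.0.0/0", "tcp", (443, 443)),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != "any" and rule.direction != pkt.direction:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dports is not None and not (rule.dports[0] <= pkt.dport <= rule.dports[1]):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching rule); ("deny", None) when nothing matches."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None   # default deny: the safe fallback for a perimeter filter


if __name__ == "__main__":
    print(evaluate(RULES, Packet("in", "192.0.2.77", "203.0.113.10", "tcp", 443)))   # ('allow', 0)
    print(evaluate(RULES, Packet("in", "192.0.2.77", "203.0.113.10", "tcp", 22)))    # ('deny', 2)
    print(evaluate(RULES, Packet("out", "203.0.113.5", "192.0.2.1", "tcp", 80)))     # ('deny', None)
```

Rule order carries the policy: moving the broad deny above the SSH rule would silently cut off the admin network, which is why rule sets are reviewed top to bottom and why the index of the matching rule is returned for logging.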


PREVENTION AND RESISTANCE 7

• Sample firewall architecture connecting systems located in Chicago, New York, and Boston.
DETECTION AND RESPONSE

• If prevention and resistance strategies fail and there is a security breach, an organization can use detection and response technologies to mitigate the damage.
• Intrusion detection software – Features full-time monitoring tools that search for patterns in network traffic to identify intruders.
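To make the "search for patterns" in the intrusion detection definition concrete, the Python below is an added example (not from the slides) of a small detector run over authentication log lines. It raises a brute-force alert when one source produces a burst of failed logins inside a sliding window, and a higher-priority alert when a login from that same source succeeds while the burst is still in the window, which is the case a responder would want to see first. The log format, addresses, thresholds and sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Added example, not from the slides. Pattern-based detection of the kind an
# intrusion detection tool runs over authentication logs: a burst of failed
# logins from one source (brute force) and a success from a source that was
# just failing repeatedly. Log format, addresses and thresholds are constructed.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<kind>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: five failures from 192.0.2.44 in 11 seconds, then a
# success from the same source; one lone failure from 198.51.100.9.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[201]: Failed password for root from 192.0.2.44 port 50122 ssh2
2024-05-01T10:00:04 sshd[201]: Failed password for root from 192.0.2.44 port 50123 ssh2
2024-05-01T10:00:06 sshd[202]: Failed password for admin from 198.51.100.9 port 41000 ssh2
2024-05-01T10:00:07 sshd[201]: Failed password for root from 192.0.2.44 port 50124 ssh2
2024-05-01T10:00:09 sshd[201]: Failed password for root from 192.0.2.44 port 50125 ssh2
2024-05-01T10:00:12 sshd[201]: Failed password for root from 192.0.2.44 port 50126 ssh2
2024-05-01T10:00:15 sshd[203]: Accepted password for deploy from 203.0.113.7 port 39000 ssh2
2024-05-01T10:00:18 sshd[201]: Accepted password for root from 192.0.2.44 port 50127 ssh2
2024-05-01T10:00:20 sshd[204]: pam_unix(sshd:session): session opened for user deploy
""".splitlines()


def parse(line: str) -> Optional[Dict]:
    """Return the fields of a login event, or None for lines that are not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"],
            "user": m["user"], "src": m["src"]}


def detect(lines: List[str], threshold: int = 5, window_s: int = 60) -> List[Dict]:
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    reported = set()              # sources already reported for brute force
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # slide the window forward
        if ev["kind"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in reported:
                reported.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        else:
            # A success right after a failure burst is the urgent case.
            if len(q) >= threshold:
                alerts.append({"type": "success_after_failures", "src": ev["src"],
                               "user": ev["user"], "at": ev["ts"].isoformat()})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The window is what separates a detection from a simple counter: five failures spread over a day are normal help-desk noise, five in eleven seconds are not, and the second alert type turns "someone is guessing" into "someone may be in", which is the signal the response side of this slide acts on.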


LEARNING OUTCOME REVIEW

• Now that you have finished the chapter, please review the learning outcomes in your text.

