Chapter 3 – Ethics, Privacy, and
ETHICAL ISSUES – Ethics are the principles of right and wrong that individuals use to make
choices that guide their behavior. Companies develop a code of ethics to guide decision making.
The fundamentals of ethics are responsibility, accountability, and liability. Unethical does not
always mean illegal. The Sarbanes-Oxley Act was passed in 2002 after the Enron and
WorldCom incidents; it requires public companies to certify their financial reports.
Ethical problems are on the rise as computers keep increasing in processing speed. The
diversity of IT applications has created the following ethical issues:
1. Privacy issues – collecting, storing, and disseminating information about individuals
2. Accuracy issues – authenticity, fidelity, and accuracy of information
3. Property issues – the ownership and value of information
4. Accessibility issues – who should have access to information
Protecting privacy – privacy is the right to be left alone. Information privacy is the right to
determine what information about you is divulged. The data gathered about you is called a digital
dossier, and the process of assembling it is called profiling.
• Electronic surveillance – employees have very little protection against surveillance by
employers. According to law, employers can read emails and track internet usage. URL
filtering can be employed to block access to particular sites.
• Personal information in databases – credit reporting agencies are an example of personal
information databases. Institutions such as banks and telephone companies also keep
information in databases. The privacy concern is under what circumstances the
information is kept, where it is kept, and how secure it is.
• Information on internet bulletin boards, newsgroups, and social networking sites – online
blogs and social sites can contain derogatory information that can harm job applications.
Companies like Reputation Defender can destroy damaging content for clients.
• Privacy codes and policies – these are guidelines to protect customers’ information. The opt-
out model of informed consent permits companies to collect data until the customer states otherwise.
The opt-in model prohibits them from collecting information unless the customer has authorized it.
• International aspects of privacy – privacy laws differ among countries, which
obstructs uniform standards for privacy across borders. EU data protection is stricter than the
THREATS TO INFORMATION SECURITY – These factors contribute to increasing vulnerability
of organizational information assets.
1. Interconnected, interdependent, wireless network business environment – because systems are
always connected to the internet, information is exposed through both trusted and
untrusted networks. The wireless medium is inherently insecure.
2. Government legislation – this may require companies to disclose their privacy policies to
customers and offer opt-out option to customers.
3. Smaller, faster, cheaper computers – things like USB sticks make it easy to steal and
move information. Technology to steal information is also becoming cheaper.
4. Decreasing skill needed to become a hacker – the internet contains programs called scripts that
users with limited skill can download and use to attack information systems connected to the internet.
5. International organized crime taking over cybercrime – organized crime has taken over
cybercrime to commit non-violent but lucrative cyber-crimes. The crimes can be
committed from anywhere in the world.
6. Downstream liability – if company A’s systems are used to hack company B’s systems,
company A will be liable for damages, since company B is downstream of company A in this
attack.
7. Increased employee use of unmanaged devices – devices like mobile phones and
customers’ computers can be used as entry points for breaches of IT systems.
8. Lack of management support – management must ensure that the security
guidelines are actually being followed.
Threats to information systems – the threats to IS can be classified under:
1. Unintentional Threats – acts with no malicious intent
a. Human errors – HR and IS employees have access to sensitive information.
Secondly, consultants, janitors, and guards also have access to IS and
information assets. Human errors by either of these two groups, due to
laziness or lack of awareness, can pose a huge problem.
i. Social engineering and reverse social engineering – an attack in which the
perpetrator tricks a legitimate employee into providing company
information such as passwords. Practices such as loading spyware onto
flash drives or changing a help desk number to collect privileged
information fall under this. In social engineering, the attacker approaches the employees. In reverse social engineering, the employees approach the
ii. Deviations in the quality of service by service providers – when a product
or service is not delivered as expected, for example an internet connection outage
or other service disruption.
iii. Environmental hazards – dirt, dust, and humidity are harmful to the safe operation
of computing equipment.
b. Natural Disasters – floods, earthquakes, hurricanes, tornadoes, lightning, and
natural fires can cause loss of data.
c. Technical Failures – problems with hardware or software. Faulty chips or bugs in
programs are forms of technical failure.