CHAPTER 3: ETHICS, PRIVACY AND INFORMATION SECURITY
3.1 ETHICAL ISSUES
- Ethics: refers to the principles of right and wrong that individuals use to make choices to
guide their behaviors.
- Code of Ethics: a collection of principles intended to guide decision making by members of
- Fundamental tenets of ethics include responsibility, accountability and liability
- Responsibility: you accept the consequences of your decisions and actions
- Accountability: provides for a determination of who is responsible for actions that were
- Liability: a legal concept implying that individuals have the right to recover the damages
done to them by other individuals, organizations or systems
- Diversity and ever-expanding use of IT applications have created a variety of ethical issues:
o Privacy Issues involve the collection, storage and dissemination of information about
What information about oneself should an individual be required to reveal to
What kind of surveillance can an employer use on its employee?
What types of personal information can people keep to themselves and not be
forced to reveal to others?
What information about individuals should be kept in databases, and how
secure is the information there?
o Accuracy Issues involve the authenticity, integrity and accuracy of information that is
collected and processed
Who is responsible for the authenticity, integrity and accuracy of the
How can we ensure that the information will be processed properly and
presented accurately to users?
How can we ensure that errors in databases, data transmissions and data
processing are accidental and not intentional?
Who is held accountable for errors in information?
o Property issues involve the ownership and value of information
Who owns the information?
What are the just and fair prices for its exchange?
How should one handle software piracy?
Can corporate computers be used for private purposes?
o Accessibility issues revolve around who should have access to information and
whether they should have to pay for this access
Who is allowed to access information?
How much should companies charge for permitting accessibility to information?
Who will be provided with the equipment needed for accessing information?
- Privacy: is the right to be left alone and to be free of unreasonable personal intrusion
- Information privacy is the right to determine when and to what extent information about
yourself can be gathered or communicated to others
- Rapid advances in IT have made it easier to collect, store and integrate data on individuals in
large databases. Sources include surveillance cameras in public places and at work, credit card
transactions, telephone call records, etc.
- Digital dossier: an electronic description of a person’s habits and activities, assembled from
many such data sources. The process of forming a digital dossier is called profiling
Electronic surveillance is increasing rapidly. Monitoring is done by employers, the government and
other institutions (for example, URL filtering of employees’ web traffic)
Personal Information in Databases
Information on Internet Bulletin Boards, Newsgroups and Social Networking Sites
Privacy Codes and Policies
- Privacy policies or privacy codes are an organization’s guidelines with respect to
protecting the privacy of customers, clients and employees
- Opt-out model: permits the company to collect personal information until the customer
specifically requests that the data not be collected (contrast the opt-in model, in which the
company may collect personal information only after the customer has explicitly agreed)
- P3P (Platform for Privacy Preferences): a W3C standard that automatically communicates privacy
policies between an electronic commerce website and visitors to that site (now obsolete;
current browsers do not support it)
- Canada’s privacy legislation is called the Personal Information Protection and Electronic
Documents Act (PIPEDA)
International Aspects of Privacy
- The transfer of data in and out of a nation without the knowledge of either the authorities or
the individuals involved raises a number of privacy issues
3.2 THREATS TO INFORMATION SECURITY
- A number of factors are contributing to the increasing vulnerability of organizational
o Today’s interconnected, interdependent, wirelessly networked business environment: the
trusted internal network is now connected to untrusted external networks such as the Internet
o Government legislation
o Smaller, faster, cheaper computers and storage devices
o Decreasing skills necessary to be a computer hacker
o International organized crime taking over cybercrime
Cybercrime: illegal activity taking place over computer networks
Cyberextortion: occurs when individuals attack an organization’s website and
then demand money from the website owners to call off the attack
o Downstream liability: an organization whose compromised systems are used to attack a
third party may be held liable for the resulting harm
o Increased employee use of unmanaged devices
o Lack of management support
- Threat: any danger to which a system may be exposed
- Exposure: of an information resource is the harm, loss or damage that can result if a threat
compromises that resource
- Vulnerability: a weakness in the system that makes it possible for a threat to cause harm
- Risk: the likelihood that a threat will occur and exploit a vulnerability; in practice it is
judged by combining that likelihood with the resulting exposure
- Information System Controls: are the procedures, devices or software aimed at
preventing, detecting or limiting a compromise of the system
Threats to Information Systems
1. Unintentional acts
Human errors (the most serious unintentional threat)
Deviation in the quality of service from service providers
Environmental hazards: dirt, dust, humidity and static electricity, which are harmful to
the safe operation of computing equipment
2. Natural disasters
3. Technical failures: problems with hardware and software
4. Management failures: a lack of funding for information security efforts and a lack of interest
in those efforts
5. Deliberate acts
Espionage or trespass: an unauthorized person attempts to gain illegal access to
Information extortion: an attack either threatens to steal or actually steals information
from a company
Sabotage or vandalism
Theft of equipment or information: e.g. pod slurping (copying data onto a portable storage
device) or dumpster diving (retrieving discarded documents or media)