Module 3

Ethical issues and Privacy

 Ethical Issues
• Ethics refers to the principles of right and wrong that individuals use
to make choices that guide their behavior.

Ethical Frameworks:
There are many sources for ethical standards. The four widely used
standards are:
• the utilitarian approach,
• the rights approach,
• the fairness approach, and
• the common good approach.
 Ethical Frameworks
1. Utilitarian Approach:
• Ethical action is what produces the greatest good and least harm for all
stakeholders.
• Example: A company reduces pollution even if it costs more, because
it benefits society and the environment overall.

2. Rights Approach:
• Ethical action respects and protects the moral rights (truth, choice,
privacy, safety) of all affected parties.
• Example: A business does not sell customer data to others because it
respects the customers’ right to privacy.
 Ethical Frameworks
3. Fairness (Justice) Approach:
• Ethical action treats people equally, or fairly if unequally, based on a
justifiable standard.
• Example: Employees who work harder or have more skills get higher
pay, but unfair pay gaps (like huge CEO salaries compared to workers)
are questioned.

4. Common Good Approach:

• Ethical action supports the well-being of the community as a whole,
emphasizing shared systems and social conditions.
• Example: A company supports public healthcare, education, and safe
workplaces because these systems help everyone.
 Ethical Frameworks
❖ 5 Steps of Ethical Decision Making:
1. Recognize the Ethical Issue
• Could this decision hurt someone or a group?
• Is it a choice between right and wrong?
• Is it more than just about laws?

2. Get the Facts

• What do I really know about the situation?
• Do I have enough information?
• Who is affected by this decision?
• Have I talked to the right people?
 Ethical Frameworks
3. Evaluate Options (Use the 4 Approaches)
• Utilitarian: Which choice gives the most good / least harm?
• Rights: Which choice respects everyone’s rights?
• Fairness: Which choice treats people fairly?
• Common Good: Which choice helps the community as a whole?

4. Make a Decision and Test It

• Considering all approaches, which choice is the best?
• Would I be comfortable if others knew about my decision?
 Ethical Frameworks
5. Act and Reflect on the outcome of your decision
• Carry out the decision carefully.
• Look back: Did it work well? What can I learn for next time?
 Ethical Frameworks
❖ Ethics in the Corporate Environment:
• Codes of Ethics: Companies and professional groups create codes of
ethics to guide decisions. However, different codes may conflict. For
example, one organization may require obeying all laws, while another
may require refusing unjust laws.

Key Principles:
• Responsibility – accept consequences of your actions.
• Accountability – identify who is responsible for actions.
• Liability – legal right to recover damages caused by others.
 Ethics in the Corporate Environment Contd..
• Ethics vs. Law: Something legal may still be unethical (e.g., banks
foreclosing homes). Unethical decisions can harm individuals,
organizations, and society.

Examples of Ethical Failures:

• Enron, WorldCom, Tyco (2001–2002) – executives convicted of
fraud → led to Sarbanes-Oxley Act (2002) requiring strict financial
controls.
• Subprime Mortgage Crisis (2008) – unethical lending + weak
regulation → global recession.
 Ethics in the Corporate Environment Contd..
IT-Related Ethical Issues:
• Growing data storage → privacy concerns.
• Internet enables mass collection and distribution of personal
information.
• Risks to intellectual property and misuse of customer data.
• Website cloning – copying successful e-commerce sites unethically.
 Privacy
• Privacy = right to be left alone and free from unreasonable intrusions.
• Information privacy = right to control when and how your personal
data is collected and shared.
• Applies to individuals, groups, and institutions.

Two Rules of Privacy:

• Privacy is not absolute – it must be balanced with society’s needs.
• The public’s right to know can override individual privacy.
 Privacy Contd..
Impact of Technology:
• IT makes it easy to collect and integrate huge amounts of personal data
(via cameras, credit cards, calls, banking, searches, government
records).
• Creates a digital dossier (electronic profile of a person).
• Profiling = building such dossiers.

Data Aggregators: Companies like LexisNexis, ChoicePoint, Acxiom

collect public + private data (SSNs, financial, criminal, motor vehicle
records) → sell to law enforcement, employers, and businesses for
customer insights.
 Privacy Contd..
Controversial Use:
• Example: In California, donor data for Proposition 8 was mapped
using Google Maps + public records. Donors said this invaded their
privacy.
 Introduction to Information Security
• Security can be defined as the degree of protection against criminal
activity, danger, damage, and/or loss.
• Information security refers to all of the processes and policies
designed to protect an organization’s information and information
systems (IS) from unauthorized access, use, disclosure, disruption,
modification, or destruction.
• A threat to an information resource is any danger to which a system
may be exposed.
• The exposure of an information resource is the harm, loss, or damage
that can result if a threat compromises that resource.
• An information resource’s vulnerability is the possibility that the
system will be harmed by a threat.
 Introduction to Information Security Contd..
Five Factors Increasing Vulnerability of organizational information
resources :
1. Interconnected, wireless networks → expose organizations to untrusted
environments; wireless is insecure.
2. Smaller, cheaper, portable devices → easier to steal/lose sensitive data.
3. Low hacking skills needed → easy access to ready-made attack scripts
online.
4. Cybercrime by organized crime → global billion-dollar network,
exploiting software weaknesses; losses are massive compared to
traditional crimes.
5. Lack of management support → without leadership and daily
enforcement, employees neglect security rules.
 Introduction to Information Security Contd..
Five Factors Increasing Vulnerability of organizational information
resources :
1. Interconnected, wireless networks → expose organizations to untrusted
environments; wireless is insecure.
2. Smaller, cheaper, portable devices → easier to steal/lose sensitive data.
3. Low hacking skills needed → easy access to ready-made attack scripts
online.
4. Cybercrime by organized crime → global billion-dollar network,
exploiting software weaknesses; losses are massive compared to
traditional crimes.
5. Lack of management support → without leadership and daily
enforcement, employees neglect security rules.
 Threats to Information Systems
There are many types of deliberate threats to information systems.
Common types are:
• Espionage or trespass
• Information extortion
• Sabotage or vandalism
• Theft of equipment or information
• Identity theft
• Compromises to intellectual property
• Software attacks
• Alien software
• Supervisory control and data acquisition (SCADA) attacks
• Cyberterrorism and cyberwarfare
 Threats to Information Systems Contd..
1. Espionage or Trespass:
• Espionage or trespass happens when someone who is not allowed tries
to illegally access an organization’s information.
• Competitive intelligence = legal way of collecting information (like
checking a company’s website, press releases, or trade shows).
• Industrial espionage = illegal spying or stealing of secret information.

2. Information Extortion:
• Information extortion occurs when an attacker either threatens to steal,
or actually steals, information from a company.
• The perpetrator demands payment for not stealing the information, for
returning stolen information, or for agreeing not to disclose the
information
 Threats to Information Systems Contd..
3. Sabotage or Vandalism:
• Sabotage or vandalism means deliberately damaging an
organization’s website. This can hurt the company’s image and make
customers lose trust.
• Example: Hacktivists (online protestors) attack a website to show
disagreement with a company’s or government’s policies.
 Threats to Information Systems Contd..
4. Theft of Equipment or Information :
• Small devices like laptops, phones, USB drives, and cameras are easy
to steal and can hold a lot of important data.
• If stolen, it causes loss of data, property, money, and even trust.
• Dumpster diving is when someone searches trash to find sensitive
information like IDs, passwords, or credit card details.
• This information can then be misused for fraud.
 Threats to Information Systems Contd..
5. Identity Theft:
• Identity theft is when someone pretends to be another person to
steal money, information, or even commit crimes.
• Criminals can steal personal details by:
• Taking mail or digging through trash.
• Hacking into computer databases.
• Breaking into companies that store people’s data.
• Tricking people with fake emails or websites (phishing).
• It is hard, expensive, and stressful for victims to recover. They may
face problems with credit, jobs, insurance, or loans.
• Even your online searches can reveal your identity if someone
analyzes them carefully.
 Threats to Information Systems Contd..
6. Compromises to Intellectual Property:
• Intellectual property (IP) means creations of the mind, like inventions,
business ideas, books, music, or software.
• IP is protected by laws:
• Trade Secret → Secret company info (e.g., Coca-Cola recipe).
• Patent → Legal rights to an invention for 20 years.
• Copyright → Rights to creative work (books, music, software, etc.) for the creator’s
life + 70 years.
• These laws help owners earn money when others use their work.
• In IT, the biggest issue is software piracy (copying or sharing software
without paying).
• Example: Giving your friend a software disc for free = copyright violation.
• Software piracy causes companies to lose billions of dollars every year.
 Threats to Information Systems Contd..
7. Software Attacks:
In the past, hackers made viruses just to spread and cause trouble.
• Today, cybercriminals use malware mainly to make money.
• Attacks are smarter and often spread through the web.
• Types of software attacks:
• Remote attacks requiring user action → You click a link, download a file, or
open an email, and your system gets infected.
• Remote attacks requiring no user action → Hackers break into your system
directly without you doing anything.
• Attacks by programmers → Programmers secretly add harmful code while
developing software (like backdoors).
 Threats to Information Systems Contd..
8. Alien Software:
• Alien software is hidden software that secretly gets installed on your computer
without you knowing. It’s not always as harmful as a virus, but it slows down
your computer, uses your resources, and spies on your activities.

Main Types:
• Adware
• Shows annoying pop-up ads.
• Companies use it because some people actually click on those ads.
• Spyware
• Collects your personal information secretly.
• Examples:
• Keyloggers → Record everything you type (like passwords or credit card numbers).
• Screen scrapers → Record what’s happening on your screen like a movie.
• To stop bots from abusing systems, websites use CAPTCHA (distorted letters/numbers test).
 Threats to Information Systems Contd..
• Spamware
• Turns your computer into a spamming machine.
• Sends unwanted emails (spam) to others, but looks like they came from you.
• Spam also wastes time, money, and can carry viruses.

• Cookies
• Small pieces of data websites save on your computer.
• Some are useful → store your login or shopping cart.
• Some are tracking cookies → follow what you do online, build a profile of
your behavior, and use it for targeted ads.
 Threats to Information Systems Contd..
9. Supervisory Control and Data Acquisition (SCADA) Attacks:
• SCADA refers to a large-scale, distributed measurement and control
system.
• SCADA systems are used to monitor or to control chemical, physical,
and transport processes such as those used in oil refineries, water and
sewage treatment plants, electrical generators, and nuclear power
plants.
• Essentially, SCADA systems provide a link between the physical
world and the electronic world.
 Threats to Information Systems Contd..
How SCADA Works:
• Sensors → Measure things (pressure, flow, voltage, etc.) or check if a
valve/switch is open or closed.
• Master Computer → Collects data from all sensors and decides what
to do.
• Communication Network → Connects sensors to the computer, often
using the Internet.
• Control Signals → Computer can tell machines what to do (e.g., open
a valve, increase pump speed).
 Threats to Information Systems Contd..
SCADA Attacks (The Danger):
• Since sensors and systems are often connected to the Internet, hackers
can break in.
• If attackers get access, they could:
• Shut down power grids (cause blackouts in cities).
• Mess with water supply (change pressure or chemicals in treatment plants).
• Disrupt nuclear plants or oil refineries (extremely dangerous).
• Such attacks could cause huge damage, danger to people, and even
national security risks.
 Threats to Information Systems Contd..
10. Cyberterrorism and Cyberwarfare:
• Cyberterrorism → When individuals or groups use the Internet to attack
computer systems with the goal of causing fear, damage, or disruption (often for
political or ideological reasons).
• Cyberwarfare → When a country (nation-state) uses cyberattacks against
another country as part of war or conflict.
• Both use computers and the Internet to cause real-world problems.

How They Attack

• Stealing or destroying important data.
• Shutting down critical services like power, water, banking, or communications.
• Hacking into SCADA systems to cause physical damage (like stopping power
plants or changing water supplies).
 Information Security Controls
• To protect their information assets, organizations implement controls, or
defense mechanisms (also called countermeasures).
• These controls are designed to protect all of the components of an information
system, including data, software, hardware, and networks.
• Because there are so many diverse threats, organizations utilize layers of
controls, or defense-in-depth.
• Controls are intended to prevent accidental hazards, deter intentional acts,
detect problems as early as possible, enhance damage recovery, and correct
problems.
• Three major types of controls:
1. physical controls,
2. access controls, and
3. communications controls.
Information Security Controls
 Information Security Controls Contd..
1. Physical controls:
• Physical Controls are protections that stop unauthorized people from entering
a company’s buildings or touching its equipment.

Examples of Physical Controls

• Basic ones: walls, doors, locks, ID badges, security guards, alarm systems.
• Advanced ones: pressure sensors, motion detectors, temperature sensors.

Challenges with Guards

• Guards often have a boring, low-paying job.
• If they do their job properly (checking everyone carefully), other employees
may get annoyed because it slows them down.
 Information Security Controls Contd..
Other Physical Security Rules:
• Limit when and where employees can log in.
• Stop users after too many wrong login attempts.
• Require employees to log off before leaving.
• Computers automatically log out after being idle for some time.
 Information Security Controls Contd..
2. Access Controls:
• Access controls are rules that stop unauthorized people from using a
company’s computer systems and data.
They work in two steps:
• Authentication → “Who are you?”
• Authorization → “What are you allowed to do?”
 Information Security Controls Contd..
A) Authentication (Checking Identity)
• This is how a system confirms a person’s identity.
Different ways to authenticate:
• Something you are (Biometrics):
Uses your body → fingerprint, face, retina, iris, or palm scan.
• Something you have:
ID card, smart card with chip, or a token (device that shows a code).
• Something you do:
Voice recognition (your speech) or signature recognition (how you sign your name).
• Something you know:
Passwords or passphrases (long phrases that are easier to remember and harder to
guess).
• Companies often use Multifactor Authentication (MFA):
• Example: ATM = card (something you have) + PIN (something you know).
• More factors = safer, but sometimes more annoying.
 Information Security Controls Contd..
B) Authorization (Deciding Permissions)
• After the system knows who you are, it decides what you can do.
• Example:
• A student logs into a school system → can only see their own grades.
• A teacher logs in → can enter or change grades.
• This is based on the Principle of Least Privilege:
Users only get the access they need—nothing more.
 Information Security Controls Contd..
Password Rules (for Security)
• A strong password should be:
• Hard to guess.
• Long.
• Mix of uppercase, lowercase, numbers, and special symbols.
• Not personal info (like your pet’s name or birthday).
 Information Security Controls Contd..
3. Communication Controls (Network Security)
• These are methods to protect data when it moves across networks (like the
Internet or your company’s internal network).

Main Types:
A) Firewalls
• Act like a security guard at a gate.
• They check all messages going in or out of a company’s network.
• If the message follows the rules, it is allowed; if not, it is blocked.
• Companies use two firewalls: one facing the Internet, and one facing the
internal company network.
• This creates a safe middle zone (called DMZ) where public services (like
websites, email) are placed.
 Information Security Controls Contd..
B) Anti-malware (Antivirus Software)
• Like a doctor for computers.
• Finds and removes harmful programs like viruses or worms.
• Needs regular updates to recognize new types of threats.
• New systems not only react but also predict suspicious behavior to catch
unknown malware.

C) Whitelisting and Blacklisting

• Whitelisting = Only approved software can run (like an invite-only party).
• Blacklisting = Everything can run, except blocked software (like banning
certain people from entering).
• Helps stop dangerous programs or websites.
 Information Security Controls Contd..
D) Encryption
• Like writing a message in a secret code.
• Only the person with the right key can read it.
• Uses two keys:
• Public key (to lock the message).
• Private key (to unlock the message).
• Digital certificates (from trusted companies like VeriSign) prove the sender is
genuine.

E) VPN (Virtual Private Network)

• Works like a private tunnel through the Internet.
• Keeps data safe and private when employees work from home or travel.
• Encrypts (locks) data so no one else can read it.
 Information Security Controls Contd..
F) TLS / SSL (Secure Socket Layer)
• Used in online shopping, banking, or any secure website.
• You know it’s secure when the web address starts with https:// and shows
a padlock symbol.

G) Employee Monitoring Systems

• Like CCTV for employees’ computers.
• Checks if staff misuse the Internet, waste time, or visit unsafe websites.
• Helps reduce risks caused by human mistakes.