Ethical Issues in Information Security

The document discusses ethical issues and privacy concerns related to information systems, defining key concepts such as ethics, information privacy, accountability, and liability. It highlights the challenges organizations face in securing information resources due to interconnected networks, decreasing hacker skills, and lack of management support, while emphasizing the importance of ethical responsibility, accountability, and legal liability in data management. Additionally, it outlines various security controls—preventive, detective, and corrective—necessary to protect organizational data from threats and ensure business continuity.

Uploaded by jesica.s.suthar

Module - III

Ethical issues and Privacy


Key Definitions:

Ethics: The principles of right and wrong that individuals use to make choices to guide their behaviours.

Information privacy: The right to determine when, and to what extent, personal information can be gathered by and/or communicated to others.

Accountability: A tenet of ethics that refers to determining who is responsible for actions that were taken.

Liability: A legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.

Encryption: The process of converting an original message into a form that cannot be read by anyone except the intended receiver.

Firewall: A system (either hardware, software, or a combination of both) that prevents a specific type of information from moving between un-trusted networks, such as the Internet, and private networks, such as your company’s network.

Information security: Protecting an organization’s information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Vulnerability: The possibility that an information resource will be harmed by a threat.

Security can be defined as the degree of protection against criminal activity, danger, damage, and/or loss.

Following this broad definition, information security refers to all of the processes and policies designed to protect an organization’s information and information systems (IS) from unauthorized access, use, disclosure, disruption, modification, or destruction.

Organizations collect huge amounts of information and employ numerous information systems that are
subject to myriad threats. A threat to an information resource is any danger to which a system may be
exposed.

The exposure of an information resource is the harm, loss, or damage that can result if a threat compromises that resource. An information resource’s vulnerability is the possibility that the system will be harmed by a threat.

Today, five key factors are contributing to the increasing vulnerability of organizational information resources, making it much more difficult to secure them:
● Today’s interconnected, interdependent, wirelessly networked business environment;
● Smaller, faster, cheaper computers and storage devices;
● Decreasing skills necessary to be a computer hacker;
● International organized crime taking over cybercrime;
● Lack of management support.

Ethical Issues and Privacy


● Accuracy: Ensuring customer data is correct. Wrong credit score data could unfairly affect loan approvals.
● Property: Who owns customer-generated data? Example: disputes over Facebook’s ownership of user posts.
● Accessibility: Who should be allowed to access sensitive data? Example: in healthcare, only authorized doctors can access patient records.
● Accountability: Organizations must take responsibility for misuse of information. Example: Equifax data breach (2017) where sensitive personal data of 147 million users was leaked.

Privacy Concerns:
● With the rise of big data, user privacy is at risk. Companies track browsing habits, locations, and social media activities.
● Governments enforce regulations like GDPR in Europe and the IT Act in India to safeguard user data.

Example:
● Apple emphasizes privacy as a feature by restricting apps from tracking user data without permission.
● The Cambridge Analytica scandal (Facebook) showed how misuse of personal data can influence political decisions.

Ethical Issues and Privacy


Ethical Issues in Information Systems

Definition: Ethics are principles that define right and wrong behavior. In IS, it means how fairly and
responsibly technology is used.

Three Fundamental Tenets:

Responsibility → Accepting the consequences of one’s decisions.

Example: A software company releases an update that accidentally deletes user files. The company must take
responsibility by compensating or fixing it.

Accountability → A mechanism to identify who is responsible for an action.

Example: If sensitive medical records are leaked, the hospital’s IT administrator who failed to secure the
database is accountable.

Liability → Legal framework that allows victims to seek compensation.

Example: A credit card company can be held legally liable if it fails to protect customer data from hackers.

Privacy Concerns

Definition: Privacy is the right of individuals to control when, how, and to what extent their personal data is
shared.

Issues:

Employee Monitoring: Companies track emails and browsing history to prevent misuse, but it raises ethical issues.

Data Collection: E-commerce sites (e.g., Amazon, Flipkart) collect customer purchase history for targeted
ads. Without user consent, it is a violation of privacy.

Social Media: Facebook faced criticism for sharing data with third-party apps (Cambridge Analytica case).

Balance: Organizations must balance business needs (security, efficiency) with user rights (consent,
transparency).

Information Security

Definition: Protecting organizational data and systems from unauthorized access, modification, or destruction.

Core Objectives (CIA Triad):
● Confidentiality – Only authorized users can access data (e.g., banking apps with two-factor authentication).
● Integrity – Data remains accurate and unchanged (e.g., preventing tampering with stock trading systems).
● Availability – Systems and data must be accessible when needed (e.g., 24/7 online banking availability).

Example: Hospitals need security to protect patient health records (HIPAA compliance in the USA).

Information Security

Definition: Information Security (InfoSec) → Protecting systems from unauthorized access, disclosure, modification, or destruction.

Goal: Ensure Confidentiality, Integrity, Availability (CIA Triad).

Why is Security Challenging?

Interconnected networks: Wi-Fi hotspots in public places are easily hacked.

Example: An attacker in a café can sniff passwords transmitted over unsecured Wi-Fi.

Portable devices: Laptops, USBs, smartphones can be lost/stolen.

Example: In 2006, a laptop containing personal data of 26 million U.S. veterans was stolen.

Hacking tools availability: Free hacking scripts allow even unskilled attackers to launch attacks.

Example: “Kali Linux” includes penetration tools widely misused by amateur hackers.

Cybercrime organizations: Criminal groups operate like businesses.

Example: Ransomware groups like “REvil” target companies for millions of dollars.

Weak management commitment: Companies often ignore security budgets until a breach happens.

Example of Cyberwarfare

Stuxnet Worm (2010) → First known cyber weapon. It targeted Iran’s nuclear centrifuges, causing them to
malfunction. This showed how cyberattacks could cripple national infrastructure.

Threats to Information Systems


Human Threats:
● Insider misuse (e.g., employees leaking trade secrets).
● Negligence (e.g., weak passwords).

Technical Threats:
● Malware (viruses, worms).
● Ransomware (attackers encrypt company data and demand ransom, e.g., WannaCry attack on NHS, UK, 2017).
● Phishing (fraudulent emails tricking users into sharing credentials).
● DoS/DDoS attacks (overloading servers to make services unavailable).

Natural Threats:
● Disasters like floods, earthquakes, and fires that destroy IT infrastructure.

Example:
● In 2021, Colonial Pipeline (US) suffered a ransomware attack that disrupted fuel supply for days.

Threats to Information Systems


A. Unintentional Threats

Human Errors: Mistakes by employees, managers, or contractors.

Example: An employee misconfigures cloud storage (Amazon S3 bucket), exposing millions of customer records.

Vulnerable groups:
● IS staff → Poorly designed security settings.
● HR staff → Mishandling resumes with sensitive info.
● Contractors & janitors → Access to premises without strong monitoring.

B. Social Engineering

Definition: Psychological manipulation to trick people into revealing confidential data.

Examples:

Phishing: Fake bank emails asking users to update passwords.

Shoulder Surfing: Observing someone enter an ATM PIN.

Tailgating: Following an employee into a secure office without an ID card.

Real Case: In 2011, hackers used social engineering to access RSA Security (a top authentication provider), leading to theft of security tokens used worldwide.

C. Deliberate Threats

Espionage/Trespass → Unauthorized access to company data.

Example: Hackers stealing design documents of iPhone prototypes.

Information Extortion → Demanding money for not releasing stolen data.

Example: Attackers threatening Netflix to release episodes of “Orange is the New Black” before air date.

Sabotage/Vandalism → Defacing websites to harm reputation.

Example: Hacktivist group Anonymous replacing company logos with protest messages.

Theft of Equipment/Data → Stolen laptops, dumpster diving.

Example: Healthcare data often stolen from discarded hospital hard drives.

Identity Theft → Stealing personal details to commit fraud.

Example: Using someone’s Aadhaar and PAN to open a fake bank account.

Compromising Intellectual Property → Pirated movies, cracked software.

Example: Bollywood movies often leaked online before release.

Software Attacks:

Virus: Attaches to files, spreads when opened.

Worm: Self-replicates across networks.

Trojan: Disguised as genuine software.

Example: WannaCry ransomware in 2017 infected 200,000 computers in 150 countries.

Alien Software → Unwanted software like spyware, adware.

Example: Free toolbars secretly installing trackers on browsers.

SCADA Attacks → Industrial system disruption.

Example: Ukraine power grid hack (2015) left thousands without electricity.

Cyberterrorism/Cyberwarfare → Attacks against governments or critical infrastructure.

Example: Estonian government websites were taken down in 2007 by suspected Russian hackers.

Security Controls

Preventive Controls:
● Stop attacks before they happen.
● Examples: firewalls, encryption, antivirus software, biometric authentication.

Detective Controls:
● Detect and report incidents.
● Examples: intrusion detection systems (IDS), system monitoring, audit logs.

Corrective Controls:
● Recover from damage caused by attacks.
● Examples: backup systems, disaster recovery plans, patch management.

Example:
● Banks use multi-factor authentication (MFA) as preventive, fraud detection systems as detective, and data backup systems as corrective measures.

Security Controls
Security controls are safeguards or countermeasures put in place to protect an organization’s information systems from threats, reduce risks, and ensure business continuity. They can be broadly categorized into Preventive, Detective, and Corrective Controls.

1. Preventive Controls

Definition: These controls are designed to stop attacks before they occur. They act as the first line of defense by making it difficult for attackers to compromise systems.

Key Features:

Focus on proactive protection.

Implemented at multiple levels: physical, network, application, and user access.

Reduce the attack surface.

Examples:

Firewalls – Block unauthorized access from external networks.

Example: A bank uses firewalls to prevent hackers from accessing customer transaction systems.

Encryption – Protects data confidentiality during transmission and storage.

Example: End-to-end encryption in WhatsApp prevents eavesdropping.

Antivirus software – Stops malware from installing on devices.

Example: Windows Defender blocks Trojan horse downloads.

Biometric Authentication – Prevents unauthorized logins.

Example: Fingerprint recognition on smartphones prevents strangers from unlocking devices.

Real-World Case: The Equifax breach (2017) could have been prevented if timely patching (a preventive control) had been applied to fix a known vulnerability in Apache Struts.

2. Detective Controls

Definition: These controls identify and alert when a security breach or suspicious activity occurs. They don’t prevent the incident but help in early detection so that corrective measures can be applied.

Key Features:

Provide visibility into system activity.

Help in forensic analysis after incidents.

Reduce the time attackers remain undetected.

Examples:

Intrusion Detection Systems (IDS) – Monitor traffic and raise alerts for abnormal behavior.

Example: Snort IDS detects unusual spikes in network traffic indicating a DDoS attack.

System Monitoring Tools – Track server health and detect anomalies.

Example: AWS CloudWatch alerts administrators when CPU usage spikes abnormally.

Audit Logs – Record activities of users and systems for later investigation.

Example: Login attempts recorded in Active Directory can detect brute-force attacks.

Real-World Case: In the Target data breach (2013), an IDS flagged suspicious activity, but the alerts were ignored. Had they been acted upon, millions of credit card details wouldn’t have been stolen.
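A minimal version of the audit-log check described above (spotting brute-force logins in recorded login attempts), added here as an example and not part of the original notes. The log lines are constructed; the codes 4625/4624 follow the Windows failed/successful logon event IDs, and the threshold and time window are assumed values.

```python
"""Brute-force detection over authentication audit logs (added example;
the log lines below are constructed and do not come from a real system)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records: timestamp, event code, account, source IP.
# 4625 mirrors the Windows "failed logon" event id, 4624 a successful logon.
SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 alice 203.0.113.7
2024-03-01T09:00:02 4625 alice 203.0.113.7
2024-03-01T09:00:03 4625 alice 203.0.113.7
2024-03-01T09:00:04 4625 alice 203.0.113.7
2024-03-01T09:00:05 4625 alice 203.0.113.7
2024-03-01T09:00:06 4624 alice 203.0.113.7
2024-03-01T09:00:10 4625 bob 198.51.100.4
2024-03-01T09:30:00 4625 bob 198.51.100.4
"""


def parse_line(line):
    """Split one audit record into (timestamp, event, account, source)."""
    ts, event, account, src = line.split()
    return datetime.fromisoformat(ts), event, account, src


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for (source, account) pairs with >= threshold failed
    logons inside the window. A success that follows such a burst is flagged
    separately: a likely-compromised account needs a different response than
    a noisy one. threshold/window are assumed tuning values."""
    failures = defaultdict(deque)   # (src, account) -> recent failure times
    alerts = []
    for line in log_text.splitlines():
        ts, event, account, src = parse_line(line)
        recent = failures[(src, account)]
        if event == "4625":
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop expired failures
                recent.popleft()
            if len(recent) == threshold:                # alert once per burst
                alerts.append(("bruteforce", src, account, ts))
        elif event == "4624" and len(recent) >= threshold:
            alerts.append(("success_after_failures", src, account, ts))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

Bob's two failures fall outside the five-minute window of each other, so they never reach the threshold; Alice's burst produces one brute-force alert and one success-after-failures alert.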

3. Corrective Controls

Definition: These controls focus on recovery and restoration after an attack or security incident. Their goal is to minimize damage and bring systems back to normal functioning.

Key Features:

Mitigate impact after an incident.

Ensure business continuity.

Help organizations learn from incidents to prevent recurrence.

Examples:

Backup Systems – Restore lost or corrupted data.

Example: Google Drive automatic backups recover user files after ransomware attacks.

Disaster Recovery Plans (DRP) – Procedures to resume business operations after major incidents.

Example: During the 9/11 attacks, many financial institutions activated their DRP to relocate operations.

Patch Management – Fixes vulnerabilities after they are discovered.

Example: Microsoft releases Patch Tuesday updates to correct system flaws.

Real-World Case: During the WannaCry ransomware attack (2017), organizations with proper backups and DRP were able to recover quickly, while others lost critical data.
