ch12x (uploaded by erosjellySecurity, Feb 23, 2014)

Managing and Using Information Systems: A Strategic Approach, Fifth Edition

Chapter 12: Using Information Ethically

Keri Pearlson and Carol Saunders

PowerPoint® files by Michelle M. Ramim, Huizenga School of Business and Entrepreneurship, Nova Southeastern University

(c) 2013 John Wiley & Sons, Inc. Pearlson and Saunders, 5th Ed., Chapter 12

Learning Objectives

- Understand how ethics should be framed in the context of business practices and the challenges surrounding these issues.
- Define and describe the three normative theories of business ethics.
- List and define PAPA and explain why it is important.
- Identify the issues related to the ethical governance of IS.
- Understand organizations' security issues and how organizations are bolstering security.
- Describe how security can best be enacted.
- Define the Sarbanes-Oxley Act and the COBIT framework.

Real World Example

- TJX Co. experienced the largest computer system security breach in the history of retailing.
- As many as 94 million customers were affected.
- TJX had to decide between notifying its customers immediately or waiting the 45 days allowed by the jurisdictions.
  o If it waited, its customers might be further compromised by the breach.
  o If it notified them immediately, it might lose customer confidence and face punishment from Wall Street.

Responsible Computing

- Companies encounter ethical dilemmas as they try to use their IS to create and exploit competitive advantages.
  o A dilemma occurs when there is no one clear way to deal with the ethical issue.
- Managers:
  o must assess initiatives from an ethical point of view.
  o are used to the overriding ethical norms present in their traditional businesses.
  o need to translate their current ethical norms into terms meaningful for the new electronic corporation in the information age.
- Information ethics are the "ethical issues associated with the development and application of information technologies." (Martinsons and Ma)

Stockholder Theory

- Stockholders advance capital to corporate managers, who act as agents in advancing the stockholders' ends.
  o Managers are bound to the interests of the shareholders (i.e., maximizing shareholder value).
  o As Milton Friedman said: "There is one and only one social responsibility of business: to use its resources and engage in activities designed to increase its profits so long as it stays within the rules of the game, which is to say, engages in open and free competition, without deception or fraud."
- Stockholder theory says the manager's duties are to:
  o pursue shareholder value by legal, non-fraudulent means.
  o take a long view of shareholder interest (i.e., forego short-term gains in favor of long-term value).

Stockholder Theory (Cont.)

- The stockholder theory provides a limited framework for moral argument.
  o It assumes the free market has the ability to fully promote the interests of society at large.
  o Critics respond that the singular pursuit of profit by individuals or corporations does not maximize social welfare.
  o Free markets can lead to monopolies and other circumstances that limit society members' ability to secure the common good.


Stakeholder Theory

- Stakeholder theory states:
  o Managers are entrusted with a responsibility, fiduciary or otherwise, to all those who hold a stake in or a claim on the firm.
  o Management must enact and follow policies that balance the rights of all stakeholders without impinging upon the rights of any one particular stakeholder.
- Stakeholders are:
  o any group that vitally affects the corporation's survival and success.
  o any group whose interests the corporation vitally affects.
  o stockholders, customers, employees, suppliers, and the local community.
- Other groups may also be considered stakeholders depending on the circumstances.

Stakeholder Theory (Cont.)

- Stakeholders can stop participating if they feel that their interests have not been considered by management.
  o Examples include:
    - Customers can stop buying the company's products.
    - Stockholders can sell their stock.
    - Employees, by contrast, may need to continue working for the corporation even though they dislike their employer's practices or experience considerable stress due to their jobs.



Social Contract Theory

- Social contract theory places social responsibilities on corporate managers to consider the needs of a society.
  o What conditions would have to be met for the members of a society to agree to allow a corporation to be formed?
  o Corporations are expected to add more value to society than they consume.
- The social contract has two components:
  o Social welfare.
    - Corporations must provide greater benefits than their associated costs, or society would not allow their creation.
    - Managers are obligated to pursue profits in ways that are compatible with the well-being of society as a whole.
  o Justice.
    - Corporations must pursue profits legally, without fraud or deception, and avoid actions that harm society.

Social Contract Theory (Cont.)

- In the absence of a real contract whose terms subordinate profit maximization to social welfare, most critics find it hard to imagine corporations losing profitability in the name of altruism.
- The three normative theories of business ethics offer useful metrics for defining ethical behavior in profit-seeking enterprises under free market conditions (Figure 12.1).
  o The three theories can be represented by concentric circles.
    - Stockholder theory is the narrowest in scope and is in the center circle.
    - Stakeholder theory encompasses stockholder theory and expands on it.
    - Social contract theory covers the broadest area and is in the outer ring.

Figure 12.1 Three normative theories of business ethics.

Theory: Stockholder
Definition: Maximize stockholder wealth in legal and non-fraudulent manners.
Metrics: Will this action maximize stockholder value? Can goals be accomplished without compromising company standards and without breaking laws?

Theory: Stakeholder
Definition: Maximize benefits to all stakeholders while weighing costs to competing interests.
Metrics: Does the proposed action maximize collective benefits to the company? Does this action treat one of the corporate stakeholders unfairly?

Theory: Social contract
Definition: Create value for society in a manner that is just and nondiscriminatory.
Metrics: Does this action create a "net" benefit for society? Does the proposed action discriminate against any group in particular, and is its implementation socially just?

Corporate Social Responsibility

- The application of social contract theory helps companies adopt a broader perspective.
- A "big picture" view considers two types of corporate social responsibility:
  o Green computing.
    - Green computing is a new way of doing business.
  o Ethical dilemmas with governments.
    - More and more corporations are facing ethical dilemmas in our flattening world.

Green Computing

- Gartner put green computing at the top of its list of upcoming strategic technologies.
- Green computing is:
  o concerned with using computing resources efficiently.
  o needed due to the increasing energy demands of running IT infrastructure.
- The 5 largest search companies use more power than is generated by Hoover Dam.
- Companies are working to adopt more socially responsible approaches to energy consumption by:
  o replacing older systems with more energy-efficient ones.
  o moving workloads based on energy efficiency.
  o using the most power-inefficient servers only at peak usage times.
  o improving data center air flows.
  o turning to cloud computing and virtualization.
- By reducing total energy consumption, a company can be both sustainable and profitable.

Green Computing (Cont.)

- Green programs can have a triple bottom line (TBL): economic, environmental, and social.
  o Green programs create economic value while being socially responsible and sustaining the environment.
  o A triple bottom line is also known as "3BL" or "People, Planet, Profit."
- A social contract theory perspective:
  o Managers benefit society by conserving global resources when they make green, energy-related decisions about their computer operations.
- A stockholder theory perspective:
  o Energy-efficient computers reduce:
    - the direct costs of running the computing-related infrastructure.
    - the costs of complementary utilities such as cooling systems for the infrastructure components.

Ethical Tensions with Governments

- Organizations also face dilemmas in reconciling their corporate policies with regulations in countries where they want to operate.
- "Managers may need to adopt much different approaches across nationalities to counter the effects of what they perceive as unethical behaviors." (Leidner and Kayworth)
  o Research in Motion (RIM) was threatened by the United Arab Emirates government.
  o Censorship posed an ethical dilemma for Google.



PAPA: Privacy, Accuracy, Property, and Accessibility

- In an economy that is rapidly becoming dominated by knowledge workers, the value of information is tremendous.
- Collecting and storing information is becoming easier and more cost-effective.
- Richard O. Mason identified four areas of information ethics in which the control of information is crucial; these are summarized by the acronym PAPA (Figure 12.2):
  o privacy
  o accuracy
  o property
  o accessibility

Figure 12.2 Mason's areas of managerial control.

Area: Privacy
Critical questions: What information must a person reveal about oneself to others? What information should others be able to access about you, with or without your permission? What safeguards exist for your protection?

Area: Accuracy
Critical questions: Who is responsible for the reliability and accuracy of information? Who will be accountable for errors?

Area: Property
Critical questions: Who owns information? Who owns the channels of distribution, and how should they be regulated?

Area: Accessibility
Critical questions: What information does a person or an organization have a right to obtain? Under what conditions? With what safeguards?

Privacy

- Privacy has long been considered:
  o "the right to be left alone." (Warren and Brandeis)
  o "protections from intrusion and information gathering by others." (Stone et al.)
- Individuals can manage their privacy through choice, consent, and correction.
  o Choice: Individuals can select the desired level of access to their information, ranging from "total privacy to unabashed publicity." (Tavani and Moor)
  o Consent: Individuals exert control when they manage their privacy through consent; they can grant access to otherwise restricted information.
  o Correction: Individuals exert control through the ability to access their personal information; they can correct errors and update their information.

Privacy (Cont.)

- The tension between the proper use of personal information and information privacy is a serious ethical debate.
  o Surveillance of employees (e.g., monitoring e-mail and computer utilization) challenges privacy.
  o Individuals' surfing behaviors are traced via cookies, beacons, flash cookies, and supercookies.
    - A cookie is a small piece of text that a web server gives to a web browser; the browser stores it and sends it back with later requests to that server, which is what lets the server recognize the same browser across visits.
    - Using cookies to gather information was ruled legal by U.S. courts.
  o Websites are used to create rich databases of consumer profiles that can be sold.
  o Managers must be aware of regulations that are in place regarding the authorized collection, disclosure, and use of personal information.
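The tracing mechanism behind the cookie bullet above, as an added example that is not part of the original slides or the textbook: a third-party host embedded on several unrelated sites sets a cookie on the first hit and, because the browser returns it on every later hit, can stitch those visits into one profile. The hostnames (ads.example, shop.example, news.example), the cookie name "uid", the visit sequence and the audit rules are all constructed for illustration; the cookie parsing uses only Python's standard library.

```python
# Added example, not part of the Pearlson & Saunders slides: how a third-party
# tracking cookie lets one server correlate a browser's visits across unrelated
# sites, plus the Set-Cookie attribute checks a reviewer would apply.
# The hostnames (ads.example, shop.example, news.example), the cookie name "uid"
# and the visit sequence are all constructed for illustration.
from collections import defaultdict
from http.cookies import SimpleCookie


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into its name, value and attributes."""
    jar = SimpleCookie()
    jar.load(header)
    [(name, morsel)] = jar.items()          # exactly one cookie per header
    return {
        "name": name,
        "value": morsel.value,
        "domain": morsel["domain"] or None,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": morsel["samesite"].lower() or None,
    }


def audit_cookie(header: str) -> list:
    """Return the attribute weaknesses a reviewer would flag for a Set-Cookie header."""
    c = parse_set_cookie(header)
    findings = []
    if not c["secure"]:
        findings.append("missing Secure")            # may travel over plain HTTP
    if not c["httponly"]:
        findings.append("missing HttpOnly")          # readable by page scripts
    if c["samesite"] is None:
        findings.append("missing SameSite")
    elif c["samesite"] == "none":
        findings.append("SameSite=None allows cross-site sending")  # what trackers rely on
    return findings


class Tracker:
    """A third-party host embedded (as a pixel or script) on many sites."""

    def __init__(self, host: str):
        self.host = host
        self.next_id = 1
        self.profiles = defaultdict(list)   # uid -> pages seen with that uid

    def handle(self, referer: str, cookies: dict):
        """Serve one hit; set a uid cookie on the first visit, then reuse it."""
        uid = cookies.get("uid")
        set_cookie = None
        if uid is None:
            uid = f"u{self.next_id:04d}"
            self.next_id += 1
            # Secure + SameSite=None is what a cross-site (third-party) cookie needs
            set_cookie = (f"uid={uid}; Domain={self.host}; Path=/; "
                          "Max-Age=31536000; Secure; SameSite=None")
        self.profiles[uid].append(referer)
        return set_cookie


class Browser:
    """Stores cookies per host and sends them back on later requests to that host."""

    def __init__(self):
        self.jar = defaultdict(dict)        # host -> {cookie name: value}

    def visit(self, page: str, tracker: Tracker):
        sent = dict(self.jar[tracker.host])
        header = tracker.handle(referer=page, cookies=sent)
        if header:
            c = parse_set_cookie(header)
            self.jar[tracker.host][c["name"]] = c["value"]


def simulate() -> dict:
    """Three visits on two unrelated sites, all embedding the same tracker."""
    tracker = Tracker("ads.example")
    browser = Browser()
    for page in ("https://shop.example/cart",
                 "https://news.example/politics",
                 "https://shop.example/checkout"):
        browser.visit(page, tracker)
    return dict(tracker.profiles)


if __name__ == "__main__":
    print(simulate())   # one uid, three pages: the visits are linkable
    print(audit_cookie("session=abc123; Path=/"))
```

The simulation yields a single uid holding pages from both sites, which is the profile-building the slide warns about. Note the two-sided role of the attributes: a first-party session cookie without Secure, HttpOnly and SameSite is a security finding, while the tracker's SameSite=None is deliberate, since without it the browser would not send the cookie on the cross-site hits.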

The Right to Privacy

- Courts have decided that customers do not have a right to privacy while searching the Internet.
  o This extends to monitoring of phone usage, location, e-mailing behaviors, and a myriad of other behaviors.
  o Customers give up privacy because:
    - they can receive personalized services in return.
    - they receive payment for the information at a price that exceeds what they are giving up.
    - they see providing information as something that everybody is doing (e.g., Facebook pages).
- What is posted on the web is there forever.
  o It may be fun to share it now, but there could be unintended consequences in the future.






Privacy Legislation: United States

- U.S. privacy protection relies on a mix of legislation, regulation, and self-regulation.
  o Privacy legislation is based on a legal tradition with a strong emphasis on free trade.
- The 1974 Privacy Act regulates the U.S. government's collection and use of personal information.
- The 1998 Children's Online Privacy Protection Act regulates the online collection and use of children's personal information.
- The Gramm-Leach-Bliley Act of 1999 applies to financial institutions selling sensitive information (account information, Social Security numbers, credit card purchase histories, and so forth) to telemarketing companies.
  o The act allows the customer to opt out, that is, to specifically tell the institution that his or her personal information cannot be used or distributed.

Additional Privacy Legislation

- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes privacy and information security safeguards for the electronic exchange of health information in the health care industry.
- The Fair Credit Reporting Act limits the use of consumer reports provided by consumer reporting agencies to "permissible purposes" and grants individuals the right to access their reports and correct errors in them.
- The European Union differs from the U.S. by relying on:
  o omnibus legislation that requires creation of government data protection agencies.
  o registration of databases with those agencies.
  o prior approval before processing personal data in some cases.

U.S. and European Legislation

- U.S. companies were concerned that they would be unable to meet the European "adequacy" standard for privacy protection specified in the European Commission's Directive.
  o Directive 95/46/EC on Data Protection:
    - took effect in 1998.
    - sets standards for the collection, storage, and processing of personal information.
    - prohibits the transfer of personal data to non-European Union nations that do not meet the European privacy standards.
- The U.S. Department of Commerce (DOC) developed a "safe harbor" framework in 2000 that:
  o allows U.S. companies to be placed on a list maintained by the DOC.
  o requires companies to demonstrate through a self-certification process that they are enforcing privacy at a level practiced in the European Union.
  o (Note: the safe harbor framework was invalidated by the Court of Justice of the European Union in 2015, and Directive 95/46/EC was replaced by the General Data Protection Regulation in 2018.)

Accuracy

- Accuracy, or the correctness of information, dominates corporate record-keeping activities.
  o Accuracy requires good controls over an organization's internal processes (the textbook's example is a bank).
  o Risks arise from inaccurate information retained in corporate systems.
- Managers must establish controls to ensure that information is accurate.
  o Data entry errors must be controlled and managed carefully.
  o Data must be accurate and up-to-date (e.g., addresses and phone numbers).
- The European Union Directive on Data Protection:
  o requires accurate and up-to-date data.
  o requires that data be kept no longer than necessary to fulfill its stated purpose.

Property

- Vast amounts of data about clients are collected and stored.
  o Data is:
    - shared with others.
    - used to create a more accurate profile of clients.
    - stored in a data warehouse.
    - "mined" to create a profile for something completely different.
- Who owns the data and has rights to it?
- Who owns the images that are posted in cyberspace?
- Managers must understand the legal rights and duties accorded to proper ownership.
- Information, which is costly to produce in the first place, can be easily reproduced and sold without the individual who produced it even knowing what is happening or being reimbursed for its use (Mason).


Accessibility

- Accessibility, or the ability to obtain data, has become paramount.
  o Users must gain:
    - the physical ability to access online information resources or computational systems.
    - access to the information itself.
- Managers' challenges include:
  o deciding how to create and maintain access to information for society at large.
  o avoiding harm to individuals who have provided the information.
  o ensuring that access to information about employees and customers is restricted.
  o actively ensuring that adequate security and control measures are in place.
  o ensuring adequate safeguards in the companies of their key trading partners.
  o avoiding a surge in identity theft incidents, both true-name and account-takeover.

A Manager's Role in Ethical Information Control

- Managers must work to:
  o implement controls over information highlighted by the PAPA principles.
  o deter identity theft by limiting inappropriate access to customer information.
  o respect customers' privacy.
  o implement the following best practices:
    - Create a culture of moral responsibility.
    - Top-level executives should promote responsibility for protecting both personal information and the organization's IS.
    - Internet companies should post their policies.
    - Implement governance processes for information control.
    - COBIT and ITIL can help identify risks.
    - Avoid decoupling.

Security and Controls

- The PAPA principles work hand in hand with security.
- Organizations appear to rely on luck rather than on proven IS controls.
- Emphasis is placed on using technology to protect organizational data from unauthorized hackers and undesirable viruses.
  o E.g., antivirus countermeasures, spam-filtering software, intrusion detection systems.
- Managers and IT staff must go to great lengths to protect the organization's computers and infrastructure from unauthorized access or external threats such as:
  o hackers who seek to enter a computer for sport or with malicious intent.
  o telecommunications failures.
  o service provider failures.
  o spamming.
  o distributed denial of service (DDoS) attacks.

Security and Controls (Cont.)

- Internal threats to security include:
  o current and former employees seeking to sabotage the IS infrastructure and the integrity of data.
  o unintentional human error or operational errors.
  o hardware or software failure.
  o natural disasters.
- Figure 12.3 summarizes three types of tools employed to manage security and control: firewalls, passwords, and filtering tools.
- Additional technological approaches to security and privacy may include a combination of software and hardware (e.g., fingerprint-based biometrics).



Figure 12.3 Security and control tools.

Security category: Hardware system security and controls

  Firewalls: A computer (or dedicated device) with both an internal and an external network interface, placed between the internal network and the outside. It controls access to the internal network and lets only authorized traffic pass the barrier.

  Encryption and decryption: Cryptography, or secure writing, ensures that information is transformed into an unintelligible form before transmission and back into an intelligible form when it arrives at its destination, protecting the informational content of messages.

  Anonymizing tools and pseudonym agents: Tools that enable the user to navigate the Internet either anonymously or pseudonymously to protect the identity of individuals.

Security category: Network and software security controls

  Network operating system software: The core set of programs that manage the resources of the computer or network; these often have functionality such as authentication, access control, and cryptography.

  Security information management: A management scheme to synchronize all mechanisms and protocols built into network and computer operating systems and protect the systems from unauthorized access.

  Server and browser software: Mechanisms to ensure that errors in programming do not create holes or trapdoors that can compromise websites.
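The firewall row above says the barrier "only lets authorized traffic pass"; what that means in practice is a rule list evaluated first-match with an explicit default deny, where rule order decides the outcome. The following is an added example and is not code from the slides or the textbook: a minimal packet filter over CIDR ranges and ports. The internal range 10.0.0.0/8, the web server 10.0.1.10, the blocked range 203.0.113.0/24 and the sample packets are constructed for illustration (documentation address ranges), and the policy is a hypothetical one.

```python
# Added example, not part of the Pearlson & Saunders slides: a minimal
# first-match packet filter of the kind a firewall applies between an
# internal and an external network interface, with an explicit default-deny.
# Addresses (10.0.0.0/8 internal, 10.0.1.10 web server, 203.0.113.0/24 as a
# blocked external range) and the sample packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def decide(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins. Nothing matched means deny: the barrier only
    passes traffic a rule explicitly authorizes."""
    for index, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


INTERNAL = "10.0.0.0/8"
WEB_SERVER = "10.0.1.10/32"
BLOCKED_NET = "203.0.113.0/24"

# Correct ordering: the specific deny precedes the broad allow.
POLICY = [
    Rule("deny", "any", BLOCKED_NET, "0.0.0.0/0", None),      # known-bad range
    Rule("allow", "tcp", "0.0.0.0/0", WEB_SERVER, 443),       # public HTTPS
    Rule("allow", "tcp", INTERNAL, "0.0.0.0/0", 443),         # outbound HTTPS
]

# Same rules with the deny moved last: the allow above it now wins for the bad range.
MISORDERED_POLICY = POLICY[1:] + POLICY[:1]

SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "10.0.1.10", 443),    # outsider to web server
    Packet("tcp", "198.51.100.7", "10.0.1.10", 22),     # outsider to SSH: no rule
    Packet("tcp", "203.0.113.9", "10.0.1.10", 443),     # blocked range to web server
    Packet("tcp", "10.0.5.20", "198.51.100.50", 443),   # internal host outbound
    Packet("udp", "10.0.5.20", "198.51.100.50", 53),    # internal DNS: no rule
]


def evaluate(rules: List[Rule]) -> List[str]:
    """Actions for SAMPLE_PACKETS under the given policy."""
    return [decide(rules, p)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, action in zip(SAMPLE_PACKETS, evaluate(POLICY)):
        print(f"{action:5s} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    print("misordered:", evaluate(MISORDERED_POLICY))
```

Two things to take from it: the SSH and DNS packets are denied without any rule naming them, which is the default-deny property the definition relies on, and swapping the order of two rules silently admits the blocked range, so a firewall review must check rule order, not just the set of rules.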

Figure 12.3 (Cont.)

Security category: Broadcast medium security and controls

  Labeling and rating software: The software industry incorporates Platform for Internet Content Selection (PICS) technology, a mechanism for labeling web pages based on content. These labels can be used by filtering software to manage access. Online privacy seal programs such as TRUSTe inform users of an online vendor's privacy policies and ensure that those policies are backed and enforced by reputable third parties.

  Filtering/blocking software: Software that checks documents and web sites against a designated filter's block list ("black list") and keeps listed content from being displayed on the user's computer.

Approaches to Reduce Threats

- Efforts to reduce threats include:
  o top management support.
  o training and awareness programs for employees, customers, and other stakeholders.
  o development of security procedures and policies.
  o frequent security audits.
  o risk management programs.

Chapter 12 - Key Terms

Accessibility (p. 365) - the ability to obtain the data.

Accuracy (p. 364) - the correctness of information; assumes real importance for society as computers come to dominate corporate record-keeping activities.

Cookie (p. 361) - a small piece of text given to a web browser by a web server, stored by the browser and returned on later requests to that server.

Green computing (p. 357) - concerned with using computing resources efficiently.

Identity theft (p. 366) - a crime in which the thief uses the victim's personal information, such as a driver's license number or Social Security number, to impersonate the victim.



Chapter 12 - Key Terms (Cont.)

Information ethics (p. 352) - the "ethical issues associated with the development and application of information technologies." (Martinsons and Ma)

Privacy (p. 359) - "the right to be left alone." (Warren and Brandeis)

Property (p. 365) - who owns the data.

Social contract theory (p. 354) - places social responsibilities on corporate managers to consider the needs of a society.

Stakeholder theory (p. 352) - managers, although bound by their relation to stockholders, are entrusted also with a responsibility, fiduciary or otherwise, to all those who hold a stake in or a claim on the firm.

Stockholder theory (p. 353) - stockholders advance capital to corporate managers, who act as agents in furthering the stockholders' ends.



Copyright 2013 John Wiley & Sons, Inc.

All rights reserved. Reproduction or translation of this work beyond that named in Section 117 of the 1976 United States Copyright Act without the express written consent of the copyright owner is unlawful. Requests for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein.