
Security, Privacy, and Ethics

Why and what managers need to know about IT risk management, privacy, and
information systems ethics.

© Gabriele Piccoli
Course Roadmap

• Part I: Foundations
• Part II: Competing in the Internet Age
• Part III: The Strategic use of Information Systems
• Part IV: Getting IT Done
– Chapter 10: Funding Information Systems
– Chapter 11: Creating Information Systems
– Chapter 12: Information System Trends
– Chapter 13: Security, Privacy and Ethics

Learning Objectives
1. Learn to make the case that information systems security, privacy, and
ethics are issues of interest to general and functional managers, and why
it is a grave mistake to delegate them exclusively to IT professionals.

2. Understand the basic IT risk management processes, including risk
assessment, risk analysis, and risk mitigation.

3. Understand the principal security threats to modern organizations, both
internal and external, and the principal safeguards available to mitigate
these risks.

4. Be able to identify the nature of privacy concerns that modern
organizations face and be able to articulate how general and functional
managers can safeguard the privacy of their customers and employees.

5. Define ethics, apply the concept of ethical behavior to information
systems decisions, and be able to articulate how general and functional
managers can help ensure that their organization behaves ethically.

Why to Safeguard Customer Data

IT Risk Management and Security
• IT Risk Management
– The process of identifying and measuring
information systems security risks
– Objective: To devise the optimal risk
mitigation strategy
• Security
– The set of defenses put in place to mitigate
threats to technology infrastructure and data
resources

Security: Not an IT Problem
• Security should be a management priority, not
an IT problem
• Security is a negative deliverable
– Produces no revenues
– Creates no efficiencies
• Security is difficult to fund
– IT departments have limited budgets
– They should not be left to fund security measures
• The Trade-off:
– Purchase more security or accept higher risks?

Risk Assessment
• Audit the current resources
• Map the current state of information
systems security in the organization
• The audit will:
– Expose vulnerabilities
– Provide the basis for risk analysis
• Risk Analysis:
– The process of quantifying the risks identified
in the audit

Risk Mitigation

• The process of matching the appropriate
response to the security threats your firm
identified
• Designed to help manage the trade-off
between the degree of desired security
and the investment necessary to achieve it

Three Risk Mitigation Strategies
• Risk Acceptance
– Not investing in countermeasures and not reducing
the security risk
– Consciously taking the risk of security breach
• Risk Reduction
– Actively investing in the safeguards designed to
mitigate security threats
– Consciously paying for security protection
• Risk Transference
– Passing a portion (or all) of the risks associated with
security to a third party
– Consciously paying for someone else to assume the
risk

Cost/Security Trade-Offs
[Figure: Cost/Security Trade-Offs. Curves: Total Cost, Anticipation Cost,
Failure Cost. Y-axis: Cost; x-axis: Degree of security.]
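As an added worked example (not from Piccoli's slides), the Python below puts numbers on the risk analysis step, the three mitigation strategies and the trade-off figure: each audited risk gets an expected loss, each response a total cost made of its anticipation cost plus the failure cost the firm still bears, and the cheapest response is chosen. The expected-loss model (likelihood multiplied by impact), the Risk and Response types and every dollar figure are assumptions constructed for this example.

```python
"""Added example (not from the slides): quantifying audited risks and
choosing among the three mitigation strategies by total annual cost.

Assumes the common annualised-loss model (expected loss = likelihood x
impact), which the slides do not spell out; all figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float        # probability of a breach within one year (0..1)
    impact: float            # loss in dollars if the breach happens


@dataclass(frozen=True)
class Response:
    strategy: str            # "accept", "reduce" or "transfer"
    anticipation_cost: float # what the firm pays up front, per year
    residual_fraction: float # share of the expected loss the firm still bears


def expected_loss(risk: Risk) -> float:
    """Risk analysis: put a number on a risk exposed by the audit."""
    return risk.likelihood * risk.impact


def total_cost(risk: Risk, response: Response) -> float:
    """Trade-off figure: total cost = anticipation cost + residual failure cost."""
    return response.anticipation_cost + response.residual_fraction * expected_loss(risk)


def choose_response(risk: Risk, options: list[Response]) -> Response:
    """Risk mitigation: match the response that minimises total annual cost."""
    return min(options, key=lambda r: total_cost(risk, r))


# Constructed audit finding: an unpatched server holding customer data.
DB_RISK = Risk("customer DB exposure", likelihood=0.20, impact=500_000.0)

OPTIONS = [
    # Risk acceptance: spend nothing, bear the whole expected loss.
    Response("accept", anticipation_cost=0.0, residual_fraction=1.0),
    # Risk reduction: patching and monitoring cut breach likelihood by ~80%.
    Response("reduce", anticipation_cost=40_000.0, residual_fraction=0.2),
    # Risk transference: insurance premium; the policy covers 90% of the loss.
    Response("transfer", anticipation_cost=55_000.0, residual_fraction=0.1),
]

if __name__ == "__main__":
    for opt in OPTIONS:
        print(f"{opt.strategy:9s} total cost = {total_cost(DB_RISK, opt):>10,.0f}")
    print("chosen:", choose_response(DB_RISK, OPTIONS).strategy)
```

With these constructed figures, reduction (60,000) beats transference (65,000) and acceptance (100,000); change the likelihood or the premium and the cheapest strategy moves, which is the trade-off the figure illustrates.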
Internal Threats
• Intentional Malicious Behavior
– Typically associated with disgruntled or ill-
willed employees
– Example: A marketing employee selling
customers’ e-mail addresses to spammers
• Careless Behavior
– Associated with ignorance of or disinterest in
security problems
– Example: Failing to destroy sensitive data
according to planned schedules

The External Threats
• Intrusion Threat
– An unauthorized attacker gains access to
organizational IT resources
• Social Engineering
– Lying to and deceiving legitimate users so that they
divulge restricted or private information
• Phishing
– Sending official-sounding spam from known
institutions and asking individuals to confirm private
data in an effort to capture the data

The External Threats
• Security Weaknesses
– Exploiting weaknesses in the software
infrastructure of the organization under attack
– Example: Bugs that enable unauthorized
access
• Backdoors
– Code expressly designed into software
programs to allow access to the application by
circumventing password protection

The External Threats
• Malicious Code
– Any software code expressly designed to
cause damage to IT assets.
• Viruses
– Malicious code that spreads by attaching itself
to other, legitimate, executable programs.
– After infecting a machine, a harmful set of
actions, known as the payload, is performed

Malicious Code
• Trojan Horses
– A computer program that claims to, and sometimes
does, deliver useful functionality
– Delivers a hidden, malicious payload, after installation
• Worms
– Malicious code that exploits security holes in network
software to self-replicate
– Does not deliver a payload
– Generates enough network traffic to slow or bring a
network down

Malicious Code
• Spyware
– Software that, unbeknownst to the owner of
the computer:
• Monitors behavior
• Collects information
• Either transfers this information to a third party or
• Performs unwanted operations
– Diverts resources and often slows down a
user’s legitimate work

The External Threats
• Denial-of-Service Attack
– A digital assault carried out over a computer
network with the objective of overwhelming an
online service so as to force it offline.
– Can be used to divert attention allowing the
intruder to create a backdoor to be exploited
later

Responding to Security Threats
• Internal Security Threats
– Security Policies
• Spell out what the organization believes are the
behaviors that individual employees within the firm
should follow in order to minimize security risks
• They should specify:
– Password standards
– User rights
– Legitimate uses of portable devices
– The firm should audit the policies to ensure
compliance

Responding to Security Threats
• External Security Threats
– Intrusion
• The cornerstone of securing against intrusion is
the use of passwords
• Firewalls can be used to screen and manage
traffic in and out of a computer network
– Only as strong as the weakest link
• The encryption process scrambles content so
that it is rendered unreadable

Responding to Security Threats
– Malware
• Safeguarding against malware requires that the
firm’s IT professionals install detection software
• Training and Policies are also necessary
– Denial-of-Service Attacks
• Preventing a denial-of-service attack is very
difficult
• It is difficult to identify the location of the attack

Managing Security:
Overall Guidelines
• Have a plan and specify responsibilities
– Who should be contacted in an emergency?
– What should the first reaction measures be?
• Revisit often
– New technologies should be proactively addressed
• Develop a mitigation plan
– Determine how the attack took place
– Assess the damage
• Waiting for a crisis to take these decisions and
develop policy is too late!
Privacy
• The ability of individuals to control the
terms and conditions under which their
personal information is collected,
managed, and utilized.
• Private information can be traced back to
the individual
• Privacy subsumes security

Privacy Risks
• Function Creep
– Occurs when data collected for a stated or
implied purpose are then reused for other,
unrelated objectives.
• Proliferating Data Sources
– New technological advances and devices
generate more data than ever
– This proliferation creates opportunities but
also many risks

Privacy Risks
• Data Management Risks
– It is increasingly simple, and cost effective, to merge
data repositories
– IT creates pressure for, and the risk of, function creep
if not managed carefully
• The Legal Landscape
– Currently, technology evolution outpaces legal
development
– The internet has all but destroyed traditional
geographical boundaries
• Privacy management is not an IT job
Managing Privacy
• Fair Information Practice Principles
– Notice
• The right of individuals to be informed when their
personal data is being collected
• The right of individuals to be informed about how
their data is or will be used.
– Choice
• The ability of individuals to be informed of, and
object to, function creep whether within one firm or
across firms who share information.

Fair Information Practice Principles
• Fair Information Practice Principles
– Access
• The right of individuals to be able to access their information
• The right of individuals to correct any errors that may have
occurred in their records.
– Security
• The responsibility of the firm that houses private information
to ensure its safekeeping and to protect it from unauthorized
access.
– Enforcement
• The responsibility of the organizations that collect and use
private information to develop enforceable procedures to
ensure that the above principles are upheld.

Protecting Privacy

• Say What You Do

• Do What You Say

• Be Able to Prove It

Ethics
• The discipline dealing with what is good
and bad and with moral duty and
obligation
• The problem:
– Ethical choices are rarely straightforward
– Ethical choices typically engender multiple
sub-optimal options

Enabling IS Ethics
• Developing a culture of ethical decision
making is critical
• Establish an information systems ethics
code of conduct that:
– Identifies the principles of ethical information
system use for your organization
– Identifies the firm’s formal stance on ethics
• Apply the principle of harm minimization

What Did We Learn
1. Learn to make the case that information systems security, privacy, and
ethics are issues of interest to general and functional managers, and why
it is a grave mistake to delegate them exclusively to IT professionals.

2. Understand the basic IT risk management processes, including risk
assessment, risk analysis, and risk mitigation.

3. Understand the principal security threats to modern organizations, both
internal and external, and the principal safeguards available to mitigate
these risks.

4. Be able to identify the nature of privacy concerns that modern
organizations face and be able to articulate how general and functional
managers can safeguard the privacy of their customers and employees.

5. Define ethics, apply the concept of ethical behavior to information
systems decisions, and be able to articulate how general and functional
managers can help ensure that their organization behaves ethically.
