CHAPTER 9
Information
Ethics, Privacy, and
Security
Opening Case:
Embracing Privacy at the
City of Hamilton
McGraw-Hill-Ryerson
©2011 The McGraw-Hill Companies, All Rights Reserved
9-2
Chapter Nine Overview
• SECTION 9.1 – INFORMATION ETHICS AND
INFORMATION PRIVACY
– Information Ethics
– Information Privacy
– Developing Policies for Information Ethics and Information
Privacy
• SECTION 9.2 - INFORMATION SECURITY
–
–
–
–
How Much Will Down Time Cost Your Business?
Protecting Information
The First Line of Defence - People
The Second Line of Defence - Technology
Copyright © 2011 McGraw-Hill Ryerson Limited
9-3
LEARNING OUTCOMES
1.
Explain what information ethics is and its importance
in the workplace.
2.
Describe what information privacy is and the
differences in privacy legislation around the world.
3.
Identify the differences between various information
ethics and privacy policies in the workplace.
Copyright © 2011 McGraw-Hill Ryerson Limited
9-4
LEARNING OUTCOMES
4.
Understand information security, and explain why
people are the first line of defence in terms of
protecting information.
5.
Describe how information technologies can be used
to enhance information security.
Copyright © 2011 McGraw-Hill Ryerson Limited
SECTION 9.1
INFORMATION ETHICS
AND INFORMATION
PRIVACY
McGraw-Hill-Ryerson
©2011 The McGraw-Hill Companies, All Rights Reserved
9-6
INFORMATION ETHICS
• Ethics – the principles and standards that
guide our behaviour towards other people
• Issues affected by technology advances
– Intellectual property
– Copyright
– Fair use dealing
– Pirated software
– Counterfeit software
Copyright © 2011 McGraw-Hill Ryerson Limited
9-7
INFORMATION ETHICS
• Privacy is a major ethical issue
– Privacy – the right to be left alone when you
want to be, to have control over your own
personal possessions, and not to be
observed without your consent
– Confidentiality – the assurance that
messages and information are available only
to those who are authorized to view them
Copyright © 2011 McGraw-Hill Ryerson Limited
9-8
INFORMATION ETHICS
• One of the main ingredients in trust is privacy
Copyright © 2011 McGraw-Hill Ryerson Limited
9-9
INFORMATION ETHICS
• Information ethics - concerns the ethical
and moral issues arising from the
development and use of information
technologies, as well as the creation,
collection, duplication, distribution, and
processing of information itself (with or
without the aid of computer technologies).
• Individuals form the only ethical
component of IS
Copyright © 2011 McGraw-Hill Ryerson Limited
9-10
INFORMATION ETHICS
Copyright © 2011 McGraw-Hill Ryerson Limited
9-11
INFORMATION ETHICS
• Acting ethically and legally are not always
the same
Copyright © 2011 McGraw-Hill Ryerson Limited
9-12
Information Has No Ethics
• Information does not care how it is used
• Information will not stop itself from
sending spam, viruses, or highly-sensitive
information
• Information cannot delete or preserve
itself
Copyright © 2011 McGraw-Hill Ryerson Limited
9-13
Information Ethics In The
Workplace
• Systems that don’t respect human dignity
• Workplace monitoring is a concern for many
employees
• Organizations can be held financially
responsible for their employees’ actions
• The dilemma surrounding employee monitoring
in the workplace is that an organization is
placing itself at risk if it fails to monitor its
employees. However, some people feel that
monitoring employees is unethical
Copyright © 2011 McGraw-Hill Ryerson Limited
9-14
Monitoring Technologies
• Monitoring – tracking people’s activities by
such measures as number of keystrokes, error
rate, and number of transactions processed
Copyright © 2011 McGraw-Hill Ryerson Limited
9-15
Monitoring Technologies
Copyright © 2011 McGraw-Hill Ryerson Limited
9-16
Monitoring Technologies
Copyright © 2011 McGraw-Hill Ryerson Limited
9-17
Information Privacy
• Information privacy - concerns the legal right
or general expectation of individuals, groups, or
institutions to determine for themselves when,
and to what extent, information about them is
communicated to others.
• Information privacy legislation varies widely
– Europe
– The United States
– Canada
Copyright © 2011 McGraw-Hill Ryerson Limited
9-18
Canada
• Personal Information Protection and Electronic
Documents Act (PIPEDA) is a Federal act that
applies to all organizations
• Types of personal information covered:
–
–
–
–
–
–
pension and employment insurance files
medical records
tax records
security clearances
student loan applications
military records
Copyright © 2011 McGraw-Hill Ryerson Limited
9-19
Canada
Exceptions to PIPEDA:
• Journalistic, artistic, or literary purposes
• Actions clearly of benefit to the individual, or if
obtaining permission could infringe on the
information’s accuracy
• Information, or the disclosure of information aids
a legal investigation, or an emergency where
lives and safety are at stake
• Information disclosure facilitates the
conservation of historically important records.
Copyright © 2011 McGraw-Hill Ryerson Limited
9-20
Canada
• PIPEDA’s 10 guiding principles
Principle
Description
Accountability
An organization is responsible for personal
information under its control
Identifying Purposes
The purposes for which personal information is collected
shall be identified
Consent
The knowledge and consent of the individual are required
Limiting Collection
The collection of personal information shall be limited to
that which is necessary for the purposes identified
Limiting Use, Disclosure,
and Retention
Personal information shall not be used or disclosed for
purposes other than those for which it was collected
Copyright © 2011 McGraw-Hill Ryerson Limited
9-21
Canada
• PIPEDA’s 10 guiding principles continued
Principle
Description
Accuracy
Personal information shall be as accurate, complete, and up
to-date as is necessary for the purposes for which it is to be
used
Safeguards
Personal information shall be protected by security safeguards
Openness
An organization shall make readily available specific
information about its policies and practices
Individual Access
Upon request, an individual shall be informed of the
existence, use and disclosure of his or her personal
information and shall be given access to that information.
Challenging
Compliance
An individual shall be able to address a challenge concerning
compliance
Copyright © 2011 McGraw-Hill Ryerson Limited
9-22
DEVELOPING POLICIES FOR INFORMATION
ETHICS AND INFORMATION PRIVACY
Copyright © 2011 McGraw-Hill Ryerson Limited
9-23
DEVELOPING INFORMATION
MANAGEMENT POLICIES
• Organizations strive to build a corporate culture
based on ethical principles that employees can
understand and implement
• ePolicies typically include:
–
–
–
–
–
–
–
Ethical computer use policy
Information privacy policy
Acceptable use policy
E-mail privacy policy
Internet use policy
Anti-spam policy
Employee monitoring policy
Copyright © 2011 McGraw-Hill Ryerson Limited
9-24
Ethical Computer Use Policy
• Ethical computer use policy – contains
general principles to guide computer user
behaviour
• The ethical computer user policy ensures
all users are informed of the rules and, by
agreeing to use the system on that basis,
consent to abide by the rules
Copyright © 2011 McGraw-Hill Ryerson Limited
9-25
Information Privacy Policy
• The unethical use of information typically
occurs “unintentionally” when it is used for
new purposes
– For example, in the U.S. social security
numbers started as a way to identify
government retirement benefits and are now
used as a sort of universal personal ID
• Information privacy policy - contains
general principles regarding information
privacy
Copyright © 2011 McGraw-Hill Ryerson Limited
9-26
Information Privacy Policy
•
Information privacy policy guidelines
1. Adoption and implementation of a privacy
policy
2. Notice and disclosure
3. Choice and consent
4. Information security
5. Information quality and access
Copyright © 2011 McGraw-Hill Ryerson Limited
9-27
Acceptable Use Policy
• Acceptable use policy (AUP) – a policy that a
user must agree to follow in order to be
provided access to a network or to the Internet
• An AUP usually contains a nonrepudiation
clause
– Nonrepudiation – a contractual stipulation to ensure
that e-business participants do not deny (repudiate)
their online actions
Copyright © 2011 McGraw-Hill Ryerson Limited
9-28
Acceptable Use Policy
Copyright © 2011 McGraw-Hill Ryerson Limited
9-29
E-Mail Privacy Policy
• Organizations can mitigate the risks of email and instant messaging
communication tools by implementing and
adhering to an e-mail privacy policy
• E-mail privacy policy – details the extent
to which e-mail messages may be read by
others
Copyright © 2011 McGraw-Hill Ryerson Limited
9-30
E-Mail Privacy Policy
Copyright © 2011 McGraw-Hill Ryerson Limited
9-31
E-Mail Privacy Policy
Copyright © 2011 McGraw-Hill Ryerson Limited
9-32
Internet Use Policy
• Internet use policy – contains general principles
to guide the proper use of the Internet
Copyright © 2011 McGraw-Hill Ryerson Limited
9-33
Anti-Spam Policy
• Spam – unsolicited e-mail
• Spam accounts for 40% to 60% of most
organizations’ e-mail and cost U.S.
businesses over $14 billion in 2005
• Anti-spam policy – simply states that email users will not send unsolicited emails (or spam)
Copyright © 2011 McGraw-Hill Ryerson Limited
9-34
Employee Monitoring Policies
• Employee monitoring policies – explicitly state how,
when, and where the company monitors its employees
Copyright © 2011 McGraw-Hill Ryerson Limited
9-35
OPENING CASE QUESTIONS
Embracing Privacy at the City of Hamilton
1.
2.
3.
4.
5.
Why is protecting information privacy in the best interests
of both Hamiltonians and the City of Hamilton?
What steps did the City of Hamilton take to address privacy
concerns in the McMaster University research project?
What policies could the City of Hamilton implement
internally to protect citizen information privacy?
What lessons can be learned from the opening case study
that will help other organizations better protect the personal
information they collect?
How does the recent trend of city governments allowing
free public access to municipal data raise awareness of the
need for governments to embrace privacy planning as part
of normal, everyday practice?
Copyright © 2011 McGraw-Hill Ryerson Limited
SECTION 9.2
INFORMATION
SECURITY
McGraw-Hill-Ryerson
©2011 The McGraw-Hill Companies, All Rights Reserved
9-37
HOW MUCH WILL DOWNTIME COST
YOUR BUSINESS?
Copyright © 2011 McGraw-Hill Ryerson Limited
9-38
HOW MUCH WILL DOWNTIME COST
YOUR BUSINESS?
Copyright © 2011 McGraw-Hill Ryerson Limited
9-39
PROTECTING INFORMATION
• Organizational information is intellectual capital
- it must be protected
• Information security – the protection of
information from accidental or intentional
misuse by persons inside or outside an
organization
• E-business automatically creates tremendous
information security risks for organizations
Copyright © 2011 McGraw-Hill Ryerson Limited
9-40
PROTECTING INFORMATION
Copyright © 2011 McGraw-Hill Ryerson Limited
9-41
THE FIRST LINE OF DEFENCE PEOPLE
Copyright © 2011 McGraw-Hill Ryerson Limited
9-42
THE FIRST LINE OF DEFENCE PEOPLE
• Organizations must enable employees, customers,
and partners to access information electronically
• The biggest issue surrounding information security
is not a technical issue, but a people issue
• 38% of security incidents originate within the
organization
– Insiders – legitimate users who purposely or
accidentally misuse their access to the environment and
cause some kind of business-affecting incident
Copyright © 2011 McGraw-Hill Ryerson Limited
9-43
THE FIRST LINE OF DEFENCE PEOPLE
•
Hackers frequently use “social
engineering” to obtain password
– Social engineering – using one’s social skills
to trick people into revealing access
credentials or other information valuable to the
attacker
Copyright © 2011 McGraw-Hill Ryerson Limited
9-44
THE FIRST LINE OF DEFENCE PEOPLE
• The first line of defence an organization
should follow to help combat insider issues
is to develop information security policies
and an information security plan
– Information security policies – identify the
rules required to maintain information security
– Information security plan – details how an
organization will implement the information
security policies
Copyright © 2011 McGraw-Hill Ryerson Limited
9-45
THE FIRST LINE OF DEFENCE PEOPLE
•
Five steps to creating an information
security plan:
1. Develop the information security policies
2. Communicate the information security
policies
3. Identify critical information assets and risks
4. Test and reevaluate risks
5. Obtain stakeholder support
Copyright © 2011 McGraw-Hill Ryerson Limited
9-46
THE FIRST LINE OF DEFENCE PEOPLE
Copyright © 2011 McGraw-Hill Ryerson Limited
9-47
THE SECOND LINE OF DEFENCE TECHNOLOGY
•
There are three primary information
technology security areas
1. Authentication and authorization
2. Prevention and resistance
3. Detection and response
Copyright © 2011 McGraw-Hill Ryerson Limited
9-48
Authentication and Authorization
•
•
•
Authentication – a method for confirming
users’ identities
Authorization – the process of giving someone
permission to do or have something
The most secure type of authentication
involves:
1. Something the user knows such as a user ID and
password
2. Something the user has such as a smart card or
token
3. Something that is part of the user such as a
fingerprint or voice signature
Copyright © 2011 McGraw-Hill Ryerson Limited
9-49
Something the User Knows Such As a User
ID and Password
•
This is the most common way to identify
individual users and typically contains a
user ID and a password
•
This is also the most ineffective form of
authentication
•
Over 50 percent of help-desk calls are
password related
Copyright © 2011 McGraw-Hill Ryerson Limited
9-50
Something the User Knows Such As a User
ID and Password
•
Identity theft – the forging of someone’s
identity for the purpose of fraud
•
Phishing – a technique to gain personal
information for the purpose of identity
theft, usually by means of fraudulent email
Copyright © 2011 McGraw-Hill Ryerson Limited
9-51
Something the User Has Such As a Smart
Card or Token
•
Smart cards and tokens are more
effective than a user ID and a password
– Tokens – small electronic devices that
change user passwords automatically
– Smart card – a device that is around the
same size as a credit card, containing
embedded technologies that can store
information and small amounts of software
to perform some limited processing
Copyright © 2011 McGraw-Hill Ryerson Limited
9-52
Something That Is Part Of The User Such As
a Fingerprint or Voice Signature
•
This is by far the best and most effective
way to manage authentication
– Biometrics – the identification of a user
based on a physical characteristic, such as
a fingerprint, iris, face, voice, or handwriting
•
Unfortunately, this method can be costly
and intrusive
Copyright © 2011 McGraw-Hill Ryerson Limited
9-53
Prevention and Resistance
•
•
Downtime can cost an organization
anywhere from $100 to $1 million per
hour
Technologies available to help prevent
and build resistance to attacks include:
1. Content filtering
2. Encryption
3. Firewalls
Copyright © 2011 McGraw-Hill Ryerson Limited
9-54
Content Filtering
•
Organizations can use content filtering
technologies to filter e-mail and prevent emails containing sensitive information from
transmitting and stop spam and viruses from
spreading.
–
–
Content filtering – occurs when organizations use
software that filters content to prevent the
transmission of unauthorized information
Spam – a form of unsolicited e-mail
Copyright © 2011 McGraw-Hill Ryerson Limited
9-55
Encryption
•
If there is an information security breach
and the information was encrypted, the
person stealing the information would be
unable to read it
– Encryption – scrambles information into an
alternative form that requires a key or
password to decrypt the information
– Public key encryption (PKE) – an
encryption system that uses two keys: a
public key for everyone and a private key
for the recipient
Copyright © 2011 McGraw-Hill Ryerson Limited
9-56
Encryption
Copyright © 2011 McGraw-Hill Ryerson Limited
9-57
Firewalls
•
One of the most common defences for
preventing a security breach is a firewall
– Firewall – hardware and/or software that
guards a private network by analyzing the
information leaving and entering the
network
Copyright © 2011 McGraw-Hill Ryerson Limited
9-58
Firewalls
•
Sample firewall architecture connecting
systems located in Toronto, New York,
and Munich
Copyright © 2011 McGraw-Hill Ryerson Limited
9-59
Detection and Response
•
•
If prevention and resistance strategies
fail and there is a security breach, an
organization can use detection and
response technologies to mitigate the
damage
Antivirus software is the most common
type of detection and response
technology
Copyright © 2011 McGraw-Hill Ryerson Limited
9-60
Detection and Response
•
Hacker - people very knowledgeable about
computers who use their knowledge to invade
other people’s computers
–
–
–
–
–
–
White-hat hacker
Black-hat hacker
Hactivist
Script kiddies or script bunnies
Cracker
Cyberterrorist
Copyright © 2011 McGraw-Hill Ryerson Limited
9-61
Detection and Response
•
Virus - software written with malicious
intent to cause annoyance or damage
–
–
–
–
–
–
Worm
Denial-of-service attack (DoS)
Distributed denial-of-service attack (DDoS)
Trojan-horse virus
Backdoor program
Polymorphic virus and worm
Copyright © 2011 McGraw-Hill Ryerson Limited
9-62
Detection and Response
• Security threats to e-business include:
– Elevation of privilege
– Hoaxes
– Malicious code
– Spoofing
– Spyware
– Sniffer
– Packet tampering
Copyright © 2011 McGraw-Hill Ryerson Limited
9-63
OPENING CASE QUESTIONS
Embracing Privacy at the City of Hamilton
6.
7.
8.
9.
In the City of Hamilton example, how can the City’s
embracement of privacy mitigate future information security
problems?
What is the biggest information security roadblock facing
organizations, like the City of Hamilton, attempting to
achieve compliance with privacy legislation?
Can technology alone at the City of Hamilton guarantee
information is kept secure? Why or why not?
Privacy and security breaches, like the City of Hamilton’s
dog-license incident, are unfortunately a common
occurrence in organizations today. What recent privacy and
security breaches have been in the media lately? Do you
think things will get worse before getting better? How can
organizations better prepare themselves against future
privacy and security breaches?
Copyright © 2011 McGraw-Hill Ryerson Limited
9-64
CLOSING CASE ONE
WestJet Accepts Blame About Spying On Air Canada Rival
1.
2.
3.
4.
5.
Was WestJet’s access to Air Canada’s Web site
information ethical? Legal? Explain.
To what extent do you think unauthorized access to private
competitor information is commonplace in organizations?
Does Air Canada have any responsibility in WestJet’s
ability to access Air Canada’s private information? Explain.
What people-measures could Air Canada implement to
prevent future unauthorized access to private information?
What technology-measures could Air Canada implement to
prevent future unauthorized access to private information?
Copyright © 2011 McGraw-Hill Ryerson Limited
9-65
CLOSING CASE TWO
Information Ethics and Privacy Issues with Facebook Makes
Headlines
1.
2.
3.
4.
5.
Was Nationale Swisse justified in its online monitoring of
the employee who called in sick? If companies want to
conduct such monitoring activities, what steps can they
take to lessen negative backlash from the public and their
employees? What steps can employees take?
Do you think the Privacy Commissioner of Canada went
too far in its demands? Is this a bit of “much ado about
nothing”?
Will the new changes that Facebook implements to
address the Privacy Commissioner’s concerns negatively
impact the site in any way? What do you think the average
Facebook user will think of these new features?
Do you know of any other examples in the popular press
that showcase information ethics or privacy issues with the
use of social networking sites like Facebook?
Will the above case make you change how you use
Facebook in any way?
Copyright © 2011 McGraw-Hill Ryerson Limited
9-66
CLOSING CASE THREE
Thinking Like the Enemy
1.
2.
3.
4.
How could an organization benefit from attending one of
the courses offered at the Intense School?
What are the two primary line of security defence and how
can organizational employees use the information taught
by the Intense School when drafting an information security
plan.
If your employer sent you to take a course at the Intense
School, which type of course would interest you and why?
What are the ethical dilemmas involved with having such a
course offered by a private company?
Copyright © 2011 McGraw-Hill Ryerson Limited