ABSTRACT are beginning to address the ethical side


ABSTRACT

Information Technology is changing the face of the contemporary world.
IT has not only connected the world on a single platform but is also
helping to integrate various traditional societies into modern
societies. Information systems raise new and often perplexing security and
ethical problems. This is truer today than ever because of the challenges posed
by the Internet and electronic commerce to the protection of privacy and
intellectual property. Information technology has raised new possibilities for
behavior for which laws and rules of acceptable conduct have not yet been
developed. Information technology is introducing changes that create new
security and ethical issues for societies to debate and resolve. Increasing
computing power, storage, and networking capabilities— including the
Internet—can expand the reach of individual and organizational actions and
magnify their impacts. The ease and anonymity with which information can be
communicated, copied, and manipulated in online environments are challenging
traditional rules of right and wrong behavior. Ethical issues confront
individuals who must choose a course of action, often in a situation in which
two or more ethical principles are in conflict. This paper argues that we must
reconsider our approach to information security from the ground up if we are to
deal effectively with the problem of information risk.


IT security personnel often have access to
confidential data and knowledge about individuals’ and companies’ networks and
systems that give them a great deal of power. That power can be abused, either
deliberately or inadvertently. But there are no standardized training
requirements for hanging out your shingle as an IT security consultant or
in-house security specialist. Associations and organizations for IT pros are
beginning to address the ethical side of the job, but again, there is no
requirement for IT security personnel to belong to those organizations.

Why are ethical guidelines needed?

The education and training of IT professionals,
including security specialists, usually focuses on technical knowledge and
skills. You learn how to perform tasks, but with little consideration of how
those abilities can be misused. In fact, many IT professionals approach their
work with a hacker’s perspective: whatever you can do, you’re entitled to do.
(Note: In this article, we’re using the word hacker in the
current common meaning, pertaining to “black hat” hackers who use
their skills to break into systems and access data and programs without the
permission of the owners. We’re well aware that the term originally referred to
anyone with advanced programming skills, and that there are “white hat
hackers” who use their skills to help companies and individuals protect
against the black hats.)

In fact,
many IT pros don’t even realize that their jobs involve ethical issues. Yet we
make decisions on a daily basis that raise ethical questions.

What are the ethical issues?

Many
of the ethical issues that face IT professionals involve privacy. For example:

· Should you read the private e-mail of your network users just
because you can? Is it OK to read employees’ e-mail as a security measure to
ensure that sensitive company information isn’t being disclosed? Is it OK to
read employees’ e-mail to ensure that company rules (for instance, against
personal use of the e-mail system) aren’t being violated? If you do read
employees’ e-mail, should you disclose that policy to them? Before or after the
fact?

· Is it OK to monitor the Web sites visited by your network users?
Should you routinely keep logs of visited sites? Is it negligent to not monitor
such Internet usage, to prevent the possibility of pornography in the workplace
that could create a hostile work environment?

· Is it OK to place key loggers on machines on the network to
capture everything the user types? What about screen capture programs so you
can see everything that’s displayed? Should users be informed that they’re
being watched in this way?

· Is it OK to read the documents and look at the graphics files that
are stored on users’ computers or in their directories on the file server?

Remember
that we’re not talking about legal questions here. A company may very well have
the legal right to monitor everything an employee does with its computer
equipment. We’re talking about the ethical aspects of having the ability to do
so.

As a
network administrator or security professional, you have rights and privileges
that allow you to access most of the data on the systems on your network.

You
may even be able to access encrypted data if you have access to the recovery
agent account. What you do with those abilities depends in part on your
particular job duties (for example, if monitoring employee mail is a part of
your official job description) and in part on your personal ethical beliefs
about these issues.

The slippery slope

A
common concept in any ethics discussion is the “slippery slope.” This
pertains to the ease with which a person can go from doing something that
doesn’t really seem unethical, such as scanning employees’ e-mail “just
for fun,” to doing things that are increasingly unethical, such as making
little changes in their mail messages or diverting messages to the wrong
recipient.

In
looking at the list of privacy issues above, it’s easy to justify each of the
actions described. But it’s also easy to see how each of those actions could
“morph” into much less justifiable actions. For example, the
information you gained from reading someone’s e-mail could be used to embarrass
that person, to gain a political advantage within the company, to get him/her
disciplined or fired, or even for blackmail.

The
slippery slope concept can also go beyond using your IT skills. If it’s OK to
read other employees’ e-mail, is it also OK to go through their desk drawers
when they aren’t there? To open their briefcases or purses?

 

Real world ethical dilemmas

What
if your perusal of random documents reveals company trade secrets? What if you
later leave the company and go to work for a competitor? Is it wrong to use
that knowledge in your new job? Would it be “more wrong” if you
printed out those documents and took them with you, than if you just relied on
your memory?

What
if the documents you read showed that the company was violating government
regulations or laws? Do you have a moral obligation to turn them in, or are you
ethically bound to respect your employer’s privacy? Would it make a difference
if you signed a nondisclosure agreement when you accepted the job?

IT
and security consultants who do work for multiple companies have even more
ethical issues to deal with. If you learn things about one of your clients that
might affect your other client(s), where does your loyalty lie?

Then
there are money issues. The proliferation of network attacks, hacks, viruses
and other threats to their IT infrastructures have caused many companies to
“be afraid, be very afraid.” As a security consultant, it may be very
easy to play on that fear to convince companies to spend far more money than
they really need to. Is it wrong for you to charge hundreds or even thousands
of dollars per hour for your services, or is it a case of “whatever the
market will bear?”

Is it
wrong for you to mark up the equipment and software that you get for the
customer when you pass the cost through? What about kickbacks from equipment
manufacturers? Is it wrong to accept “commissions” from them for
persuading your clients to go with their products? Or what if the connection is
more subtle? Is it wrong to steer your clients toward the products of companies
in which you hold stock?

Another
ethical issue involves promising more than you can deliver, or manipulating
data to obtain higher fees. You can install technologies and configure settings
to make a client’s network more secure, but you can never make it completely
secure. Is it wrong to talk a client into replacing their current firewalls
with those of a different manufacturer, or switching to an open source
operating system – which changes, coincidentally, will result in many more
billable hours for you – on the premise that this is the answer to their
security problems?

Here’s
another scenario: What if a client asks you to save money by cutting out some
of the security measures that you recommended, yet your analysis of the
client’s security needs shows that sensitive information will be at risk if you
do so? You try to explain this to the client, but he/she is adamant. Should you
go ahead and configure the network in a less secure manner? Should you
“eat” the cost and install the extra security measures at no cost to
the client? Should you refuse to do the job? Would it make a difference if the
client’s business were in a regulated industry, and implementing the lower
security standards would constitute a violation of the Health Insurance
Portability and Accountability Act, the Gramm-Leach-Bliley Act, Sarbanes-Oxley
or other laws?

 

As
we mentioned in the previous article on ethics, security used to be confined to
locking the door on the way out of the office or making sure the lock on the
safe was spun to fully engage the tumblers. Technology presents us with a whole
new set of security challenges. Networks can be breached, personal
identification information can be compromised, identities can be stolen and
potentially result in personal financial ruin, critical confidential corporate
information or classified government secrets can be stolen from online systems,
Web sites can be hacked, keystroke loggers can be surreptitiously installed,
and a host of others. (It’s interesting to note at this point that statistics still
show that more than 80 percent of stolen data is the result of low tech
“dumpster diving,” and approximately the same percentage of
organizational crime is the result of an inside job.)

How
far can—and should—management go in determining the security risks inherent in
systems? What level of addressing those risks can be considered reasonable?

Can
system owners be held personally liable when security is compromised? When an
organization holds stewardship of data on external entities—customers, individuals,
other organizations—and that data is compromised, to what extent is the
victimized corporation liable to the secondary victims, those whose data was
stolen?

Organizations
generally have internal policies for dealing with security breaches, but not many
yet have specific policies to address this area. Managers who do not secure the
systems for which they’re responsible, employees who cavalierly use information
to which they should not have access, and system users who find shortcuts
around established security procedures are dealt with in the same fashion as
anyone who doesn’t meet the fundamental job requirements, anything from
transfer or demotion to termination. Should compromised or ineffective security
be held to a higher standard?

Ethical challenges facing the tech industry include issues in
areas such as security, privacy, ownership, accuracy and control. The
question of whether a tech company has a duty to protect its customers’
identities and personal information, for example, is an ethical challenge
relating to security and privacy. Some
of these ethical issues are defined by laws relating to information security,
intellectual property and financial transactions but, as with ethics relating
to other areas of the human experience, the law is not necessarily the same
thing as a set of ethics. Some information technology professionals feel that
ethical behavior is essential for the industry regardless of how that behavior
adheres to the law.

The
wide availability of personal information thanks to the Internet, data
collection and cloud storage presents a set of ethical challenges for the tech
sector and IT professionals. A recent scandal involving the “hacking”
of personal photographs from celebrities’ iCloud accounts highlights the ease
with which personal information can be accessed and distributed with a modicum
of IT knowledge. Issues like this one highlight the need for a set of ethical
standards within the tech industry. Are companies responsible for protecting
their users’ information? This is an ethical question that the tech industry is
working to answer as data security becomes increasingly important.

Information security can only be managed properly if, on a macro level, an
internationally accepted reference framework (code of practice) is used, and
if, on a micro level, physical measurements can be made. All this must be
accompanied by an international information security certificate and a
comprehensive corporate information security culture. There are plenty of
tools to enforce security in information systems. Information, being a vital
resource for an organization, must be kept secure from unauthorized access.
Security tools minimize errors, fraud, and losses in the e-business systems
that interconnect businesses with their customers, suppliers, and other
stakeholders. With encryption, passwords, messages, files, and other data are
transmitted in scrambled form and unscrambled for authorized users. Encryption
uses special mathematical algorithms to transform digital data into scrambled
code. The most widely used method uses a pair of public and private keys
unique to each individual. Firewalls serve as a “gatekeeper” system that
protects a company’s intranets and other computer networks from intrusion. A
firewall provides a filter and safe transfer point, and keeps out malicious
agents by screening all network traffic for proper passwords or other
security codes.

The development of information security over the last 40 to 50 years can
probably be described in many ways. One way, which does seem to provide a good
representation of the development of the field, divides it into three waves.
The ‘First Wave’, up to about the early eighties, can be seen as the
‘Technical Wave’, mainly characterized by a very technical approach to
information security. The ‘Second Wave’, from about the early eighties to the
middle nineties, can be seen as the ‘Management Wave’, characterized by a
growing management realization of and involvement with the importance of
information security, supplementing the Technical Wave. These two waves were
well established by the end of the nineties. From the last few years of the
nineties, a third wave started. This ‘Third Wave’ we call the ‘Institutional
Wave’. This wave is characterized by aspects like best practices and codes of
practice for information security management, international information
security certification, cultivating information security as a corporate
culture, and dynamic and continuous information security management.

 

International Journal of Enterprise Computing and Business Systems, ISSN
(Online): 2230-8849, http://www.ijecbs.com, Vol. 1 Issue 2, July 2011

Issues of IT Ethics have recently
become immensely more complex. The capacity to place material on the World Wide
Web has been acquired by a very large number of people. As evolving software
has gently hidden the complexities and frustrations that were involved in
writing HTML, more and more web sites are being created by people with a
relatively modest amount of computer literacy. At the same time, once the
initial reluctance to use the Internet and the World Wide Web for commercial
purposes had been overcome, sites devoted to doing business on the Internet
mushroomed and e-commerce became a term permanently to be considered part of
common usage. The assimilation of new technology is almost never smooth. As the
Internet begins to grow out of its abbreviated infancy, a multitude of new
issues surface continually, and a large proportion of these issues remain
unresolved. Many of these issues contain strong ethics content. As the ability
to reach millions of people instantly and simultaneously has passed into the
hands of the average person, the rapid emergence of thorny ethical issues is
likely to continue unabated. An organization has to cope with major types of
ethical issues. These are: Privacy and personal information, Freedom of speech
in cyberspace, Intellectual property and Cyber crime. Privacy is the claim of
individuals to be left alone, free from surveillance or interference from other
individuals or organizations, including the state. Claims to privacy are also involved
at the workplace: Millions of employees are subject to electronic and other
forms of high-tech surveillance. Information technology and systems threaten
individual claims to privacy by making the invasion of privacy cheap,
profitable, and effective. Internet technology has posed new challenges for the
protection of individual privacy. Information sent over this vast network of
networks may pass through many different computer systems before it reaches its
final destination. Each of these systems is capable of monitoring, capturing,
and storing communications that pass through it. Within the organization,
personal privacy is violated. Below are some facts on how individual privacy
is broken at the workplace [1]: 62% of employers monitor employees’ email and
Internet use. 68% cite legal liability as the primary reason to monitor. 87% of
companies that monitor have a written email Policy, 83.1% an Internet Policy,
68% a Software Policy. 51% of employers have disciplined or terminated
employees for violating ePolicy. 35% of organizations have email retention
& deletion policies in place. 10% of companies have been ordered by courts
to turn over employee email related to workplace lawsuits. 8.3% of
organizations have battled sexual harassment and/or sexual discrimination
claims stemming from employee e-mail and/or Internet use. Much is discussed
about privacy laws in developed economies such as the US, EU, Japan, Canada,
and Australia. However, not many studies have focused on privacy laws that are
evolving in emerging economies such as India. As the economy becomes global and
companies resort to global outsourcing, much of the data of clients, customers
and common citizens are slowly being dispersed around the world for processing,
analyzing and simple storage. Therefore, developing countries that handle such
data are no longer exempt from the privacy concerns associated with them.

Computer crime refers to the
unauthorized use, access, modification, and destruction of hardware, software,
data, or network resources, the unauthorized release of information, and the
unauthorized copying of software. There are no precise, reliable statistics on
the amount of
computer crime and the economic loss to victims, partly because many of these
crimes are apparently not detected by victims, many of these crimes are never
reported to authorities, and partly because the losses are often difficult to
calculate. Nevertheless, there is a consensus among both law enforcement
personnel and computer scientists who specialize in security that both the number
of computer crime incidents and the sophistication of computer criminals are
increasing rapidly. Experts in computer security, who are not attorneys, speak
of “information warfare”. While such “information warfare”
is just another name for computer crime, the word “warfare” does
fairly denote the amount of damage inflicted on society.

This
article has raised a lot of questions, but has not attempted to provide set
answers. That’s because, ultimately, the answer to the question “Is it
ethical?” must be answered by each individual IT professional.

Unlike
older, more established professions such as medicine and law, most ethical
issues that IT and security professionals confront have not been codified into
law, nor is there a standard mandatory oversight body, such as the national or
state medical association or bar association, that has established a detailed
code of ethics.

However,
the question of ethical behavior in the IT professions is beginning to be
addressed. Voluntary professional associations such as the Association for
Computing Machinery (ACM) have developed their own codes of ethics and
professional conduct, which can serve as a guideline for individuals and other
organizations.

 

Conclusion:

It is a myth that black hat hackers cause most security breaches; in reality,
80% of data loss is caused by insiders. To design a security solution that
truly protects data, an organization must understand the security requirements
relevant to its business process, and the scope of current threats to data. A
business, using IT tools
heavily, depends on providing customers, partners, and employees with access to
information, in a way that is controlled and secure. Managing such types of
business security is a multifaceted challenge and requires the coordination of
business policy and practice with appropriate technology. In addition to
deploying standards-based, flexible and interoperable systems, the technology
must provide assurance of the security provided in the products. As technology
matures and secure information systems are deployed, companies will be better
positioned to manage the risks associated with disintermediation of data
access. Through this process businesses will enhance their competitive edge
while also working to protect critical business infrastructures from
malefactors like hackers, disgruntled employees, criminals and corporate spies.
It is probably not possible to develop comprehensive ethical guidelines to
cover every possible situation of IT misuse inside or outside the
organization. It is possible, however, to realize the pervasiveness and the
magnitude of the problem. It is also possible to develop ethical guidelines on
an ongoing basis to keep pace with changes in the issues. Codes of ethics and
professional conduct vary from one professional organization to the next and
are incomplete or obsolete.

References:

[1] Anthony D. Miyazaki and Ana Fernandez, “Consumer Perceptions of Privacy
and Security Risks for Online Shopping”, 2006.
[2] ACM Code of Ethics and Professional Conduct (1992). Communications of the
ACM, 35(5), 94-99.
Computer Security Institute ~ US FBI, “Computer
[3] Beynon-Davies P., Business Information Systems. Palgrave, Basingstoke,
2009.

 

 
