Lesson 6


Lesson Materials

LESSON 6: Ethical & Security Issues in Information Systems

Why This Lesson

Key technological trends that raise ethical issues include:

• Doubling of computer power - More organizations depend on computer systems for critical operations
• Rapidly declining data storage costs - Organizations can easily maintain detailed databases on individuals
• Networking advances and the Internet - Copying data from one location to another and accessing personal data from remote
locations are much easier
• Advances in data analysis techniques - These allow profiling (combining data from multiple sources to create dossiers of detailed
information on individuals) and nonobvious relationship awareness (NORA), which works by combining data from multiple
sources to find obscure hidden connections that might help identify criminals or terrorists
• Mobile device growth - Tracking of individual cell phones

The same technology, like the Internet, that can offer benefits to society through e-commerce can also be used to commit crime and
threaten cherished social values. Determining how the Internet should be used in e-commerce must take into consideration the costs and
benefits to the individual and society, especially when there are no clear-cut legal or cultural guidelines. This is the ethical aspect of
information systems that will be discussed in this lesson.

Ethics is the study of principles that individuals and organizations can use to determine right and wrong courses of action. The basic
assumption in ethics is that we are free moral agents who are free to make choices in our lives. We can extend this assumption to business
organizations (in that businesses are also free moral agents, free to make choices).

There are three basic common principles in ethics:

• Responsibility - We are responsible for our actions
• Accountability - We should be held accountable to others for the consequences of our actions
• Liability - There must be a law that allows individuals to recover the damages done to them by others. There should also be
due process where a person can appeal to a higher authority to ensure the laws have been applied correctly

Ethics do not really bother anyone unless a dilemma emerges. An ethical dilemma is a situation where there are at least two diametrically
opposed actions, each of which supports a “desirable” outcome, and you do not know which one to choose because you do
not know which is right or wrong. For example, entertainment-based organizations believe strongly that making illegal copies of music
is wrong while many consumers believe it is not wrong to buy pirated copies of music CDs. Similarly, businesses believe that it is not
wrong to collect and analyse information on customers without their consent or knowledge while many consumers believe businesses
are violating their privacy.

The following are the steps for analysing and solving an ethical dilemma:

• Identify and describe clearly the facts - Find out who, when, where, why, how and what
• Define the conflict or dilemma and identify the higher-order values involved - Higher values such as freedom, privacy,
protection of property
• Identify the stakeholders - Who are affected by the dilemma, and how does it affect them
• Identify the options that you can reasonably take - Identify possible (practical) solutions
• Identify the potential consequences of your options - Find out how each possible (practical) solution affects each stakeholder


Figure 16: The moral dimensions of the information age

The introduction of new information technology has a ripple effect, raising new ethical, social, and political issues that must be dealt
with on the individual, social, and political levels. These issues have five moral dimensions: information rights and obligations, property
rights and obligations, system quality, quality of life, and accountability and control.

TOPIC 1: Privacy issues in IT

The issue of information rights and obligations concerns how our personal information should be collected and managed by the
businesses we are dealing with. The growth of digital business has made our information accessible to businesses as we give it up in
exchange during commercial transactions. However, the Internet and the Web provide a very good environment for invading the personal
privacy of millions of Internet users like us. Privacy, which is defined as the moral right of individuals to be left alone, free from
surveillance or interference from other individuals or organizations, including the state (i.e. government), becomes important because it
gives us the power to choose our thoughts and feelings and who we share them with. Privacy protects the information we do not want
shared publicly (such as health or personal finances), in the same way it helps protect our physical safety (if our real-time location data
is private).

Personally identifiable information (PII) is any data that can be used to identify, locate, or contact an individual, such as name, identity
card number, address, telephone number, fax number, or place of employment. This information can help a company identify who we
are, where we live and how to contact us. Advertising networks track the behaviour of consumers across thousands of popular sites (not
just one site).

Most sites collect anonymous information such as demographic and behavioural information that does not include any personal
identifiers (information collected that will not identify who the individuals are). This information cannot be used to contact the
individuals (anonymous information includes age, income level, post code, race, and occupation). It describes us without
identifying who we are.

Almost all (97%) web sites collect personally identifiable information and use cookies to track the clickstream behaviour of visitors on
the site. A majority of the 10 most popular sites allow third parties (such as advertising networks) to place cookies on a visitor’s hard
drive to engage in profiling (the creation of digital images that characterize online individual and group behaviour).
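
The following is an added example, not part of the original lesson, showing how a privacy audit can spot the third-party cookies described above. The response records are constructed, the .example and .test hosts are placeholders, and taking the last two labels of a host name as its "site" is a simplifying assumption (real tools use the Public Suffix List).

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed sample: (page the visitor opened, host that answered, Set-Cookie header).
RESPONSES = [
    ("shop.example", "shop.example", "session=a1; Path=/; HttpOnly"),
    ("shop.example", "px.adnet.test", "uid=U-7731; Domain=adnet.test; Max-Age=31536000"),
    ("news.example", "news.example", "prefs=dark; Path=/"),
    ("news.example", "cdn.adnet.test", "uid=U-7731; Domain=adnet.test; Max-Age=31536000"),
    ("news.example", "stats.metrics.test", "vid=9f; Max-Age=600"),
]


def site_of(host):
    """Naive registrable domain: the last two labels (assumption, see lead-in)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def audit(responses):
    """Return (third_party, cross_site).

    third_party: cookies set by a site other than the one the visitor opened.
    cross_site:  identical third-party cookies seen on two or more sites, which
                 is what lets an advertising network link visits into a profile.
    """
    third_party = []
    seen_on = defaultdict(set)
    for page_host, resp_host, header in responses:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            # A cookie belongs to its Domain attribute, or to the answering host.
            cookie_site = site_of(morsel["domain"] or resp_host)
            if cookie_site == site_of(page_host):
                continue  # first-party cookie
            persistent = bool(morsel["max-age"] or morsel["expires"])
            third_party.append((page_host, cookie_site, name, persistent))
            seen_on[(cookie_site, name, morsel.value)].add(site_of(page_host))
    cross_site = {k: sorted(v) for k, v in seen_on.items() if len(v) > 1}
    return third_party, cross_site


if __name__ == "__main__":
    found, linked = audit(RESPONSES)
    for page, owner, name, persistent in found:
        print(f"{page}: third-party cookie {name!r} from {owner} (persistent={persistent})")
    for (owner, name, value), sites in linked.items():
        print(f"{owner} can link visits to {', '.join(sites)} through {name}={value}")
```

Cookies that appear in the second result are the ones that cookie prevention and management settings are meant to block.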

In the online advertising networks:

• Data on purchases are collected
• Data on all browsing behaviour on the web are collected
• Data collected are used to dynamically adjust what the shoppers see on the screen
• Data collected are used to build and continuously refresh (refine) behavioural profiles of customers

In the online advertising networks, customer profiles are continuously refined without the knowledge and consent of customers. This
form of customer profiling and dynamic personalisation of online advertisements will:

• Ensure customers mostly view advertisements they would likely want to see
• Benefit businesses because advertisements are only displayed to customers who may be interested (and not sent to those who
are unlikely to be interested)
• Benefit product engineers and entrepreneurs by sensing demand for new products and services because they are able to study
user searches and profiles

In countries like the United States, businesses can gather transaction information and use this for other marketing purposes. The online
industry promotes self-regulation over privacy legislation; however, the extent of responsibility taken varies from:

• Declaring statements of information use
• Using opt-out models rather than opt-in
• Displaying the online “seals” of privacy principles

Apart from self-regulating, several technical solutions can also work:

• E-mail encryption
• Anonymous browsing tools
• Cookie prevention and management
• Browser features - “Private” browsing and features such as “Do not track”

For the most part, these solutions fail to prevent users from being tracked from site to site. But total protection is close to impossible as
different geographical regions in the world practice varying levels of control over information rights. For example, EU protections of
privacy are far more powerful than those of the United States because they require informed consent before a firm can do anything with personal
information besides support the transaction at hand. In Europe, there is no junk postal mail, for instance, because advertising firms are
prohibited from using personal information obtained from third parties without the consent of the individual.

TOPIC 2: Property issues in IT

Intellectual property encompasses all the tangible and intangible products of the human mind. The general rule is:
❑ The creator of intellectual property owns it
❑ The owner has exclusive rights to use this “property” in any lawful way he sees fit

The goal of intellectual property law is always to balance two competing interests—public and private. However, maintaining this
balance of interests is always challenged by the invention of new technologies. Once intellectual works become digital, it becomes
difficult to control access, use, distribution, and copying. The Internet technically permits millions of people to make perfect digital
copies of various works – from music, plays, poems, and journal articles – and then distribute them nearly cost free to hundreds of
millions of web users.

The major ethical issue is how we should treat property that belongs to others. The major social issue is whether there is continued value in
protecting intellectual property in the Internet age. And the major political issue is how the Internet and e-commerce can be regulated or
governed to protect intellectual property.

There are three main types of protection:

• Trade secret: an intellectual work or product belonging to a business, not in the public domain
• Copyright: a statutory grant protecting intellectual property from being copied for the life of the author, plus 70 years
• Patent: grants the creator of an invention an exclusive monopoly on the ideas behind the invention for 20 years

TOPIC 3: Accountability & Control

In the event that computer-related liability problems occur, such as when software fails, who is responsible? If software is seen as part of a machine that
injures or harms, can the software producer and operator be liable? If it is seen as similar to a book about crime that led a reader to
commit a crime, would it be possible to hold its author/publisher responsible? What should liability be if software is seen as a service?
These questions raise the issue of governance in information system deployment.


Who do you consider to be the liable party for the incident involving Bank of America customers whose paychecks were denied due to
an operating error at the bank’s computer center? Is it the designers of the systems at the center? Is there no liability involved? This
incident alone illustrates the difficulty of ascribing liability to software developers, for the same reason that it is difficult to ascribe liability to a publisher
for the effects of a book.

TOPIC 4: System quality

System quality deals with data quality and how it should avoid system errors. But information systems are bound to have bugs in their
program code, so we need to think about what is an acceptable, technologically feasible level of system quality. This is another
governance issue that forces us to identify the party that will ensure system quality is not compromised at the expense of
the systems’ users.

Since flawless software is economically unfeasible, there are three principal sources of poor system performance that can guide us:
• Software bugs, errors
• Hardware or facility failures
• Poor input data quality (most common source of business system failure)

Do you have any opinion about when software is “good enough?” Does it depend on the particular product? For example, distinguish
between software used by air traffic controllers and software used for word processing. Do you believe that there are different levels of
acceptable quality for these products?

TOPIC 5: Quality of life

It’s likely that you know someone who has become dependent on their computer to some extent or have even experienced something
similar first hand. These are known as the negative social consequences of information systems:

• Balancing power: although computing power is decentralizing, key decision making remains centralized
• Rapidity of change: businesses may not have enough time to respond to global competition
• Maintaining boundaries: computing, Internet use lengthens work-day, infringes on family, personal time
• Dependence and vulnerability: public and private organizations ever more dependent on computer systems

Information systems usage has also contributed to the proliferation of pornography. It has been a very successful billion dollar Internet
business, being the “single biggest category of paid online content.” Major search engines, for example, offer special search engines for
pornographic materials, hence allowing people (including underage children) to access them. To combat this, efforts to protect children
against pornography and privacy infringement are underway, although passing legislation that will survive court challenges has proved
difficult.

Besides pornography, efforts to control gambling and restrict sales of drugs and cigarettes also face many complications.
Legislation like the Prevent All Cigarette Trafficking Act and the Unlawful Internet Gambling Enforcement Act has been proposed, but there
is an increase in the number of states in the US allowing online gambling.

Other than that, the digital divide is another issue worthy of discussion. It is defined as large differences in Internet access and
e-commerce access among income, ethnic, and age groups. Lack of access to the Internet and e-commerce can result in the following:

• Affect the ability of children to improve learning with educational software
• Affect the ability of adults to acquire valuable technological skills
• Affect the ability of families to get access to online health and civic information
• The rapid spread of Internet access to much of the population has not reduced the digital divide that separates income, ethnic,
rural, and handicapped groups from the rest of society

Finally, we must also discuss the health risks involved in using information technology:

• Repetitive stress injury (RSI) - Largest source is computer keyboards, which leads to Carpal Tunnel Syndrome (CTS)
• Computer vision syndrome (CVS) - Eyestrain and headaches related to screen use
• Technostress - Aggravation, impatience, fatigue

TOPIC 6: Threats to Information Security

When large amounts of data are stored digitally, on computers and servers and in databases, they are vulnerable to many more kinds of
threats than when they were stored in manual form, on paper in folders and file cabinets. When data are available over a network, there
are even more vulnerabilities. What are the reasons behind this?

• Accessibility of networks
• Hardware problems (breakdowns, configuration errors, damage from improper use or crime)
• Software problems (programming errors, installation errors, unauthorized changes)
• Disasters
• Use of networks/computers outside of firm’s control
• Loss and theft of portable devices

On the other hand, digital records are not vulnerable in ways that manual records in a file cabinet are vulnerable. For instance, you really
can’t tell who has accessed manual records, or when, in a physical file. In a database, file access is monitored (unless a hacker has found
a way to read records without leaving a digital trail). The architecture of a Web-based application typically includes a Web client, a
server, and corporate information systems linked to databases. Each of these components presents security challenges and vulnerabilities.

Figure 17: Contemporary Security Challenges and Vulnerabilities


In addition to those identified in Figure 17, digital firms are faced with additional challenges. The overall size of and losses from cybercrime are
unclear due to reporting issues. In a 2016 survey, the average total cost of a data breach to U.S. corporations was $4 million. Such crime is mainly
perpetrated using low-cost web attack kits and ranges from online credit card fraud to the underground economy marketplace. To achieve
the highest degree of security, new technologies are needed. Organizations must set up proactive policies and procedures and align with
industry standards and government laws. It is quite commonly understood that security often breaks at the weakest link, and this is where
there appears to be a dichotomy. The more security measures are added, the more difficult a site is to use and the slower it becomes; hence
digital firms often compromise security for user-friendliness.

In practice, digital firms must ensure their e-commerce systems are protected based on the common security dimensions:


Figure 18: E-Commerce Security Dimensions

Stolen credit card incidents are about 0.8% of all online card transactions. This was possible due to hacking and looting of corporate
servers. By looking into the step-by-step processes involved when a customer makes an online payment, digital firms that develop
e-payment systems must devise a procedure that covers the central security issue of establishing customer identity through:

• E-signatures
• Multi-factor authentication
• Fingerprint identification

Figure 19: How an online payment is processed

Unauthorized use of another person’s personal data for illegal financial benefit is also common. In 2015 alone, 13 million U.S.
consumers suffered identity fraud. This form of identity fraud normally involves the theft of the following personal data:

• Social security number
• Driver’s license
• Credit card numbers
• Usernames/passwords

Nevertheless, when it comes to the largest threat to business institutions in terms of financial losses, it is often the result of insider
embezzlement. This normally happens because:

• Employees have access to privileged information
• Poor security procedures
• Insiders are more likely to be the source of cyberattacks than outsiders

TOPIC 7: Protecting Information and Information Systems

To improve security for a firm’s information systems, it is important to create a framework that supports security. This includes
establishing information systems controls, understanding the risks to the firm’s information systems, and establishing security policies
that are appropriate for the firm. Remember that controls are methods, policies, and organizational procedures that ensure the safety of the
organization’s assets, the accuracy and reliability of its accounting records, and operational adherence to management standards. Controls
may be manual or automated. There are two main types of controls: general controls and application controls.

The types of general controls include:

– Software controls
– Hardware controls
– Computer operations controls
– Data security controls
– Implementation controls
– Administrative controls

The types of application controls include:

– Specific controls unique to each computerized application, such as payroll or order processing
– Include both automated and manual procedures
– Ensure that only authorized data are completely and accurately processed by that application through monitoring input,
process and output
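
The following is an added example, not part of the original lesson, of automated application controls for a payroll application: an input control (batch control totals), processing controls (authorization and reasonableness checks) and an output control (reconciliation). The employee file, the batch, the function names and the 80-hour limit are all constructed for illustration.

```python
from decimal import Decimal

# Constructed sample data: employee master file (hourly rates) and one payroll batch.
EMPLOYEES = {"E100": Decimal("25.00"), "E101": Decimal("31.50"), "E102": Decimal("18.75")}
BATCH_HEADER = {"record_count": 4, "hours_total": Decimal("151.5")}  # control totals from the submitter
BATCH = [
    {"emp": "E100", "hours": "40"},
    {"emp": "E101", "hours": "38.5"},
    {"emp": "E999", "hours": "40"},   # not in the master file
    {"emp": "E102", "hours": "33"},
]
MAX_HOURS = Decimal("80")             # hypothetical reasonableness limit per pay period


def input_control(header, batch):
    """Completeness: the batch must match the control totals declared by its submitter."""
    hours = sum(Decimal(rec["hours"]) for rec in batch)
    return len(batch) == header["record_count"] and hours == header["hours_total"]


def process(batch, employees):
    """Authorization and accuracy: pay only known employees with plausible hours."""
    paid, rejected = [], []
    for rec in batch:
        hours = Decimal(rec["hours"])
        if rec["emp"] not in employees:
            rejected.append((rec["emp"], "unknown employee"))
        elif not (Decimal("0") < hours <= MAX_HOURS):
            rejected.append((rec["emp"], "hours out of range"))
        else:
            paid.append((rec["emp"], hours * employees[rec["emp"]]))
    return paid, rejected


def output_control(batch, paid, rejected):
    """Reconciliation: every input record is accounted for exactly once in the output."""
    return len(paid) + len(rejected) == len(batch)


def run_payroll(header, batch, employees):
    """Apply the three controls in order; refuse the whole batch if a control fails."""
    if not input_control(header, batch):
        raise ValueError("batch does not match its control totals; nothing processed")
    paid, rejected = process(batch, employees)
    if not output_control(batch, paid, rejected):
        raise RuntimeError("output does not reconcile with input")
    return paid, rejected


if __name__ == "__main__":
    paid, rejected = run_payroll(BATCH_HEADER, BATCH, EMPLOYEES)
    print("paid:", paid)
    print("rejected for manual review:", rejected)
```

The rejected list is where the manual procedure takes over: a person reviews each rejected record before it can be resubmitted.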

Figure 20: Tools for Website Security

- end of lesson content –
