USA: +1(669)289-8683 
Sign in
|
The credit card data theft at TJX Companies is considered one of the worst ever. The case is significant because of a lack of appropriate security and control.
Resources: Ch. 7 & 12 of Essentials of Management Information Systems Answer the following questions in 200 to 300 words:
· List and describe the security controls in place. Where are the weaknesses? · What tools and technologies could have been used to fix the weaknesses? · What was the business effect of TJX’s data loss on TJX, consumers, and banks? · Which moral dimensions may be applied in this situation? How? |
S T U D E N T L E A R N I N G O B J E C T I V E S
After completing this chapter, you will be able to answer the
following questions:
1. Why are information systems vulnerable to destruction, error,
and abuse?
2. What is the business value of security and control?
3. What are the components of an organizational framework for
security and control?
4. What are the most important tools and technologies for
safeguarding information resources?
Securing
Information Systems
L E A R N I N G O B J E C T I V E S 7C H A P T E R
232
IS
B
N
1-256-42913-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
233
CHAPTER OUTLINE
Chapter-Opening Case: Boston Celtics Score Big Points Against
Spyware
7.1 System Vulnerability and Abuse
7.2 Business Value of Security and Control
7.3 Establishing a Framework for Security and Control
7.4 Technologies and Tools for Protecting Information Resources
7.5 Hands-on MIS Projects
Business Problem-Solving Case:
Are We Ready for Cyberwarfare?
BOSTON CELTICS SCORE BIG POINTS AGAINST SPYWARE
While the Boston Celtics were fighting for a spot in the playoffs several years ago,
another fierce battle was being waged by its information systems. Jay Wessel, the team’s
vice president of technology, was trying to score points against computer spyware.
Wessel and his IT staff manage about 100 laptops issued to coaches and scouts, and
sales, marketing, and finance employees, and these machines were being overwhelmed
by malware (malicious software).
Like any sports franchise, the Celtics are on the road a great deal of time during the
playing season. Coaches, recruiters, and other staff members are at away games 40 or
more times each season, using their mobile laptop computers to review plays and update
the status of players. They continually sign onto the Internet and connect to the Celtics’
internal network from airports, hotels, and other public places. According to Wessel,
“Hotel Internet connections are a hotbed for spyware activity.” People would bring
laptops that had been infected on the road back to team headquarters in Boston and clog
up the network. Moreover, the spyware was affecting the accessibility and performance
of the Celtics’ proprietary statistical database created with Microsoft SQL Server,
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
234 Part II: Information Technology Infrastructure
which the coaches use to prepare for each game. Wessel and his staff were overwhelmed
spending too much time trying to rid the machines and the network of infections.
During one playoff battle, a torrent of spyware poured into the laptops via a bad Internet
connection in an Indiana hotel. At that point, Wessel decided to take a more aggressive
stance toward spyware. His options were limited because his staff is small and the company
does not have many resources for dealing with security. The security software solutions that
the Celtics had been using (Aladdin eSafe Security Gateway and Webroot Spy Sweeper)
were too unwieldy. The only way the Celtics could run a video-editing suite used for
scouting new players was to temporarily remove these products.
Wessel decided to use Mi5 Networks’ Webgate security appliance as a solution. The tool
sits between the Celtics’ corporate firewall and network, where it stops spyware from
entering the Celtics’ corporate network and prevents machines that have already been
infected from connecting to the network. Webgate also prevents machines infected with
spyware from transmitting data back to the source of the spyware.
Infected machines are quarantined and cleaned up by Wessel’s staff. Webgate provides
an executive summary screen for Wessel to review a list of infected machines, internal
botnet activity, remote attacks, and spyware attempts to surreptitiously communicate with
its authors. To supplement Webgate, the Celtics use SurfControl (now part of Websense) to
filter e-mail and Web surfing activity, Trend Micro antivirus software, SonicWALL firewall
and intrusion detection technology, and Aladdin eSafe for additional malware detection.
Since installing Webgate and these other tools, the Celtics’ network has been spyware-
free. Laptop performance, which used to be slowed down by malicious software, has
improved, the corporate network runs much faster, and calls are down to the Celtics’ IT help
desk. Wessel is quick to point out that this security system would not work without user
education. Employees are required to sign an acceptable use policy that states what they are
allowed to do on their work machines, and they are explicitly discouraged from visiting Web
sites that could transmit more malware to the Celtics’ network.
Sources: Mi5 Networks, “Boston Celtics Shut Out Spyware with Mi5 Webgate Appliance,” www.mi5networks.com,
accessed September 19, 2009; Doug Bartholomew, “The Boston Celtics’ New Malware Point Guard,” Baseline
Magazine, January 2008; and Bill Brenner, “Boston Celtics Face Off Against Spyware,” SearchSecurity.com, accessed
June 23, 2008.
The problems created by spyware for the Boston Celtics illustrate some of the reasons why
businesses need to pay special attention to information system security. Malicious spyware
that had infected coaches’ and employees’ laptops when they were on the road impaired
performance of the company’s internal systems, making it difficult for employees to obtain
the information they needed to perform their jobs.
The chapter-opening diagram calls attention to important points raised by this case and
this chapter. The Boston Celtics coaches and other staff members need to use their laptops to
connect to the company’s internal systems while they are traveling with the team. Linking to
public Wi-Fi networks at hotels and airports exposed the laptops to malicious spyware,
which the laptops then transmitted to corporate systems. The company was spending too
much time and money ridding its systems of malware. Management decided to invest in new
security technology to provide additional layers of protection. It also revised security
procedures requiring infected laptops to be quarantined so they could not infect corporate
systems. The chosen solution has kept the Celtics’ systems free of spyware and speeded up
system performance.
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Chapter 7: Securing Information Systems 235
7.1 System Vulnerability and Abuse
Can you imagine what would happen if you tried to link to the Internet without a firewall or
antivirus software? Your computer would be disabled in a few seconds, and it might take you
many days to recover. If you used the computer to run your business, you might not be able
to sell to your customers or place orders with your suppliers while it was down. And you
might find that your computer system had been penetrated by outsiders, who perhaps stole
or destroyed valuable data, including confidential payment data from your customers. If too
much data were destroyed or divulged, your business might never be able to operate!
In short, if you operate a business today, you need to make security and control a top
priority. Security refers to the policies, procedures, and technical measures used to prevent
unauthorized access, alteration, theft, or physical damage to information systems. Controls
are methods, policies, and organizational procedures that ensure the safety of the organiza-
tion’s assets; the accuracy and reliability of its records; and operational adherence to
management standards.
WHY SYSTEMS ARE VULNERABLE
When large amounts of data are stored in electronic form, they are vulnerable to many more
kinds of threats than when they existed in manual form. Through communications networks,
information systems in different locations are interconnected. The potential for unautho-
rized access, abuse, or fraud is not limited to a single location but can occur at any access
point in the network. Figure 7-1 illustrates the most common threats against contemporary
information systems. They can stem from technical, organizational, and environmental
factors compounded by poor management decisions. In the multi-tier client/server comput-
ing environment illustrated here, vulnerabilities exist at each layer and in the communica-
tions between the layers. Users at the client layer can cause harm by introducing errors or by
accessing systems without authorization. It is possible to access data flowing over networks,
steal valuable data during transmission, or alter messages without authorization. Radiation
may disrupt a network at various points as well. Intruders can launch denial-of-service
attacks or malicious software to disrupt the operation of Web sites. Those capable of pene-
trating corporate systems can destroy or alter corporate data stored in databases or files.
Systems malfunction if computer hardware breaks down, is not configured properly, or
is damaged by improper use or criminal acts. Errors in programming, improper installation,
or unauthorized changes cause computer software to fail. Power failures, floods, fires, or
other natural disasters can also disrupt computer systems.IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
236 Part II: Information Technology Infrastructure
Domestic or offshore partnering with another company adds to system vulnerability if
valuable information resides on networks and computers outside the organization’s control.
Without strong safeguards, valuable data could be lost, destroyed, or could fall into the
wrong hands, revealing important trade secrets or information that violates personal privacy.
The growing use of mobile devices for business computing adds to these woes.
Portability makes cell phones and smartphones easy to lose or steal, and their networks are
vulnerable to access by outsiders. Smartphones used by corporate executives may contain
sensitive data such as sales figures, customer names, phone numbers, and e-mail addresses.
Intruders may be able to access internal corporate networks through these devices.
Unauthorized downloads may introduce disabling software.
Internet Vulnerabilities
Large public networks, such as the Internet, are more vulnerable than internal networks
because they are virtually open to anyone. The Internet is so huge that when abuses do
occur, they can have an enormously widespread impact. When the Internet becomes part of
the corporate network, the organization’s information systems are even more vulnerable to
actions from outsiders.
Computers that are constantly connected to the Internet by cable modems or digital
subscriber line (DSL) are more open to penetration by outsiders because they use fixed
Internet addresses where they can be easily identified. (With dial-up service, a temporary
Internet address is assigned for each session.) A fixed Internet address creates a fixed target
for hackers.
Telephone service based on Internet technology (see Chapter 6) is more vulnerable than
the switched voice network if it does not run over a secure private network. Voice over IP
(VoIP) traffic over the public Internet is not encrypted, so anyone with a network can listen
in on conversations. Hackers can intercept conversations or shut down voice service by
flooding servers supporting VoIP with bogus traffic.
Vulnerability has also increased from widespread use of e-mail, instant messaging (IM),
and peer-to-peer (P2P) file-sharing programs. E-mail may contain attachments that serve as
springboards for malicious software or unauthorized access to internal corporate systems.
Employees may use e-mail messages to transmit valuable trade secrets, financial data, or
confidential customer information to unauthorized recipients. Popular instant messaging
applications for consumers do not use a secure layer for text messages, so they can be
intercepted and read by outsiders during transmission over the public Internet. IM activity
over the Internet can in some cases be used as a back door to an otherwise secure network.
Sharing files over P2P networks, such as those for illegal music sharing, may also transmit
Figure 7-1
Contemporary
Security Challenges
and Vulnerabilities
The architecture of a
Web-based application
typically includes a Web
client, a server, and
corporate information
systems linked to data-
bases. Each of these
components presents
security challenges and
vulnerabilities. Floods,
fires, power failures, and
other electrical problems
can cause disruptions at
any point in the network.
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Chapter 7: Securing Information Systems 237
alicious software or expose information on either individual or corporate computers to out-
siders.
Wireless Security Challenges
Is it safe to log onto a wireless network at an airport, library, or other public location? It
depends on how vigilant you are. Even the wireless network in your home is vulnerable
because Wi-Fi radio transmissions are easy to scan. Both Bluetooth and Wi-Fi networks are
susceptible to hacking by eavesdroppers. Although the range of Wi-Fi networks is only
several hundred feet, it can be extended up to one-fourth of a mile using external antennae.
Local-area networks (LANs) using the 802.11 standard can be easily penetrated by outsiders
armed with laptops, wireless cards, external antennae, and hacking software. Hackers use
these tools to detect unprotected networks, monitor network traffic, and, in some cases, gain
access to the Internet or to corporate networks.
Wi-Fi transmission technology was designed to make it easy for stations to find and hear
one another. The service set identifiers (SSIDs) identifying the access points in a Wi-Fi
network are broadcast multiple times and can be picked up fairly easily by intruders’ sniffer
programs (see Figure 7-2). Wireless networks in many locations do not have basic protec-
tions against war driving, in which eavesdroppers drive by buildings or park outside and try
to intercept wireless network traffic.
A hacker can employ an 802.11 analysis tool to identify the SSID. (Windows XP, Vista ,
and Windows 7 have capabilities for detecting the SSID used in a network and automatically
configuring the radio NIC within the user’s device.) An intruder that has associated with an
access point by using the correct SSID is capable of accessing other resources on the net-
work, using the Windows operating system to determine which other users are connected to
the network, access their computer hard drives, and open or copy their files.
Intruders also use the information they have gleaned to set up rogue access points on a
different radio channel in physical locations close to users to force a user’s radio NIC to
associate with the rogue access point. Once this association occurs, hackers using the rogue
access point can capture the names and passwords of unsuspecting users.
Figure 7-2
Wi-Fi Security
Challenges
Many Wi-Fi networks can
be penetrated easily by
intruders using sniffer
programs to obtain an
address to access the
resources of a network
without authorization.
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
The initial security standard developed for Wi-Fi, called Wired Equivalent Privacy (WEP),
is not very effective. WEP is built into all standard 802.11 products, but its use is optional. Many
users neglect to use WEP security features, leaving them unprotected. The basic WEP specifi-
cation calls for an access point and all of its users to share the same 40-bit encrypted password,
which can be easily decrypted by hackers from a small amount of traffic. Stronger encryption
and authentication systems are now available, but users must be willing to install them.
MALICIOUS SOFTWARE: VIRUSES, WORMS, TROJAN HORSES,
AND SPYWARE
Malicious software programs are referred to as malware and include a variety of threats,
such as computer viruses, worms, and Trojan horses. A computer virus is a rogue software
program that attaches itself to other software programs or data files in order to be executed,
usually without user knowledge or permission. Most computer viruses deliver a “payload.”
The payload may be relatively benign, such as the instructions to display a message or
image, or it may be highly destructive—destroying programs or data, clogging computer
memory, reformatting a computer’s hard drive, or causing programs to run improperly.
Viruses typically spread from computer to computer when humans take an action, such as
sending an e-mail attachment or copying an infected file.
Most recent attacks have come from worms, which are independent computer programs
that copy themselves from one computer to other computers over a network. (Unlike
viruses, they can operate on their own without attaching to other computer program files and
rely less on human behavior in order to spread from computer to computer. This explains
why computer worms spread much more rapidly than computer viruses.) Worms destroy
data and programs as well as disrupt or even halt the operation of computer networks.
Worms and viruses are often spread over the Internet from files of downloaded software,
from files attached to e-mail transmissions, or from compromised e-mail messages or instant
messaging. Viruses have also invaded computerized information systems from “infected”
disks or infected machines. E-mail worms are currently the most problematic.
There are now more than 200 viruses and worms targeting mobile phones, such as Cabir,
Commwarrior, and Frontal.A. Frontal.A, for example, installs a corrupted file that causes
phone failure and prevents the user from rebooting. Mobile device viruses could pose seri-
ous threats to enterprise computing because so many wireless devices are now linked to cor-
porate information systems.
Web 2.0 applications, such as blogs, wikis, and social networking sites such as Facebook
and MySpace, have emerged as new conduits for malware or spyware. These applications
allow users to post software code as part of the permissible content, and such code can be
launched automatically as soon as a Web page is viewed. For example, in August 2008, mali-
cious hackers targeted unsuspecting Facebook users via postings on the site’s Wall feature,
which is used by members to leave each other messages. Impersonating members’ friends,
malicious hackers posted messages urging users to click on a link to view a video that trans-
ported them to a rogue Web page where they were told to download a new version of Adobe’s
Flash player in order to view the video. If users authorized the download, the site would
install a Trojan horse, Troj/Dloadr-BPL, that funneled other malicious code to their PCs. In
July 2009, hackers exploited vulnerabilities in the popular TwitPic add-on service to Twitter.
They stole Britney Spears’ Twitter log-on and then sent “tweets” (short text messages)
claiming to the singer’s followers that Spears had died (Acohido, 2009; Perez, 2008).
Table 7.1 describes the characteristics of some of the most harmful worms and viruses
that have appeared to date.
Over the past decade, worms and viruses have cause billions of dollars of damage to
corporate networks, e-mail systems, and data. According to Consumer Reports’ State of the
Net 2009 survey, U.S. consumers lost $7.5 billion because of malware and online scams,
and the majority of these losses came from malware (Consumer Reports, 2009).
A Trojan horse is a software program that appears to be benign but then does something
other than expected. The Trojan horse is not itself a virus because it does not replicate but is
238 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Chapter 7: Securing Information Systems 239
Name Type Description
Conficker (aka Worm First detected in November 2008. Uses flaws
Downadup, in Windows software to take over machines and link them
Downup) into a virtual computer that can be commanded remotely. Has
more than 5 million computers worldwide under its control.
Difficult to eradicate.
Storm Worm/ First identified in January 2007. Spreads via e-mail spam with
Trojan horse a fake attachment. Infected up to 10 million computers,
causing them to join its zombie network of computers
engaged in criminal activity.
Sasser.ftp Worm First appeared in May 2004. Spread over the Internet by
attacking random IP addresses. Causes computers to
continually crash and reboot, and infected computers to
search for more victims. Affected millions of computers
worldwide, disrupting British Airways flight check-ins,
operations of British coast guard stations, Hong Kong
hospitals, Taiwan post office branches, and Australia’s Westpac
Bank. Sasser and its variants caused an estimated $14.8 billion
to $18.6 billion in damages worldwide.
Mydoom.A Worm First appeared on January 26, 2004. Spreads as an e-mail
attachment. Sends e-mail to addresses harvested from
infected machines, forging the sender’s address. At its peak,
this worm lowered global Internet performance by 10 percent
and Web page loading times by as much as 50 percent. Was
programmed to stop spreading after February 12, 2004.
Sobig.F Worm First detected on August 19, 2003. Spreads via e-mail
attachments and sends massive amounts of mail with forged
sender information. Deactivated itself on September 10, 2003,
after infecting more than 1 million PCs and doing $5 to $10
billion in damage.
ILOVEYOU Virus First detected on May 3, 2000. Script virus written in Visual
Basic script and transmitted as an attachment to e-mail with
the subject line ILOVEYOU. Overwrites music, image, and
other files with a copy of itself and did an estimated $10
billion to $15 billion in damage.
Melissa Macro virus/ First appeared in March 1999. Word macro script mailed
worm infected Word files to first 50 entries in user’s Microsoft
Outlook address book. Infected 15 to 29 percent of all
business PCs, causing $300 million to $600 million in damage.
TABLE 7.1
Examples of Malicious
Code
often a way for viruses or other malicious code to be introduced into a computer system. The
term Trojan horse is based on the huge wooden horse used by the Greeks to trick the Trojans
into opening the gates to their fortified city during the Trojan War. Once inside the city walls,
Greek soldiers hidden in the horse revealed themselves and captured the city.
Another example of a modern-day Trojan horse is Pushdo Trojan, which uses electronic
greeting-card lures in e-mail to trick Windows users into launching an executable program.
Once the Trojan is executed, it pretends to be an Apache Web server and tries to deliver exe-
cutable malware programs to the infected Windows machines.
At the moment, SQL injection attacks are the largest malware threat. SQL injection
attacks take advantage of vulnerabilities in poorly coded Web application software to intro-IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
duce malicious program code into a company’s systems and networks. These vulnerabilities
occur when a Web application fails to properly validate or filter data entered by a user on a
Web page, which might occur when ordering something online. An attacker uses this input
validation error to send a rogue SQL query to the underlying database to access the data-
base, plant malicious code, or access other systems on the network. Large Web applications
have hundreds of places for inputting user data, each of which creates an opportunity for an
SQL injection attack.
A large number of Web-facing applications are believed to have SQL injection vulnera-
bilities, and tools are available for hackers to check Web applications for these vulnerabili-
ties. Such tools are able to locate a data entry field on a Web page form, enter data into it,
and check the response to see if shows vulnerability to a SQL injection.
Some types of spyware also act as malicious software. These small programs install
themselves surreptitiously on computers to monitor user Web surfing activity and serve up
advertising. Thousands of forms of spyware have been documented.
Many users find such spyware annoying and some critics worry about its infringement
on computer users’ privacy. Some forms of spyware are especially nefarious. Keyloggers
record every keystroke made on a computer to steal serial numbers for software, to launch
Internet attacks, to gain access to e-mail accounts, to obtain passwords to protected
computer systems, or to pick up personal information such as credit card numbers. Other
spyware programs reset Web browser home pages, redirect search requests, or slow
performance by taking up too much memory.
HACKERS AND COMPUTER CRIME
A hacker is an individual who intends to gain unauthorized access to a computer system.
Within the hacking community, the term cracker is typically used to denote a hacker with
criminal intent, although in the public press, the terms hacker and cracker are used inter-
changeably. Hackers and crackers gain unauthorized access by finding weaknesses in the
security protections employed by Web sites and computer systems, often taking advantage
of various features of the Internet that make it an open system that is easy to use.
Hacker activities have broadened beyond mere system intrusion to include theft of
goods and information, as well as system damage and cybervandalism, the intentional
disruption, defacement, or even destruction of a Web site or corporate information system.
For example, cybervandals have turned many of the MySpace “group” sites, which are
dedicated to interests such as home beer brewing or animal welfare, into cyber-graffiti walls,
filled with offensive comments and photographs.
Spoofing and Sniffing
Hackers attempting to hide their true identities often spoof, or misrepresent, themselves by
using fake e-mail addresses or masquerading as someone else. Spoofing also may involve
redirecting a Web link to an address different from the intended one, with the site
masquerading as the intended destination. For example, if hackers redirect customers to a
fake Web site that looks almost exactly like the true site, they can then collect and process
orders, effectively stealing business as well as sensitive customer information from the true
site. We provide more detail on other forms of spoofing in our discussion of computer crime.
A sniffer is a type of eavesdropping program that monitors information traveling over a
network. When used legitimately, sniffers help identify potential network trouble spots or
criminal activity on networks, but when used for criminal purposes, they can be damaging
and very difficult to detect. Sniffers enable hackers to steal proprietary information from
anywhere on a network, including e-mail messages, company files, and confidential reports.
Denial-of-Service Attacks
In a denial-of-service (DoS) attack, hackers flood a network server or Web server with
many thousands of false communications or requests for services to crash the network. The
network receives so many queries that it cannot keep up with them and is thus unavailable to
240 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
service legitimate requests. A distributed denial-of-service (DDoS) attack uses numerous
computers to inundate and overwhelm the network from numerous launch points.
For example, during the 2009 Iranian election protests, foreign activists trying to help the
opposition engaged in DDoS attacks against Iran’s government. The official Web site of the
Iranian government (ahmedinejad.ir) was rendered inaccessible on several occasions.
Although DoS attacks do not destroy information or access restricted areas of a
company’s information systems, they often cause a Web site to shut down, making it impos-
sible for legitimate users to access the site. For busy e-commerce sites, these attacks are
costly; while the site is shut down, customers cannot make purchases. Especially vulnerable
are small and midsize businesses whose networks tend to be less protected than those of
large corporations.
Perpetrators of DoS attacks often use thousands of “zombie” PCs infected with
malicious software without their owners’ knowledge and organized into a botnet. Hackers
create these botnets by infecting other people’s computers with bot malware that opens a
back door through which an attacker can give instructions. The infected computer then
becomes a slave, or zombie, serving a master computer belonging to someone else. Once a
hacker infects enough computers, her or she can use the amassed resources of the botnet to
launch DDos attacks, phishing campaigns, or unsolicited “spam” e-mail.
The chapter-ending case study describes multiple waves of DDoS attacks targeting a
number of Web sites of government agencies and other organizations in South Korea and the
United States in July 2009. The attacker used a botnet that took control of 65,000 computers
and was able to cripple some of these sites for several days. Most of the bots originated from
China and North Korea. Botnet attacks thought to have originated in Russia were responsi-
ble for crippling the Web sites of the Estonian government in April 2007 and the Georgian
government in July 2008.
Computer Crime
Most hacker activities are criminal offenses, and the vulnerabilities of systems we have just
described make them targets for other types of computer crime as well. For example, in
early July 2009, U.S. federal agents arrested Sergey Aleynikov, a computer programmer at
investment banking firm Goldman Sachs, for stealing proprietary computer programs used
in making lucrative rapid-fire trades in the financial markets. The software brought Goldman
many millions of dollars of profits per year and, in the wrong hands, could have been used to
manipulate financial markets in unfair ways. Computer crime is defined by the U.S.
Department of Justice as “any violations of criminal law that involve a knowledge of
computer technology for their perpetration, investigation, or prosecution.” Table 7.2
provides examples of the computer as a target of crime and as an instrument of crime.
No one knows the magnitude of the computer crime problem—how many systems are
invaded, how many people engage in the practice, or the total economic damage. According
to the 2008 CSI Computer Crime and Security Survey of 522 companies, participants’
average annual loss from computer crime and security attacks was close to $500,000
(Richardson, 2008). Many companies are reluctant to report computer crimes because the
crimes may involve employees, or the company fears that publicizing its vulnerability will
hurt its reputation. The most economically damaging kinds of computer crime are DoS
attacks, introducing viruses, theft of services, and disruption of computer systems.
IDENTITY THEFT
With the growth of the Internet and electronic commerce, identity theft has become
especially troubling. Identity theft is a crime in which an imposter obtains key pieces of
personal information, such as social security identification numbers, driver’s license
numbers, or credit card numbers, to impersonate someone else. The information may be used
to obtain credit, merchandise, or services in the name of the victim or to provide the thief with
false credentials. According to Javelin Strategy and Research, 4.7 percent of Americans were
victims of identity theft in 2008 and they suffered losses totaling $48 billion (Javelin, 2009).
Chapter 7: Securing Information Systems 241
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Identify theft has flourished on the Internet, with credit card files a major target of Web
site hackers. Moreover, e-commerce sites are wonderful sources of customer personal
information—name, address, and phone number. Armed with this information, criminals are
able to assume new identities and establish new credit for their own purposes.
One increasingly popular tactic is a form of spoofing called phishing. Phishing involves
setting up fake Web sites or sending e-mail or text messages that look like those of legitimate
businesses to ask users for confidential personal data. The message instructs recipients to
update or confirm records by providing social security numbers, bank and credit card infor-
mation, and other confidential data either by responding to the e-mail message, by entering
the information at a bogus Web site, or by calling a telephone number. EBay, PayPal,
Amazon, Wal-Mart, and a variety of banks, are among the top spoofed companies.
New phishing techniques called evil twins and pharming are harder to detect. Evil twins
are wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet,
such as those in airport lounges, hotels, or coffee shops. The bogus network looks identical
to a legitimate public network. Fraudsters try to capture passwords or credit card numbers of
unwitting users who log on to the network.
Pharming redirects users to a bogus Web page, even when the individual types the
correct Web page address into his or her browser. This is possible if pharming perpetrators
gain access to the Internet address information stored by Internet service providers to speed
up Web browsing and the ISP companies have flawed software on their servers that allows
the fraudsters to hack in and change those addresses.
The Interactive Session on Organizations describes the largest instance of identity theft
to date in which hackers penetrated the corporate systems of TJX Corporation, Hannaford
Brothers, 7-Eleven, and other major retailers and stole over 130 million credit and debit card
numbers. As you read this case, pay attention to the people, organizational, and technology
issues raised by this problem and whether these companies implemented effective solutions.
The U.S. Congress addressed the threat of computer crime in 1986 with the Computer
Fraud and Abuse Act. This act makes it illegal to access a computer system without
242 Part II: Information Technology Infrastructure
Computers as Targets of Crime
Breaching the confidentiality of protected computerized data
Accessing a computer system without authority
Knowingly accessing a protected computer to commit fraud
Intentionally accessing a protected computer and causing damage, negligently or deliberately
Knowingly transmitting a program, program code, or command that intentionally causes damage
to a protected computer
Threatening to cause damage to a protected computer
Computers as Instruments of Crime
Theft of trade secrets
Unauthorized copying of software or copyrighted intellectual property, such as articles, books,
music, and video
Schemes to defraud
Using e-mail for threats or harassment
Intentionally attempting to intercept electronic communication
Illegally accessing stored electronic communications, including e-mail and voice mail
Transmitting or possessing child pornography using a computer
TABLE 7.2
Examples of
Computer Crime
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
INTERACTIVE SESSION: ORGANIZATIONS The Worst Data Theft Ever
On August 17, 2009, 28-year-old Alberto Gonzalez of
Miami was charged along with two Russian accom-
plices with carrying out the largest hacking and iden-
tity-theft crime in U.S. history. Federal prosecutors
alleged that the three had masterminded a global
scheme to steal more than 130 million credit and debit
card numbers between 2006 and 2008 by hacking into
the computer systems of companies that included the
Hannaford Bros. supermarket chain, 7-Eleven, and
Heartland Payment Systems, a credit card processing
company.
The group used a network of computers in New
Jersey, California, Illinois, Latvia, the Netherlands,
and the Ukraine to infiltrate the computer systems of
targeted companies, using sophisticated techniques to
evade detection by antivirus software. They planted
software programs in these companies’ computer net-
works that enabled them to steal more data in the
future as well as “sniffer” programs to capture card
data while they were being transmitted between com-
puter systems. An unspecified number of the stolen
credit and debit card numbers were sold online and
used to make unauthorized purchases and withdrawals
from banks.
Gonzalez and his group have been responsible for
other major data thefts as well. On September 18,
2009, Gonzalez pleaded guilty to 19 counts of crimi-
nal activity and credit card fraud in attacks against
Barnes and Noble, OfficeMax, Boston Market, and
Sports Authority. Gonzalez was also responsible for
stealing 40 million credit and debit card numbers from
TJX Cos., the parent company of T.J. Maxx.
The data thefts at Hannaford, Heartland, and
7-Eleven Stores were carried out using SQL injection
attacks, which we defined earlier in this chapter. SQL
injection attacks are well understood, and security
experts have warned retailers about them for years.
Nevertheless, many companies still use older versions
of Microsoft SQL Server database management
software that allow attackers to take control of the
database with a SQL injection.
Gonzalez and his ring started using SQL injection
attacks around August 2007. Before that time, they
penetrated corporate systems by exploiting weak wire-
less security. The thieves drove around and scanned
retailers’ wireless networks to identify network vul-
nerabilities and then installed sniffer programs that
tapped into the networks for processing credit cards,
intercepting customers’ debit and credit card numbers
and PINs (personal identification numbers).
These techniques enabled the group to siphon off
more than 40 million credit and debit-card numbers
from TJX in July 2005. Gonzalez’s team identified a
vulnerable network at a Marshall’s department store in
Miami and used it to install a sniffer program on the
computers of the chain’s parent company, TJX. The
group was then able to access the central TJX data-
base, which stored customer transactions for T.J.
Maxx, Marshalls, HomeGoods, and A.J. Wright stores
in the United States and Puerto Rico, and for Winners
and HomeSense stores in Canada.
TJX was still using the old Wired Equivalent
Privacy (WEP) encryption system, which is relatively
easy for hackers to crack. Other companies had
switched to the more secure Wi-Fi Protected Access
(WPA) standard with more complex encryption, but
TJX at that time had not made the change. An auditor
later found that TJX had also neglected to install fire-
walls and data encryption on many of the computers
using the wireless network, and didn’t properly install
another layer of security software it had purchased.
TJX acknowledged in a Securities and Exchange
Commission filing that it transmitted credit card data
to banks without encryption, violating credit card
company guidelines. TJX also retained cardholder
data in its systems much longer than stipulated by
industry rules for storing such data.
In March 2008, TJX management agreed to
strengthen the company’s information system security.
It also agreed to have third-party auditors review secu-
rity measures every 2 years for the next 20 years. TJX
has already spent over $202 million to deal with its
data theft, including legal settlements. Forrester
Research estimates that the cost to TJX for the data
breach could surpass $1 billion over five years, includ-
ing costs for consultants, security upgrades, attorney
fees, and additional marketing to reassure customers.
Hannaford Bros. also started implementing
additional security safeguards. It updated firewalls,
installed a round-the-clock security monitoring and
detection service from IBM, and also began encrypt-
ing traffic flowing over a private network from its store
registers to its credit card processor. (The existing
Payment Card Industry Data Security Standard [PCI
DSS] guidelines, which apply to all companies
processing credit cards, only require encryption of
data transmitted over public networks.)
Sources: Jaikumar Vijayan, “SQL Injection Attacks Led to Hartland, Hannaford
Breaches,” Chief Security Officer, August 19, 2009; Dan Kaplan, “After Breach,
Hannaford Details IT Security Remodel,” SC Magazine, April 23, 2009; Brad Stone,
“3 Indicted in Theft of 130 Million Card Numbers,” The New York Times, August 18,
2009 and “11 Charged in Theft of 41 Million Card Numbers,” The New York Times,
August 6, 2008; Siobhan Gorman, “Arrest in Epic Cyber Swindle,” The Wall Street
Journal, August 19, 2009; Andrew Conry-Murray, Dan Berthiaume, “Data Breaches
Cause Concern,” eWeek, April 7, 2008; and “T.J. Maxx Probe Reveals Data Brach
Worse Than Originally Thought,” Information Week, February 21, 2007.
Chapter 7: Securing Information Systems 243
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
1. List and describe the security control weaknesses
at Hannaford Bros. and TJX Companies.
2. What people, organization, and technology factors
contributed to these problems?
3. What was the business impact of the TJX and
Hannaford data losses on these companies and
consumers?
4. Were the solutions adopted by TJX and
Hannaford effective? Why or why not?
5. Who should be held liable for the losses caused
by the use of fraudulent credit cards in this case?
TJX and Hannaford? The banks issuing the credit
cards? The consumers? Justify your answer.
6. What solutions would you suggest to prevent the
problems?
Explore the Web site of the PCI Security Standards
Council (www.pcisecuritystandards.org) and review
the PCI Data Security Standard (PCI DSS).
1. Based on the details in this case study, how well
was TJX complying with the PCI DSS. What
requirements did it fail to meet?
2. Would complying with this standard have pre-
vented the theft of credit card data from TJX?
Why or why not?
CASE STUDY QUESTIONS MIS IN ACTION
244 Part II: Information Technology Infrastructure
authorization. Most states have similar laws, and nations in Europe have comparable
legislation. Congress also passed the National Information Infrastructure Protection Act in
1996 to make virus distribution and hacker attacks that disable Web sites federal crimes.
U.S. legislation, such as the Wiretap Act, Wire Fraud Act, Economic Espionage Act,
Electronic Communications Privacy Act, E-Mail Threats and Harassment Act, and Child
Pornography Act, covers computer crimes involving intercepting electronic communication,
using electronic communication to defraud, stealing trade secrets, illegally accessing stored
electronic communications, using e-mail for threats or harassment, and transmitting or
possessing child pornography.
Click Fraud
When you click on an ad displayed by a search engine, the advertiser typically pays a fee for
each click, which is supposed to direct potential buyers to its products. Click fraud occurs
when an individual or computer program fraudulently clicks on an online ad without any
intention of learning more about the advertiser or making a purchase. Click fraud has
become a serious problem at Google and other Web sites that feature pay-per-click online
advertising.
Some companies hire third parties (typically from low-wage countries) to fraudulently
click on a competitor’s ads to weaken them by driving up their marketing costs. Click fraud
can also be perpetrated with software programs doing the clicking, and botnets are often
used for this purpose. Search engines such as Google attempt to monitor click fraud but have
been reluctant to publicize their efforts to deal with the problem.
Global Threats: Cyberterrorism and Cyberwarfare
The cybercriminal activities we have described—launching malware, denial-of- service
attacks, and phishing probes—are borderless. Computer security firm Sophos reported that
37 percent of the malware it identified in 2008 originated in the United States, while 28
percent came from China, and 9 percent from Russia (Sophos, 2009). The global nature of
the Internet makes it possible for cybercriminals to operate—and to do harm—anywhere in
the world.
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Concern is mounting that the vulnerabilities of the Internet or other networks make dig-
ital networks easy targets for digital attacks by terrorists, foreign intelligence services, or
other groups seeking to create widespread disruption and harm. Such cyberattacks might
target the software that runs electrical power grids, air traffic control systems, or networks of
major banks and financial institutions. At least 20 countries, including China, Russia, and
the United States, are believed to be developing offensive and defensive cyberwarfare capa-
bilities. The chapter-ending case study discusses this problem in greater detail.
INTERNAL THREATS: EMPLOYEES
We tend to think the security threats to a business originate outside the organization. In fact,
company insiders pose serious security problems. Employees have access to privileged
information, and in the presence of sloppy internal security procedures, they are often able
to roam throughout an organization’s systems without leaving a trace.
Studies have found that user lack of knowledge is the single greatest cause of network
security breaches. Many employees forget their passwords to access computer systems or
allow co-workers to use them, which compromises the system. Malicious intruders seeking
system access sometimes trick employees into revealing their passwords by pretending to be
legitimate members of the company in need of information. This practice is called social
engineering.
Both end users and information systems specialists are also a major source of errors
introduced into information systems. End users introduce errors by entering faulty data or
by not following the proper instructions for processing data and using computer equipment.
Information systems specialists may create software errors as they design and develop new
software or maintain existing programs.
SOFTWARE VULNERABILITY
Software errors pose a constant threat to information systems, causing untold losses in
productivity. Growing complexity and size of software programs, coupled with demands for
timely delivery to markets, have contributed to an increase in software flaws or vulnerabili-
ties. For example, a computer programming error at the New York City Housing Authority
was responsible for miscalculating rents for hundreds of welfare families between
September 2008 and May 2009. The affected families were billed an average of $183 more
for rent than what was supposed to be charged and threatened with eviction for failing to pay
the higher amount (Fernandez, 2009).
A major problem with software is the presence of hidden bugs or program code defects.
Studies have shown that it is virtually impossible to eliminate all bugs from large programs.
The main source of bugs is the complexity of decision-making code. A relatively small
program of several hundred lines will contain tens of decisions leading to hundreds or even
thousands of different paths. Important programs within most corporations are usually much
larger, containing tens of thousands or even millions of lines of code, each with many times
the choices and paths of the smaller programs.
Zero defects cannot be achieved in larger programs. Complete testing simply is not
possible. Fully testing programs that contain thousands of choices and millions of paths
would require thousands of years. Even with rigorous testing, you would not know for sure
that a piece of software was dependable until the product proved itself after much opera-
tional use.
Flaws in commercial software not only impede performance but also create security
vulnerabilities that open networks to intruders. Each year security firms identify about 5,000
software vulnerabilities in Internet and PC software. For instance, in 2008, Symantec
identified 47 vulnerabilities in Microsoft Internet Explorer, 99 in Mozilla browsers, and 40
in Apple Safari. Some of these vulnerabilities are critical (Symantec, 2009).
To correct software flaws once they are identified, the software vendor creates small
pieces of software called patches to repair the flaws without disturbing the proper opera-
tion of the software. An example is Microsoft’s Windows Vista Service Pack 2, released in
Chapter 7: Securing Information Systems 245
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
April 2009, which includes some security enhancements to counter malware and hackers.
It is up to users of the software to track these vulnerabilities, test, and apply all patches.
This process is called patch management.
Because a company’s IT infrastructure is typically laden with multiple business applica-
tions, operating system installations, and other system services, maintaining patches on all
devices and services used by a company is often time-consuming and costly. Malware is
being created so rapidly that companies have very little time to respond between the time a
vulnerability and a patch are announced and the time malicious software appears to exploit
the vulnerability.
7.2 Business Value of Security and Control
Many firms are reluctant to spend heavily on security because it is not directly related to
sales revenue. However, protecting information systems is so critical to the operation of the
business that it deserves a second look.
Companies have very valuable information assets to protect. Systems often house
confidential information about individuals’ taxes, financial assets, medical records, and job
performance reviews. They also can contain information on corporate operations, including
trade secrets, new product development plans, and marketing strategies. Government systems
may store information on weapons systems, intelligence operations, and military targets.
These information assets have tremendous value, and the repercussions can be devastating if
they are lost, destroyed, or placed in the wrong hands. One study estimated that when the
security of a large firm is compromised, the company loses approximately 2.1 percent of its
market value within two days of the security breach, which translates into an average loss of
$1.65 billion in stock market value per incident (Cavusoglu, Mishra, and Raghunathan, 2004).
Inadequate security and control may result in serious legal liability. Businesses must
protect not only their own information assets but also those of customers, employees, and
business partners. Failure to do so may open the firm to costly litigation for data exposure or
theft. An organization can be held liable for needless risk and harm created if the organiza-
tion fails to take appropriate protective action to prevent loss of confidential information,
data corruption, or breach of privacy. For example, BJ’s Wholesale Club was sued by the
U.S. Federal Trade Commission for allowing hackers to access its systems and steal credit
and debit card data for fraudulent purchases. Banks that issued the cards with the stolen data
sought $13 million from BJ’s to compensate them for reimbursing card holders for the
fraudulent purchases. A sound security and control framework that protects business infor-
mation assets can thus produce a high return on investment. Strong security and control also
increase employee productivity and lower operational costs.
LEGAL AND REGULATORY REQUIREMENTS FOR ELECTRONIC
RECORDS MANAGEMENT
Recent U.S. government regulations are forcing companies to take security and control
more seriously by mandating the protection of data from abuse, exposure, and unauthorized
access. Firms face new legal obligations for the retention and storage of electronic records
as well as for privacy protection.
If you work in the healthcare industry, your firm will need to comply with the Health
Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA outlines medical
security and privacy rules and procedures for simplifying the administration of healthcare
billing and automating the transfer of healthcare data between healthcare providers, payers,
and plans. It requires members of the healthcare industry to retain patient information for six
years and ensure the confidentiality of those records. It specifies privacy, security, and elec-
tronic transaction standards for healthcare providers handling patient information, providing
penalties for breaches of medical privacy, disclosure of patient records by e-mail, or unau-
thorized network access.
246 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
If you work in a firm providing financial services, your firm will need to comply with the
Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act
after its congressional sponsors. This act requires financial institutions to ensure the security and
confidentiality of customer data. Data must be stored on a secure medium, and special security
measures must be enforced to protect such data on storage media and during transmittal.
If you work in a publicly traded company, your company will need to comply with the
Public Company Accounting Reform and Investor Protection Act of 2002, better known as
the Sarbanes-Oxley Act after its sponsors Senator Paul Sarbanes of Maryland and
Representative Michael Oxley of Ohio. This Act was designed to protect investors after the
financial scandals at Enron, WorldCom, and other public companies. It imposes responsibil-
ity on companies and their management to safeguard the accuracy and integrity of financial
information that is used internally and released externally. One of the Learning Tracks for
this chapter discusses Sarbanes-Oxley in detail.
Sarbanes-Oxley is fundamentally about ensuring that internal controls are in place to
govern the creation and documentation of information in financial statements. Because
information systems are used to generate, store, and transport such data, the legislation
requires firms to consider information systems security and other controls required to ensure
the integrity, confidentiality, and accuracy of their data. Each system application that deals
with critical financial reporting data requires controls to make sure the data are accurate.
Controls to secure the corporate network, prevent unauthorized access to systems and data,
and ensure data integrity and availability in the event of disaster or other disruption of ser-
vice are essential as well.
ELECTRONIC EVIDENCE AND COMPUTER FORENSICS
Security, control, and electronic records management have become essential for respond-
ing to legal actions. Much of the evidence today for stock fraud, embezzlement, theft of
company trade secrets, computer crime, and many civil cases is in digital form. In
addition to information from printed or typewritten pages, legal cases today increasingly
rely on evidence represented as digital data stored on flash drives, CDs, and computer
hard disk drives, as well as in e-mail, instant messages, and e-commerce transactions
over the Internet. E-mail is currently the most common type of electronic evidence.
In a legal action, a firm is obligated to respond to a discovery request for access to
information that may be used as evidence, and the company is required by law to produce
those data. The cost of responding to a discovery request can be enormous if the company
has trouble assembling the required data or the data have been corrupted or destroyed.
Courts now impose severe financial and even criminal penalties for improper destruction of
electronic documents.
An effective electronic document retention policy ensures that electronic documents,
e-mail, and other records are well organized, accessible, and neither retained too long nor
discarded too soon. It also reflects an awareness of how to preserve potential evidence for
computer forensics. Computer forensics is the scientific collection, examination, authenti-
cation, preservation, and analysis of data held on or retrieved from computer storage media
in such a way that the information can be used as evidence in a court of law. It deals with the
following problems:
• Recovering data from computers while preserving evidential integrity
• Securely storing and handling recovered electronic data
• Finding significant information in a large volume of electronic data
• Presenting the information to a court of law
Electronic evidence may reside on computer storage media in the form of computer files
and as ambient data, which are not visible to the average user. An example might be a file
that has been deleted on a PC hard drive. Data that a computer user may have deleted on
computer storage media can be recovered through various techniques. Computer forensics
experts try to recover such hidden data for presentation as evidence.
Chapter 7: Securing Information Systems 247
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
An awareness of computer forensics should be incorporated into a firm’s contingency
planning process. The CIO, security specialists, information systems staff, and corporate
legal counsel should all work together to have a plan in place that can be executed if a legal
need arises. You can find out more about computer forensics in the Learning Tracks for this
chapter.
7.3 Establishing a Framework for Security and Control
Even with the best security tools, your information systems won’t be reliable and secure
unless you know how and where to deploy them. You’ll need to know where your company
is at risk and what controls you must have in place to protect your information systems.
You’ll also need to develop a security policy and plans for keeping your business running if
your information systems aren’t operational.
INFORMATION SYSTEMS CONTROLS
Information systems controls are both manual and automated and consist of both general
controls and application controls. General controls govern the design, security, and use of
computer programs and the security of data files in general throughout the organization’s
information technology infrastructure. On the whole, general controls apply to all comput-
erized applications and consist of a combination of hardware, software, and manual
procedures that create an overall control environment.
General controls include software controls, physical hardware controls, computer
operations controls, data security controls, controls over implementation of system
processes, and administrative controls. Table 7.3 describes the functions of each of these
controls.
Application controls are specific controls unique to each computerized application,
such as payroll or order processing. They include both automated and manual procedures
that ensure that only authorized data are completely and accurately processed by that appli-
cation. Application controls can be classified as (1) input controls, (2) processing controls,
and (3) output controls.
Input controls check data for accuracy and completeness when they enter the system.
There are specific input controls for input authorization, data conversion, data editing, and
error handling. Processing controls establish that data are complete and accurate during
updating. Output controls ensure that the results of computer processing are accurate, com-
plete, and properly distributed. You can find more detail about application and general con-
trols in our Learning Tracks.
RISK ASSESSMENT
Before your company commits resources to security and information systems controls, it
must know which assets require protection and the extent to which these assets are vulnera-
ble. A risk assessment helps answer these questions and determine the most cost-effective
set of controls for protecting assets.
A risk assessment determines the level of risk to the firm if a specific activity or process
is not properly controlled. Not all risks can be anticipated and measured, but most
businesses will be able to acquire some understanding of the risks they face. Business
managers working with information systems specialists should try to determine the value of
information assets, points of vulnerability, the likely frequency of a problem, and the
potential for damage. For example, if an event is likely to occur no more than once a year,
with a maximum of a $1,000 loss to the organization, it is not be wise to spend $20,000 on
the design and maintenance of a control to protect against that event. However, if that same
event could occur at least once a day, with a potential loss of more than $300,000 a year,
$100,000 spent on a control might be entirely appropriate.
248 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Table 7.4 illustrates sample results of a risk assessment for an online order processing
system that processes 30,000 orders per day. The likelihood of each exposure occurring over
a one-year period is expressed as a percentage. The next column shows the highest and
lowest possible loss that could be expected each time the exposure occurred and an average
loss calculated by adding the highest and lowest figures together and dividing by two. The
expected annual loss for each exposure can be determined by multiplying the average loss
by its probability of occurrence.
This risk assessment shows that the probability of a power failure occurring in a
one-year period is 30 percent. Loss of order transactions while power is down could range
from $5,000 to $200,000 (averaging $102,500) for each occurrence, depending on how long
processing is halted. The probability of embezzlement occurring over a yearly period is
about 5 percent, with potential losses ranging from $1,000 to $50,000 (and averaging
$25,500) for each occurrence. User errors have a 98 percent chance of occurring over a
yearly period, with losses ranging from $200 to $40,000 (and averaging $20,100) for each
occurrence.
Chapter 7: Securing Information Systems 249
Type of General Control Description
Software controls Monitor the use of system software and prevent
unauthorized access of software programs, system software,
and computer programs.
Hardware controls Ensure that computer hardware is physically secure, and
check for equipment malfunction. Organizations that are
critically dependent on their computers also must make
provisions for backup or continued operation to maintain
constant service.
Computer operations controls Oversee the work of the computer department to ensure that
programmed procedures are consistently and correctly applied
to the storage and processing of data. They include controls
over the setup of computer processing jobs and backup and
recovery procedures for processing that ends abnormally.
Data security controls Ensure that valuable business data files on either disk or tape
are not subject to unauthorized access, change, or
destruction while they are in use or in storage.
Implementation controls Audit the systems development process at various points to
ensure that the process is properly controlled and managed.
Administrative controls Formalize standards, rules, procedures, and control
disciplines to ensure that the organization’s general and
application controls are properly executed and enforced.
TABLE 7.3
General Controls
Probability of Loss Range/ Expected
Exposure Occurrence (%) Average ($) Annual Loss ($)
Power failure 30% $5,000–$200,000 ($102,500) $30,750
Embezzlement 5% $1,000–$50,000 ($25,500) $1,275
User error 98% $200–$40,000 ($20,100) $19,698
TABLE 7.4
Online Order
Processing Risk
Assessment
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Once the risks have been assessed, system builders will concentrate on the control points
with the greatest vulnerability and potential for loss. In this case, controls should focus on
ways to minimize the risk of power failures and user errors because anticipated annual
losses are highest for these areas.
SECURITY POLICY
Once you’ve identified the main risks to your systems, your company will need to develop a
security policy for protecting the company’s assets. A security policy consists of statements
ranking information risks, identifying acceptable security goals, and identifying the mecha-
nisms for achieving these goals. What are the firm’s most important information assets?
Who generates and controls this information in the firm? What existing security policies are
in place to protect the information? What level of risk is management willing to accept for
each of these assets? Is it willing, for instance, to lose customer credit data once every 10
years? Or will it build a security system for credit card data that can withstand the once-in-
a-hundred-year disaster? Management must estimate how much it will cost to achieve this
level of acceptable risk.
The security policy drives policies determining acceptable use of the firm’s information
resources and which members of the company have access to its information assets. An
acceptable use policy (AUP) defines acceptable uses of the firm’s information resources
and computing equipment, including desktop and laptop computers, wireless devices,
telephones, and the Internet. The policy should clarify company policy regarding privacy,
user responsibility, and personal use of company equipment and networks. A good AUP
defines unacceptable and acceptable actions for every user and specifies consequences for
noncompliance. For example, security policy at Unilever, the giant multinational consumer
goods company, requires every employee equipped with a laptop mobile handheld device to
use a company-specified device and employ a password or other method of identification
when logging onto the corporate network.
Authorization policies determine differing levels of access to information assets for
different levels of users. Authorization management systems establish where and when a
user is permitted to access certain parts of a Web site or a corporate database. Such systems
allow each user access only to those portions of a system that person is permitted to enter,
based on information established by a set of access rules.
The authorization management system knows exactly what information each user is
permitted to access as shown in Figure 7-3. This figure illustrates the security allowed for
two sets of users of an online personnel database containing sensitive information, such as
employees’ salaries, benefits, and medical histories. One set of users consists of all employ-
ees who perform clerical functions, such as inputting employee data into the system. All
individuals with this type of profile can update the system but can neither read nor update
sensitive fields, such as salary, medical history, or earnings data. Another profile applies to a
divisional manager, who cannot update the system but who can read all employee data fields
for his or her division, including medical history and salary. These profiles are based on
access rules supplied by business groups. The system illustrated in Figure 7-3 provides very
fine-grained security restrictions, such as allowing authorized personnel users to inquire
about all employee information except that in confidential fields, such as salary or medical
history.
DISASTER RECOVERY PLANNING AND BUSINESS CONTINUITY
PLANNING
If you run a business, you need to plan for events such as power outages, floods, earthquakes,
or terrorist attacks that will prevent your information systems and your business from operat-
ing. Disaster recovery planning devises plans for the restoration of computing and commu-
nications services after they have been disrupted. Disaster recovery plans focus primarily on
250 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
the technical issues involved in keeping systems up and running, such as which files to back
up and the maintenance of backup computer systems or disaster recovery services.
For example, MasterCard maintains a duplicate computer center in Kansas City,
Missouri, to serve as an emergency backup to its primary computer center in St. Louis.
Rather than build their own backup facilities, many firms contract with disaster recovery
firms, such as Comdisco Disaster Recovery Services in Rosemont, Illinois, and SunGard
Availability Services, headquartered in Wayne, Pennsylvania. These disaster recovery firms
provide hot sites housing spare computers at locations around the country where subscribing
firms can run their critical applications in an emergency. For example, Champion
Technologies, which supplies chemicals used in oil and gas operations, is able to switch its
enterprise systems from Houston to a SunGard hot site in Scottsdale, Arizona, in two hours.
Business continuity planning focuses on how the company can restore business opera-
tions after a disaster strikes. The business continuity plan identifies critical business
processes and determines action plans for handling mission-critical functions if systems go
down. For example, Deutsche Bank, which provides investment banking and asset manage-
ment services in 74 different countries, has a well-developed business continuity plan that it
continually updates and refines. It maintains full-time teams in Singapore, Hong Kong,
Japan, India, and Australia to coordinate plans addressing loss of facilities, personnel, or
critical systems so that the company can continue to operate when a catastrophic event
occurs. Deutsche Bank’s plan distinguishes between processes critical for business survival
and those critical to crisis support and is coordinated with the company’s disaster recovery
planning for its computer centers.
Business managers and information technology specialists need to work together on
both types of plans to determine which systems and business processes are most critical to
the company. They must conduct a business impact analysis to identify the firm’s most
critical systems and the impact a systems outage would have on the business. Management
must determine the maximum amount of time the business can survive with its systems
down and which parts of the business must be restored first.
Chapter 7: Securing Information Systems 251
Figure 7-3
Security Profiles for
a Personnel System
These two examples
represent two security
profiles or data security
patterns that might be
found in a personnel
system. Depending on
the security profile, a
user would have certain
restrictions on access to
various systems, loca-
tions, or data in an
organization.
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
THE ROLE OF AUDITING
How does management know that information systems security and controls are effective?
To answer this question, organizations must conduct comprehensive and systematic audits.
An MIS audit examines the firm’s overall security environment as well as controls govern-
ing individual information systems. The auditor should trace the flow of sample transactions
through the system and perform tests, using, if appropriate, automated audit software.
The MIS audit may also examine data quality.
Security audits review technologies, procedures, documentation, training, and person-
nel. A thorough audit will even simulate an attack or disaster to test the response of the
technology, information systems staff, and business employees.
The audit lists and ranks all control weaknesses and estimates the probability of their
occurrence. It then assesses the financial and organizational impact of each threat.
Figure 7-4 is a sample auditor’s listing of control weaknesses for a loan system. It includes
a section for notifying management of such weaknesses and for management’s response.
Management is expected to devise a plan for countering significant weaknesses in controls.
7.4 Technologies and Tools for Protecting Information
Resources
Businesses have an array of tools and technologies for protecting their information
resources. They include tools and technologies for securing systems and data, ensuring
system availability, and ensuring software quality.
ACCESS CONTROL
Access control consists of all the policies and procedures a company uses to prevent
improper access to systems by unauthorized insiders and outsiders. To gain access a
user must be authorized and authenticated. Authentication refers to the ability to
know that a person is who he or she claims to be. Access control software is designed to
252 Part II: Information Technology Infrastructure
Figure 7-4
Sample Auditor’s
List of Control
Weaknesses
This chart is a sample
page from a list of
control weaknesses that
an auditor might find in a
loan system in a local
commercial bank. This
form helps auditors
record and evaluate
control weaknesses and
shows the results of
discussing those weak-
nesses with manage-
ment, as well as any
corrective actions taken
by management.
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
allow only authorized users to use systems or to access data using some method for
authentication.
Authentication is often established by using passwords known only to authorized users.
An end user uses a password to log on to a computer system and may also use passwords for
accessing specific systems and files. However, users often forget passwords, share them, or
choose poor passwords that are easy to guess, which compromises security. Password
systems that are too rigorous hinder employee productivity. When employees must change
complex passwords frequently, they often take shortcuts, such as choosing passwords that
are easy to guess or writing down their passwords at their workstations in plain view.
Passwords can also be “sniffed” if transmitted over a network or stolen through social
engineering.
New authentication technologies, such as tokens, smart cards, and biometric authentica-
tion, overcome some of these problems. A token is a physical device, similar to an identifi-
cation card, that is designed to prove the identity of a single user. Tokens are small gadgets
that typically fit on key rings and display passcodes that change frequently. A smart card is
a device about the size of a credit card that contains a chip formatted with access permission
and other data. (Smart cards are also used in electronic payment systems.) A reader device
interprets the data on the smart card and allows or denies access.
Biometric authentication uses systems that read and interpret individual human traits,
such as fingerprints, irises, and voices, in order to grant or deny access. Biometric authentication
is based on the measurement of a physical or behavioral trait that makes each individual unique.
It compares a person’s unique characteristics, such as the fingerprints, face, or retinal image,
against a stored profile of these characteristics to determine whether there are any differences
between these characteristics and the stored profile. If the two profiles match, access is granted.
Fingerprint and facial recognition technologies are just beginning to be used for security
applications. PC laptops are starting to be equipped with fingerprint identification devices.
FIREWALLS, INTRUSION DETECTION SYSTEMS, AND ANTIVIRUS
SOFTWARE
Without protection against malware and intruders, connecting to the Internet would be very
dangerous. Firewalls, intrusion detection systems, and antivirus software have become
essential business tools.
Chapter 7: Securing Information Systems 253
This PC has a biometric
fingerprint reader for fast
yet secure access to
files and networks. New
models of PCs are start-
ing to use biometric
identification to authenti-
cate users.
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Firewalls
Firewalls prevent unauthorized users from accessing private networks. A firewall is a
combination of hardware and software that controls the flow of incoming and outgoing
network traffic. It is generally placed between the organization’s private internal networks
and distrusted external networks, such as the Internet, although firewalls can also be used to
protect one part of a company’s network from the rest of the network (see Figure 7-5).
The firewall acts like a gatekeeper who examines each user’s credentials before access is
granted to a network. The firewall identifies names, IP addresses, applications, and other
characteristics of incoming traffic. It checks this information against the access rules that
have been programmed into the system by the network administrator. The firewall prevents
unauthorized communication into and out of the network.
In large organizations, the firewall often resides on a specially designated computer
separate from the rest of the network, so no incoming request directly accesses private
network resources. There are a number of firewall screening technologies, including static
packet filtering, stateful inspection, Network Address Translation, and application proxy
filtering. They are frequently used in combination to provide firewall protection.
Packet filtering examines selected fields in the headers of data packets flowing back and
forth between the trusted network and the Internet, examining individual packets in isola-
tion. This filtering technology can miss many types of attacks. Stateful inspection provides
additional security by determining whether packets are part of an ongoing dialogue between
a sender and a receiver. It sets up state tables to track information over multiple packets.
Packets are accepted or rejected based on whether they are part of an approved conversation
or whether they are attempting to establish a legitimate connection.
Network Address Translation (NAT) can provide another layer of protection when static
packet filtering and stateful inspection are employed. NAT conceals the IP addresses of the
254 Part II: Information Technology Infrastructure
Figure 7-5
A Corporate Firewall
The firewall is placed between the firm’s private network and the public Internet or another distrusted network to protect against
unauthorized traffic.
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
organization’s internal host computer(s) to prevent sniffer programs outside the firewall
from ascertaining them and using that information to penetrate internal systems.
Application proxy filtering examines the application content of packets. A proxy
server stops data packets originating outside the organization, inspects them, and passes a
proxy to the other side of the firewall. If a user outside the company wants to communi-
cate with a user inside the organization, the outside user first “talks” to the proxy applica-
tion and the proxy application communicates with the firm’s internal computer. Likewise,
a computer user inside the organization goes through the proxy to talk with computers on
the outside.
To create a good firewall, an administrator must maintain detailed internal rules identi-
fying the people, applications, or addresses that are allowed or rejected. Firewalls can deter,
but not completely prevent, network penetration by outsiders and should be viewed as one
element in an overall security plan.
Intrusion Detection Systems
In addition to firewalls, commercial security vendors now provide intrusion detection tools
and services to protect against suspicious network traffic and attempts to access files and
databases. Intrusion detection systems feature full-time monitoring tools placed at the
most vulnerable points or “hot spots” of corporate networks to detect and deter intruders
continually. The system generates an alarm if it finds a suspicious or anomalous event.
Scanning software looks for patterns indicative of known methods of computer attacks, such
as bad passwords, checks to see if important files have been removed or modified, and sends
warnings of vandalism or system administration errors. Monitoring software examines
events as they are happening to discover security attacks in progress. The intrusion detection
tool can also be customized to shut down a particularly sensitive part of a network if it
receives unauthorized traffic.
Antivirus and Antispyware Software
Defensive technology plans for both individuals and businesses must include antivirus
protection for every computer. Antivirus software is designed to check computer systems
and drives for the presence of computer viruses. Often the software eliminates the virus
from the infected area. However, most antivirus software is effective only against viruses
already known when the software was written. To remain effective, the antivirus software
must be continually updated. Antivirus products are available for many different types of
mobile and handheld devices in addition to servers, workstations, and desktop PCs.
Leading antivirus software vendors, such as Avira, McAfee, Symantec, and Trend
Micro, have enhanced their products to include protection against spyware. Antispyware
software tools such as Ad-Aware, Spybot S&D, and Spyware Doctor are also very helpful.
Unified Threat Management Systems
To help businesses reduce costs and improve manageability, security vendors have
combined into a single appliance various security tools, including firewalls, virtual private
networks, intrusion detection systems, and Web content filtering and antispam software.
These comprehensive security management products are called unified threat manage-
ment (UTM) systems. Although initially aimed at small and medium-sized businesses,
UTM products are available for all sizes of networks. Leading UTM vendors include
Crossbeam, Fortinet, and Check Point, and networking vendors such as Cisco Systems and
Juniper Networks provide some UTM capabilities in their equipment.
SECURING WIRELESS NETWORKS
Despite its flaws, WEP provides some margin of security if Wi-Fi users remember to
activate it. A simple first step to thwart hackers is to assign a unique name to your network’s
SSID and instruct your router not to broadcast it. Corporations can further improve Wi-Fi
security by using it in conjunction with virtual private network (VPN) technology when
accessing internal corporate data.
Chapter 7: Securing Information Systems 255
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
In June 2004, the Wi-Fi Alliance industry trade group finalized the 802.11i specification
(also referred to as Wi-Fi Protected Access 2 or WPA2) that replaces WEP with stronger
security standards. Instead of the static encryption keys used in WEP, the new standard uses
much longer keys that continually change, making them harder to crack. It also employs an
encrypted authentication system with a central authentication server to ensure that only
authorized users access the network.
ENCRYPTION AND PUBLIC KEY INFRASTRUCTURE
Many businesses use encryption to protect digital information that they store, physically
transfer, or send over the Internet. Encryption is the process of transforming plain text
or data into cipher text that cannot be read by anyone other than the sender and the
intended receiver. Data are encrypted by using a secret numerical code, called an encryp-
tion key, that transforms plain data into cipher text. The message must be decrypted by
the receiver.
Two methods for encrypting network traffic on the Web are SSL and S-HTTP. Secure
Sockets Layer (SSL) and its successor Transport Layer Security (TLS) enable client and
server computers to manage encryption and decryption activities as they communicate with
each other during a secure Web session. Secure Hypertext Transfer Protocol (S-HTTP) is
another protocol used for encrypting data flowing over the Internet, but it is limited to
individual messages, whereas SSL and TLS are designed to establish a secure connection
between two computers.
The capability to generate secure sessions is built into Internet client browser software
and servers. The client and the server negotiate what key and what level of security to use.
Once a secure session is established between the client and the server, all messages in that
session are encrypted.
There are two alternative methods of encryption: symmetric key encryption and public
key encryption. In symmetric key encryption, the sender and receiver establish a secure
Internet session by creating a single encryption key and sending it to the receiver so both the
sender and receiver share the same key. The strength of the encryption key is measured by
its bit length. Today, a typical key will be 128 bits long (a string of 128 binary digits).
The problem with all symmetric encryption schemes is that the key itself must be shared
somehow among the senders and receivers, which exposes the key to outsiders who might
just be able to intercept and decrypt the key. A more secure form of encryption called public
key encryption uses two keys: one shared (or public) and one totally private as shown in
Figure 7-6. The keys are mathematically related so that data encrypted with one key can be
decrypted using only the other key. To send and receive messages, communicators first
create separate pairs of private and public keys. The public key is kept in a directory and the
private key must be kept secret. The sender encrypts a message with the recipient’s public
key. On receiving the message, the recipient uses his or her private key to decrypt it.
Digital certificates are data files used to establish the identity of users and electronic
assets for protection of online transactions (see Figure 7-7). A digital certificate system uses
a trusted third party, known as a certificate authority (CA), to validate a user’s identity. There
are many CAs in the United States and around the world, including VeriSign, IdenTrust, and
Australia’s KeyPost.
The CA verifies a digital certificate user’s identity offline. This information is put into
a CA server, which generates an encrypted digital certificate containing owner identifica-
tion information and a copy of the owner’s public key. The certificate authenticates that
the public key belongs to the designated owner. The CA makes its own public key
available publicly either in print or perhaps on the Internet. The recipient of an encrypted
message uses the CA’s public key to decode the digital certificate attached to the message,
verifies it was issued by the CA, and then obtains the sender’s public key and identifica-
tion information contained in the certificate. Using this information, the recipient can
send an encrypted reply. The digital certificate system would enable, for example, a credit
card user and a merchant to validate that their digital certificates were issued by an
256 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
authorized and trusted third party before they exchange data. Public key infrastructure
(PKI), the use of public key cryptography working with a certificate authority, is now
widely used in e-commerce.
ENSURING SYSTEM AVAILABILITY
As companies increasingly rely on digital networks for revenue and operations, they need to
take additional steps to ensure that their systems and applications are always available.
Firms such as those in the airline and financial services industries with critical applications
requiring online transaction processing have traditionally used fault-tolerant computer
systems for many years to ensure 100-percent availability. In online transaction process-
ing, transactions entered online are immediately processed by the computer. Multitudinous
changes to databases, reporting, and requests for information occur each instant.
Fault-tolerant computer systems contain redundant hardware, software, and power
supply components that create an environment that provides continuous, uninterrupted
Chapter 7: Securing Information Systems 257
Figure 7-6
Public Key Encryption
A public key encryption system can be viewed as a series of public and private keys that lock data when they are transmitted and
unlock the data when they are received. The sender locates the recipient’s public key in a directory and uses it to encrypt a mes-
sage. The message is sent in encrypted form over the Internet or a private network. When the encrypted message arrives, the
recipient uses his or her private key to decrypt the data and read the message.
Figure 7-7
Digital Certificates
Digital certificates help
establish the identity of
people or electronic
assets. They protect
online transactions by
providing secure,
encrypted, online
communication.
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
258 Part II: Information Technology Infrastructure
service. Fault-tolerant computers use special software routines or self-checking logic built
into their circuitry to detect hardware failures and automatically switch to a backup device.
Parts from these computers can be removed and repaired without disruption to the
computer system.
Fault tolerance should be distinguished from high-availability computing. Both fault
tolerance and high-availability computing try to minimize downtime. Downtime refers to
periods of time in which a system is not operational. However, high-availability computing
helps firms recover quickly from a system crash, whereas fault tolerance promises continu-
ous availability and the elimination of recovery time altogether.
High-availability computing environments are a minimum requirement for firms with
heavy e-commerce processing or for firms that depend on digital networks for their internal
operations. High-availability computing requires backup servers, distribution of processing
across multiple servers, high-capacity storage, and good disaster recovery and business
continuity plans. The firm’s computing platform must be extremely robust with scalable
processing power, storage, and bandwidth.
Researchers are exploring ways to make computing systems recover even more rapidly
when mishaps occur, an approach called recovery-oriented computing. This work includes
designing systems that recover quickly, and implementing capabilities and tools to help opera-
tors pinpoint the sources of faults in multi-component systems and easily correct their mistakes.
Controlling Network Traffic: Deep Packet Inspection
Have you ever tried to use your campus network and found it was very slow? It may be
because your fellow students are using the network to download music or watch YouTube.
Bandwith-consuming applications such as file-sharing programs, Internet phone service,
and online video are able to clog and slow down corporate networks, degrading
performance. For example, Ball Sate University in Muncie, Indiana, found its network had
slowed because a small minority of students were using peer-to-peer file sharing programs
to download movies and music.
A technology called deep packet inspection (DPI) helps solve this problem. DPI exam-
ines data files and sorts out low-priority online material while assigning higher priority to
business-critical files. Based on the priorities established by a network’s operators, it decides
whether a specific data packet can continue to its destination or should be blocked or
delayed while more important traffic proceeds. Using a DPI system from Allot
Communications, Ball State was able to cap the amount of file-sharing traffic and assign it a
much lower priority. Ball State’s preferred network traffic speeded up.
Security Outsourcing
Many companies, especially small businesses, lack the resources or expertise to provide a
secure high-availability computing environment on their own. They can outsource many
security functions to managed security service providers (MSSPs) that monitor network
activity and perform vulnerability testing and intrusion detection. SecureWorks, BT
Counterpane, VeriSign, and Symantec are leading providers of MSSP services.
SECURITY ISSUES FOR CLOUD COMPUTING AND THE MOBILE
DIGITAL PLATFORM
Although cloud computing and the emerging mobile digital platform have the potential to
deliver powerful benefits, they pose new challenges to system security and reliability. We
now describe some of these challenges and how they should be addressed.
Security in the Cloud
When processing takes place in the cloud, accountability and responsibility for protection
of sensitive data still reside with the company owning that data. Understanding how the
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
cloud computing provider organizes its services and manages the data is critical. The
Interactive Session on Technology details some of the cloud security issues that should be
addressed.
Cloud users need to confirm that regardless of where their data are stored or
transferred, they are protected at a level that meets their corporate requirements. They
should stipulate that the cloud provider store and process data in specific jurisdictions
according to the privacy rules of those jurisdictions. Cloud clients should find how the
cloud provider segregates their corporate data from those of other companies and ask for
proof that encryption mechanisms are sound. It’s also important to know how the cloud
provider will respond if a disaster strikes, whether the provider will be able to completely
restore your data, and how long this should take. Cloud users should also ask whether
cloud providers will submit to external audits and security certifications. These kinds of
controls can be written into the service level agreement (SLA) before signing with a cloud
provider.
Securing Mobile Platforms
Malware targeting mobile devices is not as extensive as that targeting computers, but is
spreading nonetheless using e-mail, text messages, Bluetooth, and file downloads from the
Web via Wi-Fi or cellular networks. If mobile devices are performing many of the functions
of PCs, they need to be secured like desktops and laptops against malware, theft, accidental
loss, unauthorized access, and hacking attempts. Mobile devices accessing corporate
systems and data require special protection.
Companies should make sure that their corporate security policy includes mobile
devices, with additional details on how mobile devices should be supported, protected, and
used. Guidelines should stipulate required software and procedures for remote access of cor-
porate systems. At this time, the security for smartphones is not as well developed as for
larger devices. These devices may not be able to fully protect sensitive information, espe-
cially data transmitted via e-mail attachments and data stored locally on the devices.
ENSURING SOFTWARE QUALITY
In addition to implementing effective security and controls, organizations can improve
system quality and reliability by employing software metrics and rigorous software
testing. Software metrics are objective assessments of the system in the form of quantified
measurements. Ongoing use of metrics allows the information systems department and
end users to jointly measure the performance of the system and identify problems as they
occur. Examples of software metrics include the number of transactions that can be
processed in a specified unit of time, online response time, the number of payroll checks
printed per hour, and the number of known bugs per hundred lines of program code. For
metrics to be successful, they must be carefully designed, formal, objective, and used
consistently.
Early, regular, and thorough testing will contribute significantly to system quality. Many
view testing as a way to prove the correctness of work they have done. In fact, we know that
all sizable software is riddled with errors, and we must test to uncover these errors.
Good testing begins before a software program is even written by using a walkthrough—
a review of a specification or design document by a small group of people carefully selected
based on the skills needed for the particular objectives being tested. Once developers start
writing software programs, coding walkthroughs also can be used to review program code.
However, code must be tested by computer runs. When errors are discovered, the source is
found and eliminated through a process called debugging. You can find out more about the
various stages of testing required to put an information system into operation in Chapter 11.
Our Learning Tracks also contain descriptions of methodologies for developing software
programs that also contribute to software quality.
Chapter 7: Securing Information Systems 259
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
INTERACTIVE SESSION: TECHNOLOGY How Secure Is the Cloud?
New York-based investment banking and financial
services firm Cowen and Co. has moved its global
sales systems to the cloud using Salesforce.com. So
far, Cowen’s CIO Daniel Flax is pleased. Using cloud
services has helped the company lower up-front
technology costs, decrease downtime, and support
additional services. But he’s trying to come to grips
with cloud security issues. Cloud computing security
is indeed cloudy, and this lack of transparency is trou-
bling to many. One of the biggest risks of cloud com-
puting is that it is highly distributed. Cloud applica-
tions and application mashups reside in virtual
libraries in large remote data centers and server farms
that supply business services and data management to
multiple corporate clients. To save money and keep
costs low, cloud computing providers often distribute
work to data centers around the globe where work can
be accomplished most efficiently. When you use the
cloud, you may not know precisely where your data
are being hosted, and you might not even know the
country where they are being stored.
The dispersed nature of cloud computing makes it
difficult to track unauthorized activity. Virtually all
cloud providers use encryption, such as Secure Sockets
Layer (SSL) to secure the data they handle while the
data are being transmitted. But if the data are stored on
devices that also store other companies’ data, it’s
important to ensure these stored data are encrypted as
well.
Indian Harvest Specialtifoods, a Bemidji,
Minnesota-based company that distributes rice, grains,
and legumes to restaurants worldwide, relies on cloud
software provider NetSuite to ensure that its data sent
to the cloud are fully protected. Mike Mullin, Indian
Harvest’s IT director, feels that using SSL to encrypt
the data gives him some level of confidence that the
data are secure. He also points out that his company
and other users of cloud services need to pay attention
to their own security practices, especially access con-
trols. “Your side of the infrastructure is just as vulnera-
ble, if not more vulnerable, than the provider’s side,” he
observes.
One way to deal with these problems is to use a
cloud vendor that is a public company, which is
required by law to disclose how it manages informa-
tion. Salesforce.com meets this requirement, with
strict processes and guidelines for managing its data
centers. “We know our data are in the U.S. and we
have a report on the very data centers that we’re talk-
ing about,” says Flax.
Another alternative is to use a cloud provider that
give subscribers the option to choose where their cloud
computing work takes place. For example, Terremark
Worldwide Inc. is giving its subscriber Agora Games
the option to choose where its applications run.
Terremark has a Miami facility but is adding other
locations. In the past, Agora had no say over where
Terremark hosted its applications and data.
Even if your data are totally secure in the cloud,
you may not be able to prove it. Some cloud providers
don’t meet current compliance requirements regarding
security, and some of those providers, such as
Amazon, have asserted that they don’t intend to meet
those rules and won’t allow compliance auditors
on-site.
There are laws restricting where companies can
send and store some types of information—personally
identifiable information in the European Union
(EU), government work in the United States, or appli-
cations that employ certain encryption algorithms.
Companies required to meet these regulations involv-
ing protected data either in the United States or the EU
won’t be able to use public cloud providers.
Some of these regulations call for proof that sys-
tems are securely managed, which may require confir-
mation from an independent audit. Large cloud
providers are unlikely to allow another company’s
auditors to inspect their data centers. Microsoft found
a way to deal with this problem that may be helpful.
The company reduced 26 different types of audits to a
list of 200 necessary controls for meeting compliance
standards that were applied to its data center environ-
ments and services. Microsoft does not give every cus-
tomer or auditor access to its data centers, but its com-
pliance framework allows auditors to order from a
menu of tests and receive the results.
Companies expect their systems to be running 24/7,
but cloud providers haven’t always been able to provide
this level of service. Millions of customers of
Salesforce.com suffered a 38-minute outage in early
January 2009 and others several years earlier. The
January 2009 outage locked more than 900,000
subscribers out of crucial applications and data needed
to transact business with customers. Users of Amazon’s
cloud services experienced downtime several times in
2008. (In July 2008 they lost service for 8 hours.)
Agreements for services such as Amazon EC2 and
Microsoft Azure state that these companies are not going
to be held liable for data losses or fines or other legal
penalties when companies use their services. Both
vendors offer guidance on how to use their cloud
platforms securely, and they may still be able to protect
data better than some companies’ homegrown facilities.
260 Part II: Information Technology Infrastructure
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
1. What security and control problems are described
in this case?
2. What people, organization, and technology factors
contribute to these problems?
3. How secure is cloud computing? Explain your
answer.
4. If you were in charge of your company’s informa-
tion systems department, what issues would you
want to clarify with prospective vendors?
5. Would you entrust your corporate systems to a
cloud computing provider? Why or why not?
Salesforce.com had been building up and
redesigning its infrastructure to ensure better
service. The company invested $50 million in
Mirrorforce technology, a mirroring system that
creates a duplicate database in a separate location
and synchronizes the data instantaneously. If one
database is disabled, the other takes over.
Salesforce.com added two data centers on the East
Go to www.trust.salesforce.com, then answer the
following questions:
1. Click on Security and describe Salesforce.com’s
security provisions. How helpful are these?
2. Click on Best Practices and describe what
subscribing companies can do to tighten security.
How helpful are these guidelines?
3. If you ran a business, would you feel confident
about using Salesforce.com’s on-demand service?
Why or why not?
and West coasts in addition to its Silicon Valley
facility. The company distributed processing for its
larger customers among these centers to balance its
database load.
Sources: John Edwards, “Cutting Through the Fog of Cloud Security,”
Computerworld, February 23, 2009; Wayne Rash, “Is Cloud Computing Secure?
Prove It,” eWeek, September 21, 2009; Robert Lemos, ,”Five Lessons from
Microsoft on Cloud Security,” Computerworld, August 25, 2009; Mike Fratto,
“Cloud Control,” Information Week, January 26, 2009.
CASE STUDY QUESTIONS MIS IN ACTION
Chapter 7: Securing Information Systems 261
7.5 Hands-On MIS Projects
The projects in this section give you hands-on experience analyzing security vulnerabilities,
using spreadsheet software for risk analysis, and using Web tools to research security
outsourcing services.
MANAGEMENT DECISION PROBLEMS
1. K2 Network operates online game sites used by about 16 million people in over 100
countries. Players are allowed to enter a game for free, but must buy digital “assets”
from K2, such as swords to fight dragons, if they want to be deeply involved. The games
can accomodate millions of players at once and are played simultaneously by people all
over the world. Prepare a security analysis for this Internet-based business. What kinds
of threats should it anticipate? What would be their impact on the business? What steps
can it take to prevent damage to its Web sites and continuing operations?
2. A survey of your firm’s information technology infrastructure has produced the
following security analysis statistics:
High-risk vulnerabilities include non-authorized users accessing applications, guessable
passwords, user names matching the password, active user accounts with missing
passwords, and the existence of unauthorized programs in application systems. Medium-
risk vulnerabilities include the ability of users to shut down the system without being logged
on, passwords and screen saver settings that were not established for PCs, and outdated ver-
sions of software still being stored on hard drives. Low-risk vulnerabilities include the
inability of users to change their passwords, user passwords that have not been changed
periodically, and passwords that were smaller than the minimum size specified by the
company.IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
262 Part II: Information Technology Infrastructure
• Calculate the total number of vulnerabilities for each platform. What is the potential
impact of the security problems for each computing platform on the organization?
• If you only have one information systems specialist in charge of security, which
platforms should you address first in trying to eliminate these vulnerabilities? Second?
Third? Last? Why?
• Identify the types of control problems illustrated by these vulnerabilities and explain the
measures that should be taken to solve them.
• What does your firm risk by ignoring the security vulnerabilities identified?
IMPROVING DECISION MAKING: USING SPREADSHEET
SOFTWARE TO PERFORM A SECURITY RISK ASSESSMENT
Software skills: Spreadsheet formulas and charts
Business skills: Risk assessment
This project uses spreadsheet software to calculate anticipated annual losses from various
security threats identified for a small company.
Mercer Paints is a small but highly regarded paint manufacturing company located in
Alabama. The company has a network in place linking many of its business operations.
Although the firm believes that its security is adequate, the recent addition of a Web site has
become an open invitation to hackers. Management requested a risk assessment. The risk
assessment identified a number of potential exposures. These exposures, their associated
probabilities, and average losses are summarized in the following table.
SECURITY VULNERABILITIES BY TYPE OF COMPUTING PLATFORM
Platform Number of High Medium Low Total
Computers Risk Risk Risk Vulnerabilities
Windows Server (corporate applications) 1 11 37 19
Windows 7 Enterprise (high-level administrators) 3 56 242 87
Linux (e-mail and printing services) 1 3 154 98
Sun Solaris (UNIX) (E-commerce and Web servers) 2 12 299 78
Windows 7 Enterprise user desktops and 195 14 16 1,237
laptops with office productivity tools that can
also be linked to the corporate network running
corporate applications and intranet
MERCER PAINTS RISK ASSESSMENT
Exposure Probability of Occurrence (%) Average Loss ($)
Malware attack 60% $75,000
Data loss 12% $70,000
Embezzlement 3% $30,000
User errors 95% $25,000
Threats from hackers 95% $90,000
Improper use by employees 5% $5,000
Power failure 15% $300,000
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Chapter 7: Securing Information Systems 263
LEARNING TRACKS
The following Learning Tracks provide content relevant to topics covered in this
chapter:
1. The Booming Job Market in IT Security
2. The Sarbanes-Oxley Act
3. Computer Forensics
4. General and Application Controls for Information Systems
5. Software Vulnerability and Reliability
6. Management Challenges of Security and Control
• In addition to the potential exposures listed, you should identify at least three other
potential threats to Mercer Paints, assign probabilities, and estimate a loss range.
• Use spreadsheet software and the risk assessment data to calculate the expected annual
loss for each exposure.
• Present your findings in the form of a chart. Which control points have the greatest
vulnerability? What recommendations would you make to Mercer Paints? Prepare a
written report that summarizes your findings and recommendations.
IMPROVING DECISION MAKING: EVALUATING SECURITY
OUTSOURCING SERVICES
Software skills: Web browser and presentation software
Business skills: Evaluating business outsourcing services
Businesses today have a choice of whether to outsource the security function or maintain
their own internal staff for this purpose. This project will help develop your Internet skills in
using the Web to research and evaluate security outsourcing services.
As an information systems expert in your firm, you have been asked to help manage-
ment decide whether to outsource security or keep the security function within the firm.
Search the Web to find information to help you decide whether to outsource security and to
locate security outsourcing services.
• Present a brief summary of the arguments for and against outsourcing computer security
for your company.
• Select two firms that offer computer security outsourcing services, and compare them
and their services.
• Prepare an electronic presentation for management summarizing your findings. Your pre-
sentation should make the case on whether or not your company should outsource com-
puter security. If you believe your company should outsource, the presentation should
identify which security outsourcing service should be selected and justify your selection.
Review Summary
1 Why are information systems vulnerable to destruction, error, and abuse? Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software
failures. The Internet is designed to be an open system and makes internal corporate systems
more vulnerable to actions from outsiders. Hackers can unleash denial-of-service (DoS)
attacks or penetrate corporate networks, causing serious system disruptions. Wi-Fi networksIS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
can easily be penetrated by intruders using sniffer programs to obtain an address to access the
resources of the network. Computer viruses and worms can disable systems and Web sites.
The dispersed nature of cloud computing makes it difficult to track unauthorized activity or to
apply controls from afar. Software presents problems because software bugs may be
impossible to eliminate and because software vulnerabilities can be exploited by hackers and
malicious software. End users often introduce errors.
2 What is the business value of security and control? Lack of sound security andcontrol can cause firms relying on computer systems for their core business functions
to lose sales and productivity. Information assets, such as confidential employee records,
trade secrets, or business plans, lose much of their value if they are revealed to outsiders or
if they expose the firm to legal liability. New laws, such as HIPAA, the Sarbanes-Oxley Act,
and the Gramm-Leach-Bliley Act, require companies to practice stringent electronic records
management and adhere to strict standards for security, privacy, and control. Legal actions
requiring electronic evidence and computer forensics also require firms to pay more
attention to security and electronic records management.
3 What are the components of an organizational framework for security and con-trol? Firms need to establish a good set of both general and application controls for
their information systems. A risk assessment evaluates information assets, identifies control
points and control weaknesses, and determines the most cost-effective set of controls. Firms
must also develop a coherent corporate security policy and plans for continuing business
operations in the event of disaster or disruption. The security policy includes policies for
acceptable use and authorization. Comprehensive and systematic MIS auditing helps
organizations determine the effectiveness of security and controls for their information sys-
tems.
4 What are the most important tools and technologies for safeguarding informationresources? Firewalls prevent unauthorized users from accessing a private network
when it is linked to the Internet. Intrusion detection systems monitor private networks from
suspicious network traffic and attempts to access corporate systems. Passwords, tokens,
smart cards, and biometric authentication are used to authenticate system users. Antivirus
software checks computer systems for infections by viruses and worms and often eliminates
the malicious software, while antispyware software combats intrusive and harmful spyware
programs. Encryption, the coding and scrambling of messages, is a widely used technology
for securing electronic transmissions over unprotected networks. Digital certificates com-
bined with public key encryption provide further protection of electronic transactions by
authenticating a user’s identity. Companies can use fault-tolerant computer systems or
create high-availability computing environments to make sure that their information
systems are always available. Use of software metrics and rigorous software testing help
improve software quality and reliability.
264 Part II: Information Technology Infrastructure
Biometric authentication, 253
Botnet, 241
Bugs, 245
Business continuity
planning, 251
Click fraud, 244
Computer crime, 241
Computer forensics, 247
Computer virus, 238
Controls, 235
Cybervandalism, 240
Deep packet inspection
(DPI), 258
Denial-of-service (DoS)
attack, 240
Digital certificates, 256
Disaster recovery
planning, 250
Acceptable use policy
(AUP), 250
Access control, 252
Antivirus software, 255
Application controls, 248
Authentication, 252
Authorization management
systems, 250
Authorization policies, 250
Key Terms
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Chapter 7: Securing Information Systems 265
Review Questions
1. Why are information systems vulnerable to destruction, error, and abuse?
• List and describe the most common threats against contemporary information systems.
• Define malware and distinguish among a virus, a worm, and a Trojan horse.
• Define a hacker and explain how hackers create security problems and damage systems.
• Define computer crime. Provide two examples of crime in which computers are targets
and two examples in which computers are used as instruments of crime.
• Define identity theft and phishing and explain why identity theft is such a big problem
today.
• Describe the security and system reliability problems created by employees.
• Explain how software defects affect system reliability and security.
2. What is the business value of security and control?
• Explain how security and control provide value for businesses.
• Describe the relationship between security and control and recent U.S. government
regulatory requirements and computer forensics.
3. What are the components of an organizational framework for security and control?
• Define general controls and describe each type of general control.
• Define application controls and describe each type of application control.
• Describe the function of risk assessment and explain how it is conducted for information
systems.
• Define and describe the following: security policy, acceptable use policy, authorization
policy.
• Explain how MIS auditing promotes security and control.
4. What are the most important tools and technologies for safeguarding information
resources?
• Name and describe three authentication methods.
• Describe the roles of firewalls, intrusion detection systems, and antivirus software in
promoting security.
• Explain how encryption protects information.
• Describe the role of encryption and digital certificates in a public key infrastructure.
• Distinguish between fault-tolerant and high-availability computing, and between
disaster recovery planning and business continuity planning.
• Identify and describe the security problems posed by cloud computing.
• Describe measures for improving software quality and reliability
Keyloggers, 240
Malware, 238
Managed security service
providers (MSSPs), 258
MIS audit, 252
Online transaction
processing, 257
Patches, 246
Pharming, 242
Phishing, 242
Public key encryption, 256
Public key infrastructure
(PKI), 257
Recovery-oriented
computing, 258
Risk assessment, 248
Sarbanes-Oxley Act, 247
Secure Hypertext Transfer
Protocol (S-HTTP), 256
Secure Sockets Layer
(SSL), 256
Security, 235
Security policy, 250
SQL injection attack, 239
Smart card, 253
Sniffer, 240
Social engineering, 245
Spoofing, 240
Spyware, 240
Token, 253
Trojan horse, 238
Unified threat management
(UTM), 255
War driving, 237
Worms, 238
Distributed denial-of-service
(DDoS) attack, 241
Downtime, 258
Encryption, 256
Evil twin, 242
Fault-tolerant computer
systems, 257
Firewall, 254
General controls, 248
Gramm-Leach-Bliley Act,
247
Hacker, 240
High-availability
computing, 258
HIPAA, 246
Identity theft, 241
Intrusion detection
systems, 255
IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
266 Part II: Information Technology Infrastructure
Discussion Questions
1. Security isn’t simply a technology issue,
it’s a business issue. Discuss.
2. If you were developing a business conti-
nuity plan for your company, where would
you start? What aspects of the business
would the plan address?
Video Cases
Video Cases and Instructional Videos illustrating some of the concepts in this chapter are
available. Contact your instructor to access these videos.
Collaboration and Teamwork
Evaluating Security Software Tools
With a group of three or four students, use the Web to research and evaluate security
products from two competing vendors, such as antivirus software, firewalls, or antispyware
software. For each product, describe its capabilities, for what types of businesses it is best
suited, and its cost to purchase and install. Which is the best product? Why? If possible, use
Google Sites to post links to Web pages, team communication announcements, and work
assignments; to brainstorm; and to work collaboratively on project documents. Try to use
Google Docs to develop a presentation of your findings for the class.
BUSINESS PROBLEM-SOLVING CASE
Are We Ready for Cyberwarfare?
compete with traditional superpowers for a fraction of
the cost of, for example, building up a nuclear arsenal.
Because more and more modern technological
infrastructure will rely on the Internet to function,
cyberwarriors will have no shortage of targets at which
to take aim.
Cyberwarfare also involves defending against these
types of attacks. That’s a major focus of U.S. intelli-
gence agencies. While the U.S. is currently at the fore-
front of cyberwarfare technologies, it’s unlikely to main-
tain technological dominance because of the relatively
low cost of the technologies needed to mount these types
of attacks.
In fact, hackers worldwide have already begun doing
so in earnest. In July 2009, 27 American and South
Korean government agencies and other organizations
were hit by a DDoS attack. An estimated 65,000
computers belonging to foreign botnets flooded the Web
sites with access requests. Affected sites included those
of the White House, the Treasury, the Federal Trade
For most of us, the Internet is a tool we use for e-mail,
news, entertainment, socializing, and shopping. But for
computer security experts affiliated with government
agencies and private contractors, as well as their hacker
counterparts from across the globe, the Internet has
become a battlefield—a war zone where cyberwarfare is
becoming more frequent and hacking techniques are
becoming more advanced. Cyberwarfare poses a unique
and daunting set of challenges for security experts, not
only in detecting and preventing intrusions but also in
tracking down perpetrators and bringing them to justice.
Cyberwarfare can take many forms. Often, hackers use
botnets, massive networks of computers that they control
thanks to spyware and other malware, to launch large-
scale DDoS attacks on their target’s servers. But other
methods exist that allow intruders to access secure
computers remotely and copy or delete e-mail and files
from the machine, or even to remotely monitor users of a
machine using more sophisticated software. For cyber-
criminals, the benefit of cyberwarfare is that they can
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
Chapter 7: Securing Information Systems 267
Commission, the Defense Department, the Secret
Service, the New York Stock Exchange, and the
Washington Post, in addition to the Korean Defense
Ministry, National Assembly, the presidential Blue
House, and several others. The attacks were not sophisti-
cated, but were widespread and prolonged, succeeding in
slowing down most of the U.S. sites and forcing several
South Korean sites to stop operating. North Korea or
pro-North Korean groups were suspected to be behind
the attacks, but the Pyongyang government denied any
involvement.
The lone positive from the attacks was that only the
Web sites of these agencies were affected. However,
other intrusions suggest that hackers already have the
potential for much more damaging acts of cyberwarfare.
The Federal Aviation Administration (FAA), which
oversees the airline activity of the United States, has
already been subject to successful attacks on its systems,
including one in 2006 that partially shut down air-traffic
data systems in Alaska.
In 2007 and 2008, computer spies broke into the
Pentagon’s $300 billion Joint Strike Fighter project.
Intruders were able to copy and siphon off several
terabytes of data related to design and electronics
systems, potentially making it easier to defend against
the fighter when it’s eventually produced. The intruders
entered through vulnerabilities of two or three contrac-
tors working on the fighter jet project. Fortunately, com-
puters containing the most sensitive data were not con-
nected to the Internet, and were therefore inaccessible to
the intruders. Former U.S. officials say that this attack
originated in China, and that China had been making
steady progress in developing online-warfare techniques.
China rebutted these claims, stating that the U.S. media
was subscribing to outdated, Cold War-era thinking in
blaming them, and that Chinese hackers were not skilled
enough to perpetrate an attack of that magnitude.
In April 2009, cyberspies infiltrated the U.S. electrical
grid, using weak points where computers on the grid are
connected to the Internet, and left behind software
programs whose purpose is unclear, but which presum-
ably could be used to disrupt the system. Reports
indicated that the spies originated in computer networks
in China and Russia. Again, both nations denied the
charges. In response to these and other intrusions,
Congress is considering legislation that would require
all critical infrastructure companies to meet newer,
tougher cybersecurity standards. As of this writing,
most federal agencies get passing marks for meeting the
requirements of the Federal Information Security
Management Act, the most recent set of standards
passed into law. But as cyberwarfare technologies
develop and become more advanced, the standards
imposed by this legislation will likely be insufficient to
defend against attacks.
In each incident of cyberwarfare, the governments of
the countries suspected to be responsible have roundly
denied the charges with no repercussions. How could
this be possible? The major reason is that tracing
identities of specific attackers through cyberspace is next
to impossible, making deniability simple.
While the task is hard enough for government
agencies with the resources and expertise to tackle these
problems, two groups, the Information Warfare Monitor
(IWM) and Citizen Lab, share the goal of empowering
non-government groups with investigative tools that
have traditionally been available only to law enforce-
ment agencies. These groups have made some surprising
breakthroughs in tracking down cybercriminals and
identifying their techniques.
Nart Villeneuve, who works for both groups, found
that a Chinese equivalent to Skype was used for surveil-
lance by a major Chinese wireless carrier, and that a spy
system he and other investigators dubbed “Ghostnet”
was spying on South Asian government-owed computers
worldwide. An audit of the Dalai Lama’s office network
in Dharamsala, India, which had endured consistent
attacks from hackers, spurred the discovery. The opera-
tion was thought to be sponsored by the Chinese govern-
ment, which has traditionally been antagonistic to the
Dalai Lama and his expelled Tibetan government. The
IWM used a free program called Wireshark to capture
inbound and outbound Internet traffic from the exiled
Tibetan government’s computers. The program detected
that the Ghostnet system had installed secret surveillance
software on computers remotely and was able to access
files and e-mail.
The real worry for security experts and government
officials is an act of cyberwar against a critical resource,
such as the electric grid, financial system, or communi-
cations systems. First of all, the United States has no
clear policy about how the country would respond to that
level of a cyberattack. Although the electric grid was
accessed by hackers, it hasn’t yet actually been attacked.
A three-year study of U.S. cybersecurity recommended
that such a policy be created and made public. It also
suggested that the United States attempt to find common
ground with other nations to join forces in preventing
these attacks.
Secondly, the effects of such an attack would likely
be devastating. Mike McConnell, the former director
of national intelligence, stated that if even a single
large American bank were successfully attacked, “it
would have an order-of-magnitude greater impact on
the global economy” than the World Trade Center
attacks, and that “the ability to threaten the U.S.
money supply is the equivalent of today’s nuclear
weapon.” Such an attack would have a catastrophic
effect on the U.S. financial system, and by extension,
the world economy.IS
B
N
1-
25
6-
42
91
3-
9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
268 Part II: Information Technology Infrastructure
Lastly, many industry analysts are concerned that the
organization of our cybersecurity is messy, with no clear
leader among our intelligence agencies. Several different
agencies, including the Pentagon and the National
Security Agency (NSA), have their sights on being the
leading agency in the ongoing efforts to combat cyber-
warfare. In June 2009, Secretary of Defense Robert
Gates ordered the creation of the first headquarters
designed to coordinate government cybersecurity efforts,
tentatively called Cybercom. Cybercom’s purpose will
be to coordinate the operation and protection of military
and Pentagon computer networks in the hopes of resolv-
ing this organizational tangle.
President Obama had previously announced his inten-
tion to expand on the $17 billion program approved in
2008. Much of that sum will presumably go to
Cybercom as it coordinates efforts to restrict access to
government computers and protect systems that run the
stock exchanges, clear global banking transactions, and
manage the air traffic control system. Its ultimate goal
will be to prevent catastrophic cyberattacks against the
United States. But some insiders suggest that it might
not be able to effectively organize the governmental
agencies without direct access to the President, which it
currently lacks. Nevertheless, the first task of the office
would be to organize the various components and capa-
bilities scattered across the four armed services.
In confronting this problem, one critical question has
arisen: how much control over enforcing cybersecurity
should be given to American spy agencies, since they are
prohibited from acting on American soil? Cyberattacks
know no borders, so distinguishing between American
soil and foreign soil means domestic agencies will be
unnecessarily inhibited in their ability to fight cyber-
crime. For example, if the NSA was investigating the
source of a cyberattack on government Web sites, and
determined that the attack originated from American
servers, under our current laws, it would not be able to
investigate further.
Some experts believe that there is no effective way
for a domestic agency to conduct computer operations
without entering prohibited networks within the
United States, or even conducting investigations in
countries that are American allies. The NSA has
already come under heavy fire for its surveillance
actions after 9-11, and this has the potential to raise
similar privacy concerns. Preventing terrorist or cyber-
war attacks may require examining some e-mail mes-
sages from other countries or giving intelligence agen-
cies more access to networks or Internet service
providers. There is a need for an open debate about
what constitutes a violation of privacy and what is
acceptable during “cyber-wartime,” which is essen-
tially all the time. The law may need to be changed to
accommodate effective cybersecurity techniques, but
it’s unclear that this can be done without eroding some
privacy rights that we consider essential.
One way around this would be to entrust some of the
work to private defense contractors. Many contractors are
hoping to garner valuable government contracts to both
develop defense systems for our networks as well as to
create offensive measures to disable enemy networks.
Teams of highly skilled computer engineers at major
defense contractors are at work on this today, and might
be able to circumvent the restrictions holding
government agencies back from surveillance within the
U.S.
As for these offensive measures, it’s unclear how
strong the United States’ offensive capabilities for
cyberwarfare are. The government closely guards this
information, almost all of which is classified. But former
military and intelligence officials indicate that our cyber-
warfare capabilities have dramatically increased in
sophistication in the past year or two. And because
tracking cybercriminals has proven so difficult, it may
be that the best defense is a strong offense.
Sources: Hoover, J. Nicholas. “Cybersecurity Balancing Act.” Information Week,
April 27, 2009; David E. Sanger, John Markoff, and Thom Shanker, “U.S. Steps Up
Effort on Digital Defenses,” The New York Times, April 28, 2009; John Markoff and
Thom Shanker. “Panel Advises Clarifying U.S. Plans on Cyberwar.” The New York
Times, April 30, 2009; Siobhan Gorman and Evan Ramstad, “Cyber Blitz Hits U.S.,
Korea,” The Wall Street Journal, July 9, 2009; Lolita C. Baldor, “White House Among
Targets of Sweeping Cyber Attack,” Associated Press, July 8, 2009; Choe Sang-Hun,
“Cyberattacks Hit U.S. and South Korean Web Sites,” The New York Times, July 9,
2009; Siobhan Gorman, “FAA’s Air-Traffic Networks Breached by Hackers,” The
Wall Street Journal, May 7, 2009; Thom Shanker, “New Military Command for
Cyberspace,” The New York Times, June 24, 2009; David E. Sanger and Thom
Shanker, “Pentagon Plans New Arm to Wage Wars in Cyberspace,” The New York
Times, May 29, 2009; Lolita C. Baldor, “Obama Setting Up Better Security for
Computers,” Associated Press, May 29, 2009; Christopher Drew and John Markoff.
“Contractors Vie for Plum Work, Hacking for U.S.,” The New York Times, May 31,
2009; Thom Shanker and David E. Sanger, “Privacy May Be a Victim in
Cyberdefense Plan,” The New York Times, June 13, 2009; Siobhan Gorman, August
Cole, and Yochi Dreazen, “Computer Spies Breach Fighter-Jet Project,” The Wall
Street Journal, April 21, 2009; Carlos Tejada and Juliet Ye, “Computer Spying:
China Responds,” The Wall Street Journal, April 22, 2008; Gorman, Siobhan.
“Electricity Grid in U.S. Penetrated by Spies.” The Wall Street Journal (April 8,
2009); “Has Power Grid Been Hacked? U.S. Won’t Say.” Reuters, April 8, 2009;
Markoff, John. “Vast Spy System Loots Computers in 103 Countries.” The New York
Times (March 29, 2009); Markoff, John, “Tracking Cyberspies Through the Web
Wilderness,” The New York Times, May 12, 2009.
Case Study Questions
1. Is cyberwarfare a serious problem? Why or why not?
2. Assess the people, organization, and technology
factors that have created this problem.
3. What solutions have been proposed? Do you think
they will be effective? Why or why not?
4. Are there other solutions for this problem that should
be pursued? What are they?
IS
B
N
1-256-42913-9
Essentials of MIS, Ninth Edition, by Kenneth C. Laudon and Jane P. Laudon. Published by Prentice Hall. Copyright © 2011 by Pearson Education, Inc.
S T U D E N T L E A R N I N G O B J E C T I V E S
After completing this chapter, you will be able to answer the
following questions:
1. What ethical, social, and political issues are raised by
information systems?
2. What specific principles for conduct can be used to guide
ethical decisions?
3. Why do contemporary information systems technology and the
Internet pose challenges to the protection of individual privacy
and intellectual property?
4. How have information systems affected everyday life?
Ethical and Social Issues
in Information Systems 12C H A P T E R
416
417
CHAPTER OUTLINE
Chapter-Opening Case: Behavioral Targeting and Your
Privacy: You’re the Target
12.1 Understanding Ethical and Social Issues Related
to Systems
12.2 Ethics in an Information Society
12.3 The Moral Dimensions of Information Systems
12.4 Hands-on MIS Projects
Business Problem-Solving Case: Google, Microsoft, and
IBM: The Health of Your Medical Records’ Privacy
BEHAVIORAL TARGETING AND YOUR PRIVACY: YOU’RE THE TARGET
Ever get the feeling somebody is trailing you on the Web, watching your every
click? Wonder why you start seeing display ads and pop-ups just after you’ve been
scouring the Web for a car, a dress, or cosmetic product? Well, you’re right: your
behavior is being tracked, and you are being targeted on the Web so that you are
exposed to certain ads and not others. The Web sites you visit track the search engine
queries you enter, pages visited, Web content viewed, ads clicked, videos watched,
content shared, and the products you purchase. Google is the largest Web tracker,
monitoring thousands of Web sites. As one wag noted, Google knows more about you
than your mother does. In March 2009, Google began displaying ads on thousands of
Google-related Web sites based on their previous online activities. To parry a growing
public resentment of behavioral targeting, Google said it would give users the ability
to see and edit the information that it has compiled about their interests for the pur-
poses of behavioral targeting.
418 Part IV: Building and Managing Systems
Behavioral targeting seeks to increase the efficiency of online ads by using information
that Web visitors reveal about themselves online, and if possible, combine this with offline
identity and consumption information gathered by companies such as Acxiom. One of the
original promises of the Web has been that it can deliver a marketing message tailored to
each consumer based on this data, and then measure the results in terms of click-throughs
and purchases.
Firms are experimenting with more precise targeting methods. Snapple used behavioral
targeting methods (with the help of an online ad firm Tacoda) to identify the types of people
attracted to Snapple Green Tea. Answer: people who like the arts and literature, travel
internationally, and visit health sites. Microsoft offers MSN advertisers access to personal
data derived from 270 million worldwide Windows Live users.
The growth in the power, reach, and scope of behavioral targeting has drawn the
attention of privacy groups and the Federal Trade Commission (FTC). In November 2007,
the FTC opened hearings to consider proposals from privacy advocates to develop a “do not
track list,” to develop visual online cues to alert people to tracking, and to allow people to
opt out. In the Senate, hearings on behavioral targeting are ongoing throughout 2009. While
Google, Microsoft, and Yahoo pleaded for legislation to protect them from consumer
lawsuits, the FTC refused to consider new legislation to protect the privacy of Internet users.
Instead, the FTC proposed industry self-regulation. In 2009, a consortium of advertising
firms (the Network Advertising Initiative) responded positively to FTC proposed principles
to regulate online behavioral advertising. All of these regulatory efforts emphasize trans-
parency, user control over their information, security, and the temporal stability of privacy
promises (unannounced and sudden changes in information privacy may not be allowed).
Perhaps the central ethical and moral question is understanding what rights individuals
have in their own personally identifiable Internet profiles. Are these “ownership” rights, or
merely an “interest” in an underlying asset? How much privacy are we willing to give up in
order to receive more relevant ads? Surveys suggest that over 70 percent of Americans do
not want to receive targeted ads.
Sources: Joseph Turow, et. al. “Americans Reject Tailored Advertising,” Rose Foundation for Communities and
Development and The Annenberg School For Communication, September, 2009; Robert Mitchell, “What Google Knows
About You,” Computerworld, May 11, 2009; Stephanie Clifford, “Many See Privacy on Web as Big Issue, Survey Says,”
The New York Times, March 16, 2009; Miguel Helft, “Google to Offer Ads Based on Interests,” The New York Times,
March 11, 2009; and David Hallerman, “Behavioral Targeting: Marketing Trends,” eMarketer, June 2008.
The growing use of behavioral targeting techniques described in the chapter-opening case
shows that technology can be a double-edged sword. It can be the source of many benefits
(by showing you ads relevant to your interests) but it can also create new opportunities for
invading your privacy, and enabling the reckless use of that information in a variety of deci-
sions about you.
The chapter-opening diagram calls attention to important points raised by this case and
this chapter. Online advertising titans like Google, Microsoft, and Yahoo are all looking for
ways to monetize their huge collections of online behavioral data. While search engine
marketing is arguably the most effective form of advertising in history, banner display ad
marketing is highly inefficient because it displays ads to everyone regardless of their
interests. Hence the search engine marketers cannot charge much for display ad space.
However, by tracking the online movements of 200 million U.S. Internet users, they can
develop a very clear picture of who you are, and use that information to show you ads that
might be of interest to you. This would make the marketing process more efficient, and more
profitable for all the parties involved.
But this solution also creates an “ethical dilemma,” pitting the monetary interests of the
online advertisers and search engines against the interests of individuals to maintain a sense
of control over their personal information, their privacy. Two closely held values are in
conflict here. As a manager, you will need to be sensitive to both the negative and positive
impacts of information systems for your firm, employees, and customers. You will need to
learn how to resolve ethical dilemmas involving information systems.
Chapter 12: Ethical and Social Issues in Information Systems 419
12.1 Understanding Ethical and Social Issues Related to
Systems
In the past 10 years, we have witnessed, arguably, one of the most ethically challenging
periods for U.S. and global business. Table 12.1 provides a small sample of recent cases
demonstrating failed ethical judgment by senior and middle managers. These lapses in
management ethical and business judgment occurred across a broad spectrum of industries.
In today’s new legal environment, managers who violate the law and are convicted will
most likely spend time in prison. U.S. federal sentencing guidelines adopted in 1987
mandate that federal judges impose stiff sentences on business executives based on the
TABLE 12.1
Rcent Examples of Failed Ethical Judgment by Senior Managers
Pfizer, Eli Lilly, and Major pharmaceutical firms paid billions of dollars to settle U.S. federal charges that
AstraZeneca (2009) executives fixed clinical trials for antipsychotic and pain-killer drugs, marketed them
inappropriately to children, and claimed unsubstantiated benefits while covering up negative
outcomes.
Galleon Group (2009) The founder of the Galleon Group was criminally charged with insider trading and paying $250
million to Wall Street banks in return for market information that other investors did not get.
Bear Stearns (2009) Two hedge fund managers were indicted for criminal conspiracy, securities fraud, and wire
fraud as prosecutors contend that they misled investors about the health of their funds. They
face as many as 20 years in prison if convicted.
Siemens (2009) The world’s largest engineering firm paid over $4 billion to German and U.S. authorities for a
decades-long, worldwide bribery scheme approved by corporate executives to influence
potential customers and governments.
Mabey & Johnson Ltd. Executives of a supplier of steel bridging based in the United Kingdom, were sentenced for
(2009) offenses involving overseas bribery (in Ghana and Jamaica between 1993 and 2001) and
breaching UN sanctions against Iraq (in 2001 and 2002).
420 Part IV: Building and Managing Systems
monetary value of the crime, the presence of a conspiracy to prevent discovery of the crime,
the use of structured financial transactions to hide the crime, and failure to cooperate with
prosecutors (U.S. Sentencing Commission, 2004).
Although in the past business firms would often pay for the legal defense of their employ-
ees enmeshed in civil charges and criminal investigations, now firms are encouraged to coop-
erate with prosecutors to reduce charges against the entire firm for obstructing investigations.
These developments mean that, more than ever, as a manager or an employee, you will have
to decide for yourself what constitutes proper legal and ethical conduct.
Although these major instances of failed ethical and legal judgment were not master-
minded by information systems departments, information systems were instrumental in
many of these frauds. In many cases, the perpetrators of these crimes artfully used financial
reporting information systems to bury their decisions from public scrutiny in the vain hope
they would never be caught. We deal with the issue of control in information systems in
Chapter 7. In this chapter, we talk about the ethical dimensions of these and other actions
based on the use of information systems.
Ethics refers to the principles of right and wrong that individuals, acting as free moral
agents, use to make choices to guide their behaviors. Information systems raise new ethical
questions for both individuals and societies because they create opportunities for intense
social change, and thus threaten existing distributions of power, money, rights, and obliga-
tions. Like other technologies, such as steam engines, electricity, the telephone, and the
radio, information technology can be used to achieve social progress, but it can also be used
to commit crimes and threaten cherished social values. The development of information
technology will produce benefits for many and costs for others.
Ethical issues in information systems have been given new urgency by the rise of the
Internet and electronic commerce. Internet and digital firm technologies make it easier than
ever to assemble, integrate, and distribute information, unleashing new concerns about the
appropriate use of customer information, the protection of personal privacy, and the protec-
tion of intellectual property.
Other pressing ethical issues raised by information systems include establishing account-
ability for the consequences of information systems, setting standards to safeguard system
quality that protects the safety of the individual and society, and preserving values and
institutions considered essential to the quality of life in an information society. When using
information systems, it is essential to ask, “What is the ethical and socially responsible course
of action?”
A MODEL FOR THINKING ABOUT ETHICAL, SOCIAL, AND
POLITICAL ISSUES
Ethical, social, and political issues are closely linked. The ethical dilemma you may face as
a manager of information systems typically is reflected in social and political debate. One
way to think about these relationships is given in Figure 12-1. Imagine society as a more or
less calm pond on a summer day, a delicate ecosystem in partial equilibrium with individu-
als and with social and political institutions. Individuals know how to act in this pond
because social institutions (family, education, organizations) have developed well-honed
rules of behavior, and these are supported by laws developed in the political sector that
prescribe behavior and promise sanctions for violations. Now toss a rock into the center of
the pond. What happens? Ripples, of course.
Imagine instead that the disturbing force is a powerful shock of new information
technology and systems hitting a society more or less at rest. Suddenly, individual actors are
confronted with new situations often not covered by the old rules. Social institutions cannot
respond overnight to these ripples—it may take years to develop etiquette, expectations,
social responsibility, politically correct attitudes, or approved rules. Political institutions
also require time before developing new laws and often require the demonstration of real
harm before they act. In the meantime, you may have to act. You may be forced to act in a
legal gray area.
We can use this model to illustrate the dynamics that connect ethical, social, and political
issues. This model is also useful for identifying the main moral dimensions of the information
society, which cut across various levels of action—individual, social, and political.
FIVE MORAL DIMENSIONS OF THE INFORMATION AGE
The major ethical, social, and political issues raised by information systems include the
following moral dimensions:
• Information rights and obligations. What information rights do individuals and
organizations possess with respect to themselves? What can they protect? What obliga-
tions do individuals and organizations have concerning this information?
• Property rights and obligations. How will traditional intellectual property rights be
protected in a digital society in which tracing and accounting for ownership are difficult
and ignoring such property rights is so easy?
• Accountability and control. Who can and will be held accountable and liable for the
harm done to individual and collective information and property rights?
• System quality. What standards of data and system quality should we demand to protect
individual rights and the safety of society?
• Quality of life. What values should be preserved in an information- and knowledge-
based society? Which institutions should we protect from violation? Which cultural
values and practices are supported by the new information technology?
We explore these moral dimensions in detail in Section 12.3.
KEY TECHNOLOGY TRENDS THAT RAISE ETHICAL ISSUES
Ethical issues long preceded information technology. Nevertheless, information technology
has heightened ethical concerns, taxed existing social arrangements, and made some laws
obsolete or severely crippled. There are four key technological trends responsible for these
ethical stresses and they are summarized in Table 12.2.
The doubling of computing power every 18 months has made it possible for most
organizations to use information systems for their core production processes. As a result, our
Chapter 12: Ethical and Social Issues in Information Systems 421
Figure 12-1
The Relationship
Between Ethical,
Social, and Political
Issues in an
Information Society
The introduction of new
information technology
has a ripple effect,
raising new ethical,
social, and political
issues that must be dealt
with on the individual,
social, and political
levels. These issues have
five moral dimensions:
information rights and
obligations, property
rights and obligations,
system quality, quality of
life, and accountability
and control.
dependence on systems and our vulnerability to system errors and poor data quality have
increased. Social rules and laws have not yet adjusted to this dependence. Standards for
ensuring the accuracy and reliability of information systems (see Chapter 7) are not univer-
sally accepted or enforced.
Advances in data storage techniques and rapidly declining storage costs have been
responsible for the multiplying databases on individuals—employees, customers, and
potential customers—maintained by private and public organizations. These advances in
data storage have made the routine violation of individual privacy both cheap and effective.
Massive data storage systems are inexpensive enough for regional and even local retailing
firms to use in identifying customers.
Advances in data analysis techniques for large pools of data are another technological
trend that heightens ethical concerns because companies and government agencies are able
to find out highly detailed personal information about individuals. With contemporary data
management tools (see Chapter 5), companies can assemble and combine the myriad pieces
of information about you stored on computers much more easily than in the past.
Think of all the ways you generate computer information about yourself—credit card
purchases, telephone calls, magazine subscriptions, video rentals, mail-order purchases,
banking records, local, state, and federal government records (including court and police
records), and visits to Web sites. Put together and mined properly, this information could
reveal not only your credit information but also your driving habits, your tastes, your
associations, and your political interests.
Companies with products to sell purchase relevant information from these sources to
help them more finely target their marketing campaigns. Chapters 3 and 6 describe how
companies can analyze large pools of data from multiple sources to rapidly identify buying
patterns of customers and suggest individual responses. The use of computers to combine
data from multiple sources and create electronic dossiers of detailed information on individ-
uals is called profiling.
For example, several thousand of the most popular Web sites allow DoubleClick (owned
by Google), an Internet advertising broker, to track the activities of their visitors in exchange
for revenue from advertisements based on visitor information DoubleClick gathers.
DoubleClick uses this information to create a profile of each online visitor, adding more
detail to the profile as the visitor accesses an associated DoubleClick site. Over time,
DoubleClick can create a detailed dossier of a person’s spending and computing habits on
the Web that is sold to companies to help them target their Web ads more precisely.
ChoicePoint gathers data from police, criminal, and motor vehicle records; credit and
employment histories; current and previous addresses; professional licenses; and insurance
claims to assemble and maintain electronic dossiers on almost every adult in the United
States. The company sells this personal information to businesses and government agencies.
Demand for personal data is so enormous that data broker businesses such as ChoicePoint
are flourishing.
422 Part IV: Building and Managing Systems
TABLE 12.2
Technology Trends
That Raise Ethical
Issues
Trend Impact
Computing power doubles every More organizations depend on computer systems
18 months for critical operations
Data storage costs rapidly declining Organizations can easily maintain detailed
databases on individuals
Data analysis advances Companies can analyze vast quantities of data
gathered on individuals to develop detailed profiles
of individual behavior
Networking advances and the Internet Copying data from one location to another and
accessing personal data from remote locations are
much easier
A new data analysis technology called nonobvious relationship awareness (NORA)
has given both the government and the private sector even more powerful profiling capabil-
ities. NORA can take information about people from many disparate sources, such as
employment applications, telephone records, customer listings, and “wanted” lists, and
correlate relationships to find obscure hidden connections that might help identify criminals
or terrorists (see Figure 12-2).
Chapter 12: Ethical and Social Issues in Information Systems 423
Figure 12-2
Nonobvious
Relationship
Awareness (NORA)
NORA technology can
take information about
people from disparate
sources and find
obscure, nonobvious
relationships. It might
discover, for example,
that an applicant for a
job at a casino shares a
telephone number with a
known criminal and issue
an alert to the hiring
manager.
Credit card purchases
can make personal infor-
mation available to mar-
ket researchers, telemar-
keters, and direct mail
companies. Advances in
information technology
facilitate the invasion of
privacy.
NORA technology scans data and extracts information as the data are being generated so
that it could, for example, instantly discover a man at an airline ticket counter who shares a
phone number with a known terrorist before that person boards an airplane. The technology is
considered a valuable tool for homeland security but does have privacy implications because it
can provide such a detailed picture of the activities and associations of a single individual.
Finally, advances in networking, including the Internet, promise to greatly reduce the
costs of moving and accessing large quantities of data and open the possibility of mining
large pools of data remotely using small desktop machines, permitting an invasion of
privacy on a scale and with a precision heretofore unimaginable.
12.2 Ethics in an Information Society
Ethics is a concern of humans who have freedom of choice. Ethics is about individual
choice: When faced with alternative courses of action, what is the correct moral choice?
What are the main features of ethical choice?
BASIC CONCEPTS: RESPONSIBILITY, ACCOUNTABILITY, AND
LIABILITY
Ethical choices are decisions made by individuals who are responsible for the
consequences of their actions. Responsibility is a key element of ethical action.
Responsibility means that you accept the potential costs, duties, and obligations for the
decisions you make. Accountability is a feature of systems and social institutions:
It means that mechanisms are in place to determine who took responsible action, who is
responsible. Systems and institutions in which it is impossible to find out who took what
action are inherently incapable of ethical analysis or ethical action. Liability extends the
concept of responsibility further to the area of laws. Liability is a feature of political
systems in which a body of laws is in place that permits individuals to recover the
damages done to them by other actors, systems, or organizations. Due process is a
related feature of law-governed societies and is a process in which laws are known and
understood and there is an ability to appeal to higher authorities to ensure that the laws
are applied correctly.
These basic concepts form the underpinning of an ethical analysis of information
systems and those who manage them. First, information technologies are filtered through
social institutions, organizations, and individuals. Systems do not have impacts by
themselves. Whatever information system impacts exist are products of institutional, organi-
zational, and individual actions and behaviors. Second, responsibility for the consequences
of technology falls clearly on the institutions, organizations, and individual managers who
choose to use the technology. Using information technology in a socially responsible man-
ner means that you can and will be held accountable for the consequences of your actions.
Third, in an ethical, political society, individuals and others can recover damages done to
them through a set of laws characterized by due process.
ETHICAL ANALYSIS
When confronted with a situation that seems to present ethical issues, how should you ana-
lyze it? The following five-step process should help.
1. Identify and describe clearly the facts. Find out who did what to whom, and where,
when, and how. In many instances, you will be surprised at the errors in the initially
reported facts, and often you will find that simply getting the facts straight helps define
the solution. It also helps to get the opposing parties involved in an ethical dilemma to
agree on the facts.
2. Define the conflict or dilemma and identify the higher-order values involved. Ethical,
social, and political issues always reference higher values. The parties to a dispute all
424 Part IV: Building and Managing Systems
claim to be pursuing higher values (e.g., freedom, privacy, protection of property, and
the free enterprise system). Typically, an ethical issue involves a dilemma: two diametri-
cally opposed courses of action that support worthwhile values. For example, the
chapter-ending case study illustrates two competing values: the need to improve health-
care record keeping and the need to protect individual privacy.
3. Identify the stakeholders. Every ethical, social, and political issue has stakeholders:
players in the game who have an interest in the outcome, who have invested in the
situation, and usually who have vocal opinions. Find out the identity of these groups and
what they want. This will be useful later when designing a solution.
4. Identify the options that you can reasonably take. You may find that none of the options
satisfy all the interests involved, but that some options do a better job than others.
Sometimes arriving at a good or ethical solution may not always be a balancing of
consequences to stakeholders.
5. Identify the potential consequences of your options. Some options may be ethically
correct but disastrous from other points of view. Other options may work in one instance
but not in other similar instances. Always ask yourself, “What if I choose this option
consistently over time?”
CANDIDATE ETHICAL PRINCIPLES
Once your analysis is complete, what ethical principles or rules should you use to make a
decision? What higher-order values should inform your judgment? Although you are the
only one who can decide which among many ethical principles you will follow, and how
you will prioritize them, it is helpful to consider some ethical principles with deep roots in
many cultures that have survived throughout recorded history.
1. Do unto others as you would have them do unto you (the Golden Rule). Putting yourself
into the place of others, and thinking of yourself as the object of the decision, can help
you think about fairness in decision making.
2. If an action is not right for everyone to take, it is not right for anyone (Immanuel
Kant’s Categorical Imperative). Ask yourself, “If everyone did this, could the
organization, or society, survive?”
3. If an action cannot be taken repeatedly, it is not right to take at all (Descartes’ rule of
change). This is the slippery-slope rule: An action may bring about a small change now
that is acceptable, but if it is repeated, it would bring unacceptable changes in the long
run. In the vernacular, it might be stated as “once started down a slippery path, you may
not be able to stop.”
4. Take the action that achieves the higher or greater value (Utilitarian Principle). This
rule assumes you can prioritize values in a rank order and understand the consequences
of various courses of action.
5. Take the action that produces the least harm or the least potential cost (Risk Aversion
Principle). Some actions have extremely high failure costs of very low probability (e.g.,
building a nuclear generating facility in an urban area) or extremely high failure costs of
moderate probability (speeding and automobile accidents). Avoid these high-failure-cost
actions, paying greater attention to high-failure-cost potential of moderate to high
probability.
6. Assume that virtually all tangible and intangible objects are owned by someone else
unless there is a specific declaration otherwise. (This is the ethical “no free lunch”
rule.) If something someone else has created is useful to you, it has value, and you
should assume the creator wants compensation for this work.
Although these ethical rules cannot be guides to action, actions that do not easily pass
these rules deserve some very close attention and a great deal of caution. The appearance of
unethical behavior may do as much harm to you and your company as actual unethical
behavior.
Chapter 12: Ethical and Social Issues in Information Systems 425
PROFESSIONAL CODES OF CONDUCT
When groups of people claim to be professionals, they take on special rights and obligations
because of their special claims to knowledge, wisdom, and respect. Professional codes of
conduct are promulgated by associations of professionals, such as the American Medical
Association (AMA), the American Bar Association (ABA), the Association of Information
Technology Professionals (AITP), and the Association of Computing Machinery (ACM).
These professional groups take responsibility for the partial regulation of their professions
by determining entrance qualifications and competence. Codes of ethics are promises by
professions to regulate themselves in the general interest of society. For example, avoiding
harm to others, honoring property rights (including intellectual property), and respecting
privacy are among the General Moral Imperatives of the ACM’s Code of Ethics and
Professional Conduct.
SOME REAL-WORLD ETHICAL DILEMMAS
Information systems have created new ethical dilemmas in which one set of interests is
pitted against another. For example, many of the large telephone companies in the United
States are using information technology to reduce the sizes of their workforces. Voice recog-
nition software reduces the need for human operators by enabling computers to recognize a
customer’s responses to a series of computerized questions. Many companies monitor what
their employees are doing on the Internet to prevent them from wasting company resources
on non-business activities (see the Chapter 7 Interactive Session on Management).
In each instance, you can find competing values at work, with groups lined up on either
side of a debate. A company may argue, for example, that it has a right to use information
systems to increase productivity and reduce the size of its workforce to lower costs and stay
in business. Employees displaced by information systems may argue that employers have
some responsibility for their welfare. Business owners might feel obligated to monitor
employee e-mail and Internet use to minimize drains on productivity. Employees might
believe they should be able to use the Internet for short personal tasks in place of the
telephone. A close analysis of the facts can sometimes produce compromised solutions that
give each side “half a loaf.” Try to apply some of the principles of ethical analysis described
to each of these cases. What is the right thing to do?
12.3 The Moral Dimensions of Information Systems
In this section, we take a closer look at the five moral dimensions of information systems
first described in Figure 12-1. In each dimension we identify the ethical, social, and political
levels of analysis and use real-world examples to illustrate the values involved, the
stakeholders, and the options chosen.
INFORMATION RIGHTS: PRIVACY AND FREEDOM IN THE
INTERNET AGE
Privacy is the claim of individuals to be left alone, free from surveillance or interference
from other individuals or organizations, including the state. Claims to privacy are also
involved at the workplace: Millions of employees are subject to electronic and other forms
of high-tech surveillance (Ball, 2001). Information technology and systems threaten
individual claims to privacy by making the invasion of privacy cheap, profitable, and
effective.
The claim to privacy is protected in the U.S., Canadian, and German constitutions in a
variety of different ways and in other countries through various statutes. In the United
States, the claim to privacy is protected primarily by the First Amendment guarantees of
freedom of speech and association, the Fourth Amendment protections against unreasonable
search and seizure of one’s personal documents or home, and the guarantee of due process.
426 Part IV: Building and Managing Systems
Table 12.3 describes the major U.S. federal statutes that set forth the conditions for
handling information about individuals in such areas as credit reporting, education, financial
records, newspaper records, and electronic communications. The Privacy Act of 1974 has
been the most important of these laws, regulating the federal government’s collection, use,
and disclosure of information. At present, most U.S. federal privacy laws apply only to the
federal government and regulate very few areas of the private sector.
Most American and European privacy law is based on a regime called Fair Information
Practices (FIP) first set forth in a report written in 1973 by a federal government advisory com-
mittee (U.S. Department of Health, Education, and Welfare, 1973). FIP is a set of principles
governing the collection and use of information about individuals. FIP principles are based on
the notion of a mutuality of interest between the record holder and the individual. The individ-
ual has an interest in engaging in a transaction, and the record keeper—usually a business or
government agency—requires information about the individual to support the transaction. Once
information is gathered, the individual maintains an interest in the record, and the record may
not be used to support other activities without the individual’s consent. In 1998, the FTC
restated and extended the original FIP to provide guidelines for protecting online privacy. Table
12.4 describes the FTC’s Fair Information Practice principles.
The FTC’s FIP are being used as guidelines to drive changes in privacy legislation.
In July 1998, the U.S. Congress passed the Children’s Online Privacy Protection Act
(COPPA), requiring Web sites to obtain parental permission before collecting information
on children under the age of 13. (This law is in danger of being overturned.) The FTC has
recommended additional legislation to protect online consumer privacy in advertising
networks that collect records of consumer Web activity to develop detailed profiles, which
are then used by other companies to target online ads. Other proposed Internet privacy
legislation focuses on protecting the online use of personal identification numbers, such as
social security numbers; protecting personal information collected on the Internet that deals
with individuals not covered by COPPA; and limiting the use of data mining for homeland
security.
In February 2009, the FTC began the process of extending its fair information practices
doctrine to behavioral targeting. The FTC held hearings to discuss its program for voluntary
industry principles for regulating behavioral targeting. The online advertising trade group
Network Advertising Initiative (discussed later in this section), published its own self-
Chapter 12: Ethical and Social Issues in Information Systems 427
TABLE 12.3
Federal Privacy Laws in the United States
General Federal Privacy Laws Privacy Laws Affecting Private Institutionst
Freedom of Information Act of 1966 as Amended (5 USC 552) Fair Credit Reporting Act of 1970
Privacy Act of 1974 as Amended (5 USC 552a) Family Educational Rights and Privacy Act of 1974
Electronic Communications Privacy Act of 1986 Right to Financial Privacy Act of 1978
Computer Matching and Privacy Protection Act of 1988 Privacy Protection Act of 1980
Computer Security Act of 1987 Cable Communications Policy Act of 1984
Federal Managers Financial Integrity Act of 1982 Electronic Communications Privacy Act of 1986
Driver’s Privacy Protection Act of 1994 Video Privacy Protection Act of 1988
E-Government Act of 2002 The Health Insurance Portability and Accountability Act of
1996 (HIPAA)
Children’s Online Privacy Protection Act of 1998 (COPPA)
Financial Modernization Act (Gramm–Leach-Bliley Act) of 999
regulatory principles that largely agreed with the FTC. Nevertheless, the government,
privacy groups, and the online ad industry are still at loggerheads over two issues. Privacy
advocates want both an opt-in policy at all sites and a national Do Not Track list. The
industry opposes these moves and continues to insist on an opt-out capability being the only
way to avoid tracking (Federal Trade Commission, 2009). Nevertheless, there is an emerg-
ing consensus among all parties that greater transparency and user control (especially
making opt-out of tracking the default option) is required to deal with behavioral tracking.
Privacy protections have also been added to recent laws deregulating financial services and
safeguarding the maintenance and transmission of health information about individuals. The
Gramm-Leach-Bliley Act of 1999, which repeals earlier restrictions on affiliations among
banks, securities firms, and insurance companies, includes some privacy protection for con-
sumers of financial services. All financial institutions are required to disclose their policies and
practices for protecting the privacy of nonpublic personal information and to allow customers
to opt out of information-sharing arrangements with nonaffiliated third parties.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), which took
effect on April 14, 2003, includes privacy protection for medical records. The law gives
patients access to their personal medical records maintained by healthcare providers,
hospitals, and health insurers and the right to authorize how protected information about
themselves can be used or disclosed. Doctors, hospitals, and other healthcare providers must
limit the disclosure of personal information about patients to the minimum amount
necessary to achieve a given purpose.
The European Directive on Data Protection
In Europe, privacy protection is much more stringent than in the United States. Unlike the
United States, European countries do not allow businesses to use personally identifiable
information without consumers’ prior consent. On October 25, 1998, the European
Commission’s Directive on Data Protection went into effect, broadening privacy protection
in the European Union (EU) nations. The directive requires companies to inform people
when they collect information about them and disclose how it will be stored and used.
Customers must provide their informed consent before any company can legally use data
about them, and they have the right to access that information, correct it, and request that no
further data be collected. Informed consent can be defined as consent given with
knowledge of all the facts needed to make a rational decision. EU member nations must
translate these principles into their own laws and cannot transfer personal data to countries,
such as the United States, that do not have similar privacy protection regulations.
428 Part IV: Building and Managing Systems
TABLE 12.4
Federal Trade Commission Fair Information Practice Principles
1. Notice/awareness (core principle). Web sites must disclose their information practices before collecting data. Includes
identification of collector; uses of data; other recipients of data; nature of collection (active/inactive); voluntary or required
status; consequences of refusal; and steps taken to protect confidentiality, integrity, and quality of the data.
2. Choice/consent (core principle). There must be a choice regime in place allowing consumers to choose how their
information will be used for secondary purposes other than supporting the transaction, including internal use and transfer
to third parties.
3. Access/participation. Consumers should be able to review and contest the accuracy and completeness of data collected
about them in a timely, inexpensive process.
4. Security. Data collectors must take responsible steps to assure that consumer information is accurate and secure from
unauthorized use.
5. Enforcement. There must be in place a mechanism to enforce FIP principles. This can involve self-regulation, legislation
giving consumers legal remedies for violations, or federal statutes and regulations.
Working with the European Commission, the U.S. Department of Commerce developed
a safe harbor framework for U.S. firms. A safe harbor is a private, self-regulating policy
and enforcement mechanism that meets the objectives of government regulators and legisla-
tion but does not involve government regulation or enforcement. U.S. businesses would be
allowed to use personal data from EU countries if they develop privacy protection policies
that meet EU standards. Enforcement would occur in the United States using self-policing,
regulation, and government enforcement of fair trade statutes.
Internet Challenges to Privacy
Internet technology has posed new challenges for the protection of individual privacy.
Information sent over this vast network of networks may pass through many different
computer systems before it reaches its final destination. Each of these systems is capable of
monitoring, capturing, and storing communications that pass through it.
It is possible to record many online activities, including what searches have been
conducted, which Web sites and Web pages have been visited, the online content a person
has accessed, and what items that person has inspected or purchased over the Web. Much of
this monitoring and tracking of Web site visitors occurs in the background without the
visitor’s knowledge. It is conducted not just by individual Web sites but by advertising
networks such as aQuantive, Yahoo, and DoubleClick that are capable of tracking all brows-
ing behavior at thousands of Web sites. Tools to monitor visits to the World Wide Web have
become popular because they help businesses determine who is visiting their Web sites and
how to better target their offerings. (Some firms also monitor the Internet usage of their
employees to see how they are using company network resources.) The commercial demand
for this personal information is virtually insatiable.
Web sites can learn the identities of their visitors if the visitors voluntarily register at the
site to purchase a product or service or to obtain a free service, such as information. Web sites
can also capture information about visitors without their knowledge using cookie
technology.
Cookies are small text files deposited on a computer hard drive when a user visits Web
sites. Cookies identify the visitor’s Web browser software and track visits to the Web site.
When the visitor returns to a site that has stored a cookie, the Web site software will search
the visitor’s computer, find the cookie, and know what that person has done in the past. It
may also update the cookie, depending on the activity during the visit. In this way, the site
can customize its contents for each visitor’s interests. For example, if you purchase a book
on the Amazon.com Web site and return later from the same browser, the site will welcome
you by name and recommend other books of interest based on your past purchases.
DoubleClick, described earlier in this chapter, uses cookies to build its dossiers with details
of online purchases and to examine the behavior of Web site visitors. Figure 12-3 illustrates
how cookies work.
Chapter 12: Ethical and Social Issues in Information Systems 429
Figure 12-3
How Cookies
Identify Web
Visitors
Cookies are written by a
Web site on a visitor’s
hard drive. When the visi-
tor returns to that Web
site, the Web server
requests the ID number
from the cookie and uses
it to access the data
stored by that server on
that visitor. The Web site
can then use these data
to display personalized
information.
Web sites using cookie technology cannot directly obtain visitors’ names and addresses.
However, if a person has registered at a site, that information can be combined with cookie
data to identify the visitor. Web site owners can also combine the data they have gathered
from cookies and other Web site monitoring tools with personal data from other sources,
such as offline data collected from surveys or paper catalog purchases, to develop very
detailed profiles of their visitors.
There are now even more subtle and surreptitious tools for surveillance of Internet users.
Marketers use Web bugs as another tool to monitor online behavior. Web bugs are tiny
graphic files embedded in e-mail messages and Web pages that are designed to monitor who
is reading the e-mail message or Web page and transmit that information to another
computer. Other spyware can secretly install itself on an Internet user’s computer by
piggybacking on larger applications. Once installed, the spyware calls out to Web sites to
send banner ads and other unsolicited material to the user, and it can also report the user’s
movements on the Internet to other computers. More information is available about Web
bugs, spyware, and other intrusive software in Chapter 7.
Google has started using behavioral targeting to help it display more relevant ads based
on users’ search activities. One of its programs enables advertisers to target ads based on the
search histories of Google users, along with any other information the user submits to
Google that Google can obtain, such as age, demographics, region, and other Web activities
(such as blogging). An additional program allows Google to help advertisers select
keywords and design ads for various market segments based on search histories, such as
helping a clothing Web site create and test ads targeted at teenage females.
Google has also been scanning the contents of messages received by users of its free Web-
based e-mail service called Gmail. Ads that users see when they read their e-mail are related to
the subjects of these messages. Profiles are developed on individual users based on the content
in their e-mail. Google’s Chrome Web browser, introduced in 2008, has a Suggest feature that
automatically suggests related queries and Web sites as the user enters a search. Critics pointed
out this was a key-logger device that would record every keystroke of users forever. Google
subsequently announced it would anonymize the data in 24 hours.
The United States has allowed businesses to gather transaction information generated in
the marketplace and then use that information for other marketing purposes without
obtaining the informed consent of the individual whose information is being used. U.S.
e-commerce sites are largely content to publish statements on their Web sites informing
visitors about how their information will be used. Some have added opt-out selection boxes
to these information policy statements. An opt-out model of informed consent permits the
collection of personal information until the consumer specifically requests that the data not
be collected. Privacy advocates would like to see wider use of an opt-in model of informed
consent in which a business is prohibited from collecting any personal information unless
the consumer specifically takes action to approve information collection and use.
The online industry has preferred self-regulation to privacy legislation for protecting
consumers. In 1998, the online industry formed the Online Privacy Alliance to encourage
self-regulation to develop a set of privacy guidelines for its members. The group promotes
the use of online seals, such as that of TRUSTe, certifying Web sites adhering to certain
privacy principles. Members of the advertising network industry, including DoubleClick,
have created an additional industry association called the Network Advertising Initiative
(NAI) to develop its own privacy policies to help consumers opt out of advertising network
programs and provide consumers redress from abuses.
Individual firms like AOL, Yahoo!, and Google have recently adopted policies on their
own in an effort to address public concern about tracking people online. AOL established an
opt-out policy that allows users of its site to not be tracked. Yahoo follows NAI guidelines
and also allows opt-out for tracking and Web beacons (Web bugs). Google has reduced
retention time for tracking data.
In general, most Internet businesses do little to protect the privacy of their customers,
and consumers do not do as much as they should to protect themselves. Many companies
with Web sites do not have privacy policies. Of the companies that do post privacy polices
430 Part IV: Building and Managing Systems
on their Web sites, about half do not monitor their sites to ensure they adhere to these
policies. The vast majority of online customers claim they are concerned about online pri-
vacy, but less than half read the privacy statements on Web sites (Laudon and Traver, 2009).
In one of the more insightful studies of consumer attitudes towards Internet privacy, a
group of Berkeley students conducted surveys of online users, and of complaints filed with
the Federal Trade Commission involving privacy issues. Here’s some of their results. User
concerns: people feel they have no control over the information collected about them, and
they don’t know who to complain to. Web site practices: Web sites collect all this informa-
tion, but do not let users have access; the policies are unclear; they share data with “affili-
ates” but never identify who the affiliates are and how many there are. (MySpace, owned by
NewsCorp, has over 1,500 affiliates with whom it shares online information.) Web bug
trackers: they are ubiquitous and we are not informed they are on the pages we visit. The
results of this study and others suggest that consumers are not saying “take my privacy, I
don’t care, send me the service for free.” They are saying “We want access to the informa-
tion, we want some controls on what can be collected, what is done with the information, the
ability to opt out of the entire tracking enterprise, and some clarity on what the policies
really are, and we don’t want those policies changed without our participation and permis-
sion.” (The full report is available at knowprivacy.org).
Technical Solutions
In addition to legislation, new technologies are available to protect user privacy during
interactions with Web sites. Many of these tools are used for encrypting e-mail, for making
e-mail or surfing activities appear anonymous, for preventing client computers from
accepting cookies, or for detecting and eliminating spyware.
There are now tools to help users determine the kind of personal data that can be
extracted by Web sites. The Platform for Privacy Preferences, known as P3P, enables
automatic communication of privacy policies between an e-commerce site and its visitors.
P3P provides a standard for communicating a Web site’s privacy policy to Internet users and
for comparing that policy to the user’s preferences or to other standards, such as the FTC’s
FIP guidelines or the European Directive on Data Protection. Users can use P3P to select the
level of privacy they wish to maintain when interacting with the Web site.
Chapter 12: Ethical and Social Issues in Information Systems 431
Web sites are posting
their privacy policies for
visitors to review. The
TRUSTe
seal designates Web
sites that have agreed to
adhere to TRUSTe’s
established privacy prin-
ciples of disclosure,
choice, access, and
security.
The P3P standard allows Web sites to publish privacy policies in a form that computers
can understand. Once it is codified according to P3P rules, the privacy policy becomes part
of the software for individual Web pages (see Figure 12-4). Users of Microsoft Internet
Explorer Web browsing software can access and read the P3P site’s privacy policy and a list
of all cookies coming from the site. Internet Explorer enables users to adjust their comput-
ers to screen out all cookies or let in selected cookies based on specific levels of privacy. For
example, the “Medium” level accepts cookies from first-party host sites that have opt-in or
opt-out policies but rejects third-party cookies that use personally identifiable information
without an opt-in policy.
However, P3P only works with Web sites of members of the World Wide Web
Consortium who have translated their Web site privacy policies into P3P format. The
technology will display cookies from Web sites that are not part of the consortium, but users
will not be able to obtain sender information or privacy statements. Many users may also
need to be educated about interpreting company privacy statements and P3P levels of
privacy. Critics point out that only a small percentage of the most popular Web sites use P3P,
most users do not understand their browser’s privacy settings, and there is no enforcement of
P3P standards—companies can claim anything about their privacy policies.
PROPERTY RIGHTS: INTELLECTUAL PROPERTY
Contemporary information systems have severely challenged existing laws and social
practices that protect private intellectual property. Intellectual property is considered to be
intangible property created by individuals or corporations. Information technology has
made it difficult to protect intellectual property because computerized information can be so
easily copied or distributed on networks. Intellectual property is subject to a variety of
protections under three different legal traditions: trade secrets, copyright, and patent law.
Trade Secrets
Any intellectual work product—a formula, device, pattern, or compilation of data—used for
a business purpose can be classified as a trade secret, provided it is not based on informa-
tion in the public domain. Protections for trade secrets vary from state to state. In general,
trade secret laws grant a monopoly on the ideas behind a work product, but it can be a very
tenuous monopoly.
Software that contains novel or unique elements, procedures, or compilations can be
included as a trade secret. Trade secret law protects the actual ideas in a work product, not
only their manifestation. To make this claim, the creator or owner must take care to bind
432 Part IV: Building and Managing Systems
Figure 12-4
The P3P Standard
P3P enables Web sites
to translate their privacy
policies into a standard
format that can be read
by the user’s Web
browser software. The
browser software evalu-
ates the Web site’s pri-
vacy policy to determine
whether it is compatible
with the user’s privacy
preferences.
employees and customers with nondisclosure agreements and to prevent the secret from
falling into the public domain.
The limitation of trade secret protection is that, although virtually all software programs
of any complexity contain unique elements of some sort, it is difficult to prevent the ideas in
the work from falling into the public domain when the software is widely distributed.
Copyright
Copyright is a statutory grant that protects creators of intellectual property from having
their work copied by others for any purpose during the life of the author plus an additional
70 years after the author’s death. For corporate-owned works, copyright protection lasts for
95 years after their initial creation. Congress has extended copyright protection to books,
periodicals, lectures, dramas, musical compositions, maps, drawings, artwork of any kind,
and motion pictures. The intent behind copyright laws has been to encourage creativity and
authorship by ensuring that creative people receive the financial and other benefits of their
work. Most industrial nations have their own copyright laws, and there are several interna-
tional conventions and bilateral agreements through which nations coordinate and enforce
their laws.
In the mid-1960s, the Copyright Office began registering software programs, and in
1980, Congress passed the Computer Software Copyright Act, which clearly provides
protection for software program code and for copies of the original sold in commerce, and
sets forth the rights of the purchaser to use the software while the creator retains legal title.
Copyright protects against copying of entire programs or their parts. Damages and relief
are readily obtained for infringement. The drawback to copyright protection is that the
underlying ideas behind a work are not protected, only their manifestation in a work. A com-
petitor can use your software, understand how it works, and build new software that follows
the same concepts without infringing on a copyright.
“Look and feel” copyright infringement lawsuits are precisely about the distinction
between an idea and its expression. For instance, in the early 1990s, Apple Computer sued
Microsoft Corporation and Hewlett-Packard for infringement of the expression of Apple’s
Macintosh interface, claiming that the defendants copied the expression of overlapping
windows. The defendants countered that the idea of overlapping windows can be
expressed only in a single way and, therefore, was not protectable under the merger
doctrine of copyright law. When ideas and their expression merge, the expression cannot
be copyrighted.
In general, courts appear to be following the reasoning of a 1989 case—Brown Bag
Software vs. Symantec Corp.—in which the court dissected the elements of software alleged
to be infringing. The court found that similar concept, function, general functional features
(e.g., drop-down menus), and colors are not protectable by copyright law (Brown Bag
Software vs. Symantec Corp., 1992).
Patents
A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20
years. The congressional intent behind patent law was to ensure that inventors of new
machines, devices, or methods receive the full financial and other rewards of their labor and
yet make widespread use of the invention possible by providing detailed diagrams for those
wishing to use the idea under license from the patent’s owner. The granting of a patent is
determined by the United States Patent and Trademark Office and relies on court rulings.
The key concepts in patent law are originality, novelty, and invention. The Patent Office
did not accept applications for software patents routinely until a 1981 Supreme Court
decision that held that computer programs could be a part of a patentable process. Since that
time, hundreds of patents have been granted and thousands await consideration.
The strength of patent protection is that it grants a monopoly on the underlying concepts
and ideas of software. The difficulty is passing stringent criteria of nonobviousness (e.g., the
work must reflect some special understanding and contribution), originality, and novelty, as
well as years of waiting to receive protection.
Chapter 12: Ethical and Social Issues in Information Systems 433
Challenges to Intellectual Property Rights
Contemporary information technologies, especially software, pose severe challenges to
existing intellectual property regimes and, therefore, create significant ethical, social, and
political issues. Digital media differ from books, periodicals, and other media in terms of
ease of replication; ease of transmission; ease of alteration; difficulty in classifying a
software work as a program, book, or even music; compactness—making theft easy; and
difficulties in establishing uniqueness.
The proliferation of electronic networks, including the Internet, has made it even more
difficult to protect intellectual property. Before widespread use of networks, copies of
software, books, magazine articles, or films had to be stored on physical media, such as
paper, computer disks, or videotape, creating some hurdles to distribution. Using networks,
information can be more widely reproduced and distributed. The Fifth Annual Global
Software Piracy Study conducted by the International Data Corporation and the Business
Software Alliance found that 38 percent of the software installed in 2007 on PCs worldwide
was obtained illegally, representing $48 billion in global losses from software piracy.
Worldwide, for every two dollars of software purchased legitimately, one dollar’s worth was
obtained illegally (Business Software Alliance, 2008).
The Internet was designed to transmit information freely around the world, including
copyrighted information. With the World Wide Web in particular, you can easily copy and
distribute virtually anything to thousands and even millions of people around the world,
even if they are using different types of computer systems. Information can be illicitly
copied from one place and distributed through other systems and networks even though
these parties do not willingly participate in the infringement.
Individuals have been illegally copying and distributing digitized MP3 music files on
the Internet for a number of years. File-sharing services such as Napster, and later
Grokster, Kazaa, and Morpheus, sprung up to help users locate and swap digital music
files, including those protected by copyright. Illegal file sharing became so widespread that
it threatened the viability of the music recording industry. The recording industry won
some legal battles for shutting these services down, but has not been able to halt illegal file
sharing entirely. As more and more homes adopt high-speed Internet access, illegal file
sharing of videos will pose similar threats to the motion picture industry.
Mechanisms are being developed to sell and distribute books, articles, and other
intellectual property legally on the Internet, and the Digital Millennium Copyright Act
(DMCA) of 1998 is providing some copyright protection. The DMCA implemented a
World Intellectual Property Organization Treaty that makes it illegal to circumvent technol-
ogy-based protections of copyrighted materials. Internet service providers (ISPs) are
required to take down sites of copyright infringers that they are hosting once they are
notified of the problem.
Microsoft and other major software and information content firms are represented by the
Software and Information Industry Association (SIIA), which lobbies for new laws and
enforcement of existing laws to protect intellectual property around the world. The SIIA
runs an antipiracy hotline for individuals to report piracy activities, offers educational
programs to help organizations combat software piracy, and has published guidelines for
employee use of software.
ACCOUNTABILITY, LIABILITY, AND CONTROL
Along with privacy and property laws, new information technologies are challenging
existing liability laws and social practices for holding individuals and institutions account-
able. If a person is injured by a machine controlled, in part, by software, who should be held
accountable and, therefore, held liable? Should a public bulletin board or an electronic
service, such as America Online, permit the transmission of pornographic or offensive
material (as broadcasters), or should they be held harmless against any liability for what
users transmit (as is true of common carriers, such as the telephone system)? What about the
Internet? If you outsource your information processing, can you hold the external vendor
434 Part IV: Building and Managing Systems
liable for injuries done to your customers? Some real-world examples may shed light on
these questions.
Computer-Related Liability Problems
During the last week of September 2009, thousands of customers of TD Bank, one of the
largest banks in North America, scrambled to find their payroll checks, social security
checks, and savings and checking account balances. The bank’s 6.5 million customers were
temporarily out of funds because of a computer glitch. The problems were caused by a failed
effort to integrate systems of TD Bank and Commerce Bank. A spokesperson for TD Bank,
said that “while the overall integration of the systems went well, there have been some
speed-bumps in the final stages, as you might expect with a project of this size and
complexity.” (Vijayan, 2009). Who is liable for any economic harm caused to individuals or
businesses that could not access their full account balances in this period?
This case reveals the difficulties faced by information systems executives who
ultimately are responsible for any harm done by systems developed by their staffs. In
general, insofar as computer software is part of a machine, and the machine injures someone
physically or economically, the producer of the software and the operator can be held liable
for damages. Insofar as the software acts like a book, storing and displaying information,
courts have been reluctant to hold authors, publishers, and booksellers liable for contents
(the exception being instances of fraud or defamation), and hence courts have been wary of
holding software authors liable for booklike software.
In general, it is very difficult (if not impossible) to hold software producers liable for
their software products that are considered to be like books, regardless of the physical or
economic harm that results. Historically, print publishers, books, and periodicals have not
been held liable because of fears that liability claims would interfere with First Amendment
rights guaranteeing freedom of expression.
What about software as a service? ATM machines are a service provided to bank
customers. Should this service fail, customers will be inconvenienced and perhaps harmed
economically if they cannot access their funds in a timely manner. Should liability protec-
tions be extended to software publishers and operators of defective financial, accounting,
simulation, or marketing systems?
Software is very different from books. Software users may develop expectations of
infallibility about software; software is less easily inspected than a book, and it is more
difficult to compare with other software products for quality; software claims actually to
perform a task rather than describe a task, as a book does; and people come to depend on
services essentially based on software. Given the centrality of software to everyday life, the
chances are excellent that liability law will extend its reach to include software even when
the software merely provides an information service.
Telephone systems have not been held liable for the messages transmitted because
they are regulated common carriers. In return for their right to provide telephone service,
they must provide access to all, at reasonable rates, and achieve acceptable reliability.
But broadcasters and cable television stations are subject to a wide variety of federal and
local constraints on content and facilities. Organizations can be held liable for offensive
content on their Web sites, and online services, such as America Online, might be held
liable for postings by their users. Although U.S. courts have increasingly exonerated Web
sites and ISPs for posting material by third parties, the threat of legal action still has a
chilling effect on small companies or individuals who cannot afford to take their cases to
trial.
SYSTEM QUALITY: DATA QUALITY AND SYSTEM ERRORS
The debate over liability and accountability for unintentional consequences of system use
raises a related but independent moral dimension: What is an acceptable, technologically
feasible level of system quality? At what point should system managers say, “Stop testing,
we’ve done all we can to perfect this software. Ship it!” Individuals and organizations may
Chapter 12: Ethical and Social Issues in Information Systems 435
be held responsible for avoidable and foreseeable consequences, which they have a duty to
perceive and correct. And the gray area is that some system errors are foreseeable and
correctable only at very great expense, an expense so great that pursuing this level of
perfection is not feasible economically—no one could afford the product.
For example, although software companies try to debug their products before releasing
them to the marketplace, they knowingly ship buggy products because the time and cost of
fixing all minor errors would prevent these products from ever being released. What if the
product was not offered on the marketplace, would social welfare as a whole not advance
and perhaps even decline? Carrying this further, just what is the responsibility of a producer
of computer services—should it withdraw the product that can never be perfect, warn the
user, or forget about the risk (let the buyer beware)?
Three principal sources of poor system performance are (1) software bugs and errors, (2)
hardware or facility failures caused by natural or other causes, and (3) poor input data
quality. A Chapter 7 Learning Track discusses why zero defects in software code of any
complexity cannot be achieved and why the seriousness of remaining bugs cannot be
estimated. Hence, there is a technological barrier to perfect software, and users must be
aware of the potential for catastrophic failure. The software industry has not yet arrived at
testing standards for producing software of acceptable but not perfect performance.
Although software bugs and facility catastrophes are likely to be widely reported in the
press, by far the most common source of business system failure is data quality. Few
companies routinely measure the quality of their data, but individual organizations report
data error rates ranging from 0.5 to 30 percent.
QUALITY OF LIFE: EQUITY, ACCESS, AND BOUNDARIES
The negative social costs of introducing information technologies and systems are begin-
ning to mount along with the power of the technology. Many of these negative social
consequences are not violations of individual rights or property crimes. Nevertheless, these
negative consequences can be extremely harmful to individuals, societies, and political
institutions. Computers and information technologies potentially can destroy valuable
elements of our culture and society even while they bring us benefits. If there is a balance of
good and bad consequences of using information systems, who do we hold responsible for
the bad consequences? Next, we briefly examine some of the negative social consequences
of systems, considering individual, social, and political responses.
Balancing Power: Center Versus Periphery
An early fear of the computer age was that huge, centralized mainframe computers would
centralize power at corporate headquarters and in the nation’s capital, resulting in a Big
Brother society, as was suggested in George Orwell’s novel 1984. The shift toward highly
decentralized computing, coupled with an ideology of empowerment of thousands of
workers, and the decentralization of decision making to lower organizational levels, have
reduced the fears of power centralization in institutions. Yet much of the empowerment
described in popular business magazines is trivial. Lower-level employees may be empow-
ered to make minor decisions, but the key policy decisions may be as centralized as in the
past.
Rapidity of Change: Reduced Response Time to Competition
Information systems have helped to create much more efficient national and international
markets. The now-more-efficient global marketplace has reduced the normal social buffers
that permitted businesses many years to adjust to competition. Time-based competition has
an ugly side: The business you work for may not have enough time to respond to global
competitors and may be wiped out in a year, along with your job. We stand the risk of
developing a “just-in-time society” with “just-in-time jobs” and “just-in-time” workplaces,
families, and vacations.
436 Part IV: Building and Managing Systems
Maintaining Boundaries: Family, Work, and Leisure
Parts of this book were produced on trains and planes, as well as on vacations and during
what otherwise might have been “family” time. The danger to ubiquitous computing,
telecommuting, nomad computing, and the “do anything anywhere” computing environ-
ment is that it is actually coming true. The traditional boundaries that separate work from
family and just plain leisure have been weakened.
Although authors have traditionally worked just about anywhere (typewriters have been
portable for nearly a century), the advent of information systems, coupled with the growth
of knowledge-work occupations, means that more and more people will are working when
traditionally they would have been playing or communicating with family and friends. The
work umbrella now extends far beyond the eight-hour day.
Even leisure time spent on the computer threatens these close social relationships.
Extensive Internet use, even for entertainment or recreational purposes, takes people away
from their family and friends. Among middle school and teenage children, it can lead to
harmful anti-social behavior. The Interactive Session on People explores this topic.
Weakening these institutions poses clear-cut risks. Family and friends historically have
provided powerful support mechanisms for individuals, and they act as balance points in a
society by preserving private life, providing a place for people to collect their thoughts,
allowing people to think in ways contrary to their employer, and dream.
Dependence and Vulnerability
Today, our businesses, governments, schools, and private associations, such as churches, are
incredibly dependent on information systems and are, therefore, highly vulnerable if these
systems fail. With systems now as ubiquitous as the telephone system, it is startling to
remember that there are no regulatory or standard-setting forces in place that are similar to
telephone, electrical, radio, television, or other public utility technologies. The absence of
standards and the criticality of some system applications will probably call forth demands
for national standards and perhaps regulatory oversight.
Computer Crime and Abuse
New technologies, including computers, create new opportunities for committing crime by
creating new valuable items to steal, new ways to steal them, and new ways to harm others.
Chapter 12: Ethical and Social Issues in Information Systems 437
Although some people
enjoy the convenience of
working at home, the “do
anything anywhere” com-
puting environment can
blur the traditional bound-
aries between work and
family time.
438 Part IV: Building and Managing Systems
INTERACTIVE SESSION: PEOPLE The Perils of Texting: Path to Prison
In February 2009 the British Crown Court sentenced
Phillipa Curtis, 21, to 21 months in prison for killing
Victoria McBryde after plowing into her car on a
modern super highway, killing her instantly. In the
hour before the crash, Ms. Curtis had exchanged over
two dozen text messages with friends concerning her
encounter with a celebrity singer. Defense attorneys
argued Phillipa was not texting at the moment of the
crash, and had not opened the last text. But the British
rules say that “reading or composing text over a period
of time is a gross avoidable distraction,” categorized
the same way as drunken driving. Police and prosecu-
tors argued the car she hit was clearly visible from 300
yards, the lights were on, and it was a clear night. The
prosecution argued that in light of the long preceding
text conversation, with the ping of an incoming mes-
sage, Curtis was distracted from driving. The jury
agreed in 50 minutes to a guilty verdict.
Cell phones have become a staple of modern
society. Everyone has them, and people carry and use
them at all hours of the day. For the most part, this is a
good thing: the benefits of staying connected at any
time and at any location are considerable. But if you’re
like most Americans, you may regularly talk on the
phone or even text while at the wheel of a car. This
dangerous behavior has resulted in increasing numbers
of accidents and fatalities caused by cell phone usage.
The trend shows no sign of slowing down, not only
because legislation barring the use of mobile devices
while driving has been bogged down, but because
most people don’t fully understand the risks.
In 2003, a federal study of 10,000 drivers by the
National Highway Traffic Safety Administration
(NHTSA) set out to determine the effects of using cell
phones behind the wheel. The results were conclusive:
talking on the phone is equivalent to a 10-point reduc-
tion in IQ and a .08 blood alcohol level, which law
enforcement considers intoxicated. Hands-free sets
were ineffective in eliminating risk, the study found,
because the conversation itself is what distracts
drivers, not holding the phone. Cell phone use caused
955 fatalities and 240,000 accidents in 2002. Related
studies indicated that drivers who talked on the phone
while driving increased their crash risk fourfold, and
drivers who texted while driving increased their crash
risk by a whopping 23 times.
But the NHTSA study was not published immedi-
ately due to pressure from congressmen who worried
that legislation banning or restricting phone usage in
vehicles would be unpopular among voters who
regularly multitask while driving. The NHTSA was
urged to simply gather information, rather than recom-
mend policy changes. The eventually published mate-
rials consisted of stripped-down versions of the
agency’s original research. Since the study, mobile
device usage has grown by an order of magnitude,
making this already dangerous situation worse. In fact,
from 1995 to 2008, the number of wireless subscribers
in America increased by 800 percent, to 270 million,
and Americans’ usage of wireless minutes increased
by almost 6,000 percent.
This increase in cell phone usage is accompanied
by the increases you would expect in phone-related
fatalities and accidents: in 2008, it’s estimated that cell
phones caused 2,600 fatalities and 330,000 accidents,
up considerably from 2002. Studies show that drivers
know that using the phone while driving is one of the
most dangerous things you can do on the road, but
refuse to admit that it’s dangerous when they them-
selves do it. A survey by Vlingo, a developer of
voice-driven mobile phone applications, found that 26
percent of phone users admitted to texting while
driving, but 83 percent said that the practice should be
illegal, which means at least some portion of people
are engaging in a practice that they feel should be
outlawed.
Of users that text while driving, the more
youthful demographic groups, such as the 18–29 age
group, are by far the most frequent texters. About
three quarters of Americans in this age group
regularly text, compared to just 22 percent of the
35–44 age group. Correspondingly, the majority of
accidents involving mobile device use behind the
wheel involve young adults. Among this age group,
texting behind the wheel is just one of a litany of
problems raised by frequent texting: anxiety, distrac-
tion, failing grades, repetitive stress injuries, and
sleep deprivation are just some of the other problems
brought about by excessive use of mobile devices.
Teenagers are particularly prone to using cell phones
to text because they want to know what’s happening
to their friends and are anxious about being socially
isolated.
Seventy-five billion texts were sent in the United
States in June 2009, compared to 7.2 billion in June
2005. Texting is clearly here to stay, and in fact has
supplanted phone calls as the most commonly used
method of mobile communication. People are unwill-
ing to give up their mobile devices because of the pres-
sures of staying connected. Neurologists discovered
that the response to multitasking suggests that people
develop addictions to the digital devices they use most,
getting quick bursts of adrenaline, without which dri-
ving becomes boring.
Chapter 12: Ethical and Social Issues in Information Systems 439
Despite the obstacles, lawmakers are increasingly
recognizing the need for much stronger legislation bar-
ring drivers from texting behind the wheel. Though
most people aren’t willing to give up their phones
entirely, and many legislators believe that it’s not state
or federal government’s role to prohibit poor decision-
making, many states have made inroads with laws
prohibiting texting while operating vehicles. In Utah,
drivers crashing while texting can receive 15 years in
prison, by far the toughest sentence for texting while
driving in the nation. Utah’s law assumes that drivers
understand the risks of texting while driving, whereas in
other states, prosecutors must prove that the driver knew
about the risks of texting while driving before doing so.
Utah’s tough law was the result of a horrifying
accident in which a speeding college student, texting
at the wheel, rear-ended a car in front. The car lost
control, entered the opposite side of the road, and was
hit head-on by a pickup truck hauling a trailer, killing
the driver instantly. In September 2008, a train
engineer in California was texting within a minute
prior to the most fatal train accident in almost two
decades. Californian authorities responded by banning
the use of cell phones by train workers while on duty.
It’s likely that more accidents of this magnitude will
have to occur before Americans are persuaded to give
up texting while driving.
Sources: Elisabeth Rosenthal, “When Texting Kills, Britain Offers Path to
Prison,” The New York Times, November 9, 2009; Jennifer Steinhauer and Laura
M. Holson, “As Text Messages Fly, Danger Lurks,” The New York Times,
September 20, 2008; Katie Hafner, “Texting May be Taking a Toll on Teenagers,”
The New York Times, May 26, 2009; Tara Parker-Pope, “Texting Until Their
Thumbs Hurt,” The New York Times, May 26, 2009; Tom Regan, “Some Sobering
Stats on Texting While Driving,” The Christian Science Monitor, May 28, 2009;
Matt Richtel, “Drivers and Legislators Dismiss Cellphone Risks,” The New York
Times, July 19, 2009; “Matt Richtel, U.S. Withheld Data on Risks of Distracted
Driving,” The New York Times, July 21, 2009; Matt Richtel, “In Study, Texting
Lifts Crash Risk by Large Margin,” The New York Times, July 28, 2009; Matt
Richtel, “Utah Gets Tough With Texting Drivers,” The New York Times, August
29, 2009; Matt Richtel, “Driver Texting Now an Issue in the Back Seat,” The New
York Times, September 9, 2009.
1. Which of the five moral dimensions of informa-
tion systems described in the text is involved in
this case?
2. What are the ethical, social, and political issues
raised by this case?
3. Which of the ethical principles described in the
text are useful for decision making about texting
while driving?
1. Many people at state and local levels are calling
for a federal law against texting while driving.
Use a search engine to explore what steps the
federal government has taken to discourage
texting while driving.
2. Most people are not aware of the widespread
impact of texting while driving across the United
States. Do a search on “texting while driving.”
Examine all the search results for the first two
pages. Enter the information into a 2-column
table. In the left-hand column put the locality of
report and year. In the right-hand column give a
brief description of the search result, e.g. accident,
report, court judgment, etc. What can you
conclude from these search results and table?
CASE STUDY QUESTIONS MIS IN ACTION
Computer crime is the commission of illegal acts through the use of a computer or against
a computer system. Computers or computer systems can be the object of the crime (destroy-
ing a company’s computer center or a company’s computer files), as well as the instrument
of a crime (stealing computer lists by illegally gaining access to a computer system using a
home computer). Simply accessing a computer system without authorization or with intent
to do harm, even by accident, is now a federal crime.
Computer abuse is the commission of acts involving a computer that may not be illegal
but that are considered unethical. The popularity of the Internet and e-mail has turned one
form of computer abuse—spamming—into a serious problem for both individuals and
businesses. Spam is junk e-mail sent by an organization or individual to a mass audience of
Internet users who have expressed no interest in the product or service being marketed.
Spammers tend to market pornography, fraudulent deals and services, outright scams, and
other products not widely approved in most civilized societies. Some countries have passed
laws to outlaw spamming or to restrict its use. In the United States, it is still legal if it does
not involve fraud and the sender and subject of the e-mail are properly identified.
Spamming has mushroomed because it only costs a few cents to send thousands of
messages advertising wares to Internet users. According to Sophos, a leading vendor of
security software, spam accounted for 97 percent of all e-mail traffic during the first quarter
of 2009 (Sophos, 2009). Spam costs for businesses are very high (an estimated at over $50
billion per year) because of the computing and network resources consumed by billions of
unwanted e-mail messages and the time required to deal with them.
Internet service providers and individuals can combat spam by using spam filtering
software to block suspicious e-mail before it enters a recipient’s e-mail inbox. However,
spam filters may block legitimate messages. Spammers know how to skirt around filters by
continually changing their e-mail accounts, by incorporating spam messages in images, by
embedding spam in e-mail attachments and electronic greeting cards, and by using other
people’s computers that have been hijacked by botnets (see Chapter 7). Many spam
messages are sent from one country while another country hosts the spam Web site.
Spamming is more tightly regulated in Europe than in the United States. On May 30,
2002, the European Parliament passed a ban on unsolicited commercial messaging.
Electronic marketing can be targeted only to people who have given prior consent.
The U.S. CAN-SPAM Act of 2003, which went into effect on January 1, 2004, does not
outlaw spamming but does ban deceptive e-mail practices by requiring commercial e-mail
messages to display accurate subject lines, identify the true senders, and offer recipients an
easy way to remove their names from e-mail lists. It also prohibits the use of fake return
addresses. A few people have been prosecuted under the law, but it has had a negligible
impact on spamming. Although Facebook and MySpace have won judgments against
spammers, most critics argue the law has too many loopholes and is not effectively enforced
(Associated Press, 2009).
Employment: Trickle-Down Technology and Reengineering Job Loss
Reengineering work is typically hailed in the information systems community as a major
benefit of new information technology. It is much less frequently noted that redesigning
business processes could potentially cause millions of middle-level managers and clerical
workers to lose their jobs. One economist has raised the possibility that we will create a
society run by a small “high tech elite of corporate professionals . . . in a nation of the
permanently unemployed” (Rifkin, 1993).
Other economists are much more sanguine about the potential job losses. They believe
relieving bright, educated workers from reengineered jobs will result in these workers
moving to better jobs in fast-growth industries. Missing from this equation are unskilled,
blue-collar workers and older, less well-educated middle managers. It is not clear that these
groups can be retrained easily for high-quality (high-paying) jobs. Careful planning and
sensitivity to employee needs can help companies redesign work to minimize job losses.
The Interactive Session on Organizations explores another consequence of reengineered
jobs. In this case, Wal-Mart’s changes in job scheduling for more efficient use of its employ-
ees did not cause employees to lose their jobs directly. But it did impact their personal lives
and forced them to accept more irregular part-time work. As you read this case, try to
identify the problem this company is facing, what alternative solutions are available to
management, and whether the chosen solution was the best way to address this problem.
Equity and Access: Increasing Racial and Social Class Cleavages
Does everyone have an equal opportunity to participate in the digital age?
Will the social, economic, and cultural gaps that exist in the United States and other
societies be reduced by information systems technology? Or will the cleavages be increased,
permitting the better off to become even more better off relative to others?
These questions have not yet been fully answered because the impact of systems technology
on various groups in society has not been thoroughly studied. What is known is that information,
knowledge, computers, and access to these resources through educational institutions and public
440 Part IV: Building and Managing Systems
Chapter 12: Ethical and Social Issues in Information Systems 441
INTERACTIVE SESSION: ORGANIZATIONS Flexible Scheduling Good or Bad for Employees?
With nearly 1.4 million workers domestically,
Wal-Mart is the largest private employer in the United
States. Wal-Mart is also the nation’s number one
retailer in terms of sales, registering nearly $379
billion in sales revenue for the fiscal year ending
January 31, 2008. Wal-Mart achieved its lofty status
through a combination of low prices and low opera-
tional costs, enabled by a superb continuous inventory
replenishment system.
Now Wal-Mart is trying to lower costs further by
changing its methods for scheduling the work shifts
of its employees. In early 2007, Wal-Mart revealed
that it was adopting a computerized scheduling
system, a move that has been roundly criticized by
workers’ rights advocates for the impact it may have
on employees’ lives.
Traditionally, scheduling employee shifts at big
box stores such as Wal-Mart was the domain of store
managers who arranged schedules manually.
They based their decisions in part on current store
promotions as well as on weekly sales data from the
previous year. Typically, the process required a full
day of effort for a store manager. Multiply that labor
intensity by the number of stores in a chain and you
have an expensive task with results that are margin-
ally beneficial to the company.
By using a computerized scheduling system, such
as the system from Kronos that Wal-Mart adopted, a
retail enterprise can produce work schedules for every
store in its chain in a matter of hours. Meanwhile,
store managers can devote their time to running their
individual stores more effectively.
The Kronos scheduling system tracks individual
store sales, transactions, units sold, and customer
traffic. The system logs these metrics over 15-minute
increments for seven weeks at a time, and then
measures them against the same data from the
previous year. It can also integrate data such as the
number of in-store customers at certain hours or the
average time required to sell a television set or unload
a truck and predict the number of workers needed at
any given hour.
A typical result of this type of scheduling might
call for a sparse staff early in the day, a significant
increase for the midday rush, scaling back toward
the end of the afternoon, and then fortifying the staff
once again for an evening crowd. However, for a
chain like Wal-Mart, which operates thousands of
24-hour stores and has also run into trouble
previously for its labor practices, the transition to a
computerized scheduling system has resulted in
controversy.
For Wal-Mart, using Kronos translates to
improved productivity and customer satisfaction.
Management reported a 12-percent gain in labor
productivity in the quarter ending January 31, 2008.
For Wal-Mart employees, known to the company
as associates, the change may decrease the stability of
their jobs and, possibly, create financial hardship.
The scheduling generated by Kronos can be
unpredictable, requiring associates to be more flexi-
ble with their work hours. Stores may ask them to be
on call in case of a rush, or to go home during a slow
spell. Irregular hours, and inconsistent paychecks,
make it more difficult for employees to organize their
lives, from scheduling babysitters to paying bills.
Alerts from the system may also enable store
managers to avoid paying overtime or full-time wages
by cutting back the hours of associates who are
approaching the thresholds that cause extra benefits to
kick in. Associates are almost always people who
need all the work they can get.
According to Paul Blank of the Web site
WakeUpWalMart.com, which is supported by the
United Food and Commercial Workers union, “What
the computer is trying to optimize is the most number
of part-time and least number of full-time workers at
lower labor costs, with no regard for the effect that it
has on workers’ lives.” Sarah Clark, speaking on
behalf of Wal-Mart, insists the system’s goal is simply
to improve customer service by shortening checkout
lines and better meeting the needs of shoppers.
To assist in the deployment of its computerized
scheduling system in all of its stores, Wal-Mart
requests that its associates submit “personal avail-
ability” forms. Language on the form instructs
associates that “Limiting your personal availability
may restrict the number of hours you are scheduled.”
Anecdotal evidence suggests that some workers have
indeed seen their hours cut and their shifts bounced
around. Experienced associates with high pay rates
have expressed concern that the system enables
managers to pressure them into quitting. If they are
unwilling to work nights and weekends, managers
have a justification for replacing them with new
workers who will make much less per hour. Sarah
Clark denies that the system is used in this manner.
Critics of the system can cite the Clayton Antitrust
Act of 1914, which states, “The labor of a human being
is not a commodity or article of commerce.” Wal-mart
employees writing on blogs complain that the flexible
scheduling system does not allow them time to have a
second job because they have to be available for their
Wal-mart job. But flexible scheduling when done right
442 Part IV: Building and Managing Systems
1. What is the ethical dilemma facing Wal-Mart in
this case? Do Wal-Mart’s associates also face an
ethical dilemma? If so, what is it?
2. What ethical principles apply to this case? How
do they apply?
3. What are the potential effects of computerized
scheduling on employee morale? What are the
consequences of these effects for Wal-Mart?
4. For what kinds of workers is flexible scheduling a
positive benefit, and why?
by taking into account the outside demands on employ-
ees can be very helpful. For instance, flexible schedul-
ing can allow two parents to share a job, or allow
women with young children a schedule that fits in with
raising children. No legal battles over computerized
scheduling appear imminent, so interpreting whether
Wal-Mart’s strategy equals treating its labor force as a
commodity will have to wait.
In the meantime, Wal-Mart is once again at the
forefront of technology trends in its industry. Ann
Visit the Web site at www.WakeUpWalMart.com and
then answer the following questions:
1. What are this group’s major points of contention
with Wal-Mart?
2. How well does the Web site serve their cause?
Does the site help their cause or hurt it?
3. What other approach could the organization take
to bring about change?
Using Wal-Mart’s Web site and Google for research,
answer the following questions:
4. How does Wal-Mart address the issues raised by
organizations such as WakeUpWalMart.com?
5. Are the company’s methods effective?
6. If you were a public relations expert advising
Wal-Mart, what suggestions would you make for
handling criticism?
Taylor Stores, Limited Brands, Gap, Williams-
Sonoma, and GameStop have all installed similar
workforce scheduling systems.
Sources: Vanessa O’Connell, “Retailers Reprogram Workers in Efficiency Push,”
Jennifer Turano, “Two Workers, Wearing One Hat,” The New York Times, October
4, 2009; The Wall Street Journal, September 10, 2008; Kris Maher, “Wal-Mart
Seeks New Flexibility in Worker Shifts,” The Wall Street Journal, January 3,
2007; www.kronos.com, accessed July 15, 2008; Bob Evans, “Wal-Mart’s Latest
‘Orwellian’ Technology Move: Get Over It,” InformationWeek, April 6, 2007; and
“More Opinions on Wal-Mart’s Flexible Scheduling,” InformationWeek, April 17,
2007.
CASE STUDY QUESTIONS MIS IN ACTION
libraries are inequitably distributed along ethnic and social class lines, as are many other infor-
mation resources. Several studies have found that certain ethnic and income groups in the United
States are less likely to have computers or online Internet access even though computer owner-
ship and Internet access have soared in the past five years. Although the gap is narrowing, higher-
income families in each ethnic group are still more likely to have home computers and Internet
access than lower-income families in the same group.
A similar digital divide exists in U.S. schools, with schools in high-poverty areas less
likely to have computers, high-quality educational technology programs, or Internet access
availability for their students. Left uncorrected, the digital divide could lead to a society of
information haves, computer literate and skilled, versus a large group of information
have-nots, computer illiterate and unskilled. Public interest groups want to narrow this
digital divide by making digital information services—including the Internet—available to
virtually everyone, just as basic telephone service is now.
Health Risks: RSI, CVS, and Technostress
The most common occupational disease today is repetitive stress injury (RSI). RSI occurs
when muscle groups are forced through repetitive actions often with high-impact loads
(such as tennis) or tens of thousands of repetitions under low-impact loads (such as working
at a computer keyboard).
The single largest source of RSI is computer keyboards. The most common kind of
computer-related RSI is carpal tunnel syndrome (CTS), in which pressure on the median
nerve through the wrist’s bony structure, called a carpal tunnel, produces pain. The pressure
is caused by constant repetition of keystrokes: in a single shift, a word processor may
perform 23,000 keystrokes. Symptoms of carpal tunnel syndrome include numbness, shoot-
ing pain, inability to grasp objects, and tingling. Millions of workers have been diagnosed
with carpal tunnel syndrome.
RSI is avoidable. Designing workstations for a neutral wrist position (using a wrist rest
to support the wrist), proper monitor stands, and footrests all contribute to proper posture
and reduced RSI. Ergonomically correct keyboards are also an option. These measures
should be supported by frequent rest breaks and rotation of employees to different jobs.
RSI is not the only occupational illness computers cause. Back and neck pain, leg stress,
and foot pain also result from poor ergonomic designs of workstations. Computer vision
syndrome (CVS) refers to any eyestrain condition related to computer display screen use.
Its symptoms, which are usually temporary, include headaches, blurred vision, and dry and
irritated eyes.
The newest computer-related malady is technostress, which is stress induced by
computer use. Its symptoms include aggravation, hostility toward humans, impatience, and
fatigue. According to experts, humans working continuously with computers come to expect
other humans and human institutions to behave like computers, providing instant responses,
attentiveness, and an absence of emotion. Technostress is thought to be related to high levels
of job turnover in the computer industry, high levels of early retirement from computer-
intense occupations, and elevated levels of drug and alcohol abuse.
The incidence of technostress is not known but is thought to be in the millions and
growing rapidly in the United States. Computer-related jobs now top the list of stressful
occupations based on health statistics in several industrialized countries.
To date, the role of radiation from computer display screens in occupational disease has
not been proved. Video display terminals (VDTs) emit nonionizing electric and magnetic
fields at low frequencies. These rays enter the body and have unknown effects on enzymes,
molecules, chromosomes, and cell membranes. Long-term studies are investigating low-
level electromagnetic fields and birth defects, stress, low birth weight, and other diseases.
All manufacturers have reduced display screen emissions since the early 1980s, and
European countries, such as Sweden, have adopted stiff radiation emission standards.
Chapter 12: Ethical and Social Issues in Information Systems 443
Repetitive stress injury
(RSI) is the leading occu-
pational disease today.
The single largest cause
of RSI is computer key-
board work.
The computer has become a part of our lives—personally as well as socially, culturally,
and politically. It is unlikely that the issues and our choices will become easier as informa-
tion technology continues to transform our world. The growth of the Internet and the infor-
mation economy suggests that all the ethical and social issues we have described will be
heightened further as we move into the first digital century.
12.4 Hands-On MIS Projects
The projects in this section give you hands-on experience in analyzing the privacy implications
of using online data brokers, developing a corporate policy for employee Web usage, using
blog creation tools to create a simple blog, and using Internet newsgroups for market research.
MANAGEMENT DECISION PROBLEMS
1. USAData’s Web site is linked to massive databases that consolidate personal data on
millions of people. Anyone with a credit card can purchase marketing lists of consumers
broken down by location, age, income level, and interests. If you click on Consumer
Leads to order a consumer mailing list, you can find the names, addresses, and
sometimes phone numbers of potential sales leads residing in a specific location and
purchase the list of those names. One could use this capability to obtain a list, for
example, of everyone in Peekskill, New York, making $150,000 or more per year. Do
data brokers such as USAData raise privacy issues? Why or why not? If your name and
other personal information were in this database, what limitations on access would you
want in order to preserve your privacy? Consider the following data users: government
agencies, your employer, private business firms, other individuals.
2. As the head of a small insurance company with six employees, you are concerned about
how effectively your company is using its networking and human resources. Budgets are
tight, and you are struggling to meet payrolls because employees are reporting many
overtime hours. You do not believe that the employees have a sufficiently heavy work
load to warrant working longer hours and are looking into the amount of time they spend
on the Internet.
444 Part IV: Building and Managing Systems
WEB USAGE REPORT FOR THE WEEK ENDING JANUARY 9, 2009
User Name Minutes Online Web Site Visited
Kelleher, Claire 45 www.doubleclick.net
Kelleher, Claire 107 www.yahoo.com
Kelleher, Claire 96 www.insweb.com
McMahon, Patricia 83 www.itunes.com
McMahon, Patricia 44 www.insweb.com
Milligan, Robert 112 www.youtube.com
Milligan, Robert 43 www.travelocity.com
Olivera, Ernesto 40 www.CNN.com
Talbot, Helen 125 www.etrade.com
Talbot, Helen 27 www.nordstrom.com
Talbot, Helen 35 www.yahoo.com
Talbot, Helen 73 www.ebay.com
Wright, Steven 23 www.facebook.com
Wright, Steven 15 www.autobytel.com
Each employee uses a computer with Internet access on the job. You requested the pre-
ceding weekly report of employee Web usage from your information systems department.
• Calculate the total amount of time each employee spent on the Web for the week and the
total amount of time that company computers were used for this purpose. Rank the
employees in the order of the amount of time each spent online.
• Do your findings and the contents of the report indicate any ethical problems employees
are creating? Is the company creating an ethical problem by monitoring its employees’
use of the Internet?
• Use the guidelines for ethical analysis presented in this chapter to develop a solution to
the problems you have identified.
ACHIEVING OPERATIONAL EXCELLENCE: CREATING A SIMPLE
BLOG
Software skills: Blog creation
Business skills: Blog and Web page design
In this project, you’ll learn how to build a simple blog of your own design using the online
blog creation software available at Blogger.com. Pick a sport, hobby, or topic of interest as the
theme for your blog. Name the blog, give it a title, and choose a template for the blog. Post at
least four entries to the blog, adding a label for each posting. Edit your posts, if necessary.
Upload an image, such as a photo from your hard drive or the Web to your blog. (Google rec-
ommends Open Photo, Flickr: Creative Commons, or Creative Commons Search as sources
for photos. Be sure to credit the source for your image.) Add capabilities for other registered
users, such as team members, to comment on your blog. Briefly describe how your blog could
be useful to a company selling products or services related to the theme of your blog. List the
tools available to Blogger (including Gadgets) that would make your blog more useful for
business and describe the business uses of each. Save your blog and show it to your instructor.
IMPROVING DECISION MAKING: USING INTERNET
NEWSGROUPS FOR ONLINE MARKET RESEARCH
Software Skills: Web browser software and Internet newsgroups
Business Skills: Using Internet newsgroups to identify potential customers
This project will help develop your Internet skills in using newsgroups for marketing. It will
also ask you to think about the ethical implications of using information in online discussion
groups for business purposes.
You are producing hiking boots that you sell through a few stores at this time. You think
your boots are more comfortable than those of your competition. You believe you can under-
sell many of your competitors if you can significantly increase your production and sales.
You would like to use Internet discussion groups interested in hiking, climbing, and camp-
ing both to sell your boots and to make them well known. Visit groups.google.com, which
stores discussion postings from many thousands of newsgroups. Through this site you can
locate all relevant newsgroups and search them by keyword, author’s name, forum, date, and
subject. Choose a message and examine it carefully, noting all the information you can
obtain, including information about the author.
• How could you use these newsgroups to market your boots?
• What ethical principles might you be violating if you use these messages to sell your
boots? Do you think there are ethical problems in using newsgroups this way? Explain
your answer.
• Next use Google or Yahoo.com to search the hiking boots industry and locate sites that
will help you develop other new ideas for contacting potential customers.
• Given what you have learned in this and previous chapters, prepare a plan to use
newsgroups and other alternative methods to begin attracting visitors to your site.
Chapter 12: Ethical and Social Issues in Information Systems 445
446 Part IV: Building and Managing Systems
Review Summary
1
What ethical, social, and political issues are raised by information systems?
Information technology is introducing changes for which laws and rules of accept-
able conduct have not yet been developed. Increasing computing power, storage, and net-
working capabilities—including the Internet—expand the reach of individual and organi-
zational actions and magnify their impacts. The ease and anonymity with which
information is now communicated, copied, and manipulated in online environments pose
new challenges to the protection of privacy and intellectual property. The main ethical,
social, and political issues raised by information systems center around information rights
and obligations, property rights and obligations, accountability and control, system qual-
ity, and quality of life.
2
What specific principles for conduct can be used to guide ethical decisions? Six
ethical principles for judging conduct include the Golden Rule, Immanuel Kant’s
Categorical Imperative, Descartes’ rule of change, the Utilitarian Principle, the Risk
Aversion Principle, and the ethical “no free lunch” rule. These principles should be used in
conjunction with an ethical analysis.
3
Why do contemporary information systems technology and the Internet pose
challenges to the protection of individual privacy and intellectual property?
Contemporary data storage and data analysis technology enables companies to easily gather
personal data about individuals from many different sources and analyze these data to create
detailed electronic profiles about individuals and their behaviors. Data flowing over the
Internet can be monitored at many points. Cookies and other Web monitoring tools closely
track the activities of Web site visitors. Not all Web sites have strong privacy protection poli-
cies, and they do not always allow for informed consent regarding the use of personal infor-
mation. Traditional copyright laws are insufficient to protect against software piracy because
digital material can be copied so easily and transmitted to many different locations simulta-
neously over the Internet.
4
How have information systems affected everyday life? Although computer systems
have been sources of efficiency and wealth, they have some negative impacts.
Computer errors can cause serious harm to individuals and organizations. Poor data quality
is also responsible for disruptions and losses for businesses. Jobs can be lost when comput-
ers replace workers or tasks become unnecessary in reengineered business processes. The
ability to own and use a computer may be exacerbating socioeconomic disparities among
different racial groups and social classes. Widespread use of computers increases opportuni-
ties for computer crime and computer abuse. Computers can also create health problems,
such as RSI, computer vision syndrome, and technostress.
LEARNING TRACKS
The following Learning Tracks provide content relevant to the topics covered in
this chapter:
1. Developing a Corporate Code of Ethics for Information Systems
2. Creating a Web Page
Chapter 12: Ethical and Social Issues in Information Systems 447
Review Questions
1. What ethical, social, and political issues are raised by information systems?
• Explain how ethical, social, and political issues are connected and give some examples.
• List and describe the key technological trends that heighten ethical concerns.
• Differentiate between responsibility, accountability, and liability.
2. What specific principles for conduct can be used to guide ethical decisions?
• List and describe the five steps in an ethical analysis.
• Identify and describe six ethical principles.
3. Why do contemporary information systems technology and the Internet pose challenges
to the protection of individual privacy and intellectual property?
• Define privacy and fair information practices.
• Explain how the Internet challenges the protection of individual privacy and intellectual
property.
• Explain how informed consent, legislation, industry self-regulation, and technology
tools help protect the individual privacy of Internet users.
• List and define the three different regimes that protect intellectual property rights.
4. How have information systems affected everyday life?
• Explain why it is so difficult to hold software services liable for failure or injury.
• List and describe the principal causes of system quality problems.
• Name and describe four quality-of-life impacts of computers and information systems.
• Define and describe technostress and RSI and explain their relationship to information
technology.
Ethical “no free lunch” rule,
425
Ethics, 420
Fair Information Practices
(FIP), 427
Golden Rule, 425
Immanuel Kant’s Categorical
Imperative, 425
Information rights, 421
Informed consent, 428
Intellectual property, 432
Liability, 424
Nonobvious relationship
awareness (NORA), 423
Opt-in, 430
Opt-out, 430
P3P, 431
Patent, 433
Privacy, 426
Profiling, 422
Repetitive stress injury (RSI),
432
Responsibility, 424
Risk Aversion Principle, 425
Safe harbor, 429
Spam, 439
Spyware, 430
Technostress, 443
Trade secret, 432
Utilitarian Principle, 425
Web bugs, 430
Accountability, 424
Carpal tunnel syndrome
(CTS), 443
Computer abuse, 439
Computer crime, 439
Computer vision syndrome
(CVS), 443
Cookies, 429
Copyright, 433
Descartes’ rule of change,
425
Digital divide, 442
Digital Millennium
Copyright Act
(DMCA), 434
Due process, 424
Key Terms
448 Part IV: Building and Managing Systems
Collaboration and Teamwork
Developing a Corporate Ethics Code
With three or four of your classmates, develop a corporate ethics code on privacy that
addresses both employee privacy and the privacy of customers and users of the corporate
Web site. Be sure to consider e-mail privacy and employer monitoring of worksites, as well
as corporate use of information about employees concerning their off-the-job behavior
(e.g., lifestyle, marital arrangements, and so forth). If possible, use Google Sites to post
links to Web pages, team communication announcements, and work assignments; to brain-
storm; and to work collaboratively on project documents. Try to use Google Docs to develop
your solution and presentation for the class.
Video Cases
Video Cases and Instructional Videos illustrating some of the concepts in this chapter are
available. Contact your instructor to access these videos.
Discussion Questions
1. Should producers of software-based ser-
vices, such as ATMs, be held liable for eco-
nomic injuries suffered when their systems
fail?
2. Should companies be responsible for
unemployment caused by their information
systems? Why or why not?
Chapter 12: Ethical and Social Issues in Information Systems 449
BUSINESS PROBLEM-SOLVING CASE
Google, Microsoft, and IBM: The Health of Your Medical Records’ Privacy
tors to be sent automatically to Google Health
(Google’s online medical record system) or other per-
sonal health records systems online. It’s a broad-
reaching software platform that will bring data porta-
bility and medical records interoperability in direct
conflict with a huge industry entrenched in siloed
data.
Estimates are that the Health Information Technology
initiative will create over 200,000 jobs in MIS and
systems, and the 10-year cost is $75–$100 billion. The
project should pay for itself with an estimated savings of
$175–$200 billion a year. The Health Information
Technology initiative is arguably the largest manage-
ment information systems project in the history of the
United States since the computerization of the Social
Security System records in the 1950s. What’s involved is
not just dropping PCs on doctors’ desktops and operat-
ing tables. Instead, a massive investment in organization
and management, cultural change, software, and
interface design is required. In short, the skills you learn
in this book will be highly valued!
The bad news is that the health of your personal
privacy will probably decline, significantly. You will
most likely lose control over what private medical
information about you is distributed, and you will not
be able to restrict its distribution. Your medical records
will be a very efficient, instantly accessible, “semi
public” document accessible by millions of health care
workers whom you will never meet or know about.
And you won’t ever really know who has access to
your records, or understand how they are or might be
used.
The health-care industry is notoriously bad at keep-
ing medical records private. Georgia Blue-Cross intro-
duced a change in its medical information system
without testing, and sent thousands of patient records
to the wrong fax machine in a neighboring state. A
former billing clerk at Cedars-Sinai Medical Center in
Los Angeles was arrested in November 2008 and
charged with stealing patient records and using the
identities to steal from insurers. In 2009, the Kaiser
Permanente Bellflower Medical Center in Los Angeles
was hit with a $187,500 fine for failing to prevent
unauthorized access to confidential patient informa-
tion—employees were improperly accessing the med-
ical records of Nadya Suleman and her eight children.
This is the second penalty against the hospital. Even
Britney Spears has not been spared: UCLA Medical
Center was embarrassed to disclose that employees
had sifted through the medical files of more than 30
During a typical trip to the doctor, you will see shelves
full of folders and papers devoted to the storage of med-
ical records. Every time you visit, your records are cre-
ated or modified, and often duplicate copies are gener-
ated throughout the course of a visit to the doctor or a
hospital. Take a look at your doctor’s office and chances
are you’ll see a bevy of clerks bent over desks filled with
paper forms, mostly insurance claim documents. The
majority of medical records are currently paper-based,
making effective communication and access to the
records difficult: only 8 percent of the nation’s 5,000
hospitals and 17 percent of the nation’s 800,000 doctors
use computerized health care records of any kind.
Americans made well over a billion visits to doctors and
hospitals over the past year, with each American making
approximately four visits on average. As a result, there
are millions of paper medical records lining the corridors
of thousands of local medical practices, and for the most
part, they cannot be systematically examined, and they
are difficult to share.
Now for some good news: the administrative waste
could be largely eliminated by a massive investment in a
nationwide health care record system based on standard-
ized record formats, and the participation of all elements
in the health care provider industry.
The United States spends about $2 trillion on health-
care, and about $700 billion or one-third is “waste,”
loosely defined as costs that could be shed if the health-
care industry followed best practices. This waste is a
major reason why the United States has the highest-cost
medical system per capita in the world. Among the many
sources of waste are fraud, duplicate tests, unnecessary
care, medical mistakes, administrative inefficiency,
redundant paperwork, and a paper-based health records
system. The outdated administrative procedures and
records situation causes an estimated 25 percent of the
total “waste,” or about $175 billion a year.
There’s more good news about medical records: the
new Obama administration in February 2009 set aside
$19 billion to fund a Health Information Technology
program as a part of the American Recovery and
Reinvestment Act of 2009. The goal: computerize all
health records by 2014. And the major technology
companies are banding together and offering up solu-
tions, responding to the opportunity of billions of dol-
lars of government contracts. IBM, Google, Microsoft,
and a consortium of medical device makers and other
companies have formed an alliance to create a software
platform that will allow medical data from at-home
devices like glucose meters and blood pressure moni-
450 Part IV: Building and Managing Systems
“health profile” for medications, conditions, and
allergies; reminder messages for prescription refills or
doctor visits; directories for nearby doctors; and person-
alized health advice. The application will also be able to
accept information from many different record keeping
technologies currently in use by hospitals and other
institutions. The intent of the system is to make patients’
records easily accessible and more complete and to
streamline record keeping.
Google has proven that it is very good at what it does.
It is, among other things, one of the largest advertising
firms in the world, and the largest Web tracker of
individuals in the United States. But what if Google
were seeking personal information about you? You
might not feel as good about Google’s quest to organize
the world’s information when you consider that some of
that information is information you’d prefer remain pri-
vate. Google’s development of its Google Health appli-
cation illustrates the conflict between its
self-avowed mission and the individual’s right to privacy.
Would you trust Google with your health records know-
ing that a potential employer, or current employer, might
be able to access those records?
Proponents of electronic health records argue that
computer technology, once fully implemented, would
enhance security rather than threaten it. They also
believe that it is more important to first get the system
up and running than to worry about privacy matters.
Congressional Representative Joe Barton of Texas, an
advocate of legislation that would speed the develop-
ment of such records, said that “privacy is an important
issue, but more important is that we get a health
information system in place.” Lawmakers like Barton
feel that the benefits of systems like Google Health
outweigh the privacy risks, and that further legislation
to impose privacy controls can be added after the fact.
Some experts disagree with that stance, saying that
unless an electronic system has sufficient privacy
controls from the outset, it is less likely to become
universally used. Even if the system’s security controls
are sufficient, it is important that consumers are aware
of those controls and confident that they can use the
system without fear of their records being accessed by
unauthorized parties. Creating an electronic health
system without the proper security controls would not
only be an unacceptable privacy risk, but would be
doomed to failure because potential users would be
unwilling to cooperate with the information
requirements of the system.
Google is not the only company to set its sights on
online medical records. Microsoft and Revolution Health
Group LLC, founded by AOL co-founder Steve Case,
among others, are also launching similar sites where
users can maintain online health profiles. As of yet it is
too early to tell whether any of these ventures will be
celebrities, including singer Britney Spears, actress
Farah Fawcett, and California First Lady Maria
Shriver. There are occasional horror stories like those
of Patricia Galvin that reinforce the worries many peo-
ple have about the privacy of their medical records.
Galvin attempted to acquire disability benefits for her
chronic back pain but was turned down on the basis of
her psychologist’s notes, which were supposed to be
confidential. The number of monthly medical privacy
complaints received by the Department of Health and
Human Services has been steadily approaching 750
per month over the past several years, up from 150 in
2003. People fear that a switch to electronic medical
records could be even more vulnerable to security
breaches and privacy violations.
Privacy advocacy group Privacyrights.org documented
248 serious personal data record breaches in 2009, and
about 24 percent of those involved medical service
providers—doctors, hospitals, and insurance companies.
In October 2009, the New York Times published a table
illustrating 32 different groups who have “legitimate”
access to your medical records, a staggering array of
doctors, business associates, government agencies, and
data miners (including pharmaceutical companies and
their sales staffs). It is conceivable that over a million
people have direct access to medical records throughout
the United States.
These privacy concerns are far from unfounded.
HIPAA—the Health Insurance Portability and
Accountability Act of 1996—provides very limited
protections for personal medical records. HIPAA basi-
cally legitimizes rather than constrains the near unlim-
ited flow of information between healthcare providers,
health insurers, and clearinghouses for payment process-
ing. HIPAA makes it all legal and then asks you to sign
off on it as a condition of receiving medical treatment!
There are no federal privacy protections for patients who
set up personal health records online, say at Google or
other Web sites offering medical record services. Even
hospitals and practices that currently use electronic
storage formats report a high incidence of security
breaches, with a quarter of healthcare technology
professionals reporting at least one security breach in the
past year. According to a 2006 Federal Trade
Commission study, about 249,000 Americans had their
personal information misused for the purpose of
obtaining medical treatment, supplies, or services.
Google has put itself center stage in the health records
arena. In March 2008, Google announced an application
that it hopes will alleviate the inefficiency of the current
medical record storage system: Google Health.
Google Health will allow consumers to enter their basic
medical data into an online repository and invite doctors
to send relevant information to Google electronically.
The service is free to users. Features will include a
Chapter 12: Ethical and Social Issues in Information Systems 451
successful in the long term. The federal office in charge
of creating a national network of electronic health
records, the Office of the Coordinator of Health
Information Technology, announced in March of 2008
that it plans to integrate its system with both Google and
Microsoft’s healthcare databases, among others.
One way or another, private industry and government
will likely move forward slowly towards a national
medical record information system. The ethical and
moral dilemma posed by this national system involves
an inherent conflict between two closely held values:
medical care efficiency and effectiveness versus the
privacy of your personal medical information.
Sources: Amalia R. Miller and Catherine E. Tucker, “Electronic Discovery and
Electronic Medical Records: Does the Threat of Litigation Affect Firm Decisions to
Adopt Technology?” FTC Seminar, April 27, 2009; Natasha Singer, “When 2+2 Equals
A Privacy Question,” The New York Times, October 18, 2009. David Pogue.
“Computerized Health Records,” The New York Times, October 15, 2009; and Reuters
News. “Healthcare In the U.S. Wastes Up to $800 Billion A Year,” The New York Times,
October 26, 2009.
Case Study Questions
1. What concepts in the chapter are illustrated in this
case? Who are the stakeholders in this case?
2. What are the problems with America’s current med-
ical record keeping system? How would electronic
medical records alleviate these problems?
3. What management, organization, and technology fac-
tors are most critical to the creation and development
of electronic medical records?
4. What are the pros and cons of electronic patient
records? Do you think the concerns over digitizing
our medical records are valid? Why or why not?
5. Should people entrust Google with their electronic
medical records? Why or why not?
6. If you were in charge of designing an electronic med-
ical record keeping system, what are some features
you would include? What are features you would
avoid?
