ETHICS, PRIVACY, AND INFORMATION SECURITY
Abstract:
Ethics, privacy, and information security has been viewed as one of the foremost areas of concern and interest by academic researchers and industry practitioners. Information security and ethics is defined as an all encompassing term that refers to all activities needed to secure information and systems that support it in order to facilitate its ethical use. In this introductory chapter, this very important field of study is introduced and the fundamental concepts and theories are discussed. A broad discussion of tools and technologies used to achieve the goals of information security and ethics is followed by a discussion of guidelines for the design and development of such tools and technologies. Managerial, organizational and societal implications of information security and ethics are then evaluated. The chapter concludes after an assessment of a number of future developments and activities on the horizon that will have an impact on this field.
Key words:
Ethics, ethics tools, ethics development, privacy, information privacy, information security, security concept, security mechanism, security attacks.
INTRODUCTION
Until recently, information security was exclusively discussed in terms of mitigating risks associated with data and the organizational and technical infrastructure that supported it. With the emergence of the new paradigm in information technology, the role of ethics, privacy, and information security has evolved. As Information Technology and the Internet become more and more ubiquitous and pervasive in our daily lives, a more thorough understanding of issues and concerns over the information security and ethics is becoming one of the hottest trends in the whirlwind of research and practice of information technology. This is chiefly due to the recognition that whilst advances in information technology have made it possible for generation, collection, storage, processing and transmission of data at a staggering rate from various sources by government, organizations and other groups for a variety of purposes, concerns over security of what is collected and the potential harm from personal privacy violations resulting from their unethical uses have also skyrocketed. Therefore, understanding of pertinent issues in ethics, privacy, and information security are becoming increasingly important to researchers and industry practitioners alike. Ethics, privacy, and information security has been viewed as one of the foremost areas of concern and interest by academic researchers and industry practitioners from diverse fields such as engineering, computer science, information systems, and management. Recent studies of major areas of interest for IT researchers and professionals point to information security and ethics as one of the most pertinent.
DEFINITION, CONCEPTS, AND THEORIES
Information Security
Information security is the security of the computers that process and store information. The goal of information security is the confidentiality, integrity, availability, non-repudiation, accountability, authenticity, and reliability of information
resources. Information security used to be purely technical, however has evolved over time to keep pace with changes to computers and networks. The goal of information security involves preserving the confidentiality, integrity and availability of business information (McCumber 1991; Posthumus and von Solms 2004).
Security Attacks
There are a large number of types of attacks that exploit vulnerabilities in systems. It describes some of the more recent and technologically complex attacks that have plagued the information networks and systems.
· Denial of service: The attacker tries to prevent a service from being used rather than compromising it. Numerous hosts are used to perform a denial of service attack.
· Trojan horse: A malicious software which disguises itself as a benign software.
· Computer virus: Reproduces itself by attaching to other executable files and once executed can cause damage.
· Worm: A self-reproducing program that creates copies of itself. Worms can spread easily using e-mail address books.
· Rootkit: A set of tools used by an attacker after gaining root-level access to a host computer in order to conceal its activities on the host and permit the attacker to maintain root-level access to the host through covert means.
· Man-in-the-middle attack: Sometimes referred to as session hijacking in which the attacker accesses the network though an open session and, once the network authenticates it, attacks the client computer to disable it and uses IP spoofing to claim to be the client.
· IP spoofing: An attacker may fake its IP address so the receiver thinks it is sent from a location that it is not viewed by the receiver as a threat.
· Logic bomb: lays dormant until an event triggers it, such as a date, user action, or in some cases may have a random trigger.
Ethics as Human Foundation of Information Security
The field of ethics is concerned with the understanding of the concepts of right and wrong behaviors. ethics is the study of what human behavior ought to be. It is defined as the study of moral values in human behavior and making sense of human experience. Ethics is concerned with the morality of our actions. We define morality as the nature of how we treat others. Information ethics (cyberethics), is the foundation by which the ethical implications of information security are studied. Information ethics is a branch of applied ethics that has received considerable attention not only from ethicists but also from information technology researchers and professional.
INFORMATION SECURITY AND ETHICS TOOLS AND TECHNOLOGIES
Information security and ethics is a complex, growing and dynamic field. It encompasses all aspects of the organization. As stated earlier in this chapter, information security and ethics has received considerable attention from researchers, developers and practitioners. Given the complexities of the issues involved, and the pace of technological change, tools and technologies to support
the organizational security efforts are diverse and multifaceted. This diversity of tools and technologies available makes it difficult, if not impossible, for even seasoned professionals to keep up with new tools, technologies, and terminologies.
Identification and Authentication
The user’s identity can be authenticated using the following mechanisms:
· Requiring the user to provide something they have (e.g., token)
· Requiring the user to provide something they alone know (e.g., password)
· Sampling a personal characteristic (e.g., fingerprint).
Access Control
Controlling access can be based on any or a combination of the following:
· User identity
· Role memberships
· Group membership
· Other information known to the system.
Intrusion Detection
Intrusion Detection is devices or softwares that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management system.
Firewall
Firewall is devices or systems that control the flow of network traffic between networks or between a host and a network. A firewall acts as a protective barrier because it is the single point through which communications pass. Internal information that is being sent can be forced to pass through a firewall as it leaves a network or host. Incoming data can enter only through the firewall. Network firewalls are devices or systems that control the flow of network traffic between networks employing differing security postures.
Malicious Code Protection
Malicious code is the term used to describe any code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system. Malicious code is an application security threat that cannot be efficiently controlled by conventional antivirus software alone. Malicious code describes a broad category of system security terms that includes attack scripts, viruses, worms, Trojan horses, backdoors and malicious active content. Malicious code can take the form of:
· Java Applets
· ActiveX Controls
· Scripting languages
· Browser plug-ins
· Pushed content
Vulnerability Scanners
A vulnerability scanner is a computer program designed to assess computers, networks or applications for known weaknesses. In plain words, these scanners are used to discover the weaknesses of a given system. By running scanners on a regular basis, administrators can also see how effectively they have mitigated
vulnerabilities that were previously identified. Products use dozens of techniques to detect vulnerabilities in hosts’ operating systems, services and applications
CRITICAL ISSUES IN INFORMATION SECURITY AND ETHICS
Information security and ethics are fundamentally related to information privacy. Technological advances, decreased costs of hardware and software, and the World Wide Web revolution have allowed for vast amounts of data to be generated, collected, stored, processed, analyzed, distributed and used at an ever-increasing rate by organizations and governmental agencies. Almost any activity that an organization or an individual is engaged in creates an electronic foot print that needs to be managed, processed, stored, and communicated.
Most critical Information Security issues in next two years, CSI/FBI 2006 Computer Crime and Security Survey 2006: 426 respondents (Source: Gordon, 2006).
Privacy Definition
Data privacy or information privacy is a branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations. More specifically, practical data privacy concerns often revolve around:
1. Whether or how data is shared with third parties.
2. How data is legally collected or stored.
3. Regulatory restrictions such as GDPR, HIPAA, GLBA, or CCPA.
CONCLUSION
As a conclusion, information security is importance to the development of an organization that keep the data or information about their customers or company. The development of modern organizations are depends on the availability, confidentiality and integrity to ensure information security. Other than that, the extensive use of information technology had improves the efficiency of the business, but exposes the organization to additional risks and challenges such as failure to understand about information security, mobile workforce and wireless computing, shortage of information security staff and information security attacks. The implementation of the information security is a process that is by far more complex than the implementation of the other management due to the large number of factors that may affect its effectiveness. To ensure information security, the organization should understand that information security is not solely a technological issue. The organization should also consider the non-technical aspect of information security while developing the information security.
SOURCES AND REFERENCES
o Wiener, N. (1964). God & Golem, Inc. A comment on certain points where cybernetics impinges on religion. MIT Press.
o Wiener, N. (1950). The human use of human beings: Cybernetics and society. Houghton Mifflin. (Second Edition Revised, Doubleday Anchor, 1954).
o Wiener, N. (1948). Cybernetics or control and communication in the animal and the machine. Technology Press.
o Westin, A. (1967). Privacy and freedom. New York: Atheneum
o Gotterbarn, D., Miller, K., & Rogerson, S. (1999). Software engineering code of ethics is approved. Comm. ACM, 42(10), 102-107. o http://www.itsecurity.com/papers/recourse1.htm.
o Grance, T., Stevens, M., & Myers, M. (2003). Guide to selecting information technology security products. National Institute of Standards and Technology, NIST Special Publication 800-36
o Hobbes, T. (1994). Leviathan, 1651 in ed., E. Curley., Chicago, IL: Hackett Publishing Company.