Chapter 11 Concerns Raised in Is

Uploaded by Chin Yang

Intro to Information Systems

Chapter 11
Concerns raised in Information
Systems
Principles and Learning Objectives
• Policies and procedures must be established to
avoid waste and mistakes associated with
computer usage
– Describe some examples of waste and mistakes in
an IS environment, their causes, and possible
solutions
– Identify policies and procedures useful in eliminating
waste and mistakes
– Discuss the principles and limits of an individual’s
right to privacy

Principles and Learning Objectives
(continued)
• Computer crime is a serious and rapidly growing
area of concern requiring management attention
– Explain the types of computer crime and their effects
– Identify specific measures to prevent computer crime

Principles and Learning Objectives
(continued)
• Jobs, equipment, and working conditions must be
designed to avoid negative health effects from
computers
– List the important negative effects of computers on
the work environment
– Identify specific actions that must be taken to ensure
the health and safety of employees
Principles and Learning Objectives
(continued)
• Practitioners in many professions subscribe to a
code of ethics that states the principles and core
values that are essential to their work
– Outline criteria for the ethical use of information
systems
Why Learn About the Personal and
Social Impact of the Internet?
• Both opportunities and threats:
– Surround a wide range of nontechnical issues
associated with the use of information systems and
the Internet
• You need to know about the topics in this chapter:
– To help avoid becoming a victim of crime, fraud,
privacy invasion, and other potential problems
Computer Waste and Mistakes
• Computer waste:
– Inappropriate use of computer technology and
resources
• Computer-related mistakes:
– Errors, failures, and other computer problems that
make computer output incorrect or not useful

Computer Waste
• Spam:
– The indiscriminate sending of unsolicited e-mail
messages to many Internet users.
– Spamming is the favorite tactic of mass mailers of
unsolicited advertisements, or junk e-mail.
– Spamming has also been used by cyber criminals to
spread computer viruses or infiltrate many computer
systems.

Computer Waste
• Spam filter:
– Software that attempts to block unwanted e-mail
– Some might require first-time e-mailers to be verified
before their e-mails are accepted
• Image-based spam:
– New tactic spammers use to circumvent spam-
filtering software
– The message is turned into images, to avoid spam
filters

Computer-Related Mistakes
• Common causes of computer-related mistakes:
– Unclear expectations and a lack of feedback
– Program development that contains errors
– Incorrect data entry by data-entry clerk

Types of computer-related mistakes
• Types of computer-related mistakes:
– Data-entry or data-capture errors
– Errors in computer programs
– Mishandling of computer output
– Inadequate planning for and control of equipment
malfunctions
– Inadequate planning for and control of environmental
difficulties
– Installing computing capacity inadequate for the level of
activity
– Failure to provide access to the most current information

Preventing Computer-Related Waste
and Mistakes
• Preventing waste and mistakes involves:
– Establishing, implementing, monitoring, and
reviewing effective policies and procedures

Implementing Policies and Procedures
• Policies to minimize waste and mistakes:
– Changes to critical tables, HTML, and URLs should
be tightly controlled
– User manual should be available covering operating
procedures
– System should have controls to prevent invalid and
unreasonable data entry

Monitoring Policies and Procedures
• Monitor routine practices and take corrective action
if necessary
• Implement internal audits to measure actual results
against established goals

Reviewing Policies and Procedures
• Questions to be answered:
– Do current policies cover existing practices
adequately?
– Does the organization plan any new activities in the
future?
– Are contingencies and disasters covered?

Computer Crime
• Top four categories of computer crime reported to
law enforcement organizations:
– Undelivered merchandise or nonpayment
– Identity theft
– Credit card fraud
– Auction fraud - attributable to the misrepresentation
of a product advertised for sale through an Internet
auction site or the non-delivery of product purchased
through an Internet auction site

Computer Crime
• Computer crime is defined by the Association of Information
Technology Professionals (AITP) as including:
• (1) the unauthorized use, access, modification, and destruction of
hardware, software, data, or network resources;
• (2) the unauthorized release of information;
• (3) the unauthorized copying of software;
• (4) denying an end user access to his or her own hardware,
software, data, or network resources; and
• (5) using or conspiring to use computer or network resources to
obtain information or tangible property illegally.

The Computer as a Tool to Commit
Crime
• Social engineering:
– Using social skills to get computer users to provide
information to access an information system
• Dumpster diving:
– Going through trash cans / decommissioned storage
devices to find secret or confidential information

Cyberterrorism
• Cyberterrorism:
– The use of information technology by terrorist groups
and individuals to further their agenda. This can
include use of information technology to organize
and execute attacks against networks, computer
systems and telecommunications infrastructures, or
for exchanging information or making threats
electronically.
• Cyberterrorist:
– Intimidates a government or organization to advance
his or her political or social objectives

Identity Theft
• Imposter obtains personal identification information
in order to impersonate someone else:
– To obtain credit, merchandise, and services in the
name of the victim
– To have false credentials

The Computer as a Tool to Fight
Crime
• Leads Online Web-based service system:
– Used by law enforcement to recover stolen property
– Contains more than 250 million records in its database
– Allows law enforcement officers to search the database
by item serial number

Use of Geographic Information
Systems
• Enables law enforcement agencies to gain a quick
overview of crime risk at a given address or in a
given locale
• Common GIS systems include:
– The National Equipment Registry
– The CompStat program
– CargoNet

The Computer as the Object of Crime
• Crimes fall into several categories:
– Illegal access and use
– Data alteration and destruction
– Information and equipment theft
– Software and Internet piracy
– Computer-related scams
– International computer crime

Illegal Access and Use
• Criminal hacker:
– Learns about and uses computer systems to gain
unauthorized use or illegal access to computer systems
• Script bunny:
– A person who uses existing scripts, codes or other tools
illicitly to gain entry into computer systems or networks
without understanding the way the tools function or the
way the systems or networks are designed
• Insider attack:
– Employee who compromises corporate systems

Illegal Access and Use (continued)
• Worm:
– A computer worm is a type of malware that spreads copies of
itself from computer to computer. A worm can replicate itself
without any human interaction, and it does not need to attach
itself to a software program in order to cause damage.
– Worms can modify and delete files, and they can even inject
additional malicious software onto a computer. Sometimes a
computer worm’s purpose is only to make copies of itself
over and over again, depleting system resources, such as
hard drive space or bandwidth, by overloading a shared
network.

Illegal Access and Use (continued)
• Trojan horse:
– Malicious program that disguises itself as a useful
application or game and purposefully does
something the user does not expect
• Virus:
– Program file capable of attaching to disks or other
files and replicating itself repeatedly

Illegal Access and Use (continued)
• Virus:
– A computer virus, much like a flu virus, is designed to
spread from host to host and has the ability to replicate
itself. Similarly, in the same way that flu viruses cannot
reproduce without a host cell, computer viruses cannot
reproduce and spread without programming such as a
file or document.

Illegal Access and Use (continued)
• Virus (continued):
– In more technical terms, a computer virus is a type of
malicious code or program written to alter the way a
computer operates and is designed to spread from
one computer to another. A virus operates by inserting
or attaching itself to a legitimate program or document
that supports macros in order to execute its code. In
the process, a virus has the potential to cause
unexpected or damaging effects, such as harming the
system software by corrupting or destroying data.

Illegal Access and Use (continued)
• Rootkit:
– Set of programs that enable its user to gain
administrator level access to a computer or network
• Logic bomb:
– Type of Trojan horse that executes when specific
conditions occur

Spyware
• Software installed on a personal computer to:
– Intercept or take partial control over user’s interaction with
the computer without knowledge or permission of the user
• Similar to a Trojan horse in that:
– Users unknowingly install it when they download freeware
or shareware from the Internet

Information and Equipment Theft
• Password sniffer:
– Small program hidden in a network that records
identification numbers and passwords
• Portable computers such as laptops and portable
storage devices are especially easy for thieves to
take:
– Data and information stored in these systems are
more valuable than the equipment

Safe Disposal of Personal Computers
• Deleting files and emptying the Recycle Bin does not
make it impossible for determined individuals to view
the data
• Use disk-wiping software utilities that overwrite all
sectors of your disk drive, making all data
unrecoverable

Patent and Copyright Violations
• Software piracy:
– Act of unauthorized copying or distribution of copyrighted
software
– Penalties can be severe
• Patent infringement:
– Occurs when someone makes unauthorized use of
another’s patent

Computer-Related Scams
• Over the past few years:
– Credit card customers of various banks have been
targeted by scam artists trying to get personal
information
• Vishing (voice + phishing):
– Similar to phishing
– Instead of using the victim’s computer, it uses the
victim’s phone
– It is a social engineering tactic by using verbal
scams to trick people into giving personal/valuable
information
International Computer Crime
• Computer crime becomes more complex when it
crosses borders
• Money laundering:
– Disguising illegally gained funds so that they seem
legal

Preventing Computer-Related Crime
• Efforts to curb computer crime are being made by:
– Private users
– Companies
– Employees
– Public officials

Crime Prevention by Public Officials
• Computer Fraud and Abuse Act of 1986:
– Mandates punishment based on the victim’s dollar
loss
• Computer Emergency Response Team (CERT):
– Responds to network security breaches
– Monitors systems for emerging threats

Computer Misuse Act 1990 (UK)
• An Act to make provision for securing computer
material against unauthorised access or modification;
and for connected purposes.

THE CYBER LAW ACTS IN MALAYSIA

• The Malaysian Government has already passed several cyber laws to
control and reduce Internet abuse. These cyber laws include:
– Digital Signature Act 1997
– Computer Crimes Act 1997
– Telemedicine Act 1997
– The Copyright (Amendment) Act 1997
– Communications and Multimedia Act 1998
– Payment Systems Act 2003
– Electronic Commerce Act 2006
– Electronic Government Activities Act 2007
– Personal Data Protection Act 2010
– Cyber Security Act 2024

Digital Signature Act 1997

Why the Act exists:
• Transactions conducted via the Internet are increasing.
• As identities in cyberspace can be falsified and messages
tampered with, there is a need for transacting parties to ascertain
each other's identity and the integrity of the messages, thereby
removing doubt and the possibility of fraud when conducting
transactions online.
• In order to secure electronic communications especially on the
Internet.
• Digital Signature is an identity verification standard that uses
encryption techniques to protect against e-mail forgery. The
encrypted code consists of the user’s name and a hash of all the
parts of the message.
• By attaching the digital signature, one can ensure that nobody can
eavesdrop, or tamper with transmitted data.
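As an added illustration, not taken from the slides, here is the mechanism this slide describes in working Go: the signer's name and the message are hashed together and the hash is signed, so any change to either part breaks the signature. The signer names, message text and struct field names are constructed for this example, and the certificate that binds the public key to the signer (the CA's role in the next slide) is taken as given.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SignedMessage is the unit the slide describes: the signer's name, the
// message, and a signature computed over a hash of all of its parts.
// The field names are assumptions made for this example.
type SignedMessage struct {
	Signer    string
	Body      string
	Signature []byte
}

// digest hashes signer and body together with length prefixes, so that
// neither field can be altered or swapped without changing the hash.
func digest(signer, body string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s", len(signer), signer, len(body), body)
	return h.Sum(nil)
}

// Sign produces the signature with the signer's private key.
func Sign(priv ed25519.PrivateKey, signer, body string) SignedMessage {
	return SignedMessage{
		Signer:    signer,
		Body:      body,
		Signature: ed25519.Sign(priv, digest(signer, body)),
	}
}

// Verify checks the signature against the public key that a certification
// authority would have bound to the signer's identity in a certificate.
func Verify(pub ed25519.PublicKey, m SignedMessage) bool {
	return ed25519.Verify(pub, digest(m.Signer, m.Body), m.Signature)
}

// Demo signs a constructed message and then verifies it unchanged, with the
// amount altered, and with the signer's name replaced. It returns the three
// verification results; only the first should be true.
func Demo() (honest, alteredBody, alteredSigner bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := Sign(priv, "alice@example.com", "Pay RM 100 to account 1234") // constructed
	honest = Verify(pub, m)

	t1 := m
	t1.Body = "Pay RM 1000 to account 1234" // amount changed in transit
	alteredBody = Verify(pub, t1)

	t2 := m
	t2.Signer = "mallory@example.com" // origin replaced, same signature
	alteredSigner = Verify(pub, t2)
	return honest, alteredBody, alteredSigner
}

func main() {
	h, b, s := Demo()
	fmt.Printf("unchanged message verifies: %v\n", h)
	fmt.Printf("altered body verifies:      %v\n", b)
	fmt.Printf("altered signer verifies:    %v\n", s)
	fmt.Println("sample digest:", hex.EncodeToString(digest("alice@example.com", "hello")))
}
```

Note that Body travels in clear: the signature lets the receiver detect tampering and confirm who signed, while keeping the contents from eavesdroppers needs encryption in addition.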
Digital Signature Act 1997

What the Act is about:
• The Act mainly provides for the licensing and regulation
of Certification Authorities (CA).
• CAs issue Digital Signatures and will certify the identity
(within certain limits) of a signer by issuing a certificate.
• The Act also makes a digital signature as legally valid
and enforceable as a traditional signature.
• The Digital Signature Act was brought into force on 1st
October 1998.
Computer Crimes Act 1997

Why the Act exists:
– As computing becomes more central to people's life and work,
computers become both targets and tools of crime.
– This Act serves to ensure that misuse of computers is an
offense.
– Gives protection against the misuses of computers and
computer criminal activities such as unauthorized use of
programs, illegal transmission of data or messages over
computers and hacking and cracking of computer systems and
networks.
– Users can protect their rights to privacy and build trust in the
computer system.
– The government can have control at a certain level over
cyberspace to reduce cyber crime activities.
Unauthorised Access

• Access of any kind by any person to any
program/data held in a computer is unauthorised
if:
– He is not himself entitled to control access of the kind
in question to the program/data
– He does not have consent or exceeds any right or
consent to access by him of the kind in question to
the program/data from any person who is so entitled

Offences

• Unauthorised access to computer material:
– Causes a computer to perform any function with intent to secure
access to any program/data held in any computer
– The access he intends to secure is unauthorised
– He knows at the time when he causes the computer to perform the
function that that is the case

Offences - continued

• Unauthorised access with intent to commit or
facilitate commission of further offence:
– With intent to commit an offence involving fraud or
dishonesty or which causes injury
– Facilitate the commission of such an offence whether by
himself or by any other person
– It is immaterial whether the offence is to be committed at
the same time when the unauthorized access is secured
or on any future occasion

Offences - continued

• Unauthorised modification of the contents of any computer:
– Does any act which he knows will cause unauthorised modification
of the contents of any computer:
• Any particular program/data
– Immaterial whether the unauthorised modification was permanent
or temporary

Offences - continued

• Wrongful communication:
– Communicates directly or indirectly a number, code,
password or other means of access to a computer to any
person other than a person to whom he is duly authorised
to communicate

Offences - continued

• Presumption:
– A person who has in his custody/control any program,
data or other information inside a computer or retrieved
from any computer which he is not authorised to have in
his custody/control is deemed to have obtained
unauthorised access to such program, data or
information, unless proven otherwise

Crime Prevention by
Corporations/Employees/Individuals
• Guidelines to protect your computer from criminal
hackers:
– Install the latest security patches/operating systems
patches
– Disable guest accounts and null user accounts
– Turn audit trails on (an audit trail is documentation that
allows a transaction to be traced through all stages of its
information processing)
– Install a corporate firewall between your corporate
network and the Internet
– Install a software/hardware firewall between your
home network and the Internet
Crime Prevention by
Corporations/Employees/Individuals
– Install strong user authentication and encryption
capabilities on your firewall
– Use Antivirus software and keep it up to date
– Use a hard to guess password that contains a mix of
numbers & letters, and change it frequently
– Use different passwords for different websites and
applications to make it harder for hackers to
compromise all the systems
– Do not open email attachments unless you know the
source of the incoming message

Using Intrusion Detection Software
• Using intrusion detection software:
– Intrusion detection system (IDS):
• Monitors system and network resources
• Notifies network security personnel when it senses a
possible intrusion
• Can provide false alarms
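An added example, not part of the slides, of the kind of rule an IDS applies to the resources it monitors: count failed logins per source address inside a sliding time window and raise one alert per source for security personnel. The log lines, the log format and the thresholds are constructed for this example; running the same rule with a lower threshold shows the false-alarm case the slide mentions, where a user who simply mistyped her password gets flagged.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed for this example (not output from any real host).
// Timestamps are RFC 3339 in UTC. 10.0.0.5 is a user who mistypes her
// password twice and then logs in; 203.0.113.7 tries six accounts in 15 s.
const sampleLog = `2024-03-01T09:00:01Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:05Z sshd: Failed password for alice from 10.0.0.5
2024-03-01T09:00:09Z sshd: Accepted password for alice from 10.0.0.5
2024-03-01T09:10:00Z sshd: Failed password for root from 203.0.113.7
2024-03-01T09:10:03Z sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:10:06Z sshd: Failed password for oracle from 203.0.113.7
2024-03-01T09:10:09Z sshd: Failed password for test from 203.0.113.7
2024-03-01T09:10:12Z sshd: Failed password for guest from 203.0.113.7
2024-03-01T09:10:15Z sshd: Failed password for backup from 203.0.113.7`

// lineRe extracts the fields the detector needs from one login event.
var lineRe = regexp.MustCompile(`^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$`)

// Alert is what the IDS hands to security personnel.
type Alert struct {
	Source   string    // address that produced the failures
	Failures int       // failures seen inside the window so far
	First    time.Time // first failure in the window
	Last     time.Time // most recent failure
}

// Detect raises one alert per source address that produced at least
// threshold failed logins within any window-sized interval, and keeps the
// alert's count current as further failures arrive.
func Detect(log string, threshold int, window time.Duration) []Alert {
	recent := map[string][]time.Time{} // failure times per source, within window
	open := map[string]int{}           // source -> index into alerts
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil || m[2] != "Failed" {
			continue // not a failed-login event
		}
		ts, err := time.Parse(time.RFC3339, m[1])
		if err != nil {
			continue // malformed timestamp: skip rather than crash the sensor
		}
		src := m[4]
		kept := recent[src][:0] // drop failures older than the window
		for _, t := range recent[src] {
			if ts.Sub(t) <= window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ts)
		recent[src] = kept
		if len(kept) < threshold {
			continue
		}
		if i, seen := open[src]; seen {
			alerts[i].Failures, alerts[i].Last = len(kept), ts
		} else {
			open[src] = len(alerts)
			alerts = append(alerts, Alert{src, len(kept), kept[0], ts})
		}
	}
	return alerts
}

func main() {
	for _, threshold := range []int{5, 2} {
		fmt.Printf("threshold %d failures per minute:\n", threshold)
		for _, a := range Detect(sampleLog, threshold, time.Minute) {
			fmt.Printf("  ALERT %s: %d failures between %s and %s\n",
				a.Source, a.Failures, a.First.Format("15:04:05"), a.Last.Format("15:04:05"))
		}
	}
}
```

With the threshold at 5 only 203.0.113.7 is reported; at 2 the user's own typos also raise an alert, which is the trade-off between missed intrusions and false alarms that the threshold tunes.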

Using Security Dashboard
• Security Dashboard:
– Provides comprehensive display on a single computer
screen of:
• All the vital data related to an organization’s security
defenses, including threats, exposures, policy
compliance, and incident alerts

Using MSSPs
• Using managed security service providers
(MSSPs):
– Many are outsourcing their network security
operations to:
• Managed security service providers (MSSPs) such as
Counterpane, Guardent, IBM, Riptech, and Symantec
• Guarding against theft of equipment and data:
– Organizations need to take strong measures to
guard against the theft of computer hardware and
the data stored on it

Crime Prevention for Individuals
• Install a software/hardware firewall between your
home network and the Internet
• Identity theft:
– To protect yourself, regularly check credit reports
with major credit bureaus
• Malware attacks:
– Antivirus programs run in the background to protect
your computer
– Many e-mail services and ISP providers offer free
antivirus protection

Crime Prevention by Corporation -
Security Management
• Security management is the accuracy, integrity,
and safety of all information system processes and
resources.
• Effective security management can minimize
errors, fraud, and losses in the information systems
that interconnect today’s companies and their
customers, suppliers, and other stakeholders.
• Security managers must acquire and integrate a
variety of security tools and methods to protect a
company’s information system resources.

Important Security Measures under
Security Management of IS

Privacy Issues

• Issue of privacy:
– Deals with the right to be left alone or to be
withdrawn from public view
• Information technology makes it technically and
economically feasible to collect, store, integrate,
interchange, and retrieve data and information
quickly and easily.
• Data is constantly being collected and stored on
each of us.

Privacy Issues

• Confidential information on individuals contained in
centralized computer databases by credit bureaus,
government agencies, and private business firms
has been stolen or misused, resulting in the
invasion of privacy, fraud, and other injustices.
• The unauthorized use of such information has
badly damaged the privacy of individuals.

Privacy and the Government
• Governments across the world:
– Have implemented a number of laws addressing
personal privacy
• European Union:
– Has data-protection directive that requires firms
transporting data across national boundaries to have
certain privacy procedures in place

E-Mail Privacy
• U.S. federal law:
– Permits employers to monitor e-mail sent and received by
employees
• E-mail messages that have been erased from hard
disks can be retrieved and used in lawsuits.
• Computer monitoring:
– computers are being used to monitor the productivity and
behavior of millions of employees while they work.
– Computer monitoring has been criticized as an invasion
of the privacy of employees because, in many cases,
they do not know that they are being monitored or don’t
know how the information is being used
Privacy and Personal Sensing Devices
• RFID tags:
– Microchips with antenna
– Embedded in many of the products we buy:
• Medicine containers, clothing, computer printers, car keys,
library books, tires
– Generate radio transmissions that, if appropriate
measures are not taken, can lead to potential privacy
concerns

Privacy and the Internet
• Huge potential for privacy invasion on the Internet:
– E-mail messages
– Visiting a Web site
– Buying products over the Internet
• Social network services:
– Parents should discuss potential dangers, check
their children’s profiles, and monitor their activities

Internet Libel Concerns
• Libel:
– Publishing an intentionally false written statement that
is damaging to a person’s or organization’s reputation
• Individuals:
– Can post information to the Internet using anonymous
e-mail accounts or screen names
– Must be careful what they post on the Internet to
avoid libel charges

Filtering and Classifying Internet
Content
• Filtering software:
– Help screen Internet content
• Internet Content Rating Association (ICRA):
– Goals are to protect children from potentially harmful
material while also safeguarding free speech on the
Internet

Fairness in Information Use
• The Privacy Act of 1974:
– Provides privacy protection from federal agencies
– Applies to all federal agencies except the CIA and law
enforcement agencies
– Requires training for all federal employees who interact
with a “system of records” under the act

Electronic Communications Privacy
Act
• Gramm-Leach-Bliley Act:
– Requires financial institutions to protect customers’
nonpublic data
• USA Patriot Act:
– Internet service providers and telephone companies
must turn over customer information
• Corporate privacy policies:
– Should address a customer’s knowledge, control,
notice, and consent over the storage and use of
information

Personal Data Protection Act
2010 (Malaysia)
• With it, businesses in Malaysia are now faced with additional
responsibilities and requirements when it comes to dealing with personal
data of their employees, suppliers, and customers
• Under the Act, data users are required to comply with 7 Personal Data
Protection Principles.

1. General: Personal data can only be processed with the data subject’s
consent.

2. Notice and Choice: Data subjects must be informed by written notice
of, among other things, the type of data being collected and the
purpose, its sources, the right to request access and correction, and the
choices and means by which the data subject can limit the processing of
their personal data.

Personal Data Protection Act
2010 (Malaysia)
3. Disclosure: Personal data may not be disclosed without the data
subject’s consent for any purpose other than that which the data was
disclosed at the time of collection, or to any person other than that
notified to the data user.

4. Security: Data users must take practical steps to protect the
personal data from any loss, misuse, modification or unauthorized
access or disclosure, alteration or destruction.

Personal Data Protection Act
2010 (Malaysia)
5. Retention: Personal data shall not be kept longer than is necessary
for the fulfillment of its purpose.

6. Data Integrity: Data users must take reasonable steps to ensure
that personal data is accurate, complete, not misleading and kept up
to date.

7. Access: Data subjects must be given access to their personal data
and be able to correct any personal data that is inaccurate,
incomplete, misleading or not up to date.

Individual Efforts to Protect Privacy
• To protect personal privacy:
– Find out what is stored about you in existing databases
– Be careful when you share information about yourself
– Be proactive to protect your privacy
– Take extra care when purchasing anything from a Web
site
– Do not allow online merchants to store your credit card
information for future purchases
– Send payment information only to secure sites, look for
the padlock or key icons to ensure data traffic is
encrypted
Individual Efforts to Protect Privacy
• To protect personal privacy:
– Sensitive e-mail should be protected by
encryption (however, this requires both e-mail parties to
use compatible encryption software built into their
e-mail programs)
– Individuals can also decline to reveal personal data
and interests on online services and on website user
profiles to limit the exposure to electronic snooping

Individual Efforts to Protect Privacy
• “Let’s face it; we can’t always control what is happening
in our world, so we must take steps to control what we
can. Technology is here to stay, but there are still
simple and inexpensive ways to prevent identity theft.
Remember that a crook always looks for the easiest
route to riches. Don’t hand him a map. Be proactive and
start protecting yourself today.”

• Source: Adapted from Frank Abagnale, “Abagnale: Top Tips to
Prevent Identity Theft and Fraud,” CIO Magazine, May 24, 2007

The Work Environment
• Use of computer-based information systems has
changed the workforce:
– Jobs that require IS literacy have increased
– Less-skilled positions have decreased
• Enhanced telecommunications:
– Has created global markets in industries once limited
to domestic markets

Health Concerns
• Video display terminal (VDT) bill (US):
– Employees who spend at least four hours a day
working with computer screens should be given 15-
minute breaks every two hours

Avoiding Health and Environment
Problems
• Work stressors:
– Hazardous activities associated with unfavorable
conditions of a poorly designed work environment
• Ergonomics:
– Science of designing machines, products, and
systems to maximize safety, comfort, and efficiency
of people who use them

Ethical Issues in Information Systems
• Code of ethics:
– States the principles and core values essential to a
set of people and, therefore, govern their behavior
– Can become a reference point for weighing what is
legal and what is ethical

Summary
• Computer waste:
– The inappropriate use of computer technology and
resources in both the public and private sectors
• Preventing waste and mistakes involves:
– Establishing, implementing, monitoring, and
reviewing effective policies and procedures
• Some crimes use computers as tools
• Cyberterrorist:
– Intimidates or coerces a government or organization
to advance his or her political or social objectives

Summary (continued)
• To detect and prevent computer crime use:
– Antivirus software
– Intrusion detection systems (IDSs)
• Privacy issues:
– A concern with government agencies, e-mail use,
corporations, and the Internet
• Businesses:
– Should develop a clear and thorough policy about
privacy rights for customers, including database
access

Summary (continued)
• Computer-related scams:
– Have cost people and companies thousands of
dollars
• Ergonomics:
– The study of designing and positioning computer
equipment
• Code of ethics:
– States the principles and core values that are
essential to the members of a profession or
organization

• Homework – nah..
