A framework for ethical information security.
1.1 INTRODUCTION

Political and ideological barriers have been changing, leading to an abundance of opportunities for collaboration between organisations. This has in turn led to an increased need for technological advances in order for organisations to support these collaborative efforts. Even though some of these technologies have existed for years, it is only recently that changes in political climates have allowed for the utilisation of these technologies, for instance the increased use of business-to-business trading via electronic commerce. This technological advancement has meant that there is an increase in the misuse of these information technologies. Initially organisations needed to protect their resources from physical security threats, such as fire or floods. Most organisations entering into online commerce will have noted an increase in the number of information security threats to which they are now exposed. These security threats to information have led to a new need within the information technology industry, more specifically, information security. This need for information security has continued to evolve over the past two decades.

With the advancement of information technology, organisations created warehouses of information, more commonly referred to as databases. However, the information within these databases needed to be managed appropriately. It had to be disseminated within the appropriate constraints, i.e. it had to be delivered within the organisation on time, but only to those authorised to view this information. This led to the increased need for logical information security mechanisms. These mechanisms included controls for granting access rights to individuals within the organisation to view the information within these databases.
The collaborative efforts between businesses and other trading affiliates resulted in a need to disseminate information across a global infrastructure. The Internet was the enabling mechanism that was used to transport this information. However, organisations had to transport their information over this inherently insecure network in a secure manner. Suddenly they were connecting their relatively secure internal networks to an insecure external network environment. The number of threats to which they were exposed mushroomed. Some of these threats included data theft, system espionage, software piracy, identity theft and fraud. Each of these threats created an urgent need for a new approach to information security management and has emphasised the unethical behaviour that can accompany the use of information technology.

Organisations needed to create an awareness of the need for information security. Mechanisms, such as firewalls, were put in place to protect the organisation from external threats. Internally, however, information security policies needed to be put in place along with guidelines to be followed and standards that could be used to comply with a minimum acceptable level of security assurance.

Providing a secure information technology environment is not as simple as implementing recommended security policies and procedures. The complexity of the information technology environment makes it increasingly difficult for organisations to protect themselves, whilst keeping the best interests of their customers and trading affiliates at heart. The need for an appropriate, ethically correct approach to the management of this information security environment is paramount, and this therefore provided the primary motivation for this study.

1.2 TERMINOLOGY

For the purposes of this dissertation, the following definitions will be ascribed to frequently recurring terms and concepts:
Information security. The International Organization for Standardization (ISO) has defined information security in terms of five security services, namely identification and authentication, authorisation, confidentiality, integrity and non-repudiation. Each service is required to ensure that information will be protected and secured during its storage, transmission and usage [PFLE 97, ISO 01].

Ethics. Ethics is defined in the Oxford Dictionary as the science of morals in human conduct [OXFO 98].

Code of conduct. This is a guideline directing organisations and individuals in expected ethical behaviour [OXFO 98]. It is a suggested method for best practice and is therefore not enforceable. Often codes of conduct are intended to be used as a reference document for organisations and their employees, who are responsible for initiating, implementing and maintaining information security procedures [BSI 99].

Standard. A standard is a quality or measure serving as a basis or example or principle to which others should conform or by which others are judged [OXFO 99]. A standard is often implemented as a mandatory statement of goals and, most importantly, it is measurable.

Electronic commerce (e-commerce). The shopping part of the Internet where customers purchase goods and services from organisations [RAPP 01].

Electronic business (e-business). These are the business activities conducted using electronic data transmission elements of e-commerce. These elements include:
o consumer shopping on the web or business to consumer (B2C)
o transactions conducted between businesses on the web or business to business (B2B)
o the transactions and business processes that support selling and purchasing activities on the web [RAPP 01].

1.3 PROBLEMS AND ISSUES TO BE ADDRESSED

The increasing need for and dependence on e-commerce for trading between organisations has created new ethical challenges for information security. Although organisations have always needed to protect their systems against intellectual property breaches and privacy breaches, they are now obligated to formulate security policies that will control the deluge of ethical threats to which organisations and individuals are now exposed.

This dissertation is aimed at making a contribution towards the management of ethical issues within information security. An information security ethical framework will be proposed to assist organisations in creating an ethical awareness.

The main problems and issues to be addressed in this study can therefore be formulated in the following three questions:

1.3.1 What is meant by an ethical approach to information security?

Answering this question involves a thorough description of ethics. The origin of ethics must be studied. A clear understanding of ethics will help to establish the need for an ethical approach to information security.
1.3.2 What information security ethical controls and mechanisms can be used to address the information system requirements of organisations and individuals?

To answer this question detailed research was undertaken to study available security services and mechanisms and to establish possible ethical information security mechanisms and controls that can be used to assist organisations in their endeavour to protect themselves, their customers and trading affiliates from ethical information security breaches.

1.3.3 What ethical codes of conduct and information security standards can an organisation use?

This final question is very important. Organisations often use information security standards as a starting point for implementing security controls. This dissertation aims to examine these information security standards to determine the extent to which they are able to create an ethical awareness. As most standards will not specifically include ethical awareness issues, ethical codes of conduct should be able to assist organisations in creating an ethical awareness. This dissertation will determine the extent to which this is achieved.

The principal aim of this dissertation is to consider information security from an ethical perspective to establish an awareness and the need for an ethical information security framework.
1.4 DISSERTATION LAYOUT

Figure 1.1 depicts the relationship between the various chapters in this dissertation.

Chapter 1 Introduction
Chapter 2 An ethical approach to information technology with specific reference to the Internet
Chapter 3 A framework for the implementation of ethical controls in information security
Chapter 4 Privacy
Chapter 5 Property
Chapter 6 Obligation
Chapter 7 Ethical codes of conduct
Chapter 8 Standardisation and its adherence to ethical information security controls
Chapter 9 Conclusion

Figure 1.1 Layout of the dissertation
Chapter 1 forms the introduction to the dissertation.

Chapter 2 is devoted to defining the term “ethics” and providing the detailed origin of ethics. A distinction is then made between legal expectations versus an ethical approach. A broad approach is taken in this chapter regarding the utilisation of ethical awareness within general information technology.

Chapter 3 gives a complete description of the framework that will be used to analyse and assess the implementation of ethics in information security.

Chapters 4, 5 and 6 all have the same structure. Each of these chapters discusses the three controls that were defined in the ethical information security framework. Each control is analysed according to possible threats to organisations. An awareness is created with regard to problem areas that pose ethical breaches in organisations with specific reference to each ethical information security control. The recommended solutions that can and should be implemented by organisations are then described.

Chapter 7 evaluates the adoption of ethical codes of conduct for organisations and their employees. It stands to reason that if organisations and employees adopt these codes of conduct, the codes should adhere to the ethical information security controls of privacy, property and obligation. Therefore the objective of this chapter is to determine whether the ethical information security controls are adequately addressed in these ethical codes of conduct. If not, an awareness must be created as to where they are lacking.

Chapter 8 describes available baseline information security standards. Each of these standards can be adopted by organisations as a starting point for the implementation of security. This chapter studies the need for a unified ethical approach to information security management. The recent ISO 17799 standard was chosen to be assessed according to the ethical information security controls. An awareness must be created of the limitations of this standard.

Chapter 9 brings the dissertation to a close by summarising the whole study and concluding what was gained by it.

Appendix A is a paper entitled “A framework for the implementation of socioethical controls in information security”. This paper was published in Computer and Security, volume 20, number 5. It was adapted with results from recent research and was then presented at the 1st Annual Information Security for South Africa Conference, held in Magaliesberg on 19-20 July 2001. This paper was further enhanced and presented at the Interpol National Cybercrime Summit held in Midrand, August of 2001.

Appendix B is the detailed analysis that was given of the ISO 17799 standard. This was the basis for the discussion in chapter 8.
CHAPTER 2 AN ETHICAL APPROACH TO INFORMATION TECHNOLOGY WITH SPECIFIC REFERENCE TO THE INTERNET

“The health and well being of the Internet is the responsibility of its users who must, uniformly, guard against abuses which disrupt the system and threaten its long term viability.” [ITO 00]
2.1 INTRODUCTION

A revolution is currently taking place in information technology. The area most affected by this revolution is the usage of the Internet. There has been a convergence among computing environments, telecommunications and intelligent systems. This convergence has drawn increased attention to the impact that the Internet is having on society.

The rapid growth and inherent advantages of conducting business electronically over a worldwide network, i.e. the Internet, make it easier for organisations to overlook the many implications involved [RAPP 01] [CLAR 99a]. These implications include the education of people in the correct usage of new technologies, the impact that the above-mentioned convergence has on society, as well as the impact society has on the digital organisation.

This chapter examines the extent of information technology’s social and ethical implications. A thorough exposition will be given of the behaviour of individuals and the creation of virtual communities, organisations and governments within the Internet context. This chapter is structured as follows:

• A detailed background of the origin of ethics will be given first.
• A distinction will then be made between legal versus moral and ethical behaviour.
• The possible theories of various ethical methodologies will be examined, and in conclusion the ethical approach that many organisations should take with regard to Internet usage will be considered.
2.2 ETHICS DEFINED

In 430 BC, one of the world’s most famous philosophers first set out to define the term “ethics” [BECK 98]. Socrates succinctly defined the term as that state in which it is “conceivable to master pure virtue and achieve the ultimate truth”. His definition paved the way for a more recent and more widely used definition, contained in the Collins English Dictionary, where ethics is defined as “the dealing of moral questions and involves the conforming of a person to a recognised code” [COLL 92]. It is therefore a science in itself, as it deals with a system of principles and the rules of conduct of a person or an organisation. In short, it can be summarised as a code of behaviour or a system of moral beliefs about what is right or wrong in accordance with the principles of professional conduct.

How then does ethics fit into the science of information technology? “It is an area of study regarding what human behaviour is acceptable and what is unacceptable in terms of IT” [WOMB 00]. Ethics could also manifest as a power struggle, with the one in the most powerful position having the upper hand, which is exactly where ethics is needed to protect those with less power or those unable to defend their rights. Therefore organisations must be made aware of what behaviour is deemed acceptable and unacceptable under varying information technology (IT) circumstances. Furthermore, it must be the constant endeavour of an organisation to incorporate ethical issues in the inception, development and maintenance of its IT system. This newfound awareness specifically manifests in the understanding that both the user (including the customer) and the organisation must adhere to certain ethical principles.

Therefore ethics can be defined for the purpose of this thesis as: a moral philosophy or body of principles governing what behaviour is deemed acceptable or unacceptable within the information technology paradigm.
Many diverse cultures exist globally and these cultures vary according to race, religion, class distinction and even interest groups. Ultimately the common underlying element among these groups is that each one has an ethical code to which they adhere and under which they find unity. At times this ethical code is supported by legislation, and at others it is supported by moral standards. Therefore a distinction must be made between what is legally acceptable, ethically acceptable and morally acceptable. The next section delves into this distinction.

2.3 LEGAL APPROACHES VS. MORAL STANDARDS VS. ETHICAL APPROACHES TO THE IDEAL SOCIAL BEHAVIOUR

Ethics is the study of the science of social behaviour. As mentioned previously, every culture has an ethical code. Even the Internet has formed its own culture. Depending on the Internet community or virtual community of an individual, the ethical culture will vary. Each of these virtual communities forms because of common interests. Unfortunately, there is a tendency for some virtual communities to abuse the available technology. In these cases, ethical codes have not developed sufficiently in these individuals at birth. There is an inability to determine right from wrong. This is where parameters need to be defined. Three general areas have been identified, namely legislation, ethics and morals [FORC 95] [ROSE 00]. However, it is important to note that there is no specific distinction between the three areas, as they overlap significantly.

If there is a lack of ethical behaviour in the usage of the Internet, often legislation can be used to enforce ethical standards. Citizens will be prohibited from acting of their own volition, and therefore a social structure will be promulgated. However, in some cases legislation has been passed where the laws can be interpreted as being unethical. In other cases, there is no legislation to determine what is ethically correct; perhaps it is necessary to appeal to a person’s sense of morality?

A fine distinction can be made between ethics and morality. Morality is often an attempt to control a person’s most powerful urges, i.e. a hunger for money, sex and power. Often a person’s religious convictions can be used to sway them from these urges and to force them to act morally. Unfortunately on the Internet, the ability to remain anonymous at times dissuades people from acting morally. This is where ethics is needed to influence even virtual communities to act according to social beliefs.

According to a study by Karen Forcht [FORC 95], a quadrant of behaviour can be developed. Her model includes legislation and morality, but it fails to depict an area for ethics. An enhancement of this model to include ethics has been depicted below:

                      | Immoral                                        | Moral
----------------------+------------------------------------------------+------------------------------------------
Legal / Ethical       | A. Collection of adult information without     | B. Opt in/out of information collection
                      |    consent                                     |
----------------------+------------------------------------------------+------------------------------------------
Illegal / Unethical   | C. Collection of children’s information        | D. User profiling

Figure 2.1 Quadrants of acceptable behaviour
Legend for each quadrant

Quadrant A – Information that is collected on an adult in a cookie to track his or her movements on the Internet.
Quadrant B – No information will be collected on children 16 years and younger for promotional purposes.
Quadrant C – Information collected on children 16 years and younger.
Quadrant D – Information collected in a cookie that was not originally sent in the cookie.

The easiest quadrant to understand is quadrant B. An organisation is not legally allowed to collect information on minors. Therefore it is legally acceptable to state that an organisation will not gather information on minors for promotional purposes. It stands to reason then that this policy would be morally and ethically acceptable too. Quadrant C is also easy to understand. If an organisation defies the law and collects information on a minor, it is acting illegally, immorally and unethically. However, the confusion can arise between quadrants A and D. To elaborate further, in quadrant A an organisation may legally allow for the monitoring of an adult's information. However, even though it is legally acceptable, it is still not considered morally acceptable to monitor an individual’s movements. It is still ethically acceptable to assist individuals by helping to keep information on them in the form of cookies, even if it is morally unacceptable. A fine line exists between quadrant A and quadrant D. A problem arises if an organisation starts accessing the cookies that have been stored on individual computers by other organisations, and begins to put a profile together on the individual so that they could even find that person's physical identity. In many countries, this is deemed illegal, as it entails accessing information on the individual's computer without their consent, a kind of breaking and entering scenario. This situation is unethical, yet some organisations feel it is morally acceptable as it can help them improve their competitive status in the marketplace.
If an organisation or an individual can understand the fine line between the three key areas that govern our lives, then hopefully it will make it easier for us to accept the social impact that the Internet has on our lives. It is then possible to understand acceptable and unacceptable behaviour that governs the Internet.

2.4 A LOOK AT ETHICAL THEORIES

Businesses are often faced with difficult ethical situations, such as whether to cut corners on quality to meet a deadline or whether to lay off workers to enhance profits. Perhaps a more recent and difficult debate concerns the use of foreign workers paid extremely low wages, especially in the clothing industry.

With the extreme pressures of business, managers may not always have the luxury of time for reflection on an ethical situation. The stakes may be high and tempt the managers to compromise ideals. However, how should they respond? No doubt they have over time developed an ethical outlook. They know what is deemed acceptable and unacceptable under various conditions. By considering various approaches to ethical decision-making, these managers will be able to make the right choice when the need arises.

The subject of ethics is highly intricate and there are significant differences of opinion regarding what constitutes ethical behaviour and how ethical decisions should be made [POZN 01]. The method that each manager prefers may differ, but hopefully, by considering the alternatives, managers will be able to make decisions that are right for the situation.

2.4.1 A background to ethical schools of thought

As already mentioned, ethics is a branch of philosophy that is concerned with moral duty and ideal human character. Ethical problems are often examined by using knowledge that has been gained from past experiences. Philosophers have over many decades analysed various ethical theories to create an ethical methodology. However, is it possible to always find a methodology that will coincide with the problem at hand?

Ultimately, the solution to an ethical problem depends on the code of ethics on which an individual bases his or her ethical viewpoint [DICT 01]. There are two traditional theories of ethics:
1) Teleological ethics - an action is right if it brings about the desired good.
2) Deontological ethics - an action is deemed correct when it coincides with a moral rule.

The next section will consider these two schools of thought and define a newer theory that is used today.

2.4.2 Classical ethical theories

The moral standards that most of us subscribe to depend on rules of conduct which, when used in addition to factual knowledge, can help us determine what an individual or organisation should or should not do in a situation. The two ethical theories, as mentioned above, are fairly contemporary.

The first ethical system, i.e. teleological, is based on a principle proposed by Jeremy Bentham in the late 1700s [DICT 01]. It states that an action is morally right if the consequences of the action bring about the desired good. In other words, an action is judged not by its intrinsic rightness, but by the extent to which the action advances the goals pursued by the individual.

Immanuel Kant proposed the second ethical system, deontological ethics, in the late 1700s [STRE 01]. It states that an action is right if it coincides with a moral rule and wrong if it violates this moral rule. In such an instance the moral rule is based on an ultimate principle of duty. In other words, theories of actions are based on a duty or moral obligation. Actions are judged by their intrinsic rightness and not by the extent to which they further an individual's own goals or aspirations.

Suppose a charity organisation finds software that would greatly assist it in its endeavours. This software is then copied for the organisation.
1) Under the teleological system, the cost savings and enhanced service that it as a charitable organisation can now offer greatly offset the monetary loss incurred to the software owner, and this action is therefore considered ethical.
2) Under the deontological system, the copying of the software would be unethical as it violates the moral rule that stealing is wrong.

Knowing that there are two equally moral yet relatively opposing theories to ethics, the information technology profession tends to adopt an instrumentalist approach to ethics, i.e. a combination of the two schools of thought [CLAR 99a]. These ethical theories are implemented in such a way that when an ethical situation arises, the principles or moral rules used should have a volitional power. This means that people will be compelled to act ethically based on their own motivational power to determine right from wrong.

2.4.3 A modern approach to ethics – the instrumentalist approach

While the classical views of decision-making emphasise consistency with past decisions, the instrumentalist approach advocates an investigation into the effects a decision might have and the capabilities of the law [BUTL 01]. Therefore an instrumental view is less interested in precedence than in an “orientation towards the future” [BUTL 01]. In other words, instead of an emphasis on consistency with the essence of past experiences, the instrumentalist decision-maker looks to the worldly implications of his or her decision. For instance, referring to the previous example on software piracy, a person who bases his or her ethical judgement on teleological or deontological reasoning would look at antecedent rights and obligations, as was the case in previous incidents.

Suppose a non-profit organisation, such as the Red Cross, is to supply relief aid to natural disaster victims, such as the flood victims in Mozambique. Given an unusual situation, they require software to enable them to analyse the demographics, food requirements and location of these victims. Taking an instrumentalist approach, this non-profit organisation will copy the software based on the fact that the future good of doing so will be more beneficial than the consequences of pirating the software. Ultimately, the instrumentalist adopts a pragmatic approach and realises that the issues involved are as important as the victims' relief. However, he or she will still look at the greater implications for all parties involved in the future.

The table below sets out the different theories of ethical methodologies.
Example: The usage of company Internet resources by individuals while at work.

Instrumentalist theories: If the situation arose in which an important document could not be sent due to the amount of private usage of a company resource, this school of thought would find this usage unethical. However, if this usage did not have any future consequences, it would be deemed ethical.

Teleological theories: Many individuals would use the company's Internet resources as long as they felt that it would advance their personal desires and needs. This action is therefore ethical.

Deontological theories: Individuals who apply this school of thought would find this scenario to be unethical because it affects the bandwidth or even the cost of using this facility for the organisation. This action is therefore unethical.

To summarise:

Instrumentalist theories: Looking at the future consequences of an action will determine its ethical basis.

Teleological theories: Looking at past experience and if the deed greatly offsets the harmful implications involved, then it is deemed ethical.

Deontological theories: Looking at a moral rule or even the law, if a situation arises where it breaks this rule, this action is deemed unethical.

Table 2.1 Example of the different views and theories of ethical methodologies

Managers in organisations today tend towards the instrumentalist approach. They base their outlook on the possible consequences on the future, despite the inherent implications of software piracy. This is still a problem for many software houses.
Building on this and adopting the instrumentalist view for the purposes of this thesis, the ethical aspects of an individual’s behaviour will be discussed within the context of an organisation. It is necessary to understand why individuals behave in a certain way and what the effect of this behaviour is on the organisation. Furthermore, it is important to see why this in turn affects the organisation. The next section investigates the ethical behaviour that can be expected of an individual on the Internet. Following on from this, the ethical behaviour of virtual communities, organisations and governmental agencies will be viewed in a modern context.

2.4.4 Ethical aspects of individual behaviour, virtual communities, organisations and governmental behaviour

Individuals, organisations and governmental agencies have a certain social behaviour when operating in an electronic environment. Each form of behaviour that arises because of this electronic environment can be categorised into behaviour expected by individuals, virtual communities, organisations and governments. This section investigates each of these categories to determine the effect they have on an electronic environment and its participants and conversely, how they are affected by this electronic environment, particularly the Internet.

a) Individual behaviour on the Internet

Information technology has resulted in a convergence of powerful computers in a distributed networking environment that is capable of gathering, storing and distributing large amounts of information. There have been several positive uses of the Internet by individuals. Some of these uses include education of individuals over long distances, interpersonal communications and increased access to multifarious information resources. However, despite the many positive attributes the Internet offers people, there is the opposing dysfunctional behaviour that arises. This behaviour ranges from the milder problem of rumour mongering, to problems of harassment, to the dreadful proliferation of child pornography. Both positive and negative aspects of individual behaviour on the Internet lead to the grouping of these individuals, that is, the creation of virtual communities.

b) Virtual communities

The main locus for the meeting of individuals with common objectives is in cyberspace. These associations, which are facilitated by the use of the Internet, are termed “virtual communities”. Membership is often depicted by a common lingual boundary, despite having a globally distributed membership. However, these groups are found to have a common value system. In the late 1970s groups of computer scientists interacted to share research information. This has evolved into many other areas. Studies have shown [CLAR 99a] that most of these virtual communities have been social in nature rather than political. However, with the increase in business activities being conducted over the Internet, the government is becoming increasingly involved in monitoring these virtual communities. The drawback of the proliferation of these communities is that the once small groupings of individuals, who shared the same ethical and moral philosophy, start becoming affected by large increases in subscriptions to their community, and this degrades the shared philosophy. As a New York Times cartoon caption once stated, “On the net, nobody knows you’re a dog” [CLAR 99b]. However, despite the ability of an individual to truly hide his or her identity, certain attitudes begin to reveal themselves and the ethos begins to degrade. Despite numerous views on virtual communities, an underlying aphorism is that use of information is free. Many organisations prefer to apply a value to their information and therefore try to prevent the free use of information. Ultimately this is an ethical dilemma that needs to be addressed in society and hopefully will be addressed in the course of this dissertation.
Further to this aphorism is the right that all people have to act anonymously. It is an area of ethical concern for many philosophers, perhaps less so for organisations. Unfortunately, along with this right of an individual or virtual community to act anonymously comes the prospect of unethical behaviour. Referring to the previous example on the proliferation of child pornography on the Internet, the freedom to act anonymously brings with it the risk of anti-social behaviour. The person to be held accountable in such a case is often difficult to determine. Hence the need for governmental agencies to monitor and compromise anonymity on the Internet within certain virtual communities.

c) Organisational behaviour

A disconcerting ethic has evolved with the advent of these virtual communities and the Internet. Many people feel that information should be “gratis”. People do not like paying for information that is available electronically and have come to feel that valuable information should simply be given away. However, organisations would find it very difficult to survive in such a culture. It is unreasonable and against the laws of commercial trade! So much so that this ethic of free information has made it difficult even for publishers to operate on the Internet. One such case was the release of Stephen King’s book on the Internet [KING 00]. King promised to release the next chapter of his book upon receipt of 90% of the payments from subscribers. Unfortunately people were not interested in subscribing to this service and only five chapters were released! The unethical nature of some people has meant that great barriers may and do develop for organisations.

On the flip side is the ethical and often legal right of individuals to have access to information that may reside on an organisation’s systems. This right to the property of information will be discussed in greater detail in the following chapter.

d) Governmental behaviour

Many governmental agencies have taken cognisance of the fact that the Internet can be used as a value-added service to the public as a general information delivery channel. In using the Internet in this way, many organisations have attempted to reduce administrative costs whilst improving their service. Not only has the Internet been recognised as a means of creating enhanced service delivery, but it is also used to source information for social control, i.e. government agencies can use the Internet to source information relating to citizens and track this information with increased awareness. Perhaps the greatest use of this is in the ethical prevention of criminal activities by law enforcement agencies.

All four of the above categories affect the ethical usage of the Internet or are affected by the Internet. There is a great need on behalf of all Internet users for an ethical approach to usage of the Internet. Most important is the need for IT professionals and all users to take cognisance of the weaknesses of any technology. For any user to do so, they must fully understand the technology being used. Once they are aware of the technology and its potential for abuse, the users can then ameliorate the situation.

2.5 WHAT ETHICAL ISSUES GOVERN INTERNET USAGE?

Having understood the difference between moral and ethical rights, as well as where legislation can be used to assist people and organisations in determining right from wrong, the following list of ethical issues can be analysed. Note that each of the following ethical issues is of concern to individuals, virtual communities, organisations and government agencies [GRAN 98] [MASO 86] [CLAR 99a] [FORC 95]:

• Individual responsibility – Individual responsibility governs an individual’s behaviour and can often be influenced by legislation. It is here that family values, political affiliations and cultural differences take effect. Each of these factors must be examined to understand the ethical values of individuals.
• Professional responsibility – The professionals in charge of an organisation’s computing facilities are obliged to take responsibility for their actions based on their skills and knowledge. Society places trust in them because of their skills and position. Often merely belonging to a profession entails a code of ethics to which the professional adheres. There are several for the IT industry, but unfortunately not many for the information security industry. These codes will be discussed in a later chapter.

• Equity – This ethical element concerns an individual’s right to access information and technology facilities based on equality. There should be no discrimination regarding gender, socio-economic status, ethnicity, race or disability.

• Obligation – Another ethical concern is obligation or quality of life. This area includes any impact that the technology can have on the social and cultural interaction of individuals and changes in work status. All technology developments must be reviewed on ethical lines to see whether they enhance or decrease an individual’s quality of life.

• System quality – The timeliness of information is critical. Information should be reliable and accurate at all times. Inaccurate or unreliable information could seriously impact the quality of life of an individual and is therefore of prime ethical concern to anyone [MASO 86].

• Intellectual property – Legislation tries to protect intellectual property, but this is not always possible. As mentioned earlier, whether a person abides by the legislation depends on his or her background and ethics.

• Privacy – This final ethical factor is of key concern on the Internet at present. It considers society’s rights and organisational rights to protect the privacy of an individual.

Each of these factors needs to be considered and dealt with for an individual, virtual community, organisation or the government to use the Internet effectively.
Each of these issues must be addressed for society to fully embrace the Internet and its supporting technologies.

2.6 CONCLUSION

An ethical awareness needs to be created so that society trusts the Internet. The next chapter will address the issue of creating such an ethical awareness. If each of the ethical factors governing the usage of the Internet is addressed, society will ultimately realise the full potential of the Internet. The way in which this can be achieved is through the use of information security mechanisms. In the chapter to follow, these mechanisms will be analysed with specific reference to the factors governing the ethical use of the Internet. Information security, information security mechanisms and the creation of an ethical information security awareness will be discussed extensively in the following chapters.
CHAPTER 3

A FRAMEWORK FOR THE IMPLEMENTATION OF ETHICAL CONTROLS IN INFORMATION SECURITY

“You cannot choose your battlefield, God does that for you; But you can plant a standard where a standard never flew.” [CRAN 01]
3.1 INTRODUCTION

Even though many organisations use information technology, they are still lagging behind in the ethical usage of this technology, as was illustrated in the previous chapter. The purpose of this chapter is to further explore the changing domain of information security with specific reference to e-business. It will become clear how ethics can be incorporated into information security. Appendix A is a summarised version of this chapter.

The advent of e-business has not only created an ever-growing demand for information security, but has also given information security a new dimension. The term “e-business” will be used in this context for the very reason that it encompasses the monetary transactions effected in and by an organisation, as well as all its other commercial activities.

Organisations are privy to information that is deemed valuable, not only to themselves but also to their competitors. In many instances, it is possible even to put a monetary value on this information. This has naturally created an urgent need to secure all such information, which has, in turn, led to the advent of information security.

For many years now, securing an IT environment has meant that information security has had to be addressed primarily from a technical point of view. Unfortunately, information security has, for the most part, been reduced to the implementation of firewalls. More recently, however, the functional aspects of information security have come to the fore. In terms of this trend, many organisations have decided to employ IT managers in a bid to exercise some form of managerial control. As a result, these IT managers implement a common baseline standard to prove that the organisation is, indeed, protected. In terms of this development, information security was therefore approached from a business-functional angle for the first time, as opposed to merely from a technical point of view.

Even though many people may find solace in the fact that information security is addressed both technically and functionally, its implementation must also take cognisance of ethical and human considerations. In this way, the full potential of information security can be unleashed to enrich jobs and enhance productivity. This implementation would, however, call for an in-depth investigation into information security itself, particularly the ethics involved. In terms of this implementation, people will have to be placed at the centre of the equation, rather than at its periphery. The diagram below (figure 3.1) illustrates the ideal relationship between the technical, functional and ethical aspects of information security.

Figure 3.1 Equalisation of the three fields of information security (diagram: functional aspects, technical aspects and ethical aspects shown as equal)

Below, an example will attempt to elucidate the need to put the ethical aspects of information security on a par with its technical and functional aspects.

Suppose a newly graduated programmer has just been employed to develop a computerised incubator. Without either evaluating or testing the system properly, the newly appointed programmer’s superior pressurises him or her to finish the job quickly. Management is only too happy with the system’s rapid development and sells the product to several maternity wards at hospitals across the country. The anomalies sustained in the software, however, lead to the death of several infants. The question that arises is: Who is to be held responsible? The hospital administrators in question have certainly acquired the system in good faith, especially in the light of the fact that they are no experts in this field. The responsibility therefore clearly lies with the developer. The researcher trusts that this example illustrates the oftentimes emotionally charged aspects of technology − especially the need for some form of ethical awareness and accountability.

The urgent need for ethical information security awareness can best be illustrated by means of an actual event. In October 2000, Microsoft suffered a breach of security in its corporate network that had all the markings of a group of hackers attempting to penetrate its systems [HANC 00b] [UHLI 00] [COMP 01] [HANC 01]. Security personnel were alerted to this illegal activity shortly after its occurrence and, although they proceeded promptly to track the hackers’ attempts to expand on their unauthorised access over a 12-day period, they could not be sure of the full extent of the breach. Rumour has it, though, that at least one valuable source code for a future product had been accessed. The question therefore remains: What are the full implications of that security breach for the organisation? Could Microsoft be assured that no attempt had been made to alter the said product or to analyse it for some form of trapdoor through which to launch future security breaches?

Although they remain largely unanswered, the questions that arise from the above two cases, hypothetical and real, serve further to impress upon us the urgent need for creating and heightening ethical information security awareness within the IT environment of all organisations.

Having understood the need for and the inherent usage of ethics by individuals and organisations in everyday business, this chapter will be devoted to a discussion of the following questions:

• Why does ethics need to be applied to information security?
• How can a pillar of strength be formed in organisations to allow for and further ethical information security awareness in their ranks?

In conclusion of this chapter, an example will be cited to illustrate the application of such a pillar of strength in any organisation.

3.2 THE APPLICATION OF ETHICS TO INFORMATION SECURITY

In the previous chapter ethics was defined as a code of behaviour or a system of moral beliefs about what is right or wrong in accordance with the principles of professional conduct. It was also discovered that, depending on the outlook of the individual or organisation, they could adopt any one of the ethical methodologies or theories to deal with a situation.

Before attempting to define the term “ethics” for IT security, it is important first to define information security itself. In this context, it can be defined as “the protection of assets against vulnerabilities that have been identified and the reduction or complete elimination of the threats to which information and information systems are exposed” [PFLE 97]. The ISO has recommended that all secure systems adhere to five information security services in order to fully secure the systems of an organisation (ISO 7498-2):

1) Identification and authentication
2) Authorisation
3) Confidentiality
4) Integrity
5) Non-repudiation

These services are, for the most part, viewed as technical services that support mechanisms which, in turn, enable the implementation of information security. It is also possible, however, to consider these services from an ethical information security awareness point of view.
The concept of ethical information security awareness can, in turn, be defined as the conforming of an organisation to recognised information security ethical principles. For the purposes of this thesis, the latter principles encompass privacy, property and obligation. The onus therefore rests solely on an organisation to create this ethical awareness in every one of its members and among all its clients and affiliates. Furthermore, it must be the constant endeavour of an organisation to incorporate ethical issues with the inception, development and maintenance of its IT system. Organisations must be made aware of what behaviour is deemed acceptable and unacceptable under varying IT circumstances.

The selfsame ethical information security awareness must then be applied to all organisations implementing an IT product. This awareness should govern the expected IT security controls and measures that must be effected in accordance with the information security policy of an organisation. This awareness specifically manifests in the understanding that both customer and organisation must adhere to certain ethical principles. These principles include the right of both the individual and the organisation to privacy, to property of their information and to the obligation to uphold this ethical commitment. Where then does this ethical information security awareness fit into the organisation specifically?

3.3 A PILLAR OF STRENGTH

Each organisation should adopt an information security policy that includes its viewpoint on ethical information security awareness issues. This policy can then be used to guide staff members in, for example, the various ways in which to protect client information (privacy). This policy should also inspire staff members to adhere to it.
In so doing, it will not only lend support to the information security initiatives taken in the organisation, but it will also provide a means of deterrence and a framework for disciplinary action, if and when required. By educating, guiding and supporting the staff members in this way, they are made aware of their obligation legally to adhere to the accepted code of behaviour in their organisation. This process will serve to involve the clients and trading partners of the organisation too, albeit by implication only, as they will also become aware of the socio-ethical information security awareness policy of the organisation and their obligation to uphold it.

The diagram below (figure 3.2) depicts a logical yet holistic approach to information security management (ISM) in an organisation. It also indicates exactly where the ethical awareness of information security issues fits into the organisation.

Figure 3.2 A pillar of strength (diagram; levels from the top down)
7. ISM
6. Security policies and procedures
5. Ethical awareness − obligation, property, privacy
4. Adherence to the law − legislation
Codes of conduct
3. Standards
2. Technical services − firewall, IDS
1. E-business − external link

Figure 3.2 depicts an ideal organisation in terms of the ethical approach to information security management. As is evident from the above structure, each block in the pillar builds on the previous one, thus creating a pillar of strength for information security. The various levels can be explained as follows:
1) E-business − The first block constitutes the organisation at entry level. At this, the very first level, there is a dire need for protection against all outside intrusion. It is at this level, too, that the initial interface with clients takes place, thereby creating an almost insatiable need for security and security assurance. The organisation, however, is obligated to provide this assurance to its clients.

2) Technical services − The very next block up, representing technical services, already invokes certain technical issues. The technical services and mechanisms in this block can be put into place not only to protect the organisation, but also to provide a service to its e-business clients. These security mechanisms will typically include biometrics, intrusion detection systems (IDSs) and firewalls.

3) Standards − How can an organisation be assured that its protection is on a par with the minimum acceptable level? Every organisation should, as a first line of defence, implement a certain baseline level of security assurance. In so doing, it could subscribe to any of the existing internationally accepted standards to which many organisations adhere already, such as ISO 17799, in terms of which a “baseline standard” has been defined as “the security level adopted by the IT organisation for its own security and from the point of view of good due diligence” [BS77 99]. One such control which could, for instance, be applied to IDSs is as follows:

• 9.7.2 Monitoring system use − unauthorised access attempts such as alerts from proprietary intrusion-detection systems, access policy violations and notifications for network gateways and firewalls.
The question that arises, however, is whether or not this would ultimately provide the necessary assurance to an individual or a trading partner. This brings us to the next issue, namely what is required by law.

4) Adherence to the law − The only sure thing in IT security is the very criminal element that induced its inception in the first place. Under this block, therefore, falls people’s need to know what their rights are and the punishment to be meted out if they were to infringe other people’s rights. This block is strictly regulated, as the law requires that specific controls be put into place. In this way, the UK Computer Misuse Act of 1990 provides for all computer misuse offences by protecting against unauthorised access to computer material, unauthorised access with intent to commit or facilitate commission of further offences and unauthorised modification of computer material [COMP 96]. The question, however, is whether or not the law amply provides for all such offences.

5) Ethical information security awareness − As ethics is more situational and personal than the law, it does not have to change with time. Even if the courts were to side with a particular person, that person would not always want to resort to the law, as the legal process could be painfully slow, as well as emotionally draining and, above all, costly. It is vital, therefore, to have certain ethical information security controls in place. These controls may include privacy, property and obligation. Property of information would, for instance, constitute the right of an individual and an organisation to ownership of all information about them or of all information that has been gathered at their expense. Often, property is also protected by law, such as copyright on program code. Privacy of information concerns the right of an individual or an organisation to have its information deemed secret. Finally, an organisation is obligated to adhere to these ethical information security awareness controls, as well as to follow through on the client’s e-commerce wishes; in other words, the obligation, upon receipt of order and payment, actually to follow through with delivery of the required goods. This block in the pillar of strength exerts a profound influence on all preceding and subsequent blocks. The question that arises here, however, is whether or not all organisations do indeed incorporate such controls in their security policies.

6) Security policies and procedures − The ethical information security awareness must be incorporated in the security policy of the organisation. It must be made an integral part of the everyday procedures of the organisation, as well as of its guidelines for good practice. Members must, in addition, sign a contract to this effect, thus acknowledging the ethical information security awareness policy of their organisation. This will serve legally to bind them to it, especially in the event of their breaching it. This policy could be made public, so that the clients and other trading partners of the organisation are also made aware of their obligation to uphold it.

7) Information security management − ISM is an involved and multifaceted science. It is vital, therefore, that any form of protection put into place in terms of this field be closely managed. If managed correctly, the seven blocks that make up the pillar of strength will ensure a safe, sound working environment for all parties involved.
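As an added example that is not part of the dissertation, the following monitor applies the spirit of the control 9.7.2 cited under level 3 (unauthorised access attempts, gateway and firewall notifications, IDS alerts) to constructed log lines; the sensor names, log format, thresholds and the cross-sensor escalation are assumptions chosen for illustration.

```python
"""Added example (not from the dissertation): a small monitor in the spirit
of ISO 17799 control 9.7.2 ("monitoring system use"), which asks for review
of unauthorised access attempts, access policy violations and notifications
from gateways, firewalls and intrusion-detection systems. Log format,
thresholds and addresses are constructed for illustration only."""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed log lines from three notional sensors (firewall, IDS, login
# service) using documentation-range addresses; not real device output.
SAMPLE_LOGS = """\
2001-03-14T10:00:01 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2001-03-14T10:00:02 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2001-03-14T10:00:03 firewall DENY src=203.0.113.7 dst=192.0.2.10 dport=21
2001-03-14T10:00:04 firewall ALLOW src=198.51.100.4 dst=192.0.2.10 dport=443
2001-03-14T10:00:09 ids ALERT sig="source tree access from untrusted net" src=203.0.113.7
2001-03-14T10:00:15 login FAIL user=build src=203.0.113.7
2001-03-14T10:00:16 login FAIL user=build src=203.0.113.7
2001-03-14T10:00:17 login FAIL user=build src=203.0.113.7
2001-03-14T10:00:18 login FAIL user=build src=203.0.113.7
2001-03-14T10:00:19 login FAIL user=build src=203.0.113.7
2001-03-14T10:00:30 login OK user=alice src=198.51.100.4
2001-03-14T10:45:00 login FAIL user=alice src=198.51.100.4
"""

Event = namedtuple("Event", "ts sensor verdict fields")
Finding = namedtuple("Finding", "rule src count severity")

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")   # timestamp sensor verdict rest
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')         # key=value or key="quoted value"


def parse_line(line):
    """Parse one log line into an Event; malformed lines yield None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group(1))
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
    return Event(ts, m.group(2), m.group(3), fields)


def parse_logs(text):
    """Parse all lines, dropping blank or malformed ones, sorted by time."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return sorted(events, key=lambda e: e.ts)


def peak_in_window(events, window):
    """Largest number of time-sorted events that fall inside any single
    sliding window of length `window`; 0 for an empty list."""
    best, j = 0, 0
    for i, e in enumerate(events):
        while events[j].ts < e.ts - window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(events, fail_threshold=5, deny_threshold=3, window=timedelta(seconds=60)):
    """Apply three 9.7.2-style rules per source address and escalate any
    source that trips more than one sensor (simple cross-sensor correlation)."""
    by_src = defaultdict(lambda: defaultdict(list))
    for e in events:
        src = e.fields.get("src")
        if src is None:
            continue  # nothing to attribute the event to
        if e.sensor == "login" and e.verdict == "FAIL":
            by_src[src]["login_fail"].append(e)
        elif e.sensor == "firewall" and e.verdict == "DENY":
            by_src[src]["firewall_deny"].append(e)
        elif e.sensor == "ids" and e.verdict == "ALERT":
            by_src[src]["ids_alert"].append(e)

    findings = []
    for src, groups in by_src.items():
        hits = []
        n = peak_in_window(groups["login_fail"], window)
        if n >= fail_threshold:            # unauthorised access attempts
            hits.append(("repeated_login_failure", n))
        n = peak_in_window(groups["firewall_deny"], window)
        if n >= deny_threshold:            # gateway/firewall notifications
            hits.append(("repeated_gateway_deny", n))
        if groups["ids_alert"]:            # IDS alerts are always reported
            hits.append(("ids_alert", len(groups["ids_alert"])))
        severity = "high" if len(hits) > 1 else "medium"
        findings.extend(Finding(rule, src, count, severity) for rule, count in hits)
    return findings


if __name__ == "__main__":
    for f in detect(parse_logs(SAMPLE_LOGS)):
        print(f"[{f.severity}] {f.rule}: src={f.src} count={f.count}")
```

Run as-is, the sample yields three findings against the single probing source, each escalated to high because more than one sensor reported it; the single failed login from the second address stays below threshold and produces nothing.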
3.4 COMPANY_X HAS BEEN HACKED!

Finally, it is important to illustrate the application of this model by means of an example. Suppose a large and prominent company, Company_X, suffered a serious breach of security on its corporate network, in which newly developed software code was hacked into, studied and possibly compromised. Although Company_X has since assured its clients that no vital information was revealed, the question remains: What assurance could Company_X give its clients that that was, in fact, the case? Information deemed vital to an organisation may not necessarily be valued equally by its clients. Another question that may be posed is this: If security standards were so poor for a major organisation such as Company_X, how secure were its products? Although Company_X has assured its clients of the safety of both its information and products, clients might rightly ask questions as to the chances of such an incident being repeated.

Furthermore, it is evident that, from a security point of view, Company_X has come up against the infamous ethical dilemma of hacking. Although the ethics (or lack thereof) of hacking is not covered in the scope of this chapter, the implications of this security breach will be discussed. Company_X needs, in short, to assure its clients of the fact that their privacy will be guaranteed.

Another ethical implication that could be considered by the company is the piracy of its newly developed source code. Considerable time and money have been spent on its development and now, due to insufficient controls, that source code could have been stolen, which again illustrates the need to create and further ethical information security awareness both inside the company and among its clients.
The figure below (figure 3.3) serves, once again, to indicate the various levels that must be managed and implemented correctly to secure an IT environment:

Figure 3.3 Company_X has been hacked! (diagram; levels from the top down)
7. ISM
6. Security policies and procedures
5. Ethical awareness − obligation, property, privacy
4. Adherence to the law − UK Misuse Act
3. Standards − ISO 17799
Codes of conduct
2. Technical services − firewall, IDS
1. E-business − source code has been hacked

Below is a discussion of each step of creating such a pillar of strength:

1) E-business: Virtually every business is connected to the Internet at present. The first level therefore constitutes the need for protection from all intrusion at a very basic level. In terms of our example, Company_X needs protection against the hackers accessing its corporate network. In addition, its clients need to be assured that their privacy will be protected. Company_X should, for this reason, also ensure that the interface used for trading with clients is rendered secure and tamper-proof.

2) Technical services: At a more technical level, this system should adhere to the five information security services, namely (i) identification and authentication, (ii) authorisation, (iii) confidentiality, (iv) integrity and (v) non-repudiation. One such mechanism that could be implemented to support the service of authorisation would, for instance, be a firewall, whilst another would be to install an access-control list in Win NT for all registered clients. Company_X should ideally have these mechanisms in place, along with other mechanisms such as an IDS.

3) Baseline standards: Company_X should be able to guarantee its trading partners that they enjoy a minimum acceptable level of security, such as a certificate to prove that it has been audited by an ISO17799 auditor and, in this case, approved specifically for ISO17799 rule 9.7 [BS77 99]. In this way, the system will be protected against unauthorised activities such as a false user trying to gain access to the system for malicious purposes. As access attempts made by false users are being monitored, the information security manager will be alerted to suspect attempts without delay.

4) Adherence to the law: Now that Company_X is aware of the illegal access to its information, what can be done about it? What law is invoked in the country in which the breach occurred? Even though the USA, UK and other countries will co-operate in extraditing offenders, it is important that organisations be made aware of havens where these hackers do, in fact, enjoy protection.

5) Ethical information security awareness: The long arm of the law, it seems, is not always long enough, which means that other, more stringent controls need to be put in place, such as controls for property of information. Even though, for example, the source code belongs to Company_X, that is no guarantee that its code has no latent trapdoors and that those hackers have not compromised it. The company also needs to assure its current clients of the fact that their private information has always remained just that and that it has done its utmost to maintain the status quo. The company is, in fact, obligated to reassure its clients in this manner. The urgent need to implement an IT policy is manifested in these ethical information security controls.

6) Security policies and procedures: Company_X should include all of these aspects in its information security policy, from a high to a low level. These aspects should be deemed an integral part of everyday procedures for all employees, as well as for all clients and trading partners. Company_X should, for instance, word its employment contracts in such a way as to legally bind its employees to the enforcement of stringent security controls.

7) ISM: Finally, Company_X would be fully secured, on condition that all of these aspects were implemented and managed correctly. It would have adopted a holistic approach to information security management and it would enjoy protection from its weakest link − the human element.

3.5 CONCLUSION

In this chapter, a framework for implementing ethical information security awareness controls was developed. This framework will assist organisations in creating an awareness among all their members, clients, affiliates and other trading partners about the importance of having an ethical approach to information security. The three ethical information security controls of privacy, property and obligation will be instrumental in establishing this awareness. Especially in today’s electronic era, it has become vital to establish norms of behaviour for both organisations and clients. Individuals and organisations trading over the Internet must be assured of their rights to privacy, the property of their information and an obligation to control this information correctly and ethically. The creation of an ethical awareness of information security that takes cognisance of the human dimension will help organisations and clients alike to start comprehending the full impact of the electronic age on modern civilisation, especially as we have, once again, proven to be our own worst enemies. The next three chapters examine the three ethical information security controls that enable organisations and individuals to control information ethically.
CHAPTER 4

PRIVACY

“The closing of a door can bring blessed privacy and comfort — the opening, terror. Conversely, the closing of a door can be a sad and final thing — the opening a wonderfully joyous moment.” [ROON 94]
4.1 INTRODUCTION

It is commonly accepted that any service, process or asset that can be digitised is going to be transferred over a network at some time or another. This may appear to be wonderful news for all information systems managers and their respective recipients. However, have all the implications of this been considered? What are the implications of a service or process being adapted, intentionally or unintentionally, by another individual along its route? An organisation’s managers, trading affiliates and clients all need to be aware of the full implication of transferring assets over a network. What would happen if these assets were stolen or even made available for others to access?

As already mentioned in the previous chapter, a logical yet holistic approach can be adopted by an organisation to enable a sound information security management structure. This approach creates an ethical awareness of information security and therefore forms a pillar of strength for the organisation. All of the questions introduced in the first paragraph can be answered, and assurance thereby provided to customers, organisations and their trading affiliates, if this pillar of strength is adopted. More specifically, the above questions can be answered by implementing the key ethical information security awareness control of privacy. The focus of this chapter is to determine how to quell an organisation’s privacy fears, as well as those of individuals. The diagram below illustrates the ethical information security awareness control of privacy.
Figure 4.1 Ethical control of privacy (diagram: the seven layers of the framework, 1. E-business − external link; 2. Technical services − firewall, IDS; 3. Standards, codes of conduct; 4. Adherence to the law − legislation; 5. Ethical awareness − privacy, property, obligation; 6. Security policies and procedures; 7. ISM; the privacy control is annotated with: defined, how is it obtained?, what are the solutions?, how is privacy implemented in the organisation?)

Confidential information is being released unintentionally by organisations, which is violating an individual's right to privacy of their information. To understand the full extent of the ethical information security awareness control of privacy, it is necessary to ask the following question: What must a person or an organisation reveal?

Take, for example, a recent case of an Indianapolis-based pharmaceutical organisation, Eli Lilly and Co [CNN 02]. They are the manufacturers of the antidepressant drug, Prozac. The company sent an e-mail to more than 600 Prozac users that carried the name and e-mail addresses of every recipient in the message. What is the problem with this? As harmless as this may seem, the entire name and address of the recipient constitutes confidential details, which can be used for malicious purposes. The Federal Trade Commission (FTC) has filed a complaint against the company [CNN 02]. According to Howard Beales, “even the unintentional release of sensitive medical information is a serious breach of consumers’ trust” [GENG 02]. Unfortunately, cases like this are numerous.

The right to hold information about an individual or an organisation as private and confidential is perhaps a privilege bestowed on us [CBPR 99]. However, in some instances, the law can protect us. For instance, an individual’s medical information must remain confidential. Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. In the past, family doctors and other health care providers protected the confidentiality of those records by sealing them away in file cabinets and refusing to reveal them to anyone else [CAHI 02]. These days this information is stored on some kind of electronic medium. Who has access to this information? Who is in charge of the security and protection of our private information? All those in charge of this confidential information must answer these questions.

This chapter will answer the above questions, and suggest possible standards and controls that can be used to secure the privacy of information. The possible threats to privacy of information will also be discussed, and finally a guideline will be presented for understanding the right of an individual, as well as an organisation, to privacy.

4.2 PRIVACY DEFINED IN TERMS OF ETHICAL INFORMATION SECURITY AWARENESS

Before privacy in terms of an ethical information security awareness control can be discussed, it is necessary to define it. Privacy is defined in the Oxford Dictionary [OXFO 99] as “the right to be alone or undisturbed”. EPIC, the Electronic Privacy Information Centre, has adopted an antiquated, yet relevant definition of privacy: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” - Amendment IV, The United States Constitution (1791) [EPIC 02]

What is the ethical information security awareness control of privacy? For the purposes of this dissertation, privacy will be defined as a right that an individual or an organisation has to be left alone and not intruded upon. It is the right an individual or an organisation has to be protected against physical and/or psychological invasion and/or against the misuse or abuse of something legally owned by that individual/organisation, such as information pertaining to that individual/organisation.

A prime example of a breach of an individual’s privacy can be cited from Bruce Schneier’s recent book Secrets and Lies [SCHN 00]: “For years, personal information has ‘leaked’ from web sites to advertisers. For example, when visitors visited the Intuit site to use the various financial calculators, a design glitch in the web site’s programming allowed information that they entered to be sent to DoubleClick. This happened without the users’ knowledge or consent, and (more surprising) without Intuit’s knowledge or consent.” This breach of privacy illustrates how, despite warnings, privacy of information is still a low priority for many organisations. Marketing organisations are delighted to trace the buying trends of individuals, as is the case with DoubleClick. Companies should increasingly be made aware of the need to protect the privacy of their customers and themselves.

How then do the information security officers or business owners high up the organisational hierarchy guarantee privacy of information? In many countries there is a Privacy Act that gives people certain rights to information collected about them by governments and organisations. The legal implications of this are beyond the scope of this dissertation. However, organisations must still be made aware of laws and rights that have been implemented within different countries and the policies that have been established to protect the privacy of individuals. In many instances the organisation can be held liable for the failure to adequately secure an individual's information. Therefore there are many factors affecting privacy that need to be considered by organisations, managers, clients and trading affiliates. The following section details how this private information can be obtained intentionally by hackers, advertising agencies and the like, or even unintentionally by individuals or employees of an organisation.

4.3 HOW IS THIS PRIVATE INFORMATION OBTAINED?

How do organisations, government agencies and various virtual communities gather this private information? Numerous methods are available that must be considered by all organisation managers and individuals. Often web sites display browser advertisements. Most browser advertisements or web pages have the ability to determine the IP address of the user merely by having the user click on the site displaying the advert. For this, these sites utilise methods such as referrer logs, cookies and web bugs. It is also possible that this site can determine not only the IP address of the user, but also the domain name from whence this user came and the platform and browser that he or she is using, and associate this information with the information that is being requested. Often a profile can be made up from this information alone. This information is then available to servers, local administrations and other third parties. There are a variety of methods available to gather this information. For the sake of simplicity each of these methods can be categorised as being either a technical tool or a functional tool.
The diagram below summarises the categorisation of these methods.
Technical methods: cookies, web bugs, referrer logs, identity theft
Functional methods: social engineering, workplace, online vs. offline privacy

Figure 4.2 Categorisation of privacy infringement methods

These methods are described as follows [CRAN 00] [PFLE 97] [SCHN 00] [GREE 00] [LAWR 98]:

4.3.1 Technical methods

These methods are based predominantly on a form of physical tracking using algorithms or a program designed specifically to monitor privacy.

4.3.1.1 Cookies

Cookies can be a useful tool. A server logs the IP address or name of a user’s machine. In such a case, there is insufficient information being logged to trace the request back to a specific person. Individual server logs also do not provide sufficient information to trace the user’s path through the web. At most the site can look back one step only. Browser cookies change this so that the users can be tagged and their web surfing sessions monitored. Not only can they track movements, but they can also be used to identify a person when they return to a web site so that they do not have to remember a password. The final useful advantage of a cookie is that it can help web sites understand how people use them [CRAN 00] [PFLE 97] [SCHN 00]. Used properly, cookies can actually protect an individual's privacy by storing personal information locally on the hard disk, rather than on a remote server. However, used improperly, cookies can threaten privacy. As cookies are generated by the web server, not by the browser, a cookie cannot hold any information that the individual has not voluntarily given to the remote site. For example, a cookie cannot hold a person's e-mail address unless that person gave the address to the remote site at some point. So what is the problem?

The downside of cookies is that they are often used to profile users and track their activities, especially across web sites. The diagram below depicts the possible privacy implications of enabling cookie use on a web browser.

Figure 4.3 The problem with a cookie (diagram: the user searches for medical information on Yahoo.com and buys a book on Amazon.com; both pages carry a DoubleClick ad, one of which sets a cookie and the other reads it; DoubleClick obtains the user's name and address from the ordering of the book and links them to the search on medical information)

Referring to the previous DoubleClick example, the above diagram will be explained with specific reference to the use of cookies [CRAN 00] [SCHN 00].
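A toy model of the cross-site linkage in Figure 4.3, and of the defence of partitioning third-party cookies by top-level site, added here as an illustration; it is not code from the dissertation or from any cited work, and the site names, the ad-network domain ads.example, the customer name and the event records are constructed.

```javascript
// Added example (not the dissertation's): a toy model of Figure 4.3.
// One ad network is embedded on two sites; with a single shared cookie it
// links the visits, with cookies partitioned by top-level site it cannot.

class Browser {
  constructor(partitioned) {
    this.partitioned = partitioned; // true: key cookies per top-level site
    this.jar = new Map();
  }
  key(topSite, cookieDomain) {
    return this.partitioned ? `${topSite}|${cookieDomain}` : cookieDomain;
  }
  getCookie(topSite, cookieDomain) {
    return this.jar.get(this.key(topSite, cookieDomain));
  }
  setCookie(topSite, cookieDomain, value) {
    this.jar.set(this.key(topSite, cookieDomain), value);
  }
}

class AdNetwork {
  constructor(domain) {
    this.domain = domain;
    this.profiles = new Map(); // tracking id -> events seen under that id
    this.nextId = 1;
  }
  // Ad request from a page on `topSite`; `event` is what that page sends along.
  serveAd(browser, topSite, event) {
    let id = browser.getCookie(topSite, this.domain); // read cookie
    if (id === undefined) {
      id = `uid-${this.nextId++}`;
      browser.setCookie(topSite, this.domain, id); // set cookie
    }
    if (!this.profiles.has(id)) this.profiles.set(id, []);
    this.profiles.get(id).push({ site: topSite, ...event });
    return id;
  }
}

// Replays the two visits of Figure 4.3 (constructed sites, name and events)
// and reports whether any single profile joins the name to the search.
function replayFigure43(partitioned) {
  const browser = new Browser(partitioned);
  const ads = new AdNetwork('ads.example'); // stands in for DoubleClick
  ads.serveAd(browser, 'yahoo.com', { search: 'medical information' });
  ads.serveAd(browser, 'amazon.com', { order: 'book', name: 'A. Customer' });
  const linked = [...ads.profiles.values()].some(
    (ev) => ev.some((e) => e.search) && ev.some((e) => e.name));
  return { profiles: ads.profiles.size, linked };
}
```

With `partitioned` false the network ends up with one profile joining the book order to the medical search; with it true the two visits yield two unrelated identifiers.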