Social, legal and ethical aspects of IS security and privacy - Research Paper Example

? Social, Legal and Ethical Aspects of Information Security and Privacy Social, Legal and Ethical Aspects of Information Security and Privacy Introduction Recent advancement in technology has resulted to the development of innovative computing systems which have facilitated the functions of various organizations and institutions. The adoption and implementation of information systems is the modern trend because of the advantages that are associated with the use of technology (Sangkyun, 2011, p. 270). The increasing complexity of information systems has resulted to information security threats which have infringed the right of individuals to privacy of information. This research paper gives a critical review of the social, legal and ethical aspects which relate to the security and privacy of information within information systems in addition to recommendations on the appropriate approaches of curbing the information security concerns of organizations. Information Systems An information system is a combination of hardware, software, procedures, policies, people, information and data which is involved in the management of organizational business functions with an aim of meeting organizational objectives and goals with efficiency and effectiveness. The hardware within information systems includes the physical aspects of the system such as computer components and the related equipment. The software is a set of applications alongside the hardware to effectively perform organizational or business functions. The software applications include information processing systems, finance and accounting packages, anti malware applications, statistical tools and word processing packages (Spears and Barki, 2010). Policies comprise of the set standards for proper management of the information system according to the internal and universal norms of organizational functioning. Procedures are the steps through which various activities and processes in within the systems should follow to ensure that efficiency is enhanced and thus achievement of high productivity (Babad and Lubitch, 2011, p. 236). In an information system, the people are the human resource and expertise who are involved in various organizational activities and processes. These include the clients, staff, management, suppliers and distributors. Data or information is one of the significant aspects of an information system because it helps organization to function and survive in the business environment through its application to enhance all business processes and to compete favorably within the market (Qing, Zhengchuan, Tamara and Hong, 2011, p. 54). Examples of information systems include transaction processing systems which include as set of applications for the processing of the daily activities and processes of an organization. Decision supports systems are other examples of information systems that are important in the decision making process of organization and thus serve as an essential tool for the management team. Management information systems are commonly used technologies which facilitate the management process of all functional areas of an organization (Skupsky, 1994, p. 40). Other information systems such as expert systems are used to perform specialized functions such as the application of technology and software applications in the diagnosis of various conditions by medical practitioners. Information System Security and Privacy Within information systems, individuals desire to have data or information about them be kept safe from unwarranted, unauthorized access and use for malicious intentions. Additionally, organizational data must be safeguarded from business rivals or malicious system attackers who would take advantage of vulnerabilities within the information system to gain access with intentions of causing damage to the system or accessing sensitive information without proper authority (Mingers and Walsham, 2010, p. 833). The continuity of business activities and processes is made possible only if an organization’s information system is functional (Culnan and Williams, 2009, p. 673). Damage to information systems as a result of security breaches would result into loss of functionality and thus cause the organization to incur losses. Moreover, failure of an information system usually leads to the loss of customer and investor confidence in the organization. These arguments illustrate that the issue of information privacy and the need for provision of security measures within information systems is a very important area of consideration by all organizations. Information security Information security within an information system is a concept used to refer to the measures which are put in place to ensure that data and information within the system is protected from unauthorized entry, disruption, damage, use, alteration or recording by individuals within the organization or external attackers (Sangkyun, 2011, p. 274). Therefore consideration of the security of information in Information Systems is crucial to enable organizations to manage all the key components of information security effectively so that data is adequately protected. Security measures are vital for organizations because they allow them to identify the organizational risks which are associated with security breaches (Love, 2011, p. 15). the sensibility of information within organizations such as hospitals and military agencies calls for the involvement of the management in matters of information security so that these organizations are allowed develop and implement a security policy to safeguard all their records from possible security threats. Information privacy Information privacy refers to the right of protection of an individual’s information from unauthorized access and use (Bloom, Milne and Adler, 1994, p. 98). Employees and management in all organizations should follow the professional rules of conduct and all privacy principles and laws that protect information from unauthorized access and use (Spears and Barki, 2010). The concept of information privacy is closely interrelated to security because it is through secure systems that information privacy is made possible. Therefore in the design, development and maintenance of Information Systems, information security must be considered because the cost of loss of data to a business organization is immense. Security breaches into private information held by organizations results into lawsuits, fines, insider trading, credit card fraud and a damaged reputation to an organization (Brueggemann, 2010, p. 81). The infringement of individual privacy in information systems is usually as a result of hacking. Hacking is a serious problem in all computing environments because unauthorized access into computer systems by hackers enables them to damage systems and thus access private information. In the United States hacking is a serious legal offense and a legal framework was enacted to protect individual privacy and security of information (Love, 2011, p. 17). Concepts of Information Security and Privacy Security systems are necessary in information management so that confidentiality, authenticity and integrity of information are guaranteed within an information system (Schwartz, 1997, p. 27). Confidentiality is used to refer to the protection of data and information on individuals or organizations from unauthorized access, use and disclosure (Babad and Lubitch, 2011, p. 237). The term information authenticity is used to refer to the extent to which information within an information system is genuine. Information integrity means that information or data within an information system should be kept free from unauthorized modification. The components of information security can only be achieved if information security and privacy are considered in management of Information Systems. Confidentiality of the information will be ensured if the design of Information Systems aims at keeping information confidential and hidden from all but the intended viewers (Sangkyun, 2011, p. 276). Therefore, securing information systems is essential in ensuring that data and information on transactions, in records, databases and communications are confidential, authentic and integral (Massey, Otto, Hayward and Anton, 2010, p. 119). The management of organizations and staff play a big role in prevention of security breaches by driving security messages, policies and procedures to ensure that access and use of information is authorized secure and in accordance to the principles of information privacy (Belanger and Crossler, 2011). Social, Legal and Ethical Issues The application of modern computing technology has facilitated digital convergence through various information systems in local, national and international scale. Globalization and the facilitated access of data via networks and computing systems have led to social, legal and ethical issues regarding the access and use of information and data within these systems (Mingers and Walsham, 2010, p. 833). Various countries have provided within their laws, acts which provide guidelines to the security of information systems and protection of individual privacy in relation to information that is stored in various databases (Kumar, Park and Subramaniam, 2008, p. 246). Legal implications have been faced by people and organizations for the infringement of the privacy of individual information. The security breaches into systems and unauthorized access and use of information is attributed to the violation of professional ethics and standards of social conduct. This paper gives a critical review and discussion of the social, legal and ethical issues that are related to information system security and privacy. The contemporary society is characterized with legal provisions which advocate for freedom of access to information for all. Additionally, people within the civilized world and the global environment have social and legal attitudes which illustrate the value of individual freedom for expression with the modern society that is culturally diverse. Despite the freedoms that give people the right of access to information, there are limitations by the legal provisions for the right to privacy of individual information (Smith, Dinev and Xu, 2011). The use of information communication technology is increasingly becoming a basic need for all individuals as illustrated by the use of information systems in financial transactions and institutions of learning. The inevitability of information systems therefore has led to their wide application and consequent legal, social and ethical implications. The social, legal and ethical implications of information security and privacy has led government authorities to analyze the situation of information systems and networked environment with a view of preventing the increased incidences of system attacks. This is due to the need to protect the users from the infringement of their legal rights to privacy of private information (Skupsky, 1994, p. 40). The ethical and legal incidences that are common in the contemporary computing societies include fraud, system sabotage, forgery, violation of copyright and intellectual property privileges, child pornography and computer theft. The wide application of information systems especially within networked environment has caused unethical system attacks most of which arise from the organization expertise themselves. Unethical behavior of employees would result to malicious sabotage of various information systems. This is common among employees who lose their job and decide to engage in unethical malpractice as a retaliatory measure against an organization (Brueggemann, 2010, p. 84). Moreover, hacking from external attackers may lead to the access of private information of clients of an organization such as a banking institution. This scenario would lead to the defrauding of clients who are convinced by hackers to innocently give private information such as passwords to credit cards. The hackers then use this information to access the accounts of the clients without their consent. Public outcry out of such antisocial acts results to the enactment of stringent regulations by governments to protect the privacy of the public from security breached into financial systems (Sangkyun, 2011, p. 281). Social implications of information systems within networked environments include promotion of immoral behavior in the society through pornographic images within networked environments. These images are accessible to children and it is therefore evident that when information systems are not secured from such content, the social impact is inevitably felt (Spears and Barki, 2010). Moreover, information systems are being used to communicate immoral messages to innocent members of the community in addition to the use of these systems to advertise socially immoral sites (Belanger and Crossler, 2011). The fact that information systems of various organizations have been linked to global networks and the internet, unlimited access is the illustration of the looming social implications of these systems. The negative social implication of information systems especially those that are connected to global networks is demonstrated by the use of the internet to market and sell drugs and substances of abuse to potential consumers (Caudill and Murphy, 2000, p. 11). Employees in organization are able to access the internet and thus are exposed to the convincing advertisements of drugs which they would order for from the comfort of their desks. The legal regulation of internet content and its eventual infiltration into information systems is demonstrated by the Chinese legal system which blocked some sites from being accessed by the public. At the organizational level, information systems are playing a role in the human relations. Mangers may access employee information over information systems which may tarnish their relationships. Unethical practices within organizations may cause malicious communication over information systems’ communication capabilities which would lead to a negative image being portrayed on some staff or senor management (Qing, Zhengchuan, Tamara and Hong, 2011, p. 57). Social networking sites are allowed to run within information systems of many organizations (Kumar, Park and Subramaniam, 2008, p. 246). Apart from the efficiency and productivity afforded through the use of social media in the work place, there are issues on human relations, ethics, security and privacy that must be considered because of the profound impact of the social media on the work environment (Culnan and Williams, 2009, p. 673). The ethical issues surrounding the growth of social media in the work place such as posting of discriminatory statements by supervisors, sexual innuendo, racial slurs that are directed at the management, co-workers or vendors have an impact on the personal elations within the organization. The use of technology to monitor employee access to social networks by employers is often justified by potential legal liability that would result if inflammatory information in posted on the internet (Love, 2011, p. 17). Some firms therefore employ blocking or filtering systems to prohibit employees from accessing social network sites (Skupsky, 1994, p. 40). Employees who have adequate knowledge on information technology may unblock the restricted access to enable unlimited use of the internet. The issue of security and ethics within information systems of organizations is interlinked. The technologies that are applied within organizations such as hardware and the related equipment are vulnerable to the professional malpractices which may emanate from the employees (Smith, Dinev and Xu, 2011). Vandalism of organizational computer hardware by employees for example is an ethical issue that would be difficult to control through the implementation of security measures. Ethical malpractice within organizations may also include misuse of technology resources of the organization by employees for personal benefit (Brueggemann, 2010, p. 87). Many employees indulge in the use of information and communication technology resources of organizations for personal ends. Such unethical behavior includes online shopping and communication via the global networks. When employees are engaged in the use of information systems for personal reasons, a lot of time is wasted which reduces their productivity. To prevent such behavior, mangers of some organization monitor the online activities of employees which in return cause concerns on the privacy of individual information (Schwartz, 1997, p. 27). Employees usually misuse the privacy that they are offered in the use of information systems for their own benefit and thus derailing the success of an organization in achieving set goals. The increasing incidences of security breaches and infringement of individual privacy to information is attributed to lack of awareness of issues related to security of information systems (Bloom, Milne and Adler, 1994, p. 98). The complexity of information and communication technologies is growing as innovative computer applications are being introduced into the market. System attackers have taken an advantage of the limited awareness of individuals on matters of information systems security and the related vulnerabilities to attack information systems. Moreover, information systems offer anonymity to attackers which make them confident in violating the legal and ethical framework which surround the issue of information security and privacy (Belanger and Crossler, 2011). Other vulnerabilities that increase attacks to information systems are related to the widening reach of networked environments. This makes organizations vulnerable to attacks from any part of the world. The legal frameworks of some countries especially in the developing world has failed to provide clear guidelines and standards adequate protection of information systems from social and ethical misconducts. For example the use of computer networks in the glorification of sexual immorality and drug abuse has not been stipulated clearly in many constitutions (Caudill and Murphy, 2000, p. 13). Even though the challenges of information security may not be protected adequately by the provision of various constitutions, it is necessary for countries to have legal guidelines to discourage the involvement of people in unethical practices and infringement of personal privacy across information systems (Himma, 2007, p. 241). Legal systems should also include the penalties associated with the infringement of the information privacy law so that legal proceedings in matters of violation of such Acts can be guided by a clear legal framework. The implication of unethical practices within information system on the confidentiality of information can be illustrate by the fact that some medical practitioners have been reported to have accessed and disclosed private and sensitive patient information to a third party without consent (Massey, Otto, Hayward, and Anton, 2010, p. 123). Such kind of unethical behavior in professional practice is a demonstration of the height of infringement of the privacy of information within information systems. The importance of keeping information confidential is explained by the need to avoid negative social implication of unauthorized disclosure of private information. The disclosure of medical records of an individual to a third party may lead to family breakups or heightening of fear within social systems and family units. Sensitive information such as that which pertains to the security of a nation may be disclosed to the enemy by an individual within the military for various reasons (Culnan and Williams, 2009, p. 673). This is an unethical practice that would lead to adverse consequences such as war between nations and thus the death of many people. These examples illustrate the importance of information confidentiality and how ethical malpractice can lead to adverse consequences. Information security within computer systems aims at safeguarding and protecting the integrity of information that is contained in the databases of organizations. Security measures which aim at protecting the integrity of information function to prevent alteration of data or information through deletion, insertion or modification (Caudill and Murphy, 2000, p. 12). Professionals within an organization who are involved in ethical malpractice for example my access information in an organization’s database which contains some evidence and thus delete it. Additionally attackers from an organization may access an information system and delete sensitive information with a malicious intention of destroying the credibility of the organization. Such security breaches and violation of information integrity would have a big negative impact in the organization such as loss of customers and investors. Financial information systems are commonly targeted by attackers and internal ethical malpractices which involve modification of financial records with an intention of defrauding the organization or customers substantial amounts of money (Love, 2011, p. 15). The seriousness of violation of information integrity demonstrate the necessity of organizations to put in place all measures possible in order to safeguard information from possible deletion, insertions and modifications. Availability of information to the intended users in any information system is the most important aspect of the system because it reflects its functionality and ability to perform its intended purpose or goal (Smith, Dinev and Xu, 2011). Therefore the security breaches to information systems which prevent the users of the system in accessing the information would cause unimaginable damage to the organization concerned. Hackers may access information systems and company websites and destroy their functionality which bars users from accessing useful information. Inability to find the required information at the required time will definitely cause los of clients. Unhealthy competition within a specific market may lead to such security breaches against organizations. Therefore for an organization to remain competitive, the issue of information security within its information systems should be given utmost importance (Skupsky, 1994, p. 40). System sabotage is an example of a security concern which would lead to the loss of system functionality and thus tarnish the image of an organization. Even through the issue of security of information systems has led to negative implication in the social, legal and ethical dimensions, information system use within organizations has many advantages including boosting the image of the organization. The efficiency and effectiveness which is afforded by information systems is a means of increasing productivity and the quality of services which are offered to clients (Belanger and Crossler, 2011). Information systems which are safeguarded form security concerns are helpful to organizations because they enhance the customer experiences while promoting interaction with the stakeholders of the organizations and thus positive relationships. Moreover, information systems aid the decision making process of organization management and thus enhance the speed into which the strategic plans of an organization are reached (Brueggemann, 2010, p. 91). It is through information systems and networked environments that an organization is enabled to market its products and services into a wide audience. Most importantly, the use of information systems within an organization is a motivational factor for the employees and thus boosts their morale for increased productivity and quality of service. Recommendations Due to the negative implication of security breaches, organizations must endeavor to protect the confidentiality, integrity and make information within their information systems available to clients through proper protection of these systems from security breaches. The management of organizations should recruit and retain employees who have professional qualification and proper ethical conduct so that security policies are followed. Organizational management can prevent security breaches by launching and supporting internal campaigns in the organization to spread the word about information security. The top executives should also partner with information security officers to ensure their internal practices lead to security of information and safeguard of individual privacy (Culnan and Williams, 2009, p. 673). Most importantly, the managing team of an organization should determine the level to which the organization is compliant to the regulations and requirements of the industry on matters of information security. Moreover, the management should prevent future security breaches by ensuring that new employees are fully aware of information security policies and regulations. This will enable them adhere to professional ethics in the use of information systems and thus reduce the risk of theft, misuse of data by employees. The possibility of employees being involved in fraud schemes which target the customers will also be avoided. The poor awareness on issues related to information security within many organizations leads to the need for training of personnel on the legal, social and ethical aspects of information security and privacy as well as protecting information from possible security violations. The integrity of information will be ensured within an Information System if its administrators are trained and qualified with skills that enable them to detect possible security breaches and alterations to information so that appropriate measures are put in place to prevent security breaches. Therefore information security considerations in an Information System should ensure authentication of information and use of safeguarding technology such as firewalls, digital signatures and encryption to protect information from unauthorized access, use and modification (Himma, 2007, p. 241). Consideration of information security and privacy should be mandatory in all organizations. Therefore the management of organizations should advocate for training of its employees and create awareness on reasons why their role in information security is critical. As a result, internal threats from employees on the security of information can be determined and monitored. This is necessary because most hacks to organization security systems come from employees (Smith, Dinev and Xu, 2011). Security considerations that will enable incorporation a physical security plan to safeguard information systems is recommended for all organizations which use information and communication technology. A security plan will provide for the responsibilities of the staff in promotion of information security. This will ensure that there is someone who keeps track of emergent issues in information security, including new vulnerabilities and attacks (Kumar, Park and Subramaniam, 2008, p. 246). The individuals responsible for information security can then hire independent auditors to evaluate the level of information security in the organization and use the auditor’s recommendations to ensure that information is secure. A good security plan for information systems will allow information security managers to ensure that the sources, collection, accuracy, storage and access to information follow the information privacy principle Conclusion Information security encompasses the protection of information and information systems from unauthorized access, use, recording, disruption, disclosure, modification, perusal, inspection or destruction of individuals’ private information. The social, legal and ethical issues concerned with information security and privacy and the challenges that organizations face in the use of information systems makes it necessary for all organizations to design a Human Resource Information Systems that are secure from information breaches so that information on individuals and organizations themselves is secured. References Belanger, F., and Crossler, R. (2011). Privacy in the Digital Age: A Review of Information Privacy Research in Information Systems. MIS Quarterly, 35(4), 1017-A36. Brueggemann, T. (2010). CHAPTER 5: How Understanding Impacts Ethics and Privacy. In, Refractive Thinker: Volume IV, pp. 81-102. Bloom, P. N., Milne, G. R., and Adler, R. (1994). Avoiding misuse of new information technologies: Legal and. Journal of Marketing, 58(1), 98 Babad, Y., and Lubitch, A. (2011). Ethical and legal issues of privacy and patient rights in the application of information healthcare delivery systems. International Journal of Healthcare Technology and Management, 12(3/4), 230-249 Caudill, E. M., and Murphy, P. E. (2000). Consumer online privacy: Legal and ethical issues. Journal of Public Policy and Marketing, 19(1), 7-19. Culnan, M. J., and Williams, C. (2009). How Ethics Can Enhance Organizational Privacy: Lessons From The Choicepoint And TJX Data Breaches. MIS Quarterly, 33(4), 673-687. Himma, K. E. (2007). Foundational issues in information ethics. Library Hi Tech, 25(1), 79-94. Kumar, R. L., Park, S., and Subramaniam, C. (2008). Understanding the Value of Countermeasure Portfolios in Information Systems Security. Journal of Management Information Systems, 25(2), 241-279 Love, V. D. (2011). Privacy Ethics in Health Care. Journal of Health Care Compliance, 13(4), 15-57. Massey, A. K., Otto, P. N., Hayward, L. J., and Anton, A. I. (2010). Evaluating existing security and privacy requirements for legal compliance. Requirements Engineering, 15(1), 119-137. Mingers, J., and Walsham, G. (2010). Toward ethical information systems: the contribution of discourse ethics. MIS Quarterly, 34(4), 833-854 Qing, H., Zhengchuan, X., Tamara, D., and Hong, l. (2011). Does Deterrence Work in Reducing Information Security Policy Abuse by Employees?. Communications of the ACM, 54(6), 54-60 Smith, H., Dinev, T., and Xu, H. (2011). Information Privacy Research: An Interdisciplinary Review. MIS Quarterly, 35(4), 980-A27. Schwartz, P. M. (1997). Privacy and the economics of personal health care information. Texas Law Review, 76(1), 1-75 Skupsky, D. S. (1994). Legal standards for records and information management programs. Information Management Journal, 28(3), 40 Spears, J. L., and Barki, H. (2010). User Participation in Information Systems Security Risk Management. MIS Quarterly, 34(3), 503-A5. Sangkyun, K. (2011). Auditing methodology on legal compliance of enterprise information systems. International Journal of Technology Management, 54(2), 270-287. Read More