The Ethical Issues of Information Security - Term Paper Example

Report on Ethics and Information Security (Name) (Course) (Institution) (Date) Table of Contents Table of Contents 2 1.0Abstract 3 2.0Introduction 4 3.0Research methods and approach 4 4.0Application of the law and ethics in information security 5 4.1 Due care, diligence, ethics and information security 5 4.2 Policy versus law 6 5.0 General categories of unethical and illegal behavior 8 5.1 Privacy of information 8 5.20 Privacy of customer information 8 5.21 The electronic communications privacy Act of 1986 9 5.22 The Kennedy- Kassebaum Act of 1996 9 5.23 Gramm-Leach Bliley Act of 1999 9 5.3 Identity theft 9 6.0 Results 10 7.0 Scope and limitations 10 8.0 The best method for preventing unethical activities 10 9.0 Conclusion 11 10.0 References 12 1.0 Abstract Information security is a very sensitive issue because of the ethical issues that are raised as areas of concern. The expansion of global networks has facilitated the smooth operations of trade and commerce because of increased use and dependence on computing systems and communication. Attacks that have been directed at information assets have heightened the need for information security. Securing these systems has had organizations develop their own pool of information security to ensure that they have secure computing environments. The law mandates organizations to protect the personal employee information such as phone numbers and their medical conditions for security reasons (Quigley, 2004). While this information falls into the category of personnel data information security is expected to ensure that this data receives the same level of protection accorded to the important data in the organization. Information security problems that arise most of the time are not technical problems but a people problem. This is because ethical issues do not arise because of technical problems but because of people either intentionally or by accident (Buchanan & Huczynski, 2004). This report looks at the ethical issues of information security as well as the various legislations that have been made to guarantee information security to individuals as well as to organizations and the empirical theories that explain behavior. 2.0 Introduction Security is a major concern in every facet of today’s life and technology is no exception. Technology exposes its users to various threats and so the need for legal systems to guarantee the safety of its users (Whitman & Mattord, 2009). The internet which is the base of information technology has no geographical boundaries and this makes it a security concern in every country of the world. While it is impossible to formulate laws that generate acceptable behavior, ethics produce socially acceptable behavior in society and it is therefore the responsibility of organizations to establish their codes of ethical behavior that their users should adhere to and live by (Whitman & Mattord, 2009). This is because ethics provide society with the morals standards that enable it function easily. Based on this organizations have formulated their own codes of ethics that its members should abide by which is a collaborative effort that aims to raise awareness of computer responsibility (Whitman & Mattord, 2009). 3.0 Research methods and approach A random assessment of information security variables was used and a model constructed with all these variables: the law, policy and behavior. The data was collected using questionnaires and interviews to provide information about the underlying factors that affect the ethical behaviors of individuals. The inter-relationships between these variables and the overall effect they have on the ethical judgments of individuals. 4.0 Application of the law and ethics in information security Information security is governed by laws and ethics which are determined to maintain balance in the society. Laws prohibit certain behavior while ethics are socially acceptable behaviors (Whitman & Mattord, 2009).Organizational ethics are drawn from the moral attitudes and the customs of the organization. Actions that move away from what is viewed as acceptable behavior may be punished by the law as a crime. An organization’s legal environment influences the scale in which the information security professionals are able to guarantee the safety of the organization’s information (Whitman & Mattord, 2010).The law enforcement is contacted first due their capacity to handle physical security threats but they are ill equipped to handle electronic crime. An organization needs to support and encourage strong ethical conduct by its employees because even though there may be no criminal behavior the organization has legal obligation even if no law has been violated (Whitman & Mattord, 2009).The organization may be liable to pay financial compensation for the wrong its employees or representatives may commit while acting for the organization. In today’s litigious society information security professionals play an important role in controlling the liability for security risks. Employees and management need to be educated on their ethical and legal obligations and the use of information security and information technology and this will help organizations focus on their core objectives (Whitman & Mattord, 2009). 4.1 Due care, diligence, ethics and information security An organization exercises due care when it has ensured that all the members of the organization; employees and management alike, have knowledge of what is right and what is wrong and the consequences of unethical actions. The legal obligation of an organization is increased if it fails to exercise due care and ends up doing an illegal act that causes harm or injuries to others (Quigley, 2004) Due care is a concept that promotes the common good and maintains usual observances (Whitman & Mattord, 2010). Due diligence on the other hand are the valid endeavors by the organization to protect others and their continued efforts in maintaining this level of effort (Whitman & Mattord, 2009). It refers to honesty in fact and in intent and examples include: Training of employees in information security is a standard of due care measure that is aimed at protecting information assets. Buying insurance policy to protect the physical assets against loss Requiring statements from employees that acknowledge the computer security requirements that have been understood. 4.2 Policy versus law Security in an organization is maintained by enforcing policies. Policies are organizational laws and sanctions that require compliance (Whitman & Mattord, 2010). They are the expectations that portray acceptable behavior in the workplace by employees and function as laws. Due to their function they are crafted to ensure their applicability to everyone in the organization and must meet the following criteria: Uniform enforcement- policies are put into effect regardless of the status of employees. This ensures compliance from quotas of the organization Compliance- employees need to agree that they comply with the policy by either committing their signatures to a document indicating that they fully understand and agree to comply with the policy. Review- the organization needs to distribute the policy document in a form that is understandable for the employees to read and understand. Distribution- the policy document need to be readily available to employees in formats that they can easily access to enable them review it. Comprehension- the organization needs to ensure that the employees had understood the policy and its requirements The law is determined by the legal environment in which an organization operates in. the law is categorized into: Civil law which encompasses laws that pertain to relationships among organizations and individuals. Criminal law which addresses violations against the society prosecuted by the state Public law which is a regulator of the administration and structure of government agencies and the relationship with citizens and government Private law which regulates the relationship between the organization and individuals Tort law which allows individuals to seek justice in the event of physical and financial injury The United States has developed and implemented information security legislation to prevent the exploitation of information technology (Whitman & Mattord 2009). This legislation will go a long way in the development of information security which will promote a stable economic environment. This legislation specifies the punishment and penalties for individuals and organizations that fail to adhere to these requirements. 5.0 General categories of unethical and illegal behavior The general computer crimes are punishable by imprisonment for up to twenty years and fines. The computer fraud and abuse act is the bedrock of computer laws and has had amendments made to it that are relevant today to include crimes that were previously nonexistent. The harshness of the penalty depends on the value of information that has been acquired. The general categories of unethical behavior are: Criminal actions Financial gain Commercial advantage Amendments to the information laws have included the current threats of terrorism and have revised criminal penalties associated with terrorism activities. 5.1 Privacy of information Privacy is one of the core issues in information security and so the government has had to step in to guarantee the privacy of its citizens. Though privacy is not complete freedom from observation but being free from unwarranted infringement and has necessitated privacy laws to be formulated (Workman et al., 2008). 5.20 Privacy of customer information The privacy of customer information section guarantees that proprietary information is used explicitly for purposes of providing services and this information is only disclosed in the provision of services (Workman et al., 2008). This guarantees individual privacy because of the regulation by government. 5.21 The electronic communications privacy Act of 1986 This act regulates interception of electronic communications but in conjunction with the fourth amendment that protects against unlawful arrests (Whitman & Mattord, 2010). 5.22 The Kennedy- Kassebaum Act of 1996 The act protects the security of health care documents by evening out electronic data exchange. Health care organizations face stiff penalties when they fail to comply with the provisions of the act. The act requires these organizations to keep health care information and use mechanisms that guarantee the security of this information. This act prohibits the distribution of private health information without documented consent and gives the patient the right to know who has access to their private medical information (Whitman & Mattord, 2010). 5.23 Gramm-Leach Bliley Act of 1999 This act requires all financial institutions to disclose their privacy policies on the sharing of nonpublic personal information. This act ensures that information is not shared out to third parties without due notice to the financial institutions customers (Whitman & Mattord, 2010). 5.3 Identity theft This occurs when someone else uses information that personally identifies you without your knowledge to commit a crime (Whitman 2004). Identity theft laws criminalizes the possession or use of false identification documents or equipment that aid in falsifying documents and this attracts a penalty of 25 years with a fine that is determined by the courts. 6.0 Results The results were concurrent with the empirical theories of deterrence and planned behavior which explain the effects of controls on the behavior of individuals. Organizational controls together with education and training provide employees with laid out policy of the organization and this provides the knowledge that when crime is committed there will be punishment. 7.0 Scope and limitations The report covers empirical studies in deterrent theory and planned behavior in information security. These theories explain the ethical behaviors and judgments of individuals that direct behavior. 8.0 The best method for preventing unethical activities Information security personnel should use all means at their disposal to protect information and systems such as education and training, policy and technology (Whitman, 2004). Addressing the causes of the unethical behavior will help in deterring unethical behavior because approaches that address the real issues will be used. The causes of unethical behavior are accidents, ignorance and intentional actions (Whitman & Mattord, 2010). The most appropriate method for preventing unethical activities is deterrence which encompasses various methods such as policies and laws and other technical controls. However laws and policies act as deterrents if: The potential offenders believe for a fact that a penalty will be administered. The potential offenders fear the penalty because of the threat of imprisonment The potential offenders believe that there is a strong possibility of them being caught and this instills in them a fear that restrains them from unethical behavior. The deterrence theory as it relates to the criminal justice system has succeeded in keeping communities safe on many levels (Workman, 2007). The general deterrence theory suggests that controls serve as deterrence mechanisms because of the perceived threat of punishment for misusing information systems. The intention to misuse information is reduced because of the increased awareness of security measure that clearly spell out the certainty and severity of misuse of organization information systems (D’Arcy et al., 2009). The theory of planned behavior states that behavioral control predicts behavioral achievement and so to achieve successful behavior behavioral control needs to be exercised (Mohammed & Shen, 2008). This theory constructs perceived behavioral controls with relations to the beliefs, intent and behavior concerned with how well a person can carry out courses of action that are required to handle specific situations (Ajzen, 2006). 9.0 Conclusion The revolution that was brought about by computer technology has been unrivalled. The internet has managed to remove the physical boundaries that separate people and brought about the existence of one culture. Computer systems store immense amounts of information and so the need for computer security to protect this information. The development of computer ethics in organizations has helped in minimizing outside intrusions. Establishment of a code of ethics to be used has a positive effect on the opinions of people regarding the use of computers. Professional bodies that have established a code of ethics guarantee that their members will practice ethical principles and standards that help in deterring them from violating the ethical standards laid out by the body. Organizations have the responsibility of developing and distributing its ethical policies and also enforcing them in the organization. Information security professionals ought also to be informed about the ethical issues that their professions demand of. The expectation is that these professional conduct themselves ethically according to the laid out policies of their organizations and the laid out laws of society. 10.0 References Ajzen, I. 2006. Behavioral interventions based on the theory of planned behavior. Available on http:// people.umass.edu/aizen/pdf/tpb.intervention.pdf [Accessed 24 March, 2011] Buchanan, D. & Huczynski, A. 2004. Organizational behavior: An introductory text. New York: Prentice hall. D’Arcy, J.et al., 2009. User awareness of security countermeasures and its impact on information system misuse: a deterrence approach. Journal of information system research. vol.20 no.1. Dinev, T. et al. 2008. User behavior towards protective information technologies: the role of national cultural differences. Information science and technology journal, vol.19 no.4. Mohammed, K. & Shen, K.N. 2008. Drivers for transactional b2c m-commerce adoption: Extended theory of planned behavior. The journal of computer information systems. Quigley, M. 2004. Information security and ethics: Social and organizational issues. New York: Idea group Inc. Quigley, M. 2004. On the role of human morality in information system security: from problems of description to non-descriptive foundations. Information resources management journal, vol.14 no.4, 15-23. Whitman, M. 2004. In defense of the realm: understanding the threats to information security. International journal of information management. 24(1). Whitman, M.E. & Mattord, H.J. 2009. Principles of information technology. New York: Cengage learning. Whitman, M.E. & Mattord, H.J. 2010. Management of information security. New York: Cengage learning. Workman, M. et al. 2001. Security lapses and the omission of information security measures: A threat control model and empirical test. Computers in human behavior. 24(6), 2799-2816. Workman, M. 2007. Punishment and ethics deterrents: a study of insider security contravention. Journal of the American society for information science and technology, 58(2). Read More