Business Information Systems - Assignment Example

Summary
The paper "Business Information Systems" is a good example of an information technology assignment. According to Pfleeger and Pfleeger (2003, p. 209), "something the user is" is one of the authentication mechanisms used by a computing system to identify anyone who attempts to log into it. It usually consists of biometrics which capture the physical and physiological features of the user…

Extract of sample "Business Information Systems"

MIS101 – Assignment Template – Trimester 1, 2015
Your Name: Insert your name here
Student Number: Insert your student ID number here
Deakin Email: Insert your Deakin email address here

Assignment – Part A

Question 1: Provide a brief explanation of each of the following security terms and provide an example of each. (~250 Words)

Something the user is …
According to Pfleeger and Pfleeger (2003, p. 209), "something the user is" is one of the authentication mechanisms used by a computing system to identify anyone who attempts to log into it. It usually consists of biometrics which capture the physical and physiological features of the user. Examples of such biometric authenticators are iris recognition or retina scans; fingerprint, handprint or palm scans; finger geometry; vein pattern; and the face, a picture of the face or facial characteristics. Cranor and Garfinkel (2005, p. 109) further observe that biometric authentication mechanisms can also be based on behavioural biometrics. Examples of these include patterns of computer mouse use, and keystroke dynamics or latencies when using the computer keyboard.

Something the user has …
Rainer and Cegielski (2010, p. 102) identify another authentication mechanism as something the user has. Examples of authenticators used through this mechanism are regular identification (ID) cards, tokens and smart ID cards. Regular ID cards usually bear the picture and signature of the user being authenticated. Smart ID cards store the user information within an embedded chip. Tokens, on the other hand, have an embedded chip and a digital display that indicates the log-in number of the user. The log-in number is changed with each login.

Something the user knows …
Speed (2012, p. 277) notes this to be a third authentication mechanism. It requires that the user know some piece of information, in addition to their identification, for their login attempt to be successful. Examples of these authenticators include a personal identification number (PIN), an answer to a secret question, a pass phrase or a password.

Something the user does …
Pfleeger and Pfleeger (2003, p. 209) point out that this is a fourth authentication mechanism. It makes use of voice recognition and signature dynamics. In voice recognition, for example, the user is required to speak a pre-recorded phrase such as their name, and a match of the two voice signals authenticates them. Signature recognition requires that the user sign their name, and the signature is matched to a pre-recorded signature, including the speed and pressure of the signature.

Question 2: Briefly discuss the following: is it ethical for an employer to monitor their staff's usage of the Internet at work? List three (3) acceptable and three (3) unacceptable activities you would include in an 'acceptable internet usage' policy. (~250 Words)

Yes, it is ethical for an employer to monitor their staff's usage of the internet at work. According to Cartelli (2012, p. 211), there are many reasons why the employer would be justified in doing so. Some of these reasons are to minimize the security risks associated with certain online activities, to ensure stable productivity by actually confirming that the staff are working, to protect against liabilities associated with security breaches and leaked stakeholder information, to remain legislatively compliant with existing regulations, and for purposes of conducting performance evaluation and gathering user feedback. Daft and Marcic (2010, p. 504) observe that, according to the courts, it is the right of the organization to monitor "any and all" activities of the employees conducted on the computers bought by the employer for work purposes. An "acceptable internet usage policy" should state whether, and when, the employees are allowed to use the workplace internet for personal use.

Some acceptable internet usage activities are:
  • Not revealing personal or company information to unauthorized users, unless compelled by the law
  • Notifying the network or system administrator of any security problems that are identified in the process of internet usage, and refraining from demonstrating the problem to other users
  • Using the organization's network in such a manner that other users also enjoy the full benefits of its availability

Some unacceptable internet usage activities are:
  • Sending or posting information that defames the company, or its clients, staff, or products and services
  • Sending or posting messages or images that are threatening, harassing or discriminatory
  • Making representations of the organization using personal views

Question 3: List and describe the three fundamental tenets of Ethics in a business environment. Explain why 'unethical is not necessarily illegal' and give an example that shows this. (~250 Words)

According to the Information Resources Management Association (2001, p. 33), ethics is "doing the right or proper thing for the right reasons". It involves engaging in behaviour that is moral. Three approaches to ethics have been produced from ethical thinking spanning a long time:
  • The motivational approach considers the virtues of the moral agent, in relation to the ideals that are accepted by their culture. One such virtue is honesty. In business, open and honest communication is necessary when dealing with clients, colleagues and associates.
  • The principled approach highlights the means used to sustain or implement ethical behaviour. These include rules, duties, laws and principles. Within these means is the ethical tenet of professionalism. It is the principle of any ethical business entity to give high priority to the best interests of the customer.
  • The consequentialist approach relates to the goals of an action and the result of such an action. The most acknowledged action related to this approach is utilitarianism, whose goal is to produce the most good for the largest number of people. Within this, one can recognize the quality of fairness. Business entities should give an account of situations in a manner that is balanced. They should share available business information with all relevant parties, and equally grant them opportunities, without favouritism.

An unethical act may not always be illegal because ethics are guided by the moral principles of the doer of the action as defined by their cultural environment, while the legality of an action is defined by the laws put in place and enforced by the government. For example, a mining company may choose not to compensate or relocate the residents of the area adjacent to a mining site for the inconveniences caused by the mining activities. This may be considered unethical but not illegal if the law does not require the company to extend such relief to the residents.

Question 4: Informed consent is an important consideration for an organisation's customers and their Privacy Policy. Identify and describe the two models of informed consent typically used in e-Commerce and Social Networking sites' privacy policies. Which is the preferred option? Justify your answer. (~250 Words)

Rainer and Cegielski (2010, p. 116) take note of two models of informed consent, namely opt-in and opt-out. The opt-in model of informed consent prohibits the business from collecting any information that is considered private and personal to the customer, unless the customer expressly gives authorization. The opt-out model of informed consent permits the business to collect the personal information of the customer until the customer objects to any further collection or sharing of their data.

The opt-out model is the more popular and preferred model typically used in e-Commerce and social networking sites. This is because currently, not much detailed distinction is made of what one signs up for, be it an online newsletter or catalogue. These two entities are not very transparent when it comes to collecting the information of the users of their services. The motivation behind such practices is the grey areas that the law has left by not keeping pace with technology. Users can only exercise control over their data when they have knowledge that such data is being sought after by an entity, and by being given the choice of opting in or opting out of such data collection activities. In the case of the opt-out model, the user of the social networking site or e-Commerce service has to actively make an effort to remove themselves from any data collection or sharing of their information. An entity that sells this information may not make the steps of opting out as readily available or understandable to the average user of their service. The opt-out strategy is especially preferred because consumers are usually ignorant of the tracking and collection of data based on their interests, likes, or personal information.

Assignment – Part B

A case study analysis using Toulmin's Model of Argument (~600 WORDS)
Use the Toulmin Table provided for your answers.

Element: Sentence/s

Claim: Australian business is an 'easy target' for cyber attacks.

Evidence: A study conducted by Ernst & Young found that 80 percent of Australian businesses believe that they face an increasing threat of cyber-attacks. The study also found that 51 percent of these companies believe that they do not have in place the systems necessary to detect such attacks. EY's Global Information Security Survey (GISS) also revealed that more than 50 percent of Australian companies lack the skillset, agility and finances necessary to address cyber security demands. This is characterised by the annual InfoSec budget remaining unchanged or decreasing. GISS further observed that 34 percent of the businesses had no real-time means to monitor cyber risks; 55 percent lacked the skilled resources necessary to fortify or implement their information security program; and only 17 percent had met the requirements for in-house security operations.

Warrant: It can be argued that Australia does not have many enemies. With such a perception, Australian businesses may not be adequately prepared for cyber-attacks. Cyber-attacks are viewed as an economic activity by the cyber-criminals. Any smart business-person will grab an opportunity in an area of business with most opportunities and limited competition. In the same way, the cyber-criminals will target organizations whose information security bar is "set lower". Cyber-attacks are also motivated by the need to extort others, revenge for perceived or actual wrongs done, and activism.

Backing: Many small business enterprises do not have the kind of security mechanisms that are characteristic of enterprise-level security. As a result, it is very easy for cyber-criminals to gain access to their websites and internal systems, and the information therein. There is a poor uptake of cyber-insurance in Australia. Cyber-insurance would go a long way in cushioning a business in the event of a cyber-attack. It would help the business cover costs related to lost income, damage to brand, legal fees, liabilities, fines and penalties, and compensation fees. Yet Australian businesses do not seem to really recognize this importance.

Rebuttal: It has been previously argued that there are no Australian government mechanisms to combat cyber-crime. As of 2014, the Australian Cyber Centre was established by the government. There are isolated "islands" of cyber-crime awareness in which concrete steps have been made to thwart possible cyber-attacks. These take the form of businesses like the big banks, telecommunication companies and some resource companies.

Qualifier: Cyber-insurance is a necessity for any business that applies e-Commerce in its operations. Besides the financial relief it offers to the business in the event of a cyber-attack, it also makes the business more attractive to customers, who may feel more confident that the necessary measures have been taken to safeguard their interests. Inadequate implementation of information security programs leaves organizations vulnerable to even the simplest of security breaches. Any security mechanisms that have been put in place in most Australian businesses have been set up informally, and without the proper structures. Any decent information security program will thwart most cyber-attacks, unless the attack is specifically targeted at an entity.

Your Opinion: I believe that cyber-attacks are becoming a more common phenomenon than they were in the past. It is not only Australian businesses that are being viewed as soft targets for such attacks. Any business with an inadequate information security program is prone to a cyber-attack. Some businesses are also not as conscious of the reality of cyber-crime as they have not been affected. Conversely, they may have already been compromised and their infrastructure is currently being exploited illegally and covertly to implement other cyber-attacks, and the business owners are none the wiser.

Reference List:

Cartelli, A (ed.) 2012, Current Trends and Future Practices for Digital Literacy and Competence, IGI Global, Hershey, PA.

Cranor, LF & Garfinkel, S 2005, Security and Usability: Designing Secure Systems that People Can Use, O'Reilly Media, Inc., Sebastopol, CA.

Daft, R & Marcic, D 2010, Understanding Management, 7th edn, Cengage Learning, Stamford, CT.

Information Resources Management Association 2001, International Conference, Managing Information Technology in a Global Economy, Idea Group Inc (IGI), Hershey, PA.

Pfleeger, CP & Pfleeger, SL 2003, Security in Computing, Prentice Hall Professional, Upper Saddle River, NJ.

Rainer, RK & Cegielski, CG 2010, Introduction to Information Systems: Enabling and Transforming Business, 3rd edn, John Wiley & Sons, Hoboken, NJ.

Speed, TJ 2012, Asset Protection through Security Awareness, CRC Press, Boca Raton, FL.