
Professional Ethics and Environmental Protection Sonargaon University HUM2201 Lec-01


Introduction to Computer Ethics
GEORGE REYNOLDS
ETHICS IN INFORMATION TECHNOLOGY
THOMSON COURSE TECHNOLOGY, SECOND EDITION
Introduction to Ethics
Quote from Aristotle:
“Man, when perfected, is the best of the animals, but when separated from law and justice, he is the worst of all”
What is Ethics?
• Each society forms a set of rules that establishes the boundaries of generally accepted behavior.
• These rules are often expressed in statements about how people should behave, and they fit together to form the moral code by which a society lives.
• Ethics is the set of beliefs about right and wrong behavior.
• Ethical behavior conforms to generally accepted social norms, many of which are almost universal.
• Virtues are habits that incline people to do what is acceptable, and vices are habits of unacceptable behavior.
• People’s virtues and vices help define their value system – the complex scheme of moral values by which they live.
Professional Codes of Ethics
• A professional code of ethics states the principles and core values that are essential to the work of a particular occupational group.
• Association of Computing Machinery (ACM, founded 1947) has a code of ethics and professional conduct.
• Association of Information Technology Professionals (AITP, founded 1996) provides quality IT-related education, information on relevant IT issues, and forums for networking with experienced peers and other IT professionals. The AITP also has a code of ethics.
Common Ethical Issues for IT Users
• Software Piracy: a common violation occurs when employees copy software from their work computers for use at home.
• Inappropriate Use of Computing Resources: some employees use their work computers to surf popular Web sites that have nothing to do with their jobs.
Common Ethical Issues for IT Users
• Inappropriate Sharing of Information:
  • Organizations store vast amounts of information that can be classified as private or confidential.
  • Private data describes individual employees – for example, salary, attendance, performance rating, health record.
  • Confidential information describes a company and its operations: sales, promotion plans, research and development.
  • Sharing this information with an unauthorized party, even inadvertently, violates someone’s privacy or creates the potential that company information could fall into the hands of competitors.
Supporting The Ethical Practices of IT Users
• Defining and Limiting the Appropriate Use of IT Resources
  • Companies must develop, communicate and enforce written guidelines that encourage employees to respect corporate IT resources and use them to enhance their job performance.
  • Effective guidelines allow some level of personal use while prohibiting employees from visiting objectionable Web sites or using company e-mail to send offensive or harassing messages.
Supporting The Ethical Practices of IT Users
• Establishing Guidelines for Use of Company Software
  • Company IT managers must provide clear rules that govern the use of home computers and associated software.
  • The goal should be to ensure that employees have legal copies of all software.
• Structuring Information Systems to Protect Data and Information
  • Implement systems and procedures that limit data access to employees who need it.
  • Employees should be prohibited from accessing data about research and development results, product formulae, and staffing projections if they don’t need it to do their job.
Supporting The Ethical Practices of IT Users
• Installing and Maintaining a Corporate Firewall
  • A firewall is a software or hardware device that serves as a barrier between a company and the outside world and limits access to the company’s network based on the Internet usage policy.
  • A firewall can be configured to serve as an effective deterrent to unauthorized Web surfing by blocking access to specific, objectionable Web sites.
  • A firewall can serve as an effective barrier to incoming e-mail from certain Web sites, companies or users.
  • It can be programmed to block e-mail with certain kinds of attachments, which reduces the risk of harmful computer viruses.
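The attachment-blocking rule from this slide, written as a mail-gateway check. This is an added example, not part of the original lecture; the block list, function names and sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed block list for this example (constructed, not from the slides).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".docm", ".xlsm"}

def final_extension(filename):
    """Return the last extension, lower-cased, ignoring trailing dots/spaces."""
    cleaned = filename.strip().rstrip(". ").lower()
    return "." + cleaned.rsplit(".", 1)[1] if "." in cleaned else ""

def blocked_attachments(raw_bytes):
    """List attachment filenames in a raw message that the policy rejects."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    # walk() visits every MIME part, including parts of a forwarded
    # message/rfc822 attachment, so nesting does not hide a file.
    for part in msg.walk():
        name = part.get_filename()
        # Judge "invoice.pdf.EXE" by .exe, not by the harmless-looking .pdf.
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits

def verdict(raw_bytes):
    """Gateway decision: reject the message if any attachment is blocked."""
    hits = blocked_attachments(raw_bytes)
    return ("REJECT", hits) if hits else ("ACCEPT", [])

def build_sample(filename=None, forwarded=None):
    """Build a constructed test message (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "employee@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    if filename:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    if forwarded is not None:
        inner = email.message_from_bytes(forwarded, policy=policy.default)
        msg.add_attachment(inner)
    return msg.as_bytes()

if __name__ == "__main__":
    for name in ("report.pdf", "invoice.pdf.EXE", "setup.exe."):
        print(name, verdict(build_sample(name)))
```

The check looks only at the file name, so a file renamed to an allowed extension passes; it reduces risk, as the slide says, rather than removing it.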
Computer and Internet Crime
IT Security Incidents
• The security of IT used in business is very important.
• Although the necessity of security is obvious, it often must be balanced against other business needs and issues.
• IT professionals and IT users all face a number of ethical decisions regarding IT security:
Ethical Decisions Regarding IT Security
• Business managers, IT professionals, and IT users all face a number of ethical decisions regarding IT security:
  • If their firm is a victim of a computer crime, should they pursue prosecution of the criminals at all costs, should they maintain a low profile to avoid the negative publicity, must they inform their affected customers, or should they take some other actions?
  • How much effort and money should be spent to safeguard against computer crime (how safe is safe enough)?
Ethical Decisions Regarding IT Security
  • If their firm produces software with defects that allow hackers to attack customer data and computers, what actions should they take?
  • What tactics should management ask employees to use to gather competitive intelligence without doing anything illegal?
  • What should be done if recommended computer security safeguards make life more difficult for customers and employees, resulting in lost sales and increasing costs?
What could be done to deal with the increasing number of IT-related security incidents, not only in the USA but around the world?
• To deal with the incidents, the Computer Emergency Response Team Coordination Center (CERT/CC) was established in 1988 at the Software Engineering Institute (SEI) – a federally funded research and development center at Carnegie Mellon:
  • Study Internet security vulnerabilities
  • Handle computer security incidents
  • Publish security alerts
  • Research long-term changes in networked systems
  • Develop information and training
  • Conduct ongoing public awareness campaigns
Challenges
• Increasing complexity increases vulnerability:
  • The computing environment has become very complex.
  • Networks, computers, OS, applications, Web sites, switches, routers and gateways are interconnected and driven by hundreds of millions of lines of code.
  • The number of possible entry points to a network expands continually as more devices are added, increasing the possibility of security breaches.
Challenges
• Higher computer user expectations:
  • Time means money.
  • Help desks are under intense pressure to provide fast responses to users’ questions.
  • Sometimes the help desk forgets to verify users’ identities, or to check authorization to perform a requested action.
Challenges
• Increased reliance on commercial software with known vulnerabilities:
  • An exploit is an attack on an information system that takes advantage of a particular system vulnerability. Often, this attack is due to poor system design or implementation.
  • Once a vulnerability is discovered, software developers create and issue a “fix” or patch to eliminate the problem. Users are responsible for obtaining and installing the patch. Any delay in installing a patch exposes the user to a security breach.
  • The rate of discovering software vulnerabilities exceeds 10 per day, creating a serious work overload for developers who are responsible for security fixes.
Types of Attacks
• Security incidents can take many forms, but one of the most frequent is an attack on a networked computer from an outside source.
• Most attacks involve:
  • Viruses
  • Worms
  • Trojan Horses
  • Denial-of-Service (DoS)
Viruses
• Computer virus has become an umbrella term for many types of malicious code.
• Technically, a virus is a piece of programming code that seeks out other programs and “infects” a file by embedding a copy of itself inside the program. The infected program is often called a virus host. When the host procedure runs, the virus code runs as well and performs the instructions it was intended to perform.
• A virus needs a host to infect. Without a host, the virus cannot replicate.
Viruses
• Viruses cause some unexpected and usually undesirable event.
• Most viruses deliver a “payload” or malicious act. For example, the virus may be programmed to display a certain message on the screen, delete or modify a certain document, or reformat the hard drive.
• A true virus doesn’t spread itself from computer to computer. To propagate to other machines, it must be passed through e-mail attachments, shared files, etc. It takes action by the computer user to spread a virus.
• Macro virus: attackers use an application macro language (Visual Basic Scripting) to create programs that infect documents and templates. After an infected document is opened, the virus is executed and infects the user’s application template. Macros can insert unwanted words, numbers or phrases into documents. After a macro virus infects a user’s application, it can embed itself in all future documents created with the application.
Viruses
• A virus is a program that can be broken into three functional parts:
  • Replication
  • Concealment
  • Bomb
Worms
• A worm is different from a virus in that it is a standalone program.
• A typical worm maintains only a functional copy of itself in active memory and duplicates itself. Worms differ from viruses because they can propagate without human intervention, sending copies of themselves to other computers by e-mail, for example.
• In the last few years, the boundary between worms and viruses has become increasingly blurry, starting with Melissa (1999).
• Melissa was a worm/virus hybrid that could infect a system like a virus by modifying documents to include quotes from The Simpsons TV show. But it could also use the Address Book in Microsoft Outlook and Outlook Express to resend itself like a worm to other clients, who were then subsequently infected by an attached document (which might be a confidential document).
Trojan Horse
• The Trojan horse is an application that hides a nasty surprise.
• The Trojan horse is a program that a hacker secretly installs on a computer.
• The program’s harmful payload can allow the hacker to steal passwords and SSNs, or spy on users by recording keystrokes and transmitting them to a server operated by a third party. The data may then be sold to criminals who use this info to obtain credit cards.
Trojan Horse
• The Trojan horse is a standalone application that appears to perform some helpful or neutral purpose, but is actually performing a malicious act while the user watches the program appear to do something else.
• A Trojan horse doesn’t replicate itself, and doesn’t attach itself to other files.
Logic Bomb
• A type of Trojan horse that executes under specific conditions.
• A logic bomb can execute based on a date and time, or when you shut down your machine for the 33rd time, or based on typing a specific series of keystrokes. Any event works.
