1. Why organizations are heavily reliant on information systems.
Information technology and organizations influence each other, depending on the organization’s structure, business processes, politics, culture, environment and management decisions. IT security should be viewed as a necessary cost of doing business. Work on IT and information security with companies in a wide range of industries, including banking, insurance, defense, aerospace, industrial goods, energy, raw materials, telecommunications, and logistics, has identified a number of other actions that executives can take to improve their companies’ chances of success.
To compete and succeed in the global market, information technology is important in a competitive environment. Global investment in information technology expanded by 30 percent in the period 2005 to 2015 (Kenneth C. Laudon, Jane P. Laudon, 2018). IT investment now accounts for an estimated 20 percent of all capital investment. Information systems are transforming business through the mobile digital platform, systems used to improve customer experience, respond to customer demand and reduce inventories, growing online newspaper readership, expanding e-commerce and internet advertising, and new federal security and accounting laws. Firms invest heavily in information systems to achieve six strategic business objectives.
These are operational excellence; new products, services, and business models; customer and supplier intimacy; improved decision making; competitive advantage; and survival. An IT platform can lead to changes in business objectives and strategies. Businesses rely on information systems to help them achieve their goals and attain higher profitability. Information systems improve decision making by providing accurate information. Information technology is an important tool for achieving greater efficiency and productivity. Information systems help organizations achieve competitive advantage by delivering better performance, charging less for superior products, and responding to customers and suppliers in real time (examples: Apple, Walmart, UPS).
Competitiveness was very often increased because of great cost savings and better service to clients. Communication and interorganizational systems seemed to be very important in this respect. Nowadays, organizations compete to improve their capabilities in order to survive in the global market. Effective and timely decisions that best achieve the organization’s goals are easier to make when appropriate information from internal and external sources is used (Karim, 2011). Karim (2011) stated that “information is an arrangement of people, data, process, and information technology that interact to collect, process, store and provide as output the information needed to support an organization.” “If the relevant information required in a decision-making process or an organization planning is not available at the appropriate time, then there is a good chance to be a poor organization planning and priority of needs, inappropriate decision-making and defective programming” (Adebayo, 2007).
In postindustrial organizations, authority progressively relies on knowledge and competence rather than formal positions, given sufficient information technology. Because competitive advantage is difficult to sustain, organizations need to innovate continuously. In order to stay ahead, systems used strategically may become tools for survival and for firm value chains.
The reasons why information systems are critical are operational excellence; new products, services, and business models; customer and supplier intimacy; improved decision making; competitive advantage; and survival.
2. Outline the various types of security threats to any information systems.
The Internet is becoming the dominant platform for life in the 21st century. Organizations face related situations and must contend with their specific probable threats. The aim of computer security professionals is to protect valuable information and system resources. A distinction can be made between the security of system resources, known as system security, and the security of information or data, known as information security or data security.
System security is the protection of the hardware and software of a computer system against malicious programs (Spinello, R. and Tavani, H., 2001). Most businesses make risk identification, assessment, and mitigation a high priority. There is a specific type of threat today for which many companies. Information security is a serious problem for individuals and organizations because it can lead to unlimited financial losses. Information systems are exposed to different types of security risks. The types of damage caused by security threats differ, ranging from database integrity breaches to physical destruction of an entire information systems facility caused by fire, flood, etc.
The sources of those threats can be unwanted activities of trusted employees, hackers’ attacks, accidental mistakes in data entry, etc. Information systems are vulnerable because of the accessibility of networks; hardware problems such as breakdowns; software problems such as programming errors and unauthorized changes; disasters; use of networks outside of the firm’s control; and loss of portable devices (Kenneth C. Laudon, Jane P. Laudon, 2018). Risks arise easily because the network is open to anyone; the size of the internet means abuses can have wide impact; the use of fixed internet addresses with cable and DSL modems creates fixed targets for hackers; VoIP is unencrypted; and e-mail can be intercepted or carry attachments with malicious software. Wireless security is breached easily because radio frequency bands are easy to scan. Service set identifiers (SSIDs), which identify access points, are broadcast multiple times and can be identified by sniffer programs; in war driving, eavesdroppers drive by buildings and try to gain access to the network and its resources. Malware (malicious software) includes viruses and worms; worms can operate on their own without attaching to other computer program files and can spread much more rapidly than computer viruses.
Worms and viruses spread by drive-by download, that is, malware that comes with a downloaded file that a user intentionally or unintentionally requests, and by e-mail and IM attachments, and they destroy data and programs. Hackers can request malicious files without user intervention, delete files, transmit files, install programs that run in the background to monitor user actions, and potentially convert a smartphone into a robot in a botnet that sends e-mail and text messages to anyone. There is also mobile device malware and social network malware. Hackers and crackers cause intentional disruption or damage to a website or information system and gain unauthorized access by finding weaknesses in computer systems. Hackers may flood a network server or Web server with many thousands of false communications, or use spoofing to redirect a Web link to an address different from the intended one. It’s very damaging and difficult to detect.
These are an extremely serious threat because they can be used to launch very large attacks using many different techniques. Computers can be targets of crime, as in breaching the confidentiality of protected computerized data, and computers may be instruments of crime, as in theft of trade secrets; unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video; schemes to defraud; using e-mail for threats or harassment; intentionally attempting to intercept electronic communication; illegally accessing stored electronic communications, including e-mail and voice mail; and transmitting or possessing child pornography using a computer. Hackers may aim at identity theft, using stolen information to obtain credit, merchandise, or services in the name of the victim, as well as phishing, evil twins, pharming, click fraud, cyber-terrorism and cyber-warfare. The sources of threats can be inside or outside the attacked system. Organizations and their security systems are usually focused on protecting themselves from threats that originate outside the system. Threats that come from inside are often not considered.
Because it is possible in this way to determine what we are protecting the information system from, limited resources can be used more efficiently.
3. Examine the impacts of ransomware on business organizations.
It will not be surprising if ransomware changes in a few years.
A key area that could become a bigger target for cybercriminals is payment systems, as seen with the Bay Area Transit attack in 2016, where the service provider’s payment kiosks were targeted with ransomware (web link 3). “The Bitcoin Connection: with the exception of some ransomware families that demand high amounts, ransomware alternates typically ask for 0.5–5 Bitcoins (as of 2016) in exchange for a decrypt key. This is important for two reasons—some variants increase the ransom as more time elapses with nonpayment, and the Bitcoin exchange rate is on the rise. In January 2016, 1 BTC was worth US$431. Bitcoin’s value has risen dramatically since then, topping out at US$1,082.55 at the end of March, 2017” (web link 3).
Ransomware is a type of malware that uses malicious code to intrude into a system before users notice it, encrypt important files, demand money in exchange for the encrypted files, and cause financial damage to users. The rapidly growing mobile market has become a main target of hackers seeking illegal gains from ransomware. The market share of Android OS in Korea is approximately 80% of the total smartphone market, as shown in Table 1. Compared to other operating systems such as iOS, Windows Phone, or Blackberry, Android holds a high market share close to monopoly, while the others combined have less than 15% share in the mobile device market (web link 1). The share of the Android platform is so high that the platform is the main target of ransomware attacks.
Cases of damage to Android-based smartphones have been growing continuously. A traditional vaccine system can detect whether a system is infected with ransomware and cure it. However, it cannot prevent attacks by ransomware without obtaining information on the ransomware.
In addition, even if the traditional vaccine system can remove the ransomware, files cannot be recovered without the encryption key because they are already encrypted (web link 2). Users can avoid infections by updating the vaccine system from time to time. However, this method has limited efficacy. Existing vaccine systems can detect ransomware using a file-based intrusion detection method (D. Kim and S. Kim, 2015). However, this approach cannot detect modified ransomware with new patterns because it can only prevent ransomware based on analysis information of the ransomware. Therefore, an active instead of a passive prevention method is urgently required.
TABLE 1: Smart device operating system market share. Source: “Worldwide Quarterly Mobile Phone Tracker,” IDC, August 2015.
4. Prepare a prevention and risk mitigation plan to organizations so that the organizations are well prepared to overcome future attacks.
Organizations have very valuable information assets to protect.
Poor security and control may result in serious legal liability. Failed computer systems can lead to significant or total loss of business function. Businesses must protect not only their own information assets but also those of stakeholders. An organization can be held liable for unnecessary risk and harm created if it fails to take appropriate protective action to prevent loss of confidential information (Kenneth C. Laudon, Jane P. Laudon, 2018). Security threats come not only from outside the organization but also originate inside it. A security breach may cut into a firm’s market value almost immediately.
Information system controls may be automated or manual controls unique to each computerized application. To protect its information systems, an organization determines the level of risk to the firm if a specific activity or process is not properly controlled, considering the types of threat, probability of occurrence during the year, potential losses, value of threat and expected annual loss. The organization ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals. It sets up policies, including an acceptable use policy (AUP). The primary attack technologies may or may not cross the firewall as they are executed. Technology isn’t the only source of security risks. Psychological and sociological aspects are also involved (Ponemon Institute, July 2016).
Management identifies valid users and controls access in order to prevent and respond to cyber attacks and data breaches. The organization should monitor for the occurrence of possible cyber attacks and set up policies and procedures for employees to follow, depending on each business unit of the company, such as IT, Human Resources and Legal. The organization should invest in security equipment and procedures to deter or prevent cyber attacks. These include the most up-to-date IT protection measures, for example: having the company’s database on a different web server than the application server, applying the latest security patches, protecting all passwords, using read-only views of documents and materials when possible, maintaining strict input validation, developing network security architecture, monitoring activities and procedures of third-party contractors with access to the computer system (whether direct or remote), performing network scans to assess activity on the network, comparing outbound network traffic to baseline operations, and choosing names for tables and fields that are difficult to guess. If the organization faces a systems breakdown, it should make a disaster recovery plan that devises plans for restoration of disrupted services and focuses on restoring business operations after the disaster. It should assess the financial and organizational impact of each threat by auditing.
After analyzing and planning, the organization should audit and control its information systems and information systems security. The most important tools and technologies for safeguarding information systems are identity management software, authentication, firewalls, intrusion detection systems, antivirus and antispyware software, unified threat management (UTM) systems, Wired Equivalent Privacy (WEP) security, and the Wi-Fi Protected Access (WPA2) specification. Of the two wireless options, WEP is cryptographically weak and easily broken, so WPA2 is the one to deploy. In recent years, new and increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. Two methods of encryption are symmetric key encryption and public key encryption.
Firms must ensure that providers offer adequate protection and need to include key security factors in service level agreements (SLAs) before signing with a cloud service provider. Security policies should include and cover any special requirements for mobile devices. The goal is to contain any attacks quickly and minimize any financial and reputational harm. Some companies delegate responsibility for computer systems security to their chief information officer, who is usually responsible for protecting access to the company’s information technology (IT) system and the privacy and security of information on that system. An individual or organization may receive threats from individuals claiming to have hacked its computer systems and offering to return stolen confidential information in exchange for property. Companies can determine whether the extortionist has done what he claims by isolating areas that may be affected to determine if they have been compromised. They should also determine the feasibility of restoring critical systems where a denial of service attack affects critical infrastructure. This includes assessing whether restoring service will negatively affect collecting evidence in the investigation. They should document all aspects of the investigation and secure and preserve all evidence, including logs of critical system events.
According to NTT Group (2016), if seventy-seven percent of organizations lack a recovery plan, then maybe their resources would be better spent on protective measures. That is why companies should detect an attack in its early stages. The cyber incident response plan should address the recovery of the company’s computer systems by both eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities, and bringing the repaired systems back online.
If systems are restored, management should evaluate how the response team executed the response plan and consider whether the cyber incident response plan can be improved. Where an internal investigation leads to evidence of the attacker’s possible identity, companies should consider preparing formal referrals to law enforcement for possible criminal prosecution. Companies considering this course of action can retain white collar crime or intellectual property counsel to guide them through the investigation, referral and criminal proceedings. The outcome of a criminal prosecution may depend on the company’s ability to provide evidence and testimony. Therefore, the company should be prepared to help the prosecutor present complex computer crime evidence to a judge and jury.
5. As an employee of a highly connected and globalized world, highlight and critically those ethical issues that may arise from using connected devices in an organization.
Ethical analysis of security and privacy issues in information technology largely takes place in computer ethics, which appeared in the 1980s (Herman T. Tavani, 2004). Computer ethics analyzes the rights and responsibilities of computer professionals and computer users, and ethical issues in public policy for information technology development and use.
Many privacy disputes in today’s society result from tensions between people’s right to privacy and state and corporate interests in surveillance. Employees and organizations must know the basic concepts of ethics, namely responsibility, accountability, and liability, and laws should be well known and understood, with an ability to appeal to higher authorities. Confusion arises in cases such as when a person is injured by a machine controlled by software, and in questions such as: is it wrong for a business to read its employees’ e-mail, and is it ethically allowable for computer users to copy copyrighted software? Ethics is mostly concerned with rights, harms and interests; it will be considered what privacy is, why it is important and how it is impacted by information technology. Ethical issues require ethical analysis. Ethical analysis aims to get clear on the facts and values in such cases, to find a balance between the various values, rights and interests that are at stake, and to propose or evaluate policies and courses of action.
Western societies respect a right to personal privacy. The right to privacy was first defended by the American justices Samuel Warren and Louis Brandeis, who defined privacy as “the right to be let alone” (Warren, S. and Brandeis, L, 1890). Privacy is held to be valuable for several reasons.
It is held to be important because it is believed to protect individuals from all kinds of external threats, such as defamation, ridicule, harassment, manipulation, blackmail, theft, subordination, and exclusion. In the information society, privacy protection is realized through all kinds of information privacy laws, policies and directives, or data protection policies. Along with privacy and property laws, new information technologies are challenging existing liability laws and social practices for holding individuals and institutions accountable (Kenneth C. Laudon, Jane P. Laudon, 2018). The ethical importance of computer security will be assessed, as well as the relation between computer security and national security. Information security is customarily defined as concerned with the protection of three aspects of data: their confidentiality, integrity and availability.
Computer security poses ethical issues, which can be seen by exploring the relation between computer security and rights, harms and interests. The most observable damage that can occur from breaches of computer security is economic harm. When system security is undermined, valuable hardware and software may be damaged and service may become unavailable, resulting in losses of time and resources. Breaches of information security may come at an even higher economic cost. Stored data may also have personal, cultural or social value, as opposed to economic value, that can be lost when data is corrupted or lost. Any type of loss of system or data security is moreover likely to cause some amount of psychological or emotional damage.
Compromises of the confidentiality of information may cause additional harms and rights violations. Third parties may compromise the confidentiality of information by accessing, copying and disseminating it. Such actions may, first of all, violate property rights, including intellectual property rights. In addition to violations of property and privacy rights, breaches of confidentiality may also cause a variety of other harms resulting from the dissemination and use of confidential information: a firm may damage its reputation, and compromises of the confidentiality of online credit card transactions undermine trust in the security of online financial transactions and harm e-banking and e-commerce activity. Compromises of the availability of information can, when they are prolonged or intentional, violate freedom rights, specifically rights to freedom of information and free speech.
Freedom of information is the right to access and use public information. Security systems may be so protective of information and system resources that they discourage or prevent stakeholders from accessing information or using services. They may also be discriminatory: they may wrongly exclude certain classes of users from using a system, or may wrongly privilege certain classes of users over others. A recent concern in computer and national security has been the possibility of cyberterrorism, which is defined by Herman Tavani as the execution of “politically motivated hacking operations intended to cause grave harm, that is, resulting in either loss of life or severe economic loss, or both” (Herman T. Tavani, 2004).
A distinction between cyberterrorism and other kinds of cyberattacks may be found in its political nature: cyberterrorism consists of politically motivated operations that aim to cause harm. Ethical analysis of privacy and security issues in computing can help computer professionals and users recognize and resolve ethical dilemmas and can yield ethical policies and guidelines for the use of information technology.