Information Technology and Ethics/Ethics for IT Professionals
The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Ethics_for_IT_Professionals
What Is Ethics
What is Ethics, Morals and Laws
For the unfamiliar reader, ethics are the moral principles woven into a person's or a group's behavior. Ethics are what help an individual make decisions in conformity with society. An individual who is regarded as behaving ethically is considerate of those within a society and follows the norms of that society. An individual who is deemed to have unethical traits is not usually seen as a "good" person within a society that sees behavior of that nature as "bad". The terms "good" and "bad" are within quotation marks because they are largely subjective, in the sense that they only have a meaning in relation to the ethical code of the society. For example, if a neighborhood prides itself on its residents keeping their front yards looking nice, with fresh green grass and clear of debris, and one resident has dried-up grass and garbage scattered across their lawn, the neighborhood may regard the owner of the unkempt lawn as an unethical individual.
According to Dickson (2014, Rundu Campus), ethics are a set of moral principles that govern a person's or group's behavior. Someone is considered to be behaving ethically if they conform to the generally accepted practices of the society or group making that judgment. Most ethically acceptable practices are nearly universal across human cultures, and are increasingly so due to globalization and cultural hegemony. For example, using animals in research, abortion, or using cookies to track users, whereby organizations gather users' information to follow their search behavior and buying patterns on the Internet, are all subject to similar ethical and moral debates in various states. Furthermore, while these topics remain open to debate in their nuances, they are intrinsically seen as amoral and ultimately unnecessary and avoidable. Each society retains a set of rules that sets the boundaries for accepted behavior; these rules are often expressed in statements about how one ought to behave. These statements come together to form a moral code by which a member of a society lives. Morals are those ideas defining what is right and wrong, and these ideas can sometimes come into conflict.
With a basic understanding of ethics out of the way, morality is next on the table. Morality is the difference between right and wrong, or good and bad, behavior. Morality is usually associated with the concepts of moral dilemmas and moral issues. A moral dilemma involves a tough decision between two unwelcome choices, the lesser of two evils. A moral issue is a concern that has the potential to help, or to cause pain and suffering to, someone, including oneself. The most common example of a moral dilemma is the runaway trolley scenario, in which a runaway trolley is barrelling down a track and is not able to brake. On one track are five workers and on the other track is one worker. The difficult decision is whether or not to pull the lever and let one worker die to save the five others. Oftentimes the decision is made more difficult when the one person on the other track is a close friend or loved one. Examples of moral issues include the morality of experiments on animals, the sensitive subject of abortion, and so on.
Dickson (October 19, 2013) also states that one's behavior (morals) follows a set of shared values (manners) within a society, and contributes to the stability of that society. Everyone operates by their own individual moral code, acting with integrity towards that code. Laws, on the other hand, are a system of rules that a society strictly imposes and enforces. Laws aim to be more well defined than morals, so as to limit interpretation and be defensible in practice. States enforce their laws through institutions such as law enforcement, whereas morals are typically enforced through passive interactions by an individual or group. For example, the moral code of a club may be enforced by excluding from participation those who do not abide by the code. While a society's moral code often forms the basis for its legal system, a given law may or may not agree with an individual's moral code, or with the ethical considerations of a society. It is a process that depends not only on the legislation itself, but also on the legislator and on the participation and representation of the citizens' moral values.
Ethics is also most commonly defined as the norms of conduct that distinguish between acceptable and unacceptable behavior [1]. Most individuals learn ethics through social activities and institutions, such as at home, school, and church. As children, we are taught by our parents or guardians what is 'right' and 'wrong'. We gain a more finely tuned understanding as we age, as moral development continues as we mature. Although morality is not to be confused with common sense, ethical norms are often so ubiquitous that one is tempted to assume they are unanimous across cultures.
Ethical theory
Ethical Theory is defined as the attempt to provide a clear, unified account of ethical obligations and practices. Not only does Ethical Theory aim to generalize and unify ethical considerations, it also aims to be a recurrent cycle of reflection. Through exposure to repeated and new situations, ethical theory is iteratively developed and improved for future considerations and precautions regarding ethics.
There are four categories of ethical theory: Consequence-based, duty-based, contract-based, and character-based. These categories are more commonly referred to as: Utilitarianism, Deontology, Rights, and Virtues, respectively.
Consequence-based
Consequence-based ethical theory, also known as 'Consequentialism', judges the morality of an action and decides whether it is right or wrong based on the consequences the action entails. For example, most people would agree that lying is wrong, but if lying could help save a life, consequence-based ethical theory would claim that it is the right thing to do. The most common example of a consequence-based ethical theory is utilitarianism.
Criticisms
Critics of utilitarianism reject its emphasis on the effects of individual acts. They point out that we tend not to deliberate on every single action in our day-to-day activities as if that action were unique. Rather, they argue that we deliberate on the basis of certain principles or general rules that guide our behavior [2]. Consequence-based ethical theory is also criticized because it can be very difficult, and sometimes impossible, to know the result or consequence of an action ahead of time.
Duty-based
Duty-based ethical theory focuses on what people do, rather than on the consequences of their deeds. Under this form of ethics, you cannot justify an action as good merely because it produced good consequences, hence it is sometimes called 'non-Consequentialist'. The theory states that when engaged in decision-making, people should adhere to their ethical obligations and duties. Deontology, a common name for duty-based ethical theory, is derived from the Greek root word 'deon', which means duty. People who support this theory over the consequence-based one claim that morality does not require reward.
Criticisms
Duty-based theory is criticized for a few reasons. Sometimes a person's duties conflict with one another, and this theory has no mechanism to resolve that. Because this theory does not care about positive consequences, it can sometimes lead to negative effects. It also sets absolutist rules, with exceptions being the only way to deal with conflicting cases.
Contract-based
Contract-based theory focuses on moral systems created from contractual agreements.
A well-known early version of this is Thomas Hobbes' Leviathan, which was his outline for a social-contract doctrine. His idea was that this contract gives people motivation to be moral; the rights it establishes are considered ethically correct and valid because many people endorse them.
Criticisms
This theory promotes a minimalist morality, meaning that you are not required to make any effort beyond what the contract entails [2]. Another issue is deciphering what is seen as right in a society. The society needs to determine its goals and priorities, and the most logical way to do so is to use another ethical theory to determine or base those goals on.
One of the biggest criticisms of contract-based morality is therefore that it serves as a very minimalist, 'bare-minimum' approach to morality, where a person will not do anything beyond their contractual agreements, even if doing so would be ethical.
Character-based
Character-based ethics, also referred to as 'Virtue Ethics', focuses on determining what makes an individual good instead of what makes an action good. This theory argues that good people consistently perform good actions. The idea of Virtue Ethics was first formulated by Aristotle.
Criticisms
Character-based ethics is sometimes criticized because it does not accommodate changes in an individual's moral character. It also does not take into account the character of someone who holds conflicting ethical values and can sometimes be good or bad.
Ethical Relativism
Another view of ethics that takes a different approach to what is right and wrong is Ethical Relativism. Ethical Relativism is the doctrine that there is no absolute truth in ethics and that the basis for deciding what is right and wrong varies with the society or person. This argument stems from Herodotus's 5th-century view that different societies have different customs. Each person in a society believes that their own society's customs are right (Rachels, 2009). Each society dictates what is right or wrong behavior based on standards developed over many years. These standards help to shape the society's beliefs, and therefore it is difficult to prove which society practices the most ethical decision making. There is no way of deciding that the values of one society are better than another's. One example that sheds light on this is a society where polygamy and tattoos are allowed. Neighboring that society is a different society where polygamy and tattoos are forbidden, and each act is judged as right or wrong based on religious precepts. Each society thinks that its values are acceptable, and the morality of an act depends on values that differ from society to society. In the realm of cybersecurity, cultural relativism is seen in the differing prosecution of illegal sales of intellectual property. Some countries, such as El Salvador, do not prosecute retail sellers of illegal movies or CDs, since they are poor people trying to sustain themselves. The distributors of these illegal copies in many other countries are subject to prosecution and punishment regardless of economic class. This theory holds that there are no universal moral standards that can be applied to every society, since each society judges in its own respective way.
Criticism
Most ethicists reject ethical relativism: some claim that while the moral practices of societies may differ, the fundamental moral principles underlying these practices do not. For instance, in some societies, killing one's parents after they reached a certain age was common practice, stemming from the belief that they were better off in the afterlife if they entered it still vigorous and able. While modern societies condemn this practice, we would agree with the underlying moral principle, the duty to care for parents. Therefore, while societies may not agree on their application of moral principles, they may agree on the principles themselves. It is also argued that some moral beliefs are culturally relative while others are not. Certain practices may depend on local customs, such as the definitions of decency and proper attire. Others may be governed by more universal standards, such as the prohibition of slavery and the defense of the innocent.
Ethics is an inquiry into right and wrong through a critical examination of the reasons underlying practices and beliefs. As a theory for justifying moral practices and beliefs, ethical relativism fails to recognize that some societies have better reasons for holding their views than others. But even if the theory is rejected, we must acknowledge that the concept raised important issues and encouraged us to take a look at other societies' beliefs and cultures.[3]
Subjectivism
Subjectivism is an extension of relativism, as applied to individuals rather than societies. The moral interpretation of a practice or event is based on the personal perspective of the individual analyzing it. In other words, the judgment of an event depends on the individual doing the judging.
Objectivism
Something is objective when it is independent of any individual's personal beliefs. It is, in other words, a fact of the universe, separate from human beliefs, such as the weight of an object. This forms the basis for moral realism: the idea that ethics and morals are not invented, but rather discovered over time. Ethicists typically try to maintain objectivity in their analysis, stressing that it does not matter who the person is or what they choose to do; rather, they try to determine what the person should do, or what their decision ought to be.
Ethics Within Business
The standard of what is right or wrong conduct for a business is called Business Ethics. Business Ethics are not always aligned with laws, and therefore "ethical" and "legal" behavior are not the same. Companies establish business ethics to maintain trust among employees, but also outwardly with partners and investors. Over the years, many business scandals have occurred due to a lack of ethics in decision making and business conduct. The Enron scandal stemmed from a series of actions that covered up losses and falsely labeled projects as profitable. Enron did this by investing in a project or building and immediately writing it off as a profit, while in reality the project did not make a single penny for the company. When the expected revenue from a project was much higher than the actual revenue, the company would transfer the project to an off-the-record corporation and the loss would never be reported. These actions taken by Enron, while not completely illegal, did falsify Enron's image of extreme success and led to its being named "America's Most Innovative Company."
Business Ethics have become more important to companies today, as they create a clear image of the company, build trust among employees, and protect the company from legal issues. As whistle-blowing has become more common, in part due to increased potential identity threats, companies have tightened their business policies and practices to prevent ethical missteps.
Corporate Policies
Business Ethics have prompted many companies to adopt corporate policies that address specific areas of company interactions. To make sure that employees understand what the rules are at a company and what procedures they are allowed to work on, they sign an ethics contract. However, to establish that business ethics are properly followed, more must be done than just having an employee sign a contract. Companies must maintain constant communication about their policy, which can be done through campaigns that engage every member of the company or during an employee's initial training. To ensure that these ethical policies are respected and followed, companies must continue to develop strong communication with their employees and partners and set up an open environment. In this environment, employees should be able to voice their opinions and concerns without judgment, and companies should be able to take action when necessary if any instances of breaking the ethical code arise.
IT Ethics
The simplest definition of ethics within the world of information technology is the set of ethical issues that arise from the usage and development of electronic technologies. IT Ethics has a goal, and that goal is to find moral solutions to the various problems that arise from online activity.
The 10 Commandments of Internet Ethics
All jokes aside, this list of rules makes sense and works as a rough guideline for ethical internet use:
- The Internet must not be used to harm others.
- The interference of other Internet user’s work is prohibited.
- Poking around in the personal files of another Internet user is bad.
- The use of the Internet for stealing is not allowed.
- The internet should not be used for deception or trickery.
- The copying or pirating of unpaid software is illegal.
- The use of other Internet sources without permission or compensation is wrong.
- Do not take credit for others' intellectual property.
- Understand the social consequences that can occur when coding or designing.
- Always use the Internet in considerate ways and show respect to your fellow human.
Computer Ethics
Ethical problems in IT existed long before mankind learned how to conduct machine learning and build neural networks. Asimov deduced three laws of robotics in his works, and the modern idea of interaction with AI remains at approximately the same level.
For those who do not remember Asimov's postulates, they are quoted here separately:
- A robot may not harm a person or, by its inaction, allow a person to be harmed.
- A robot must obey all orders given by a human, unless those orders are contrary to the first law.
- A robot must protect its own safety to the extent that this does not contradict the first or second law.
Many AI developers consider them to be the ideal principles by which robots should operate. Their main advantage is simplicity. After all, the more complex the algorithms of actions, the easier it is to break them.
Using these postulates as an example, one can try to uncover the complexities of ethics in robotics, thereby characterizing ethics in IT.
When true AI is created, another problem will arise that seems absurd today but is quite possible in the future. After all, if a robot thinks like a person, then there will certainly be a movement for the rights of robots.
Moreover, there are already precedents. In 2017, the sensational robot Sophia received honorary citizenship of Saudi Arabia. And although it is very far from true AI, there is now a legislative precedent, and it is quite possible to use it to give other androids rights comparable to human ones.
The more specialists work on robotics, the more questions arise, and they do not yet have a solution. For example:
- There are several companies in Japan and the US that create sex robots. And if AI robots get rights, can a robot refuse to have sex with a human? And will it be considered rape if you do not pay attention to the refusal?
- How will the creation and operation of autonomous military robots be regulated? And what danger will be borne by the changed laws of robotics, which in principle allow violence against humans?
- How will the buying and selling of self-aware robots be regulated? There are many opinions here that this can turn into a new wave of slavery and the liberation movement.
Currently, legislators consider the legal status of robots to be roughly similar to the legal status of animals. But even here there is not yet a consensus on who will be responsible if the robot harms other people: the owner or the manufacturer.
The point is that the topic of ethics in IT is very broad and requires deep study.
Cyberethics
Cybertechnology refers to any computing or communication technology. Cyberethics is arguably a more accurate term than computer ethics because it encompasses all such technologies rather than just computers. There is a debate on whether or not cybertechnology brings in new or unique ethical issues, which would call for a new perspective or special consideration. There are two main views on this issue: the traditionalist and the uniqueness proponent. Traditionalists argue that nothing in this field is new, in the sense that crime is still crime and fraud is still fraud, even in the cyber realm. The uniqueness proponents argue that there are new, unique ethical issues that did not exist before cybertechnology. A common confusion in this debate is mixing up unique features of cybertechnology with unique ethical issues. The term unique, per Merriam-Webster, is defined as the only one, or being without a like or equal [4]. The issues surrounding cybertechnology, such as privacy, property, and others, are not new concerns. However, cybertechnology does have unique features that complicate the solutions to these types of issues.
Ethics for IT Professionals
Like any other profession, there are standards of ethical guidance used to help people when facing uncertain circumstances. It is important for individuals to understand that what is legal may not always be ethical. Not behaving in an ethical manner can disturb the trust between employees, clients, staff, and the general public.
Ethical Code
An ethical code consists of principles and behavioral expectations established by organizations for their employees and third parties. The core values of a company are also implemented through it.
The code of ethics also outlines the core company values that workers are expected to uphold during business operations. A code of ethics is very similar to a code of conduct. However, a code of ethics focuses more on a company's morals and values at a high level, while a code of conduct focuses more on specific situations. Having an ethical code is important, as it serves as a permanent reminder of the principles every employee is expected to uphold every day.
IT Code of Ethics
There are many resources for IT professionals to refer to when searching for ethical guidance. A few examples of these resources include:
- "The Code of Ethics" in section seven of the IEEE policies.
- "The Code of Ethics and Standards of Conduct" from the Association of Information Technology Professionals (AITP).
- "IT Code of Ethics" from SANS.
One of the main sections highlighted in a code of ethics is the ethical behavior expected of each individual. Employees are often expected to uphold integrity, responsibility, and professionalism at work. This includes properly handling confidential information, maintaining a safe working environment, and avoiding unlawful conduct such as accepting bribes. A code of ethics also highlights ethical behavior towards others. Workers are often expected to treat others fairly without engaging in discriminatory or harmful behavior.
References
- ↑ Resnick, D. B. "What is Ethics in Research & Why is it Important?". National Institute of Environmental Health Sciences.
- ↑ a b Tavani, H. (2016). Ethics and technology: controversies, questions, and strategies for ethical computing. Place of publication not identified: Wiley.
- ↑ Velasquez, M., et al. (1992). "Ethical Relativism". Markkula Center for Applied Ethics. Retrieved April 25, 2016.
- ↑ Unique. (2018). In Merriam-Webster.com. Retrieved April 27, 2019.
Bibliography
- An Overview of Ethics. (n.d.).
- Resnick, D. B. (n.d). What is Ethics in Research & Why is it Important? Retrieved April 25, 2016, from http://www.niehs.nih.gov/research/resources/bioethics/whatis/
- Velasquez, M. (n.d.). Ethical Relativism. Retrieved April 25, 2016, from https://www.scu.edu/ethics/ethics-resources/ethical-decision-making/ethical-relativism/
- Graham, G. (2004). Eight theories of ethics. London: Routledge/Taylor and Francis Group.
- OBJECTIVITY, SUBJECTIVITY AND MORAL VIEWS. (n.d.). Retrieved April 19, 2016
- ETHICS FOR I.T. PROFESSIONALS WITH ASPECTS IN COMPUTING by Charlemagne G. Lavina, Melchor G. Erise, Corazon B. Rebong, Susan S. Caluya (MINDSHAPERS CO.,INC. 61 Muralla St., Intramuros, Manila, Philippines)
- Securities and Exchange Commission (SEC), 1933
- Computer Fraud and Abuse Act (CFAA), 1984 & 1994
- Computer Security Act, 1987
- Privacy Act, 1974
- Electronic Communications Privacy Act
- Communications Decency Act, 1995
- Health Insurance Portability & Accountability Act, (HIPAA) 1996
- Sarbanes-Oxley Act of 2002
- Homeland Security Act of 2002 with the Cyber Security Enhancement Act
- Moor, James H. "What Is Computer Ethics?"
- Barman, T., & White, S. (2014, June 13). Implementing an effective corporate ethics policy. Retrieved April 26, 2016, from http://www.cgma.org/magazine/features/pages/20149701.aspx?TestCookiesEnabled=redirect
- Reynolds, George Walter. Ethics in Information Technology. Boston, MA: Course Technology, 2003. Print.
- “Ethics for IT Professionals/What Is Ethics.” Wikibooks, Open Books for an Open World, https://en.wikibooks.org/wiki/Ethics_for_IT_Professionals/What_Is_Ethics.
- Foley & Lardner LLP. "The 10 Commandments of Internet Ethics." Internet, IT & e-Discovery Blog, Foley & Lardner LLP, 4 Aug. 2016, https://www.foley.com/en/insights/publications/2016/08/the-10-commandment-of-internet-ethics.
- Rachels, J. (2015, August 24). ethical relativism. Encyclopedia Britannica. https://www.britannica.com/topic/ethical-relativism
- Woo, M. (2017, March 27). Ethics and the IT professional. EDUCAUSE Review. Retrieved April 25, 2022, from https://er.educause.edu/articles/2017/3/ethics-and-the-it-professional
- IEEE code of Ethics. IEEE. (n.d.). Retrieved April 22, 2022, from https://www.ieee.org/about/corporate/governance/p7-8.html
Professional Code of Ethics
ICT Ethical Code
Most IT professionals, unlike doctors and other professionals, do not have a single general rule-making body; instead, they may have many professional organizations specialized for specific groups, for example:
- Association of Information Technology Professionals (AITP)
- CyberSecurity Institute (CSI)
- Independent Computer Consultants (ICCA)
- Information Systems Security Association (ISSA)
- Association for Computer Operations Management (AFCOM)
- Computing Technology Industry Association (CompTIA)
The existence of these bodies is made necessary by the general lack of respect for ethics in society, which requires not only the validation of this type of body but also its power to enforce sanctions when ethical violations become evident. This is something that could equally well be covered by the state and academia.
It can be argued that these ruling bodies should in fact be unnecessary, since ethical considerations do not depend on one's profession; even very specific considerations that seem restricted to one function will be shared by another profession. It could also be argued that this is a function of the state and the legal system, and that delegating these functions to non-governmental, even if public, organizations is detrimental to the public good and an overall obstacle to transparency of procedures. These bodies will also promote the exertion of corporate influence toward their specific groups' interests. One such interest is reducing competition by limiting, or increasing the difficulty of, access to functions, together with a general increase in prices, since they permit coordinated price fixing in a monopolistic way and promote the practice of obtaining special treatment and recognition for those who depend on their specific activities.
IT Specialist
What is an IT Professional?
IT Professional Defined
Information technology (IT) is defined as "the use of any computers, storage, networking, infrastructure and processes to create, process, store, secure and exchange all forms of electronic data." [1] Hence, an IT professional is a person who works in the information technology field. The term can refer to the engineering of software products, and to the implementation and maintenance of the user's network and server systems after they have gone into use. IT professionals can also include people who received an education in a computer-related institution and people who possess vast knowledge in information technology.
Qualities of an IT Professional
1. Diligence. Professionals in the IT field, such as developers, analysts, and system administrators, are expected to adhere to the ethical standards of their profession. Their work should be done with diligence and accuracy, free from assumptions and standardization.
2. Updated. They need to keep their knowledge and technical expertise in their field up to date with changing IT environments in order to satisfy users' needs.
3. Skills and expertise. IT professionals have the skills to perform appropriate tasks, but also the skills to damage weak software systems, for example a payroll system. Such systems are at high risk of financial harm, and the IT professional is in a position either to correct the vulnerabilities or to leave them exposed to cause harm.
Responsibilities of an IT Professional
The responsibilities of an IT professional include both job duties and moral and ethical obligations. Job duties vary from one professional to another, but typically they are centered around the management of computer-based information systems.
Differences from other Professionals
There exists a clear divide between professionals and pioneers of the IT industry and specialists from other fields. Information technology is a part of every aspect of human life. Hence, the development and improvement of this industry significantly affects the human race. These obligations put significant responsibility on IT professionals for their actions, which must be aimed at bettering human lives.
Moral Distinction
As part of being a professional, IT specialists must follow codes of ethical standards. These include those of the Association for Computing Machinery (ACM)[2], the IEEE Computer Society (IEEE-CS)[3], and others.
IT professionals have some universal moral obligations as part of their jobs. Commitments include integrity, competence, professionalism, and responsibilities to their work and to society. An established and regularly updated set of professional ethics helps all IT professionals by guiding them through the intricate interactions and relationships in their workplace. Since IT professions affect society broadly, it is crucial that all IT specialists hold to professional ethics.[4]
Legal Distinction
One distinction between doctors, lawyers, and IT professionals is that while the state must license doctors and lawyers, no such requirement exists for IT professionals.[5][6] Because no government authority licenses them, many courts have held that IT workers do not meet the legal definition of a professional and are therefore not liable for malpractice.[7] It can also be argued that not every IT occupation requires advanced knowledge, and thus not every IT worker can be considered an IT professional.[7]
However, there are numerous legal regulations that IT professionals have to abide by. Some of these laws in the United States include HIPAA, the Gramm-Leach-Bliley Act, FISMA, the Cybersecurity Information Sharing Act (CISA, not to be confused with ISACA's CISA certification), and the National Cybersecurity Protection Advancement Act.[8]
Roles of the IT Professional
Job Titles of an IT Professional
There is an array of jobs under the IT professional umbrella. A few, but not all, IT job titles include:[9]
- Support Specialists
- Support professionals are in charge of analyzing and resolving a company's computer network and hardware issues. They can work in various businesses, providing general support to employees, or in a technology or software as a service (SaaS) organization, providing technical support on user experience issues that require technical assistance.
- Computer Programmers
- A computer programmer writes code in programming languages such as JavaScript, together with markup and styling technologies such as HTML and CSS, to create new software. Software is also modified after release; computer game programmers, for example, address issues that surface after the game is published to the general audience and improve online gameplay.
- Technicians
- A technician works with support specialists to investigate and fix computer problems. They also monitor processing functions, install essential software, and test computer hardware and software as needed. Technicians may also teach a new software or functionality to a company's employees, clients, or other consumers.
- Systems Analysts
- A systems analyst examines design elements and applies information technology skills to solve business problems. They identify infrastructure changes that are required to streamline business and IT operations. They can also help technologists teach workers to put the improvements they propose into action.
- Network Engineers
- Network engineers are responsible for the day-to-day maintenance and development of a company's computer network, leveraging their expertise to ensure that it is accessible and valuable to all employees.
Where the IT Professional fits in the Organization
So, as simple as it sounds, an IT professional belongs in the IT department. Within the IT department there are the branches the organization needs, and there is no single right structure because people have different strengths. For example, if you need a programmer, you would not assign a support specialist to the programming team, because it would not be workable. People with diverse backgrounds who have pivoted within the company can move between branches if properly trained, but the placement is ultimately up to the department that is judged the best fit. The IT department inside a firm, responsible for designing, managing, and maintaining information technology systems and services, is called an IT organization (information technology organization). In a large corporation, the IT department may also be in charge of strategic planning to ensure that all IT projects are aligned with the corporation's objectives. Depending on the company's needs, IT organizational structures may be centralized or decentralized. In a major corporation the IT department is usually led by a Chief Information Officer (CIO); in smaller IT organizations an IT director or operations manager may be in charge.[10]
Contractor from an Outsourced service provider
Just as in other industries, IT has many types of outsourced services, from structured cabling systems to application development. Because of the IT industry's complicated architecture, it involves many kinds of IT professionals and components: networks, support desks, hardware, system services, security, infrastructure, internet connectivity, and so on. All of them must work together, just like an orchestra.[11] Enterprise owners are increasingly likely to hire contractors from service providers to save money. However, contractors are not employees of the enterprise, and because of differing company cultures and working habits, a number of ethical problems can arise:
SLA
Many service providers simply provide on-site professional services without a detailed service level agreement (SLA). For example, a typical on-site service charges the client per man-day. A project that should be finished in 100 man-days may be billed at 200 man-days or more. At the same time, the client may keep adjusting its project expectations in order to avoid paying the service fee; one example is when the service provider performed work that the vendor did not support. All of these conflicts are caused by the lack of a clear SLA, and both the client and the vendor (service provider) can lose a great deal of money as a result. Some clients want to terminate the SLA or the contract but have no proper means of doing so, so they give the contractors many difficult tasks, or refuse to let the contractor use the Internet connection that is essential to the job. Some clients even ask the contractor to log what they did every minute.
Service Termination
Service termination is sometimes simply the expected result of a project being finished. Other times it is caused by a client's financial problems. If the service provider has no other client for the contractor, the contractor may lose his job. Big IT service providers such as TATA, HP, or IBM have many projects, so this problem does not arise for them, but small businesses may close because of a service termination. From the client's side, there is no need to pay severance to the contractor; that is not ethically good, but it shifts the cost to the service provider.
Security
Every company has its own security policy, covering things such as access cards, server accounts, and database access. I remember, many years ago, going to a client's server room to install software. The client's boss asked a staff member to open the door and let me in, and then he left. I found that the server room door could not be opened from the inside. I refused to work and asked whether the client could provide me with a temporary visitor access card or have a staff member accompany me. It is very dangerous to be locked in a server room: once there is a fire, all the doors will be locked and the automatic fire extinguishing device will release a kind of toxic gas. Meanwhile, some contractors have changed jobs without returning their access card, or the client did not lock the contractor's account in a timely manner, which leads to information security problems.
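The last point, contractor accounts and badges that outlive the contract, is the one a client can check mechanically. The following script is an added example (not part of the Wikibook or of any service provider's tooling): it compares a vendor roster of contract end dates against a directory export and reports every account still enabled, every account actually used after its contract ended, and every badge not returned. The roster, the directory export, the field names and the one-day grace period are all constructed assumptions; in practice the roster would come from HR or the vendor and the export from the identity provider or Active Directory.

```python
"""Offboarding audit: flag contractor accounts and badges that should be gone.

Added example, not part of the Wikibook. The roster and directory export are
constructed sample data, and the field names and the one-day grace period are
assumptions.
"""
from datetime import date, timedelta

GRACE_DAYS = 1  # accounts must be disabled by the day after the contract ends

# Constructed sample: contract end dates from the vendor roster.
CONTRACTOR_ROSTER = {
    "c.lee":   {"vendor": "CablingCo", "contract_end": date(2024, 3, 31)},
    "a.singh": {"vendor": "AppDevLtd", "contract_end": date(2024, 6, 30)},
    "m.rossi": {"vendor": "AppDevLtd", "contract_end": date(2024, 9, 30)},
}

# Constructed sample: directory export, including an employee who is not a contractor.
DIRECTORY_EXPORT = [
    {"username": "c.lee",   "enabled": True,  "last_login": date(2024, 4, 12), "badge_returned": False},
    {"username": "a.singh", "enabled": False, "last_login": date(2024, 6, 28), "badge_returned": True},
    {"username": "m.rossi", "enabled": True,  "last_login": date(2024, 5, 2),  "badge_returned": False},
    {"username": "j.doe",   "enabled": True,  "last_login": date(2024, 5, 3),  "badge_returned": True},
]

SAMPLE_TODAY = date(2024, 7, 1)  # the audit date used for the sample run


def audit_contractor_accounts(roster, directory, today, grace_days=GRACE_DAYS):
    """Return one finding per policy violation: an enabled account or an
    unreturned badge belonging to a contractor whose contract has ended."""
    findings = []
    by_user = {entry["username"]: entry for entry in directory}
    for username, info in roster.items():
        entry = by_user.get(username)
        if entry is None:
            continue  # contractor never had an account, nothing to disable
        deadline = info["contract_end"] + timedelta(days=grace_days)
        if today <= deadline:
            continue  # still under contract or within the grace period
        if entry["enabled"]:
            findings.append({
                "username": username,
                "vendor": info["vendor"],
                "issue": "account_still_enabled",
                "days_overdue": (today - deadline).days,
                # worst case: the account was actually used after the contract ended
                "used_after_end": entry["last_login"] > info["contract_end"],
            })
        if not entry["badge_returned"]:
            findings.append({"username": username, "vendor": info["vendor"],
                             "issue": "badge_not_returned"})
    return findings


def run_sample_audit():
    """Run the audit on the constructed sample data as of SAMPLE_TODAY."""
    return audit_contractor_accounts(CONTRACTOR_ROSTER, DIRECTORY_EXPORT, SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

On the sample data the script reports two findings, both for c.lee: the account is still enabled 91 days past its deadline and was logged into after the contract ended, and the badge was never returned. a.singh is correctly silent (disabled, badge returned) and m.rossi is still under contract. The `used_after_end` flag is what separates a housekeeping ticket from an incident worth investigating.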
Internal cross-department
IT professionals also work with colleagues from other departments. Different business units have different KPIs, so the same project may carry different expectations. Here are some dilemmas from cross-department work:
- CASE 1. As a support engineer, my job is to install software for clients and provide a platinum service for clients for free. Another team from my company, the sales team, promised the client that the platinum service would be handed over to the client, so sales asked me to give the client the password for the platinum service. I denied the request. Very simply, I cannot violate the company's security policy.
- CASE 2. The software we installed has a bug that causes the server to reboot again and again. The sales consultant noticed on the internal website that the fix would be released next week. The sales manager asked me to apply the patch for the client. How can I apply a patch that has not been released? I also denied the request.
- CASE 3. A project manager manages the project and may be involved with different teams or business units. Another IT engineer had just finished the software installation. The PM asked me to take over his job as a priority. After talking to my department manager, I denied the PM's request. The PM is not my boss.
To sum up, an IT professional should never violate policy, and should let his direct boss coordinate with the other parties in the project.[2]
Changing jobs to a competitor
Because of financial problems, an employee may receive no salary increase and may change jobs for a better salary. Switching to a competitor's company is very common for IT professionals. A freshman just out of college without any experience may have been taught a great deal by his buddy, senior staff, or boss, and the company may have high expectations of him. Unfortunately, he then changes jobs, and the new employer is a competitor of the old one. Even though this is legal, that does not mean it is ethical. For example, if the employee has mastered the core technology, the old company may fail in the market.[12]
Xiaolang Zhang, who worked for Apple, was arrested by the FBI in July 2018 as he was about to board a flight to China, having accepted an offer from the Chinese electric car company Xiaopeng Motors (XMotors). He was charged with taking key hardware and software information about Apple's autonomous driving technology.[13]
To sum up, this kind of situation needs a solution from a legal perspective; ethically, it cannot be stopped.
Where do Ethics Come From?
Codes of Ethics
Ethics and law, although often related, are not the same. Some laws reflect ethics and morality, but some things are perfectly legal that are not necessarily ethical. So where do ethics come from?
In a general context, ethics come from society and what people have decided is right and wrong. Ethics may stem from religion or simply from strong values passed from parents to children. Often, especially in professional fields, codes of ethics are assembled to provide a guideline for how professionals should conduct themselves. There are many sources from which IT professionals can learn codes of ethics to apply in their careers.
Codes of Conduct
Often, businesses or employers will devise a code of conduct for their employees, so that they have documented guidelines regarding behavior in the work environment. These outline "what the organization aspires to become" and "rules and principles by which members of the organization are expected to abide." [14]
Certifications
Certifications are another way for IT professionals to learn about ethics, as many organizations that offer certifications include ethics as part of the covered material. Certification is defined as "the action or process of providing someone or something with an official document attesting to a status or level of achievement."[15]
Some common certifications are CompTIA's A+, Network+, and Security+, Cisco's CCNA, Red Hat's RHCE, and ISACA's CISA. Often these certifications require certificate holders to promise to uphold the standards given in the certification materials. For example:
All persons having obtained any CompTIA certification or certificate program ("Certified Person") and taking part in CompTIA's Continuing Education Program ("CCEP") must agree that they have read and will abide by the terms and conditions of this CompTIA Candidate Code of Ethics Policy ("Ethics Policy")
- A Certified Person shall offer and provide professional services with integrity.
- A Certified Person shall perform professional services in a manner that is fair and reasonable to clients, principals, partners and employers, and shall disclose conflict(s) of interest in providing such services.
- A Certified Person shall provide services to clients competently and maintain the necessary knowledge and skill to continue to do so in those areas in which they are certified.[16]
The above is an excerpt from CompTIA’s Candidate Code of Ethics, a code that it asserts all CompTIA certificate holders must abide by.
Organizations
There are organizations whose purpose is to establish ethical codes for professionals. Often these organizations are specific to particular fields or professions, and they typically release their codes of ethics alongside certifications. Members are admitted either by simply applying or by completing certifications and joining. By joining, members attest that they understand and promise to abide by these ethical rules while practicing their profession.
Some organizations for IT ethics include IEEE, ISACA, and ACM. These organizations have their own ethics codes for members. For example:
1.1 Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing.
1.2 Avoid harm.
1.3 Be honest and trustworthy.
1.4 Be fair and take action not to discriminate.
1.5 Respect the work required to produce new ideas, inventions, creative works, and computing artifacts.
1.6 Respect privacy.
This is an excerpt from the “General Ethical Principles” section of the ACM Code of Ethics and Professional Conduct.[17]
How Certifications Affect The Ethical Behavior of IT Professionals
Ethics is a very important concept for IT professionals as well as IT workers. There are many different ways to promote proper ethical behavior and discourage unethical behavior. One example is certification in IT.
What Is a Certification
Certification is defined as "the action or process of providing someone or something with an official document attesting to a status or level of achievement."[18] Examples of certifications include:
- CompTIA’s A+, Network+, Security+ [19]
- CISCO’s CCNA, CCNP, CCIE [20]
- Red Hat’s RHCE[21]
Certifications are also typically given out by non-governmental organizations (IEEE, ACM, CompTIA, CISCO, and Red Hat).[22]
Ethical Code Of Conduct Example
Below are examples from the IEEE code of ethics/conduct. Excerpts from their code of ethics state:
- To uphold the highest standards of integrity, responsible behavior, and ethical conduct in professional activities.
- Unethical practices such as bribery and illegality.
- To treat all persons fairly and with respect, to not engage in harassment or discrimination and to avoid injuring others.
- Unethical practices such as discrimination and defamation.
- To strive to ensure this code is upheld by colleagues and co-workers.
- Adhering to code of conduct and ethical standards.[3]
Standardization And Measurable Metrics
Certifications tend to have both definitive and non-definitive codes of conduct and ethics. As such, it makes sense to argue that people who hold these certifications should at the very least know more about ethical behavior than those who have not obtained any. If you were to take two IT workers whose only difference was the certifications they hold, you could assume that the worker with certifications from the likes of IEEE and ACM[23] has knowledge of and partakes in their ethical practices. For instance, after taking an IEEE-administered exam you must agree to the IEEE Code of Ethics.
Much of the ethics and code of conduct material feels fairly standard and self-explanatory. However, if it has to be stated, chances are it is not common knowledge, and having a standard, measurable metric of ethics should prove useful. Violation of these ethical principles results in actions including, but not limited to, rejection of certification, revocation of certification, losing the ability to apply for certification, and other legal actions and remedies. It is important to remember that IEEE is not the only association that promotes ethics through its certifications; Cisco[24] and Red Hat[25] are just two of the names that do so as well. The codes of ethics and conduct of modern certificate-granting organizations are written differently but cover the same content: fair competition, integrity, compliance, and conflicts of interest appear in all of them and are closely comparable. Many accredited technical certifications were also written with ethics in mind, to protect not only the business but also the workers inside and outside that workplace.
Compliance and its Importance
What is Compliance?
Compliance is defined by Gartner as "The process of adhering to policies and decisions." [26]
Compliance is a cornerstone of IT ethics, ensuring that the ethical standards that have been set are upheld. Without compliance, no policy, regulation, standard, or law matters.
Compliance and the Technology Industry
Compliance is a must for any information technology professional. Across the industry, compliance ensures that all parties are working towards a common goal with respect to the policies, laws, and regulations that are in place. Compliance is also the way that organizations and individuals can be measured against the established standards.
This aspect of compliance plays a significant role in promoting correct ethical behaviors for IT Professionals. When IT Professionals adhere to respect and confidentiality, maintain professional competence, respect property rights, and embrace integrity, honesty, and fairness, this goes a long way toward creating a conducive working environment. Additionally, compliance promotes desirable ethical behaviors by uniting all parties involved by subjecting them to similar guidelines.[27] Compliance promotes fair play and competition in the IT sector. Trust and integrity among the parties involved are established through compliance with a code of ethics. When ethical standards are adhered to, illegal conduct is minimized and positive behaviors are promoted. Additionally, providing development opportunities for ethical behaviors and implementing best practices helps minimize undesirable behaviors.[28]
Compliance and the Workplace/Individual
Compliance, or the lack of it, can have a significant impact on the workplace, the staff, and the company. Compliance ensures that everyone in the workplace is on the same page regarding responsibilities, restrictions, policies, and laws. It also protects the company and staff, both by reducing the risk of adverse situations and by helping to mitigate the fallout should an incident occur. Compliance entails good communication among the employees, the management, and the government. Workplace rules should be accurate and equitable, and should be communicated so that they help achieve the organization's objectives.[28]
Looking at the impact of compliance on the individuals and the workplace, studies have found that “the existence of ethics and a culture of compliance in IT is positively correlated with the overall effectiveness of IT governance.” [29] Compliance helps the workplace maintain a secure, professional environment for all employees.
Looking at the impact of compliance on the organization and the staff, compliance with policies, regulations, and laws can both protect the organization from legal, financial, and reputational damage, as well as limit any impacts of an incident. Policies, regulations, and laws are designed to protect the company and the public by limiting risk and mitigating damage. By complying, the organization is showing its commitment to protecting itself and everyone it comes into contact with.
Addressing the legal aspects to comply with the local, state, and federal business laws is key to effective, ethical behavior promotion. Adhering to insurance policies that improve safety and reduce insurance claims is another way of preventing undesirable ethical behaviors. Workplace rules and regulations governing all employees such as dress code, attendance, theft, fraud, behavior, sick and personal day policies, record keeping, when adequately implemented, work to discourage undesirable IT professional ethical behavior.
Failure to comply can lead to financial penalties, lost contracts, reputational harm, and in extreme cases, criminal charges. These negative outcomes can cost employees jobs, hurt organizational consumers, and even drive organizations out of business. There have even been cases of executives who have committed suicide to escape the ramifications of non-compliance.[30]
Ethical Dilemmas faced by IT Professionals
Many business entities encounter several ethical challenges. Controlled decisions protect users' rights and data from unauthorized access. Some of the major information technology ethical issues they may face include:
Personal Privacy
Personal privacy is a crucial aspect of information technology ethics. IT systems routinely have users' hardware and software retrieve data from servers connected to them over a network, and the transfer of large volumes of data across the Internet increases the probability of exposing that information to outsiders and thereby infringing the privacy of users and user groups. It is difficult for IT teams and firms to ensure data privacy and correctness, and they may accidentally expose information to unauthorized users.
Users' details can also be misused. As we use the Internet, for instance in online transactions, we provide private information such as credit card details; companies store this information so they can predict our interests, but in doing so they impede our privacy rights. Business firms use this valuable information to make money and advance their market niche.
Security
The second aspect of computer systems ethics is security, or access rights. It is a major priority for IT staff and cybersecurity in the changing world of information technology. Online transactions and e-business enrollment have raised the need for improved security measures by corporations and government agencies. Completely securing the Internet from unauthorized users is impossible, but the risk can be reduced with intrusion detection software that distinguishes authorized from unauthorized users attempting to access a system. IT security professionals must also be familiar with copyright law, and with the ethical duty to control and protect computer systems both before and after a breach.[31]
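To make the intrusion detection point concrete, here is an added example (not from the Wikibook or from any product it mentions) of the simplest kind of check such software performs: it reads authentication log lines, counts failed logins per source address within a sliding window, flags a source that exceeds a threshold as a brute-force attempt, and then raises a separate, more serious alert if that same source later authenticates successfully. The log lines are constructed in sshd style with ISO timestamps, and the five-failures-in-five-minutes threshold is an assumption a real deployment would tune.

```python
"""Minimal intrusion detection over authentication log lines.

Added example, not part of the Wikibook. The log is constructed sample data in
sshd style; the threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample log: one legitimate login, one brute-force run that ends in
# a successful root login, and a user who simply mistyped a password once.
SAMPLE_LOG = """\
2024-05-03T10:00:01 sshd[811]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
2024-05-03T10:01:10 sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
2024-05-03T10:01:12 sshd[813]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
2024-05-03T10:01:14 sshd[814]: Failed password for root from 203.0.113.9 port 40003 ssh2
2024-05-03T10:01:16 sshd[815]: Failed password for root from 203.0.113.9 port 40004 ssh2
2024-05-03T10:01:18 sshd[816]: Failed password for root from 203.0.113.9 port 40005 ssh2
2024-05-03T10:01:25 sshd[817]: Accepted password for root from 203.0.113.9 port 40006 ssh2
2024-05-03T10:30:00 sshd[820]: Failed password for bob from 10.0.0.7 port 51100 ssh2
2024-05-03T10:30:20 sshd[821]: Accepted password for bob from 10.0.0.7 port 51101 ssh2
"""

FAIL_THRESHOLD = 5             # this many failures from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window is treated as brute force


def parse(line):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts in log order: brute-force sources, and any successful
    login from a source that had already been flagged."""
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    flagged = set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # not an auth result line; ignore
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            # drop failures that have aged out of the sliding window, then add this one
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip,
                               "failures": len(failures[ip]), "at": ts})
        elif ip in flagged:
            # a success after a brute-force run is the alert that needs a human now
            alerts.append({"type": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the script raises two alerts, both for 203.0.113.9: a brute-force alert on its fifth failure at 10:01:18 and a success-after-brute-force alert when root logs in from it at 10:01:25. bob's single failure stays below the threshold and alice's login is never touched, which is the distinction between authorized and unauthorized access the paragraph describes. Keying the failure count on the source address rather than the username is deliberate: the run above cycles through usernames, so a per-user counter would never reach the threshold.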
Transparency & Honesty
Also termed liability, this is another ethical aspect: software engineers give their word and make declarations to users about the features and state of the software product they will provide, as express warranties. They should therefore be realistic when making promises about their ability to deliver that quality and about the capabilities of their software and hardware systems. Putting these promises and agreements in writing protects against liability issues, and a clearly stated limit on what service is guaranteed can relieve a provider of responsibility if it fails to achieve the predictions made when the agreement was formulated.
Artificial Intelligence (AI)
Use of AI: artificial intelligence has greatly improved business firms' ability to gain profits.
Facial recognition: using software to identify people is, in itself, less of an ethical concern. However, there are several issues with this feature, for example racial bias and invasion of personal space. Tracking people's activities invades their privacy, and the system can also be wrong, because it relies on algorithms to make decisions.
Job replacement: the goal of AI is to automate low-level tasks in the organization so that individuals can be used for more detailed and complex tasks. This will result in the large-scale elimination of jobs, so many individuals are concerned about their job security.
Bias in AI technology: the programs and algorithms used to develop AI carry the biases of their original developers, as all humans are prone to bias, and they reflect only the low-level knowledge of the developer's present environment.[32]
Conflicts with Company Policies
One example is the use of a patent to protect private information about a software product from outsiders. However, patenting requires disclosure of the software's features to the outside world, beyond what copyright covers, which makes it difficult for developers who do not want to expose their secret ideas to other programmers. Maintaining and protecting a firm's valuable and vital information, such as trade secrets, is also an important ethical issue in information technology: exposure of this confidential information to the firm's competitors can cause serious economic failures.
Harmful Actions
Harmful actions include damaging or inappropriate actions that lead to the loss of crucial data, resources, or user rights, or that destroy vital user systems. They also include sharing files containing viruses via web pages that are deemed secure. This area of ethics concerns controlling the use of information systems by unauthorized users, to prevent losses to stakeholders; it includes changing or damaging data and software programs critical to the firm's economic activities. Recovering from these harmful activities is time-consuming, and a great deal of effort is needed to clear viruses from the information system.
Copyright and Piracy
Piracy refers to illegally accessing, copying, and distributing software. Under the United States Copyright Act, illegal copying and reproduction of software can attract lawsuits with penalties of up to a hundred thousand dollars. Apart from the legal consequences, it is ethically wrong to reproduce another person's work, on basic principles such as fairness and justice. The programmers and staff involved in creating that software deserve fair compensation for their work; when it is reproduced and distributed illegally, they earn nothing for their efforts.[33]
Developer Liability
IT professionals need to be aware of the liability issues that can arise from making ethical decisions regarding the programs they publish. Developers make promises to the user regarding the nature of their program and what that program can deliver. Failing to deliver on these promises can not only harm their image and cause nuisance to the user but opens them up to legal retaliation. They need to be practical and honest about the assurances they make about their program and keep in mind the ethical considerations they need to make while delivering the product to their clients. A well-worded and accurate disclaimer can free a developer from being responsible for informal, speculative statements made by a user against their software.
Access Costs
With the increase in awareness about net neutrality, IT professionals have to keep in mind the access costs for every service they publish online. The vast majority of people favor maintaining net neutrality, ensuring that everyone gets fair access to every website and service. This raises the ethical question of whether internet usage and access to the data on the internet are now a universal right that needs to be protected. IT professionals will be the ones who pave the way in this discussion, setting a precedent for future generations and deciding the path that internet usage takes. The access cost of a website determines the traffic it gets and how widely it is used. This decision affects both the users, who may or may not be able to use the website, and the developers of the website, since it affects how widely their website or service is used.
References
- ↑ Rich Castagna (2021-08-05). "Definition of Information Technology (IT)". TechTarget. Retrieved 11 April 2022.
- ↑ a b Association for Computing Machinery (n.d.). ACM Code of Ethics and Professional Conduct. https://www.acm.org/code-of-ethics
- ↑ a b IEEE. (2020, June). IEEE Code of Ethics. Institute of Electrical and Electronics Engineers. https://www.ieee.org/about/corporate/governance/p7-8.html
- ↑ Melissa Woo (2017-03-27). "Ethics and the IT professional". EDUCAUSE Review. Retrieved 11 April 2022.
- ↑ Kocher, Bob (2014-02-18). "Doctors Without State Borders: Practicing Across State Lines". Health Affairs. Retrieved 26 April 2021.
- ↑ CareerOneStop (2018-11-09). "License Finder". CareerOneStop. Retrieved 26 April 2021, from https://www.careeronestop.org/toolkit/training/find-licenses.aspx
{{cite web}}
: Check|url=
value (help); Check date values in:|date=
(help) - ↑ a b Reynolds, George (2015). Ethics in Information Technology (Fifth ed.). Cengage Learning. p. 44. ISBN 978-1-285-19715-9.
- ↑ Drexel University. (2022-04-25). "Federal laws". Drexel University Information Technology. Retrieved 25 April 2022.
- ↑ Indeed Editorial Team (2021-11-02). "21 different types of IT jobs to explore". Career Guide. Indeed. Retrieved 25 April 2022.
- ↑ TechTarget Contributor (2013-12). "IT organization". SearchCIO. TechTarget. Retrieved 25 April 2022.
- ↑ American Speech-Language-Hearing Association. (n.d.). Issues in Ethics: Competition in Professional Practice. https://www.asha.org/practice/ethics/competition-in-professional-practice/
- ↑ Gardner, T. M., Stansbury, J., & Hart, D. (2010). The Ethics of Lateral Hiring. Business Ethics Quarterly, 20(3), 341–369. https://doi.org/10.5840/beq201020326
- ↑ An ex-Apple employee has been charged with stealing autonomous vehicle secrets. (2018, July 10). Business Insider. https://www.businessinsider.com/xiaolang-zhang-apple-autonomous-vehicle-secrets-2018-7?international=true&r=US&IR=T
- ↑ Reynolds, George (2019). Ethics in Information Technology (6th ed.). Cengage Learning. ISBN 9781337405874.
- ↑ Oxford Language (2018-06-22). "Certification". Definitions. Retrieved 11 April 2022.
- ↑ CompTIA (2022-04-25). "Candidate Code of Ethics". Continuing Education Policies. CompTIA. Retrieved 11 April 2022.
- ↑ Association for Computing Machinery (2018-06-22). "ACM Code of Ethics and Professional Conduct". ACM Code of Ethics and Professional Conduct. Association for Computing Machinery. Retrieved 11 April 2022.
- ↑ Certification. (n.d.). In Oxford Language. Google. Retrieved April 28, 2021, from https://www.google.com/search?q=define+certification&oq=define+certification&aqs=chrome..69i57.4936j0j1&sourceid=chrome&ie=UTF-8
- ↑ CompTIA (2022-04-25). "CompTIA Certifications". CompTia. Retrieved 25 April 2022.
- ↑ Cisco Systems (2022-04-25). "Cisco Certifications". Cisco Systems. Retrieved 25 April 2022.
- ↑ Red Hat (2022-04-25). "Training and Certification". Retrieved 11 April 2022.
- ↑ Reynolds, G. W. (2014). Ethics in Information Technology (5th ed.) [E-book].54-60. CengageLearning.https://repository.dinus.ac.id/docs/ajar/ethics_in_information_technology2c_5th_ed._0_.pdf
- ↑ ACM. (2018). ACM Code of ethics. Association for Computing Machinery. https://www.acm.org/code-of-ethics
- ↑ Code of Certifications Ethics. (2013). CISCO. https://www.cisco.com/c/dam/en_us/training-events/downloads/Cisco_Code_of_Certification_Ethics.pdf
- ↑ Red Hat. (2019, November 22). Red Hat Partner Code of Conduct. https://www.redhat.com/cms/managed-files/Red_Hat_Partner_Code_of_Conduct_(Final).pdf
- ↑ Gartner (2022-04-20). "Compliance". Gartner Glossary. Retrieved 11 April 2022.
- ↑ Stoodley, I., Bruce, C., & Edwards, S. (2013). Experiential ethics education for IT professionals. Professionalism in the Information and Communication Technology Industry. https://doi.org/10.22459/picti.10.2013.12
- ↑ a b Gotterbarn, D. (2017). Computer Ethics, 249-258. https://doi.org/10.4324/9781315259697-27
- ↑ Ali, Syaiful; Green, Peter; Parent, Michael (2009). "The role of a culture of compliance in information technology governance" (PDF). GRCIS’09: Governance, Risk and Compliance. 459.
- ↑ Whitman, Michael E (2019). Management of Information Systems, 6th ed. Boston: Cengage. ISBN 9781337405713.
{{cite book}}
: Unknown parameter|coauthors=
ignored (|author=
suggested) (help) - ↑ GeeksforGeeks (2020-01-27). "Ethical Issues in Information Technology (IT)". GeeksforGeeks. Retrieved 11 April 2022.
- ↑ CompTIA (2021-07). "5 Ethical Issues in Technology to Watch for in 2021". CompTIA. Retrieved 11 April 2022.
{{cite web}}
: Check date values in:|date=
(help) - ↑ Terry E. Shoup. "Software Pirating and Ethics". Frequently Asked Questions. Santa Clara University Markkula Center for Applied Ethics. Retrieved 25 April 2022.
IT Professionals and Their Relationship
Contractors from outsourcing service providers
In IT, just as in other industries, there are many kinds of outsourced services, from structured cabling systems to application development. Because of the IT industry's complicated architecture, there are many different IT specialists: networks, support desk, hardware, system services, security, infrastructure, Internet, and so on. They all need to work together like an orchestra. Enterprise owners are increasingly likely to hire contractors from service providers to save money. However, contractors are not employees of the enterprise, and because of differences in company culture and working habits, many ethical problems can arise:
SLA
Many service providers only provide on-site professional services, without a detailed SLA (service level agreement). For example, a typical on-site service charges the client per man-day. A project that should be finished in 100 man-days may be billed by the service provider at 200 man-days or even more. At the same time, the client may keep adjusting its project expectations so as to avoid paying the service fee. One of my company's service providers did a project on Oracle 11g, which is not supported by the vendor. All these contradictions are caused by the absence of a clear SLA; both the client and the vendor (or service provider) may lose a lot of profit. Some clients want to terminate the SLA or the contract but have no appropriate way to do so, so they give the contractors many difficult tasks, or refuse to let the contractor use the Internet connection, which is very important to their jobs. Some clients even ask the contractor to log what he did every minute, in a form like the following:
Time (morning) | Activity
9:00 to 9:15 | Job activity debrief
9:15 to 9:30 | Job activity debrief
9:30 to 9:45 | Job activity debrief
Just like a slave or a laborer.
Service Termination
One cause of service termination is that the project is finished, which is expected. Another is a client's financial problems. If the contractor's service provider has no other client, the contractor may lose his job. Big IT service providers such as TATA, HP or IBM have many projects, so this problem does not exist for them, but a small business may close because of a service termination. From the client's side there is no need to pay severance to the contractor; this is not good ethically, but the cost is transferred to the service provider.
Security
Every company has its own security policy, covering things such as access cards, server accounts and database access. I remember that many years ago I went to a client's server room to install software. The client's boss asked a staff member to open the door and let me in, and then he left. I found that the door of the server room could not be opened from the inside. I refused to work and asked whether the client could provide me with a temporary visitor access card or have a staff member accompany me. It is very dangerous to be locked in a server room: in a fire, all the doors are locked and the automatic fire extinguishing system releases a kind of toxic gas. Meanwhile, some contractors change jobs without returning their access cards, or the client does not lock the contractor's account in time, which leads to information security problems.
Internal cross-department
IT professionals also work with colleagues from other departments. Different business units have different KPIs, so the same project may face different expectations. Here are some cross-department cases.
CASE 1. As a support engineer, my job is to install software for clients and to provide platinum service to clients for free. Another team in my company, the sales team, promised the client that the platinum service would be handed over to the client, so the sales staff asked me to give the client the password for the platinum service. I refused the request. Very simply, I cannot violate the company's security policy.
CASE 2. The software we installed had a bug that caused the server to reboot again and again. The sales consultant noticed on the internal website that the fix would be released the following week. The sales manager asked me to apply the patch for the client. How can I apply a patch that has not been released? I also refused the request.
CASE 3. A project manager manages a project that may involve different teams or business units. Another IT engineer had just finished the software installation. The PM asked me to take over his job as first priority. After talking to my department manager, I refused the PM's request. The PM is not my boss.
To sum up, an IT professional should never violate policy, and should let his direct boss coordinate with the others on the project.
Changing jobs to a competitor
Because of financial problems, an employee may get no salary increase, and he may change jobs for a better salary. Switching to a competitor's company is very common for IT professionals. For a freshman just out of college without any experience, his buddy, the senior staff or his boss may teach him a lot, and the company may have high expectations of him. Unfortunately, if he then changes jobs and the new employer is a competitor of the old one, the move may be legal, but legal does not mean ethical. For example, if the employee has mastered the core technology, the old company may fail in the market.
Xiaolang Zhang, who worked for Apple, was arrested by the FBI in 2019 as he was about to board a flight to China, having received an offer from Xiao Peng Car; Xiaolang had the key hardware and software of the auto-piloting core technology.
To sum up, a solution to this kind of situation must come from the legal perspective; ethically, we cannot stop it.
References
American Speech-Language-Hearing Association. (n.d.). Issues in Ethics: Competition in Professional Practice. https://www.asha.org/practice/ethics/competition-in-professional-practice/
An ex-Apple employee has been charged with stealing autonomous vehicle secrets. (2018, July 10). Business Insider. https://www.businessinsider.com/xiaolang-zhang-apple-autonomous-vehicle-secrets-2018-7?international=true&r=US&IR=T
Gardner, T. M., Stansbury, J., & Hart, D. (2010). The Ethics of Lateral Hiring. Business Ethics Quarterly, 20(3), 341–369. https://doi.org/10.5840/beq201020326
The Code affirms an obligation of computing professionals to use their skills for the benefit of society. (n.d.). Association for Computing Machinery. https://www.acm.org/code-of-ethics
Types of Computer Attacks
Types of Computer attacks
Viruses are pieces of program code that cause a computer to behave in an undesirable way. A virus can be attached to a file or stored in the computer's memory. Viruses may be programmed to do different things when they are downloaded or triggered by a specific action; for example, a virus attached to a file will infect that computer and any file created or modified on that machine. A virus may also be programmed to display a message when the action that executes it is performed. Worms, like viruses, bury themselves in the memory of a machine, but they then duplicate themselves without any help from the user; a worm can send itself through email and other connections.
Phishing is when hackers try to obtain financial or other confidential information from Internet users, typically by sending an e-mail that looks as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake Web site that replicates the real one. These con artists urge the recipient of such emails to take action in order to gain a reward or avoid a consequence.
Hackers may use a backdoor in a vulnerable computer system, which allows them to remain undetected while they access important information. Key-logger programs allow attackers to view, undetected, the keystrokes typed on a particular machine. Botnets are collections of Internet-connected computers that may be spread around the world and are controlled from a single computer.
Malware
Malware is a term for malicious software that spreads between computers and interferes with computer operations. Malware may be destructive, for example deleting files or causing system 'crashes', but it may also be used to steal personal data.
Forms of malware
- Viruses: are among the best-known types of malware. They can cause minor computer malfunctions, but can also have more serious effects, damaging or deleting hardware, software or files. They are self-replicating programs which spread within and between computers.[1] They require a host (for example, a document, disk or spreadsheet) on a computer to act as a 'carrier', but they cannot infect a computer without human action to run or open the infected file.
- Worms: are also self-replicating programs, but they can spread independently, within and between computers, without requiring a host or any human action. The impact of worms can therefore be more severe than that of viruses, causing disruption across entire networks. Worms can also be used to drop trojans onto the network infrastructure.[2]
- Trojans: are a type of malware that appear to be legitimate programs but facilitate illicit access to a computer. They can perform functions such as stealing data without the user's knowledge, and may trick users by performing a normal task while actually carrying out hidden, unauthorized activities.
- Spyware: is software that violates users' privacy by gathering sensitive or personal data from infected systems and monitoring the websites visited. This data may then be transmitted to third parties. Spyware can sometimes be hidden inside adware (free and sometimes unwanted software that requires you to watch advertisements in order to use it). One example of spyware is key-logging software, which captures and forwards keystrokes made on a computer, enabling the collection of sensitive data such as passwords or bank account details. Another kind of spyware captures screenshots of the victim's computer. Spyware is considered one of the most dangerous types of malware because its purpose is purely to invade privacy.
Phishing
Phishing attacks arrive through various channels such as email, social software, websites, portable storage devices and cell phones. There are several different ways of trying to drive users to a fake website:
Types of Phishing attacks
- Spam e-mail: a spoofed email designed to look like a message from the customer's bank or another financial institution.
- Hostile profiling: a targeted version of the above method. The cyber criminal exploits websites that use e-mail addresses for user registration or password reminders and directs the phishing trick at specific users (asking them to confirm passwords, etc.). Another technique is to install a Trojan that edits the hosts file, so that when the victim tries to browse to their bank's website, they are redirected to the fake site.
- 'Spear phishing': an attack on a specific organization in which the phisher simply asks for one employee's details and uses them to gain wider access to the rest of the network.[3]
- Not all phishing attacks work in the traditional manner just described.
- The "rock-phish" gang has adapted its attack strategy to evade detection and maximize the availability of its phishing sites, separating out the elements of the attack and adding redundancy against take-down requests. The gang first purchases a number of domain names with short, generally meaningless names, for example lof80.info. The spam email then contains a long URL, for example http://www.bank.com.id123.lof80.info/vr, where the first part of the URL is intended to make the site appear genuine, and a mechanism such as wildcard DNS can be used to resolve every such variation to a specific IP address. The gang then maps each of the domain names to a dynamic pool of compromised machines through a gang-controlled name server. Each compromised machine runs a proxy that relays requests to a back-end server. This server is loaded with a large number (up to 20 at a time) of fake bank websites, all of which are reachable from any of the rock-phish machines; which bank site is reached depends solely on the URL path after the first '/'. (Because the group uses proxies, the real servers, which hold all the web pages and collate the stolen data, can be located anywhere.)
- Whaling (whale phishing) is a type of spear phishing in which the target is someone with a high profile within a company or organization. These individuals are usually the CEO, CFO, COO, etc., because they hold sensitive information which, once stolen, can be used for a malicious purpose such as ransom.[4]
Password Attacks
Password attacks are, as they sound, an external entity trying to gain access to a particular system by cracking or guessing a user's password. These attacks are very prominent today: weak and well-known terms can be guessed, and methods such as brute force can be carried out because raw processing power is readily available from powerful computers on the market. This type of attack works without any malicious software or code running on the user's system. The attacks run on the hacker's own computers, which use software and methodologies to crack the end user's password and thereby gain access to their accounts.
Types of Password Attacks
- Guessing
Even though there are numerous ways to crack passwords and get through the loopholes that may exist in a system, the easiest, most non-technical and still most effective way to get through an access control mechanism is to guess the most commonly used passwords. For many users, passwords are more of a pain to remember than a security concern. Hence, many users choose easy-to-remember passwords such as their birthdate, their wife's or husband's name, their pet's name, the same value as the username, or even the word 'password'. All such entries are easy prey for password guessing. Note that this technique only works when the hacker knows certain things about the target, or the target is very well known; this gives him or her the leverage to get into the target's account with a few commonly tried guesses. Note also that once the hacker gets through a single account, there is a high chance that the affected person has used the same login credentials for multiple accounts, to which the hacker then also gains access.
- Dictionary Attacks
Dictionary attacks are based on the assumption that most passwords are permutations and combinations of a given set of numbers (birthdates, etc.) and details such as addresses, first and last names, a pet's name, a child's name, etc. A dictionary attack works by choosing words from a given dictionary of characters and numbers and having a program combine them in various ways, each of which is then tried against the account.[5] The limitation is that a dictionary attack, unlike other password attacks, has only a fixed dictionary from which it can pick values and arrange or rearrange them to crack the password. The good news is that if even one character of the password lies outside the dictionary, the attack is bound to fail. But because the dictionary is limited, the attack runs quickly.
- Brute Force Attacks
Brute-force attacks are the least preferred type of password attack for a simple reason: they are very inefficient. A brute-force attack checks all permutations and combinations from the very beginning, so these attacks require a lot of time as well as a lot of processing power. Moreover, most current mechanisms are smart enough to alert the user that a brute-force attack is in progress, since the attack has to try all the wrong choices before reaching the right value. These attacks are still practical when the password is at most 4 characters long, but things get out of hand as the maximum password length increases. To put things into perspective, for a seven-letter password using alphabetic characters only, all capitals or all lower-case, it would take 26^7 (8,031,810,176) guesses.[6] There are also assumptions about whether the length of the password is known. Other constraints that alter the result and increase the complexity are whether numerical values are allowed, whether both lower and upper case are used, whether special characters are allowed, etc. On the brighter side, the way a brute-force attack works, it is assured of finding the password at the end of the attack, though the time it will take is very vague indeed.
- Eavesdropping Attacks
Eavesdropping attacks are when an attacker intercepts a victim's network traffic as their sensitive data travels from the victim's device to its intended destination. This is usually done with software that monitors the victim's network traffic while they are connected to a weakly encrypted or unencrypted network such as a public Wi-Fi hotspot.[7]
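The arithmetic behind the guessing, dictionary and brute-force passages above, as an added Python example that is not part of the original chapter or its cited sources: it computes keyspaces such as the 26^7 figure, estimates worst-case cracking time, and flags passwords that the cheap attacks would catch. The wordlist, the sample account names and the 12-character minimum are constructed assumptions.

```python
"""Password-guessing arithmetic and a weak-password check.

Added example for the guessing, dictionary and brute-force passages of this
chapter; not code from the chapter or its sources. The wordlist, account
names and minimum length are constructed assumptions."""

# Character-set sizes used in the brute-force arithmetic.
ALPHA_ONE_CASE = 26        # a-z (or A-Z) only, as in the 26^7 figure above
ALPHA_MIXED = 52
ALPHANUMERIC_MIXED = 62
PRINTABLE_ASCII = 95       # letters, digits, punctuation and space


def keyspace(length: int, charset_size: int) -> int:
    """Candidates an attacker must try when the exact length is known."""
    return charset_size ** length


def keyspace_up_to(max_length: int, charset_size: int) -> int:
    """Candidates when only the maximum length is known (all lengths 1..max)."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute-force run at a given guessing rate."""
    return candidates / guesses_per_second / (365 * 24 * 3600)


# Constructed wordlist standing in for the kind of dictionary an attacker
# would use; real lists run to millions of entries.
COMMON_WORDS = frozenset({
    "password", "letmein", "qwerty", "welcome", "123456", "fluffy", "admin",
})


def weak_password_reasons(password: str, username: str,
                          wordlist=COMMON_WORDS, min_len: int = 12) -> list:
    """Return the reasons a password is easy prey for the attacks above.

    An empty list means none of the cheap attacks (guessing, wordlist,
    short-keyspace brute force) apply."""
    reasons = []
    lowered = password.lower()
    if len(password) < min_len:
        reasons.append("shorter than %d characters" % min_len)
    if lowered == username.lower():
        reasons.append("same as the username")
    if lowered in wordlist:
        reasons.append("appears in the common-password wordlist")
    else:
        # Dictionary tools also try each word with a trailing digit or
        # symbol suffix, so strip such a suffix and look again.
        base = lowered.rstrip("0123456789!@#$%")
        if base != lowered and base in wordlist:
            reasons.append("wordlist entry with a trivial suffix")
    return reasons


if __name__ == "__main__":
    print("seven lower-case letters:", keyspace(7, ALPHA_ONE_CASE))
    print("up to 4 lower-case letters:", keyspace_up_to(4, ALPHA_ONE_CASE))
    print("12 printable ASCII chars at 1e10 guesses/s: %.1e years"
          % years_to_exhaust(keyspace(12, PRINTABLE_ASCII), 1e10))
    for pw, user in [("Password1!", "alice"), ("alice", "alice"),
                     ("correct horse battery staple", "alice")]:
        print(repr(pw), "->", weak_password_reasons(pw, user) or "no cheap attack")
```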
Web Attacks
Better known as web application attacks: an attacker exploits vulnerabilities in a website's code to steal personal or sensitive information from the website's own databases through various methods.[8]
Types of Web Attacks
- SQL Injection
SQL (Structured Query Language) is used in programming to let the user create, manipulate, and delete databases. Attackers usually try to take advantage of a website that has a data input field, a web form, or even a search bar. Normal users would generally enter data such as their name, phone number, or identification number, whereas an attacker uses the same input field to try to gain access to the website's database by entering SQL commands or queries. If the input field is not checked properly, the attacker can execute SQL commands that retrieve, change, or delete any information within the compromised database.[9]
- Cross-Site Scripting (XSS)
Cross-site scripting is another web attack in which an attacker exploits vulnerabilities of the website or web application. While SQL injection targets the website's database, an XSS attack directly targets the users who visit the website. Attackers achieve this by embedding malicious code or scripts in a place on the website where a user is most likely to interact with it; the most common choice is an input field. Once compromised, the attacker has control over the victim's browser: they can view the browsing history, steal cookies, implant trojans, remotely control the victim's computer, etc.[10]
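What "the input field is not checked properly" means in practice for SQL injection, as an added Python example that is not code from the chapter or its sources: a login query assembled by string concatenation is placed beside the parameterized form, and both are run against an in-memory SQLite table. The table, its rows, the function names and the crafted username are all constructed for the demonstration.

```python
"""SQL injection: a login query built by string concatenation beside its
parameterized form. Added example for this chapter; the users table, its
rows and the function names are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed rows; a real system stores salted password hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-secret"), ("bob", "hash-of-bob-secret")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> list:
    """Pastes the form fields straight into the SQL text.

    A quote character in either field ends the string literal early and the
    rest of the field is parsed as SQL, so whoever fills in the form can
    rewrite the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password_hash: str) -> list:
    """Sends the SQL and the values separately.

    The driver binds each value as data, never as SQL text, so quotes and
    comment markers in the input are compared literally against the column."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(query, (username, password_hash))]


def demo() -> dict:
    """Run both versions against a normal login and a crafted username."""
    conn = make_db()
    # The quote closes the literal and "--" comments out the password check.
    crafted_user = "alice' --"
    return {
        "normal_vulnerable": login_vulnerable(conn, "alice", "hash-of-alice-secret"),
        "normal_parameterized": login_parameterized(conn, "alice", "hash-of-alice-secret"),
        "crafted_vulnerable": login_vulnerable(conn, crafted_user, "wrong"),
        "crafted_parameterized": login_parameterized(conn, crafted_user, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Both functions behave identically for a normal login; only the concatenated version lets the crafted field pass the password check.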
Denial-of-Service (DoS) Attacks
A Denial-of-Service (DoS) attack prevents authorized users from accessing a system, mostly by flooding it with huge amounts of meaningless data or requests, which blocks the system. The attack overloads the system with an overwhelming quantity of data packets that the server does not anticipate, resulting in a slowdown or a complete block.[11] This may show up as a slow Internet connection, which hampers authorized users' access to critical data such as email or files over FTP, and may cause huge losses in both time and money. Such attacks are rarely used to break into systems, but there have been cases where DoS attacks were deployed to lock down a network and gain access to vulnerable firewalls. These attacks are not easy to identify, since they can easily be confused with a slow Internet connection, and they may persist in an environment for months.
Along with regular DoS attacks, there is a variant called a Distributed Denial-of-Service (DDoS) attack. It is very similar to a regular DoS attack in that it also slows the target down by throwing an overwhelming amount of data packets at it. The basic distinction is that a DDoS attack is much more effective and dangerous because it operates from an entire compromised network rather than from a single compromised machine. A DDoS attack is therefore very difficult for any system to withstand, since data is coming in from multiple sources at the same time.
Drive-by Downloads
The term drive-by download describes how malware can infect a whole system when a user simply visits a website that runs malicious code. The infection proceeds in several stages. The first stage is the entry point, as just described. The second stage is distribution, in which trusted sites are compromised so that they redirect to sites controlled by the hackers. The third stage is the exploit stage, in which the browser is subjected to an exploit kit that tells the hackers which security vulnerability can be attacked. The next stage is the infection stage, in which the hacker, now aware of the vulnerable point, downloads the payload, which installs itself on the computer. The final stage is the execution of the downloaded program, which is designed to make money for its masters.
Safeguards
We can defend ourselves against such exploitation and infection by doing three things. First, set up user accounts with limited access that cannot modify applications or the operating system. Installing, deleting or updating software requires a separate administrator account, and that account must not be used for web browsing or reading email. Second, operating system updates should be installed automatically, and the firewall should always be turned on. Lastly, a robust anti-virus product should be installed, kept up to date, and used for regular scans.
Types of Cyber Criminals
Script kiddies
These hackers can be anyone driven by an immature urge to become a wannabe hacker. They have little technical knowledge and simply run pre-compiled scripts to cause disturbances in software. They lack the expertise even to understand what the software was meant to do, which limits them to hacking systems that are very weakly secured.
Scammers
These are the scamming emails we come across daily. Whenever we log in to our email inbox, we probably receive more emails from scammers offering discounted trips, medicines, timeshares or personal ads.
Spammers
They are not direct criminals, but they commit the crime of wasting one's time. Spammers flood email inboxes with ads and every kind of gibberish. They are not dangerous in any particular way, but they are always annoying and time-consuming. Spammers are also responsible for a real financial cost, by creating the need to install expensive and unstable anti-spam technologies.
Hacker activist groups
They are often called 'hacktivists'. They can be considered petty criminals who are always trying to prove their destructive behavior by stealing confidential information and releasing it publicly. They generally work anonymously and are responsible for creating tools that make hacking easier.
Phishers
The most prominent example is when we receive a notification that our account is expiring and we have to update our information. This is not really the case; it is the phisher's attempt to extract personal information or an identity. A survey on this found around 20,000 to 30,000 phishing websites every month.
Political/Religious/Commercial groups
These groups do not aim at financial gain; they generally develop malware for political ends. One of the best-known examples of such malware is Stuxnet. This malware was found in Iran's nuclear program and is believed to have originated from a foreign government. These groups cannot be regarded as harmless, since they can cause losses at the political, religious or commercial level.
Professional Cybercriminals
These are the most dangerous, as they have proper technical expertise and know what they want to harm and how to harm it. They are groups that can consist of technologists who have turned into cybercriminals. They do the most damage to governments, financial institutions and e-commerce businesses, and may be responsible for more crimes than the rest combined.
Reason for Attacks
Networks, computers, operating systems, applications and other technology are complex, interconnected and driven by many lines of code; the more equipment is attached, the more back-doors there are. The inability to keep up with changes in technology leaves IT professionals little room to find solutions to problems quickly. Reliance on products with known vulnerabilities allows entry into networks and personal computers before programmers are able to create a patch.
Impact on Business
The downtime required to repair networks that have been attacked may harm the business's productivity, revenue and financial performance, and damage the company's reputation. The impact on a business may range from low to extreme. Downtime with a minor impact may mean that only a minimal number of systems are affected, while at the other extreme the company's future is at stake and the cost of recovery is beside the point. The costs of downtime include:
- Direct Losses
- Loss of future earnings
- Billing losses of revenue
- Cash flow
- Stock price
- Overtime costs
- Loss of reputation
Prevention and Detection
Prevention
A firewall guards the company's network from outside intrusion and prevents employees from accessing prohibited sites. Intrusion prevention systems block viruses and other threats from getting into the network. Antivirus software prevents viruses from infecting a computer by scanning for virus signatures; to be effective it must be up to date and uniformly deployed across the enterprise.
Detection
An intrusion detection system is software or hardware that monitors system resources and identifies possible intrusions into the system, whether from within or outside the organization. There are three types of intrusion detection systems:
- NIDS (Network intrusion detection system) identifies intrusions through network traffic and monitors multiple hosts.
- HIDS (Host based intrusion detection system) identifies intrusions by reviewing host activities.
- SIDS (Stack-based intrusion detection system) examines packets as they pass through the TCP/IP stack.
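The kind of host-activity review a HIDS performs, as an added Python example that is not code from the chapter or its sources: it parses authentication log lines and raises an alert when one source address crosses a failure threshold inside a sliding window, and a second alert if that source then logs in successfully (the password-guessing attacks described earlier). The log lines are constructed in the style of an SSH daemon's syslog output, and the threshold and window are assumptions.

```python
"""Host-based detection of password guessing in authentication logs.

Added example for the detection passage of this chapter (a HIDS reviews
host activity); not code from the chapter or its sources. The log lines are
constructed in the style of an SSH daemon's syslog output, and the threshold
and window are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers root and then gets in; another
# source has a single typo-style failure well outside the window.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03 sshd[812]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:04 sshd[812]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T10:00:05 sshd[812]: Accepted password for alice from 198.51.100.5 port 40210 ssh2
2024-03-01T10:00:06 sshd[812]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T10:00:07 sshd[812]: Failed password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T10:00:08 sshd[812]: Failed password for root from 203.0.113.7 port 51127 ssh2
2024-03-01T10:00:09 sshd[812]: Accepted password for root from 203.0.113.7 port 51128 ssh2
2024-03-01T10:15:00 sshd[812]: Failed password for bob from 198.51.100.5 port 40211 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line: str):
    """Pull timestamp, outcome, user and source out of one sshd line."""
    m = LINE_RE.match(line)
    if m is None:
        return None          # unrelated daemon or malformed line
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def detect_password_guessing(lines, threshold: int = 5,
                             window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window count of failures per source address.

    Raises one 'bruteforce' alert when a source reaches `threshold` failures
    inside `window`, and a 'success_after_failures' alert when a source that
    has already been flagged gets an accepted login."""
    failures = defaultdict(list)     # src -> timestamps of recent failures
    alerted = set()                  # sources already flagged, to avoid repeats
    alerts = []
    for event in filter(None, map(parse_line, lines)):
        src, ts = event["src"], event["ts"]
        recent = failures[src]
        if event["result"] == "Failed":
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.pop(0)        # expire failures older than the window
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"kind": "bruteforce", "src": src, "at": ts,
                               "failures": len(recent)})
        elif src in alerted:
            alerts.append({"kind": "success_after_failures", "src": src,
                           "user": event["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
```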
Security Audit
A company's network is a means of communication and sharing of information. However, it comes under attack every day by professional or novice hackers who intend to use company information or databases for their own gain, and it is compromised not only by external individuals but sometimes by the company's own personnel. When performing an audit, you use any security policy your organization has as the basis for the work you are undertaking. You need to treat the policy initially as a threat. A security audit is policy-based monitoring of the existing procedures and practices at a site and an assessment of the risk associated with those actions. A number of steps need to be performed to complete a security audit, for example:
- Preparation
- Review policy and documents
- Discussion (interviews)
- Technical Investigation
- Report Presentation
- Post Audit actions
Auditing is one of the many steps a company needs to take to address the security of its network.
Types of Audits
Self Audit (Informal Audit): Every company has a few servers providing services to the company. To monitor these processes, every company develops some type of self-audit process to follow on a regular basis. Some companies have software that monitors all the processes and records complete logs to be evaluated later by professionals. Based on these audit results, if a bad or incorrect event is detected, you can even have the event undone and the initiator's account locked out. The collectors send all the daily logs to a consolidator once a day, where you can create numerous reports and graphs about your security events; you can also use this for trend analysis.
Information technology audits (Formal IT Audit; formal auditing is mostly done by firms like KPMG, Deloitte and other auditing firms): The purpose of an internal audit is to provide operations management with an independent review of the adequacy and effectiveness of the operation's internal controls.[12] An IT audit is basically an external audit in which external auditors are hired to perform all the required auditing operations. These auditors contact the internal auditing department and make their auditing requirements known to the company. At the conclusion of the audit, an oral report is usually given to management, accompanied by a written report. At this time the company must plan what actions to take in response to the report, or decide whether it wishes to assume the risks involved. Once the audit is done and the report is presented, all the concerned individuals should meet to discuss what issues arise from it and what steps need to be taken to address them.[13]
References
- [1] Anonymous, "Malware", Brown University, page 2, accessed 4/25/2016 at http://cs.brown.edu/cgc/net.secbook/se01/handouts/Ch04-Malware.pdf
- [2] TLP White, "An introduction to Malware", page 4, accessed 4/26/2016 at https://www.cert.gov.uk/wp-content/uploads/2014/08/An-introduction-to-malware.pdf
- [3] Gunter Ollmann, "The Phishing Guide", IBM Internet Security Systems, page 20, accessed 4/26/2016 at http://www-935.ibm.com/services/us/iss/pdf/phishing-guide-wp.pdf
- [4] "What Is Whaling? - Definition from Techopedia." (2019). Techopedia.com. Retrieved April 29, 2019.
- [5] Sam Martin and Mark Tokutomi, "Password Cracking", University of Arizona, page 5, accessed 4/26/2016 at http://www.cs.arizona.edu/~collberg/Teaching/466-566/2012/Resources/presentations/2012/topic7-final/report.pdf
- [6] Mitchell, Will, "Password Cracking", University of Denver, Computer Science BootCamp, accessed 4/25/2016 at http://web.cs.du.edu/~mitchell/forensics/information/pass_crack.html
- [7] Frankenfield, Jake. (2019). "Eavesdropping Attack." Investopedia.com. Retrieved April 29, 2019.
- [8] "Web Application Attack: What Is It and How to Defend against It?" (2019). Acunetix.com. Retrieved April 29, 2019.
- [9] "Sql Injection: Vulnerabilities & How To Prevent Sql Injection Attacks." (2019). Veracode.com. Retrieved April 29, 2019.
- [10] "Cross-Site Scripting (XSS) Tutorial: Learn About XSS Vulnerabilities, Injections and How to Prevent Attacks." (2019). Veracode.com. Retrieved April 29, 2019.
- [11] Qijun Gu and Peng Liu, "Denial of Service Attacks", Texas State University & Pennsylvania State University, page 4, accessed 4/26/2016 at https://s2.ist.psu.edu/paper/ddos-chap-gu-june-07.pdf
- [12] Page, Pam, "Security Auditing: A Continuous Process", SANS Institute InfoSec Reading Room, 24 May 2003, accessed 7/30/2013 at http://www.sans.org/reading_room/whitepapers/auditing/security-auditing-continuous-process_1150
- [13] Kapp, Justin, "How to conduct a security audit", PC Network Advisor, Issue 120 (July 2000), page 3, accessed 7/30/2013 at http://png.techsupportalert.com/pdf/t04123.pdf
Who commits cyber crimes?
Cyber Criminals
There are criminals who commit cyber crimes for different reasons. Some of them steal from companies and private citizens for financial gain, while others steal secrets from not only companies, but governments and private citizens. Some of the perpetrators aim to disrupt the infrastructure of the government or company. Hackers test the limits of information systems for the challenge of doing so. Some believe that hackers perform a service by exposing security risks. "Crackers" break into networks and systems to deface websites, crash computers or networks, or spread harmful programs and/or hateful messages.
Malicious insiders are employees or officers of a business, institution, or agency that carry out activities intended to cause harm to the organization. Malicious insiders are not always employees. They can be consultants and contractors that have special access to sensitive information. It is difficult to detect and/or stop malicious insiders. They are authorized to access the systems they abuse. Most systems are vulnerable to these malicious actors because they were designed to keep intruders out. Insiders know how the systems work and how to circumvent them. The organization may be able to take steps to reduce these attacks. Industrial spies steal trade secrets to gain competitive advantage. Hacktivists and cyber-terrorists attack systems in order to promote their ideologies and intimidate governments in order to achieve their goals.
Internet Stalkers
Whereas stalking was once an act requiring the physical tracking of an individual's movements, it has since transcended the boundaries of reality and entered the virtual worlds we tend to think of as private. Internet stalkers are similar to real-world stalkers; in simplest terms, their behavior can be considered harassment. An online stalker's behavior can take many forms, depending on their motive for stalking their chosen victim. These behaviors can include impersonating another individual to gain information or build a relationship with the victim, and bullying by posting content that the victim might consider embarrassing or private in order to express power. Internet stalkers tend to blackmail their victims by threatening to release personal or intimate content or information. This is especially true if the cyber stalker's motive for targeting the victim is financial gain or simply generalized anger towards the victim. Behaviors can also include harassment on social media platforms and continuous messaging from anonymous accounts. Although internet stalkers target individual victims, companies and large organizations can also be put at risk as a by-product of a stalker's attempts to gain information about the victim. Statistics show that a majority of cyberstalking victims actually know their stalkers and report being stalked for over a year.[1] What is most frightening, however, is that only 12% of cyberstalking incidents are reported to law enforcement, making it harder to accurately deduce the true extent of the issue.
Social Engineers
One of the most effective methods cybercriminals use is social engineering, which uses psychological manipulation to trick individuals into revealing private information. Cybercriminals use social engineering methods because they are frequently simpler and more effective than conventional hacking techniques. Instead of attempting to find weaknesses in a computer system or organization, social engineering attacks focus on the human shortcomings of the people involved. Social engineering methods can sidestep even the strongest security measures, such as firewalls or antivirus software, by fooling users into voluntarily handing over their sensitive information. Moreover, social engineering attacks can be launched on an enormous scale, making it feasible for cybercriminals to target a considerable number of people at once.
Hacktivists
Hacktivism consists of a group using their computer hacking skills to make a political statement towards the government, power institutions, and other targets as a form of political activism.[2] It is mainly done anonymously to ensure the safety of the activists and make it harder for the government and institutions to retaliate against the hacktivists.[2] Hacktivists are extremists who have a strong sense of justice. They cross the line between peaceful protest and simply being seen. Hacktivism is a theatrical statement, which makes the groups go to extreme lengths. Hacktivists use many methods: data theft, distributed denial of service (DDoS) attacks, spreading awareness via social media, doxing, website defacement, and more. Data theft and DDoS attacks are used as leverage to get the victim's attention so that they comply or do as the hacktivists demand. Spreading awareness via social media can help people learn the truth about the government or institution, or dox the victims to expose them in the hope of change.[3] Lastly, website defacement carries a message about the importance of the hacktivists' political activism by posting it on the front of the site.
The Cult of the Dead Cow (cDc), started in 1984, is known as one of the oldest computer hacking organizations. They rose to fame for their hacktivist campaigns and for starting Hohocon, one of the first hacker conventions. The cDc was involved in various causes, such as targeting the Church of Scientology in the mid-1990s. Their goal was to promote human rights along with freedom of information, to ensure that not only Chinese citizens but anyone who had been silenced or denied information by censorship could access it.[3]
Anonymous started in 2003 on the online message board 4chan, doing their best to keep the internet transparent.[3] They are well known for concealing their faces with Guy Fawkes masks and using voice changers or text-to-speech programs. Anonymous has attacked multiple countries, most notably the United States, United Kingdom, Australia, India, and many others. They seemed to have withdrawn from the public eye in 2018; however, they came back in 2020 to support the Black Lives Matter movement.
DkD[|| also started in 2003, like Anonymous; however, they are a French hacktivist known for website defacing. They are notorious for defacing the U.S. Navy site because they promote political views and specifically spread messages against U.S. military policies.[3] Allegedly DkD[|| was a 17-year-old teenage boy, causing many to believe he was trying to show off his skills rather than express political viewpoints.[3]
Identity Thieves
Identity theft is one of the oldest cyber crimes in history.[4] Identity theft is when someone uses your personal or financial information without your permission.[4] Identity thieves are groups or individuals who try to gain access to other people's personal information, such as names, addresses, phone numbers, emails, bank accounts, social security numbers, credit card information, and even bank information. Once identity thieves get hold of a victim's personal information, they can access anything tied to that information. They can open new accounts under the victim's name, commit fraudulent transactions, or cause damage to the victim's bank account. With the latest technology and techniques today, many identity thieves can hack into corporations' databases and steal a high volume of personal information and identities.
Deepfake technology is a new technology that uses artificial intelligence (AI) to create realistic pictures or videos of anything or anyone. Deepfakes have been well known in the film industry for bringing dead actors back to life, making actors look younger, or impersonating someone's face for entertainment purposes. Deepfakes are now being used to commit cybercrime, including identity theft.
With the improved technology, committing identity theft is easier for criminals now. Apps and software have been created so that anyone can easily make deepfakes. Criminals can impersonate another person's voice and face and use it in videos, pictures, or even voice messages.
Types of frauds:
- Ghost fraud: Criminals can use deepfake technology to steal the data of a deceased person and impersonate that person for financial gain. They can access credit cards and loan accounts with the stolen identity.
- New account fraud: Also known as application fraud, this is when criminals use stolen identities to open new bank accounts. Severe financial damage can result because criminals will max out the credit cards and take out loans under the victim's name without paying them back.
- Synthetic identity fraud: Criminals mine information from multiple people and combine it to make a fake person who doesn't exist. They then create new credit card accounts and max out the accounts.
- Hiring fraud: Also known as recruitment fraud, this is when criminals offer a person a fake job through unsolicited emails, text messages, and recruitment website links. They try to gain your personal information through these applications and may set you up for illegal jobs.
Signs of identity thieves:
- Suspicious transactions in bank statements
- Mail stops coming to your house
- Debt collection calls for accounts you didn’t open
How to prevent:
- Don't answer phone calls, text messages, or emails from people or numbers you don't recognize.
- Do not share personal information like your Social Security number, bank account, or date of birth.
- Review bank statements often and watch for suspicious transactions.
- Store personal information in a safe place.
Cyber Terrorists
Cyberterrorists are terrorists who carry out their acts of terrorism primarily through some form of cyberspace. Acts of cyberterrorism are politically inspired cyber attacks in which the cyber criminal attempts to steal data and/or corrupt corporate or government computer systems and networks, harming countries, businesses, organizations, and even individuals. Cyberterrorists have become a larger concern due to society's already developed fear of random, violent victimization, combined with distrust, anxiety, and unfamiliarity regarding computer technology. This creates an amalgamation of two worries that concern people and creates a larger unknown threat.[5]
Cyberterrorists differentiate themselves from other cybercriminals in that their actions are often politically motivated rather than seeking financial gain. This usually puts cyberterrorists in the public eye more than ordinary cybercriminals, as cyberterrorists' actions are often used to disturb the peace and seek media attention in order to spread awareness of the politics that go against the cyberterrorists' beliefs or standpoint.
Recent discussions have argued about what qualifies as "cyberspace" and what qualifies as "an act of terrorism." This has caused debate over whether, in certain instances, an event qualifies as cyberterrorism. Dorothy Denning, a professor of computer science, made the widely adopted, unambiguous definition of cyberterrorism. From her numerous articles on the subject and in her testimony before the House Armed Services Committee in May 2000, she defined cyberterrorism as: "The convergence of cyberspace and terrorism. This refers to unlawful attacks and threats against computers, networks, and information belonging to such. These actions may be done to intimidate or coerce a government or its people in furtherance of political or social objectives. And in order to qualify as cyberterrorism, an attack should result in violence against persons or property, or at least cause enough harm to generate fear."[6]
Going by this definition, attacks that lead to death or bodily injury, explosions, or severe economic loss would be examples of cyberterrorist attacks. Serious attacks against critical infrastructures could also be acts of cyberterrorism, depending on their impact. However, attacks that disrupt nonessential services or are mainly a costly nuisance would not.
Recently, there has been an enormous upward spike in terrorist groups committing acts of terrorism through cyberspace. This is because the growing dependence of our societies on information technology has created a new form of vulnerability, giving terrorists a chance to approach targets that would otherwise be unassailable. These include national defense systems, air traffic control systems, government data centers, etc. This allows infrastructural damage to a business or society and has shown that the more technologically developed a country is, the more vulnerable it becomes to cyberattacks. Terrorist groups have also flocked towards cyberterrorism because many protective measures have not yet been put in place against it (due to its more recent development), as well as because of the many benefits that the digital world brings for criminal activities. There have been five significant benefits for these terrorist groups in switching their activities from physical terrorism to cyberterrorism: price, anonymity, ease of access to targets, all the benefits of remote work, and the ability for the act of terrorism to be even bigger than planned.[6]
Cyber Crime and the Healthcare System
In today's "high-tech" world, both wireless and software-controlled technologies are commonplace throughout the medical world. From the bustling cities of Washington D.C. and Chicago, Illinois to the various small town "one-stoplight" places around this country, the advancement in medical technology has in some way, shape or fashion affected all of us in many different ways. Even the normal "checkup" visit to the doctor brings us face-to-face with some form of software-controlled devices such as "surgical and anesthesia devices, ventilators, drug infusion pumps, patient monitors and external defibrillators" [7]. Most devices used in hospitals today are controlled via software and are either connected to the Internet via a hospital Intranet or have the capability to be connected via wireless technology.
And that is where one of the many problems arises: on the Internet. Most, if not everything, can be found, viewed, used, and exploited as long as it is connected to the Internet. As long as there is something of value out there in cyberspace, there will always be someone who tries to "hack" it, manipulate it or take it. Whether that is for the good of mankind or the selfishness of one, people will always try to use the internet to their advantage.
The healthcare industry is no stranger to cyber-crime. For the last ten years or so, most cyber-crimes against the healthcare system were for monetary reasons whether that be through extortion or by stealing someone’s identity.
Within the last few years there have been numerous security studies, conferences and demonstrations on the topic of cybersecurity vulnerabilities relating to “internet-connected implanted medical devices” [8], “hard-coded password vulnerabilities” [9] or “by the introduction of malware into the medical equipment or unauthorized access to configuration settings in medical devices and hospital networks.” [10]
Implanted devices have been around for decades, but only in the last few years have these devices become virtually accessible. While they allow for doctors to collect valuable data, many of these devices were distributed without any type of encryption or defensive mechanisms in place. Unlike a regular electronic device that can be loaded with new firmware, medical devices are embedded inside the body and require surgery for “full” updates. One of the greatest constraints to adding additional security features is the very limited amount of battery power available.[8]
There have been some health-care security related events in the past few years.
Anthem Blue Cross
On February 4, 2015, Anthem, Inc. experienced a data breach where more than 37.5 million records were stolen by hackers. Anthem, Inc. is a US health insurance giant. In December of 2014, Anthem employees noticed suspicious database queries. At the end of January of 2015, investigators confirmed unauthorized data queries on the company's servers. In total, almost 80 million Americans have had their personal information exposed to hackers. This information includes: full names, addresses, SSNs, birthdays, etc. The truth about the Anthem hack is that they failed to encrypt their files.[11]
Advocate Health Care
In July of 2013, there was a burglary at an office of Advocate Medical Group in Illinois which involved the theft of four unencrypted desktop computers. This burglary may have exposed information of about 4 million patients.[12] The information that may have been stolen on the Advocate computers includes names, addresses, dates of birth, SSNs, etc. While the Advocate computers were password protected, they were not encrypted.
Community Health Systems
In July of 2014, Community Health Systems confirmed its computer network was the target of an external criminal cyber-attack in April and June 2014. The data taken includes names, addresses, birthdates, SSNs, etc. The intruder was able to bypass the company's security measures and successfully copy and transfer some data existing on the company's systems.[13]
References
- [1] "The Most Surprising Cyber Stalking Statistics And Trends in 2023", GITNUX, 2023-04-05. Retrieved 2023-04-25.
- [2] Sorell, Tom (November 2015). "Human Rights and Hacktivism: The Cases of Wikileaks and Anonymous". Journal of Human Rights Practice, 7 (3).
- [3] "Hacktivism: An overview plus high-profile groups and examples". us.norton.com. Retrieved 2023-04-25.
- [4] "Who Are Cyber Criminals?". Norwich University Online. Retrieved 2023-04-25.
- [5] "Who Are Cyber Criminals?". Norwich University Online. Retrieved 2023-04-25.
- [6] Weimann, Gabriel (December 2004). "Cyberterrorism: How Real Is The Threat?" (PDF). United States Institute of Peace.
- [7] Pierson, R. and Finkle, J. (2013, June 13). "FDA urges protection of medical devices from cyber threats." Reuters. Retrieved June 18, 2013 from http://www.reuters.com
- [8] Wadhwa, T. (2012, December 06). "Yes, You Can Hack A Pacemaker (And Other Medical Devices Too)." Forbes. Retrieved June 18, 2013 from http://www.forbes.com
- [9] Alert (ICS-ALERT-13-164-01): Medical Devices Hard-Coded Passwords. (2013, June 13). Industrial Control Systems Cyber Emergency Response Team. Retrieved June 18, 2013 from https://ics-cert.us-cert.gov
- [10] FDA Safety Communication: Cybersecurity for Medical Devices and Hospital Networks. (2013, June 13). U.S. Food and Drug Administration. Retrieved June 18, 2013 from http://www.fda.gov
- [11] Article in "Infosec Institute", InfoSec Institute.
- [12] "Advocate Medical Breach: No Encryption?", Data Breach Today.
- [13] "Data Breach Notification", Community Health Systems.
Freedom of Speech
Big Brothers Watching
Steps for Software Development
The software development life cycle is the process of developing, testing, implementing and maintaining software.
Information Gathering and Planning
This is the first step in software development, in which teams gather the business requirements. At this phase, the primary emphasis of the project team and project managers is to identify the specific features required from any program under consideration. Clients give programmers an abstract view of what they need the program to do, and at this time IT professionals communicate whether or not the client's specifications can be met. Sometimes clients have requirements that contradict one another, and this may make it difficult for the programmer to do their job. At this point, it may be best for the programmer to provide the client with a demonstration of code to communicate better what the client wants or expects. The scope document states what the client expects from the project and describes the objectives and costs. If the project is developed outside of the company or organization, the scope could be used as a legally binding document. The scope should contain the following:
- The Project Name
- The project definitions
- The project owner, sponsors, and stakeholder
- The problem statement
- The project goals and objectives
- The project requirements
- The project deliverable
- Milestones
- Cost Estimates
Programmers may also want to review current systems (if any) to identify any existing procedures that may continue in the new system. During the planning process, IT professionals may want to replace the hardware in order to facilitate the new system. Finally, a requirement specification document is created to act as guidance for the next stage of the software development process.
Design
This is the next stage in the software development process. The prototype design for the application is created in this stage using the requirement specification document. System designs aid in the specification of hardware as well as system needs. In software architecture, it also aids in the definition of an entire system. The system design specifications are used as input for the next step of the software development methodology. The testers build test strategies during this phase by describing what to test and how to check it.
Development and Testing
During the development phase, IT workers develop system interfaces, screen layouts and how the system will generate reports. Users then review and approve these features. Software designers may decide to build in redundancy to protect the system from failure if an error occurs. Programmers then complete the program, write the code and test the software with different testing techniques. The testing ensures the software works as specified in the project scope. If the project fails to meet a milestone, the budget, or the project requirements, the clients may sue the IT professionals for any of the following:
- Fraud
- Misrepresentation
- Breach of Contract
Implementation, Documentations and Testing
The implementation process begins with the client and IT workers coming together to create an implementation strategy. Following the receipt of the design documentation for the software to be built, the work is split evenly into numerous parts and modules. This is where the actual coding starts. The production of high-quality code by the software developers is the major emphasis of this phase. This is the most time-consuming phase of the entire process and an important stage for the developers. If anything goes wrong during the testing step, or if any errors are discovered in the code, the coding process will have to be repeated, and the cycle will continue until the project is completed. All types of functional testing, including integration testing, unit testing, system testing, acceptance testing, and non-functional testing, are completed at this point. The strategy covers the who, what, when, where and how. Then the process of correcting and converting data to the new system begins. Procedures for both users and IT workers are created. Documentation should contain the following:
- procedures
- instructions to end-users
- flowcharts and data flow diagrams
- Archive, purge, and retrieval
- Backup, storage, and recovery
The organization's IT workers and End-users should be trained in the use and maintenance of the new system. The system is then retested to make sure the system works as expected and to discover any bugs.
Maintenance
During the maintenance phase, developers correct bugs discovered either through the testing phase or through use by end users. Maintenance may also happen when the company has new requirements for the system. The maintenance phase may be the most time consuming of all, because you may need to add code that does not fit the original design. If the maintenance cost gets out of control, it may be more prudent to rebuild the system than to continue with the one currently used.
Ethical Issues in software development process
The demand for morally good software is growing as our dependence on software-supported activities grows. Software companies are finding themselves in a situation where they are being held liable for unfavorable results and biases resulting from the usage of software or the development process. Software security is inextricably linked to ethics and professionalism. To protect the public's safety, ethics and obedience to the law are essential. Any deviation from the principles of ethics and professionalism may jeopardize the system's safety and hence the public's. Organizations that care about their employees' safety should demand and promote adherence to a code of ethics. They should also create a climate where employees may easily utilize, promote, and debate the code of ethics. Because of the gravity of the issue, safety-critical development teams, more than anybody else, should be aware of their legal obligations when designing software. A safety-critical system is frequently accountable for the user's life or death, which is a huge responsibility.
Social Networking, Virtual reality and Crime
Cyber-bullying
Technology is an ever-growing part of children's lives. They spend more and more time either text messaging or on social networking sites. Because of this trend, bullies have moved from being only in the classroom to also being in the home. Bullies use technology such as social networking sites, instant messaging (IM), and text messaging, since children tend to use these devices very differently from their parents. Cyber-bullying is the harassment of one minor by another via technology. Cyberbullies torment their victims by using social devices in the following ways.
- They may create fake profiles of their victims and post false, inappropriate information.
- Sending threatening or hurtful messages to their victims
- Logging into their victims social networks and modifying them to include inappropriate content.
- Taking inappropriate pictures of their victims and then posting them on social websites and maybe the bully's personal blog.
Cyber bullying has led to many cases of suicide; the most notable cases
Cyber-stalking
Cyber-stalking is similar to cyber
Virtual Worlds