Security and Ethical Challenges
Contributors: Kim Wandersee, Les Pang
Computer Security
Computer Security Goals
Computer security must be viewed in a holistic manner and provide end-to-end protection as data moves through its lifecycle. Data originates from a user or sensor and passes over a network to reach a computing system that hosts software. This computer system has software that processes the data and stores it in a storage device. That data is backed up on a device and finally archived. The elements that handle the data need to be secure. Computer security pertains to all the means to protect the confidentiality, integrity, availability, authenticity, utility, and possession of data throughout its lifecycle.
Confidentiality: A security principle that works to ensure that data is not disclosed to unauthorized persons.
Integrity: A security principle that makes sure that information and systems are not modified maliciously or accidentally.
Availability: A security principle that assures reliable and timely access to data and resources by authorized individuals.
Authenticity: A security principle that the data, transactions, communications or documents are genuine, valid, and not fraudulent.
Utility: A security principle that addresses whether the information is usable for its intended purpose.
Possession: A security principle that works to ensure that data remains under the control of the authorized individuals.
Figure 1. Parkerian Hexad (PH) security model.
The Parkerian Hexad (PH) model expands on the Confidentiality, Integrity, and Availability (CIA) triad that has been the basic model of information security for over 20 years. This framework is used to list all aspects of security at a basic level. It provides a complete security framework that gives information owners the means to protect their information from adversaries and vulnerabilities. It adds Authenticity, Utility, and Possession to the CIA triad security model. It addresses security aspects for data throughout its lifecycle.
The Center for Internet Security has identified 20 controls necessary to protect an organization from known cyber-attacks. The first 5 controls will provide effective defense against the most common cyber-attacks, approximately 85% of attacks. The 5 controls are:
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges
A full explanation of all 20 controls is available at the Center for Internet Security website. Search for CIS controls.
Security Standards and Regulations
The National Institute of Standards and Technology (NIST), Computer Security Division, provides security standards in its Federal Information Processing Standards (FIPS) SP 800 series. These publications are used often by security professionals to ensure they are properly safeguarding information technology. NIST maintains a library of security-related publications at http://csrc.nist.gov/publications/PubsSPs.html.
Individual industries are often guided by a Federal law to help ensure that the proper security and privacy controls are established. The following list provides examples of an industry and its associated Federal law.
- HIPAA: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- FISMA: https://www.dhs.gov/fisma
- FERPA: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Responsibilities
Computer security's responsibility is to prevent an intrusion from occurring, detect a security breach if one occurs, and recover from the security breach. Computer security generally involves the following practices:
Monitoring and Auditing
Once a security breach is detected, the following steps may be
taken:
o Review event logs
o Review variations from the baseline performance
o Use Intrusion Detection Systems (IDS)
o Research security resources to gather information
o Look for common symptoms of a specific attack
o E-mail
o Voice-mail broadcast
o Shut down affected servers
o Remove affected computers from network
o Remove network from the Internet
o Preserve the evidence
o External attacks
protocols can enter the perimeter network and the private network
o Internal attacks
clean backup
o Maintain service pack versions
o Run intrusion detection systems
o Review event logs regularly
nt logon events
o Collect and record attack details
o Perform a postmortem meeting
o Develop an action plan for future attacks
o Modify the security policy and security plan as needed
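As an added example, not part of the original notes, the following Python script applies the "review event logs" and "variations from the baseline" steps above to a handful of constructed logon events. It counts LOGON_FAILURE records per source address inside a sliding time window and reports sources that reach a threshold, and it computes the overall failure ratio so it can be compared with a known baseline. The log format, field names, addresses and thresholds are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real events): "timestamp event user=... src=..."
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 LOGON_FAILURE user=alice src=10.0.0.5
2024-05-01T09:00:03 LOGON_FAILURE user=alice src=10.0.0.5
2024-05-01T09:00:04 LOGON_FAILURE user=bob src=10.0.0.5
2024-05-01T09:00:06 LOGON_FAILURE user=carol src=10.0.0.5
2024-05-01T09:00:09 LOGON_FAILURE user=dave src=10.0.0.5
2024-05-01T09:00:20 LOGON_SUCCESS user=alice src=10.0.0.7
2024-05-01T09:05:00 LOGON_FAILURE user=erin src=10.0.0.9
2024-05-01T09:30:00 LOGON_FAILURE user=erin src=10.0.0.9
""".splitlines()


def parse_event(line):
    """Split one line into (timestamp, event name, dict of key=value fields)."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def find_logon_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak_count} for sources whose LOGON_FAILURE events reach
    `threshold` inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        ts, event, fields = parse_event(line)
        if event == "LOGON_FAILURE":
            failures[fields["src"]].append(ts)

    bursts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


def failure_ratio(lines):
    """Share of logon events that failed. Compare this with the normal ratio
    for the environment (the baseline) rather than with a fixed number."""
    total = failed = 0
    for line in lines:
        _, event, _ = parse_event(line)
        if event.startswith("LOGON_"):
            total += 1
            if event == "LOGON_FAILURE":
                failed += 1
    return failed / total if total else 0.0


if __name__ == "__main__":
    print("bursts:", find_logon_bursts(SAMPLE_EVENTS))
    print("failure ratio: %.2f" % failure_ratio(SAMPLE_EVENTS))
```

On the constructed data, 10.0.0.5 produces five failures in eight seconds and is reported; 10.0.0.9 fails twice but 25 minutes apart, so it is not. The window and threshold should be tuned against the site's own baseline before the output is used to trigger the containment steps listed above.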
Threats
Figure 2. Typical threats.
Disasters
Disasters include natural and man-made disasters. These include: tornado, hurricane, earthquake, fire, bombings, and bioterrorism.
Humans
Human activity creates a number of threats to computer security.
llowing company policy
passwords
tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system
-sharing policies with business partnerships
Malicious Code
Virus: A code fragment that copies itself into a larger program, modifying that program. It executes only when its host program begins to run. It can reproduce immediately or can be triggered by a particular event, such as a date.
Worm: Typically an independent program that copies itself from one computer to another, usually over a network.
Trojan Horse: A code fragment that hides inside a program and performs a disguised, unauthorized function.
Bomb: A type of Trojan Horse, used to release a virus, a worm, or other system attack. It is planted by a system developer and is triggered when a particular date, time, or condition occurs.
Trap Door: A mechanism that is built into a system by its designer or programmer. It provides the designer a way to circumvent the normal access to the application. Unfortunately these can be left in the system and allow unauthorized access to the system.
Spoof: A program that tricks an unsuspecting user into giving away privileges.
Hoax: A program that claims that it is malicious code, but does not do harm to the system. Instead, it wastes time while security engineers determine there is no threat.
Spyware: A program that resides on your computer, captures all of your activities, and then sends the information to a company or hacker for their use.
Ransomware: Malicious software that typically encrypts the victim's files, making them no longer accessible, and demands a ransom to decrypt the files.
E-Commerce Dangers
misrepresentation of identities or other facts in order to obtain something of value. With a proper security system in place, the consumer will be able to positively authenticate the identity of the e-commerce business and the business will be able to identify the consumer before performing the transaction. Identity theft constitutes a current, serious example of fraud perpetrated through unauthorized access to personal information on the Internet.
system. The financial transactions may be altered if one can modify the data during transit. Cryptographic message digests can indicate whether a message has been tampered with.
Denial-of-service attack involves preventing one from accessing data by confusing or overloading the related computers or networking equipment. Transmission Control Protocol (TCP) is a communication protocol commonly used on the Internet for many kinds of communication. The TCP SYN flooding attack is a denial-of-service threat launched on the Internet. With a TCP SYN flooding attack, hackers attempt to open so many TCP connections with a server that it results in denial of additional incoming connections. Interactive Web technologies such as Java, JavaScript, and ActiveX increase the difficulty of preventing denial-of-service attacks. With these Web technologies, a denial-of-service can be easily embedded in programs.
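As an added example, not from the original text, the following Python script shows how a defender can recognise the build-up of half-open TCP connections that a SYN flood leaves on the server: it reads connection-table lines in the shape of `ss -tan` output (the sample rows are constructed), counts sockets in the SYN-RECV state per peer address, and flags peers and totals above a threshold. The thresholds, addresses and sample data are assumptions made for the example.

```python
from collections import Counter

# Constructed connection-table lines in the shape of `ss -tan` output
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port); sample data only.
SAMPLE_TABLE = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
SYN-RECV 0      0      192.0.2.10:443     198.51.100.7:51234
SYN-RECV 0      0      192.0.2.10:443     198.51.100.7:51235
SYN-RECV 0      0      192.0.2.10:443     198.51.100.7:51236
SYN-RECV 0      0      192.0.2.10:443     198.51.100.7:51237
SYN-RECV 0      0      192.0.2.10:443     198.51.100.8:40010
SYN-RECV 0      0      192.0.2.10:443     198.51.100.8:40011
ESTAB    0      0      192.0.2.10:443     203.0.113.5:40001
ESTAB    0      0      192.0.2.10:443     203.0.113.6:40002
""".splitlines()


def parse_table(lines):
    """Yield (state, peer_ip) for each data row; the header row is skipped."""
    for line in lines:
        parts = line.split()
        if not parts or parts[0] == "State":
            continue
        state, peer = parts[0], parts[4]
        yield state, peer.rsplit(":", 1)[0]   # drop the port, keep the address


def half_open_by_peer(lines):
    """Count SYN-RECV (half-open) sockets per peer address."""
    return Counter(peer for state, peer in parse_table(lines) if state == "SYN-RECV")


def syn_flood_assessment(lines, per_peer_threshold=3, total_threshold=100):
    """Return (total_half_open, peers_at_or_above_threshold, total_threshold_exceeded).

    Both views matter: a flood from a single address shows up per peer, while a
    flood using many forged source addresses only shows up in the total.
    """
    counts = half_open_by_peer(lines)
    total = sum(counts.values())
    suspects = sorted(peer for peer, n in counts.items() if n >= per_peer_threshold)
    return total, suspects, total >= total_threshold


if __name__ == "__main__":
    total, suspects, exceeded = syn_flood_assessment(SAMPLE_TABLE)
    print("half-open sockets:", total)
    print("peers over threshold:", suspects)
    print("total over threshold:", exceeded)
```

The totals threshold should be set relative to the listener's backlog size, since the service degrades once the backlog of half-open connections is full; enabling SYN cookies on the server is the usual kernel-level mitigation that keeps the backlog from being exhausted.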
Controls and Defenses
Policy, Processes, and Procedures
A security policy:
and network usage
security incidents
procedures
Data Backups and Hot Sites
Data backup protects not only against physical disasters but also against equipment failure, data theft, data modification and data corruption. Obviously the backup site must be remote from the primary database to avoid a common disaster. Backup media include tape, at lower cost, and disk, at higher cost. Backup frequency may be periodic, as in once a week, or continuous, as in a site that mirrors the primary site. Communication with the backup site may vary from physical transport to high-speed telecommunications links. The type of backup needs to be matched to the requirements of the company or individual. Backup frequency depends on the acceptable data loss that might occur between the last recovery point and a failure. The speed and sophistication of recovery depends on the acceptable down time. The cost of the backup and recovery system should not greatly exceed the risk. Here, risk is taken to be the amount of the possible loss times the probability of its occurrence.
Access Control
Access control can take a variety of forms. "Firewall" or "proxy server" software provides access control for computers connected to the Internet. Access control can involve using transmission cables that cannot be tapped. Access control can also involve requiring authentication prior to allowing a computer to make known the content of certain data files.
Forms of the latter type of access control are the following:
Strong Passwords
Passwords are critical to preventing unauthorized access to the network and applications. Therefore, passwords should be difficult to guess. They should be eight or more characters and a combination of capital and small letters, numbers, and special characters. Passwords should be changed regularly and frequently.
Microsoft provides recommendations for creating and using strong passwords at the following URL.
http://www.microsoft.com/protect/yourself/password/create.mspx
Microsoft also provides a free password checker. To check the strength of your password, use the following URL:
http://www.microsoft.com/protect/yourself/password/checker.mspx
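The password rules stated above, applied by a small Python policy checker. This is an added example, not code from the original page or from Microsoft; the rule set and the eight-character minimum come from the text, while the function name and messages are ours.

```python
import string

# Rules stated in the text: eight or more characters, plus capital letters,
# small letters, numbers and special characters.
MIN_LENGTH = 8


def check_password_policy(password: str) -> list:
    """Return the list of policy rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no capital letter")
    if not any(c.islower() for c in password):
        failures.append("no small letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def passes_policy(password: str) -> bool:
    """Convenience wrapper for use at account-creation or password-change time."""
    return not check_password_policy(password)


if __name__ == "__main__":
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):   # constructed samples
        problems = check_password_policy(candidate)
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
```

A composition check like this only enforces the stated rules; it does not measure guessability. Current NIST guidance (SP 800-63B) additionally recommends screening new passwords against lists of known-compromised values and no longer recommends forcing routine periodic changes, so a checker of this kind is best paired with a breached-password screen.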
Single Sign-On (SSO)
Many organizations are implementing Single Sign-On technology. This technology consolidates all user passwords into one. The user can access all applications with only one login to the network. Some organizations require two- or three-factor authentication when using single sign-on technology.
Three Factor Authentication
that individuals are who they say they are.
Three-factor authentication requires the use of a password (something you know), a token (something you have), and biometric data (something you are).
Figure 3. Authentication Factors
Trusted Transactions
Before the Internet, most security measures focused on perimeter security for an organization. Technologies included firewalls, anti-virus software, intrusion detection, and e-mail scanning.
In the early 2000s, people hesitated to use the Internet for banking, on-line shopping and other transactions that involved sending financial or credit card information over the Internet. There was insufficient confidence in the technology that the data would reach its destination without being altered or intercepted.
E-Commerce enabled by the Internet requires trusted transactions. E-Commerce has moved transactions away from the organization to integrated transactions between the customer, the business, the supplier and the payer. In order to do this, security measures had to be in place to create trust.
In other words, Internet transactions require:
- Non-repudiation
Cryptography (or Encryption)
Cryptography can satisfy many of the security requirements for trusted transactions. Cryptography involves the use of codes and ciphers in order to transmit information so that access is restricted to the intended recipient. The primary objective of cryptography is to allow two or more users to communicate securely over an insecure medium, for example, the Internet. The information to be transmitted, called plaintext, is encrypted using a predetermined key to generate the ciphertext. The ciphertext is transmitted over the insecure medium to the receiver, who recovers the plaintext using a cryptographic key and algorithm.
Cryptosystems can be classified into two categories: (1) symmetric key cryptosystems and (2) public key cryptosystems.
1. Symmetric Key Cryptosystems. These have the same problem as unconditionally secure codes. The key to decode the message must be transported to the desired recipient without a chance of falling into the wrong hands.
2. Public Key Cryptosystems. These provide a means to move information in a secure fashion without the need to secretly transmit a decoding key. The disadvantage is that it requires a large amount of computing to code and decode a lengthy message.
Symmetric key and public key cryptography systems together possess the necessary characteristics to perform security for a wide variety of systems, including secure e-commerce, e-mail, and World Wide Web (WWW) interactivity. Today's secure Internet data movements are based on the following concepts:
for a symmetric code with a reasonable amount of computing effort.
using the fast symmetric key system.
Commonly Encountered Symmetric Codes
Data Encryption Standard. In 1977, the National Institute of Standards and Technology (NIST) published the Data Encryption Standard (DES). DES is a block cipher algorithm. DES has a 64-bit block size (ciphertext is 64 bits in length). The DES key is 56 bits in length. DES was last reviewed in 1993 and was approved for unclassified applications until 1998. Although DES is widely used, it is no longer secure and must be replaced with a more robust algorithm.
Advanced Encryption Standard. The Advanced Encryption Standard (AES) algorithm succeeded DES. AES is a symmetric block cipher algorithm. AES has a 128-bit block size. AES has a variable key size (128, 192, or 256 bits). AES is more secure than DES. Rijndael (pronounced as Rhine-Doll) was selected as the algorithm. Conformance testing was done in the summer of 2001. The standard will be reevaluated every five years.
Public Key Infrastructure (PKI)
PKI can be used for Internet e-business security, to improve user confidence in using the Internet for transactions, and to implement trusted transactions.
PKI ensures the following conditions.
Confidentiality: Is the data private?
User authentication: Are you who you say you are?
Non-repudiation: Are you the only one who could have made this transaction?
Data integrity: Has the data been tampered with?
PKI technology includes the following features.
Digital Certificate: Binds a user's identity to a public key in digital form.
Registration Authority (RA): Security officers of the PKI; administrator of the PKI.
Certificate Authority (CA): Establishes trust; issues digital certificates; validates the owner's identity.
Certificate Revocation List (CRL): List of all revoked certificates, with the time of revocation and the reason for revocation.
Directories and X.500: Public repositories.
Complete Public Key Infrastructure: Automates the management of digital certificates, public keys, and private keys.
Digital Certificates
Digital certificates provide a mechanism to connect the identity of a subject (an individual, company, or computer) to a public cryptographic key in a way that can be trusted and verified. To provide digital certificates, a certain entity called a trusted party is responsible for verifying a set of credentials in accordance with a predefined policy. If approved, the subject's public key and credentials are digitally coded and signed using the trusted party's private key to form a certificate. The certificate can then be distributed in a public manner, and the identity associated with a public key can be authenticated by decoding the certificate with the trusted party's public key and verifying the signature on it. Digital certificates are issued by trusted parties called Certification Authorities (CA).
Digital Signatures
Many public key algorithms can provide authentication, data integrity, and nonrepudiation. Since public key algorithms compute slowly, algorithms to obtain a summary or "fingerprint" of the plaintext are desirable. These algorithms are known as message digests or hash functions. A hash function processes an input of arbitrary length and produces a fixed size output. Secure message digests or hash functions possess three essential mathematical properties.
1. Every input bit influences every output bit.
2. If a single input bit is changed, every output bit has a 50 percent chance of changing.
3. Given an input and corresponding hash, it should be computationally unfeasible to find another input with the same hash.
Common message hash functions include: MD2, MD4, MD5, MD6, SHA, SHA-1, SHA-2 and SHA-3. MD2, MD4, and MD5 were developed by Ronald Rivest of RSA Data Security. These are 128-bit digests.
A digital signature may be created and sent along with a message to achieve authentication and to assure data integrity and nonrepudiation. The sender, say, Alice, applies a hash function H to her plaintext message m to create the message digest, represented symbolically by Hm. This means that H operates on m. Alice then operates on Hm with her certified private key A to produce the encrypted message digest AHm. She sends AHm to the recipient, say Bob, along with m. Bob recovers Hm by operating on AHm with Alice's certified public key A*. Symbolically, A*AHm = Hm, since A* just undoes A. Bob then separately operates on the received plaintext message m' with H to obtain Hm'. If Hm' = Hm, Bob is sure that (1) the message came from Alice, (2) it was not tampered with in transmission, and (3) Alice cannot disavow it.
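The following Python script is an added example, not the authors' code. It serves both the hash-function properties listed above and the Alice-and-Bob signature walkthrough: it measures property 2 for SHA-256 by flipping one input bit and counting the output bits that change, then carries out the hash-then-sign sequence with the text's symbols (A applied to Hm, A* undoing A, Bob comparing Hm' with Hm) using textbook RSA built from constructed small primes (10007 and 10009) so the arithmetic is visible. The tiny key, the two-byte chunking of the digest and the absence of padding are simplifications for illustration only; a real signature uses a 2048-bit or larger key and a padding scheme such as RSA-PSS.

```python
import hashlib
from math import gcd


def H(message: bytes) -> bytes:
    """The hash function H of the text; SHA-256 (a SHA-2 digest) stands in for H."""
    return hashlib.sha256(message).digest()


def differing_bits(a: bytes, b: bytes) -> int:
    """Count bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(m: bytes, bit: int = 0) -> float:
    """Property 2: flip one input bit and return the fraction of digest bits that change."""
    flipped = bytearray(m)
    flipped[bit // 8] ^= 1 << (bit % 8)
    changed = differing_bits(H(m), H(bytes(flipped)))
    return changed / (8 * len(H(m)))


def make_toy_keys(p: int = 10007, q: int = 10009, e: int = 65537):
    """Toy RSA key pair from constructed small primes (illustration only).

    Returns (A, A*): A = (d, n) is Alice's private operator, A* = (e, n) her public one.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (d, n), (e, n)


CHUNK = 2  # bytes per RSA block; 2**16 < n, so every chunk is below the modulus


def sign(digest: bytes, private_key) -> list:
    """AHm: apply Alice's private operator A to each chunk of the digest Hm."""
    d, n = private_key
    return [pow(int.from_bytes(digest[i:i + CHUNK], "big"), d, n)
            for i in range(0, len(digest), CHUNK)]


def recover(signature: list, public_key):
    """A*AHm = Hm: the public operator undoes the private one chunk by chunk.

    Returns None if a chunk cannot be a value Alice signed (a forged or damaged
    signature), so the caller never has to handle an exception.
    """
    e, n = public_key
    out = bytearray()
    for s in signature:
        value = pow(s, e, n)
        if value >= 256 ** CHUNK:
            return None
        out += value.to_bytes(CHUNK, "big")
    return bytes(out)


def verify(received_message: bytes, signature: list, public_key) -> bool:
    """Bob's check: Hm' computed from the received m' must equal the recovered Hm."""
    recovered = recover(signature, public_key)
    return recovered is not None and recovered == H(received_message)


if __name__ == "__main__":
    private_A, public_A_star = make_toy_keys()
    m = b"Pay Bob 100 units"                      # constructed message
    AHm = sign(H(m), private_A)                   # Alice signs the digest
    print("fraction of digest bits changed by one flipped input bit:",
          avalanche_fraction(m))
    print("genuine message verifies:", verify(m, AHm, public_A_star))
    print("altered message verifies:", verify(b"Pay Bob 900 units", AHm, public_A_star))
```

The avalanche figure lands near 0.5 for any input, which is the 50 percent property in concrete form; the altered message fails because Hm' no longer equals the Hm that Bob recovers from AHm, while a genuine message passes because A* exactly undoes A.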
Security Considerations
Privacy
Although privacy and security are related, they are not identical. Privacy pertains to an individual's right to limit disclosure of personal information. It is an implied right, rather than an expressed one, flowing from the U.S. Constitution. Security pertains to data, which may contain information about individuals. If personal and consumer data are protected, so is personal and consumer privacy. Thus, businesses go to great lengths, on line and off, to guarantee the confidentiality of such data. However, to assure the security of a computer system, it may be necessary to observe the usage of it by individuals, thus infringing upon their complete privacy. It may be necessary to conduct a background check of prospective employees to assess their character and habits, again infringing upon their privacy. In a larger sense, the government finds it necessary to conduct wiretaps under warrant and to perform other surveillance to provide national security.
Intellectual Property
One of the striking features of intellectual property—that is, creative works of writing and music—in digital form is its cost asymmetry. What this means is that the Beatles incurred a substantial cost to supply the first unit of intellectual property, say, the digital master of Sgt. Pepper's Lonely Hearts Club Band. Yet the marginal cost—the cost of producing and distributing one more copy of it—is trivial. Therein lies the root of our intellectual property problems. First, how can we pay for the first unit? Then how should we price the subsequent units? The record companies say that the subsequent units must be priced enough over their marginal cost to pay for the first unit. The users say that the subsequent units should be priced at their marginal cost, namely almost nothing. The record companies achieve their goal through their monopoly on production and distribution granted by the copyright law. But when the digital age makes copying and distribution almost free, the users face irresistible temptation to break the monopoly, as the original Napster did.
Such issues as this led to the concept of Digital Rights Management (DRM). Here producers used various methods of coding and encryption to restrict copying and distribution of intellectual property. Successful efforts to break the DRM codes led, among other reasons, to the rewrite of the copyright laws as the Digital Millennium Copyright Act of 1998 (DMCA). In one controversial provision, DMCA made it a crime to defeat DRM codes. About the best we can say here is that the issue still simmers. Nevertheless, producers and distributors are having some success in persuading users to pay a little for their music and videos. Apple's iTunes testifies to that.
Equitable User Access
Under the heading of equitable user access, the concept of the digital divide looms large. The more affluent individuals of this country and the world have access to personal computers and broadband that bring benefits of information and productivity. The less affluent individuals of this country and the world lack this access and these benefits. Clearly a positive feedback operates to enhance the skills and achievements of those with access, whereas that feedback is lacking for those without access. United States policy recognizes this problem in a limited way. The Federal Communications Commission administers a so-called Universal Service Fund. Telecommunications carriers must contribute a portion of their revenue to the fund. The fund's monies are then made available (1) to subsidize the price of telephone service to high cost areas (like rural or mountainous settlements), (2) to provide core telephone service to low income individuals, (3) to help schools and libraries pay for advanced telecommunications services, and (4) to help rural health care facilities pay for the same.
The International Telecommunication Union works to increase the penetration of telecommunications services to developing countries.
The MIT Media Lab has now achieved production of "One Laptop per Child," a bare bones computer costing only $100, operable even in regions without electric power. Intel and other organizations are following suit with competitive offerings.
Beyond these efforts, little is really being addressed.
Net Neutrality
Net neutrality has two sides -- those in favor and those against.
Those in favor of the principle argue that the genius of the Internet is its complete neutrality with respect to those who supply content, those who consume content, and the content itself. Because all the intelligence is "at the edges" of the network in the terminal devices, anyone can display his bright idea or videos of his trained seal; others can seize upon that idea and develop it or criticize it. In this way information and innovations are spread around with the result of raising the economic and cultural level of the nation.
Those against the principle argue that the nature of content has greatly expanded since the Internet's early days. Some content deserves more priority than others. Some content deserves more speed or reliability than others. Some users, such as Google and Yahoo, pump more volume into the Internet than others. To accommodate these diverse needs, new investment in the facilities and capabilities of the Internet is needed. Therefore, pricing for some content and some users should be higher to finance such investment.
Apart from these principles is the practical fact that some users—even individual users—and some content use up more of Internet capacity than others. An example is file sharing of videos through the BitTorrent protocol. This recently became troublesome for Comcast, in that five percent of the users on its network consumed 70 percent of the capacity. Such lopsided use could degrade service for the other 95 percent of the users sharing the network, suggesting that Comcast should have the right to manage such traffic in the interests of its customers and its business. Fortunately, it was in the mutual interest of both Comcast and BitTorrent to agree on a traffic management solution that ameliorated the problem.
No legislative resolution of the issue has occurred to date, although the U.S. Congress is still concerned.
Regulatory Considerations
Some aspects of information technology are regulated. Historically the most important portion is the telephone industry, especially the local exchange. Accordingly, we volunteer a few salient points about regulation.
You run into regulations every day. When you drive your automobile to work, you follow a set of regulations for driving -- observe the speed limit, stay right except to pass, and so forth. You have paid a tax for your tags, which you must have to drive your vehicle on the streets, and you have a driver's license, which you obtained by initially passing written and "behind-the-wheel" tests. You have probably renewed your license by taking an eye test, or perhaps another written test. You enter a restaurant knowing, at least subconsciously, that the meat you will eat was inspected by the Department of Agriculture, its weight measured on a scale calibrated by the division of weights and measures, and prepared in a kitchen inspected by the local department of health. Regulation permeates daily life.
Fundamentally, regulations are adopted to protect the public. These regulations are designed to help in a variety of circumstances. Some regulations go to safety, like those governing foods and drugs. Others go to economics, like those governing prices. For example, the market may not be efficient enough to prevent one competitor from holding enough market share to dictate prices to consumers. In such a case, the company may be said to have monopoly power. Regulation is developed to prevent an abuse of such market power, perhaps by setting rates, or at least by limiting them.
Markets in which there are many buyers and sellers characterize perfect competition. Each transaction in the marketplace has a relatively small bearing upon the overall market and each transaction is a small component of overall market volume. Products differ, and consumers may choose the characteristics of the products they want from among a wide range of suppliers. Consumers or purchasers will have a high degree of information on which to base choices. They may use product specifications, price, and other criteria to make their market choice. Choosing one supplier over another does not disadvantage them. When these conditions are met, supply and demand are in equilibrium and determine the market price.
The opposite of competition is monopoly, such as existed formerly in many parts of the telephone industry. In a monopoly environment, choice is substantially reduced. There are fewer choices of suppliers, of products or services, and of criteria for choosing products. In a pure monopoly there is but a single supplier. That supplier could then control supply in such a way as to maximize profit. It turns out that maximum profit occurs at a smaller supply and higher price than would occur under perfect competition. The monopoly supplier has no incentive to reduce costs in order to cut prices. In addition, there is a net transfer of wealth from consumer to supplier, much like a hidden tax. To prevent such abuses of their monopoly position, price regulation is imposed on firms that are necessarily monopolistic, like electrical power distribution and the local exchange telephone companies. The regulation seeks to set prices approximately equal to those that would occur under competition.
The more specific goals of economic regulation are to produce efficiency by limiting providers to prudent costs and investments, maintaining low prices for consumers, and curbing abuses of monopolistic or dominant firms. In addition, regulation meets certain social goals, such as nondiscrimination, consumer protection, and targeting of populations in need. Even in the "competitive market" provisions of the Telecommunications Act of 1996, there remain priorities for telecommunications development. Education and libraries, for example, are identified as priorities for investment and for government funding, even under this so-called "deregulatory" act.
Another fundamental reason for economic regulation is to ensure fairness. Markets, as the more or less abstract and impersonal entities they are, can determine price but not equity. If you want a telephone, you must pay the going rate. If the supply of telephones is less than the demand, the price will likely go up. If the cost of doing business in, say, a rural area is greater than in an urban area because there are fewer customers for each mile of (expensive) copper wire laid to provide the service, there is a natural tendency to charge more because of the higher cost associated with this group of customers. So if the market fails to provide equity to rural subscribers, regulation is needed.
Beyond economic regulation, U.S. laws have been enacted to regulate disclosure of personal data, privacy of electronic communications, credit reporting, spam, and child pornography, among other topics. These laws, unfortunately, are having but moderate effect.
To summarize, regulation is needed when there is market failure. Examples of market failure are safety risks, excessive price, low quality, limited choice, lack of innovation, and concentration of supply with consequent power to control the market and inhibit competition.
Conclusions
Security must protect information in every state it is in: transmission, storage, and processing. Technical controls are one aspect of security and include firewalls, intrusion detection systems or anti-virus software. Security can be looked at in terms of people, process and technology. People must be trained and understand what to do in order to prevent security breaches. Policy and processes should be established to ensure a consistent, measurable, repeatable performance of good security behavior. The following graphic shows the various aspects of a comprehensive security program.
Figure 4. Security Dimensions.
People should be considered in terms of, for example, adequate security clearances, proper hiring practices, the need for proper security training and others. Policy and process should be examined in terms of disciplined patch management policies and procedures, a disaster recovery / business continuity plan, establishment of a security steering committee and a sound incident management system. Technology involves the tools and procedures to fend off any attacks -- both external and internal attacks. Insider threats are responsible for over 75% of the security breaches.
Therefore, one should take a holistic view of security in order to protect information while at a particular facility, while it is mobile, and while it is in use from a remote location. Data must be protected in all states: transmission, storage, and processing. Security must address the human element to guard against intentional or unintentional security breaches. A strong security program includes a combination of technology, policy and process, and people.
IT Ethics and Responsible Conduct
Ethical Use of Data
The U.S. Government, businesses, organizations, social media,
and recent developments such as the
Internet of Things are generating an increasing amount of data.
There are new capabilities to gather,
analyze, disseminate, and preserve large amounts of data that
make it possible to learn more about an
individual without their knowledge or consent. According to
PCAST in May 2014, “the term privacy
encompasses not only the famous 'right to be left alone' or
keeping one’s personal matters and
relationships secret, but also the ability to share information
selectively but not publicly.” (P. 13.) As our
ability to collect data, combine multiple data sources, and
analyze the data to gain new knowledge
expands, the ethical use of data collected must be a conscious
decision made by anyone that owns and
processes data.
The concern for privacy as new technology becomes available is not new. In the late 1990s, the American Civil Liberties Union (ACLU) was concerned about the government assigning everyone a national ID. At that time, many databases were accessed by a key. A key is a unique identifier that allows information stored in a record to be directly accessed. Individuals were concerned that the government might use the national ID to link databases together and use the new information to limit personal freedom. In his book 1984, George Orwell writes about the government monitoring your activities. The phrase "Big Brother is Watching You" became a popular way to describe the invasion of one's privacy by the government. A video, Ordering a Pizza in the Future, shows the privacy concerns of a national ID that could be used if systems were linked together.
Today, 'right to privacy' concerns include data collected by the government or other organizations. A national ID or a key to join related records is no longer needed. We have learned from Snowden's exposure of NSA monitoring how intrusive government monitoring can be. There are claims that our government reads the content of our emails, file transfers, and live chats from the social media we use in order to protect national security. Facebook performed a "social experiment" in which it controlled content in individual Facebook pages to determine whether or not receiving negative content affected one's mood. Facebook did not gain prior consent to perform this experiment.
Data is being collected and stored in a manner that supports the ability to access the data and perform data analytics on a question or need that was not the original intent of the data collection. This can occur through over-collection of data or through "data fusion." Over-collection of data is caused by a design that intentionally or unintentionally collects information unrelated to its stated purpose. Data fusion occurs when different data sources are accessed through advanced analytics capability and pattern recognition to find a new meaning from the information other than the original intent of the data collection.
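The key-based linkage and data fusion described above, as an added example that is not part of the original page: two constructed toy record sets are joined on a shared identifier to surface a conclusion neither was collected for, and then each data holder replaces the identifier with its own keyed pseudonym (HMAC-SHA256 under a per-holder secret, an assumed mitigation rather than one the page describes) so the sets can no longer be joined. All records, field names and secrets are constructed.

```python
"""Data fusion through a shared key, and per-holder pseudonyms as a mitigation.

Added example; not from the original page. All records, field names and
secrets below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed records from two separate data holders, both keyed by the
# same shared identifier (a "national_id" style key).
CLINIC_VISITS = [
    {"national_id": "1001", "diagnosis": "D1", "month": "2014-03"},
    {"national_id": "1002", "diagnosis": "D7", "month": "2014-03"},
    {"national_id": "1001", "diagnosis": "D1", "month": "2014-04"},
]
HR_ROSTER = [
    {"national_id": "1001", "employee": "Employee A", "role": "driver"},
    {"national_id": "1002", "employee": "Employee B", "role": "clerk"},
    {"national_id": "1003", "employee": "Employee C", "role": "analyst"},
]


def fuse_on_key(left, right, key):
    """Join two record sets on a shared key: the linkage the text warns about."""
    index = {}
    for row in right:
        index.setdefault(row[key], []).append(row)
    fused = []
    for row in left:
        for match in index.get(row[key], []):
            merged = dict(row)
            merged.update(match)
            fused.append(merged)
    return fused


def employees_with_diagnosis(fused, diagnosis):
    """A conclusion neither data set was collected to support."""
    return sorted({r["employee"] for r in fused if r["diagnosis"] == diagnosis})


def pseudonymize(records, key, secret):
    """Replace the shared key with an HMAC-SHA256 pseudonym under `secret`.

    When each holder keeps its own secret, the same person receives
    unrelated pseudonyms at each holder and the sets cannot be joined.
    If holders share one secret, the pseudonym is just a new shared key.
    """
    out = []
    for row in records:
        token = hmac.new(secret, row[key].encode(), hashlib.sha256).hexdigest()[:16]
        stripped = {k: v for k, v in row.items() if k != key}
        stripped["pseudonym"] = token
        out.append(stripped)
    return out


def linkable(left, right):
    """True if any pseudonym occurs in both sets, i.e. fusion is still possible."""
    return bool({r["pseudonym"] for r in left} & {r["pseudonym"] for r in right})


if __name__ == "__main__":
    fused = fuse_on_key(CLINIC_VISITS, HR_ROSTER, "national_id")
    print("fused rows:", len(fused))  # 3
    print("employees with D1:", employees_with_diagnosis(fused, "D1"))  # ['Employee A']

    clinic = pseudonymize(CLINIC_VISITS, "national_id", b"clinic-secret")
    hr = pseudonymize(HR_ROSTER, "national_id", b"hr-secret")
    print("linkable with separate secrets:", linkable(clinic, hr))  # False

    shared_c = pseudonymize(CLINIC_VISITS, "national_id", b"one-shared-secret")
    shared_h = pseudonymize(HR_ROSTER, "national_id", b"one-shared-secret")
    print("linkable with a shared secret:", linkable(shared_c, shared_h))  # True
```

The last case is the point to check in practice: a "hashed" identifier computed with one secret shared by every holder is still a join key, so the pseudonym only prevents fusion if each holder's secret stays with that holder.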
Benefits can be gained from gleaning new information from the data. However, the proper use of data must be considered. Listed below are examples where the information itself is beneficial but can be used in a way that is potentially harmful, and something an unsuspecting individual may not want disclosed. Here are examples:
http://www.youtube.com/watch?v=RNJl9EEcsoE
- Electronic health records and genomic information. This could lead to improved treatments for a disease, but it could also lead to disqualification for insurance or jobs.
- A company that requires certain employees to drive trucks. The company logo is marked on the trucks. This company has a strict zero-tolerance policy regarding drinking while on the job. One particular driver showed up late to work. The company accessed the GPS locator that was installed on the truck and discovered that the employee had parked the truck behind a night club all night. The driver did not know the GPS device was installed on the truck. The company did not like the company image portrayed by their truck parked outside the night club. The company deduced that because the truck was parked outside a night club and the driver was late to work, the driver must have been drinking. The driver was let go.
  - Would you consider this an invasion of privacy, or a company that was very prudent in ensuring the safety of its workers and the reputation of the company? What might have been the original intent of putting GPS tracking devices on company vehicles? Prior to GPS technology, the company might never have known the whereabouts of the employee.
- A coupon for the cat food I fed to my cat, and a thank-you for being a loyal customer. On the surface, this seems like a good idea. I get a discount on what I buy and the producer sells more products. But what if my purchases were something less benign than cat food? The retailer Target inferred that a teenage customer was pregnant and began sending her coupons intended to be useful for her. Unfortunately, her father saw the coupons and determined that his daughter was pregnant.
- Tracking devices placed on vehicles without the driver's knowledge. Some argue that placing such a device on a vehicle constitutes a "search" under the Fourth Amendment, which may be illegal if there is no probable cause.
Privacy concerns are caused by the increasing amount of data being collected and analyzed. Over-collection of data and data fusion can provide the opportunity to learn unintended information from our data. This new knowledge and wisdom can be both beneficial and harmful. As our ability to collect data, combine multiple data sources, and analyze the data to gain new knowledge expands, the ethical use of the data collected must be a conscious decision made by anyone that owns and processes data.
References
Cohn, Marjorie (2014). Beyond Orwell's Worst Nightmare. Retrieved from http://www.globalresearch.ca/big-brother-is-watching-you-beyond-orwells-worst-nightmare/5367023
Center for Internet Security. CIS Controls. Retrieved from https://learn.cisecurity.org/20-controls-download
Ellenberg, Jordan (2014). Making a Huge Number of Users (Very Slightly) Sad. Retrieved from http://www.slate.com/articles/technology/do_the_math/2014/06/facebook_study_the_iffy_ethics_of_making_a_huge_number_of_people_very_very.html
Moghaddasi, H. (2015). Reasons on Support of Data Security and Data Security Management as Two Independent Concepts: A New Model. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5090776/
President's Council of Advisors on Science and Technology (PCAST) (2014). Big Data and Privacy: A Technological Perspective. Retrieved from http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf

More Related Content

Similar to Security and Ethical Challenges Contributors Kim Wanders.docx

Seguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesSeguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesisidro luna beltran
 
network_security.docx_2.pdf
network_security.docx_2.pdfnetwork_security.docx_2.pdf
network_security.docx_2.pdfahmed53254
 
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02anjalee990
 
Computing safety
Computing safetyComputing safety
Computing safetytitoferrus
 
Ch # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guardsCh # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guardsMuhammadRobeel3
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxcuddietheresa
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxsalmonpybus
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1Temesgen Berhanu
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 
Security Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
Security Attacks in Stand-Alone Computer and Cloud Computing: An AnalysisSecurity Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
Security Attacks in Stand-Alone Computer and Cloud Computing: An Analysisdadkhah077
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4Rodrigo Piovesana
 

Similar to Security and Ethical Challenges Contributors Kim Wanders.docx (20)

security IDS
security IDSsecurity IDS
security IDS
 
Seguridad web -articulo completo- ingles
Seguridad web -articulo completo- inglesSeguridad web -articulo completo- ingles
Seguridad web -articulo completo- ingles
 
network_security.docx_2.pdf
network_security.docx_2.pdfnetwork_security.docx_2.pdf
network_security.docx_2.pdf
 
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
Securityandethicalchallengesofinfornationtechnology 090902132631-phpapp02
 
Computing safety
Computing safetyComputing safety
Computing safety
 
Ch # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guardsCh # 10 computer security risks and safe guards
Ch # 10 computer security risks and safe guards
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docxDiscuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
 
I0516064
I0516064I0516064
I0516064
 
Data security
Data securityData security
Data security
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 
Is4560
Is4560Is4560
Is4560
 
Security Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
Security Attacks in Stand-Alone Computer and Cloud Computing: An AnalysisSecurity Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
Security Attacks in Stand-Alone Computer and Cloud Computing: An Analysis
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Mim Attack Essay
Mim Attack EssayMim Attack Essay
Mim Attack Essay
 
Mis 1
Mis 1Mis 1
Mis 1
 
SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4SegurançA Da InformaçãO Faat V1 4
SegurançA Da InformaçãO Faat V1 4
 
Unit v
Unit vUnit v
Unit v
 
Introduction to cyber security i
Introduction to cyber security iIntroduction to cyber security i
Introduction to cyber security i
 

More from edgar6wallace88877

Write a page to a page and half for each topic and read each topic a.docx
Write a page to a page and half for each topic and read each topic a.docxWrite a page to a page and half for each topic and read each topic a.docx
Write a page to a page and half for each topic and read each topic a.docxedgar6wallace88877
 
Write a page discussing why you believe PMI is focusing BA as the fi.docx
Write a page discussing why you believe PMI is focusing BA as the fi.docxWrite a page discussing why you believe PMI is focusing BA as the fi.docx
Write a page discussing why you believe PMI is focusing BA as the fi.docxedgar6wallace88877
 
Write a page of personal reflection of your present leadership compe.docx
Write a page of personal reflection of your present leadership compe.docxWrite a page of personal reflection of your present leadership compe.docx
Write a page of personal reflection of your present leadership compe.docxedgar6wallace88877
 
Write a page of compare and contrast for the Big Five Personalit.docx
Write a page of compare and contrast for the Big Five Personalit.docxWrite a page of compare and contrast for the Big Five Personalit.docx
Write a page of compare and contrast for the Big Five Personalit.docxedgar6wallace88877
 
Write a page of research and discuss an innovation that includes mul.docx
Write a page of research and discuss an innovation that includes mul.docxWrite a page of research and discuss an innovation that includes mul.docx
Write a page of research and discuss an innovation that includes mul.docxedgar6wallace88877
 
Write a page answering the questions below.Sometimes projects .docx
Write a page answering the questions below.Sometimes projects .docxWrite a page answering the questions below.Sometimes projects .docx
Write a page answering the questions below.Sometimes projects .docxedgar6wallace88877
 
Write a one-paragraph summary of one of the reading assignments from.docx
Write a one-paragraph summary of one of the reading assignments from.docxWrite a one-paragraph summary of one of the reading assignments from.docx
Write a one-paragraph summary of one of the reading assignments from.docxedgar6wallace88877
 
Write a one-paragraph summary of this article.Riordan, B. C..docx
Write a one-paragraph summary of this article.Riordan, B. C..docxWrite a one-paragraph summary of this article.Riordan, B. C..docx
Write a one-paragraph summary of this article.Riordan, B. C..docxedgar6wallace88877
 
Write a one-paragraph response to the following topic. Use the MLA f.docx
Write a one-paragraph response to the following topic. Use the MLA f.docxWrite a one-paragraph response to the following topic. Use the MLA f.docx
Write a one-paragraph response to the following topic. Use the MLA f.docxedgar6wallace88877
 
Write a one-page rhetorical analysis in which you analyze the argume.docx
Write a one-page rhetorical analysis in which you analyze the argume.docxWrite a one-page rhetorical analysis in which you analyze the argume.docx
Write a one-page rhetorical analysis in which you analyze the argume.docxedgar6wallace88877
 
Write a one pageliterature review of your figure( FIGURE A.docx
Write a one pageliterature review of your figure( FIGURE A.docxWrite a one pageliterature review of your figure( FIGURE A.docx
Write a one pageliterature review of your figure( FIGURE A.docxedgar6wallace88877
 
Write a one page-paper documenting the problemneed you wish to .docx
Write a one page-paper documenting the problemneed you wish to .docxWrite a one page-paper documenting the problemneed you wish to .docx
Write a one page-paper documenting the problemneed you wish to .docxedgar6wallace88877
 
Write a one page report on Chapter 1 and 2 with the same style of mo.docx
Write a one page report on Chapter 1 and 2 with the same style of mo.docxWrite a one page report on Chapter 1 and 2 with the same style of mo.docx
Write a one page report on Chapter 1 and 2 with the same style of mo.docxedgar6wallace88877
 
Write a one page reflection about the following1) Identify .docx
Write a one page reflection about the following1) Identify .docxWrite a one page reflection about the following1) Identify .docx
Write a one page reflection about the following1) Identify .docxedgar6wallace88877
 
Write a one page paper on the question belowSome of the current.docx
Write a one page paper on the question belowSome of the current.docxWrite a one page paper on the question belowSome of the current.docx
Write a one page paper on the question belowSome of the current.docxedgar6wallace88877
 
Write a one page paper (double spaced) describing and discussing the.docx
Write a one page paper (double spaced) describing and discussing the.docxWrite a one page paper (double spaced) describing and discussing the.docx
Write a one page paper (double spaced) describing and discussing the.docxedgar6wallace88877
 
write a one page about this topic and provide a reference.Will.docx
write a one page about this topic and provide a reference.Will.docxwrite a one page about this topic and provide a reference.Will.docx
write a one page about this topic and provide a reference.Will.docxedgar6wallace88877
 
Write a one or more paragraph on the following question below.docx
Write a one or more paragraph on the following question below.docxWrite a one or more paragraph on the following question below.docx
Write a one or more paragraph on the following question below.docxedgar6wallace88877
 
Write a one or more page paper on the following belowWhy are .docx
Write a one or more page paper on the following belowWhy are .docxWrite a one or more page paper on the following belowWhy are .docx
Write a one or more page paper on the following belowWhy are .docxedgar6wallace88877
 
Write a one page dialogue in which two characters are arguing but .docx
Write a one page dialogue in which two characters are arguing but .docxWrite a one page dialogue in which two characters are arguing but .docx
Write a one page dialogue in which two characters are arguing but .docxedgar6wallace88877
 

More from edgar6wallace88877 (20)

Write a page to a page and half for each topic and read each topic a.docx
Write a page to a page and half for each topic and read each topic a.docxWrite a page to a page and half for each topic and read each topic a.docx
Write a page to a page and half for each topic and read each topic a.docx
 
Write a page discussing why you believe PMI is focusing BA as the fi.docx
Write a page discussing why you believe PMI is focusing BA as the fi.docxWrite a page discussing why you believe PMI is focusing BA as the fi.docx
Write a page discussing why you believe PMI is focusing BA as the fi.docx
 
Write a page of personal reflection of your present leadership compe.docx
Write a page of personal reflection of your present leadership compe.docxWrite a page of personal reflection of your present leadership compe.docx
Write a page of personal reflection of your present leadership compe.docx
 
Write a page of compare and contrast for the Big Five Personalit.docx
Write a page of compare and contrast for the Big Five Personalit.docxWrite a page of compare and contrast for the Big Five Personalit.docx
Write a page of compare and contrast for the Big Five Personalit.docx
 
Write a page of research and discuss an innovation that includes mul.docx
Write a page of research and discuss an innovation that includes mul.docxWrite a page of research and discuss an innovation that includes mul.docx
Write a page of research and discuss an innovation that includes mul.docx
 
Write a page answering the questions below.Sometimes projects .docx
Write a page answering the questions below.Sometimes projects .docxWrite a page answering the questions below.Sometimes projects .docx
Write a page answering the questions below.Sometimes projects .docx
 
Write a one-paragraph summary of one of the reading assignments from.docx
Write a one-paragraph summary of one of the reading assignments from.docxWrite a one-paragraph summary of one of the reading assignments from.docx
Write a one-paragraph summary of one of the reading assignments from.docx
 
Write a one-paragraph summary of this article.Riordan, B. C..docx
Write a one-paragraph summary of this article.Riordan, B. C..docxWrite a one-paragraph summary of this article.Riordan, B. C..docx
Write a one-paragraph summary of this article.Riordan, B. C..docx
 
Write a one-paragraph response to the following topic. Use the MLA f.docx
Write a one-paragraph response to the following topic. Use the MLA f.docxWrite a one-paragraph response to the following topic. Use the MLA f.docx
Write a one-paragraph response to the following topic. Use the MLA f.docx
 
Write a one-page rhetorical analysis in which you analyze the argume.docx
Write a one-page rhetorical analysis in which you analyze the argume.docxWrite a one-page rhetorical analysis in which you analyze the argume.docx
Write a one-page rhetorical analysis in which you analyze the argume.docx
 
Write a one pageliterature review of your figure( FIGURE A.docx
Write a one pageliterature review of your figure( FIGURE A.docxWrite a one pageliterature review of your figure( FIGURE A.docx
Write a one pageliterature review of your figure( FIGURE A.docx
 
Write a one page-paper documenting the problemneed you wish to .docx
Write a one page-paper documenting the problemneed you wish to .docxWrite a one page-paper documenting the problemneed you wish to .docx
Write a one page-paper documenting the problemneed you wish to .docx
 
Write a one page report on Chapter 1 and 2 with the same style of mo.docx
Write a one page report on Chapter 1 and 2 with the same style of mo.docxWrite a one page report on Chapter 1 and 2 with the same style of mo.docx
Write a one page report on Chapter 1 and 2 with the same style of mo.docx
 
Write a one page reflection about the following1) Identify .docx
Write a one page reflection about the following1) Identify .docxWrite a one page reflection about the following1) Identify .docx
Write a one page reflection about the following1) Identify .docx
 
Write a one page paper on the question belowSome of the current.docx
Write a one page paper on the question belowSome of the current.docxWrite a one page paper on the question belowSome of the current.docx
Write a one page paper on the question belowSome of the current.docx
 
Write a one page paper (double spaced) describing and discussing the.docx
Write a one page paper (double spaced) describing and discussing the.docxWrite a one page paper (double spaced) describing and discussing the.docx
Write a one page paper (double spaced) describing and discussing the.docx
 
write a one page about this topic and provide a reference.Will.docx
write a one page about this topic and provide a reference.Will.docxwrite a one page about this topic and provide a reference.Will.docx
write a one page about this topic and provide a reference.Will.docx
 
Write a one or more paragraph on the following question below.docx
Write a one or more paragraph on the following question below.docxWrite a one or more paragraph on the following question below.docx
Write a one or more paragraph on the following question below.docx
 
Write a one or more page paper on the following belowWhy are .docx
Write a one or more page paper on the following belowWhy are .docxWrite a one or more page paper on the following belowWhy are .docx
Write a one or more page paper on the following belowWhy are .docx
 
Write a one page dialogue in which two characters are arguing but .docx
Write a one page dialogue in which two characters are arguing but .docxWrite a one page dialogue in which two characters are arguing but .docx
Write a one page dialogue in which two characters are arguing but .docx
 

Recently uploaded

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 

Recently uploaded (20)

Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Separation of Lanthanides/ Lanthanides and Actinides

Security and Ethical Challenges Contributors Kim Wanders.docx

Security and Ethical Challenges
Contributors: Kim Wandersee, Les Pang

Computer Security

Computer Security Goals

Computer security must be viewed in a holistic manner and provide end-to-end protection as data moves through its lifecycle. Data originates from a user or sensor and passes over a network to reach a computing system that hosts software. This computer system processes the data and stores it in a storage device. That data is backed up on a device and finally archived. Every element that handles the data needs to be secure. Computer security pertains to all the means to protect the confidentiality, integrity, availability, authenticity, utility, and possession of data throughout its lifecycle.

Confidentiality: A security principle that works to ensure that data is not disclosed to unauthorized persons.
Integrity: A security principle that makes sure that information and systems are not modified maliciously or accidentally.
Availability: A security principle that assures reliable and timely access to data and resources by authorized individuals.
Authenticity: A security principle that the data, transactions, communications or documents are genuine, valid, and not fraudulent.
Utility: A security principle that the information is usable for its intended purpose.
Possession: A security principle that works to ensure that data remains under the control of the authorized individuals.

Figure 1. Parkerian Hexad (PH) security model.

The Parkerian Hexad (PH) model expands on the Confidentiality, Integrity, and Availability (CIA) triad that has been the basic model of information security for over 20 years. This framework is used to list all aspects of security at a basic level. It provides a complete security framework that gives information owners the means to protect their information from adversaries and vulnerabilities. It adds Authenticity, Utility, and Possession to the CIA triad security model. It addresses security aspects for data throughout its lifecycle.

The Center for Internet Security has identified 20 controls necessary to protect an organization from known cyber-attacks. The first 5 controls provide effective defense against the most common cyber-attacks, approximately 85% of attacks. The 5 controls are:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privileges

A full explanation of all 20 controls is available at the Center for Internet Security website. Search for CIS controls.

Security Standards and Regulations

The National Institute of Standards and Technology (NIST), Computer Security Division, provides security standards in its Federal Information Processing Standards (FIPS) and Special Publication (SP) 800 series. These publications are used often by security professionals to ensure they are properly safeguarding information technology. NIST maintains a library of security-related publications at http://csrc.nist.gov/publications/PubsSPs.html

Individual industries are often guided by a Federal law to help ensure that the proper security and privacy controls are established. The following list provides examples of an industry and its associated Federal law:

- HIPAA: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
- FISMA: https://www.dhs.gov/fisma
- FERPA: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

Responsibilities

Computer security's responsibility is to prevent an intrusion from occurring, detect a security breach if one occurs, and recover from the security breach. Computer security generally involves the following practices:
...Monitoring and Auditing

Once a security breach is detected, the following steps may be taken:

- Review event logs
- Review variations from the baseline performance
- Use Intrusion Detection Systems (IDS)
- Research security resources to gather information
- Look for common symptoms of a specific attack
- E-mail
- Voice-mail broadcast
- Shut down affected servers
- Remove affected computers from the network
- Remove the network from the Internet
- Preserve the evidence
- External attacks: ...protocols can enter the perimeter network and the private network
- Internal attacks
- ...clean backup
- Maintain service pack versions
- Run intrusion detection systems
- Review event logs regularly
- ...nt logon events
- Collect and record attack details
- Perform a postmortem meeting
- Develop an action plan for future attacks
- Modify the security policy and security plan as needed

Threats

Figure 2. Typical threats.

Disasters

Disasters include natural and man-made disasters: tornado, hurricane, earthquake, fire, bombings, and bioterrorism.
Humans

Human activity creates a number of threats to computer security:

- ...following company policy
- ...passwords
- ...tricks on legitimate users of a computer system, in order to obtain information he needs to gain access to the system
- ...-sharing policies with business partnerships

Malicious Code

Virus: A code fragment that copies itself into a larger program, modifying that program. It executes only when its host program begins to run. It can reproduce immediately or can be triggered by a particular event, such as a date.
Worm: Typically an independent program that copies itself from one computer to another, usually over a network.
Trojan Horse: A code fragment that hides inside a program and performs a disguised, unauthorized function.
Bomb: A type of Trojan Horse, used to release a virus, a worm, or other system attack. It is planted by a system developer and is triggered when a particular date, time, or condition occurs.
Trap Door: A mechanism that is built into a system by its designer or programmer. It provides the designer a way to circumvent the normal access to the application. Unfortunately these can be left in the system and allow unauthorized access to the system.
Spoof: A program that tricks an unsuspecting user into giving away privileges.
Hoax: A program that claims that it is malicious code, but does not do harm to the system. Instead, it wastes time while security engineers determine there is no threat.
Spyware: A program that resides on your computer, captures all of your activities, and then sends the information to a company or hacker for their use.
Ransomware: Malicious software that typically encrypts the victim's files, making them no longer accessible, and demands a ransom to decrypt the files.
E-Commerce Dangers

- ...misrepresentation of identities or other facts in order to obtain something of value. With a proper security system in place, the consumer will be able to positively authenticate the identity of the e-commerce business, and the business will be able to identify the consumer before performing the transaction. Identity theft constitutes a current, serious example of fraud perpetrated through unauthorized access to personal information on the Internet.
- ...system. Financial transactions may be altered if one can modify the data during transit. Cryptographic message digests can indicate whether a message has been tampered with.
- A denial-of-service attack involves preventing one from accessing data by confusing or overloading the related computers or networking equipment. Transmission Control Protocol (TCP) is a communication protocol commonly used on the Internet for many kinds of communication. The TCP SYN flooding attack is a denial-of-service threat launched on the Internet. In a TCP SYN flooding attack, hackers attempt to open so many TCP connections with a server that it results in denial of additional incoming connections. Interactive Web technologies such as Java, JavaScript, and ActiveX increase the difficulty of preventing denial-of-service attacks. With these Web technologies, a denial-of-service can be easily embedded in programs.

Controls and Defenses

Policy, Processes, and Procedures

A security policy:

- ...and network usage
- ...security incidents
- ...procedures

Data Backups and Hot Sites

Data backup protects not only against physical disasters but also against equipment failure, data theft, data modification, and data corruption. Obviously the backup site must be remote from the primary database to avoid a common disaster. Backup media include tape, at lower cost, and disk, at higher cost. Backup frequency may be periodic, as in once a week, or continuous, as in a site that mirrors the primary site.
Communication with the backup site may vary from physical transport to high-speed telecommunications links. The type of backup needs to be matched to the requirements of the company or individual. Backup frequency depends on the acceptable data loss that might occur between the last recovery point and a failure. The speed and sophistication of recovery depend on the acceptable downtime. The cost of the backup and recovery system should not greatly exceed the risk. Here, risk is taken to be the amount of the possible loss times the probability of its occurrence.

Access Control

Access control can take a variety of forms. "Firewall" or "proxy server" software provides access control for computers connected to the Internet. Access control can involve using transmission cables that cannot be tapped. Access control can also involve requiring authentication before a computer is allowed to make known the content of certain data files. Forms of the latter type of access control are the following:

Strong Passwords

Passwords are critical to preventing unauthorized access to the network and applications. Therefore, passwords should be difficult to guess. They should be eight or more characters and a combination of capital and small letters, numbers, and special characters. Passwords should be changed regularly and frequently. Microsoft provides recommendations for creating and using strong passwords at the following URL: http://www.microsoft.com/protect/yourself/password/create.mspx

Microsoft also provides a free password checker. To check the strength of your password, use the following URL: http://www.microsoft.com/protect/yourself/password/checker.mspx

Single Sign-On (SSO)

Many organizations are implementing Single Sign-On technology. This technology consolidates all user passwords into one. The user can access all applications with only one login to the network. Some organizations require two- or three-factor authentication when using single sign-on technology.

Three Factor Authentication
...that individuals are who they say they are.

Three-factor authentication requires the use of a password (something you know), a token (something you have), and biometric data (something you are).

Figure 3. Authentication Factors.

Trusted Transactions

Before the Internet, most security measures focused on perimeter security for an organization. Technologies included firewalls, anti-virus software, intrusion detection, and e-mail scanning. In the early 2000s, people hesitated to use the Internet for banking, on-line shopping and other transactions that involved sending financial or credit card information over the Internet. There was insufficient confidence in the technology that the data would reach its destination without being altered or intercepted. E-Commerce enabled by the Internet requires trusted transactions. E-Commerce has moved transactions away from the organization to integrated transactions between the customer, the business, the supplier and the payer. In order to do this, security measures had to be in place to create trust. In other words, Internet transactions require:

- ...non-repudiation

Cryptography (or Encryption)

Cryptography can satisfy many of the security requirements for trusted transactions. Cryptography involves the use of codes and ciphers in order to transmit information so that access is restricted to the intended recipient. The primary objective of cryptography is to allow two or more users to communicate securely over an insecure medium, for example, the Internet. The information to be transmitted, called plaintext, is encrypted using a predetermined key to generate the ciphertext. The ciphertext is transmitted over the insecure medium to the receiver, who recovers the plaintext using a cryptographic key and algorithm. Cryptosystems can be classified into two categories: (1) symmetric key cryptosystems and (2) public key cryptosystems.

1. Symmetric Key Cryptosystems. These have the same problem as unconditionally secure codes. The key to decode the message must be transported to the desired recipient without a chance of falling into the wrong hands.
2. Public Key Cryptosystems. These provide a means to move information in a secure fashion without the need to secretly transmit a decoding key. The disadvantage is that it requires a large amount of computing to code and decode a lengthy message.

Symmetric key and public key cryptography systems together possess the necessary characteristics to perform security for a wide variety of systems, including secure e-commerce, e-mail, and World Wide Web (WWW) interactivity. Today's secure Internet data movements are based on the following concepts:

- ...for a symmetric code with a reasonable amount of computing effort.
- ...using the fast symmetric key system.

Commonly Encountered Symmetric Codes

Data Encryption Standard. In 1977, the National Institute of Standards and Technology (NIST) published the Data Encryption Standard (DES). DES is a block cipher algorithm. DES has a 64-bit block size (ciphertext is 64 bits in length). The DES key is 56 bits in length. DES was last reviewed in 1993 and was approved for unclassified applications until 1998. Although DES is widely used, it is no longer secure and must be replaced with a more robust algorithm.

Advanced Encryption Standard. The Advanced Encryption Standard (AES) algorithm succeeded DES. AES is a symmetric block cipher algorithm. AES has a 128-bit block size. AES has a variable key size (128, 192, or 256 bits). AES is more secure than DES. Rijndael (pronounced "Rhine-Doll") was selected as the algorithm. Conformance testing was done in the summer of 2001. The standard will be reevaluated every five years.

Public Key Infrastructure (PKI)

PKI can be used for Internet e-business security, to improve user confidence in using the Internet for transactions, and to implement trusted transactions. PKI ensures the following conditions.

Confidentiality: Is the data private?
User authentication: Are you who you say you are?
Non-repudiation: Are you the only one who could have made this transaction?
Data integrity: Has the data been tampered with?

PKI technology includes the following features.

Digital Certificate: Binds a user's identity to a public key in a digital form.
Registration Authority (RA): Security officers of the PKI; administrator of the PKI.
Certificate Authority (CA): Establishes trust; issues digital certificates; validates the owner's identity.
Certificate Revocation List (CRL): List of all revoked certificates, with the time of revocation and the reason for revocation.
Directories and X.500: Public repositories.
Complete Public Key Infrastructure: Automates the management of digital certificates, public keys, and private keys.

Digital Certificates

Digital certificates provide a mechanism to connect the identity of a subject (an individual, company, or computer) to a public cryptographic key in a way that can be trusted and verified. To provide digital certificates, a certain entity called a trusted party is responsible for verifying a set of credentials in accordance with a predefined policy. If approved, the subject's public key and credentials are digitally coded and signed using the trusted party's private key to form a certificate. The certificate can then be distributed in a public manner, and the identity associated with a public key can be authenticated by decoding the certificate with the trusted party's public key and verifying the signature on it. Digital certificates are issued by trusted parties called Certification Authorities (CA).

Digital Signatures

Many public key algorithms can provide authentication, data integrity, and nonrepudiation. Since public key algorithms compute slowly, algorithms to obtain a summary or "fingerprint" of the plaintext are desirable. These algorithms are known as message digests or hash functions. A hash function processes an input of arbitrary length and produces a fixed-size output. Secure message digests or hash functions possess three essential mathematical properties.

1. Every input bit influences every output bit.
2. If a single input bit is changed, every output bit has a 50 percent chance of changing.
3. Given an input and corresponding hash, it should be computationally infeasible to find another input with the same hash.

Common message hash functions include MD2, MD4, MD5, MD6, SHA, SHA-1, SHA-2 and SHA-3. MD2, MD4, and MD5 were developed by Ronald Rivest of RSA Data Security. These are 128-bit digests.

A digital signature may be created and sent along with a message to achieve authentication and to assure data integrity and nonrepudiation. The sender, say, Alice, applies a hash function H to her plaintext message m to create the message digest, represented symbolically by Hm. This means that H operates on m. Alice then operates on Hm with her certified private key A to produce the encrypted message digest AHm. She sends AHm to the recipient, say Bob, along with m. Bob recovers Hm by operating on AHm with Alice's certified public key A*. Symbolically, A*AHm = Hm, since A* just undoes A. Bob then separately operates on the received plaintext message m' with H to obtain Hm'. If Hm' = Hm, Bob is sure that (1) the message came from Alice, (2) it was not tampered with in transmission, and (3) Alice cannot disavow it.

Security Considerations
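The signing and verification flow just described, worked through in the document's own notation (H, A, A*, Hm, AHm) as an added example; this is not code from the original document. H is SHA-256 from Python's standard library, while A and A* are a toy RSA key pair built from two hard-coded primes so the example runs offline; the small modulus, the missing padding scheme and the reduction of the digest mod n are simplifications for illustration only, and the `bits_changed` helper is added to show hash property 2 on a real digest.

```python
"""Added example: Alice signs a message digest, Bob verifies it and detects
tampering.  Notation follows the text: Hm = H(m), AHm = A(Hm), A*(AHm) = Hm.

A / A* are a toy RSA pair (NOT secure): p = 2^31-1, q = 2^61-1, e = 65537.
A real deployment uses a certified key of 2048+ bits and a padding scheme
such as RSASSA-PSS; here the 256-bit digest is reduced mod n so it fits.
"""
import hashlib

# Toy key material (constructed for this example; far too small for real use).
P = 2**31 - 1                 # Mersenne prime
Q = 2**61 - 1                 # Mersenne prime
N = P * Q                     # modulus, about 92 bits
E = 65537                     # public exponent (Alice's public key A*)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Alice's private key A), Python >= 3.8


def H(m: bytes) -> int:
    """Hash function H: SHA-256 of m as an integer, reduced mod N (toy step)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % N


def A(hm: int) -> int:
    """Alice's private-key operation: AHm = A(Hm)."""
    return pow(hm, D, N)


def A_star(ahm: int) -> int:
    """Alice's public-key operation A*, which undoes A: A*(AHm) = Hm."""
    return pow(ahm, E, N)


def sign(m: bytes) -> int:
    """Alice: compute Hm = H(m) and return the encrypted digest AHm."""
    return A(H(m))


def verify(m_received: bytes, ahm: int) -> bool:
    """Bob: recover Hm with A*, hash the received m' himself, compare.

    True means (1) the signature was made with Alice's private key and
    (2) m' is the m she signed; False means tampering or a wrong signer.
    """
    return A_star(ahm) == H(m_received)


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of differing bits between SHA-256(a) and SHA-256(b), out of 256.

    Property 2 in the text predicts roughly 128 when a and b differ in one bit.
    """
    da = int.from_bytes(hashlib.sha256(a).digest(), "big")
    db = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(da ^ db).count("1")


if __name__ == "__main__":
    m = b"Pay Bob 100.00 USD"          # constructed sample message
    ahm = sign(m)                      # Alice sends (m, AHm)
    print("verify(original):", verify(m, ahm))
    print("verify(tampered):", verify(b"Pay Bob 900.00 USD", ahm))
    flipped = bytes([m[0] ^ 1]) + m[1:]   # flip a single input bit
    print("digest bits changed by a 1-bit flip:", bits_changed(m, flipped))
```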
Privacy

Although privacy and security are related, they are not identical. Privacy pertains to an individual's right to limit disclosure of personal information. It is an implied right, rather than an expressed one, flowing from the U.S. Constitution. Security pertains to data, which may contain information about individuals. If personal and consumer data are protected, so is personal and consumer privacy. Thus, businesses go to great lengths, on line and off, to guarantee the confidentiality of such data. However, to assure the security of a computer system, it may be necessary to observe its usage by individuals, thus infringing upon their complete privacy. It may be necessary to conduct a background check of prospective employees to assess their character and habits, again infringing upon their privacy. In a larger sense, the government finds it necessary to conduct wiretaps under warrant and to perform other surveillance to provide national security.

Intellectual Property

One of the striking features of intellectual property—that is, creative works of writing and music—in digital form is its cost asymmetry. What this means is that the Beatles incurred a substantial cost to supply the first unit of intellectual property, say, the digital master of Sgt. Pepper's Lonely Hearts Club Band. Yet the marginal cost—the cost of producing and distributing one more copy of it—is trivial. Therein lies the root of our intellectual property problems. First, how can we pay for the first unit? Then how should we price the subsequent units? The record companies say that the subsequent units must be priced enough over their marginal cost to pay for the first unit. The users say that the subsequent units should be priced at their marginal cost, namely almost nothing. The record companies achieve their goal through their monopoly on production and distribution granted by the copyright law. But when the digital age makes copying and distribution almost free, the users face irresistible temptation to break the monopoly, as the original Napster did. Such issues as this led to the concept of Digital Rights Management (DRM). Here producers used various methods of coding and encryption to restrict copying and distribution of intellectual property. Successful efforts to break the DRM codes led, among other reasons, to the rewrite of the copyright laws as the Digital Millennium Copyright Act of 1998 (DMCA). In one controversial provision, DMCA made it a crime to defeat DRM codes. About the best we can say here is that the issue still simmers. Nevertheless, producers and distributors are having some success in persuading users to pay a little for their music and videos. Apple's iTunes testifies to that.
Equitable User Access

Under the heading of equitable user access, the concept of the digital divide looms large. The more affluent individuals of this country and the world have access to personal computers and broadband that bring benefits of information and productivity. The less affluent individuals of this country and the world lack this access and these benefits. Clearly a positive feedback operates to enhance the skills and achievements of those with access, whereas that feedback is lacking for those without access.

United States policy recognizes this problem in a limited way. The Federal Communications Commission administers a so-called Universal Service Fund. Telecommunications carriers must contribute a portion of their revenue to the fund. The fund's monies are then made available (1) to subsidize the price of telephone service to high cost areas (like rural or mountainous settlements), (2) to provide core telephone service to low income individuals, (3) to help schools and libraries pay for advanced telecommunications services, and (4) to help rural health care facilities pay for the same. The International Telecommunication Union works to increase the penetration of telecommunications services to developing countries.

The MIT Media Lab has now achieved production of "One Laptop per Child," a bare bones computer costing only $100, operable even in regions without electric power. Intel and other organizations are following suit with competitive offerings. Beyond these efforts, little is really being addressed.

Net Neutrality

Net neutrality has two sides -- those in favor and those against. Those in favor of the principle argue that the genius of the Internet is its complete neutrality with respect to those who supply content, those who consume content, and the content itself. Because all the intelligence is "at the edges" of the network in the terminal devices, anyone can display his bright idea or videos of his trained seal; others can seize upon that idea and develop it or criticize it. In this way information and innovations are spread around with the result of raising the economic and cultural level of the nation.

Those against the principle argue that the nature of content has greatly expanded since the Internet's early days. Some content deserves more priority than others. Some content deserves more speed or reliability than others. Some users, such as Google and Yahoo, pump more volume into the Internet than others. To accommodate these diverse needs, new investment in the facilities and capabilities of the Internet is needed. Therefore, pricing for some content and some users should be higher to finance such investment.

Apart from these principles is the practical fact that some users—even individual users—and some content use up more of Internet capacity than others. An example is file sharing of videos through the BitTorrent protocol. This recently became troublesome for Comcast, in that five percent of the users on its network consumed 70 percent of the capacity. Such lopsided use could degrade service for the other 95 percent of the users sharing the network, suggesting that Comcast should have the right to manage such traffic in the interests of its customers and its business. Fortunately, it was in the mutual interest of both Comcast and BitTorrent to agree on a traffic management solution that ameliorated the problem. No legislative resolution of the issue has occurred to date, although the U.S. Congress is still concerned.

Regulatory Considerations

Some aspects of information technology are regulated. Historically the most important portion is the telephone industry, especially the local exchange. Accordingly, we volunteer a few salient points about regulation.

You run into regulations every day. When you drive your automobile to work, you follow a set of regulations for driving -- observe the speed limit, stay right except to pass, and so forth. You have paid a tax for your tags, which you must have to drive your vehicle on the streets, and you have a driver's license, which you obtained by initially passing written and "behind-the-wheel" tests. You have probably renewed your license by taking an eye test, or perhaps another written test. You enter a restaurant knowing, at least subconsciously, that the meat you will eat was inspected by the Department of Agriculture, its weight measured on a scale calibrated by the division of weights and measures, and prepared in a kitchen inspected by the local department of health. Regulation permeates daily life.

Fundamentally, regulations are adopted to protect the public. These regulations are designed to help in a variety of circumstances. Some regulations go to safety, like those governing foods and drugs. Others go to economics, like those governing prices. For example, the market may not be efficient enough to prevent one competitor from holding enough market share to dictate prices to consumers. In such a case, the company may be said to have monopoly power. Regulation is developed to prevent an abuse of such market power, perhaps by setting rates, or at least by limiting them.
Markets in which there are many buyers and sellers characterize perfect competition. Each transaction in the marketplace has a relatively small bearing upon the overall market, and each transaction is a small component of overall market volume. Products differ, and consumers may choose the characteristics of the products they want from among a wide range of suppliers. Consumers or purchasers will have a high degree of information on which to base choices. They may use product specifications, price, and other criteria to make their market choice. Choosing one supplier over another does not disadvantage them. When these conditions are met, supply and demand are in equilibrium and determine the market price.

The opposite of competition is monopoly, such as existed formerly in many parts of the telephone industry. In a monopoly environment, choice is substantially reduced. There are fewer choices of suppliers, of products or services, and of criteria for choosing products. In a pure monopoly there is but a single supplier. That supplier could then control supply in such a way as to maximize profit. It turns out that maximum profit occurs at a smaller supply and higher price than would occur under perfect competition. The monopoly supplier has no incentive to reduce costs in order to cut prices. In addition, there is a net transfer of wealth from consumer to supplier, much like a hidden tax.

To prevent such abuses of their monopoly position, price regulation is imposed on firms that are necessarily monopolistic, like electrical power distribution and the local exchange telephone companies. The regulation seeks to set prices approximately equal to those that would occur under competition. The more specific goals of economic regulation are to produce efficiency by limiting providers to prudent costs and investments, maintaining low prices for consumers, and curbing abuses of monopolistic or dominant firms. In addition, regulation meets certain social goals, such as nondiscrimination, consumer protection, and targeting of populations in need. Even in the "competitive market" provisions of the Telecommunications Act of 1996, there remain priorities for telecommunications development. Education and libraries, for example, are identified as priorities for investment and for government funding, even under this so-called "deregulatory" act.

Another fundamental reason for economic regulation is to ensure fairness. Markets, as the more or less abstract and impersonal entities they are, can determine price but not equity. If you want a telephone, you must pay the going rate. If the supply of telephones is less than the demand, the price will likely go up. If the cost of doing business in, say, a rural area is greater than in an urban area because there are fewer customers for each mile of (expensive) copper wire laid to provide the service, there is a natural tendency to charge more because of the higher cost associated with this group of customers. So if the market fails to provide equity to rural subscribers, regulation is needed.

Beyond economic regulation, U.S. laws have been enacted to regulate disclosure of personal data, privacy of electronic communications, credit reporting, spam, and child pornography, among other topics. These laws, unfortunately, are having but moderate effect.

To summarize, regulation is needed when there is market failure. Examples of market failure are safety risks, excessive price, low quality, limited choice, lack of innovation, and concentration of supply with consequent power to control the market and inhibit competition.

Conclusions

Security must protect information in every state it is in: transmission, storage, and processing. Technical controls are one aspect of security and include firewalls, intrusion detection systems, and anti-virus software. Security can be looked at in terms of people, process and technology. People must be trained and understand what to do in order to prevent security breaches. Policy and processes should be established to ensure a consistent, measurable, repeatable performance of good security behavior. The following graphic shows the various aspects of a comprehensive security program.

Figure 4. Security Dimensions.

People should be considered in terms of, for example, adequate security clearances, proper hiring practices, the need for proper security training, and others. Policy and Process should be examined in terms of disciplined patch management policies and procedures, a disaster recovery / business continuity plan, establishment of a security steering committee, and a sound incident management system. Technology involves the tools and procedures to fend off any attacks -- both external and internal. Insider threats are responsible for over 75% of the security breaches. Therefore, one should take a holistic view of security in order to protect information while at a particular facility, while it is mobile, and while it is in use from a remote location. Data must be protected in all states: transmission, storage, and processing. Security must address the human element to guard against intentional or unintentional security breaches. A strong security program includes a combination of technology, policy and process, and people.
  • 30. IT Ethics and Responsible Conduct Ethical Use of Data The U.S. Government, businesses, organizations, social media, and recent developments such as the Internet of Things are generating an increasing amount of data. There are new capabilities to gather, analyze, disseminate, and preserve large amounts of data that make it possible to learn more about an individual without their knowledge or consent. According to PCAST in May 2014, “the term privacy encompasses not only the famous 'right to be left alone' or keeping one’s personal matters and relationships secret, but also the ability to share information selectively but not publicly.” (P. 13.) As our ability to collect data, combine multiple data sources, and analyze the data to gain new knowledge expands, the ethical use of data collected must be a conscious decision made by anyone that owns and processes data. The concern for privacy as new technology becomes available is not new. In the late 90’s, the American Civil Liberties Union (ACLU) was concerned about the government assigning everyone a national ID. During that time, many databases were accessed by a key. A key is a unique identifier that allows information stored in a record to be directly accessed. Individuals were concerned that the government may use the national ID to link databases together and use the new information to limit personal freedom. In George Orwell’s book, 1984, he writes about the government monitoring your activities.
• 31. The phrase "Big Brother is Watching You" became a popular phrase to describe the invasion of one's privacy by the government. A video, Ordering a Pizza in the Future, shows the privacy concerns of a national ID that could be used if systems were linked together.

Today, 'right to privacy' concerns include data collected by the government or other organizations. A national ID or a key to join related records is no longer needed. We have learned from Snowden's exposure of NSA monitoring how intrusive government monitoring can be. There are claims that our government reads the content of our emails, file transfers, and live chats from the social media we use in order to protect national security. Facebook performed a "social experiment" in which it controlled the content in individual Facebook feeds to determine whether or not receiving negative content affected one's mood. Facebook did not gain prior consent to perform this experiment.

Data is being collected and stored in a manner that makes it possible to access the data and perform data analytics on a question or need that was not the original intent of the data collection. This can occur through over-collection of data or through "data fusion." Over-collection of data is caused by a design that intentionally or unintentionally collects information unrelated to its stated purpose. Data fusion occurs when different data sources are accessed through advanced analytics capability and pattern recognition to find a new meaning in the information other than the original intent of the data collection.
• 32. Benefits can be gained from gleaning new information from the data. However, the proper use of data must be considered. Listed below are examples where the information itself is beneficial but can be used in a way that is potentially harmful and something an unsuspecting individual may not want to be disclosed. Here are examples:

http://www.youtube.com/watch?v=RNJl9EEcsoE

• electronic health records and genomic information. This could lead to improved treatments for a disease, but it could also lead to disqualification for insurance or jobs.

• company that requires certain employees to drive trucks. The company logo is marked on the trucks. This company has a strict zero-tolerance policy regarding drinking while on the job. One particular driver showed up late to work. The company accessed the GPS device that was installed on the truck and discovered that the employee had parked the truck behind a night club all night. The driver did not know the GPS device was installed on the truck. The company did not like the company image portrayed by its truck parked outside the night club. The company deduced that because the truck was parked outside a night club and the driver was late to work, the driver must have been drinking. The driver was let go.
• 33.
  o Would you consider this an invasion of privacy, or a company that was very prudent in ensuring the safety of its workers and the reputation of the company? What might have been the original intent of putting GPS tracking devices on company vehicles? Prior to GPS technology, the company might never have known the whereabouts of the employee.

• coupon for the cat food I fed to my cat and thanked me for being a loyal customer. On the surface, this seems like a good idea. I get a discount on what I buy and the producer sells more products. But what if my purchases were something less benign than cat food? The retailer Target inferred that a teenage customer was pregnant and began sending her coupons intended to be useful for her. Unfortunately, her father saw the coupons and determined that his daughter was pregnant.

• -based tracking devices on vehicles without the driver's knowledge. Some argue that placing such a device on a vehicle constitutes a "search" under the Fourth Amendment, which may be illegal if there is no probable cause.

Privacy concerns are caused by the increasing amount of data being collected and analyzed. Over-collection of data and data fusion can provide the opportunity to learn unintended information from our data. This new knowledge and wisdom can be both beneficial and
• 34. harmful. As our ability to collect data, combine multiple data sources, and analyze the data to gain new knowledge expands, the ethical use of the data collected must be a conscious decision made by anyone who owns and processes data.

References

Cohn, Marjorie (2014). Beyond Orwell's Worst Nightmare. Retrieved from http://www.globalresearch.ca/big-brother-is-watching-you-beyond-orwells-worst-nightmare/5367023

Center for Internet Security. CIS Controls. Retrieved from https://learn.cisecurity.org/20-controls-download

Ellenberg, Jordan (2014). Making a Huge Number of Users (Very Slightly) Sad. Retrieved from http://www.slate.com/articles/technology/do_the_math/2014/06/facebook_study_the_iffy_ethics_of_making_a_huge_number_of_people_very_very.html
• 35. Moghaddasi, H. (2015). Reasons in Support of Data Security and Data Security Management as Two Independent Concepts: A New Model. Retrieved from https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5090776/

President's Council of Advisors on Science and Technology (PCAST) (2014). Big Data and Privacy: A Technological Perspective. Retrieved from http://www.whitehouse.gov/sites/default/files/microsites/ostp/PCAST/pcast_big_data_and_privacy_-_may_2014.pdf