
1. Why organizations are heavily reliant on information systems.

Information technology and organizations influence each other, and the relationship depends on the organization’s structure, business processes, politics, culture, environment and management decisions. IT security should be viewed as a necessary cost of doing business. Work on IT and information security with companies in a wide range of industries, including banking, insurance, defense, aerospace, industrial goods, energy, raw materials, telecommunications, and logistics, has identified a number of other actions that executives can take to improve their companies’ chances of success. Information technology is important for competing and succeeding in the global market. Global investment in information technology expanded by 30 percent in the period 2005 to 2015 (Kenneth C. Laudon, Jane P. Laudon, 2018). IT investment now accounts for an estimated 20 percent of all capital investment.

Information systems are transforming business through the mobile digital platform, systems used to improve customer experience, respond to customer demand and reduce inventories, growing online newspaper readership, expanding e-commerce and internet advertising, and new federal security and accounting laws. Firms invest heavily in information systems to achieve six strategic business objectives: operational excellence; new products, services, and business models; customer and supplier intimacy; improved decision making; competitive advantage; and survival. An IT platform can lead to changes in business objectives and strategies. Businesses rely on information systems to help them achieve their goals and to attain higher profitability. Information systems improve decision making by providing accurate information. Information technology is an important tool for achieving greater efficiency and productivity. Information systems help organizations achieve competitive advantage by delivering better performance, charging less for superior products, and responding to customers and suppliers in real time (examples: Apple, Walmart, UPS).

Competitiveness was very often increased because of great cost savings and better service to clients. Communication and inter-organizational systems seemed to be very important in this respect. Nowadays, organizations compete to improve their capabilities in order to survive in the global market. Effective and timely decisions that best achieve the organization’s goals are easier to make when appropriate information from internal and external sources is used (Karim, 2011).

Karim (2011) stated that “information is an arrangement of people, data, process, and information technology that interact to collect, process, store and provide as output the information needed to support an organization.” “If the relevant information required in a decision-making process or an organization planning is not available at the appropriate time, then there is a good chance to be a poor organization planning and priority of needs, inappropriate decision-making and defective programming” (Adebayo, 2007).

In postindustrial organizations, authority increasingly relies on knowledge and competence rather than formal positions, supported by sufficient information technology. Because competitive advantage is difficult to sustain, organizations need continuous innovation. To stay ahead, strategic systems may become tools for survival and for firm value chains. The reasons why information systems are critical are operational excellence; new products, services, and business models; customer and supplier intimacy; improved decision making; competitive advantage; and survival.

 

2. Outline the various types of security threats to any information systems.

The Internet is becoming the dominant platform for life in the 21st century. Organizations face related situations and must deal with their specific probable threats. The aim of computer security professionals is to protect valuable information and system resources. A distinction can be made between the security of system resources, called system security, and the security of information or data, called information security or data security. System security is the protection of the hardware and software of a computer system against malicious programs (Spinello, R. and Tavani, H., 2001). Most businesses make risk identification, assessment, and mitigation a high priority. There is a specific type of threat today for which many companies. Information security is a serious problem for individuals and organizations because it leads to unlimited financial losses. Information systems are exposed to different types of security risks. The types of damage caused by security threats differ, from breaches of database integrity to physical destruction of an entire information systems facility caused by fire, flood, etc. The sources of those threats can be unwanted activities of trusted employees, hackers’ attacks, accidental mistakes in data entry, etc. Information systems are vulnerable because of the accessibility of networks, hardware problems (breakdowns), software problems (unauthorized changes and programming errors), disasters, use of networks outside of the firm’s control, and loss of portable devices (Kenneth C. Laudon, Jane P. Laudon, 2018). Risks arise easily because the network is open to anyone, the size of the Internet means abuses can have wide impact, and e-mail brings interruption and attachments with malicious software. Security is breached easily because radio frequency bands are easy to scan. Service set identifiers, which identify access points and are broadcast multiple times, can be identified by sniffer programs. In war driving, eavesdroppers drive by buildings and gain access to the network and its resources.

Malware (malicious software) includes viruses and worms. Worms can operate on their own without attaching to other computer program files and can spread much more rapidly than computer viruses. Worms and viruses spread by drive-by download, that is, malware that comes with a downloaded file that a user intentionally or unintentionally requests, and by e-mail and IM attachments, and they destroy data and programs. Hackers can request malicious files without user intervention, delete files, transmit files, install programs running in the background to monitor user actions, and potentially convert a smartphone into a robot in a botnet to send e-mail and text messages to anyone. Mobile device malware and social network malware are further forms.

Hackers and crackers intentionally disrupt or damage websites or information systems and gain unauthorized access by finding weaknesses in computer systems. Hackers may flood a network server or Web server with many thousands of false communications, or use spoofing to redirect a Web link to an address different from the intended one. This is very damaging and difficult to detect. These are an extremely serious threat because they can be used to launch very large attacks using many different techniques. Computers may be targets of crime, as in breaching the confidentiality of protected computerized data, and computers may be instruments of crime, as in theft of trade secrets; unauthorized copying of software or copyrighted intellectual property, such as articles, books, music, and video; schemes to defraud; using e-mail for threats or harassment; intentionally attempting to intercept electronic communication; illegally accessing stored electronic communications, including e-mail and voice mail; and transmitting or possessing child pornography using a computer. Hackers may aim at identity theft, in which stolen information is used to obtain credit, merchandise, or services in the name of the victim. Other threats include phishing, evil twins, pharming, click fraud, cyber-terrorism and cyber-warfare. The sources of threat can be inside or outside the attacked system. Organizations and their security systems usually focus on protecting themselves from threats that originate outside the system. Threats coming from inside are often not considered. By determining what the information system is being protected from, it is possible to use limited resources more efficiently.

 

3. Examine the impacts of ransomware on business organizations.

It would not be surprising if ransomware changes in a few years. “The Bitcoin Connection with the exception of some ransomware families that demand high amounts, ransomware alternates typically ask for 0.5–5 Bitcoins (as of 2016) in exchange for a decrypt key. This is important for two reasons—some variants increase the ransom as more time elapses with nonpayment, and the Bitcoin exchange rate is on the rise. In January 2016, 1 BTC was worth US$431. Bitcoin’s value has risen dramatically since then, topping out at US$1,082.55 at the end of March, 2017” (web link 3).

Ransomware is a type of malware that uses malicious code to intrude into a system before users notice it, to encrypt important files, to demand money using the encrypted files as leverage, and to cause financial damage to users. The rapid growth of the mobile market has made it the main target of hackers seeking illegal gains through ransomware. The market share of Korea’s Android OS is approximately 80% of the total smartphone market, as shown in Table 1. Compared to other operating systems such as iOS, Windows Phone, or Blackberry, Android holds a high market share close to monopoly, while the others combined have less than 15% share in the mobile device market (web link 1). Because the share of the Android platform is so high, the platform is the main target of ransomware attacks. Cases of damage to Android-based smartphones have been growing continuously. A traditional vaccine system can detect whether a system is infected with ransomware and cure it. However, it cannot prevent ransomware attacks without first obtaining information on the ransomware. In addition, even if the traditional vaccine system removes the ransomware, files that are already encrypted cannot be recovered without the encryption key (web link 2). Users can avoid infections by updating the vaccine system from time to time. However, this method has limited efficacy. Existing vaccine systems can detect ransomware using a file-based intrusion detection method (D. Kim and S. Kim, 2015). However, this approach cannot detect modified ransomware with new patterns, because it can only prevent ransomware for which analysis information exists. Therefore, an active rather than a passive prevention method is urgently required.

TABLE 1: Smart device operating system market share

Source: “Worldwide Quarterly Mobile Phone Tracker,” IDC, August 2015.

4. Prepare a prevention and risk mitigation plan for organizations so that the organizations are well prepared to overcome future attacks.

Organizations have very valuable information assets to protect. Poor security and control may result in serious legal liability. Failed computer systems can lead to significant or total loss of business function. Businesses must protect not only their own information assets but also those of stakeholders. An organization can be held liable for unnecessary risk and harm created if the organization fails to take appropriate protective action to prevent loss of confidential information (Kenneth C. Laudon, Jane P. Laudon, 2018). Security threats come not only from outside the organization but also originate inside it. A security breach may cut into a firm’s market value almost immediately. Information system controls may be automated or manual, including controls unique to each computerized application. To protect its information systems, an organization determines the level of risk to the firm if a specific activity or process is not properly controlled, considering the types of threat, probability of occurrence during the year, potential losses, value of threat and expected annual loss. It ranks information risks, identifies acceptable security goals, and identifies mechanisms for achieving these goals. It sets up policies, including an acceptable use policy (AUP).

Primary attack technologies may or may not cross the firewall as they are executed. Technology isn’t the only source of security risks. Psychological and sociological aspects are also involved (Ponemon Institute, July 2016). Management is responsible for identifying valid users and controlling access in order to prevent and respond to cyber attacks and data breaches. It should monitor the occurrence of possible cyber attacks and set up policies and procedures for employees to follow, depending on each company business unit, such as IT, Human Resources and Legal. The organization should invest in security equipment and procedures to deter or prevent cyber attacks. These include the most up to date IT protection measures, for example: having the company’s database on a different web server than the application server, applying the latest security patches, protecting all passwords, using read-only views of documents and materials when possible, maintaining strict input validation, developing network security architecture, monitoring activities and procedures of third-party contractors with access to the computer system (whether direct or remote), performing network scans to assess activity on the network, comparing outbound network traffic to baseline operations, and choosing names for tables and fields that are difficult to guess.
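
One of the measures listed above, comparing outbound network traffic to baseline operations, can be sketched as follows. This is an added example, not taken from the cited sources; the host names, byte counts, minimum history length and the 3.5 threshold are constructed assumptions.

```python
"""Flag hosts whose outbound traffic departs from their own baseline.

Added illustration: host names, byte counts and the threshold are
constructed sample values, not measurements.
"""
from statistics import median

# Constructed history: outbound megabytes per day, per host (baseline window).
BASELINE_MB = {
    "app-server":  [820, 790, 805, 840, 815, 798, 830],
    "db-server":   [120, 118, 125, 122, 119, 121, 124],
    "hr-laptop":   [40, 35, 0, 0, 42, 38, 41],   # idle at weekends
    "new-printer": [2, 2],                        # too little history
}

# Constructed observations for the day being checked.
TODAY_MB = {"app-server": 835, "db-server": 960, "hr-laptop": 44,
            "new-printer": 3, "unknown-host": 15}

MIN_SAMPLES = 5      # assumed minimum history before a baseline is trusted
THRESHOLD = 3.5      # assumed cut-off for the robust z-score


def robust_z(value, history):
    """Modified z-score: distance from the median in units of MAD.

    Median and MAD are used instead of mean and standard deviation so that
    a few odd days in the history do not widen the baseline.
    """
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        # Flat history: any change is notable, no change is not.
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def check_outbound(baseline, today, threshold=THRESHOLD):
    """Return {host: verdict}; verdict is 'ok', 'alert' or 'no-baseline'."""
    verdicts = {}
    for host, sent in today.items():
        history = baseline.get(host, [])
        if len(history) < MIN_SAMPLES:
            # Hosts without enough history are reported, not silently passed.
            verdicts[host] = "no-baseline"
        elif robust_z(sent, history) > threshold:   # only increases matter
            verdicts[host] = "alert"
        else:
            verdicts[host] = "ok"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(check_outbound(BASELINE_MB, TODAY_MB).items()):
        print(f"{host:13s} {TODAY_MB[host]:5d} MB  {verdict}")
```

Hosts reported as no-baseline deserve their own review, since a device that has never been profiled cannot be compared to normal operations.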

If an organization’s systems break down, it needs a disaster recovery plan that devises plans for the restoration of disrupted services and focuses on restoring business operations after a disaster. The financial and organizational impact of each threat should be assessed by auditing. After analyzing and planning, the organization should audit and control its information systems and their security. The most important tools and technologies for safeguarding information systems are identity management software, authentication, firewalls, intrusion detection systems, antivirus and antispyware software, unified threat management (UTM) systems, Wired Equivalent Privacy (WEP) security, and the Wi-Fi Protected Access (WPA2) specification. In recent years, new and increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. Two methods of encryption are symmetric key encryption and public key encryption. For security in the cloud, firms must ensure that providers offer adequate protection and need to include key factors in service level agreements (SLAs) before signing with a cloud service provider. Security policies should include and cover any special requirements for mobile devices. Attacks should be contained quickly to minimize any financial and reputational harm. Some companies delegate responsibility for computer systems security to their chief information officer, who is usually responsible for protecting access to a company’s information technology (IT) system and the privacy and security of information on that system.

An individual or organization may receive threats from individuals claiming to have hacked its computer systems and offering to return stolen confidential information in exchange for property. Companies can determine whether the extortionist has done what he claims by isolating areas that may be affected to determine if they have been compromised. They should also determine the feasibility of restoring critical systems where a denial of service attack affects critical infrastructure. This includes assessing whether restoring service will negatively affect the collection of evidence in the investigation. They should document all aspects of the investigation and secure and preserve all evidence, including logs of critical system events. According to (NTT Group, 2016), if seventy-seven percent of organizations lack a recovery plan, then maybe their resources would be better spent on protective measures. That’s why companies should detect the attack in its early stages. The cyber incident response plan should address the recovery of the company’s computer systems by both eliminating the vulnerabilities exploited by the attacker and any other identified vulnerabilities, and bringing the repaired systems back online. Once systems are restored, management should evaluate how the response plan was executed and consider whether the cyber incident response plan can be improved.

Where an internal investigation leads to evidence of the attacker’s possible identity, companies should consider preparing formal referrals to law enforcement for possible criminal prosecution. Companies considering this course of action can retain white collar crime or intellectual property counsel to guide them through the investigation, referral and criminal proceedings. The outcome of a criminal prosecution may depend on the company’s ability to provide evidence and testimony. The company should therefore be prepared to help the prosecutor present complex computer crime evidence to a judge and jury.

 

5. As an employee in a highly connected and globalized world, highlight and critically discuss those ethical issues that may arise from using connected devices in an organization.

Ethical analysis of security and privacy issues in information technology largely takes place in computer ethics, which appeared in the 1980s (Herman T. Tavani, 2004). Computer ethics analyzes the rights and responsibilities of computer professionals and computer users, and ethical issues in public policy for information technology development and use. Many privacy disputes in today’s society result from tensions between people’s right to privacy and state and corporate interests in surveillance. Employees and organizations must know the basic concepts of ethics, namely responsibility, accountability, and liability, and laws should be well known and understood, with an ability to appeal to higher authorities. Confusion arises in cases such as a person being injured by a machine controlled by software, and in questions such as: is it wrong for a business to read its employees’ e-mail, and is it ethically allowable for computer users to copy copyrighted software? Ethics is mostly concerned with rights, harms and interests, so it will be considered what privacy is, why it is important and how it is impacted by information technology. Ethical issues require ethical analysis. Ethical analysis aims to get clear on the facts and values in such cases, to find a balance between the various values, rights and interests that are at stake, and to propose or evaluate policies and courses of action.

In Western societies, a right to personal privacy is respected. The right to privacy was first defended by the American justices Samuel Warren and Louis Brandeis, who defined privacy as “the right to be let alone” (Warren, S. and Brandeis, L, 1890). Privacy is held to be valuable for several reasons. It is held to be important because it is believed to protect individuals from all kinds of external threats, such as defamation, ridicule, harassment, manipulation, blackmail, theft, subordination, and exclusion. In the information society, privacy protection is realized through all kinds of information privacy laws, policies and directives, or data protection policies. Along with privacy and property laws, new information technologies are challenging existing liability laws and social practices for holding individuals and institutions accountable (Kenneth C. Laudon, Jane P. Laudon, 2018).

The ethical importance of computer security will be assessed, as well as the relation between computer security and national security. Information security is customarily defined as concerned with the protection of three aspects of data: their confidentiality, integrity and availability. The ethical issues that computer security poses can be explored through the relation between computer security and rights, harms and interests. The most observable damage that can occur from breaches of computer security is economic harm. When system security is compromised, valuable hardware and software may be damaged and service may become unavailable, resulting in losses of time and resources. Breaches of information security may come at an even higher economic cost. Stored data may also have personal, cultural or social value, as opposed to economic value, that can be lost when data is corrupted or lost. Any type of loss of system or data security is moreover likely to cause some amount of psychological or emotional damage.

Compromises of the confidentiality of
information may cause additional harms and rights violations. Third parties may
compromise the confidentiality of information by accessing, copying and
disseminating it. Such actions may, first of all, violate property rights,
including intellectual property rights.

In addition to violations of property and privacy rights, breaches of confidentiality may also cause a variety of other harms resulting from the dissemination and use of confidential information. For example, a firm may damage its reputation, and compromises of the confidentiality of online credit card transactions undermine trust in the security of online financial transactions and harm e-banking and e-commerce activity. Compromises of the availability of information can, when they are prolonged or intentional, violate freedom rights, specifically rights to freedom of information and free speech. Freedom of information is the right to access and use public information. Security systems may be so protective of information and system resources that they discourage or prevent stakeholders from accessing information or using services. They may also be discriminatory: they may wrongly exclude certain classes of users from using a system, or may wrongly privilege certain classes of users over others.

A recent concern in computer and national security has been the possibility of cyberterrorism, which is defined by Herman Tavani as the execution of “politically motivated hacking operations intended to cause grave harm, that is, resulting in either loss of life or severe economic loss, or both” (Herman T. Tavani, 2004). A distinction between cyberterrorism and other kinds of cyberattacks may be found in its political nature: cyberterrorism consists of politically motivated operations that aim to cause harm. Ethical analysis of privacy and security issues in computing can help computer professionals and users recognize and resolve ethical dilemmas and can yield ethical policies and guidelines for the use of information technology.