Saturday, December 7, 2019
Ethical Dilemma: Information Security and Privacy
Question: Discuss the ethical dilemma for information security and privacy.

Answer:

Introduction

The breach of 500 million Yahoo user accounts raised ethical concerns about information security and privacy. Ethics is what we use to distinguish right from wrong. Consequentialism judges an act by its consequences: if they are harmful to people, the act is unethical. Deontology identifies moral duties that people providing or using ICT services have to follow; an act that violates those duties is unethical. The consequences of the Yahoo breach, and the lack of privacy and security behind it, raise ethical questions on both grounds.

Information security is concerned with three properties of data: confidentiality, integrity and availability. When confidentiality is compromised, privacy is violated, which is against ethical principles. Beyond the violation itself, a loss of confidentiality causes further harm if the exposed data is misused. In the Yahoo case the company did not disclose the theft for about two years, which was ample time for the attackers to exploit the users' information, for example by launching phishing attacks or committing other forms of cybercrime with it (Petković, Jonker, Brey, 2007).

Analysis using the Doing Ethics Technique (DET)

DET is a technique for analysing the ethical situation of a case. It requires eight ethics-related questions to be answered about the case in view.

What is going on?

Data belonging to 500 million Yahoo users was stolen by what Yahoo described as a state-sponsored attacker. The theft dates to late 2014 and was disclosed by Yahoo in September 2016; at the time it was the largest disclosed data breach in the history of ICT. Although Yahoo stated that no financially sensitive information was taken, user names, email addresses, hashed passwords, security questions and answers, and other personal details were stolen, all of which could be used against Yahoo users (Fiegerman, 2016).

What are the facts?

Some important facts of the case:
- Email addresses, hashed passwords, security questions and answers, dates of birth and other personal (non-financial) information of 500 million Yahoo users was stolen.
- Yahoo attributed the attack to a state-sponsored actor.
- Yahoo was in the middle of an acquisition: Verizon had offered $4.83 billion for the company.
- The intrusion dated from 2014 but was disclosed by Yahoo only about two years later.
- It was the largest data breach disclosed to that date, surpassing the MySpace breach of roughly 360 million accounts.

What are the ethical and non-ethical issues?

Ethical issues raised by the case:
- Violation of the confidentiality and privacy of Yahoo users.
- Failure of security controls, which exposed users to risk.
- Yahoo's two-year silence before disclosing the breach, which raises the question of whether a company may put its own interests before those of its users (Cantrell, Salido, Hollebeke, 2012).

Non-ethical issues:
- The breach affected Verizon's planned acquisition of Yahoo: the deal was put on hold and the breach was likely to reduce its value.
- Remediating the breach costs the victim organisation a substantial amount.
- Users' personal information can be misused, and users can be targeted by phishing and other malicious attacks (DET, 2016).

Who is affected?

Yahoo email users were affected by the incident.

What are the issues and implications?

Implications of the breach include:
- Email addresses can be targeted with spam and phishing, which exposes users to more severe attacks if they disclose further sensitive information by email.
- Phishing can also be used to trick users into a fake password change, in which the user ends up running malicious code that installs malware on their machine (Accenture, 2016).
- Personal details can be used to create fake accounts, or attackers can impersonate users to banks, endangering both the banks and the users (ACT, 2008).

What can be done about it?

Users can be protected in two ways: either they become aware themselves and adopt more secure ways of using the system, or the company provides its users with better security features such as mobile-based login or two-factor authentication.

What are the options?

Users who want to take control and strengthen their own security can:
- Use longer, more complex passwords containing letters, digits and symbols.
- Choose security questions whose answers are hard to guess or look up.
- Change passwords at regular intervals (Lohrmann, 2016); in particular, any Yahoo password, and the same password reused elsewhere, should have been changed as soon as the breach was disclosed. Current guidance such as NIST SP 800-63B favours changing a password when there is evidence of compromise rather than on a fixed schedule.

If a company has to strengthen its security systems, it can:
- Enforce stricter security policies, for example requiring users to choose only complex passwords.
- Build security features into the email service such as spam filtering and two-factor authentication.
- Offer additional login methods that are harder to abuse than a password alone, such as login through a mobile number.
- Raise users' security awareness by sending them guidance emails as training (Dwork, Hardt, Pitassi, Reingold, Zemel, 2011).
- Monitor user activity on email accounts, such as the IP addresses used and the number of emails sent per day, to identify abnormal patterns so that users can be warned of a possible compromise.
- Block the sending of attachments with potentially harmful extensions such as .exe.
- Because the stolen data included security questions and answers, invalidate them rather than keep treating them as an account-recovery factor.
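The provider-side options above (a password policy, an attachment blocklist, and monitoring of per-user IPs and daily send volume) are shown together below in Python as an added example; this is not code from the original post or from Yahoo. The log line format, the thresholds, the blocklist and the sample records are all assumptions made for the example.

```python
"""Provider-side email account controls (added example, not Yahoo's code).

  1. password_violations: length plus character-class policy, with a
     constructed shortlist of common passwords standing in for a breach corpus.
  2. attachment_blocked: rejects attachments whose final extension is on a
     blocklist, so "invoice.PDF.exe" is caught as well as "setup.exe".
  3. detect_anomalies: walks constructed per-user activity records, learning
     each user's known IPs and daily send baseline, and flags a login from an
     IP never seen for that user and a send count far above the baseline.
"""
from collections import defaultdict
from statistics import mean
import os.path
import re

# --- 1. password policy (thresholds are assumptions) ---------------------
MIN_LENGTH = 12
_CLASSES = [re.compile(r"[a-z]"), re.compile(r"[A-Z]"),
            re.compile(r"\d"), re.compile(r"[^A-Za-z0-9]")]
COMMON_PASSWORDS = {"password", "123456", "qwerty", "yahoo123"}  # constructed


def password_violations(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if sum(1 for c in _CLASSES if c.search(pw)) < 3:
        problems.append("fewer than three character classes")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    return problems


# --- 2. attachment blocklist (assumed list) ------------------------------
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".jar"}


def attachment_blocked(filename):
    # Compare only the last extension, case-insensitively.
    _, ext = os.path.splitext(filename.lower())
    return ext in BLOCKED_EXTENSIONS


# --- 3. activity monitor ---------------------------------------------------
# Constructed log lines: "<date> <user> <event> <ip> [<messages sent>]"
SAMPLE_LOG = """\
2016-09-01 alice login 203.0.113.10
2016-09-01 alice send 203.0.113.10 8
2016-09-02 alice login 203.0.113.10
2016-09-02 alice send 203.0.113.10 11
2016-09-03 alice login 203.0.113.10
2016-09-03 alice send 203.0.113.10 9
2016-09-04 alice login 198.51.100.77
2016-09-04 alice send 198.51.100.77 412
2016-09-04 bob login 192.0.2.5
2016-09-04 bob send 192.0.2.5 3
"""


def parse_log(text):
    """Parse the assumed log format into (date, user, event, ip, count) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        date, user, event, ip = parts[:4]
        count = int(parts[4]) if event == "send" and len(parts) > 4 else 0
        records.append((date, user, event, ip, count))
    return records


def detect_anomalies(records, spike_factor=5.0, min_history=3):
    """Return (user, date, reason) alerts. A user's first login seeds the known-IP
    set, and a send count is only judged once min_history normal days exist."""
    known_ips = defaultdict(set)
    send_history = defaultdict(list)
    alerts = []
    for date, user, event, ip, count in records:
        if event == "login":
            if known_ips[user] and ip not in known_ips[user]:
                alerts.append((user, date, "login from new IP %s" % ip))
            known_ips[user].add(ip)
        elif event == "send":
            hist = send_history[user]
            if len(hist) >= min_history and count > spike_factor * mean(hist):
                alerts.append((user, date, "sent %d messages, baseline %.1f/day"
                               % (count, mean(hist))))
            else:
                hist.append(count)  # only normal days feed the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print("WARN user=%s date=%s %s" % alert)
```

In the sample log, alice's fourth day produces two alerts (a login from an address never seen for her, then 412 messages against a baseline of about nine a day), which is the "abnormal pattern" a provider would warn the user about; bob's single day produces none because there is no history to compare against.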
Which option is best and why?

Users are generally not very security-conscious and may not even be aware of the consequences of their actions, so the best approach is for the ICT service provider itself to make its policies stricter and to guide users into securing their email accounts. The provider can do a great deal to make users aware of threats and of the consequences of their actions, and to keep them informed of suspicious activity on their accounts. Being experts in their own systems, companies are best placed to know when a user needs to be educated and which settings put accounts at risk, so they can make appropriate recommendations to users and raise awareness (Bonneau, 2010).

References

ACT. (2008). Teachers' code of professional practice. ACT.
Accenture. (2016). The Ethics of Data Sharing: A guide to best practices and governance. Accenture.
Bonneau, J. (2010). The science of guessing: analyzing an anonymized corpus of 70 million passwords. University of Cambridge.
Cantrell, B., Salido, J., Hollebeke, M. V. (2012). Industry needs to embrace data ethics: here's how it could be done. Microsoft.
DET. (2016). Standard of Practice. DET.
Dwork, C., Hardt, M., Pitassi, T., Reingold, O., Zemel, R. (2011). Fairness through awareness. arXiv:1104.3913.
Fiegerman, S. (2016, September 22). Yahoo says 500 million accounts stolen. Retrieved from CNN News: https://money.cnn.com/2016/09/22/technology/yahoo-data-breach/
Lohrmann, D. (2016, October 2). After Massive Yahoo Data Breach: Have We Learned Anything? Retrieved from Government Technology: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/after-massive-yahoo-data-breach-have-we-learned-anything.html
Petković, M., Jonker, W., Brey, P. (2007). Ethical Aspects of Information Security and Privacy. Springer.