ethics in tech general Flashcards
1
Q
Black hat hacker
A
Someone who violates computer or Internet security maliciously or for illegal personal gain (in contrast to a white hat hacker who is someone who has been hired by an organization to test the security of its information systems)
2
Q
Cracker
A
An individual who causes problems, steals data, and corrupts systems
3
Q
Malicious insider
A
An employee or contractor who attempts to gain financially and/or disrupt a company’s information systems and business operations
4
Q
Industrial spy
A
An individual who captures trade secrets and attempts to gain an unfair competitive advantage
5
Q
Cybercriminal
A
Someone who attacks a computer system or network for financial gain
6
Q
Hacktivist
A
An individual who hacks computers or websites in an attempt to promote a political ideology
7
Q
Cyberterrorist
A
Someone who attempts to destroy the infrastructure components of governments, financial institutions, and other corporations, utilities, and emergency response units
8
Q
Why are computer incidents so prevalent?
A
bring your own device (BYOD) policies
a growing reliance on software with known vulnerabilities
and the increasing sophistication of those who would do harm have caused a dramatic increase in the number, variety, and severity of security incidents
9
Q
zero-day exploit
A
a cyberattack that takes place before the security community and/or software developers become aware of and fix a security vulnerability.
10
Q
deontology
A
emphasizes moral obligation and describes principles that govern action,
the Ethics of Logical Consistency and Duty,
11
Q
virtue ethics
A
focus on human character as the centre of moral activity
12
Q
communitarianism
A
centers on the interdependence we have for all of life and people
13
Q
utilitarianism
A
greatest benefit for the greatest number of people, happy consequences
14
Q
“finding the mean” in virtue ethics
A
acting virtuously requires a balance between excess and deficiency.
15
Q
utility in utilitarianism
A
utility is the greatest happiness principle, hard to determine what consequences should be considered
16
Q
ransomware
A
malware that stops you from using your computer or accessing your data until you meet certain demands, such as paying a ransom or sending photos to the attacker.
17
Q
virus
A
a piece of programming code, usually disguised as something else, that causes a computer to behave in an unexpected and usually undesirable manner.
18
Q
worm
A
Unlike a computer virus, which requires users to spread infected files to other users, a worm is a harmful program that resides in the active memory of the computer and duplicates itself. Worms differ from viruses in that they can propagate without human intervention, often sending copies of themselves to other computers by email. A worm is capable of replicating itself on your computer so that it can potentially send out thousands of copies of itself to everyone in your email address book.
19
Q
trojan horse
A
a seemingly harmless program in which malicious code is hidden. A victim on the receiving end of a Trojan horse is usually tricked into opening it because it appears to be useful software from a legitimate source,
20
Q
blended threat
A
a sophisticated threat that combines the features of a virus, worm, Trojan horse, and other malicious code into a single payload.
21
Q
How to spam legally?
A
spammers cannot disguise their identity by using a false return address, the email must include a label specifying that it is an ad or a solicitation, and the email must include a way for recipients to indicate that they do not want future mass mailings.
22
Q
DDos Attack
A
a malicious hacker takes over computers via the Internet and causes them to flood a target site with demands for data and other small tasks. A DDoS attack does not involve infiltration of the targeted system. Instead, it keeps the target so busy responding to a stream of automated requests that legitimate users cannot get in—the Internet equivalent of dialing a telephone number repeatedly so that all other callers hear a busy signal.
23
Q
root kit
A
a set of programs that enables its user to gain administrator-level access to a computer without the end user’s consent or knowledge.
24
Q
APT or advanced persistent threat
A
a network attack in which an intruder gains access to a network and stays there—undetected—with the intention of stealing data over a long period of time (weeks or even months). Attackers in an APT must continuously rewrite code and employ sophisticated evasion techniques to avoid discovery.
25
spear phishing
a variation of phishing in which the phisher sends fraudulent emails to a certain organization's employees
26
Department of Homeland Security
a large federal agency with a budget of $65 billion whose goal is to provide for a "safer, more secure America which is resilient against terrorism and other threats."
27
Computer Fraud and Abuse Act (U.S. Code Title 18, Section 1030)
Addresses fraud and related activities in association with computers, including the following:
Accessing a computer without authorization or exceeding authorized access
Transmitting a program, code, or command that causes harm to a computer
Trafficking of computer passwords
Threatening to cause damage to a protected computer
28
Fraud and Related Activity in Connection with Access Devices Statute
Covers false claims regarding unauthorized use of credit cards
29
Stored Wire and Electronic Communications and Transactional Records Access Statutes
Focuses on unlawful access to stored communications to obtain, alter ot prevent unauthorized access to electronic communication while it is in electronic storage.
30
USA Patriot Act
defines cyber-terrorism and associated penalties
31
CIA Triad
confidentiality- only those with proper authority can access sensitive data
integrity- data can only be changed by authorized individuals
availability- data can be accessed where and when its needed
32
Layered security solution
The key to prevention of a computer security incident is to implement a layered security solution to make computer break-ins so difficult that an attacker eventually gives up or is detected before much harm is inflicted. In a layered solution, if an attacker breaks through one layer of security, another layer must then be overcome.
Organization, Network, Application and End User
33
risk assessment
the process of assessing security-related risks to an organization’s computers and networks from both internal and external threats. Such threats can prevent an organization from meeting its key business objectives
34
reasonable assurance
managers must use their judgment to ensure that the cost of control does not exceed the system’s benefits or the risks involved.
35
disaster recovery plan
a documented process for recovering an organization’s business information system assets—including hardware, software, data, networks, and facilities—in the event of a disaster.
36
business continuity plan
an organization should conduct a business impact analysis to identify critical business processes and the resources that support them. The recovery time for an information system resource should match the recovery time objective for the most critical business processes that depend on that resource. Some business processes are more pivotal to continued operations and goal attainment than others. These processes are called mission-critical process
37
What does a good security policy do?
delineates responsibility and the behaviour expected of members of the organization
38
What does a security audit do?
evaluates whether an organization has a well-considered security policy in place and if it is being followed.
39
Bank Secrecy Act of 190
Requires financial institutions in the United States to assist U.S. government agencies in detecting and preventing money laundering
40
Federal Information Security Management Act (44 U.S.C. § 3541, et seq.)
Requires each federal agency to provide information security for the data and information systems that support the agency’s operations and assets, including those provided or managed by another agency, contractor, or other source
41
Foreign Corrupt Practices Act (15 U.S.C. § 78dd-1, et seq.)
Makes certain payments to foreign officials and other foreign persons illegal and requires companies to maintain accurate records
42
Gramm-Leach-Bliley Act (Public Law 106-102)
Governs the collection, disclosure, and protection of consumers’ nonpublic personal information or personally identifiable information
43
Health Insurance Portability and Accountability Act (Public Law 104–191)
Regulates the use and disclosure of an individual’s health information
44
Payment Card Industry Data Security Standard (PCI DSS)
Provides a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information
45
Sarbanes-Oxley Act (Public Law 107–204 116 Stat. 745)
Protects shareholders and the general public from accounting errors and fraudulent practices in the enterprise
46
NGFW vs standard firewall
Protects shareholders and the general public from accounting errors and fraudulent practices in the enterprise
47
encryption key
a value that is applied (using an algorithm) to a set of unencrypted text (plaintext) to produce encrypted text that appears as a series of seemingly random characters (ciphertext) that is unreadable by those without the encryption key needed to decipher it.
48
transport layer security (TLS)
a communication protocol or system of rules that ensures privacy between client and server
49
intrusion detection system (IDS)
software and/or hardware that monitors system and network resources and activities and notifies network security personnel when it detects network traffic that attempts to circumvent the security measures of a networked computer environment (see Figure 3-7). Such activities usually signal an attempt to breach the integrity of the system or to limit the availability of network resources.
50
Antivirus software scans for a specific sequence of bytes, known as a __________________ , that indicates the presence of a specific virus.
virus signature
51
what must be done before eradication of a cyber attack?
incident containment, and collection and log of all possible criminal evidence of the attack
52
What is a MSSP?
a managed security service provider (MSSP) , which is a company that monitors, manages, and maintains computer and network security for other organizations. MSSPs include such companies as AT&T, Computer Sciences Corporation, Dell SecureWorks, IBM, Symantec, and Verizon. MSSPs provide a valuable service for IT departments drowning in reams of alerts and false alarms coming from VPNs; antivirus, firewall, and IDSs; and other security-monitoring systems. In addition, some MSSPs provide vulnerability scanning and web blocking and filtering capabilities.
53
right of privacy
“the right to be left alone—the most comprehensive of rights, and the right most valued by a free people.”*
54
Fair Credit Reporting Act
regulates the operations of credit reporting bureaus, including how they collect, store, and use credit information. The act, enforced by the U.S. Federal Trade Commission,
55
Right to Financial Privacy Act (1978)
protects the records of financial institution customers from unauthorized scrutiny by the federal government
56
Gramm-Leach-Bliley Act (1999)
was a bank deregulation law that repealed a Depression-era law known as Glass-Steagall, included three key rules that affect personal privacy, financial privacy, safeguards, and pretexting rules
57
Fair and Accurate Credit Transactions Act (2003)
allows consumers to request and obtain a free credit report once each year from each of the three primary consumer credit reporting companies
58
Health Insurance Portability and Accountability Act (1996)
designed to improve the portability and continuity of health insurance coverage; to reduce fraud, waste, and abuse in health insurance and healthcare delivery; and to simplify the administration of health insurance.
59
The American Recovery and Reinvestment Act (2009)
a wide-ranging act passed in 2009 that authorized $787 billion in spending and tax cuts over a 10-year period. Title XIII, Subtitle D, of this act (known as the Health Information Technology for Economic and Clinical Health Act, or HITECH) included strong privacy provisions for electronic health records (EHRs), including banning the sale of health information, promoting the use of audit trails and encryption, and providing rights of access for patients. It also mandated that each individual whose health information has been exposed be notified within 60 days after discovery of a data breach.
60
Family Educational Rights and Privacy Act (1974)
a federal law that assigns certain rights to parents regarding their children’s educational records. These rights transfer to the student once the student reaches the age of 18, or earlier, if he or she attends a school beyond the high school level. These rights include:
the right to access educational records maintained by a school;
the right to demand that educational records be disclosed only with student consent;
the right to amend educational records; and
the right to file complaints against a school for disclosing educational records in violation of FERPA.
61
Children’s Online Privacy Protection Act (1998)
any website that caters to children must offer comprehensive privacy policies, notify parents or guardians about its data collection practices, and receive parental consent before collecting any personal information from children under 13 years of age. COPPA was implemented in 1998 in an attempt to give parents control over the collection, use, and disclosure of their children’s personal information; it does not cover the dissemination of information to children.
62
Title III of the Omnibus Crime Control and Safe Streets Act (1968; Amended 1986)
also known as the Wiretap Act , regulates the interception of wire (telephone) and oral communications. It allows state and federal law enforcement officials to use wiretapping and electronic eavesdropping, but only under strict limitations. Under this act, a warrant must be obtained from a judge to conduct a wiretap.
63
The Foreign Intelligence Surveillance Act (1978)
describes procedures for the electronic surveillance and collection of foreign intelligence information in communications between foreign powers and the agents of foreign powers. foreign intelligence is information relating to the capabilities, intentions, or activities of foreign governments or agents of foreign governments or foreign organizations.
64
Executive Order 12333 (1981)
Executive Order 12333, which was issued by President Reagan in 1981 and has been amended several times, identifies the various U.S. governmental intelligence-gathering agencies (see Table 4-2) and defines what information can be collected, retained, and disseminated by these agencies. Under Executive Order 12333, intelligence-gathering agencies are allowed to collect information—including message content—obtained in the course of a lawful foreign intelligence, counterintelligence, international drug, or international terrorism investigation, as well as incidentally obtained information that may indicate involvement in activities that may violate federal, state, local, or foreign laws. This tangential collection of U.S. citizen data—even when those citizens are not specifically targeted—is forbidden under FISA. Thus, there is an unresolved conflict between Executive Order 12333 and FISA.
65
Electronic Communications Privacy Act (1986)
The Electronic Communications Privacy Act (ECPA) (18 U.S.C. § 2510-22) deals with three main issues:
(1)
the protection of communications while in transfer from sender to receiver;
(2)
the protection of communications held in electronic storage; and
(3)
the prohibition of devices from recording dialing, routing, addressing, and signaling information without a search warrant.
66
Communications Assistance for Law Enforcement Act (1994)
was passed by Congress in 1994 and amended both the Wiretap Act and ECPA. CALEA was a hotly debated law because it required the telecommunications industry to build tools into its products that federal investigators could use—after obtaining a court order—to eavesdrop on conversations and intercept electronic communications. Such a court order can only be obtained if it is shown that a crime is being committed, that communications about the crime will be intercepted, and that the equipment being tapped is being used by the suspect in connection with the crime.
67
USA PATRIOT Act (2001)
as passed just five weeks after the terrorist attacks of September 11, 2001. It gave sweeping new powers to both domestic law enforcement and U.S. international intelligence agencies, including increasing the ability of law enforcement agencies to search telephone, email, medical, financial, and other records. It also eased restrictions on foreign intelligence gathering in the United States.
68
Foreign Intelligence Surveillance Act Amendments Act (2004)
In 2004, Congress amended the FISA to authorize intelligence gathering on individuals not affiliated with any known terrorist organization (so-called lone wolves), with a sunset date to correspond with certain key provisions of the USA PATRIOT Act.
69
Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008
granting NSA expanded authority to collect, without court-approved warrants, international communications as they flow through U.S. telecommunications network equipment and facilities. The targets of the warrantless eavesdropping had to be “reasonably believed” to be outside the United States; warrants were still required to monitor wholly domestic communications
70
USA Freedom Act (2015)
The USA Freedom Act was passed following startling revelations by Edward Snowden (a former government contractor who copied and leaked classified information from the NSA in 2013 without authorization) of secret NSA surveillance programs. Here is a partial list of those revelations:*
, *
U.S. phone companies had been providing the NSA with all of their customers records, not just metadata (when each call was made and to what number).
The NSA had been spying on over 120 world leaders, including German chancellor Angela Merkel, a U.S. ally.
The NSA has developed a variety of tools to circumvent widely used Internet data encryption methods.
An NSA team of expert hackers called the Tailored Access Operations hack into computers worldwide to infect them with malware.
The FISA Court reprimanded the NSA for frequently providing misleading information about its surveillance practices.
The USA Freedom Act terminated the bulk collection of telephone metadata by the NSA. Instead, telecommunications providers are now required to hold the data and respond to NSA queries on the data.
71
Organisation for Economic Co-Operation and Development for the Protection of Privacy and Transborder Flows of Personal Data (1980)
The OECD’s fair information practices, established in 1980, are often held up as the model for ethical treatment of consumer data. These guidelines are composed of the eight principles summarized in Table 4-3. The OECD guidelines were nonbinding and as a result data privacy laws still vary widely across its member countries.
72
European Union Data Protection Directive (1995)
requires any company doing business within the borders of the countries comprising the European Union (EU) to implement a set of privacy directives on the fair and appropriate use of information
73
General Data Protection Regulation (GDPR)
designed to strengthen data protection for individuals within the EU by addressing the export of personal data outside the EU, enabling citizens to see and correct their personal data, and ensure data protection consistency across the EU.
74
Freedom of Information Act (1966; Amended 1974)
The Freedom of Information Act (FOIA) grants citizens the right to access certain information and records of federal, state, and local governments upon request. FOIA is a powerful tool that enables journalists and the public to acquire information that the government is reluctant to release.
75
Privacy Act (1974)
The Privacy Act establishes a code of fair information practices that sets rules for the collection, maintenance, use, and dissemination of personal data that is kept in systems of records by federal agencies. It also prohibits U.S. government agencies from concealing the existence of any personal data record-keeping system.
76
The Identity Theft and Assumption Deterrence Act
makes identity theft a federal crime, with penalties of up to 15 years of imprisonment and a maximum fine of $250,000.
77
What is cyberloafing?
is defined as using the Internet for purposes unrelated to work such as posting to Facebook, sending personal emails or Instant messages, or shopping online. It is estimated that cyberloafing costs U.S. business as much as $85 billion a year. Some surveys reveal that the least productive workers cyberloaf more than 60 percent of their time at work.*
78
slander
oral defamatory statement
79
libel
written defamatory statement
80
Communications Decency Act 1996
Its primary purpose was to allow free competition among phone, cable, and TV companies. The act was broken into seven major sections or titles. Title V of the Telecommunications Act was the Communications Decency Act (CDA) , aimed at protecting children from pornography. The CDA imposed $250,000 fines and prison terms of up to two years for the transmission of “indecent” material over the Internet.
81
Child Online Protection Act 1998
COPA states that “whoever knowingly and with knowledge of the character of the material, in interstate or foreign commerce by means of the World Wide Web, makes any communication for commercial purposes that is available to any minor and that includes any material that is harmful to minors shall be fined not more than $50,000, imprisoned not more than 6 months, or both.”
82
Ashcroft v. American Civil Liberties Union
The ruling made it clear that COPA was unconstitutional and could not be used to shelter children from online pornography.
83
SLAPP
A strategic lawsuit against public participation (SLAPP) is employed by corporations, government officials, and others against citizens and community groups who oppose them on matters of public interest.
84
doxing
involves doing research on the Internet to obtain someone’s private personal information—such as home address, email address, phone numbers, and place of employment—and even private electronic documents, such as photographs, and then posting that information online without permission.
85
anonymous remailer service
which uses a computer program to strip the originating header and/or IP number from the message. It then forwards the message to its intended recipient—an individual, a chat room, or a newsgroup—with either no IP address or a fake one, ensuring that the header information cannot be used to identify the author
86
John Doe Lawsuit
a lawsuit filed against an anonymous entity
87
Hate speech
persistent and malicious harassment aimed at a specific person
88
intellectual property
works of the mind—such as art, books, films, formulas, inventions, music, and processes—that are distinct and owned or created by a single person or group. It is protected through copyright, patent, and trade secret laws
89
copyright
the exclusive right to distribute, display, perform, or reproduce an original work in copies or to prepare derivative works based on the work. Copyright protection is granted to the creators of “original works of authorship in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device.
90
How long does copyright term protect authors?
endures for life of the author plus 70 years
91
Four factors when deciding whether a particular use of copyrighted property is fair and can be allowed without penalty:
The purpose and character of the use (such as commercial use or nonprofit, educational purposes)
The nature of the copyrighted work
The portion of the copyrighted work used in relation to the work as a whole
The effect of the use on the value of the copyrighted work
92
Passed in 2011, the Leahy-Smith America Invents Act , which amends Title 35 of the U.S. Code, represented a major change in the U.S. patent law. Under this law, the U.S. patent system changed from a “first-to-invent” to a _____________________________ system
“first-inventor-to-file”
93
The U.S. Supreme Court has ruled that three classes of items cannot be patented:
abstract ideas, laws of nature, and natural phenomena.
94
utility patent
issued for the invention of a new and useful process, machine, manufacture, or composition of matter, or a new and useful improvement thereof, it generally permits its owner to exclude others from making, using, or selling the invention for a period of up to twenty years from the date of patent application filing, subject to the payment of maintenance fees
95
design patent
issued for a new, original, and ornamental design embodied in or applied to an article of manufacture
96
prior art
the existing body of knowledge available to a person of ordinary skill in the art
97
If a court determines that the infringement is intentional it can award up to ___________ times the amount of the damages claimed by the patent holder
three
98
Trade secret laws protect more technology worldwide than patent laws do, in large part because of the following key advantages:
There are no time limitations on the protection of trade secrets, as there are with patents and copyrights.
There is no need to file an application, make disclosures to any person or agency, or disclose a trade secret to outsiders to gain protection. (After the USPTO issues a patent, competitors can obtain a detailed description of it.) Hence, no filing or application fees are required to protect a trade secret.
Although patents can be ruled invalid by the courts, meaning that the affected inventions no longer have patent protection, this risk does not exist for trade secrets.
99
Uniform Trade Secrets Act
The UTSA defines a trade secret as “information, including a formula, pattern, compilation, program, device, method, technique, or process, that:
Derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by, persons who can obtain economic value from its disclosure or use, and
Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.”
100
The Economic Espionage Act
imposes penalties of up to $10 million and 15 years in prison for the theft of trade secrets.
101
Defend Trade Secrets Act of 2016
amended the EEA to create a federal civil remedy for trade secret misappropriation.
102
non disclosure clause
departing employees cannot take copies of computer programs or reveal the details of software owned by the firm.
103
reverse engineering
the process of taking something apart in order to understand it
104
for and against RE
unethical bc they do not actually own the right to the software, good bc coders can make next gen tools more easily
105
competitive intelligence vs industrial espionage
Competitive intelligence analysts must avoid unethical or illegal actions, such as lying, misrepresentation, theft, bribery, or eavesdropping with illegal devices. Table 6-4 provides a manager’s checklist for running an ethical competitive intelligence operation.
106
trademark
a logo, package design, phrase, sound, or word that enables a consumer to differentiate one company’s products from another’s. Consumers often cannot examine goods or services to determine their quality or source, so instead they rely on the labels attached to the products.
107
nominative fair use of trademark:
defendant must show three things:
that the plaintiff’s product or service cannot be readily identifiable without using the plaintiff’s mark,
that it uses only as much of the plaintiff’s mark as necessary to identify the defendant’s product or service, and
that the defendant does nothing with the plaintiff’s mark that suggests endorsement or sponsorship by the plaintiff.
108
cybersquatters
registered domain names for famous trademarks or company names to which they had no connection, with the hope that the trademark’s owner would eventually buy the domain name for a large sum of money.
109
quality management
focuses on defining, measuring, and refining the quality of the development process and the products developed during its various stages. These products—including statements of requirements, flowcharts, and user documentation—are known as a deliverable . The objective of quality management is to help developers deliver high-quality systems that meet the needs of their users
110
A ___________ is a set of interrelated components
business information system
111
What is a DSS?
decision support system, which is used to improve decision making in a variety of industries. A DSS can be used to develop accurate forecasts of customer demand, recommend stocks and bonds for an investment portfolio, or schedule shift workers in such a way as to minimize cost while meeting customer service goals.
112
product liability
The liability of manufacturers, sellers, lessors, and others for injuries caused by defective products is commonly referred to as product liability
113
strict liability
means that the defendant is held responsible for injuring another person, regardless of negligence or intent. The plaintiff must prove only that the software product is defective or unreasonably dangerous and that the defect caused the injury. There is no requirement to prove that the manufacturer was careless or negligent, or to prove who caused the defect.
114
waterfall system
a sequential, multistage system development process in which development of the next stage of the system cannot begin until the results of the current stage are approved or modified as necessary. This approach is referred to as a waterfall process because progress is seen as flowing steadily downward (like a waterfall) through the various stages of the development.
115
agile development
a system is developed in iterations (often called sprints) lasting from one to four weeks
116
black box testing
viewing the software unit as a device that has expected input and output behaviors but whose internal workings are unknown (a black box)
117
white box testing
treats the software unit as a device that has expected input and output behaviors but whose internal workings, unlike the unit in black-box testing, are known.
118
static testing
This is a software-testing technique in which software is tested without actually executing the code. It consists of two steps—review and static analysis.
119
unit testing
this involves testing individual components of code (subroutines, modules, and programs) to verify that each unit performs as intended. Unit testing is accomplished by developing test data that ideally force the code to execute all of its various functions and user features. As testers find problems, they modify the code to work correctly.
120
integration testing
After successful unit testing, the software units are combined into an integrated subsystem that undergoes rigorous testing to ensure that the linkages among the various subsystems work successfully.
121
system testing
—After successful integration testing, the various subsystems are combined to test the entire system as a complete entity.
122
user acceptance testing
—Trained end users conduct independent user acceptance testing to ensure that the system operates as they expect.
123
CMMI Initital
Process is ad hoc and chaotic; organization tends to overcommit and processes are often abandoned during times of crisis.
124
CMMI Managed
Projects employ processes and skilled people; status of work products is visible to management at defined points.
125
CMMI Defined
Processes are well defined and understood and are described in standards, procedures, tools, and methods; processes are consistent across the organization.
126
CMMI Quantitatively managed
Quantitative objectives for quality and process performance are established and are used as criteria in managing projects; specific measures of process performance are collected and statistically analyzed.
127
CMMI optimizing
Organization continually improves its processes; changes are based on a quantitative understanding of its business objectives and performance needs.
128
safety critical system
one whose failure may cause human injury or death.
129
system safety engineer
has explicit responsibility for the system’s safety
130
annualized loss expectancy
is the estimated loss from this risk over the course of a year.
131
risk management
the process of identifying, monitoring, and limiting risks to a level that an organization is willing to accept
132
5 strategies for addressing risk:
acceptance- cost of avoidance is worse than cost of risk so it is accepted
avoidance- choose to eliminate the risk
mitigation- reduce likelihood of risk
redundancy- provision of multiple interchangeable components to perform a single function
transference- insurance, transfer the risk
133
_________ has to do with the capability of the system to continue to perform, ___________ has to do with the ability of the system to perform in a safe manner.
reliability, safety
134
ISO 9001 family of standards guide
serves as a guide to quality products, services, and management. ISO 9001 provides a set of standardized requirements for a quality management system. In 2015, more than 1.5 million ISO 9001 certificates were issued to organizations around the world
135
failure mode and effects analysis (FMEA)
an important technique used to develop ISO 9000–compliant quality systems by both evaluating reliability and determining the effects of system and equipment failures.
136
Health Information Technology for Economic and Clinical Health Act (HITECH)
incentivize physicians and hospitals to implement such systems. Under this act, increased Medicaid and Medicare reimbursements are made to doctors and hospitals that demonstrate “meaningful use” of EHR technology.
137
machine learning
involves computer programs that can learn some task and improve their performance with experience.
138
robotics
a branch of engineering that involves the development and manufacture of mechanical or computer devices that can perform tasks that require a high degree of precision or that are tedious or hazardous for human beings, such as painting cars or making precision welds.
139
natural language processing
an aspect of artificial intelligence that involves technology that allows computers to understand, analyze, manipulate, and/or generate “natural” languages, such as English
140
machine learning components
a model, a parameter, and a learner
141
health information exchange
the process of sharing patient-level electronic health information between different organizations.
142
clinical decision support (CDS)
a process and a set of tools designed to enhance healthcare-related decision making through the use of clinical knowledge and patient-specific information to improve healthcare delivery.
143
computerized provider order entry (CPOE) system
enables physicians to place orders (for drugs, laboratory tests, radiology, physical therapy) electronically, with the orders transmitted directly to the recipient.
144
Telehealth
employs electronic information processing and telecommunications to support at-a-distance health care, provide professional and patient health-related training, and support healthcare administration.
145
three forms of telemedicine
store and forward telemedicine
live telemedicine
remote monitoring
146
SORNA
The Sex Offender Registration and Notification Provisions (SORNA) of the Adam Walsh Child Protection and Safety Act of 2006 improved on the Wetterling Act by setting national standards that govern which sex offenders must register and what data must be captured
147
The First Amendment of the U.S. Constitution protects the right of freedom of expression from government interference; however, it does not prohibit free speech interference by __________________.
private employers+
148
selection bias
in which we do not choose a sample randomly and hence our estimates of a population are inaccurate.
149
Weblining
the practice of offering services such as home loans or insurance on a selective basis, making them unavailable to the residents of neighborhoods that are predominantly poor or are ethnic minorities
150
What did Cowgill reveal about the sources of bias
Cowgill et al. found no evidence that minority or low-implicit-bias workers generate better, less biased predictions. Conversely, better data leads to better predictions, and as Cowgill et al. found in their study, so does a simple intervention that reminds workers, “As you write your algorithm, please be mindful that your training data set may originate in a biased social system. Adjusting your algorithm to account for discrimination in hiring, self-sorting of applicants, or other sources of such bias could improve your accuracy on the test set. You will be evaluated only on the accuracy of your predictions on the test set.” Cowgill et al. found that this warning serves as a reminder about the main point of the first part of this chapter: that data is not value-neutral and that we must carefully reflect on what the data is, where it comes from, and why it was collected, before we leverage that data (or decide not to) in the design and development of new systems.
151
ethics washing
a cover-up or facade to hide unethical behavior
152
cognitive bias
heuristic or shortcut that one may use to make decisions, possibly irrationally.
These can be both positive (e.g., the optimism bias may incline you to believe that things will work out) or negative (e.g., the base rate bias that leads us to focus on salient, specific instances instead of more general trends
153
deontology
Deontological ethics focuses on the adherence to moral rules or duties. In IT ethics, a deontologist would evaluate actions based on whether they comply with established ethical principles, regardless of the outcomes
154
Consequentialism
Consequentialism, particularly utilitarianism, evaluates actions based on their outcomes or consequences. In IT ethics, a consequentialist would consider the overall impact of an action on all stakeholders to determine its ethicality
155
Virtue Ethics
Virtue ethics emphasizes the character and virtues of the moral agent rather than specific actions. In IT ethics, a virtue ethicist would focus on cultivating moral virtues like honesty, integrity, and fairness within IT professionals.
156
Relativism
Ethical relativism suggests that moral standards are culturally or individually based and that no one moral framework is universally applicable. In IT ethics, a relativist might argue that ethical practices can vary depending on cultural, social, or organizational norms
