The impact of information systems on ethical issues in e-banking

¶ … Information System on Ethical and Moral issues in an E-Society within the Banking Sector in South Africa

Phishing is the practice of obtaining someone else's personal information for the purpose of committing a crime, either at that time or sometime in the future. Protecting one's personal information from theft has become a key issue in the online banking community. Banks in South Africa have been hit hard recently by an unprecedented rash of cyber crime. Experts in the field struggle to find solutions to this rising trend. The customer is a key component in the fight against cyber crime. The proposed research study will explore issues related to the knowledge level of the customer regarding cyber crime and how to stop it. It will also address the division of responsibility between the bank and the customer in helping to curb cyber crime.

The Impact of Information System on Ethical and Moral issues in an E-society within the Banking Sector in South Africa

INTRODUCTION

The need for Information Security (IS) is not a concept that became a concern as a direct result of the Internet. The need to protect one's personal information has been a concern as long as business has been around. The only difference between today and the days of old are that information is much more difficult to protect than it was in the past. In the past, there were only a few threats and it took a great deal of effort to obtain the information. The job of the Highwayman was not as easy as the job of the common hacker of today. For instance, information now travels across cable networks and via satellite transmissions at the speed of light. It is much easier to intercept and use personal information.

The speed and ease with which information can be obtained by those who would use it for criminal purposes is frightening to the average person. Criminals can steal millions of customer records in a single effort. This is of particular concern to the banking industry, where the theft of personal information could mean that the accounts of their customers are compromised. Not only would the bank be liable for the financial risks of their customers, the loss of reputation and trust would be devastating. Therefore, IS represents one of the greatest challenges that the banking industry faces today. Their survival depends on the ability to protect the sensitive information of their customers.

The need to keep records safe not only presents legal and logistical challenges, it presents many moral challenges as well. These moral and ethical issues are not new and have been around since the beginning of time. However, with the ease of theft and the scale on which these crimes occur, these ethical and moral issues have an even greater impact on society and the banking industry. The following will address the legal and moral issues involved in an e-society, particularly as it pertains to the online banking industry in South Africa.

Recently, the banking industry in South Africa has faced many challenges concerning a lack on security in the online banking industry (Cawley, 2010). The distance of the customer from the bank teller is one of the key aspects of telephone and online banking. The need for additional security in these situations is one of the key necessary provisions. Banks in Europe, the Far East and the U.S.A. have made these changes with little problem. However, in South Africa, IS problems have become rampant. In the first months of 2010, nearly 900 fraudulent banking websites were shut down in South Africa, many of them were close spoofs of large corporate banking sites (Cawley, 2010).

Few will disagree that it is unethical and immoral to steal someone's information for the purpose of taking money from another person's account. Long before the Internet, thieves has means to steal bank account information for the purpose of fraudulently taking money from them, Some of these measures included stealing purses or looking over someone's shoulder while they wrote a check. Just because it occurs on the Internet does not make it any less of a crime. Just because it occurs on a larger scale does not make it any more or less moral than when it occurred to individuals. It still represents the crime that is of moral and ethical consideration.

Phishing sites are one type of cybercrime that represents out fraud. This crime is similar to the conn artist who misrepresents themselves for the purpose of stealing information so that they can pose to be that person. The problem with phishing sites and other spoof sites is that as soon as one is shut down, scammers can easily just upload the same look alike to another IP address and they are up and running again in no time. The intent of phishing and spoof sites is never benevolent. It is always with criminal intent as the underlying purpose behind the activity.

Banks typically take proactive measures to take down phishing sites as soon as they are discovered. However, it is not always possible for the banks, or the legal system to stop phishing. One of the most important steps in preventing fraud is to educate customers about these sites, how to recognize them and how to avoid them. A lack of awareness and security in the South African online banking industry has been key problems in the ability to curb the problem (Cawley, 2010).

The only way that an account can be reliably hacked and emptied is for the customer to divulge certain information. Humans are the most important link in the security chain. For this reason, the research will focus on what can be done to increase awareness and security regarding the divulgence of personal information in the South African population. The problem is that many consumers feel that 100% of the responsibility for preventing cybercrime lies with the banking institution. They feel that their accounts should be safe with little or no effort on their part. This attitude presents a key moral dilemma in the online banking community.

The real question is who is to blame when a phishing site steals information and wrecks havoc on a bank's customers. This research will explore upon whom the blame should fall in the prevention of cybercrime. Many legal and ethical issues arise when confronted by these issues. This research will explore current legislation and bank policies to see if they have adequately addressed these moral and ethical issues.

1.1 PROBLEM STATEMENT

The problem of Information Security has become an issue or great concern to the South African banking industry. Issues regarding IS impact issues of privacy, social issues, security issues, and e-deviance within the banking sector. This research will address the problem of the impact of information security from an ethical and moral standpoint in an increasingly e-oriented society. This study will explore the problem of how these problems are addressed within the legal framework and traditions of South African culture. It will examine who is to blame for the prevention of cybercrime and the current state of legislation and policies in keeping up with them.

1.2 RESEARCH OBJECTIVES

This research will pursue the following objectives as they relate to the research topic.

1. The research will determine the level of confidence of South African banking customers in the level of security in online banking.

2. The research will explore the attitudes of the South African population in the moral obligation to keep their information safe and who has the weight of the moral obligation to protect personal information.

3. The research will explore the moral and ethical division of responsibility between the South African online banking customer and the banking institution for maintaining customer information security.

4. The research will explore the perceived level of e-deviance and immoral behavior in the online banking industry in South Africa.

5. The research will explore the level of knowledge about phishing, spoof sites, password security, and other actions that they can take to keep their information safe.

6. The research will explore the willingness of the South African online banking customer community to take on a greater ethical and moral responsibility for the security of their own personal information through education.

7. The legislative and banking policy landscape regarding the ethical and moral issues regarding information security will be a key objective of this study.

2. BACKGROUND

Information security in South Africa has drawn much media attention recently. Much of the media hype has focused on privacy, security and compliance with reducing the risk of customer information being compromised. As was discussed in the Introduction of this study, problems in South Africa have been reported to be worse than in other countries that have adopted online banking. The question that must be raised focuses on why the problem is so bad in South Africa, least much more so than in other countries around the world.

As the movement towards global networking and banking continues, South Africa will have to improve their system so that they are up to the standards of the rest of the world. They have a moral obligation to the South African people in this area for many reasons. First, they have an obligation to make certain that they can participate in the global economy to give their citizens the same chances for advancement as other nations. Secondly, they have a moral obligation to do everything possible to keep their citizens safe.

When one discusses the topic of security in Information and Communication Technology (ICT), much of the discussion focuses on the technology itself. Currently, the South African banking industry is attempting to establish standards that represent best practices in information security (Tshinu, Botha, and Herselman, 2008). These measures currently focus on the technological aspects of information security. However, the development of industry-wide best practices must take all sources of vulnerability into consideration, including the moral and ethical responsibility to keep information safe.

Therefore, the development of best practices cannot ignore the human factor in security and the division of responsibility between the banking institutions and the banking customers. This research will help it professionals in the banking industry to focus on all of the factors that affect information security, including human factor. The human factor cannot be ignored in the development of standards that pose a solution to the problems regarding information security in the South African banking system. One of the key issues is the shifting of responsibility in crime preventions. The citizens want to feel safe and as if they do not have to worry about their personal information. However, banks cannot do it without them. The citizens must take on a greater responsibility and help banks to fulfill their moral responsibility to keep their information safe. This research will argue that crime prevention is everyone's moral and ethical responsibility.

The scope of the problem is huge and affects all players in the banking industry. The size of the thefts that have occurred are overwhelming. In July of 2009, an SMS scandal involving Vodacom customers amounted in a multimillion-rand SMS authentication scam (the Star, 2009). This scam was one of the largest of its kind and demonstrates that even advanced SMS authentication processes are still vulnerable. They are a step above the username and password systems, but this crime demonstrates that even these systems are still vulnerable.

This scam was carried out using email and phishing to get the customer to divulge their username and password. The scammers masqueraded as a trustworthy source that fooled many customers. In this case, the customer was the one who took actions that caused the crime. If the banks are doing everything possible to prevent phishing sites, the question could be raised as to if they responsible when a customer voluntarily provides the phisher with information that leads to theft. The incidents of cyber crime that are occurring in South Africa are massive, both in the number of them that are occurring and in the amount of rands that are being compromised. This would be similar to a question of whether someone else is responsible if a person breaks into a house using a door that was left unlocked intentionally by the occupant. In these circumstances should the insurance pay. In many cases, they do not. So why should someone else pay for damage caused by information provided to a phisher? These are the moral and ethical questions that must be asked in order for South Africa to be ready for the leap into the global market. The scope of the problem makes it an important topic for study. The scope of the problem and the need to bring South Africa up to global standards is a key reason for the conduct of this study.

3. THEORETICAL FRAMEWORK

The theoretical framework is a group of unifying ideas that will govern the research process. The key guiding principle of the study will focus on the need to enhance the human factor in online banking security. It will focus on the need to balance the technological aspects of IS with the human factors. It will provide guidelines for the development of best practices that can be used by the South African banking industry to improve information security across the entire sector. It will address the questions of moral and ethical responsibility as outlined in the previous sections. The theoretical framework of the study is based on the guiding principle that increasing awareness regarding personal information, combined with the necessary technological advances will provide the best solution to improving information security in South Africa.

4. RESEARCH METHODOLOGY

Research into the field of information security has the goal of tracking current moral and ethical issues and responses, as well as providing guidance as to how to improve security in the future. It will focus on who should be responsible for cybercrime prevention and the moral and ethical issues of responsibility in cybercrime. IS security can be a difficult topic from a research perspective. One of the key reasons is that we only know about cyber crime when someone gets caught. It is difficult to determine if new policies, educational programs, or technology are actually having an effect on a reduction in cyber crime, or if criminals are simply getting better at avoiding detection. From a research perspective, this aspect of the phenomenon makes it a difficult topic to study.

In addition to this difficulty, it is difficult to attach causality to new programs, as there are many factors that could affect rises or falls in cyber crime that are not related to the element bring researched. The purpose of this research study is to explore the moral and ethical issues of information security in South Africa.

We discussed that information security is a combination of technology and education. The human factor and the need to keep personal information private were found to be a key factors in the prevention of information theft. Therefore, this study will use a survey methodology to explore the knowledge level and daily practices regarding information security in the South African people. It will also explore their use of and knowledge of available technology to help prevent cyber crime from occurring. It will address their feelings about their part in the moral and ethical responsibility to do their part to prevent cybercrime. It will address how they feel their banks are fulfilling their moral and ethical obligations to do as much as they can to prevent cybercrime. It will also explore cultural aspects of South African that could affect the feeling of who is responsible for the prevention of cybercrime. One example of these cultural dimension is the feeling of individuality vs. As communal perspective on crime prevention.

The purpose of the research is not only to gain insight into the current state of the situation, but also to offer suggestions for improvement in the future. Therefore, the survey will explore the potential effectiveness of programs that may help to improve password security in the future. The research takes into account the multiple factors that were found to be a factor in curbing cyber crime in the banking industry in South Africa, particularly regarding online banking and the moral and ethical obligation to prevent cybercrime.

The study will address the moral issues involved in information security from the user end of security. The sharing of passwords and usernames, or at least the failure to take proper precautions to protect them is believed to be a key component in the ability to protect online bank accounts. The ease with which phishers can obtain usernames and passwords through spoof sites, or through offering some small token in exchange for usernames and passwords is disturbing (Cawley, 2010). The end user was found to be responsible for security breeches more than technology. Therefore, this research methodology will focus on improving information security from the perspective of the end user. It will focus on the need to instill a sense of responsibility for their own cyber safety from the perspective of the end user.

The development of policies and better technology to curb cyber crime is an important element in improving online security in the South African banking industry. However, they can only go so far when the end users are willingly sharing passwords and refusing to take on their moral share of the responsibility. The end user has little, if any, control over the types of security measures that are being used by banks to protect their accounts. That does not mean that end users do not need to have a basic knowledge of these systems. End users have a moral responsibility to have a basic knowledge of the technological measures and policies that will help to protect their account. This will allow them to choose their online banking institutions wisely. The survey methodology to be used in this research study will allow the researcher to explore end user knowledge regarding protecting their online accounts from a technological and personal level. It will also review the current legislative and policies of 20 major banking institutions in South Africa in regards to how they are addressing the moral and ethical issues surrounding information security. Therefore, it will directly address the goals and intended research questions for the study.

4.1 METHOD of DATA SELECTION

The method of data selection to be used for the study must reflect the primary goals and intentions of the research study. In this study, the goal of the study is to find ways to improve a feeling or moral responsibility for information security among online banking customers in South Africa. It was discovered that through an exploration of relevant literature that end users pose a major threat to security through either willingly, or being deceived into sharing personal information, usernames and passwords. Therefore, the sample population for the study will be drawn from a sample pool of online banking customers in South Africa.

Participation in the survey will be solicited from the general population at several different sites at several different banking institutions in South Africa. Permission to conduct the study will be obtained from the proper banking authority at the institution. Once their permission has been obtained, they will be asked to help distribute and collect the research data. Incentive for the participation of the institutions will be through the knowledge that they can learn from the study results regarding measures that they can take to improve information security, thus increasing consumer confidence in their institution.

A target population of at least 500 participants from five different banking institutions will be the goal of the study. The sample population will be random and the researcher will not have control over the sample population. Surveys will be placed in bank lobbies with a sign that explains the survey and its importance. The sign will ask customers to participate in the survey under their own free will. They can choose to participate or not to participate in the survey as they choose. It is expected that study participants will see the value and importance of the study and will be willing to participate. It is expected that the final sample population will include a wide variety of demographic groups and will reflect the general population of South African online banking customers.

4.2 INSTRUMENTS/TECHNIQUES to BE USED

The study will use an empirical quantitative study method to determine the level of knowledge of the South African people regarding cyber crime. Many questionnaires exist that explore a similar topic. For instance, Haley (2010) has developed a survey questionnaire that explores the willingness to share and knowledge of Symantec users regarding password strength and willingness to share them with others. It will also examine how much responsibility they feel for information security and how much they feel is the bank's responsibility. This survey will be used in the development of the survey to be used in this research study. Haley's survey will be used as inspiration in the development of the research study, but it will not be used verbatim. The researcher will develop his or her own survey instrument for this study.

In keeping with the goals of this study, the survey will address the level of knowledge of the participants regarding various types of technology that are available to keep their personal information safe in the online banking community in South Africa. It will also address the moral and ethical responsibility for keeping their information safe, particularly in relation to the division of this responsibility between themselves and the banking institution. This information is an important factor in the ability to keep banking information safe, but it was found that customer actions were a key threat in the ability to keep information safe, This demonstrate a lack of feeling of moral responsibility for their own information safety and their own action. Therefore, a majority of the survey questions will focus on this element of the research problem.

4.3 METHODOLOGICAL LIMITATIONS

As with any random sample survey, several potential limitations exist that may create difficulty in the application of the sample data to real-world situations. The first is internal validity of the survey. As the researcher is developing the survey, it is considered an untested instrument. Therefore, the researcher will have to take extra statistical considerations to make certain that the validity of the study is preserved. Statistical measures will be taken to ensure the internal validity of the survey.

Several factors that are beyond the researcher's control that may affect the internal validity of the study. For instance, if the sample population is found to have a high percentage of a certain demographic category, it could create skewness in the sample population. One example of such a factor may be the educational level of the population. If the study contains participants with a generally higher educational level, it would be expected that they might be more knowledgeable about information security than a population with a lower average educational level. Another factor that may affect the internal validity of the study is the average age of the survey participants. It would be expected that those of a lower age would be more tech savvy than those in higher demographic categories.

In addition to these potential threats to the internal validity of the study, external threats to the validity of the study also exist. One of the key factors that may limit the ability to apply the study results to the general population are cultural characteristics. The cultural characteristics of online banking customers may limit the ability to apply the study to the general population. Firstly, this population is expected to be more tech savvy than those that do not yet participate in online banking. Secondly, the cultural limitations may exist within South African culture that will limit the ability to apply the study results to a larger, international population. It will only be valid for South Africa or culturally similar groups.

4.4 METHODOLOGICAL SIGNIFICANCE

The methodological significance of these threats to the validity of the study is that it can affect the accuracy of the data analysis. Internal threats to the validity of the study will be examined through statistical means during the data analysis portion of the study. For instance, the internal validity of the study will be supported through the use of Crohnbachs' alpha and cross tabulation of various demographic groups. In terms of cultural threats to the external validity of the study, these will have to be considered in the application of the study results to future research studies.

4.5 DATA ANALYSIS STRATEGY

The data analysis strategy of the study will be tailored to the format of the study. A number of different survey question formats will be used. Therefore, appropriate data analysis methods will be used. The data will be analyzed in aggregate using descriptive statistical methods. However, categorical analysis of various demographic groups will also be used in order to determine if biases exist in the sample population. This categorical analysis many also provide additional information regarding the potential target population for educational measures to reduce information compromise in the future. The data will be presented in graphs and tables that will make the data easy to understand for the end user.

The legislative landscape and banking policy data will be compared and discussed using qualitative methods and a discussion format. It will formulate suggestions and observations based on these observations. This portion of the data analysis will be subjective in nature.

4.6 ETHICAL ISSUES

In any research project, one must consider any ethical issues that may be present in the research design. This study does not pose any potential physical or mental harm to the participants, if they feel uncomfortable with any part of the study, they can choose not to participate.

This research explores issues regarding information security. It will not ask the participants to supply any information other than demographic information that will be used to categorize the sample results. They will not be asked for any information that could be used to identify individual study participants. They will not be asked to write out any part of the survey using their own handwriting.

After the surveys are completed, they can be slipped through a slit in a secured box so that no one else can identify or see their answers. Data will be analyzed in aggregate and no information will be able to be linked to any particular study participant. After the required number of surveys have been collected from the participating banking institutions, the surveys will be locked away securely by the bank representative until they can be picked up by the researcher for analysis. They will be kept in a locked, secured location until the final research has been accepted, then they will be destroyed.

4.7 SOURCES of INFORMATION

The topic of information security in the online banking community in South Africa has been a topic of interest in the mass media recently. At the current time, little academic information is available on the subject. However, there is considerable information regarding the importance of password security, information security, and other related topics. This research will rely on academic sources as the primary source of information. However, mass media sources will be consulted to gain depth into the situation, as it applies specifically to South Africa. The research will use current legislation and banking policies of 20 banks in order to review how it addresses the ethical and moral dilemmas that the banking industry in South African currently faces regarding information security.

5. LITERATURE REVEW

It has been suggested that the problems with information security among online banking customers in South Africa represents one of the worst scenarios for computer security in the world. Many hypotheses have been proposed as to why the situation is to desperate in South Africa, when many countries have instituted online banking with considerably fewer problems. In order to answer this question, the researcher will explore current media coverage of the topic, as well as academic sources of information.

According to a recent survey on computer crime and information security in South Africa, network based attacks have become rare due to the used of more secure firewalls (Stander, Dunnet, & Rizzo 2009, p. 218). The introduction of ISO/IEC 17799 standards requires that South African computing systems meet basic global standards. It was found that on a global basis, larger organizations tend to have greater resources to devote to information security than small organizations (Stander, Dunnet, & Rizzo 2009, p. 218). Online banking customers, including those using ATM's are extremely concerned about e-security and the security of their personal information (Goldstick, a. & Dagada, R. 2009. p. 118). The research highlights the important of bringing South African banking systems up to global standards if they wish to compete on a global level.

Phishing presents one of the greatest challenges to information security. Evidence suggests that phishing is a growing problem on a global basis (Frauenstein, E. And von Solms, R. 2009, p. 254). People are now considered to be the weakest link in computer and system security (Frauenstein, E. And von Solms, R. 2009, p. 255; Steyn, Kruger & Drevin, 2007, p. 201). The Code Practice for Information Security Management, otherwise known as ISO 27002, provides guidance as to how organizations can protect themselves from phishing attacks and improve their security management (ISO/IEC 27002, 2010).

While standards and guidelines can help to improve awareness of the problems associated with phishing, the ability to end phishing is to make customers aware of what they can do to protect themselves from becoming the victim of phishing emails. In order to resolve the problem of phishing, guidelines must match current phishing techniques and provide guidance as to how to make consumers aware of these types of attacks and how to respond to them (van der Merwe, a., Loock, M., & Dabrowski, M., 2005, p. 249).

Consumers are the last element in the fight against phishing. They are the ones who must ultimately make the decision as to what is a legitimate contact from their bank and what is a spoof. However, Paypal has demonstrated that companies can take many measures to make certain that phishing emails do not make it to their customers in the first place (Barrett, 2008).

Unfortunately, phishing is expected to increase. One of the most recent methods is to steal an ATM card as it comes out of the slot and to quickly run it through a skimming device that stores the information (Knowler, 2010, p. 2). Social networking sites are a favorite venue for phishing scammers (elamb security, 2010). Recent scam involving a supposed tax refund from the South African Revenue Service snagged information from millions of users through a spoof website (Christenson, 2010). These are only a few examples of the methods used by phishers to extract information from their victims.

Banks are beginning so institute new and innovative solutions to end phishing. The Standard Bank now provides free anti-phishing software that can also protect against online attack by malware (BigNews Staff, 2010). Banks in South Africa are aggressively pursuing security issues concerning ATM security (Wong, 2010). The introduction of smart cards represents the latest in the fight against phishing scams using ATM cards (Chou, JS., Huang, CH, & Chen, Y. 2010; Chen, Y., Chou, JS., & Huang, CH, 2010). These are only a few of the attempts that are being made to curb phishing in the online banking industry.