According to Mason (1986), the four principles of the information age are accuracy, property, accessibility and privacy. Accuracy refers to the authenticity of information and how it affects a person's or group's life. Property refers to ownership. Who owns the information that one gives to a bank? Is it the bank or the person who gives the information? In addition to these, the principle of accessibility concerns the right or privilege to obtain information, store it and retrieve it. Privacy is the safeguarding of one's information so that it is restricted to only those legally permitted to view the information recorded.
Safeguarding one's information is vital to the integrity of the information provided to banks. Equally essential is the need to protect oneself from fraud and its potential impact, especially when the fraud is due to cyber activities that could be prevented through education as well as proper protection of the bank's computer infrastructure and network. According to Gulati (2009), global losses due to fraud involving credit cards, as well as electronic crime associated with ATMs, have gone over the one billion dollar mark, as reported by the ATM Association. Of this worldwide fraud, the UK accounts for about 1% (Gulati, 2009). While this figure may seem very small, it runs into millions of pounds, and the psychological and social cost is immeasurable.
Research Aim and Questions
The aim of this research is to investigate ethical issues that are salient to a possible computer virus attack on the network of a banking firm in the United Kingdom. With millions of adults having internet banking access, it is very important that the ethical issues associated with banking and virus attacks are clarified. The research questions include the following:
- What would the ethical considerations of a computer virus attack be?
- What are the legal implications?
- What are the economic implications of a computer virus attack?
- Does it damage confidence in the system?
An attempt will be made to answer these questions during the research project by seeking to collect information from Bank A in the UK.
An increasing number of adults and children in the United Kingdom now regularly use the internet for various purposes. One of the current main purposes is banking and banking information. The following charts and tables indicate internet access in the United Kingdom since 2002. With an increasing number of people using internet banking by 2008, the possibility of computer virus attack increases.
Character of Financial Institution Network Attack
Attacks on the computer networks of banks and on personal computers with the purpose of stealing personal information have been a growing problem over the years. According to Bayles (2001), target cases of attack on a computer network can be a computer-based military control network, a utility network or a banking system network. For the military, the adversary's intentions are to disable any ability to communicate within and without, and to break the command and control structure of the opposing force (Bayles, 2001). Utilities such as electrical generation can also be attacked in an adversarial situation to break the will of an opposing side or a competitor (Cohen, 1993). The use of network facilities for banking has made banking networks, as well as personal computers used for banking transactions, targets for fraudsters intending to steal from others. There is also the bigger picture of an attack on a nation's banking system by its adversary during a confrontation in order to undermine its currency and create fear in the minds of those using the system (Goulter, 1991). Malicious attacks on financial targets, whether personal or national, can have a devastating effect on those affected by them, either directly or indirectly.
Ethical Consideration of Virus Attack
A computer virus is a programme that infects a computer by copying itself from one computer to another through executable code. This could be through the internet, floppy disks, compact disks and other storage accessories (Szor, 2005). The use of a computer virus to attack a financial network has serious consequences and therefore raises ethical considerations. According to Wyne (2010), it is difficult to define one set of ethics that covers all the users of computers. There are many ethical questions to answer, including: how can a computer virus attack in a military campaign or in a civilian situation be justified? Does it not distort the four pillars of the information age? In a military campaign there are divergent views about a virus attack on the financial sector of the 'enemy'. While some see it as legitimate, others see it as the employment of weapons of mass destruction (Barnett, 1998). Whatever the views and circumstances of computer virus attacks on the banking sector or on one's personal banking information, such attacks might be breaking the four pillars of the information age. They therefore raise ethical questions regarding the accuracy of information, whose property the infected information is, how accessibility affects people's ability to function, and whether privacy matters.
Legal Implications of Virus Attack
Virus attacks on a computer network or a personal system lead to paralysis of the computer network or the personal system. The legal aspects or implications of a virus attack on a banking network or one's personal banking transactions have been defined through various legal instruments, including the Computer Misuse Act 1996. The offence could be a basic hacking offence or a modification without authorisation offence (Overill, 1998). According to Overill (1998), contravention of the Computer Misuse Act 1996 carries a five-year prison sentence or a combination of a prison sentence and an unlimited fine. The Council of Europe, which has over the years sought to harmonise legal principles on the misuse of computers within the European Union, has been instrumental in this process. The EU Convention on Cybercrime recognises the need for international cooperation on the issue of cybercrime. But more than that, it is mindful of the need for governments and others to ensure that there is a balance between the interests of enforcing the law and continuous respect for the rights of people defined in various conventions on the protection of human rights (Council of Europe, 2001). The legal aspects of a virus attack on a banking network, or on one's personal system for accessing one's bank account, leave questions to be answered. In what way do a virus attack and the attendant consequences affect the provisions of the Human Rights Act on privacy? How does this sit with the Freedom of Information Act? The seemingly contradictory messages of the various laws regarding such crimes require clarification.
Economic Implications of Virus Attack
At the heart of most infrastructural development these days are the economic questions. Lewis (2006) refers to this as the computer networks and critical infrastructures. Given the sensitive nature of the banks and their computer networks, they are considered part of the critical infrastructure. In the United States, lists of industries have been identified and placed on the critical list, including food, water and health systems. In addition to these, there are also information and communication technology, banking and finance, as well as energy (which includes electrical, nuclear, oil and dams). Other critical infrastructures included in this list are transportation, defence, postal and shipping entities. Given the long list of critical infrastructures, what are the possible economic implications if one of these is attacked using a computer virus?
Research Method Discussion
According to Galpin et al (1999), research skills are essential for any academic and they can greatly enhance one's profession. Various skills are needed to do research, including critical thinking, literature survey, critical reading and the ability to summarise. There is also the need to be able to identify one's research questions, the ability to do comparative work and an understanding of different research methods, among other skills (Galpin et al, 1999). Demeyer (2010), in seeking to identify various research methods in computer science, suggests the following: feasibility study, pilot case, comparative study, literature survey, formal model and simulation. The application of each of these depends on the nature of the research.
It is important to remember, however, that all research is underpinned by a philosophical belief and that this philosophy determines which method is chosen by the researcher (Demeyer, 2010). This philosophy can be either a positivistic or an interpretative paradigm (Berglund et al, 2007). In this research, the interpretative paradigm will be employed. According to Berntsen et al (2004), research is interpretative when the assumption is that one's knowledge is gained through social construction. These social constructions can include language, consciousness, shared meanings, documents and other materials. Interpretative methods usually involve qualitative methods providing the basis of the data collected and the analysis of that data.
According to Walsham (1993), considering the interpretative philosophical stance, one would say that the most appropriate empirical research method is the in-depth case study. Yin's (1994) authoritative work on case studies provides the backdrop of most case study work. According to Yin (1994), a case study is a research method that involves an inquiry into "contemporary phenomenon within its real-life context, especially when the boundaries between phenomenon and context are not clearly evident" (Yin, 1994, p. 13). Investigating the ethical issues associated with a virus attack on a banking computer network would require an in-depth case study. This research will be based in a bank with the permission of the bank manager.
Data analysis will be both qualitative and quantitative. Data collected on incidents of virus infection will be turned into descriptive statistics to provide a sense of the proportion of data or information within the banking system that is likely to be attacked in such a malicious way. Miles and Huberman (1999) suggest that this process is counting. Counting can also be used for qualitative data through the development of a data matrix based on the themes coming out of the research questions. During the analysis of the documentary data obtained, a data matrix related to the themes of the research questions will be constructed and used to determine trends in virus effects and the ethical issues linked to these. Greenbank et al (2009) suggest that data matrices can be used to summarise and categorise data around the various themes of a research project.
The plan above is a provisional plan, subject to modification depending on the pattern taken by the research methods and the challenges associated with the collection of data. As can be seen from the plan, this work is likely to last for three months. The substantive part of it will be done in June and July. Most reading will take place in May.
The four ethical principles of the information age are privacy, accuracy, property and accessibility (Mason, 1986). Attacks of any kind on a computer network, including computer virus attacks, leave the system vulnerable and make it harder to ensure that these ethical principles are adhered to. The current nature of banking and other strategic services, and their dependence on computer networks, requires some investigation into the ethical nature of a virus attack either on the network of these services directly or on the users' network. In military conflict, there is some tendency to attack an adversary's network in order to paralyse the system. If these are civilian targets, the attacks are likely to affect non-combatants, leading to the question of how ethical these attacks are. Given the malicious attacks that are sometimes carried out by hackers seeking to collect information about people, how does their action sit with the four pillars of the information age? In what way do the ethical pillars of the information age become invalid?
This research will seek to investigate ethical issues associated with a virus attack on a banking network using the interpretative research paradigm. The in-depth case study as described by Yin (1994) will be employed in this process. This will mainly involve a qualitative approach and data collection. The analysis will endeavour to give some information on how the ethical issues of an attack on a system's network can be interpreted given the four ethical principles of the information age. The proposed timetable above indicates that this project will be undertaken within a three-month period, with most of the empirical data collection done within a banking environment.
- ONS (2008) Internet Access 2008 Households and Individuals, Office of National Statistics Media Office, Cardiff
- Gulati, V. P. (2009) Workshop Position Statement: Cyber Security Challenges for the Financial Sector, Tata Consultancy Services Ltd, Hyderabad, Andhra Pradesh, India
- Galpin, V., Hazelhurst, S., Mueller, C. and Sanders, I. (1999) Introducing Research Methods to Computer Science Honours Students, Department of Computer Science, University of Witwatersrand, South Africa
- Berntsen, K., Sampson, J. and Osterlie, T. (2004) Interpretive Research Methods in Computer Science, Norwegian University of Science and Technology, Trondheim
- Walsham, G. (1993) Interpreting Information Systems in Organisations, John Wiley and Sons, London
- Yin, R. K. (1984) Case Study Research: Design and Methods, Sage, Beverly Hills, CA
- Demeyer, S. (2010) Research Methods in Computer Science, University of Antwerp, Belgium
- Mason, R. O. (1986) "Four Ethical Issues of the Information Age", Management Information Systems Quarterly, Vol. 10, No. , pp. 5 - 12
- Szor, P. (2005) The Art of Computer Virus Research and Defence, Addison-Wesley: Boston
- Lewis, J. A. (2006) Cybersecurity and Critical Infrastructure Protection, Centre for Strategic and International Studies
- Overill, R. E. (1998) Reacting to Cyberintrusions: Technical, Legal and Ethical Issues, International Centre for Security Analysis, King's College London
- Bayles, W. J. (2001) "The Ethics of Computer Network Attack", Parameters, Spring 2001, pp. 44 - 58
- Council of Europe (2001), Convention on Cybercrime, Council of Europe
- Wyne, M. F. (2010) "Modular Approach for Ethics", US-China Education Review, Feb 2010, Vol. 7, No. 2 Serial 63
- Cohen, E. A. (1993) Gulf War Air Power Survey, Department of the Air Force, Washington
- Barnett, R. W. (1998) Information Operations, Deterrence and the Use of Force, Naval War College
- Miles, M. B. and Huberman, A. M. (1994) Qualitative Data Analysis, Thousand Oaks: Sage
- Greenbank, P., Penketh, C., Schofield, M. and Turjansky, T. (2009) "The Undergraduate Dissertation: 'Most likely you go your way and I'll go mine'", International Journal for Quality and Standard, pp. 1 - 24