Thursday, January 15, 2009

What Would You Do?

1. You are the CEO of a three-year-old software manufacturer that has several products and annual revenues in excess of 500 million dollars. You've just received a recommendation from the manager of software development to hire three notorious crackers to probe your software products in an attempt to identify any vulnerabilities. The reasoning is that if anyone can find a vulnerability in your software, they can. This will give your firm a head start on developing parches to fix the problems before anyone can exploit them. You're not sure, and feel uneasy about hiring people with criminal records and connections to unsavory members of the hacker/cracker community. What would you do?

2. You have just been hired as an IT security consultant to "fix the security problem" at Acme United Global Manufacturing. The company has been hacked mercilessly over the last six months, with three of the attacks making headlines for the negative impact they have had on the firm and its customers. You have been given 90 days and budget of 1 million dollars. Where would you begin, and what steps would you take to fix the problem?

3. You are the CFO (Chief Finance Officer) of a midsized manufacturing firm. You have heard nothing but positive comments about the new CIO (Chief Information Officer) you hired three months ago. As you observe her outline what needs to be done to improve the firm's computer security, you are impressed with her energy, enthusiasm, and presentation skills. However, your jaw drops when she states that the total cost of computer security improvements will be 300, 000 dollars. This seems like a lot of money for security, given that your firm has no major incident. Several other items in the budget will either have to be dropped or trimmed back to accommodate this project. In addition, the 300, 000 dollars is above your spending authorization and will require approval by the CEO. This will force you to defend the expenditure, and you are not sure how to do this. You wonder if this much spending on security is really required. How can you sort out what really needs to be done with out appearing to be micromanaging or discouraging the new CIO?

4. Your friend just told you that he is developing a worm to attack the administrative systems at your college. The worm is "harmless" and will simply cause a message - "Let's party!" - to be dispalyed on all workstations on Friday afternoon at 3 p.m. By 4 p. m., the virus will erase itself and destroy all evidence of its presence. What would you say or do?

5. You are the vice president of application development for a small but rapidly growing software company that produces patient billing applications for doctor's offices. During work on the next release of your firm's one and only software product, a small programming glitch has been uncovered in the current release that could pose a security risks to users. the probability of the problem being discovered is low, but if exposed, the potential impact on your firm's 100 or so customers could be substantial: hackers could access private patient data and change billing records. The problem will be corrected in the next release, but you are concerned about what should be done for the users for the current release.

The problem has come at the worsts possible time. The firm is seeking approval for a 10 million dollars loan to raise enough cash to continue operations until revenue from the sales of its just released product offsets expenses. In addition, the effort to communicate with users, and develop and distribute the patch, and to deal with any fallout will place a major drain on your small development staff, delaying the next software release at least one month. You have a meeting with the CEO this afternoon; what course of action will you recommend?
(Source: Thomson Asian Edition; Ethics in Information Technology 2nd Edition; George Reynolds.)