
Combinepdf 16

This document discusses cybersecurity threats and principles. It defines categories of cybercrime like using computers to attack other computers or commit real-world crimes. It also explains common types of cyber attacks such as ransomware, viruses, worms, and trojans. The document outlines the CIA security triad of confidentiality, integrity, and availability and how organizations can implement cybersecurity strategies through risk assessment, disaster recovery planning, and security policies.

Uploaded by

202010522
Copyright
© © All Rights Reserved

SOCIAL AND PROFESSIONAL ISSUES

Cyberattacks and Cybersecurity


Module 5
Module 5A

The Threat Landscape


Intended Learning Outcomes

–Discuss the categories of Cybercrime;

–Explain the principles of Computer Security;

–Enumerate the different Types of Cybercrime; and

–Know the advantages of Cybersecurity and response to Cyber attack.


The Threat Landscape
-Confidential business data and private customer and employee information must be safeguarded, and
systems must be protected against malicious acts of theft or disruption.

-Cybercrime is crime committed using a computer and the internet, such as stealing a person’s identity,
illegal imports, or malicious programs.

-Cyber crime is an activity done using computers and the internet.

-Cyber security refers to the technologies and processes designed to protect computers, networks and
data from unauthorized access and attacks delivered via the internet by cyber criminals.
Categories of Cyber Crime

The computer as a target: Using a computer to attack other computers (hacking, virus/worm attacks, DoS
attacks, etc.).

The computer as a weapon: Using a computer to commit real-world crime, e.g. credit card fraud.
Why Computer Incidents Are So Prevalent?
• Increasing Complexity Increases Vulnerability

• Expanding and Changing Systems Introduce New Risks

• Increasing Prevalence of BYOD Policies

Bring your own device (BYOD) is a business policy that permits, and in some cases encourages, employees
to use their own mobile devices.

Why Computer Incidents Are So Prevalent?
•Growing Reliance on Commercial Software with Known Vulnerabilities

-In computing, an exploit is an attack on an information system that takes advantage of a particular system
vulnerability.
-Often this attack is due to poor system design or implementation.
-Once the vulnerability is discovered, software developers create and issue a “fix,” or patch, to eliminate the
problem.

Increasing Sophistication of Those Who Would Do Harm

-Previously, the stereotype of a computer troublemaker was that of an introverted “geek” working on his or her
own and motivated by the desire to gain some degree of notoriety.
Why Computer Incidents Are So Prevalent?

Classifying perpetrators of computer crime


Types of Exploits
• Ransomware is malware that stops you from using your computer or accessing your data until you meet
certain demands, such as paying a ransom or sending photos to the attacker.

• Virus is a piece of programming code, usually disguised as something else, that causes a computer to
behave in an unexpected and usually undesirable manner.

• Worm is a harmful program that resides in the active memory of the computer and duplicates itself.

• Trojan horse is a seemingly harmless program in which malicious code is hidden.


Types of Exploits
• Blended threat is a sophisticated threat that combines the features of a virus, worm, Trojan horse, and
other malicious code into a single payload.

• Email spam is the use of email systems to send unsolicited email to large numbers of people.

The Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act states that it is
legal to spam, provided the messages meet a few basic requirements.

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) software
generates and grades tests that humans can pass and all but the most sophisticated computer programs
cannot.
Types of Exploits
• Distributed denial-of-service (DDoS) attack is one in which a malicious hacker takes over computers via
the Internet and causes them to flood a target site with demands for data and other small tasks.

• Rootkit is a set of programs that enables its user to gain administrator-level access to a computer without
the end user’s consent or knowledge.

• Advanced persistent threat (APT) is a network attack in which an intruder gains access to a network and
stays there—undetected—with the intention of stealing data over a long period of time (weeks or even
months).
Types of Exploits
• Phishing is the act of fraudulently using email to try to get the recipient to reveal personal data.

Spear phishing is a variation of phishing in which the phisher sends fraudulent emails to a certain
organization’s employees.

• Smishing is another variation of phishing that involves the use of texting.

• Vishing is similar to smishing except that the victims receive a voice-mail message telling them to call a
phone number or access a website.
Types of Exploits
• Cyberespionage involves the deployment of malware that secretly steals data in the computer systems of
organizations, such as government agencies, military contractors, political organizations, and manufacturing
firms.

• Cyberterrorism is the intimidation of government or civilian population by using information technology to
disable critical national infrastructure.

The Department of Homeland Security (DHS) is a large federal agency with more than 240,000 employees
and a budget of almost $65 billion whose goal is to provide for a “safer, more secure America, which is resilient
against terrorism and other potential threats.”
Common Types of Cybersecurity
Network Security protects network traffic by controlling incoming and outgoing connections to prevent threats
from entering or spreading on the network.

Data Loss Prevention (DLP) protects data by focusing on the location, classification and monitoring of
information at rest, in use and in motion.

Cloud Security provides protection for data used in cloud-based services and applications.

Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) work to identify potentially hostile
cyber activity.
Common Types of Cybersecurity

Identity and Access Management (IAM) uses authentication services to limit and track employee access to
protect internal systems from malicious entities.

Encryption is the process of encoding data to render it unintelligible, and is often used during data transfer to
prevent theft in transit.

Antivirus/anti-malware solutions scan computer systems for known threats. Modern solutions are even able to
detect previously unknown threats based on their behavior.
Advantage of Cybersecurity
• It defends us from hacks and viruses. It helps us browse safe websites.

• Internet security processes all the incoming and outgoing data on our computer.

• Cyber security defends us from critical attacks.

• The cyber security application used on our PC needs to be updated every week.

• Security developers update their databases once every week.
Module 5B

The CIA Security TRIAD


Intended Learning Outcome

–Know the actions that must be taken in the event of a successful security intrusion.
The CIA Security TRIAD
•The IT security practices of organizations worldwide are focused on ensuring confidentiality, maintaining
integrity, and guaranteeing the availability of systems and data.

•Confidentiality ensures that only those individuals with the proper authority can access sensitive data such as
employee personal data, customer and product sales data, and new product and advertising plans.

•Integrity ensures that data can only be changed by authorized individuals so that the accuracy, consistency,
and trustworthiness of data are guaranteed.

•Availability ensures that the data can be accessed when and where needed, including during times of both
normal and disaster recovery operations.

•Confidentiality, integrity, and availability are referred to as the CIA security triad.
Implementing CIA at the Organization Level
•Implementing CIA begins at the organization level with the definition of an overall security strategy,
performance of a risk assessment, laying out plans for disaster recovery, setting security policies, conducting
security audits, ensuring regulatory standards compliance, and creating a security dashboard.

-Security Strategy

•Implementing CIA security at the organization level requires a risk-based security strategy with an active
governance process to minimize the potential impact of any security incident and to ensure business continuity
in the event of a cyberattack.

• Creating such a strategy typically begins with performing a risk assessment to identify and prioritize the threats
that the organization faces.

• The security strategy must define a disaster recovery plan that ensures the availability of key data and
information technology assets.
Implementing CIA at the Organization Level
-Risk assessment

•Risk assessment is the process of assessing security-related risks to an organization’s computers and networks
from both internal and external threats.
• Such threats can prevent an organization from meeting its key business objectives.
•The goal of risk assessment is to identify which investments of time and resources will best protect the
organization from its most likely and serious threats.

-Disaster Recovery

•Data availability requires implementing products, services, policies, and procedures that ensure that data are
accessible even during disaster recovery operations.

•To accomplish this goal, organizations typically implement a disaster recovery plan, which is a documented
process for recovering an organization’s business information system assets—including hardware, software,
data, networks, and facilities—in the event of a disaster.
Implementing CIA at the Organization Level
-Security Policies

•A security policy defines an organization’s security requirements, as well as the controls and sanctions needed
to meet those requirements. A good security policy delineates responsibilities and the behavior expected of
members of the organization.

• A security policy outlines what needs to be done but not how to do it. The details of how to accomplish the
goals of the policy are typically provided in separate documents and procedure guidelines.

•The SysAdmin, Audit, Network, Security (SANS) Institute’s website (www.sans.org) offers a number of
security-related policy templates that can help an organization to quickly develop effective security policies.
Implementing CIA at the Organization Level
-Security Audits

•Another important prevention tool is a security audit that evaluates whether an organization has a
well-considered security policy in place and if it is being followed.
•For example, if a policy says that all users must change their passwords every 30 days, the audit must check
how well that policy is being implemented.
• The audit should also review who has access to particular systems and data and what level of authority each
user has.
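
The audit checks described above, as an added example that is not part of the original module: it flags active accounts whose last password change is older than the 30-day policy and reviews who holds which level of authority on each system. The account records, field names, authority labels and the approved-administrator list are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=30)  # the rotation policy quoted in the text


@dataclass
class Account:
    user: str
    last_password_change: date
    # system name -> level of authority; "read"/"write"/"admin" are hypothetical labels
    access: dict = field(default_factory=dict)
    active: bool = True


# Constructed sample records (not real data).
TODAY = date(2024, 3, 31)
ACCOUNTS = [
    Account("alice", date(2024, 3, 20), {"payroll": "write"}),
    Account("bob", date(2024, 1, 15), {"payroll": "admin", "crm": "read"}),
    Account("carol", date(2024, 3, 1), {"crm": "admin"}),  # exactly 30 days old
    Account("dave", date(2023, 11, 2), {"payroll": "read"}, active=False),
]
APPROVED_ADMINS = {("carol", "crm")}  # (user, system) pairs signed off by the owner


def stale_passwords(accounts, today, max_age=MAX_PASSWORD_AGE):
    """Return (user, age_in_days) for active accounts that violate the policy."""
    findings = []
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are handled by the access review
        age = today - acct.last_password_change
        if age > max_age:  # a password changed exactly 30 days ago is still compliant
            findings.append((acct.user, age.days))
    return sorted(findings, key=lambda f: -f[1])  # oldest password first


def access_review(accounts, approved_admins):
    """Return (user, system, finding) for access that needs a follow-up."""
    findings = []
    for acct in accounts:
        for system, level in sorted(acct.access.items()):
            if not acct.active:
                findings.append((acct.user, system, "disabled account still has access"))
            elif level == "admin" and (acct.user, system) not in approved_admins:
                findings.append((acct.user, system, "unapproved admin authority"))
    return findings


def compliance_rate(accounts, today):
    """Fraction of active accounts that meet the password rotation policy."""
    active = [a for a in accounts if a.active]
    if not active:
        return 1.0
    return (len(active) - len(stale_passwords(accounts, today))) / len(active)


if __name__ == "__main__":
    for user, days in stale_passwords(ACCOUNTS, TODAY):
        print(f"password policy: {user} last changed {days} days ago")
    for user, system, finding in access_review(ACCOUNTS, APPROVED_ADMINS):
        print(f"access review: {user} on {system}: {finding}")
    print(f"policy compliance: {compliance_rate(ACCOUNTS, TODAY):.0%}")
```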

-Regulatory Standards Compliance

•In addition to the requirement to comply with your own security program, your organization may also be
required to comply with one or more standards defined by external parties.
•In that case, your organization’s security program must include a definition of what those standards are and
how the organization will comply.
Implementing CIA at the Organization Level
-Security Dashboard

•Many organizations use security dashboard software to provide a comprehensive display of all key
performance indicators related to an organization’s security defenses, including threats, exposures, policy
compliance, and incident alerts.

•The purpose of a security dashboard is to reduce the effort required to monitor and identify threats in time to
take action.
Implementing CIA at the Network Level
•The Internet provides a wide-open and well-travelled pathway for anyone in the world to reach your
organization’s network.

• As a result, organizations are continuing to move more of their business processes to the Internet to better
serve customers, suppliers, employees, investors, and business partners.

-Authentication Methods

To maintain a secure network, an organization must authenticate users attempting to access the network by
requiring them to enter a username and password; inserting a smart card and entering the associated PIN; or
providing a fingerprint, voice pattern sample, or retina scan.
Implementing CIA at the Network Level
-Firewall

•Installation of a corporate firewall is the most common security precaution taken by businesses.

•A firewall is a system of software, hardware, or a combination of both that stands guard between an
organization’s internal network and the Internet and limits network access based on the organization’s access
policy.

•A next-generation firewall (NGFW) is a hardware- or software-based network security system that is able to
detect and block sophisticated attacks by filtering network traffic dependent on the packet contents.
Implementing CIA at the Network Level
-Routers

•A router is a networking device that connects multiple networks together and forwards data packets from one
network to another.

• Often, an ISP installs a router in a subscriber’s home to connect the ISP’s network to the network within the
home.

•Routers enable you to create a secure network by assigning it a passphrase so that only individuals who have
the passphrase can connect to your network.
Implementing CIA at the Network Level
-Encryption
•Encryption is the process of scrambling messages or data in such a way that only authorized parties can read
it.

• It is used to protect billions of online transactions each day, enabling consumers to order more than $300
billion in merchandise online and banks to route some $40 trillion in financial transactions each year.

•An encryption key is a value that is applied (using an algorithm) to a set of unencrypted text (plaintext) to
produce encrypted text that appears as a series of seemingly random characters (ciphertext) that is unreadable
by those without the encryption key needed to decipher it.

•There are two types of encryption algorithms: symmetric and asymmetric. Symmetric algorithms use the
same key for both encryption and decryption.

•Asymmetric algorithms use one key for encryption and a different key for decryption.
Implementing CIA at the Network Level
-Proxy Servers and Virtual Private Networks

•A proxy server serves as an intermediary between a web browser and another server on the Internet that
makes requests to websites, servers, and services on the Internet for you.

•When you enter the URL for a website, the request is forwarded to the proxy server, which relays the request to
the server where the website is hosted. The homepage of the website is returned to the proxy server, which then
passes it on to you.
Implementing CIA at the Network Level
-Intrusion Detection System

•An intrusion detection system (IDS) is software and/or hardware that monitors system and network resources
and activities and notifies network security personnel when it detects network traffic that attempts to circumvent
the security measures of a networked computer environment.
Implementing CIA at the Network Level
-Authentication Methods

•For many applications, users are required to enter a username and password to gain access.

•Two-factor authentication requires the user to provide two types of credential before being able to access an
account; the two credentials can be any of the following:

• Something you know, such as a PIN or password
• Something you have, such as some form of security card or token
• Something you are, such as a biometric (for example, a fingerprint or retina scan)
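
A sketch of a two-factor check, added here as an example and not taken from the original module: the login succeeds only when a password (something you know) and a one-time code from a token (something you have) both verify. The choice of PBKDF2 for the password and an RFC 6238 time-based code for the token is an assumption, and the account record, password and salt are constructed; the token secret is the published RFC 6238 test secret.

```python
import hashlib
import hmac
import os
import struct

TIME_STEP = 30               # seconds per one-time-code step (RFC 6238 default)
DIGITS = 6
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Derive a slow, salted hash so the stored value is not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def totp(secret, unix_time, digits=DIGITS):
    """Time-based one-time password (RFC 6238 over HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // TIME_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(password, totp_secret, salt=None, iterations=PBKDF2_ITERATIONS):
    """Create the server-side record for one user."""
    salt = os.urandom(16) if salt is None else salt
    return {
        "salt": salt,
        "iterations": iterations,
        "pw_hash": hash_password(password, salt, iterations),
        "totp_secret": totp_secret,
    }


def verify_login(record, password, code, unix_time, drift_steps=1):
    """Return True only if BOTH factors verify; one factor alone is rejected."""
    candidate = hash_password(password, record["salt"], record["iterations"])
    knows = hmac.compare_digest(candidate, record["pw_hash"])

    has = False
    # Accept the neighbouring time steps to tolerate clock drift on the token.
    for step in range(-drift_steps, drift_steps + 1):
        t = unix_time + step * TIME_STEP
        if t < 0:
            continue
        expected = totp(record["totp_secret"], t)
        has |= hmac.compare_digest(expected.encode(), code.encode())

    # Both checks always run, so the response does not reveal which factor failed.
    return knows and has


# Constructed demo record; the secret is the RFC 6238 Appendix B test secret.
RFC_SECRET = b"12345678901234567890"
DEMO_RECORD = enroll("correct horse battery", RFC_SECRET, salt=b"constructed-salt")

if __name__ == "__main__":
    now = 59
    print("code at t=59:", totp(RFC_SECRET, now))
    print("both factors:", verify_login(DEMO_RECORD, "correct horse battery", "287082", now))
    print("password only:", verify_login(DEMO_RECORD, "correct horse battery", "000000", now))
```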
Implementing CIA at the Network Level
-User Roles and Accounts

•Another important safeguard at the application level is the creation of roles and user accounts so that once
users are authenticated, they have the authority to perform their responsibilities and nothing more.

Data Encryption

•Major enterprise systems such as enterprise resource planning (ERP), customer relationship management
(CRM), and product lifecycle management (PLM) access sensitive data residing on data storage devices
located in data centers, in the cloud, or at third-party locations.
Implementing CIA at the End-User Level
-Security Education

•Creating and enhancing user awareness of security policies is an ongoing security priority for companies.

•Employees and contract workers must be educated about the importance of security so that they will be
motivated to understand and follow security policies.

Authentication Methods

•End users should be required to implement a security passcode that must be entered before their
computing/communications device accepts further input.
Implementing CIA at the End-User Level
-Antivirus Software

•Antivirus software should be installed on each user’s personal computer to scan a computer’s memory and
disk drives regularly for viruses.

• Antivirus software scans for a specific sequence of bytes, known as a virus signature, that indicates the
presence of a specific virus.
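
Signature matching as described above, shown as an added example that is not part of the original module: a scanner that searches a byte stream for known sequences, next to a naive version that misses a signature split across two read buffers. The signature names and byte sequences are constructed, harmless placeholders.

```python
import io

# Constructed placeholder signatures; real products ship large, vendor-maintained sets.
SIGNATURES = {
    "Demo.TestSig.A": bytes.fromhex("dec0ad0badf00d42"),
    "Demo.TestSig.B": b"CONSTRUCTED-SAMPLE-MARKER",
}

# Constructed sample "file": signature A starts at offset 12, signature B at offset 50.
SAMPLE = (b"A" * 12 + SIGNATURES["Demo.TestSig.A"]
          + b"B" * 30 + SIGNATURES["Demo.TestSig.B"] + b"tail")


def scan_naive(stream, signatures=SIGNATURES, chunk_size=4096):
    """Search each read buffer on its own; misses signatures that straddle buffers."""
    hits, base = [], 0
    while chunk := stream.read(chunk_size):
        for name, sig in signatures.items():
            pos = chunk.find(sig)
            if pos != -1:
                hits.append((base + pos, name))
        base += len(chunk)
    return sorted(hits)


def scan_stream(stream, signatures=SIGNATURES, chunk_size=4096):
    """Return sorted (offset, signature_name) hits for every occurrence in the stream."""
    longest = max(len(sig) for sig in signatures.values())
    overlap = longest - 1  # bytes carried over so no match can fall between reads
    hits = set()           # a short signature inside the overlap may be seen twice
    tail = b""
    base = 0               # file offset of window[0]
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        for name, sig in signatures.items():
            pos = window.find(sig)
            while pos != -1:
                hits.add((base + pos, name))
                pos = window.find(sig, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)


def scan_bytes(data, chunk_size=4096, scanner=scan_stream):
    """Convenience wrapper for in-memory data."""
    return scanner(io.BytesIO(data), chunk_size=chunk_size)


if __name__ == "__main__":
    print("naive, 16-byte reads:  ", scan_bytes(SAMPLE, 16, scan_naive))
    print("overlap, 16-byte reads:", scan_bytes(SAMPLE, 16))
```

A signature scan only recognises byte sequences already in its set, which is why the module notes elsewhere that modern products also look at behavior.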

-Data Encryption

•While you should already have a login password for your mobile computing device or workstation, those
measures won’t protect your data if someone steals your device.
Response to Cyberattack
-Incident Notification

•A key element of any response plan is to define who to notify and who not to notify in the event of a computer
security incident.

-Protection of Evidence and Activity Logs

An organization should document all details of a security incident as it works to resolve the incident.

-Incident Containment

The incident response plan should clearly define the process for deciding if an attack is dangerous enough to
warrant shutting down or disconnecting critical systems from the network.
Response to Cyberattack
-Eradication

Before the IT security group begins the eradication effort, it must collect and log all possible criminal evidence
from the system and then verify that all necessary backups are current, complete, and free of any malware.

-Incident Follow-Up

-An essential part of follow-up is to determine how the organization’s security was compromised so that it does
not happen again.
SOCIAL AND PROFESSIONAL ISSUES

Risk and Responsibility


Module 6
Module 6A

Computer Liability
Intended Learning Outcomes

–Discuss the hardware and software risks involved in the use of computers in society;

–Explain how information stored on computers can be kept safe; and

–Describe how effective design can impact information technology.


Computer Liability
Hardware Reliability Features
• failure is usually due to physical deterioration,
• hardware reliability tends, more than software, towards a constant value,
• hardware reliability usually follows the ‘bathtub’ principle,
• again, environment is important; a proportion of hardware faults are design faults.
Computer Liability
Reliability Measures

There are four general ways of measuring failures against time:

• time of failure,

• interval between failures,

• cumulative failures experienced up to a given time,

• failures experienced in a time interval.


Computer Liability
-Barriers in digital communication
1. Physical barriers
Physical barriers present different challenges for offline versus online communication.

Physical barriers to digital communication include other environmental conditions like time, place, and medium.

Place is a barrier if you try to communicate with people on a channel they don’t already use, or where they
aren’t receptive to the information you’re trying to share.
Computer Liability

2. Emotional barriers

An individual’s beliefs, attitudes, and values have a strong influence on how they process information.

People can easily misinterpret digital communication, which often does not include vocal inflections, tone of
voice, facial expressions, body language, or other types of visual or audio cues people rely on to understand
emotional meaning.
Computer Liability

3. Identity barriers

Identity barriers can lead to miscommunications and misunderstandings, as well as misrepresentation of people
and their ideas.
Computer Liability

4. Semantic barriers

Semantic barriers are about the different interpretations of words and symbols used to communicate.

It can be people who speak a different language or dialect, have limited language proficiency, don’t have as
much knowledge about an issue, or use words and symbols differently than you do.
Computer Liability

5. Accessibility barriers

Digital communication is effective only when people of all abilities can access and understand information.

Photos, graphics, emoji, live streaming, webinars, podcasts, PDFs, videos, and other audio and visual formats
are now important parts of how people and organizations communicate online.
Computer Liability

6. Attention barriers

Attention barriers are when people miss out on what you have to say because they are distracted from giving
your message their full focus.

People may also be fatigued by information overload, with little attention span left.
Computer Liability
7. Credibility barriers

Credibility barriers interfere with digital communications when people can’t trust the message, the messenger,
or both.
Simple Ways To Keep Files Safe

• Regularly backup your files

• Use an external hard drive


• Store files in the cloud

• Control access to your files

• Encrypt your hard drive


Evaluation of Safety Critical System

Based on the data on recent failures of critical systems, the following can be concluded:

• Failures become more and more distributed and often nation-wide (e.g.
commercial systems like credit card denial of authorization).

• The source of failure is more rarely in hardware (physical faults), and more
frequently in system design or end-user operation / interaction (software).
Values in Design
-Solutions to Software Development Problems

Solid Requirements
Clear, complete, detailed, cohesive, attainable, testable requirements that are
agreed to by all players.

Realistic Schedules
Allow adequate time for planning, design, testing, bug fixing, re-testing, changes,
and documentation.

Adequate Testing
Start testing early on, re-test after fixes or changes, plan for adequate time for
testing and bug-fixing.
Values in Design
-Solutions to Software Development Problems

Stick to Initial Requirements where Feasible
Be prepared to defend against excessive changes and additions once development
has begun, and be prepared to explain consequences.

Communication
Require walkthroughs and inspections when appropriate; make extensive use of
group communication tools – groupware, wikis, bug-tracking tools and change
management tools, intranet capabilities.
What Do Computer Scientists Do?
• Develop and/or simplify algorithms
• Create new computing languages
• Determine new methods for working with computers
• Test new systems and designs
• Develop models and theories to address issues in the field
• Present findings to the scientific community
• Improve computer hardware performance
• Increase the efficiency of computer software and/or hardware
Module 6B

Ethics and Professional Responsibility in Computing
Intended Learning Outcomes

–Evaluate accountability issues in our computerized society; and

–Discuss the ethical, legal and social issues regarding the risk and responsibility for
public information.
Responsibilities of computing professionals
toward society
• Understand what success means

• Include users (such as medical staff, technicians, pilots, office workers) in the
design and testing stages to provide safe and useful systems

• Do a thorough, careful job when planning and scheduling a project and when
writing bids or contracts

• Design for real users and be inclusive


Responsibilities of computing professionals
toward society
• Don’t assume existing software is safe or correct

• Review and test it

• Be open and honest about capabilities, safety, and limitations of software

• Require a convincing case for safety

• Pay attention to defaults

• Develop communication skills


Ethics and Professional Responsibility in
Computing
• Professionals tend to have clients, not customers.

• Whereas a sales clerk should try to satisfy the customer’s desires, the
professional should try to meet the client’s needs (consistent with the welfare of
the client and the public).

• To become a computing professional, an individual must acquire specialized
knowledge about discrete algorithms and relational database theory, and
specialized skills such as software development techniques and digital system
design.

• Computing professionals usually learn this knowledge and acquire these skills
by earning a baccalaureate degree in computer science, computer engineering,
information systems, or a related field.
Ethics and Professional Responsibility in
Computing
What Is Moral Responsibility in Computing?
-In the early 1980s, Atomic Energy of Canada Limited (AECL) manufactured and sold a cancer radiation
treatment machine called the Therac-25, which relied on computer software to
control its operation. Between 1985 and 1987, the Therac-25 caused the deaths
of three patients and serious injuries to three others.

We can use the Therac-25 case to distinguish between four different kinds of
responsibility.

Causal responsibility
Responsibility can be attributed to causes: for example, “the tornado was
responsible for damaging the house.” In the Therac-25 case, the proximate
cause of each accident was the operator, who started the radiation treatment.
Ethics and Professional Responsibility in
Computing
Role responsibility
An individual who is assigned a task or function is considered the responsible
person for that role. In this sense, a foreman in a chemical plant may be
responsible for disposing of drums of toxic waste, even if a forklift operator
actually transfers the drums from the plant to the truck.

Legal responsibility
An individual or an organization can be legally responsible, or liable, for a
problem. That is, the individual could be charged with a crime, or the
organization could be liable for damages in a civil lawsuit.

Moral responsibility
Causal, role, and legal responsibilities tend to be exclusive: if one individual is
responsible, then another is not.
Ethics and Professional Responsibility in
Computing
What Are the Responsibilities of Computing Professionals?

Responsibilities to Clients and Users

-Whether a computing professional works as a consultant to an individual or as
an employee in a large organization, the professional is obligated to perform
assigned tasks competently, according to professional standards.

-Computing professionals enjoy considerable freedom in deciding how to meet
the specifications of a computer system. Provided that they meet the minimum
performance requirements for speed, reliability, and functionality.
Ethics and Professional Responsibility in
Computing
Responsibilities to Employers
-Most computing professionals work for employers. The employment
relationship is contractual: the professional promises to work for the employer in
return for a salary and benefits.

Responsibilities to Other Professionals
-While everyone deserves respect from everyone else, when professionals
interact with each other, they should demonstrate a kind of respect called
collegiality.
-Because clients cannot adequately evaluate the quality of professional service,
individual professionals know that their work must be evaluated by other
members of the same profession.
-This evaluation, called peer review, occurs in both practice and research.
Ethics and Professional Responsibility in
Computing
Responsibilities to the Public

-According to engineering codes of ethics, the engineer’s most important obligation
is to ensure the safety, health, and welfare of the public. Although everyone
must avoid endangering others, engineers have a special obligation to ensure
the safety of the objects that they produce.

-Computing professionals share this special obligation to guarantee the safety
of the public, and to improve the quality of life of those who use computers and
information systems.
Ethics and Professional Responsibility in
Computing
Responsibilities to the Public

-The responsibility to educate the public is a collective responsibility of the
computing profession as a whole; individual professionals might fulfill this
responsibility in their own ways.

-Examples of such public service include advising a church on the purchase
of computing equipment, and writing a letter to the editor of a newspaper about
technical issues related to proposed legislation to regulate the Internet.
References
Evaluation of Safety Critical System. (2020). Retrieved from
https://www.powershow.com/view1/7dc2f-ZDc1Z/Safety-Critical_Systems_3_Hardware_Software_powerpoint_ppt_presentation
What Do Computer Scientists Do?. (2019). Retrieved from
https://study.com/articles/Computer_Scientist_Job_Description_Duties_and_Requirements.html
Solutions to Software Development Problems. (2018). Retrieved from
https://www.360logica.com/blog/five-common-solutions-to-software-development-problems
Barriers in digital communication. (2018). Retrieved from
https://www.govloop.com/community/blog/7-barriers-digital-communication/
Simple Ways To Keep Files Safe. (2014). Retrieved from
https://boston.cbslocal.com/2014/01/27/business-security-5-simple-ways-to-keep-files-safe/
Hardware and Software Reliability. (2013). Retrieved from
https://www.slideshare.net/sandeeppatalay/software-and-hardware-reliability
Bathtub Curve for hardware reliability. (2008). Retrieved from
https://www.researchgate.net/figure/Bathtub-curve-for-hardware-reliability_fig1_228732541
Ethics and Professional Responsibility in Computing. (2019). Retrieved from
https://www.onlineethics.org/Resources/ethics-and-professional-responsibility-in-computing.aspx
SOCIAL AND PROFESSIONAL ISSUES

Ethical Decisions in Software Development
Module 7
Module 7A

Software Quality
Intended Learning Outcomes

–Explain the use of high quality software in the business system;

–Enumerate the types of Software Product Liability; and

–Understand the ethical practices of the users.


Strategies for Engineering Quality Software

High-quality software systems
- are easy to learn and use because they perform quickly and efficiently;
- meet their users’ needs; and
- operate safely and reliably so that system downtime is kept to a minimum.

Software defect
-is any error that, if not removed, could cause a software system
to fail to meet its users’ needs.

Software quality
- the degree to which a software product meets the needs of its
users.

Quality management
-focuses on defining, measuring, and refining the quality of the development
process and the products developed during its various stages.

-The objective of quality management is to help developers deliver high-quality
systems that meet the needs of their users.

-A primary cause of poor software quality is that many developers do not know
how to design quality into software from the very start; some simply do not take the
time to do so.

-To develop high-quality software, developers must define and follow a set of
rigorous software engineering principles and be committed to learning from past
mistakes.
The Importance of Software Quality
-A business information system is a set of interrelated components—including
hardware, software, databases, networks, people, and procedures—that collects
and processes data and disseminates the output.

-Another type of business information system is the decision support system
(DSS), which is used to improve decision making in a variety of industries.

-A DSS can be used to
• develop accurate forecasts of customer demand,
• recommend stocks and bonds for an investment portfolio,
• schedule shift workers.

-Software is also used to control many industrial processes.

-Software is also used to control the operation of many industrial and consumer
products.

-As a result of the increasing use of computers and software in business, many
companies are now in the software business whether they like it or not.
Software Product Liability
-The liability of manufacturers, sellers, lessors, and others for injuries caused by
defective products is commonly referred to as product liability.

-If a software defect causes injury or loss to purchasers, lessees, or users of the
product, the injured parties may be able to sue as a result.

-Software product liability claims are typically based on strict liability, negligence,
breach of warranty, or misrepresentation—sometimes in combination with one
another.

-Strict liability means that the defendant is held responsible for injuring another
person, regardless of negligence or intent.

-Negligence is the failure to do what a reasonable person would do, or doing
something that a reasonable person would not do.

-A warranty assures buyers or lessees that a product meets certain standards of
quality.

Warranty requires that the following standards be met:

• The goods must be fit for the ordinary purpose for which they are used.
• The goods must be adequately contained, packaged, and labeled.
• The goods must be of an even kind, quality, and quantity within each unit.
• The goods must conform to any promise or affirmation of fact made on the
container or label.
• The quality of the goods must pass without objection in the trade.
• The goods must meet a fair average or middle range of quality.

-If the product fails to meet the terms of its warranty, the buyer or lessee can sue for
breach of warranty.

-Software suppliers frequently write warranties to attempt to limit their liability in the
event of nonperformance.

-Although a certain software application may be warranted to run on a given
machine configuration, often no assurance is given as to what that software
will do.
Module 7B

Strategies for Developing Quality Software
Intended Learning Outcomes

–Understand the essential components of a software development methodology;

–Understand the potential ethical issues that software manufacturers face; and

–Understand the ethical practices of the users.


Strategies for Developing Quality Software
Software Development Methodologies
-Developing information system software is not a simple process.

-A methodology defines activities in the software development process and the
individual and group responsibilities for accomplishing these activities.

-A methodology also offers guidelines for managing the quality of software during
the various stages of development.

[Figure: Software Development Methodology. Source Line: Course Technology/Cengage Learning.]



-The waterfall system development model is a sequential, multistage system
development process in which development of the next stage of the system cannot
begin until the results of the current stage are approved or modified as necessary.

-Under the agile development methodology, a system is developed in iterations
(often called sprints) lasting from one to four weeks.

-Agile development concentrates instead on maximizing the team’s ability to deliver
quickly and respond to emerging requirements.

[Figure: Waterfall system development model]

[Figure: Agile system development methodology]

[Table: Pros and cons of waterfall and agile]

Quality assurance (QA) - refers to methods within the development process that are designed to guarantee reliable
operation of a product.
Software Testing
-Software is developed in units called subroutines or programs.

-One approach to QA is to test the code for a completed unit of software by actually
entering test data and comparing the results to the expected results in a process
called dynamic testing.

There are two forms of dynamic testing:

• Black-box testing involves viewing the software unit as a device that has
expected input and output behaviors but whose internal workings are unknown
(a black box).

• White-box testing treats the software unit as a device that has expected input
and output behaviors but whose internal workings, unlike the unit in black-box
testing, are known.
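
The dynamic-testing process described above, as an added example that is not part of the original slides: a constructed unit, `lockout_seconds`, with a hypothetical spec and a deliberately planted defect, is run against black-box cases chosen from the spec alone and white-box cases chosen after reading the code. All names, the spec, and the test data are assumptions made for illustration.

```python
# Added example (constructed): dynamic testing of one software unit.
# Hypothetical spec: lockout is 0 s below 3 failed logins,
# 30 s for 3 to 5 failures, and 300 s above 5.

def lockout_seconds(failed_attempts):
    """Unit under test. The third branch is a deliberate defect for the demo."""
    if failed_attempts < 3:
        return 0
    if failed_attempts <= 5:
        return 30
    if failed_attempts > 1000:  # defect: contradicts the spec (should be 300)
        return 0
    return 300


def run_dynamic_tests(unit, cases):
    """Enter each test input and compare the actual result to the expected one.

    Returns a list of (input, expected, actual) tuples for every mismatch.
    """
    failures = []
    for test_input, expected in cases:
        actual = unit(test_input)
        if actual != expected:
            failures.append((test_input, expected, actual))
    return failures


# Black-box cases: chosen from the spec alone, at the edges of each stated range.
BLACK_BOX_CASES = [(0, 0), (2, 0), (3, 30), (5, 30), (6, 300)]

# White-box cases: chosen after reading the code, one input per branch.
# Expected values still come from the spec, never from the code itself.
WHITE_BOX_CASES = [(1, 0), (4, 30), (1001, 300), (50, 300)]


if __name__ == "__main__":
    print("black-box failures:", run_dynamic_tests(lockout_seconds, BLACK_BOX_CASES))
    print("white-box failures:", run_dynamic_tests(lockout_seconds, WHITE_BOX_CASES))
```

The black-box cases all pass because nothing in the spec hints at the extra branch; the white-box case that targets it is the only one that exposes the defect.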

Types of Software Testing

• Static testing - Special software programs called static analyzers are run
against new code.

• Integration testing - After successful unit testing, the software units are
combined into an integrated subsystem.

• System testing - After successful integration testing, the various subsystems
are combined to test the entire system as a complete entity.

• User acceptance testing - Independent testing is performed by trained end
users to ensure that the system operates as they expect.
Key Issues in Software Development

-A safety-critical system is one whose failure may cause human injury or death.

-The key to ensuring that these additional tasks are completed is to appoint a
system safety engineer, who has explicit responsibility for the system’s safety.

-The hazard log is used at each stage of the software development process to
assess how it has accounted for detected hazards.

-However, the safety engineer must keep in mind that his or her role is not simply
to produce a hazard log but rather to influence the design of the system to
ensure that it operates safely when put into use.

-Risk is the potential of gaining or losing something of value. Risk can be
quantified by three elements:

• a risk event
• the probability of the event happening
• the impact (positive or negative) on the business outcome if the risk does
actually occur

-Risk management is the process of identifying, monitoring, and limiting risks to a
level that an organization is willing to accept.

Strategies for addressing a particular risk include the following:

1. Acceptance - When the cost of avoiding a risk outweighs the potential loss of a
risk, an organization will likely accept the risk.

2. Avoidance - An organization may choose to eliminate the vulnerability that gives
rise to a particular risk in order to avoid the risk altogether.

3. Mitigation - Risk mitigation involves the reduction in either the likelihood or the
impact of the occurrence of a risk.

4. Redundancy - The provision of multiple interchangeable components to
perform a single function in order to cope with failures and errors.

5. Transference - A common way to accomplish risk transference is for an
individual or an organization to purchase insurance, such as auto or business
liability insurance.

Reliability is a measure of the rate of failure in a system that would render it
unusable over its expected lifetime.
Quality Management Standards

-The International Organization for Standardization (ISO), founded in 1947, is a
worldwide federation of national standards bodies from 161 countries. The
organization issued its 9000 series of business management standards in 1988.

-The ISO 9001 family of standards serves as a guide to quality products, services, and
management.

-ISO 9001:2008 provides a set of standardized requirements for a quality
management system.

-Over 1 million organizations in more than 175 countries have ISO 9001
certification.

-To obtain this coveted certificate, an organization must submit to an examination
by an external assessor and must fulfill the following requirements:

• Have written procedures for all processes

• Follow those procedures

• Prove to an auditor that it has fulfilled the first two requirements; this proof can
require observation of actual work practices and interviews with customers,
suppliers, and employees.
-Failure mode and effects analysis (FMEA) is an important technique used to
develop ISO 9001-compliant quality systems by both evaluating reliability and
determining the effects of system and equipment failures.

-Failure mode describes how a product or process could fail to perform the desired
functions described by the customer.