Security Fundamentals: Ethics in Cybersecurity
By Edward J. Hawkins, II
For most organizations, the professionals who work in support roles are typically the most trusted within the organization due to the nature of their work. These roles typically require an organization to place the utmost faith and trust in the professional, and therefore the professional must have the utmost sense of ethics.
These roles can be administrative, research and development, information technology based, or any other role that allows for individuals to have access to organizational or personal information. Therefore, it is the responsibility of the organization to ensure that the highest levels of ethical standards are not only in place but also adhered to.
However, the difficulty lies in developing ethical standards and policies that are in line with the organization's leadership, standards, policies, and regulations for ethical behavior. Keith Willett, in his book Information Assurance Architecture, identifies that one business driver for many organizations is to show legal compliance with laws such as the Sarbanes-Oxley Act of 2002.
So, what determines what is ethical and are all ethical standards equal? Well, to be fair, there are multiple ethical standards, but there are two main categories of these standards. These categories, while not standard to ethical teaching and literature, are: personal and professional. The reason that they are not standard to typical teaching and literature is due to how they are internalized by the individual.
By taking a moment to examine these two categories, we can gain an understanding of why an individual may become a whistleblower or commit fraud. The misalignment of personal and professional ethics can result in either situation. This concept of personal and professional ethical standards is not new and was highlighted by Joseph L. Badaracco, Jr. in his 1998 article “The Discipline of Building Character”; however, he does not directly attribute the separation of standards.
Instead, Mr. Badaracco uses ethical situations to describe how deeply rooted a person’s ethical standards can be when faced with ethical dilemmas and how they overcame them. Many people may rely on their upbringing as the basis of their personal ethics, but organizations will probably utilize a code of ethics as the source for their employees.
Dr. Schou and Mr. Hernandez, in the Information Assurance Handbook, define a code of ethics as ethical guidelines. When personal and professional ethics are in conflict with each other, there is a higher chance that the individual will take actions that negatively affect the party with which they are in conflict.
With the understanding that everyone subscribes to two sets of ethics, albeit similar ones, we need to understand how these standards are applied to the world of Cybersecurity, and to whom they apply. Herman Tavani asked this question, among others, in his book Ethics and Technology: Controversies, Questions, and Strategies for Ethical Computing. When you boil everything down, the pervasiveness of computers and the Internet, and their intertwining with our daily lives, has given many classical ethical dilemmas new tools and mediums through which to play out.
For example, bullying still exists on the Internet, only now it is known as Cyberbullying, and stalking exists as Cyberstalking. Then there is the ethical problem of whether certain medicines or drugs should be made available on the Internet and how they should be distributed. Another hotly debated issue is that of the originality of content.
In the world of professional and academic writing, plagiarism can end the career of the individual caught. In Cybersecurity, with the number of brain-dump websites out there, the lack of ethical standards could mean the difference between catching an attacker and causing the organization to lose millions of dollars as the result of a successful compromise.
For an organization, a core concept for anyone working in its information technology sector is that of trust. It is that trust that is gained through mutually agreeable behaviors. However, to ensure that the network is as secure as possible, the security posture must trust no one and must verify that everyone is acting in an ethical manner as prescribed by policy.
If policy violations are discovered, the question must be asked: “Is the violated policy ethically flawed?” or “Was there an ethical misalignment that led to the policy violation?” The answers to these questions will come down to how the organizational leadership views ethics and its observed behavior towards the policies.