
B1. Ethics in Cyber Security

The document discusses the importance of ethics and morality in cybersecurity, highlighting the distinction between the two concepts and their implications for professionals in the field. It emphasizes the ethical responsibilities of cybersecurity professionals, the significance of various policies, and the ethical challenges they face, including privacy protection and transparency. Key aspects of cybersecurity ethics include fairness, integrity, continuous learning, and accountability, which are essential for maintaining trust and security in the digital realm.

Uploaded by Pd Skull

Ethics in Cyber Security

What is Ethics?
• Ethics typically refers to a set of principles or standards that guide
individuals or groups in determining what is right or wrong, good or
bad behavior in a particular context or society.
• Ethics often involve considerations of fairness, justice, honesty, and
responsibility.
• They can be derived from various sources such as religious beliefs,
philosophical theories, cultural norms, or professional codes of
conduct.
What is Morality?
• Morality, on the other hand, pertains to an individual's personal
beliefs about right and wrong behavior.
• It often involves deeply held convictions about what is morally
permissible or impermissible based on one's values, upbringing, and
personal experiences.
• Morality influences how individuals make decisions and navigate
ethical dilemmas in their lives.
Ethics vs Morality

| Ethics | Morality |
| --- | --- |
| The word Ethics originated from the Greek word ethos. The meaning of ethos is character. | The word Morals originated from the Latin word Mos. The meaning of Mos is custom. |
| Legal guidelines and professional rules govern ethics. The acceptability of ethics is confined within a particular space and time frame. | The acceptability of morality transcends the norms laid down by culture. |
| Ethics are dependent on the prism of others. | Morality is seen from the perspective of an individual. |
| If the contexts are different, then the ethics could be different. Hence there is some degree of flexibility in ethics. | Change in morality depends on the difference in the beliefs of an individual. |

Ethics vs Morality

| Ethics | Morality |
| --- | --- |
| Ethics are followed because society has decided it is the right course of action. | Morality is followed because a person believes that it is the right course of action. |
| A person who follows ethical principles need not necessarily have strong moral values; in fact, it is even possible that he may not have any morals. | There could be situations where a moral person violates ethics to uphold his moral values. |
| Ethics is usually associated with the fields of law, medicine or business. Ethics does not have a religious connotation. | Morality has a religious connotation. |

What’s Cybersecurity Ethics?

• Ethics defines right and wrong actions in specific situations and is
fundamental to society.
• In the cyber realm, ethics serves as a guidepost for cybersecurity
professionals.
• It helps identify the type of online behavior and conduct that harms
individuals and businesses.
What’s Cybersecurity Ethics?

• Ethical principles are what separate cybersecurity professionals from
hackers.
• For example, while the hacker tries to steal data, the cybersecurity
professional tries to protect it.
• When hackers access data, they use it for nefarious purposes. On the
other hand, cybersecurity professionals, who have access to the same
data, use their skills to ensure that the data’s safe and secure.
Importance of Cybersecurity
• From data breaches to deepfakes, cybersecurity professionals deal with many
threats. These unethical online activities have a profound impact on people
and businesses. For example, a hacker may steal a company’s data, an act that
can compromise customer data. A cybercriminal can then take that data and
sell it on the dark web. Cybersecurity is vital to preserve privacy and guard
against identity theft.
• Cybersecurity also protects people from cybercrimes such as financial fraud.
For example, consumers exchange their data with banks and financial
institutions when conducting online banking. Cybersecurity helps secure
financial transactions, safeguarding bank accounts and credit card
information.
• A breach can also disrupt regular business operations and inconvenience
customers and employees — or even put regional or national infrastructure at
risk. In urgent settings, such as hospitals, attacks on computer networks can
harm people and impact their health.
Ethical Responsibilities of Cybersecurity Professionals

• Organizations hire cybersecurity professionals to protect their sensitive
information from cyber threats, and hiring decisions for cybersecurity
roles are not made lightly.
• Frameworks for cyber ethics and codes of conduct may vary by
organization. What’s the same is that employers look to hire
trustworthy professionals with a strong ethical compass because
cybersecurity professionals have access to the same data that
cybercriminals wish to steal.
• The difference is that cybersecurity professionals adhere to
cybersecurity ethics, meaning that organizations can trust them to
oversee valuable information.
Ten Commandments of Computer Ethics
From the Computer Ethics Institute
• Thou shalt not:
    • Use a computer to harm other people
    • Interfere with other people's computer work
    • Snoop around in other people's computer files
    • Use a computer to steal
    • Use a computer to bear false witness
    • Copy or use proprietary software (w/o paying)
Ten Commandments of Computer Ethics
• Thou shalt not:
    • Use other people's computer resources without authorization or
      proper compensation
    • Use other people's intellectual output without consent
• Thou shalt:
    • Think about the social consequences of the program you are
      writing or the system you are designing
    • Always use a computer in ways that ensure consideration and
      respect for fellow humans
Deterring Unethical and Illegal Behavior
• InfoSec personnel should do everything in their power to deter
unethical and illegal acts
    • Using policy, education and training, and technology as controls to
      protect information
• Categories of unethical behavior
    • Ignorance
    • Accident
    • Intent
Deterring Unethical and Illegal Behavior (cont’d.)
• Deterrence
    • Best method for preventing an illegal or unethical activity
    • Examples: laws, policies, and technical controls
• Laws and policies and their associated penalties only deter if three
conditions are present:
    • Fear of penalty
    • Probability of being caught
    • Probability of penalty being administered
Developing Information Management Policies
E-policies typically include:
• Ethical computer use policy
• Information privacy policy
• Acceptable use policy
• Email privacy policy
• Internet use policy
• Anti-spam policy
Ethical Computer Use Policy
• Ethical computer use policy – contains general principles to guide
computer user behavior

• The ethical computer use policy ensures all users are informed of the
rules and, by agreeing to use the system on that basis, consent to
abide by the rules
Ethical Computer Use Policy
• Information is a valuable corporate asset
• The CIO is steward of corporate information
• The CIO is responsible for information access
• The CIO is responsible for preventing information destruction
• The CIO is responsible for information management practices and
policies
• The CIO must execute the information management policies
Information Privacy Policy
• The unethical use of information typically occurs “unintentionally”
when it is used for new purposes

• Information privacy policy – contains general principles regarding
information privacy
Information Privacy Policy
• Information privacy policy guidelines
    • Adoption and implementation of a privacy policy
    • Notice and disclosure
    • Choice and consent
    • Information security
    • Information quality and access
Acceptable Use Policy
• Acceptable use policy (AUP) – a policy that a user must agree to
follow in order to be provided access to a network or to the Internet

• An AUP usually contains a nonrepudiation clause


Acceptable Use Policy
• Will not violate any laws
• Will not break the security
• Will not post commercial messages
• Will not perform nonrepudiation
• Will not send spam
Email Privacy Policy
• Organizations can mitigate the risks of email and instant messaging
communication tools by implementing and adhering to an email
privacy policy

• Email privacy policy – details the extent to which email messages
may be read by others
Email Privacy Policy
• Should complement ethical computer use policy
• Defines who are legitimate email users
• Identifies backup procedures
• Explains legitimate grounds for reading user email
• Informs email control
• Asks employees to be careful when posting organizational information
Internet Use Policy
• Internet use policy – contains general principles to guide the proper
use of the Internet
    • Describes available Internet services
    • Defines the purpose and restriction of Internet access
    • Complements the ethical computer use policy
    • Describes user responsibilities
    • States the ramifications for violations
Anti-Spam Policy
• Spam – unsolicited email

• Anti-spam policy – simply states that email users will not send
unsolicited emails (or spam)
Types of Cybersecurity Ethical Issues
• For cybersecurity professionals, keeping systems secure often means using
privileged access to data to perform activities such as white hat hacking,
also known as ethical hacking. White hat hacking describes penetrating
protected systems using hacking tools and techniques to test the security of
systems, networks and software. The aim is to identify security
vulnerabilities. Cybersecurity research to learn how to break through the
safeguards of a system enables cybersecurity professionals to build
defenses against them.
• White hat hacking offers an example of cybersecurity ethical issues in the
profession. A white hat hacker must be trustworthy enough to safeguard
the confidentiality of the information they encounter, but there have also
been notable incidents in which security professionals discovered crimes
or public threats that they decided to share with authorities. A solid ethical
foundation can serve as the bedrock to help employees make the right
decisions as they face some key cybersecurity ethical issues, as listed below.
Harm to Privacy

• Harm to privacy refers to an individual’s privacy becoming
compromised. Negative consequences include unauthorized access,
identity theft, reputational damage and distress. A cybersecurity
professional’s decisions ultimately impact privacy protection. They
can safeguard privacy in several ways, including implementing
security measures, tools and practices; calling out designs and apps
that mislead users into sharing excessive information; ensuring
compliance with security frameworks; and mitigating risks.
Harm to Property

• Harm to property refers to damage to both physical and digital
assets. It can lead to unauthorized access and the disruption of
services. For a cybersecurity professional, prioritizing network
security becomes an ethical matter. They have a responsibility to
implement countermeasures, which can include risk assessments,
firewalls and continuous monitoring. Failure to do so can lead to
property harm caused by a cyber attack.
Cybersecurity Resource Allocation

• Determining what to invest in cybersecurity activities can be a
challenge. Large companies can invest more resources to enhance
their cyber defenses, improving their chances of detecting anomalies
or intrusions. More important, knowing how to allocate resources is
essential. Cybersecurity professionals must properly use resources
for the greater good of the organization and its stakeholders.
Deploying a patch for a critical software vulnerability may be costly
and time consuming, but not doing so may risk a data breach that
impacts millions of customers.
Transparency and Disclosure

• Companies should promptly reveal critical vulnerabilities in their
software upon learning about them. This level of transparency can
not only help cybersecurity professionals collaborate and share
information to respond quickly to attacks but also allow customers
whose data is threatened to take appropriate action to diminish their
own risks.
Ethical Challenges Faced by Cybersecurity Professionals

• From keeping sensitive data confidential to confronting user privacy
issues in the workplace, cybersecurity professionals must find a healthy
balance between safeguarding information and upholding cybersecurity
ethics standards.

• Confidentiality
    • Cybersecurity professionals handle sensitive information, from personal
      customer data to a business’s proprietary information. Disclosing this
      data can have severe consequences, so cybersecurity professionals must
      never reveal confidential information, unless a significant public benefit
      exists for doing so.
Cont.
• Threats and Risks
    • Cybersecurity professionals are duty-bound to respond to cyber threats.
      Remaining vigilant is always a priority, and their response is crucial. While
      individuals may overlook notifications or leave their computers unattended,
      cybersecurity experts should never do so.

• Balancing Security With Business Interests
    • Cybersecurity professionals may encounter unethical practices within a
      business unit. Reporting the issue to supervisors may be the best first step.
      In the case of illegal activity, a cybersecurity professional may consider
      reporting it to authorities or the media.
Cont.
• User Privacy
    • Cybersecurity professionals have to balance security and user privacy.
      In protecting their organizations from cyber attacks, cybersecurity
      professionals sometimes have to access employees’ online activities.
      Without carefully considering user privacy, this can come close to
      violating a person’s rights.
Key Aspects of Ethics in Cybersecurity
• Privacy Protection: Cybersecurity professionals must
respect individuals' privacy rights and handle personal
data ethically and responsibly. This involves
implementing robust security measures to safeguard
sensitive information from unauthorized access or
misuse.
• Transparency: It's essential to be transparent about
security practices, including how data is collected,
stored, and used. Users should be informed about
potential risks and the steps taken to mitigate them.
Key Aspects of Ethics in Cybersecurity
• Fairness: Cybersecurity measures should be applied
fairly and without discrimination. This means ensuring
equal protection for all users, regardless of factors such
as race, gender, or socioeconomic status.
• Integrity: Cybersecurity practitioners should uphold
the integrity of systems and data by ensuring that they
are accurate, reliable, and tamper-proof. This includes
preventing data manipulation, unauthorized alterations,
or other forms of cyberattacks that could compromise
the trustworthiness of information.
Key Aspects of Ethics in Cybersecurity
• Continuous Learning and Improvement: Ethical
cybersecurity professionals engage in ongoing
education and training to stay updated on the latest
threats, vulnerabilities, and best practices. They
continuously improve their skills and adapt their
strategies to effectively protect against evolving cyber
risks.
• Respect for Law and Regulations: Cybersecurity
practitioners must adhere to relevant laws, regulations,
and industry standards governing the protection of data
and information systems.
Key Aspects of Ethics in Cybersecurity
• Responsible Disclosure: When cybersecurity
researchers discover vulnerabilities, they should follow
responsible disclosure practices by promptly reporting
them to the appropriate authorities or affected parties
without exploiting or publicizing them prematurely.
• Ethical Hacking: Ethical hackers, also known as white-
hat hackers, use their skills to uncover security
weaknesses in systems with the permission of the
system owners. They operate within legal and ethical
boundaries, ensuring that their actions are intended to
improve security rather than cause harm.
Key Aspects of Ethics in Cybersecurity
• Accountability: Individuals and organizations
responsible for cybersecurity must be held accountable
for their actions. This involves taking responsibility for
security breaches, promptly addressing vulnerabilities,
and implementing measures to prevent future incidents.
• Avoiding Conflicts of Interest: Cybersecurity
professionals should avoid conflicts of interest that
could compromise their objectivity or integrity. This
includes refraining from actions that prioritize personal
gain or the interests of a particular organization over
the security needs of users or the public.
