Ethics in InfoSec


Karly Stinedurf
Agenda

- What is Ethics?
- The Ten Commandments of Computer Ethics
- Frameworks/Standards of Ethics
- Ethics and Education
- Deterring Unethical Behavior
- Organizational Liability
- Managing Investigations in the Organization
What is Ethics?

- How humans ought to act
- Rules we should live by
- Willingness to do the right thing
- A common understanding of what is appropriate behavior
- Various definitions of what "ethical" behavior is, based on individual beliefs
- Communities frame ethical choices
- Important for Information Security professionals
- https://www.youtube.com/watch?v=3fMLIMaPw0I
The Ten Commandments of Computer Ethics

1. Don't use computers to hurt others
2. Don't interfere with other people's use of computers
3. Don't view the contents of other people's computers without permission
4. Don't steal using a computer
5. Don't use a computer as a tool to fabricate information
6. Don't illegally copy or use software
7. Don't use a computer or computer-based resource without explicit permission or without paying for it
8. Don't steal someone's intellectual property
9. Don't remain ignorant or unconscious of the effect that computers have on society as a whole and on the individuals using them
10. Don't devalue humanity by using computers in ways that disrespect others
Frameworks/Standards of Ethics

- Normative ethics- the study of what makes actions right or wrong- how should people act?
- Meta-ethics- the study of the meaning of ethical judgments and properties- what is right?
- Descriptive ethics- the study of the choices that have been made by individuals in the past- what do others think is right?
- Applied ethics- an approach that applies moral codes to actions drawn from realistic situations- how to define how we use ethics in practice
- Deontological ethics- the study of the rightness or wrongness of intentions and motives as opposed to consequences- defines a person's ethical duty

- Utilitarian approach- an ethical action is one that results in the most good, or the least harm- links consequences to choices
- Rights approach- the ethical action is one that best protects and respects the moral rights of those affected by the action
- Fairness or justice approach- ethical actions are those whose outcomes regard all human beings equally, or incorporate a degree of fairness
- Common good approach- the complex relationships in society are the basis of a process founded on ethical reasoning that respects and has compassion for all others- common welfare
- Virtue approach- ethical actions should be consistent with ideal virtues such as honesty, courage, compassion, generosity, tolerance, love, etc.
Ethics and Education

- Key factor in establishing ethics in an organization
- InfoSec employees may not know what is unethical in a technical situation
- Scenarios should be used to simulate practical situations
- Creates low-risk, ethical employees

Scenario 1: A student at a university learned to use an expensive spreadsheet program in her accounting class. The student would go to the university computer lab and use the software to complete her assignments. Signs were posted in the lab indicating that copying software was forbidden. One day, she decided to copy the software anyway to complete her work assignments at home.

Scenario 2: A student suspected and found a loophole in her university's computer security system that allowed her to access other students' records. She told the system administrator about the loophole, but she continued to access other records until the problem was corrected two weeks later.

- https://www.youtube.com/watch?v=0mUxMpMTT28
Deterring Unethical Behavior

- Three categories of unethical behavior in organizations:
  - Ignorance- not knowing the law
  - Accident- making a mistake
  - Intent- a criminal/unethical state of mind
- Three methods of deterrence:
  - Fear of penalty
  - Probability of being caught
  - Probability of the penalty being administered
Organizational Liability

- Liability- an entity's legal obligation
- Liability for an action can lead to restitution or payment
- An organization increases its liability when it refuses to take proper measures to ensure ethical behavior
- Due diligence
- Long-arm jurisdiction
Managing Investigations in the Organization

- Internal investigations regarding computer ethics are often completed using digital forensics
- There has to be substantial evidence before action is taken
- Documenting, preserving, identifying, and extracting evidence
- Digital forensics is used for two purposes related to ethics:
  - To investigate allegations of digital malfeasance
  - To perform root cause analysis
- When investigators discover evidence they should notify management and recommend contacting law enforcement
- Organizational approaches to digital forensics:
  - Protect and forget
  - Apprehend and prosecute
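The "preserving" and "documenting" steps above are what make evidence substantial enough to act on: if an investigator cannot show that the files examined are the same files that were collected, the findings are easy to dispute. The following is an added example (not part of the original slides or the cited textbook) showing one common way to do this: record a SHA-256 hash of every collected item in a manifest together with a chain-of-custody log, and re-verify the hashes before the evidence is relied on. The evidence files, the log lines inside them, and the analyst name are constructed for the demo.

```python
"""Evidence-preservation helper: hash manifest plus chain-of-custody log.

Added illustration for the forensics slide; file names, log contents and
the analyst identifier are constructed sample values, not real case data.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large evidence images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record name, size and SHA-256 of every file collected, plus who collected it and when."""
    now = datetime.now(timezone.utc).isoformat()
    items = {}
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items[name] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "collected_by": collector,
        "collected_at": now,
        "items": items,
        # Every hand-off is appended here so the custody chain is documented.
        "custody_log": [{"action": "acquired", "by": collector, "at": now}],
    }


def record_custody(manifest, action, by):
    """Append a chain-of-custody entry (e.g. 'transferred to legal') and return the manifest."""
    manifest["custody_log"].append(
        {"action": action, "by": by, "at": datetime.now(timezone.utc).isoformat()}
    )
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash each recorded item; return (name, problem) pairs for missing or altered files."""
    problems = []
    for name, meta in manifest["items"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
        elif sha256_file(path) != meta["sha256"]:
            problems.append((name, "modified"))
    return problems


def demo():
    """Constructed scenario: two evidence files are collected, then one is altered.

    Returns (problems before tampering, problems after tampering, custody entries).
    """
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed log excerpts loosely mirroring the two classroom scenarios.
        with open(os.path.join(evidence_dir, "lab_access.log"), "w") as fh:
            fh.write("2024-01-10 09:12 user=student1 action=copy file=spreadsheet_installer\n")
        with open(os.path.join(evidence_dir, "records_query.log"), "w") as fh:
            fh.write("2024-01-11 14:03 user=student2 action=read record=student/4471\n")

        manifest = build_manifest(evidence_dir, "analyst-1")
        record_custody(manifest, "transferred to legal", "analyst-1")
        clean = verify_manifest(evidence_dir, manifest)

        # Simulate an unrecorded change to one item after collection.
        with open(os.path.join(evidence_dir, "lab_access.log"), "a") as fh:
            fh.write("edited after collection\n")
        tampered = verify_manifest(evidence_dir, manifest)

        return clean, tampered, len(manifest["custody_log"])


if __name__ == "__main__":
    before, after, entries = demo()
    print("problems before tampering:", before)
    print("problems after tampering:", after)
    print("custody log entries:", entries)
```

The manifest itself should be stored separately from the evidence (and ideally signed or hashed in turn), otherwise whoever can alter the evidence can also rewrite the hashes; the example only covers integrity of the collected items, not the authenticity of the manifest.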
References

Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.