Ethics in InfoSec
Karly Stinedurf
What is Ethics?
The Ten Commandments of Computer Ethics
Frameworks/Standards of Ethics
Ethics and Education
Deterring Unethical Behavior
Organizational Liability
Managing Investigations in the Organization
How humans ought to act
Rules we should live by
Willingness to do the right thing
A common understanding of what constitutes appropriate behavior
Definitions of "ethical" behavior vary, because they are based on individual beliefs
Communities frame ethical choices
Important for information security professionals, who routinely hold access and authority that others do not
https://www.youtube.com/watch?v=3fMLIMaPw0I
1. Don't use a computer to harm other people
2. Don't interfere with other people's use of computers
3. Don't view the contents of other people's computers without permission
4. Don't steal using a computer
5. Don't use a computer as a tool to fabricate information
6. Don't illegally copy or use software
7. Don't use a computer or computer-based resource without explicit permission or without paying for it
8. Don't steal someone's intellectual property
9. Don't remain ignorant of, or indifferent to, the effect that computers have on society as a whole and on the individuals using them
10. Don't devalue humanity by using computers in ways that disrespect others
Normative ethics: the study of what makes actions right or wrong; how should people act?
Meta-ethics: the study of the meaning of ethical judgments and properties; what does "right" mean?
Descriptive ethics: the study of the choices individuals have actually made in the past; what do others think is right?
Applied ethics: the approach that applies moral codes to actions drawn from realistic situations; how do we put ethics into practice?
Deontological ethics: the study of the rightness or wrongness of intentions and motives, as opposed to consequences; it defines a person's ethical duty
Utilitarian approach: an ethical action is one that results in the most good, or the least harm; it links consequences to choices
Rights approach: the ethical action is the one that best protects and respects the moral rights of those affected by the action
Fairness or justice approach: ethical actions are those whose outcomes treat all human beings equally, or incorporate a degree of fairness
Common good approach: the complex relationships in society are the basis of a process of ethical reasoning that respects and has compassion for all others; the focus is common welfare
Virtue approach: ethical actions should be consistent with ideal virtues such as honesty, courage, compassion, generosity, tolerance, love, etc.
Education is a key factor in establishing ethics in an organization
InfoSec employees may not recognize what is unethical in a technical situation
Scenarios should be used to simulate practical situations
Creates low-risk, ethical employees
A student at a university learned to use an expensive spreadsheet program in her accounting class. The student would go to the university computer lab and use the software to complete her assignments. Signs were posted in the lab indicating that copying software was forbidden. One day, she decided to copy the software anyway so she could complete her work assignments at home.
A student suspected, and then found, a loophole in her university's computer security system that allowed her to access other students' records. She told the system administrator about the loophole, but she continued to access other records until the problem was corrected two weeks later.
https://www.youtube.com/watch?v=0mUxMpMTT28
Three categories of unethical behavior in organizations:
Ignorance: not knowing the law or policy
Accident: making a mistake
Intent: a criminal or unethical state of mind
Deterrence works only when three conditions hold:
Fear of the penalty
A perceived probability of being caught
A perceived probability of the penalty actually being administered
Liability: an entity's legal obligation
Liability for an action can lead to restitution or payment
An organization increases its liability when it refuses to take proper measures to ensure ethical behavior
Due diligence: the organization makes a valid, documented effort to ensure employees know what is acceptable and what the consequences of illegal or unethical actions are
Long-arm jurisdiction: a court's authority to reach a party outside its own territory, so an organization may be held liable in jurisdictions where its actions have an effect
Internal investigations regarding computer ethics are often completed using digital forensics
There has to be substantial evidence before action is taken
Identifying, preserving, documenting, and extracting evidence
Digital forensics is used for two purposes related to ethics:
To investigate allegations of digital malfeasance
To perform root cause analysis
When investigators discover evidence of a crime, they should notify management and recommend contacting law enforcement
Organizational approaches to digital forensics:
Protect and forget (also called patch and proceed): focus on restoring the system and preventing recurrence rather than on identifying the offender
Apprehend and prosecute (also called pursue and prosecute): focus on collecting and preserving evidence that will stand up in court, which requires a documented chain of custody from the moment evidence is handled
Whitman, M. E., & Mattord, H. J. (2014). Management of Information Security (4th ed.). Stamford, CT: Cengage Learning.