Objectives
Explain the role of ethics in information assurance
Identify the fundamental elements of a professional code of conduct
Define and apply an ethical system (we can go through it quickly if you'd like)
Ethics
Information practitioners need guidance in correct behavior
Especially essential because the commodity is abstract and information assurance professionals have unprecedented access
Anonymity, intangibility, and the evolution of the technology increase ethical grey areas
Distance and lack of physical knowledge of or contact with the victim also make cyberspace unique
Technological advances usually come without ethical instructions
Ethical violations in cyberspace occur regularly without widespread recognition or response
Nobody has thought through what a particular capability or activity represents in terms of right and wrong
What is Ethics?
A global term describing the system by which individuals distinguish right from wrong
Ethical systems describe the duties and behaviors commonly considered correct for a given circumstance
Documented by an ethical guideline that aids in behavior evaluation and as a framework to judge behavior
It is essential for the information profession to consider, adopt, and use ethical guidelines
Without ethical guidance it is difficult to expect effective control of information workers' behavior
Concern: There is not a single universally recognized code of conduct for the information assurance profession
Few formally agreed-on definitions of the required knowledge or competencies exist
Certification that attests to an individual's ability to think critically about an identified problem space provides the most valid proof of competence
Information Ethics
Deals with the ethical questions that relate to the use of information assets
Explores and evaluates the development of ethical principles in information assurance
Examines ethical concepts that support information assurance theory and practice, as well as their relevance to everyday information security work
Four areas where guidance about ethical behavior should be provided:
Invasion of privacy
Unauthorized appropriation of information
Breach of confidentiality
Loss of integrity
Invasion of Privacy
Invasion of privacy is a common violation
The act of obtaining information in a way that breaches an individual's reasonable expectation of privacy
Legally, the U.S. Bill of Rights restrains government action; it does not guarantee a right to privacy against other private individuals, which is protected only by specific statutes and common-law torts
Ethics of invading your privacy for profits: the data mine
Data aggregation and data mining augment an organization's ability to understand its customers better
These methods may intrude too far into personal lives
Solution is to build an understanding across society and grapple with the essential questions:
What is the limit to the acquisition and use of knowledge by institutions?
What can other people know without violating your privacy?
Invading the privacy of your employees
Employer may reasonably monitor its employees
It is implied that people who come to work have sacrificed some of their rights to privacy for the good of the organization
The organization has an unstated right to oversee employee behavior and communications on the job
In practice this expectation should be made explicit in a written monitoring policy that employees acknowledge, because the lawful scope of workplace monitoring varies by jurisdiction
More intrusive activities that are not violations when used within the scope of work:
Keylogging of employees
Observing them through workplace video cameras and closed-circuit television
Unauthorized Appropriation
Unauthorized appropriation: use of a computer to obtain something under false pretenses
A crime if an item of concrete value is taken
An ethical compromise where the value is either intangible or cannot be estimated
Typically takes place when another person's intellectual property is either stolen or misused
Misappropriation of intellectual property presupposes that an identified piece of intellectual property exists
Ethics of Confidentiality
Breach of confidentiality can be intentional or unintentional
Disclosure of private information is a matter of civil and even criminal liability in some states
Two well-known examples of the way the federal legal system addresses breach of confidentiality:
Health Insurance Portability and Accountability Act (HIPAA)
The first comprehensive federal protection for the privacy of personal health information
Ethics of Integrity
Integrity implies that the information is correct
Information has not been accidentally or maliciously altered or destroyed
Unintentional errors
Represented by incorrect or missing values
Ethical response to the inevitable inaccuracy:
Error-trapping functions in the system
Embedding rigorous audit and control mechanisms
Intentional errors
Sources
Insider who alters data to portray the facts of a given situation incorrectly
Insider who accepts and records incorrect information
Outsider who hacks into the system in order to change the integrity of its data
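The two integrity responses above (error-trapping functions for unintentional errors, and audit and control mechanisms that expose intentional alteration by an insider or outsider) can be shown together in code. The following is an added example, not material from the lecture: it validates a constructed feed of hypothetical patient records, rejecting missing, malformed and out-of-range values, and writes every accept/reject decision to an HMAC-chained audit log whose key is held by the application rather than by whoever can write to the database. Record layout, field ranges, the actor name and the key are all assumptions made for illustration.

```python
import datetime
import hashlib
import hmac
import json

# Constructed sample feed (hypothetical data, not from the lecture): one clean
# record and three showing the "incorrect or missing values" the slides describe.
SAMPLE_RECORDS = [
    {"id": 101, "name": "A. Lee", "dob": "1980-04-12", "systolic_bp": 128},
    {"id": 102, "name": "B. Kim", "dob": "1975-13-02", "systolic_bp": 119},   # invalid month
    {"id": 103, "name": "C. Diaz", "dob": "1990-07-30", "systolic_bp": None},  # missing value
    {"id": 104, "name": "D. Shah", "dob": "1966-01-09", "systolic_bp": 910},   # out of range
]
REQUIRED_FIELDS = ("id", "name", "dob", "systolic_bp")


def validate_record(rec):
    """Error-trapping for unintentional errors: return the list of problems
    found; an empty list means the record is accepted."""
    problems = []
    for field in REQUIRED_FIELDS:
        if rec.get(field) is None:
            problems.append(f"missing {field}")
    dob = rec.get("dob")
    if dob is not None:
        try:
            datetime.date.fromisoformat(dob)
        except (TypeError, ValueError):
            problems.append(f"unparseable dob {dob!r}")
    bp = rec.get("systolic_bp")
    if isinstance(bp, (int, float)) and not 50 <= bp <= 300:  # assumed plausible range
        problems.append(f"systolic_bp {bp} outside plausible range")
    return problems


class AuditLog:
    """Append-only, HMAC-chained audit trail. Each MAC covers the entry's
    sequence number, the previous entry's MAC and the payload, so altering,
    deleting or reordering any earlier entry breaks every later MAC. The key
    (an assumed application-held secret) is not available to database
    administrators, so an insider with raw write access cannot recompute it."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, seq, prev, payload):
        msg = f"{seq}|{prev}|{payload}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, actor, action, detail):
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        seq = len(self.entries)
        payload = json.dumps({"actor": actor, "action": action, "detail": detail}, sort_keys=True)
        self.entries.append({"seq": seq, "prev": prev, "payload": payload,
                             "mac": self._mac(seq, prev, payload)})

    def first_broken_entry(self):
        """Index of the first entry whose MAC or chain link fails to verify,
        or None when the whole log is intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected = self._mac(i, prev, e["payload"])
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(expected, e["mac"]):
                return i
            prev = e["mac"]
        return None


def ingest(records, log, actor):
    """Validate each record, log both outcomes, and return (accepted, rejected)."""
    accepted, rejected = [], []
    for rec in records:
        problems = validate_record(rec)
        if problems:
            rejected.append((rec["id"], problems))
            log.append(actor, "reject", {"id": rec["id"], "problems": problems})
        else:
            accepted.append(rec)
            log.append(actor, "accept", {"id": rec["id"]})
    return accepted, rejected


def simulate_insider_edit(log, index, new_detail):
    """Intentional-error case: someone with raw table access rewrites an old
    entry in place, bypassing append() and therefore the MAC chain."""
    entry = json.loads(log.entries[index]["payload"])
    entry["detail"] = new_detail
    log.entries[index]["payload"] = json.dumps(entry, sort_keys=True)


def demo(key=b"hypothetical-app-held-key"):
    log = AuditLog(key)
    accepted, rejected = ingest(SAMPLE_RECORDS, log, actor="etl-job")
    intact_before = log.first_broken_entry()       # None: chain verifies
    simulate_insider_edit(log, 3, {"id": 104})     # make record 104's rejection look clean
    detected_at = log.first_broken_entry()         # 3: the edited entry no longer verifies
    return {"accepted_ids": [r["id"] for r in accepted],
            "rejected_ids": [rid for rid, _ in rejected],
            "intact_before": intact_before,
            "detected_at": detected_at}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The validation step only reports problems; whether a rejected record is quarantined for correction or dropped is a control decision the audit trail records either way. Verification of the chain should run from a process that does not share write access with the data owners, otherwise the same insider could simply re-MAC the log.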
Exercising due care
Characterized by careful attention to detail in the process of:
Designing
Assessing
Updating
Monitoring data and systems