
CNS 394 - Unit 2

Information Ethics and Codes of Conduct

Objectives
Explain the role of ethics in information assurance
Identify the fundamental elements of a professional code of conduct
Define and apply an ethical system (we can go through it quickly if you'd like)

Ethics
Information practitioners need guidance in correct behavior
Especially essential because the commodity is abstract and information assurance professionals have unprecedented access
Anonymity, intangibility, and the evolution of the technology increase ethical grey areas
Distance and the lack of physical knowledge of, or contact with, the victim also make cyberspace unique
Technological advances usually come without ethical instructions
Ethical violations in cyberspace occur regularly without widespread recognition or response
Nobody has thought through what a particular capability or activity represents in terms of right and wrong

What is Ethics?
A global term describing the system by which individuals distinguish right from wrong
Ethical systems describe the duties and behaviors commonly considered correct for a given circumstance
Documented in an ethical guideline that serves as the framework for evaluating and judging behavior

Ethics benefit information assurance because they are applied morality


They are logical assumptions about how moral principles should be applied in practice
They represent an understanding of what is morally correct
They become legal systems when the morality they capture is formalized into law, which is a large problem right now:
What are the laws of cyberspace? Based on what? Where is cyberspace?

Ethics and Information Assurance


Although abstract, the requirement for an ethical system is a critical part of information assurance
Ethics establishes the foundation of group trust and trustworthiness
Policies should be formulated based on the ethical values of the organization while not contradicting the principles of individuals
Question: What if the organization's ethical system is in conflict with an individual's?
An established ethical standard guides the preservation of confidentiality, integrity, and availability
The ethical standard must be clearly articulated and understood throughout the organization

Ethics and Technology


Technology has advanced at a rate that exceeds society's ability to decide about its appropriateness
The data-mining industry is an example of organizations operating without an ethical compass
Privacy concerns raise the question of whether such practices are ethical at all

More grey areas are likely to develop

It is essential for the information profession to consider, adopt, and use ethical guidelines
Without ethical guidance it is difficult to expect effective control of information workers' behavior

Practical Ethical Systems: Enforcing Proper Individual Behavior


A communal set of values provides the framework to ensure that individual decisions reflect the group's common ethical principles
It assumes that all actions that constitute unacceptable behavior can be recognized
Group values have to be formally documented
The formal documentation of those values is an ethical code of conduct
The ethical code of conduct is the organization's standard of behavior
Codes of conduct dictate the duties and obligations of individuals relative to group norms

Enforcing Behavior Norms: Aligning Personal and Group Perspectives


Group norms are the measuring stick for evaluating individual behavior
Formally documented codes of conduct dictate the minimal moral tone and actions of an organization
Ethical systems delineate the correct choices for individuals relative to the group norms
Properly designed ethical systems always provide a concrete reference for decision making as well as an explanation of the consequences of deviation

In practical applications of codes of ethics, an explicit enforcement mechanism is a necessity

Ensuring Professional Conduct


Professional codes of conduct define the values and beliefs of a profession
They communicate the formal models that make up the norms a group has chosen to adopt
Those models are based on each organization's understanding of correct professional behavior

Professional codes of conduct are essential in information assurance because:


They cover a broad range of fundamental concerns raised by the ever-increasing and changing technology

Establishing a Basis: Formal Codes of Conduct for Cyberspace


A formal code for cyberspace was published in 1989 by the Internet Activities Board (IAB), through its Network Working Group
To reinforce its authority in the area, the IAB was renamed the Internet Architecture Board in 1992
The IAB statement Ethics and the Internet (RFC 1087) outlines five principles, characterizing as unethical and unacceptable any activity which purposely:
Seeks to gain unauthorized access to the resources of the Internet
Disrupts the intended use of the Internet
Wastes resources (people, capacity, computer) through such actions
Destroys the integrity of computer-based information
Compromises the privacy of users

Establishing a Basis: Formal Codes of Conduct for Cyberspace


Organized religion has even weighed in on the ethical use of the Internet
Its emphasis is on personal responsibility in governing acceptable use

National bodies who have established formal codes of conduct:


The Association for Computing Machinery (ACM)
The Institute of Electrical and Electronics Engineers (IEEE)
These codes are specific to the profession
They communicate the ethical responsibility of information professionals to perform their duties in a capable manner
They set the minimum expectations with respect to the level of capability required
They serve as a basis for judging whether that standard has been adequately met

Establishing a Basis: Formal Codes of Conduct for Cyberspace


Professional societies that stipulate codes of ethical practice:
The Information Systems Audit and Control Association (ISACA)
The International Information System Security Certification Consortium, (ISC)²
The SANS Institute

Concern: There is not a single universally recognized code of conduct for the information assurance profession

Certification: Ensuring Professional Capability


Certification is a method of identifying individuals committed to ethical behavior and to a standard level of professional competence
Certifications are based on a number of representative common bodies of knowledge (CBKs)
No single system guarantees that the practitioner responsible for protecting an organization's information is competent

There are few formally agreed-on definitions of the required knowledge or competencies
Certification that attests to an individual's ability to think critically about an identified problem space provides the most valid proof of competence

Certification: Ensuring Professional Capability


Determining the value of a certification:
How long has the certification been in existence?
Does the certifying organization's process conform to established standards?
How many people hold the certification?
How widely respected is the certification?
Does the certificate span industry boundaries?
What is the probability that 5 or 10 years from now the certificate will still be useful?
Does the certification span geographic boundaries?
Does the certification require attestation to a defined ethical behavior?

Information Ethics
Deals with the ethical questions that relate to the use of information assets
Explores and evaluates the development of ethical principles in information assurance
Examines the ethical concepts that support information assurance theory and practice, as well as their relevance to everyday information security work

A timely and important area because:


The traditional philosophical frame of reference is out of date
Information technology has extended capabilities beyond:
Traditional moral and philosophical realms
The precedents and principles of our legal system

Information Ethics
Four areas where guidance about ethical behavior should be provided:
Invasion of privacy
Unauthorized appropriation of information
Breach of confidentiality
Loss of integrity

Invasion of Privacy
Invasion of privacy is a common violation
The act of obtaining information in a way that breaches an individual's reasonable expectation of privacy

Legally, the Bill of Rights restrains government action; it does not guarantee a right to privacy from other individuals except in specific cases

Invasion of Privacy
Ethics of invading your privacy for profits: the data mine
Data aggregation and data mining augment an organization's ability to understand its customers better
These methods may intrude too far into personal lives

Other instances of intrusion:


Placing tracking cookies surreptitiously on computers
Credit-monitoring services
Telephone tapping

Solution is to build an understanding across society and grapple with the essential questions:
What is the limit to the acquisition and use of knowledge by institutions?
What can other people know without violating your privacy?

Invasion of Privacy
Invading the privacy of your employees
Employer may reasonably monitor its employees
It is implied that people who come to work have sacrificed some of their rights to privacy for the good of the organization
The organization has an unstated right to oversee employee behavior and communications on the job

More subtle activities which are not violations if used within the scope of work:
Keylogging of employees
Observing them through workplace video cameras and closed-circuit television

Unauthorized Appropriation
Unauthorized appropriation is the use of a computer to obtain something under false pretenses
It is a crime if an item of concrete value is taken
It is an ethical compromise where the value is either intangible or cannot be estimated
It typically takes place when another person's intellectual property is either stolen or misused

Misappropriation of intellectual property presupposes that an identified piece of intellectual property exists

Ethics of Confidentiality
Breach of confidentiality can be intentional or unintentional
Disclosure of private information is a matter of civil and even criminal liability in some states

Two well-known examples of the way federal legal system addresses breach of confidentiality:
Health Insurance Portability and Accountability Act (HIPAA)
The first comprehensive federal protection for the privacy of personal health information

Family Educational Rights and Privacy Act, 1974 (FERPA)


Limits the personal information that educational institutions can release to the public

Ethics of Integrity
Integrity implies that the information is correct
Information has not been accidentally or maliciously altered or destroyed

The ethical issue can be characterized by a legal term, false light


A circumstance where information that is being kept either is false or harmfully misrepresents something about the individual

Ethics of Integrity
Unintentional errors
Represented by incorrect or missing values
Ethical response to the inevitable inaccuracy:
Error-trapping functions in the system
Embedding rigorous audit and control mechanisms

Intentional errors
Sources
Insider who alters data to portray the facts of a given situation incorrectly
Insider who accepts and records incorrect information
Outsider who hacks into the system in order to change the integrity of its data
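The two slides above name the controls (error trapping, audit and control mechanisms) and the three sources of intentional error, but do not show what such a control looks like. The following is an added example written for this page, not code from the lecture or its textbook: it validates a record at entry time, seals accepted records with a keyed tag (HMAC-SHA256) held by the application rather than by the clerks who enter data, and keeps a hash-chained audit log so that an insider who edits stored data or rewrites an audit entry is detected. The record layout, the actor names and the key value are illustrative assumptions.

```python
"""Integrity controls for a hypothetical record store (added example)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Illustrative key only. In practice it lives in an HSM or secrets manager
# and is NOT available to the people who enter, read or administer records.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"

# Hypothetical record layout: field name -> required Python type.
REQUIRED = {"record_id": str, "name": str, "balance_cents": int}


def validate(record: Dict) -> Optional[str]:
    """Error trapping: refuse missing or ill-typed values at entry time
    (the 'insider who accepts and records incorrect information' case).
    Returns a reason string, or None if the record is acceptable."""
    for field, typ in REQUIRED.items():
        if field not in record:
            return f"missing field: {field}"
        value = record[field]
        if not isinstance(value, typ) or isinstance(value, bool):
            return f"wrong type for {field}"
    if record["balance_cents"] < 0:
        return "balance_cents must be non-negative"
    return None


def canonical(record: Dict) -> bytes:
    """Deterministic serialisation so equal content always hashes equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: Dict) -> str:
    """Keyed tag over the record. Anyone can recompute a plain hash after
    editing a row; only the key holder can produce a valid tag."""
    return hmac.new(INTEGRITY_KEY, canonical(record), hashlib.sha256).hexdigest()


def verify(record: Dict, tag: str) -> bool:
    return hmac.compare_digest(seal(record), tag)


class AuditLog:
    """Hash-chained audit trail: each entry commits to the previous entry's
    hash, so editing or removing an entry breaks the chain from that point."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, actor: str, action: str, record_id: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"actor": actor, "action": action, "record_id": record_id, "prev": prev}
        body["hash"] = hashlib.sha256(canonical(body)).hexdigest()
        self.entries.append(body)

    def verify_chain(self) -> Tuple[bool, int]:
        """Returns (ok, index of the first bad entry, or -1 if the chain holds)."""
        prev = "0" * 64
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("prev") != prev or hashlib.sha256(canonical(body)).hexdigest() != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, -1


def demo() -> Dict[str, bool]:
    """Walks through the error sources on the slide with constructed data."""
    log = AuditLog()
    # Unintentional error: a clerk submits a record with a missing field.
    rejected = validate({"record_id": "R-1", "name": "A. Example"}) is not None

    # A well-formed record is accepted, sealed and logged.
    rec = {"record_id": "R-2", "name": "B. Example", "balance_cents": 1500}
    tag = seal(rec) if validate(rec) is None else ""
    log.append("clerk7", "create", rec["record_id"])
    clean_ok = verify(rec, tag)

    # Intentional error: an insider or intruder edits the stored value
    # directly, bypassing the application and therefore the key.
    tampered = dict(rec, balance_cents=150000)
    tamper_detected = not verify(tampered, tag)

    # The same actor then rewrites the first audit entry to hide their trace.
    log.append("clerk7", "read", rec["record_id"])
    log.entries[0]["actor"] = "nobody"
    chain_ok, bad_idx = log.verify_chain()
    return {
        "rejected_malformed": rejected,
        "clean_verifies": clean_ok,
        "tamper_detected": tamper_detected,
        "audit_tamper_detected": (not chain_ok) and bad_idx == 0,
    }


if __name__ == "__main__":
    print(demo())
```

The separation of duties is the point: the clerk role can create records but cannot produce a valid tag for an altered one, and the audit log detects after-the-fact edits to its own history. Neither control stops a key holder, which is why the key must sit outside the reach of the roles being controlled.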

Ethics of Integrity
Exercising due care
Characterized by a careful attention to detail in the process of:
Designing
Assessing
Updating
Monitoring data and systems

A statement of due care


To protect the organization from liability concerns as well as to ensure good ethical practice
