Ethical Issues in Cybersecurity

In addition to working within the confines of the law, cybersecurity professionals must also demonstrate ethical behavior.
Personal Ethical Issues
A person may act unethically and not be subject to prosecution, fines or imprisonment. This is because the action may not have been technically illegal. But that does not mean that the behavior is acceptable. Ethical behavior is fairly easy to ascertain. It is impossible to list all of the various unethical behaviors that can be exhibited by someone with cybersecurity skills. Below are just two. Ask yourself:

• Would I want to discover that someone has hacked into my computer and altered images in my social network sites?

• Would I want to discover that an IT technician whom I trusted to fix my network, told colleagues personal information about me that was gained while working on my network?

If your answer to any of these questions was ‘no’, then do not do such things to others.
Corporate Ethical Issues
Ethics are codes of behavior that are sometimes enforced by laws. There are many areas in cybersecurity that are not covered by laws. This means that doing something that is technically legal still may not be the ethical thing to do. Because so many areas of cybersecurity are not (or not yet) covered by laws, many IT professional organizations have created codes of ethics for persons in the industry. Below is a list of three organizations with Codes of Ethics:

• The CyberSecurity Institute (CSI) has published a code of ethics that you can read here.

• The Information Systems Security Association (ISSA) has a code of ethics found here.

• The Association of Information Technology Professionals (AITP) has both a code of ethics and a standard of conduct found here.

Cisco has a team devoted exclusively to ethical business conduct. Go here to read more about it. This site contains an eBook about Cisco’s Code of Business Conduct, and a pdf file. In both files is an “Ethics Decision Tree”, as shown in the figure. Even if you do not work for Cisco, the questions and answers found in this decision tree can easily be applied to your place of work. As with legal questions, in general, if you are confused about whether an action or behavior might be unethical, assume that it is unethical and do not do it. There may be someone in your company’s human resources or legal department who can clarify your situation before you do something that would be considered unethical.
Search online to find other IT-related organizations with codes of ethics. Try to find what they all have in common.