Ethics in Cyber Security

Why Talk about Ethics?

A strong ethical program can help you meet your bottom line, deliver your service, and encourage growth and sustainability. Ethics help us uphold our reputation. Loss of trust can devastate a company. This article provides a guide to help uphold your values and protect your reputation.?

Cyber law is evolving, but it cannot cover every scenario. Your ethics policy is your opportunity to set a standard for your company. This may include adopting standards that are beyond those required by law.

"Once we escalate to management, there will be no day, no night." ― Mr Ernest Tan Choon Kiat

Laws

Laws are formal rules established by authorities to maintain societal order, protect resources, and ensure safety and human rights. Non-compliance can lead to penalties such as fines, loss of privileges, or imprisonment.

Morals

Morals are personal principles of right and wrong, shaped by culture, family, experiences, and religion. They guide individual behavior, and violating them can lead to internal guilt and social disapproval.

Ethics

Ethics are shared guidelines for behavior towards others, often set by community leaders. They are informed by both laws and personal morals, and breaches can result in reprimands or exclusion from the group.

“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.” ― Stephane Nappo

What Are?Cyber Ethics?

Cyber ethics in cybersecurity involves the application of moral principles to guide the protection of digital systems and data. It ensures that cybersecurity practices are not only effective but also ethically sound. Key components include:

Corporate social responsibility?

A company claims to be socially responsible when it aligns its goals to the benefit of both itself and the environment it serves. For example, a company may reduce its carbon footprint to protect the entire community. But does it really have an impact, or is it a public relations move? ?

The ethics of surveillance and privacy

The ethics of surveillance and privacy balance security with individual rights. Ethical surveillance requires justified, limited, and transparent data collection with consent. It must be proportional, necessary, and subject to oversight to prevent abuse. Strong data security is essential to protect information. The goal is to ensure security while preserving personal freedoms and societal trust.

Algorithmic Bias: A DEI Imperative

AI can amplify existing biases if training data is not representative. This can lead to discriminatory outcomes, especially for marginalized groups. To address this, ensure diverse data, regularly audit algorithms, involve diverse teams, and develop ethical guidelines for AI development.

For instance, if we ask an AI application “What kind of person makes a good data scientist?” the AI may quickly search all the data scientists profiled on the internet, the majority of whom may be white men. It will then decide “White men make good data scientists.” This is not the most accurate conclusion. ?

Other Ethical Considerations in Cyber

Duty to the public?

Cybersecurity is a household term. That doesn’t mean people in those homes fully understand its meaning. It is the job of the cyber professional to know the threats, bad actors, risks, and their mitigations on behalf of the public. ?

Disclosing vulnerabilities?

Disclosing vulnerabilities is not often the first thing we want to do – especially if the vulnerability is not yet mitigated. But information sharing has its benefits when it can help keep the organization or larger environment safe. And sometimes, disclosure of a flaw or breach is required by law.?

Proficiency and efficiency?

Cyberspace is rapidly evolving. It takes effort to stay aware of the expanding threat vectors, attack tactics, even targeted assets. This can be timely, costly and never-ending. It is your duty to stay informed and sound the alarm if your business -- knowingly or unknowingly -- creates a vulnerability that will affect the security of its data or that of its customers.?

Investigations ?

Investigations have an ethical responsibility to be honest. ?

Audits can be targeted, comprehensive, or random. Comprehensive and truly random audits leave little need for ethical consideration. Targeted audits, on the other hand, use cyber tools to support a suspicion when the suspicion did not originate from random or comprehensive scanning. Be clear about when you will allow targeted audits, if at all. Will they require department lead approval or consensus? What are the consequences should a violation occur?

Compliance

Compliance is a double-edged sword. While it provides a clear benchmark for security and accountability, it can also hinder innovation. The increased regulatory scrutiny demands rigorous adherence to standards, but excessive focus on compliance can stifle creativity and business growth. To strike a balance, organizations must carefully weigh compliance requirements against their risk tolerance and potential business impact.

Incident response ?

Incident response can be overwhelming. Consider using maturity models to find lower and upper limits to compliance. Find an acceptable threshold your organization can afford. At a minimum, include a living document, points of contact, and procedures for response at a high level. This would identify which representative or department manages the program, takes actions, and follows up with reporting. ?

Employee ethics?

Consider this example. Your company guidelines require employees and customers to be addressed with the name and pronoun they prefer. Instead, Katie finds a way to avoid using pronouns altogether in her electronic communications.?

?You understand proper greetings and salutations mean a lot in customer service. You also wonder if the email and messaging audits could show discrimination. Would this compromise violate your ethical expectations? Would you urge her to understand that her activity represents the company and not her personal self??

Code of Ethics and Code of Conduct?

A code of conduct speaks specifically to how we conduct our behavior. It will often include specific guidelines. For example, a user will properly log out of their account each day. A user will not share their login credentials with another person. The purpose is to help the company and its employees thrive and be safe. ?

Misconduct at a higher level in the organization can have an increased cost and foster more distrust. Will you hold your C-suite to a higher ethical standard or more stringent enforcement? ?

"There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it."        

Training and Awareness?

The purpose is to bring awareness, meaning, and understanding to your ethical standards. How do your employees learn what ethics your company values? How do you know they have skills to meet your expectations in filling them? ?

Awareness is posting the ethics in a place where your employees will view them. But how will you know they understand the expectations? ?

Training is a platform to teach the skills and behaviors you want your employees to have. People with different roles may need to confirm awareness and compliance more frequently than others.?

The most effective training methods for companies are instructor-led, video based, interactive, and case studies.

Conclusion:

In conclusion, ethics play a crucial role in shaping the integrity and reputation of organizations, particularly in cybersecurity. As cyber laws evolve, companies must set ethical standards beyond legal requirements to maintain trust and accountability. Key considerations include corporate social responsibility, balancing privacy with surveillance, addressing algorithmic bias, and disclosing vulnerabilities.

Cyber professionals have a duty to protect public safety, stay proficient, and conduct honest investigations. Compliance must balance innovation and security, while employee ethics and training are vital for aligning personal behavior with organizational values. Ethics ensure long-term sustainability and resilience in an ever-evolving digital landscape.

Hope you learn from my cyber ethics article and use the insights to build stronger, more ethical cybersecurity practices that not only comply with laws but also prioritize trust, integrity, and responsibility in protecting both your organization and the public.

?

?