By
Rich Mumley
INTRODUCTION
This paper covers just a few of the many ethical dilemmas facing the world of cyber
security. Leadership in the cyber security realm is made more difficult because of ethical
issues that increase in complexity at the same rate as new cyber-based threats enter the
world. Chief Information Security Officers (CISOs) often do not last more than a couple
of years with any one company because of data breaches, be they known or unknown.
a unique position to gain wisdom from the executive, administrative, and technical
Initially, this paper presents a review of six case studies faced in the world of information
technology. Commentary on these six case studies will provide insight into ethical
theories applied to these quandaries. After these six case studies comes a series of four
interviews, designed to mesh real-world cyber security expert opinion with four of the six
the presented case studies, interviews, and overall impressions from the Organizational
Ethics course.
A PROFESSIONAL ETHICAL ANALYSIS 3
A recent MIT Technology Review article details the efforts of a big data analytics
company named Cambridge Analytica, which claims to use behavioral science insights
in helping political candidates tailor their campaign messages according to the recipient’s
“personality.” “Like other big-data analysis companies,” the article notes, “it categorizes
voters on the basis of demographics and issues, but it appears to be the first to add
personality typing to the mix. The company says it has assessed the personalities of all
And how were those personalities assessed? According to the article, which is titled “How
Before answering the questions below, please review this article about ethical decision-
making, different ethical perspectives, and the considerations that we should keep in
Should people who attempt to answer the questionnaire be advised, ahead of time, that
the data collected from those questionnaires will be used to improve the targeting of
political messaging?
includes under the header “How will we use information about you?”: “The information we
collect will be used in order to gain insight into the behavior of the whole population. We,
or our research partners may contact you for direct marketing or research purposes.” Is
of other people who don’t choose to answer such questionnaires (profiles based on
“commercially or publicly available data points” about those others). Is the assessment of
personalities by extrapolation ethical? Why, or why not? If you do have concerns about
this practice, are they rooted in perceptions of fairness? The question of autonomy?
Commentary: This case was chosen because the methods of Cambridge Analytica fail
the tests of deontological business reasoning. Donaldson and Werhane (2008) ask three
Let us answer these questions. Part of this dilemma is that existing rules regarding data
protection are often vague and unable to evolve at the speed that data miners can
circumvent these rules. There is no protection against creation of data using extrapolation
smaller sample size, and are a quite common research method. And to those companies
rationalizing this creation of data, that is their rationale. However, this created data
becomes a very different thing when it is attached to your name, and that is where an
ethical violation occurs. These rules of data creation are not fair to everyone. The data
not give your permission for it to be collected, and therefore your privacy has been
breached.
We learn in Hypponen’s Three Types of Online Attack (2011), “any right we give away,
we give away for good.” If we do not combat this type of data aggression and treat it as
what it really is, which is libelous if false and theft if true, we are in essence allowing it to
happen. If we do so enough, we will never get that privacy back, as it will become more
and more common. The rules do not hold universally right now, but they just may if this
behavior is allowed to stand. As for the third rule asking if all persons are treated with
equal respect, that answer is self-evident. Creating data attached to personal information
based off of data collected by questionable means has no manner of equality or respect
attached to it.
Raicu, I. (2016). The “Goodbye Fears Monster”. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/the-goodbye-fears-monster/
You might know (or remember) that some little kids find it difficult to fall asleep at night
because of various fears that prey on them in the quieter, darker pre-sleep environment.
The “Goodbye Fears Monster,” a new toy currently under development by the Metell toy
Fears Monster” (we’ll refer to it as “GFM” for short) is soft, roly-poly, and comes in a
variety of colors; what makes it unique, however, are its interactive features. The toy is
When a fearful child is about to go to sleep, he or she is supposed to press GFM’s belly
button (which is, actually, a button); that action turns on the toy’s microphone (which is
hidden by its fur). The child is then encouraged to tell the “monster” all of his or her fears.
Once the child stops speaking, the monster replies, “I will eat all of those fears! Nom nom
nom. There. They’re gone. Are you worried about anything else?” The process is
supposed to repeat until the child says he or she has no more worries to detail. At that
point, GFM gently replies, “Well, then, now we can close our eyes and go to sleep in
The child’s statements are recorded, and all of the recordings are made available to the
child’s parents (they are sent directly to the child’s parents’ phones, via a companion app).
the interactive toy will allow young children to express fears that they might not
otherwise disclose to anyone;
reassured by their fears being “eaten” by the friendly toy, children might sleep
better (which, of course, would allow parents to sleep better, too);
the recordings will give parents new insights into their child’s thinking.
The Metell company also promises to share the recordings (at no cost) with child
psychology researchers, in the hope that the data collected will promote the development
As part of the promotion of this new (rather expensive) toy, the toy makers propose to
distribute free GFMs to children living in homeless shelters throughout the San Francisco
Bay Area.
What ethical issues do you spot in this scenario? How might these issues be perceived
through the ethical prisms of utilitarianism, rights, justice, virtue, and the common good?
Commentary: This case reflects a classic example of public good for potentially
unscrupulous private means. The Metell company is clearly housing the data in their
private data cache, as they “promise to share the recordings (at no cost) with child
psychology researchers”. They are also giving these recording bears away to children
living in homeless shelters. What a generous company! They must not understand that
businesses are meant to make money. Unless they have another way to bring in revenue,
that is. That revenue stream is your data, the analysis of which can sell for millions
because of its potential alone. Once we download the app onto our phone, agreeing to
forgo our right to the privacy of this data in exchange for the service provided, Metell owns
the information.
In Ethical Issues in Business, Donaldson and Werhane (2008) tell us of Aristotle’s theory
of virtue ethics, noting: “in action where a choice is possible, one exercises moral virtue
by restraining harmful desires and cultivating beneficial ones” (p. 10). In other words, it
is not just the action, such as building a cuddly bear to help kids get over their fears, that
defines the ethical standard. It is in the intent that the character of the actor is revealed,
and this is where Metell fails the ethical test. Were this company “doing the right thing”
in terms of data privacy, they would not be capturing data at all. There would be no app
to download, and there would be no request to waive right to data privacy in the name of
Raicu, I. (2017). Targeting a Broken Heart. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/targeting-a-broken-heart/
On February 3rd, Facebook’s “People Insights” blog published a post titled “What Mends
a Broken Heart on Facebook.” In it, the company’s researchers detailed insights that they
had gathered by examining “how the break-up moment influenced the online behaviors
of people across France, the Netherlands, Poland, the United Arab Emirates and the
United Kingdom who indicated on Facebook that they recently went through a break up.”
One of their findings was that “there could be a gap between the break up itself and the
Facebook post announcing it. During the two weeks before and the two weeks after their
break-up announcement,” they explained, users “accepted more than one invitation to an
event 40% more than [during] the 60 days before and 60 days after their announcement.”
The researchers also noted that “‘Healing,’ ‘detox,’ ‘drowning sorrows,’ ‘binge watching’
and ‘suffering’ are just some of the words and phrases that are more pronounced in men’s
posts before they mark themselves ‘Single.’ The same types of words and phrases are
As to what helps people get over a breakup, Facebook researchers wrote that “[g]aining
new experiences… seems to be more therapeutic than buying things.” Under the
subhead “What it means for marketers,” the post then asks, “How can brands be a part
of the journey to help mend people’s broken hearts?” Suggested answers include
“Empathize with them” and “Offer them new experiences.” The post concludes by
experience new things or take up a new hobby can help you reach this group with a
Is it ethical for Facebook to mine its users’ posts for signals that those users are about to
go through a break up? Is it ethical for the company to then help its clients target their ads
How might Facebook’s actions be perceived through the ethical prisms of utilitarianism,
rights, justice, virtue, and the common good? For more on those perspectives, see
“Thinking Ethically.”
Commentary: While this case and “Goodbye Fears Monster” have quite a few
similarities in terms of virtue ethics applications, this case was chosen to represent how
utilitarianism can be slanted to appear logically sensible, but ultimately fallible when
applied to the cyber security world. As long as the public at large allows companies like
Facebook to stand on the argument that they are doing us a favor with analytical studies
such as this one, seemingly to help us make better choices (buying products?) and
therefore maximizing our happiness, these companies will continue to push our data
boundaries.
The day I went to Amazon to look at a wrench, then logged into Facebook and saw an ad
for the same wrench was, well, a heart-wrenching day. I had seen the movie Minority
Report just a few weeks before that, where the main character, John Anderton, is hounded
by personalized ads from every direction as he walks around the city. These ads all
gather his identity by scanning his eyes, which are just a different method of bio-
identification, like fingerprints. I thought this concept was disturbing, but a ways off due
Little did I realize, my keyboard was serving as those eyes, and just by the act of walking
around the Internet, I was getting my eyes scanned everywhere I went. Advertising
companies, from the dawn of their existence, have always justified themselves by saying
they “help people”. A utilitarian concept, to be certain. But even in utilitarianism, there is
conflict with this approach. An act utilitarian measures consequence in terms of how
much perceived good they will do (Donaldson & Werhane, 2008, p. 5). Yet, a rule
utilitarian in our case above would contradict this data collection activity by applying the
question of how much good the activities of Facebook would do if everyone took that
same approach as a rule. Suddenly, Facebook itself is subject to the same data
mining, and would be fighting against just how “good” the practice really is!
Marcus is a computer engineer who has recently developed an app which helps users
Information about the user is stored in this app, including what prescriptions they are
taking and how frequently they schedule doctor’s appointments. As the developers of the
information so they can better target ads and app suggestions to the users. Marcus
understands that he is part of a company, but also feels that the privacy of the app users
How does Marcus determine how much of the user’s information should be shared with
Commentary: This case was chosen to illustrate where laws and statutes that apply to
conventional records privacy, such as HIPAA, get a bit gray in terms of data mining and
application of business analytics to that data. While HIPAA does a great job of outlining
what constitutes personal health information, and when it can and cannot be shared with
varying degrees of consent, it does not explicitly cover data used for mining that is not
disclosed outside the company warehousing the data itself. Technically, no data has
been shared outside of the company, so privacy has not been violated by the letter of the
law. However, the gray area exists as to whether the marketing department of a company
itself.
To sift through this ethical gray area, we can use theory about the Dominant Model of
Business (Donaldson & Werhane, 2008). This passage postulates that the dominant
by its insistence on trading information for revenue. While Freeman tells us that the
dominant model is resistant to change because, basically, people like money and don’t
want to give up their potential to make more of it, he does provide basis that this dominant
model is also not consistent with the law. “The law has evolved over the years to give de
facto standing to claims groups if groups other than stockholders” (pp. 40-42). The law
sides with the consumer in cases such as this, not with those whose interest is first and
represent the interests of the consumers, and he has every right to do so.
Tan, J. (2015). May the Truth be with You. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/more/engineering-ethics/engineering-ethics-cases/may-the-truth-be-with-you/
Catherine is a new hire at a startup that produces LCD displays for large venues, such
as shopping malls. Part of her job requires her to troubleshoot malfunctioning displays.
One day, a shopping mall reported that two display units out of twelve had stopped
working from their installation three months prior. The customer also noted serial and
revision numbers on the two units were different from the rest of the units.
At the job site, Catherine inspected the displays and realized her company had sold units
that were from a bad batch (i.e. group of displays that did not have over 50% yield during
manufacturing). Catherine wanted to tell the site why the units failed, but recognized that
if she disclosed this information, the site would be eligible to receive replacement displays
at no additional cost. On the other hand, if she blamed the failing units on a weaker cause,
such as improper installation, her company would be able to charge the site for
replacement units.
Catherine knew her manager would want her to choose the option that would minimize
the company’s losses; however, she wanted to be honest with the site as they were one
Commentary: In this case study, our protagonist need only ask the Kantian ethical
litmus: “could I wish that everyone in the world would follow this principle under relatively
similar conditions?” (Donaldson & Werhane, 2008, p. 8). If everyone in the world lied
about the reasons for poor quality in their products, then the quality of the products
produced could never be trusted. Consumers would cease to purchase these products,
and those companies that practiced the untruthfulness would fold. Therefore, it is ethical
practice to tell the truth about quality issues and work to remedy their infractions.
Consumers must be able to trust the quality of the goods they provide.
In addition, we can take a consequentialist approach here and ask ourselves what good
it does to lie when the truth may well be found out down the road, especially if there is
some sort of data trail about the situation. The possibility of losing a small amount of face
with one customer, versus the potential of a public relations ripple caused by nefarious
dealings that get pushed out to social media seems like an easy choice from this utilitarian
perspective as well.
Raicu, I. (2015). Removing a Search Result. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/removing-a-search-result-an-ethics-case-study/
Sometime in the early 1980s, a woman is raped, and a suspect is caught. The woman
decides to allow her name to be used in media coverage of the attack because she wants
to combat the stigma that rape victims face. She is young, and she wants to be brave.
The trial of the suspect garners some coverage in the local media but none beyond that.
The woman struggles with the trauma of the experience, but moves on. Her job takes her
to Europe, where she gets married; while she lives in London, she returns to her
hometown in the U.S. to visit family multiple times each year. Thirty years later, her family
members and her oldest friends know that she was once raped, but her employer, co-
workers, neighbors, and more recent friends do not—or, at least, she doesn’t tell them.
One day, however, in 2015, she reads an article that advises readers to Google their own
names in order to see what others would see if they were to run such a search (as
employers, doctors, and other people increasingly do). She does that. She finds that the
third entry that comes up in the Google search on her name is an article from her
hometown’s local newspaper, written during the rape trial, detailing the rape case. Her
The woman is upset; after all these years, she would like to be able to disclose her rape
when and if and to whomever she wants. She has heard about a recent decision of the
European Court of Justice, which allows individuals residing in Europe to submit requests
to Google asking the company to remove certain results from searches on their
names (not all searches—only those involving their names as search terms), if those
purposes of the processing.” The ruling requires Google to also consider the public
interest in retaining the particular result in the search, as it decides whether or not to fulfill
The woman submits Google’s online form to request the removal of the link to the article
Should Google comply? What are the factors that shape your decision?
Commentary: Our final case study focuses on an issue that every single person on the
planet faces. You can live your entire life “off the grid”, but if you interface with the public
in any way, you are in danger of being in a search engine somewhere. It could be a photo
of you taken in a subway, or a piece of gum with your DNA on it that was left on a garbage
can. Unless you live your entire life in solitude and are declared legally deceased, you’re
Such is the situation with the woman described in this case. On one hand, Google has
posted a policy to which they adhere for removing information from their engine, and
to those, the woman’s request meets none of them. The posting is of a periodical, not of
the woman herself. When she made the decision to put her name in the newspaper, she
forfeited the right to privacy of the situation that the article described. That the information
is more easily searchable is irrelevant. A company could hire a private investigator that
could have found out the details of her situation with standard investigation tactics of
articles with those cities. It is much easier than people think. The search engine just
makes it easier. I do hate to side with the big guy in this case, but I can’t help but do so.
Google’s mission statement is “Don’t Be Evil”. In this situation, they are right if they
choose not to remove it as one cannot unprint a newspaper or unwrite a book – keeping
Should Google choose to remove it, that may set a precedent against journalistic integrity
that would go against both Kantian and utilitarian approaches. Journalistic integrity is a
social norm because people have the right to access information that is public domain. If
we start removing information from the ether, however painful the information may be to
one person, the basis for providing that information – that it is public domain – is violated.
From a Kantian standpoint, if all began removing information, we would soon have no
information left, so that is not a logical approach. From a utilitarian perspective, the
information is there for the greater good of humanity, albeit at the expense of a single
individual.
METHOD
Four interviews were conducted, each referencing a case outlined in this paper.
and cyber security specifically in their professional careers. They were also chosen
of demographics.
Questions open with a query of the interviewee’s opinions on the referenced case to gain
an understanding of their viewpoint. Numbered pieces of paper, 1-6, were placed in front
of the interviewee to choose from, removing any interviewer-case bias. While starting out
broadly, questions focus down to case specifics and their ethical quandaries. Finally,
each subject is asked to relay a personal experience related to the case, or present
another ethical dilemma along the same theme that they have had to overcome. This line
of questioning allows the interviewee to warm to the subject matter without directing the
conversation towards any one ethical theory or viewpoint, yet still providing a body of
1. After reading the case study, what are your initial thoughts?
3. Can you tell me about your current company’s approach to ethical conduct
policies and how you view those efforts?
4. Do you feel as though your personal data and privacy are a part of this ethical
code of conduct? Why or why not?
5. Knowing what you know about your company’s security posture, tell me about
your job and how this posture (or absence of it) affects you?
6. How secure do you feel that your data and privacy are in the world as a whole?
Why do you feel that way?
7. Looking back at the ethical case you read, can you make any connections
between it and your thoughts on cyber security at work or home?
8. Can you share a personal experience that relates to the case you read, or think
of a related ethical dilemma in which you’ve been involved?
RESULTS
The following are the results from the interview sessions with the four participants:
Mr. Faxon is the Chief Information Security Officer (CISO) for a leading precious metals
mining corporation. He has been with the company in this capacity for nearly two years.
His career in cyber security began as an infrastructure engineer for a Fortune 500
over the course of his tenure. James completed his MBA at SMU in Dallas, Texas, and
1. After reading the case study, what are your initial thoughts?
This lady, Catherine, is in a situation many of us face every day. Especially at the
executive level. The higher up you go in a company, the more you are asked to
make decisions in the name of profit, but at the expense of morals. It isn’t always
a direct ask of you, but it’s there. As long as we are compensated bonuses based
on our profit center’s performance against budget, it’s always going to be there. I
hate to say it, because I’m not one to shy away from money personally, but if we
want to be empowered to make the right moral decisions, maybe we need to figure
out another way to be bonused out so we don’t think about company profit over
what’s right.
Not really. Well, except that the lady in the story is also stuck in the situation where
she is looking for approval from her boss to possibly continue on with her career.
So, for her, it’s getting the double-whammy of screwing a customer over and lying
to them, but she also isn’t sure if she should bring this up to her boss or not. The
boss might get upset that she was thinking of acting unethically in the first place –
who knows?
3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?
Our company is very serious about ethical conduct, to the point that we have
training seminars for employees and the employee handbook addresses it and
requires sign-off. These are all great, but when I came in here as the CISO, it
became apparent very quickly that we did not have the information security side
of the house in check when it came to ethics. Hell, there wasn’t even an
information security group before I got here – they had gotten rid of everyone. So,
it’s understandable. But, part of what we are doing here is maturing processes
and how to respond in questionable situations is a rising concern people have
when talking about cyber security. We are working on some policies right now to
help people out, saving them from having to make decisions based on little or no
information.
An example would be having an acceptable use policy that the user has to click
and acknowledge before they can remotely access the company. This policy
states that they must have virus scanning on their machine, and checks to see if
it’s there. If it isn’t, the connection is rejected. People don’t realize that connecting
to another data source without protecting your computer is actually a breach of
information security ethics. You are not doing your part to protect the data going
to and from your computer without virus scanning on your machine. Just about
anyone that uses a computer knows about viruses, so it is irresponsible not to
protect yourself and others. With our acceptable use policy, we take that problem
out of the users’ hands so they have one less thing to worry about. It also keeps
our data safer in the process.
5. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?
It would be hard to sit here as a CISO and say that it isn’t, especially with what I’ve
already said.
6. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?
7. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?
The world is a scary place. It’s like in “Men In Black”, where Will Smith goes on
the interview at the beginning and sees the aliens in the coffee room. After that,
his whole world changes. Sometimes I wish I were more ignorant about data
protection, but then I ask myself, knowing what I know, could I ever go back to just
handing over my information to any yahoo that asks for it? No way.
8. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?
One thing I can think of is the possibility of Catherine’s situation to blow up in her
face if she lies to the customer. There will almost certainly be a data trail, whether
it’s email, texts, whatever. Whichever path she chooses, there will probably be
a record, so she needs to make sure she does what she thinks is right.
9. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?
What’s tough in the cyber security world is that we have to be very secretive,
sometimes lying in order to protect information that can be a risk if exposed. That’s
a lot like Catherine’s situation – she is faced with lying to protect her company’s
interests. The difference with her though is that she doesn’t seem to know for sure
how her boss would react if she were honest to the customer; she is just
speculating. Even though it says she knows her manager would want her to
choose the option that would minimize loss, I bet you that if she told her boss that
in an email, the boss would probably act as though they would never say such a
thing! That’s the power of a recordable, archivable medium. It gives us security,
but at the same time it takes away privacy.
Mr. Kauffman has spent a thirty-plus year career in Information Technology, currently in
a senior management role with a Fortune 500 aerospace company. Over the course of
his career, he has excelled in Vice President, CTO and Director roles in IT management.
His undergrad studies in Computer Science were completed at LSU, with graduate
1. After reading the case study, what are your initial thoughts?
The path to hell is paved with good intentions. Or these guys are wolves in sheep’s
clothing. Pick your analogy. I don’t feel like this company - Metell or whatever –
has the right intentions in mind when there has to be an app involved to pull the
information through a phone. It can be done like a tape recorder on the bear. No
need to put it through the cloud unless you’re planning on keeping the data for
some other reason.
Hell yes it does. Companies like this are springing up all over the place.
Pretending to be doing good, but it’s pretty transparent if you’re in IT what they are
actually up to. We all know the money is in the data these days. The bear could
be a break-even product and they’d still make millions selling the data to private
companies.
3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?
It’s pretty much cookie-cutter stuff here. Basically, we have an ethical code of
conduct that employees have to sign off on, but it’s not really engrained in the
culture of the company. It’s just another box they check to remove liability.
4. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?
No, we haven’t done anything specific for infosec or anything like that. We have a
disclaimer when people log onto their computers that they are using a company
piece of equipment and need to act accordingly, but nothing specific to keeping
data that’s on the machine on that machine. Instead we try to block methods of
moving data around, like people using Google Drive or personal email.
5. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?
Well, most of my time with infrastructure is spent chasing issues that come up
because of people doing stupid stuff on the network. Sometimes, it’s even my own
guys that are boneheads and not realizing it – they don’t put in change requests
and just change stuff, then it breaks and everyone goes nuts. That’s an overlooked
part of information security. We have processes for documentation for a reason,
and it’s not just because we get audited. Documenting changes we make keeps
us from making mistakes in the infrastructure that can open holes for the bad guys
to get in.
6. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?
I don’t trust anyone, but yet here I am giving my credit card to anyone online I want
to buy something from. You can’t get away from it anymore if you want to be a
part of society. I don’t like people a whole lot, so I don’t mind being a little bit of a
hermit sometimes, but I also like to eat and buy stuff. And since crime isn’t going
away any time soon, it’s safer not to carry cash, so I pay with a card anywhere I
can.
7. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?
I have two grown daughters, so I understand what it’s like to want to know what
they are thinking. Believe me, it would have been nice to have a little bear around
that I could play back and hear what they told it. But at the same time, they are
supposed to have an idea of what privacy is and I want them to have that. They
need to know that you need to keep some stuff private, because information has
value. As soon as you give up that valuable information, you lose it forever, so
you need to be really careful with what you share.
8. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?
When we were kids, we used to have a tape recorder that we’d tape stuff on and
play it backwards because we thought it was a trip. Well, we got braver and braver
about what we’d record, and decided to put some swears on it to play backwards
and see how they sounded. My aunt found the tape recorder and played our
swears, about knocked our teeth out for it, too. But we felt strangely betrayed, kind
of like people must feel when their journals are read. I’d say that’s why you don’t
need a recording bear sitting around your house if you’re a kid. It’s one thing if you
are a kid that’s off the rails and need to have an eye kept on you so you don’t raise
hell, but if you’re a good kid, that’s just one more piece of privacy that you’re losing.
for a leading precious metals mining corporation. Her main duties include the
communications and training materials. In her free time, Gwendolyn loves doing
1. After reading the case study, what are your initial thoughts?
Figures that I’d get the one about the woman getting assaulted and I’m the only
woman you’re interviewing. I saw a lot of crazy stuff when I was a cop. It’s hard
to see people go through these sorts of things and not have some emotion about
it – that’s part of why I left.
Sure, we don’t have any privacy any more. Google didn’t ask her for permission
to use her name, or probably even ask permission to include the newspaper article
in its search engine. It just crawls the web and grabs information. But you sure
have to sign a user agreement to use their services.
3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?
We’re trying. They already have employee training and it’s part of the culture here.
We’re hoping to add our own cyber security training to it very soon. Boy were they
surprised when the boss told them that there was such a thing as information
security ethics that were separate from the usual ethics they were worried about.
4. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?
Not for the most part, although there are some places where they address not
taking company information home. That’s a start. But we have a long way to go.
5. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?
Well I know we have a lot of gaps. If we didn’t, we wouldn’t have a huge program
to fix them. I also know I get hundreds of people every time I send out a phishing
email. I spend a ton of time on communicating out to the users, whether it’s
information about the program, lunch and learns, or other stuff we have going on.
And I do love to fake them out with those phishing emails! I figure the more
authentic they are, the better the lesson I am teaching.
6. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?
Well, take this poor girl in the example you showed me. God forbid anything
happen to us these days. We’ll have to hear about it forever. I can’t decide if that’s
a bad thing or a good thing in the long run. Maybe we are better off being exposed
for everything we are or are not. But that only makes sense in a society where
people aren’t so judgmental I guess? Otherwise you are just airing everyone’s
dirty laundry.
7. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?
8. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?
Sure, I have an ethical dilemma for you, and it’s one I face every day. It’s the
dilemma of oversaturating people with information in the name of “security”. We
have no real idea what’s enough and what isn’t. We are like overprotective
mothers telling our children not to go outside because someone might snatch them
up in a van. There are so many questions to think about when we put our
communications. How much is too much? What do we say to grab their attention
and not turn them off on the subject? And the real ethical problem at the root of it
all is that there is so much more to cyber security ethics that is not defined yet, so
we are making a lot of this stuff up on the fly. Is that really ok?
Khaled is a consulting cyber security threat analyst for a Fortune 500 security company.
After a military career focusing on information technology, Khaled has moved to the private
sector to track down cyber-terrorism actors and protect clients from their threats. He has
asked that more information not be included to prevent social engineering of his identity.
1. After reading the case study, what are your initial thoughts?
That’s pretty fucked up shit right there. That’s why I’m not on Facebook, LinkedIn
or none of that stuff. I don’t need people social engineering me trying to figure out
what kind of cereal I like.
Yes and no. I use data every day to predict threats to my clients, so how different
am I really from Facebook? Maybe it’s the reason I am doing what I do versus
the reason they are doing what they do. I’m trying to fight crime and these assholes
are out here trying to sell me a new car the day I break up with my girlfriend.
3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?
I don’t talk to my employer much. They let me do my thing and don’t bother me.
Since I am a consultant, we don’t worry about that stuff – if I don’t like what’s going
on with them, I’ll just go get my paycheck from someone else. I do know one thing,
though. When you are working in a company full of hackers, you know shit is going
to be on the level.
4. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?
5. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?
One thing we always do is have a secure portal for customer documents, we don’t
share them over email. That’s just a safety thing – if customers want to email them
around, they are welcome to do so, it’s their information. But we are not going to
be responsible for that.
6. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?
Like I said before, I am not on Facebook, LinkedIn, Twitter or any of that shit. I
don’t want them having my information. So I’m already better off than most people
when it comes to data privacy. I have a separate email account, separate bank
account and separate credit card I do all of my online stuff with, so I know easily if
there is a security problem. And if there is, it won’t affect me the way it would other
people. Even with all of this though, some people still have my social security
number because I have a loan on my house and on my car, so it’s not airtight. You
know people can look up the social security numbers of dead military and forge
accounts using that shit? They usually don’t hold up long, but any length of time
is enough for skilled actors to do bad things.
7. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?
I think I’ve made that pretty clear at this point. I could tell you a hundred stories of
people getting socially engineered and not having the first clue about it. With that
story you showed me, it’s like Facebook is saying, “well everyone else can do it”,
so they are doing it, too. That doesn’t make it okay…what if everyone else DID do
it? Facebook would be pissed and probably try to patent or license their technique
for invading your privacy. Like I said, it’s fucked up!
8. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?
I’ll tell you a story about social engineering and ethics. Like I said, I have a hundred
of them. So I knew this guy out at Siemens. He was in their cyber security
department. This guy puts every little piece of cyber security training he’s gone
through with Siemens out on his LinkedIn. You know what that tells a skilled actor?
These are the possible attack vectors with Siemens. Else, why is the guy going to
get training in them? Sure, he might just be going to get training to get training,
but chances are companies are not going to pay for a laundry list of training for a
guy when they are getting nothing in return. Chances are that if the guy has gone
and gotten training in PKI cert setup, that the company is weak there and it can be
exploited. People don’t think about shit like that, Rich. They dump as much
information as they can out on the Internet and wonder why some guy is running
around buying a bunch of shit with their credit card one day. Or why their computer
is so damned slow and always churning when it’s brand new – it’s probably infected
with some garbage they picked up while they were on a porn site.
The ethical question is how do you function in today’s society without giving up
some information, and how much is too much? How do we decide, when there
are no real rules out there to tell us what’s right and what’s wrong? Cyber security
is about protecting data and responding to incidents. There is not much out there
that says “do this, but don’t do this, because XYZ will happen”. The threats are
always changing, so the industry needs to figure out a way to put some guidelines
in place that can change with it, instead of having to update their basic shit every
month.
DISCUSSION
Around a year and a half ago, I was passed up for a promotion to manage the Project
as to why I was not chosen, and in fact, the hiring manager told me he thought he may
be making a mistake by hiring someone else. Still a part of the PMO, I received the new
PMO manager’s resume by email to get an idea of his background. It took only a glance
to see that this candidate had relatively little relevant experience, but he did have an “Ed”
next to his name. Regardless of “fitness for the task”, I had no college degree. It was at
that moment that I decided to never again let that be a determining factor in my career
path into executive leadership. It was only a few weeks before I enrolled into the
Organizational Leadership program with ASU, and the only reason it took me that long
My hope for every class I’ve taken is that I am not spending money on something I could
have learned by buying a book and just reading it. I have tried to be an empty cup and
go into each class with an open mind, which is harder to do the older we get. I can
unequivocally say, without hyperbole, that this Organizational Ethics course has been the
most enlightening course I have taken so far at ASU. My cup started empty and has been
refilled each week, though there have been some challenges to overcome. It is with this
With the eventual goal of a technology-related CxO role with a company that is doing real
good in the world come challenges that arise when people and technology meet. The
nebulous matter of cyber security ethics is no exception. No matter how far removed from
cyber security a technology issue may seem, there is always a data-related element to
the employment of said technology. That there is data involved means that data must be
secured, and so the need for information security in some way will apply. As information
is absorbed into the Internet like water into a sponge, an application of cyber security
Throughout this paper, one may notice the terms “cyber security” and “information
security”. While these are often used interchangeably, to those in the industry, they are
tree and forest. The forest of cyber security goes beyond the boundaries of traditional
information security to include not only the protection of information resources, but also
that of other assets, including the person him/herself. In cyber security, the human factor
attack. This additional dimension has ethical implications for society as a whole, since the
responsibility (von Solms & van Niekerk, 2013, p. 1). Being in complete agreement with
this viewpoint is perhaps why I gravitate toward Kant’s theories on duty and social
contracts. However, that does not mean other ethical perspectives have fallen by the
wayside in the commentaries on each presented ethical case. It is our ethical duty to
present other viewpoints in contention to our own, else we cannot make credible
judgements.
For example, each interview conducted brought to light points I had not considered during
views, citing their agreement in terms of what is useful to arrive at what action to take, Mr.
Faxon went straight for the perspective of the dominant managerial model in his answers.
As an executive, seeing those with power cling to it and profit from it (including himself),
he has a perspective that I likely will not possess until I reach the executive point in my
career. In his words, “I’m not one to shy away from money personally, but if we want to
be empowered to make the right moral decisions, maybe we need to figure out another
way to be bonused out so we don’t think about company profit over what’s right.”
power structure. His was that of someone near the center, yet his view makes perfect
sense.
Mr. Faxon also brought to light an ethical perspective on our responsibility to protect our
technology that transmits data, such as a laptop or an iPhone. He views transmitting data
across platforms when we do not protect our side as an unethical practice, because we
are not taking care of our end of the contract implied when we connect to someone else.
It reminds me of the town gossip that runs around telling everyone they can about other
people’s business, without any type of filter as to what is said. Some of that information
can be horribly infectious. The same goes for us when we spread a virus that could have
been prevented with the proper protection. I completely agree with his perspective, and
am glad to see he has taken that dilemma out of the hands of the user by enforcing cyber
In contrast, the interview with Mr. Kauffman was much more aligned with my commentary
regarding Case 2. We both agreed that the company producing the bear that transmits
what children say to it over to parents via their private cloud is lacking in moral character.
While I have the advantage of being able to frame it in the context of virtue ethics, David
nailed it when he said that the company was “a wolf in sheep’s clothing”, adding “I’d say
you don’t need a recording bear sitting around the house if you’re a kid.” He sees the
issue as one of data privacy from the adult’s perspective (agreeing with the end-user
agreement and surrendering their right to private information), as well as from the child’s:
“if you’re a good kid, that’s just one more piece of privacy that you’re losing” (Personal
communication, 2017).
Gwen Morgan’s interview was a bucket of cold water to the face. Every time I chat with
her, she gives me nuggets of detail that are just fascinating, and this interview was no
different. We came down on completely different sides of the fence on whether Google
should process a woman’s request to be removed from their search engine in Case 6.
Surprisingly, I felt compelled to lean more towards the utilitarian viewpoint, though
deontological arguments asking “if everyone did it, is it still ethical” seem to apply as well.
Gwen answers these by noting “Google is the world’s biggest gossip” (Personal
communication, 2017). She feels as though they have outreached their morality in terms
of data manipulation. I can’t say that she’s entirely wrong, either. Ethics should be called
“the study of what’s both right and wrong at the same time.”
Finally, Khaled. I knew what I was getting into when I interviewed him, and I wanted his
unique perspective. Khaled would not allow me to divulge his entire name, as he feels this
document may at some point enter into the Internet ether and somehow become socially
should probably listen to him, regardless of how paranoid it may seem! Khaled was able
goals. Yet, at the same time, he sees the lack of morality in Facebook’s intent versus his
own: “I’m trying to fight crime and these assholes are out here trying to sell me a new car
the day I break up with my girlfriend.” (Personal communication, 2017). He has a valid
point. While I approached Case 3 with a rule utilitarian lens, weighing the consequences
of adopting a rule exemplifying that action that applies to everyone (Donaldson &
Werhane, 2008, p. 5), Khaled was decidedly Kantian in his response, speaking (candidly)
To me, the sum of these additional insights makes them more valuable than if they each
via Donaldson and Werhane (2008): “we can only know what a man thinks if he tells us
his thoughts, and when he undertakes to express them, he must really do so, or else
there can be no society for men” (p. 110). The purpose of conversation is to exchange
information, and if I am not learning anything other than what I already know, how ethical
With cyber security evolving at the speed of technology, perhaps the one approach that
was not discussed in this paper is the one that pairs best with this change velocity:
Dewey’s approach to pragmatism. As the lines of what are “good” and “right” blur at the same
rate as the line between technology and man is blurred, embracing an ethical philosophy
that eschews traditional boundaries for the achievement of a way of living that enables
ethical conduct (Donaldson & Werhane, 2008, p. 88) should be our goal. Pragmatism at
its base identifies ethical responses within the context of each situation, rather than
applying hard and fast tenets to all. Cyber security walks the fine line between privacy
versus security, generally requiring the application of context to define what is best for
any situation. Cyber security is also more of a framework and approach to securing data
and the people that utilize it. Therefore, it only makes sense to employ an ethical model
that is, by its very definition, a pragmatic approach to framing ethical situations with the
goal of harmony for all involved. It is with this tool in the ethical toolbox, along with many
others I’ve found as a result of our course, that I will continue down my career path to
REFERENCES
10. Raicu, I. (2016). The “Goodbye Fears Monster”. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/the-goodbye-fears-monster/
11. Raicu, I. (2017). Targeting a Broken Heart. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/targeting-a-broken-heart/
12. Tan, J. (2015). May the Truth be with You. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/more/engineering-ethics/engineering-ethics-cases/may-the-truth-be-with-you/
13. von Solms, R., & van Niekerk, J. (2013). From information security to cyber
security. Computers & Security, 38(97), e102. Retrieved on February 23, 2017 from
http://www.profsandhu.com/cs6393_s16/solms-2013.pdf