
Running head: A PROFESSIONAL ETHICAL ANALYSIS 1

A Professional Ethical Analysis:

Ethics in Cyber Security

By

Rich Mumley

Arizona State University

February 28, 2017



INTRODUCTION

This paper covers just a few of the many ethical dilemmas facing the world of cyber

security. Leadership in the cyber security realm is made more difficult because of ethical

issues that increase in complexity at the same rate as new cyber-based threats enter the

world. Chief Information Security Officers (CISOs) often do not last more than a couple

of years with any one company because of data breaches, be they known or unknown.

In my current role as Program Manager of a large-scale cyber security program, I am in

a unique position to gain wisdom from the executive, administrative, and technical

viewpoints of cyber security-related ethical dilemmas we face every day.

Initially, this paper presents a review of six case studies faced in the world of information

technology. Commentary on these six case studies will provide insight into ethical

theories applied to these quandaries. After these six case studies comes a series of four

interviews, designed to mesh real-world cyber security expert opinion with four of the six

cases. In closing, a discussion is presented which summarizes synthesized insights from

the presented case studies, interviews, and overall impressions from the Organizational

Ethics course.

REVIEW OF CASE STUDIES

Case 1: Data Collection: “Harvesting” Personalities Online

Raicu, I. (2016). Data Collection: “Harvesting” Personalities Online. Retrieved on
February 20, 2017 from https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/data-collection-harvesting-personalities-online/

A recent MIT Technology Review article details the efforts of a big data analytics

company named Cambridge Analytica, which claims to use behavioral science insights

in helping political candidates tailor their campaign messages according to the recipient’s

“personality.” “Like other big-data analysis companies,” the article notes, “it categorizes

voters on the basis of demographics and issues, but it appears to be the first to add

personality typing to the mix. The company says it has assessed the personalities of all

190 million registered voters in the United States.”

And how were those personalities assessed? According to the article, which is titled “How

Political Candidates Know If You’re Neurotic,”

Cambridge Analytica administers… questionnaires online, promoting them using ads
that promise to tell you the relative weight of your personality traits. The company says
it has used these tests to “harvest” the personalities of several hundred thousand
Americans. Even if you haven’t taken one of its tests, the company categorizes you
by extrapolating. It concludes that you tend to be, say, agreeable or neurotic by
matching statistical profiles made up of as many as 5,000 commercially or publicly
available data points about you to the statistical profiles of people who actually took
the personality tests and came out as agreeable or neurotic and so on. (It will not
discuss the particulars of these statistical matches but says the data come from
consumer database companies including Acxiom, Experian, Infogroup, and Aristotle,
as well as the Republican Party’s voter file.)

Before answering the questions below, please review this article about ethical decision-

making, different ethical perspectives, and the considerations that we should keep in

mind when faced with ethical issues.

Is the company’s personality-“harvesting” method ethical? Why, or why not?

Should people who attempt to answer the questionnaire be advised, ahead of time, that

the data collected from those questionnaires will be used to improve the targeting of

political messaging?

In terms of disclosure, here’s what Cambridge Analytica’s Privacy Policy currently

includes under the header “How will we use information about you?”: “The information we

collect will be used in order to gain insight into the behavior of the whole population. We,

or our research partners may contact you for direct marketing or research purposes.” Is

this disclosure sufficient? Why, or why not?

Consider the process of matching the profiles of questionnaire-takers to statistical profiles

of other people who don’t choose to answer such questionnaires (profiles based on

“commercially or publicly available data points” about those others). Is the assessment of

personalities by extrapolation ethical? Why, or why not? If you do have concerns about

this practice, are they rooted in perceptions of fairness? The question of autonomy?

Privacy rights? Other?



Commentary: This case was chosen because the methods of Cambridge Analytica fail

the tests of deontological business reasoning. Donaldson and Werhane (2008) ask three

questions in the moral evaluation of business (p. 9):

1) Are the rules fair to everyone;


2) Do the rules hold universally, even with the passage of time; and
3) Is every person treated with equal respect?

Let us answer these questions. Part of this dilemma is that existing rules regarding data

protection are often vague and unable to evolve at the speed that data miners can

circumvent these rules. There is no protection against creation of data using extrapolation

methods. These extrapolations are assumptions made by the companies based on a

smaller sample size, and are a quite common research method. And to those companies

rationalizing this creation of data, that is their rationale. However, this created data

becomes a very different thing when it is attached to your name, and that is where an

ethical violation occurs. These rules of data creation are not fair to everyone. The data

is no longer anonymous as it would be in conventional research methods, and you did

not give your permission for it to be collected, and therefore your privacy has been

breached.

We learn in Hypponen’s Three Types of Online Attack (2011), “any right we give away,

we give away for good.” If we do not combat this type of data aggression and treat it as

what it really is, which is libelous if false and theft if true, we are in essence allowing it to

happen. If we do so enough, we will never get that privacy back, as it will become more

and more common. The rules do not hold universally right now, but they just may if this

behavior is allowed to stand. As for the third rule asking if all persons are treated with

equal respect, that answer is self-evident. Creating data attached to personal information

based off of data collected by questionable means has no manner of equality or respect

attached to it.

Case 2: The “Goodbye Fears Monster”

Raicu, I. (2016). The “Goodbye Fears Monster”. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/the-goodbye-fears-monster/

You might know (or remember) that some little kids find it difficult to fall asleep at night

because of various fears that prey on them in the quieter, darker pre-sleep environment.

The “Goodbye Fears Monster,” a new toy currently under development by the Metell toy

company, is designed to respond to those fears. The furry, teddy-bear-like “Goodbye

Fears Monster” (we’ll refer to it as “GFM” for short) is soft, roly-poly, and comes in a

variety of colors; what makes it unique, however, are its interactive features. The toy is

designed to “listen” and respond to a child who speaks to it.

When a fearful child is about to go to sleep, he or she is supposed to press GFM’s belly

button (which is, actually, a button); that action turns on the toy’s microphone (which is

hidden by its fur). The child is then encouraged to tell the “monster” all of his or her fears.

Once the child stops speaking, the monster replies, “I will eat all of those fears! Nom nom

nom. There. They’re gone. Are you worried about anything else?” The process is

supposed to repeat until the child says he or she has no more worries to detail. At that

point, GFM gently replies, “Well, then, now we can close our eyes and go to sleep in

peace”—and turns off the microphone.

The child’s statements are recorded, and all of the recordings are made available to the

child’s parents (they are sent directly to the child’s parents’ phones, via a companion app).

Marketing materials that accompany GFM tell prospective customers that:

• the interactive toy will allow young children to express fears that they might not
  otherwise disclose to anyone;
• reassured by their fears being “eaten” by the friendly toy, children might sleep
  better (which, of course, would allow parents to sleep better, too);
• the recordings will give parents new insights into their child’s thinking.

The Metell company also promises to share the recordings (at no cost) with child

psychology researchers, in the hope that the data collected will promote the development

of new therapies or other methods to alleviate common childhood fears.

As part of the promotion of this new (rather expensive) toy, the toy makers propose to

distribute free GFMs to children living in homeless shelters throughout the San Francisco

Bay Area.

What ethical issues do you spot in this scenario? How might these issues be perceived

through the ethical prisms of utilitarianism, rights, justice, virtue, and the common good?

Commentary: This case reflects a classic example of public good for potentially

unscrupulous private means. The Metell company is clearly housing the data in their

private data cache, as they “promise to share the recordings (at no cost) with child

psychology researchers”. They are also giving these recording bears away to children

living in homeless shelters. What a generous company! They must not understand that

businesses are meant to make money. Unless they have another way to bring in revenue,

that is. That revenue stream is your data, the analysis of which can sell for millions

because of its potential alone. Once we download the app onto our phone, agreeing to

forgo our right to the privacy of this data in exchange for the service provided, Metell owns

the information.

In Ethical Issues in Business, Donaldson and Werhane (2008) tell us of Aristotle’s theory

of virtue ethics, noting: “in action where a choice is possible, one exercises moral virtue

by restraining harmful desires and cultivating beneficial ones” (p. 10). In other words, it

is not just the action, such as building a cuddly bear to help kids get over their fears, that

defines the ethical standard. It is in the intent that the character of the actor is revealed,

and this is where Metell fails the ethical test. Were this company “doing the right thing”

in terms of data privacy, they would not be capturing data at all. There would be no app

to download, and there would be no request to waive right to data privacy in the name of

getting to know your child better.

Case 3: Targeting a Broken Heart

Raicu, I. (2017). Targeting a Broken Heart. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/targeting-a-broken-heart/

On February 3rd, Facebook’s “People Insights” blog published a post titled “What Mends

a Broken Heart on Facebook.” In it, the company’s researchers detailed insights that they

had gathered by examining “how the break-up moment influenced the online behaviors

of people across France, the Netherlands, Poland, the United Arab Emirates and the

United Kingdom who indicated on Facebook that they recently went through a break up.”

One of their findings was that “there could be a gap between the break up itself and the

Facebook post announcing it. During the two weeks before and the two weeks after their

break-up announcement,” they explained, users “accepted more than one invitation to an

event 40% more than [during] the 60 days before and 60 days after their announcement.”

The researchers also noted that “’Healing,’ ‘detox,’ ‘drowning sorrows,’ ‘binge watching’

and ‘suffering’ are just some of the words and phrases that are more pronounced in men’s

posts before they mark themselves ‘Single.’ The same types of words and phrases are

more pronounced in women’s posts on the actual day of their announcement.”

As to what helps people get over a breakup, Facebook researchers wrote that “[g]aining

new experiences… seems to be more therapeutic than buying things.” Under the

subhead “What it means for marketers,” the post then asks, “How can brands be a part

of the journey to help mend people’s broken hearts?” Suggested answers include

“Empathize with them” and “Offer them new experiences.” The post concludes by

encouraging potential Facebook advertising clients: “Tracking signals of intent to travel,

experience new things or take up a new hobby can help you reach this group with a

relevant ad at the right time.”

Is it ethical for Facebook to mine its users’ posts for signals that those users are about to

go through a break up? Is it ethical for the company to then help its clients target their ads

based on this research?



Is what Facebook is doing different from what other companies do?

How might Facebook’s actions be perceived through the ethical prisms of utilitarianism,

rights, justice, virtue, and the common good? For more on those perspectives, see

“Thinking Ethically.”

Commentary: While this case and “Goodbye Fears Monster” have quite a few

similarities in terms of virtue ethics applications, this case was chosen to represent how

utilitarianism can be slanted to appear logically sensible, but ultimately fallible when

applied to the cyber security world. As long as the public at large allows companies like

Facebook to stand on the argument that they are doing us a favor with analytical studies

such as this one, seemingly to help us make better choices (buying products?) and

therefore maximizing our happiness, these companies will continue to push our data

boundaries.

The day I went to Amazon to look at a wrench, then logged into Facebook and saw an ad

for the same wrench was, well, a heart-wrenching day. I had seen the movie Minority

Report just a few weeks before that, where the main character, John Anderton, is hounded

by personalized ads from every direction as he walks around the city. These ads all

gather his identity by scanning his eyes, which are just a different method of bio-

identification, like fingerprints. I thought this concept was disturbing, but a ways off due

to the technology involved in eye-scanning.

Little did I realize, my keyboard was serving as those eyes, and just by the act of walking

around the Internet, I was getting my eyes scanned everywhere I went. Advertising

companies, from the dawn of their existence, have always justified themselves by saying

they “help people”. A utilitarian concept, to be certain. But even in utilitarianism, there is

conflict with this approach. An act utilitarian measures consequence in terms of how

much perceived good they will do (Donaldson & Werhane, 2008, p. 5). Yet, a rule

utilitarian in our case above would contradict this data collection activity by applying the

question of how much good the activities of Facebook would do if everyone took that

same approach as a rule. Suddenly, Facebook itself is subject to the same data

mining, and would be fighting against just how “good” the practice really is!

Case 4: A Violation of Privacy

Bartlett, C. (2015). A Violation of Privacy. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/more/engineering-ethics/engineering-ethics-cases/a-violation-of-privacy/

Marcus is a computer engineer who has recently developed an app which helps users

keep track of medical information, doctor’s appointments, and prescriptions.

Information about the user is stored in this app, including what prescriptions they are

taking and how frequently they schedule doctor’s appointments. As the developers of the

app, Marcus and his company have access to this information.

The marketing department requests Marcus supply them with customer-specific

information so they can better target ads and app suggestions to the users. Marcus

understands that he is part of a company, but also feels that the privacy of the app users

should be protected. Additionally, Marcus feels that as an engineer, he should be

responsible to those who use his technology.



How does Marcus determine how much of the user’s information should be shared with

marketing? Is this an ethical use of information or a violation of the user’s privacy?

Commentary: This case was chosen to illustrate where laws and statutes that apply to

conventional records privacy, such as HIPAA, get a bit gray in terms of data mining and

application of business analytics to that data. While HIPAA does a great job of outlining

what constitutes personal health information, and when it can and cannot be shared with

varying degrees of consent, it does not explicitly cover data used for mining that is not

disclosed outside the company warehousing the data itself. Technically, no data has

been shared outside of the company, so privacy has not been violated by the letter of the

law. However, the gray area exists as to whether the marketing department of a company

constitutes an “outside entity” or must always be considered a part of the company

itself.

To sift through this ethical gray area, we can use theory about the Dominant Model of

Managerial Capitalism presented by R. Edward Freeman in Ethical Issues in

Business (Donaldson & Werhane, 2008). This passage postulates that the dominant

model is centrally-focused on shareholders, as the marketing department in our case is

by its insistence on trading information for revenue. While Freeman tells us that the

dominant model is resistant to change because, basically, people like money and don’t

want to give up their potential to make more of it, he does provide basis that this dominant

model is also not consistent with the law. “The law has evolved over the years to give de

facto standing to the claims of groups other than stockholders” (pp. 40-42). The law

sides with the consumer in cases such as this, not with those whose interest is first and

foremost to enrich shareholders. In the case above, Marcus is feeling compelled to

represent the interests of the consumers, and he has every right to do so.

Case 5: May the Truth be with You

Tan, J. (2015). May the Truth be with You. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/more/engineering-ethics/engineering-ethics-cases/may-the-truth-be-with-you/

Catherine is a new hire at a startup that produces LCD displays for large venues, such

as shopping malls. Part of her job requires her to troubleshoot malfunctioning displays.

One day, a shopping mall reported that two display units out of twelve had stopped

working from their installation three months prior. The customer also noted serial and

revision numbers on the two units were different from the rest of the units.

At the job site, Catherine inspected the displays and realized her company had sold units

that were from a bad batch (i.e. group of displays that did not have over 50% yield during

manufacturing). Catherine wanted to tell the site why the units failed, but recognized that

if she disclosed this information, the site would be eligible to receive replacement displays

at no additional cost. On the other hand, if she blamed the failing units on a weaker cause,

such as improper installation, her company would be able to charge the site for

replacement units.

Catherine knew her manager would want her to choose the option that would minimize

the company’s losses; however, she wanted to be honest with the site as they were one

of the company’s best customers. What should she do?



Commentary: In this case study, our protagonist need only ask the Kantian ethical

litmus: “could I wish that everyone in the world would follow this principle under relatively

similar conditions?” (Donaldson & Werhane, 2008, p. 8). If everyone in the world lied

about the reasons for poor quality in their products, then the quality of the products

produced could never be trusted. Consumers would cease to purchase these products,

and those companies that practiced the untruthfulness would fold. Therefore, it is ethical

practice to tell the truth about quality issues and work to remedy their infractions.

Consumers must be able to trust the quality of the goods they provide.

In addition, we can take a consequentialist approach here and ask ourselves what good

it does to lie when the truth may well be found out down the road, especially if there is

some sort of data trail about the situation. The possibility of losing a small amount of face

with one customer, versus the potential of a public relations ripple caused by nefarious

dealings that get pushed out to social media seems like an easy choice from this utilitarian

perspective as well.

Case 6: Removing a Search Result

Raicu, I. (2015). Removing a Search Result. Retrieved on February 20, 2017 from
https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/removing-a-search-result-an-ethics-case-study/

Sometime in the early 1980s, a woman is raped, and a suspect is caught. The woman

decides to allow her name to be used in media coverage of the attack because she wants

to combat the stigma that rape victims face. She is young, and she wants to be brave.

The trial of the suspect garners some coverage in the local media but none beyond that.

The accused suspect is convicted and goes to prison.

The woman struggles with the trauma of the experience, but moves on. Her job takes her

to Europe, where she gets married; while she lives in London, she returns to her

hometown in the U.S. to visit family multiple times each year. Thirty years later, her family

members and her oldest friends know that she was once raped, but her employer, co-

workers, neighbors, and more recent friends do not—or, at least, she doesn’t tell them.

One day, however, in 2015, she reads an article that advises readers to Google their own

names in order to see what others would see if they were to run such a search (as

employers, doctors, and other people increasingly do). She does that. She finds that the

third entry that comes up in the Google search on her name is an article from her

hometown’s local newspaper, written during the rape trial, detailing the rape case. Her

name, of course, is included in the article.

The woman is upset; after all these years, she would like to be able to disclose her rape

when and if and to whomever she wants. She has heard about a recent decision of the

European Court of Justice, which allows individuals residing in Europe to submit requests

to Google asking the company to remove certain results from searches on their

names (not all searches—only those involving their names as search terms), if those

results are inaccurate, irrelevant, no longer relevant, or “excessive in relation to the

purposes of the processing.” The ruling requires Google to also consider the public

interest in retaining the particular result in the search, as it decides whether or not to fulfill

each individual request.



The woman submits Google’s online form to request the removal of the link to the article

about the rape trial from searches on her name.

Should Google comply? What are the factors that shape your decision?

Commentary: Our final case study focuses on an issue that every single person on the

planet faces. You can live your entire life “off the grid”, but if you interface with the public

in any way, you are in danger of being in a search engine somewhere. It could be a photo

of you taken in a subway, or a piece of gum with your DNA on it that was left on a garbage

can. Unless you live your entire life in solitude and are declared legally deceased, you’re

in someone’s database, somewhere.

Such is the situation with the woman described in this case. On one hand, Google has

posted a policy to which they adhere for removing information from their engine, and

the woman’s request meets none of its criteria. The posting is of a periodical, not of

the woman herself. When she made the decision to put her name in the newspaper, she

forfeited the right to privacy of the situation that the article described. That the information

is more easily searchable is irrelevant. A company could hire a private investigator that

could have found out the details of her situation with standard investigation tactics of

finding previous addresses in public records databases and cross-referencing newspaper

articles with those cities. It is much easier than people think. The search engine just

makes it easier. I do hate to side with the big guy in this case, but I can’t help but do so.

Google’s mission statement is “Don’t Be Evil”. In this situation, they are right if they

choose not to remove it as one cannot unprint a newspaper or unwrite a book – keeping

the information online is not an evil act.

Should Google choose to remove it, that may set a precedent against journalistic integrity

that would go against both Kantian and utilitarian approaches. Journalistic integrity is a

social norm because people have the right to access information that is public domain. If

we start removing information from the ether, however painful the information may be to

one person, the basis for providing that information – that it is public domain – is violated.

From a Kantian standpoint, if all began removing information, we would soon have no

information left, so that is not a logical approach. From a utilitarian perspective, the

information is there for the greater good of humanity, albeit at the expense of a single

individual.

METHOD

Four interviews were conducted, each referencing a case outlined in this paper.

Interviewees were chosen based on their exposure to information technology in general

and cyber security specifically in their professional careers. They were also chosen

based on their representation of varying backgrounds outside of IT, as well as diversity

of demographics.

Questions open with a query of the interviewee’s opinions on the referenced case to gain

an understanding of their viewpoint. Numbered pieces of paper, 1-6, were placed in front

of the interviewee to choose from, removing any interviewer-case bias. While starting out

broadly, questions focus down to case specifics and their ethical quandaries. Finally,

each subject is asked to relay a personal experience related to the case, or present

another ethical dilemma along the same theme that they have had to overcome. This line

of questioning allows the interviewee to warm to the subject matter without directing the

conversation towards any one ethical theory or viewpoint, yet still providing a body of

opinion on the ethical situations within the cyber security realm.

1. After reading the case study, what are your initial thoughts?

2. Does the situation alarm you in any way? If so, why?

3. Can you tell me about your current company’s approach to ethical conduct
policies and how you view those efforts?

4. Do you feel as though your personal data and privacy are a part of this ethical
code of conduct? Why or why not?

5. Knowing what you know about your company’s security posture, tell me about
your job and how this posture (or absence of it) affects you?

6. How secure do you feel that your data and privacy are in the world as a whole?
Why do you feel that way?

7. Looking back at the ethical case you read, can you make any connections
between it and your thoughts on cyber security at work or home?

8. Can you share a personal experience that relates to the case you read, or think
of a related ethical dilemma in which you’ve been involved?

RESULTS

The following are the results from the interview sessions with the four participants:

Interview 1: James Faxon

Mr. Faxon is the Chief Information Security Officer (CISO) for a leading precious metals

mining corporation. He has been with the company in this capacity for nearly two years.

His career in cyber security began as an infrastructure engineer for a Fortune 500

aerospace company, where he progressively rose to the role of Director of Infrastructure

over the course of his tenure. James completed his MBA at SMU in Dallas, Texas, and

has a well-rounded educational background in information and cyber security.

Case Referenced: Case 5 – May the Truth be with You

1. After reading the case study, what are your initial thoughts?

This lady, Catherine, is in a situation many of us face every day. Especially at the
executive level. The higher up you go in a company, the more you are asked to
make decisions in the name of profit, but at the expense of morals. It isn’t always
a direct ask of you, but it’s there. As long as we are compensated bonuses based
on our profit center’s performance against budget, it’s always going to be there. I
hate to say it, because I’m not one to shy away from money personally, but if we
want to be empowered to make the right moral decisions, maybe we need to figure
out another way to be bonused out so we don’t think about company profit over
what’s right.

2. Does the situation alarm you in any way? If so, why?



Not really. Well, except that the lady in the story is also stuck in the situation where
she is looking for approval from her boss to possibly continue on with her career.
So, for her, it’s getting the double-whammy of screwing a customer over and lying
to them, but she also isn’t sure if she should bring this up to her boss or not. The
boss might get upset that she was thinking of acting unethically in the first place –
who knows?

3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?

Our company is very serious about ethical conduct, to the point that we have
training seminars for employees and the employee handbook addresses it and
requires sign-off. These are all great, but when I came in here as the CISO, it
became apparent very quickly that we did not have the information security side
of the house in check when it came to ethics. Hell, there wasn’t even an
information security group before I got here – they had gotten rid of everyone. So,
it’s understandable. But, part of what we are doing here is maturing processes
and how to respond in questionable situations is a rising concern people have
when talking about cyber security. We are working on some policies right now to
help people out, saving them from having to make decisions based on little or no
information.

4. <Added> What is an example?

An example would be having an acceptable use policy that the user has to click
and acknowledge before they can remotely access the company. This policy
states that they must have virus scanning on their machine, and checks to see if
it’s there. If it isn’t, the connection is rejected. People don’t realize that connecting
to another data source without protecting your computer is actually a breach of
information security ethics. You are not doing your part to protect the data going
to and from your computer without virus scanning on your machine. Just about
anyone that uses a computer knows about viruses, so it is irresponsible not to
protect yourself and others. With our acceptable use policy, we take that problem
out of the users’ hands so they have one less thing to worry about. It also keeps
our data safer in the process.

5. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?

It would be hard to sit here as a CISO and say that it isn’t, especially with what I’ve
already said.

6. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?

That’s an interesting question because I have a pulse on a great many of the
vulnerabilities we have around here. But that isn’t the scary thing. What worries
me is what we don’t know about. A year ago, we didn’t know that some of our
phones were compromised. That was a fun day... getting called by the FBI and
being told your phones have been breached.

7. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?

The world is a scary place. It’s like in “Men In Black”, where Will Smith goes on
the interview at the beginning and sees the aliens in the coffee room. After that,
his whole world changes. Sometimes I wish I were more ignorant about data
protection, but then I ask myself, knowing what I know, could I ever go back to just
handing over my information to any yahoo that asks for it? No way.

8. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?

One thing I can think of is the possibility of Catherine’s situation to blow up in her
face if she lies to the customer. There will almost certainly be a data trail, whether
it’s email, texts, whatever. Whichever path she chooses, there will probably be
a record, so she needs to make sure she does what she thinks is right.

9. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?

What’s tough in the cyber security world is that we have to be very secretive,
sometimes lying in order to protect information that can be a risk if exposed. That’s
a lot like Catherine’s situation – she is faced with lying to protect her company’s
interests. The difference with her though is that she doesn’t seem to know for sure
how her boss would react if she were honest to the customer; she is just
speculating. Even though it says she knows her manager would want her to
choose the option that would minimize loss, I bet you that if she told her boss that
in an email, the boss would probably act as though they would never say such a
thing! That’s the power of a recordable, archivable medium. It gives us security,
but at the same time it takes away privacy.

Interview 2: David Kauffman

Mr. Kauffman has spent a thirty-plus year career in Information Technology, currently in

a senior management role with a Fortune 500 aerospace company. Over the course of

his career, he has excelled in Vice President, CTO and Director roles in IT management.

His undergrad studies in Computer Science were completed at LSU, with graduate

studies in Computer/IT Administration and Management at the University of Phoenix.


Case Referenced: Case 2 – The “Goodbye Fears Monster”

1. After reading the case study, what are your initial thoughts?

The path to hell is paved with good intentions. Or these guys are wolves in sheep’s
clothing. Pick your analogy. I don’t feel like this company - Metell or whatever –
has the right intentions in mind when there has to be an app involved to pull the
information through a phone. It can be done like a tape recorder on the bear. No
need to put it through the cloud unless you’re planning on keeping the data for
some other reason.

2. Does the situation alarm you in any way? If so, why?

Hell yes it does. Companies like this are springing up all over the place.
Pretending to be doing good, but it’s pretty transparent if you’re in IT what they are
actually up to. We all know the money is in the data these days. The bear could
be a break-even product and they’d still make millions selling the data to private
companies.

3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?

It’s pretty much cookie-cutter stuff here. Basically, we have an ethical code of
conduct that employees have to sign off on, but it’s not really engrained in the
culture of the company. It’s just another box they check to remove liability.

4. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?

No, we haven’t done anything specific for infosec or anything like that. We have a
disclaimer when people log onto their computers that they are using a company
piece of equipment and need to act accordingly, but nothing specific to keeping
data that’s on the machine on that machine. Instead we try to block methods of
moving data around, like people using google drive or personal email.

5. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?

Well, most of my time with infrastructure is spent chasing issues that come up
because of people doing stupid stuff on the network. Sometimes, it’s even my own
guys that are boneheads and not realizing it – they don’t put in change requests
and just change stuff, then it breaks and everyone goes nuts. That’s an overlooked
part of information security. We have processes for documentation for a reason,
and it’s not just because we get audited. Documenting changes we make keeps
us from making mistakes in the infrastructure that can open holes for the bad guys
to get in.

6. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?

I don’t trust anyone, but yet here I am giving my credit card to anyone online I want
to buy something from. You can’t get away from it anymore if you want to be a
part of society. I don’t like people a whole lot, so I don’t mind being a little bit of a
hermit sometimes, but I also like to eat and buy stuff. And since crime isn’t going
away any time soon, it’s safer not to carry cash, so I pay with a card anywhere I
can.

7. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?

I have two grown daughters, so I understand what it’s like to want to know what
they are thinking. Believe me, it would have been nice to have a little bear around
that I could play back and hear what they told it. But at the same time, they are
supposed to have an idea of what privacy is and I want them to have that. They
need to know that you need to keep some stuff private, because information has
value. As soon as you give up that valuable information, you lose it forever, so
you need to be really careful with what you share.

8. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?

When we were kids, we used to have a tape recorder that we’d tape stuff on and
play it backwards because we thought it was a trip. Well, we got braver and braver
about what we’d record, and decided to put some swears on it to play backwards
and see how they sounded. My aunt found the tape recorder and played our
swears, about knocked our teeth out for it, too. But we felt strangely betrayed, kind
of like people must feel when their journals are read. I’d say that’s why you don’t
need a recording bear sitting around your house if you’re a kid. It’s one thing if you
are a kid that’s off the rails and need to have an eye kept on you so you don’t raise
hell, but if you’re a good kid, that’s just one more piece of privacy that you’re losing.

Interview 3: Gwendolyn Morgan

Gwendolyn is a former police officer who serves in an organizational communications role

for a leading precious metals mining corporation. Her main duties include the

understanding, creation and dissemination of information technology related

communications and training materials. In her free time, Gwendolyn loves doing

volunteer work and traveling out of the country.


Case Referenced: Case 6 – Removing a Search Result

1. After reading the case study, what are your initial thoughts?

Figures that I’d get the one about the woman getting assaulted and I’m the only
woman you’re interviewing. I saw a lot of crazy stuff when I was a cop. It’s hard
to see people go through these sorts of things and not have some emotion about
it – that’s part of why I left.

2. Does the situation alarm you in any way? If so, why?

Sure, we don’t have any privacy any more. Google didn’t ask her for permission
to use her name, or probably even ask permission to include the newspaper article
in its search engine. It just crawls the web and grabs information. But you sure
have to sign a user agreement to use their services.

3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?

We’re trying. They already have employee training and it’s part of the culture here.
We’re hoping to add our own cyber security training to it very soon. Boy were they
surprised when the boss told them that there was such a thing as information
security ethics that were separate from the usual ethics they were worried about.

4. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?

Not for the most part, although there are some places where they address not
taking company information home. That’s a start. But we have a long way to go.

5. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?

Well I know we have a lot of gaps. If we didn’t, we wouldn’t have a huge program
to fix them. I also know I get hundreds of people every time I send out a phishing
email. I spend a ton of time on communicating out to the users, whether it’s
information about the program, lunch and learns, or other stuff we have going on.
And I do love to fake them out with those phishing emails! I figure the more
authentic they are, the better the lesson I am teaching.

6. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?

Well, take this poor girl in the example you showed me. God forbid anything
happen to us these days. We’ll have to hear about it forever. I can’t decide if that’s
a bad thing or a good thing in the long run. Maybe we are better off being exposed
for everything we are or are not. But that only makes sense in a society where
people aren’t so judgmental I guess? Otherwise you are just airing everyone’s
dirty laundry.

7. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?

Google is the world’s largest gossip. I wouldn’t be surprised in a few years if it wasn’t
set up to just tell you stuff about people based on what you’ve found interesting in
the past. It is getting pretty close already with it looking through your gmail account
and sending you ads based on what’s in there.

8. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?

Sure, I have an ethical dilemma for you, and it’s one I face every day. It’s the
dilemma of oversaturating people with information in the name of “security”. We
have no real idea what’s enough and what isn’t. We are like overprotective
mothers telling our children not to go outside because someone might snatch them
up in a van. There are so many questions to think about when we put our
communications. How much is too much? What do we say to grab their attention
and not turn them off on the subject? And the real ethical problem at the root of it
all is that there is so much more to cyber security ethics that is not defined yet, so
we are making a lot of this stuff up on the fly. Is that really ok?

Interview 4: Khaled (last name removed, or he would not do the interview).

Khaled is a consulting cyber security threat analyst for a Fortune 500 security company.

After a military career focusing on information technology, Khaled has moved to the private

sector to track down cyber-terrorism actors and protect clients from their threats. He has

asked that more information not be included to prevent social engineering of his identity.

Case Referenced: Case 3 – Targeting a Broken Heart

1. After reading the case study, what are your initial thoughts?

That’s pretty fucked up shit right there. That’s why I’m not on Facebook, LinkedIn
or none of that stuff. I don’t need people social engineering me trying to figure out
what kind of cereal I like.

2. Does the situation alarm you in any way? If so, why?

Yes and no. I use data every day to predict threats to my clients, so how different
am I really from Facebook? Maybe it’s the reason I am doing what I do versus
the reason they are doing what they do. I’m trying to fight crime and these assholes
are out here trying to sell me a new car the day I break up with my girlfriend.

3. Can you tell me about your current company’s approach to ethical conduct policies
and how you view those efforts?

I don’t talk to my employer much. They let me do my thing and don’t bother me.
Since I am a consultant, we don’t worry about that stuff – if I don’t like what’s going
on with them, I’ll just go get my paycheck from someone else. I do know one thing,
though. When you are working in a company full of hackers, you know shit is going
to be on the level.

4. Do you feel as though your personal data and privacy are a part of this ethical code
of conduct? Why or why not?

I don’t connect my computer or phone to the company network, so the conventional
stuff does not apply.

5. Knowing what you know about your company’s security posture, tell me about your
job and how this posture (or absence of it) affects you?

One thing we always do is have a secure portal for customer documents, we don’t
share them over email. That’s just a safety thing – if customers want to email them
around, they are welcome to do so, it’s their information. But we are not going to
be responsible for that.

6. How secure do you feel that your data and privacy are in the world as a whole? Why
do you feel that way?

Like I said before, I am not on Facebook, LinkedIn, Twitter or any of that shit. I
don’t want them having my information. So I’m already better off than most people
when it comes to data privacy. I have a separate email account, separate bank
account and separate credit card I do all of my online stuff with, so I know easily if
there is a security problem. And if there is, it won’t affect me the way it would other
people. Even with all of this though, some people still have my social security
number because I have a loan on my house and on my car, so it’s not airtight. You
know people can look up the social security numbers of dead military and forge
accounts using that shit? They usually don’t hold up long, but any length of time
is enough for skilled actors to do bad things.

7. Looking back at the ethical case you read, can you make any connections between it
and your thoughts on cyber security at work or home?

I think I’ve made that pretty clear at this point. I could tell you a hundred stories of
people getting socially engineered and not having the first clue about it. With that
story you showed me, it’s like Facebook is saying, “well everyone else can do it”,
so they are doing it, too. That doesn’t make it okay…what if everyone else DID do
it? Facebook would be pissed and probably try to patent or license their technique
for invading your privacy. Like I said, it’s fucked up!

8. Can you share a personal experience that relates to the case you read, or think of a
related ethical dilemma in which you’ve been involved?

I’ll tell you a story about social engineering and ethics. Like I said, I have a hundred
of them. So I knew this guy out at Siemens. He was in their cyber security
department. This guy puts every little piece of cyber security training he’s gone
through with Siemens out on his LinkedIn. You know what that tells a skilled actor?
These are the possible attack vectors with Siemens. Else, why is the guy going to
get training in them? Sure, he might just be going to get training to get training,
but chances are companies are not going to pay for a laundry list of training for a
guy when they are getting nothing in return. Chances are that if the guy has gone
and gotten training in PKI cert setup, that the company is weak there and it can be
exploited. People don’t think about shit like that, Rich. They dump as much
information as they can out on the Internet and wonder why some guy is running
around buying a bunch of shit with their credit card one day. Or why their computer
is so damned slow and always churning when it’s brand new – it’s probably infected
with some garbage they picked up while they were on a porn site.

9. <Added> So what’s the ethical piece to all of this?

The ethical question is how do you function in today’s society without giving up
some information, and how much is too much? How do we decide, when there
are no real rules out there to tell us what’s right and what’s wrong? Cyber security
is about protecting data and responding to incidents. There is not much out there
that says “do this, but don’t do this, because XYZ will happen”. The threats are
always changing, so the industry needs to figure out a way to put some guidelines
in place that can change with it, instead of having to update their basic shit every
month.

DISCUSSION

Around a year and a half ago, I was passed up for a promotion to manage the Project

Management Organization (PMO) of my company. There were no reasons given to me

as to why I was not chosen, and in fact, the hiring manager told me he thought he may

be making a mistake by hiring someone else. Still a part of the PMO, I received the new

PMO manager’s resume by email to get an idea of his background. It took only a glance

to see that this candidate had relatively little relevant experience, but he did have an “Ed”

next to his name. Regardless of “fitness for the task”, I had no college degree. It was at

that moment that I decided to never again let that be a determining factor in my career

path into executive leadership. It was only a few weeks before I enrolled into the

Organizational Leadership program with ASU, and the only reason it took me that long

was having to re-learn two years of Algebra in two weeks.

My hope for every class I’ve taken is that I am not spending money on something I could

have learned by buying a book and just reading it. I have tried to be an empty cup and

go into each class with an open mind, which is harder to do the older we get. I can

unequivocally say, without hyperbole, that this Organizational Ethics course has been the

most enlightening course I have taken so far at ASU. My cup started empty and has been

refilled each week, though there have been some challenges to overcome. It is with this

mental framework that I approached our final paper.

With the eventual goal of a technology-related CxO role with a company that is doing real

good in the world come challenges that arise when people and technology meet. The

nebulous matter of cyber security ethics is no exception. No matter how far removed from

cyber security a technology issue may seem, there is always a data-related element to

the employment of said technology. That there is data involved means that data must be

secured, and so the need for information security in some way will apply. As information

is absorbed into the Internet like water into a sponge, an application of cyber security

ethics is required for any technology in today’s world.

Throughout this paper, one may notice the terms “cyber security” and “information

security”. While these are often used interchangeably, to those in the industry, they are

tree and forest. The forest of cyber security goes beyond the boundaries of traditional

information security to include not only the protection of information resources, but also

that of other assets, including the person him/herself. In cyber security, the human factor

includes potential targets of cyber attacks or even unknowingly participating in a cyber

attack. This additional dimension has ethical implications for society as a whole, since the

protection of certain vulnerable groups (such as children), could be seen as a societal

responsibility (von Solms & van Niekerk, 2013, p. 1). Being in complete agreement with

this viewpoint is perhaps why I gravitate toward Kant’s theories on duty and social

contracts. However, that does not mean other ethical perspectives have fallen by the

wayside in the commentaries on each presented ethical case. It is our ethical duty to

present other viewpoints in contention to our own, else we cannot make credible

judgements.

For example, each interview conducted brought to light points I had not considered during

my commentary. While I approached Case 5 with both Kantian and consequentialist

views, citing their agreement in terms of what is useful to arrive at what action to take, Mr.

Faxon went straight for the perspective of the dominant managerial model in his answers.

As an executive, seeing those with power cling to it and profit from it (including himself),

he has a perspective that I likely will not possess until I reach the executive point in my

career. In his words, “I’m not one to shy away from money personally, but if we want to

be empowered to make the right moral decisions, maybe we need to figure out another

way to be bonused out so we don’t think about company profit over what’s right.”

(Personal Communication, 2017). My approach was that of someone outside of the

power structure. His was that of someone near the center, yet his view makes perfect

sense.

Mr. Faxon also brought to light an ethical perspective on our responsibility to protect our

technology that transmits data, such as a laptop or an iPhone. He views transmitting data

across platforms when we do not protect our side as an unethical practice, because we

are not taking care of our end of the contract implied when we connect to someone else.

It reminds me of the town gossip that runs around telling everyone they can about other

peoples’ business, without any type of filter as to what is said. Some of that information

can be horribly infectious. The same goes for us when we spread a virus that could have

been prevented with the proper protection. I completely agree with his perspective, and

am glad to see he has taken that dilemma out of the hands of the user by enforcing cyber

security compliance on company assets.

In contrast, the interview with Mr. Kauffman was much more aligned with my commentary

regarding Case 2. We both agreed that the company producing the bear that transmits

what children say to it over to parents via their private cloud is lacking in moral character.

While I have the advantage of being able to frame it in the context of virtue ethics, David

nailed it when he said that the company was “a wolf in sheep’s clothing”, adding “I’d say

you don’t need a recording bear sitting around the house if you’re a kid.” He sees the

issue as one of data privacy from the adult’s perspective (agreeing with the end-user

agreement and surrendering their right to private information), as well as from the child’s:

“if you’re a good kid, that’s just one more piece of privacy that you’re losing” (Personal

communication, 2017).

Gwen Morgan’s interview was a bucket of cold water to the face. Every time I chat with

her, she gives me nuggets of detail that are just fascinating, and this interview was no

different. We came down on completely different sides of the fence on whether Google

should process a woman’s request to be removed from their search engine in Case 6.

Surprisingly, I felt compelled to lean more towards the utilitarian viewpoint, though

deontological arguments asking “if everyone did it, is it still ethical” seem to apply as well.

Gwen answers these by noting “Google is the world’s biggest gossip” (Personal

communication, 2017). She feels as though they have outreached their morality in terms

of data manipulation. I can’t say that she’s entirely wrong, either. Ethics should be called

“the study of what’s both right and wrong at the same time.”

Finally, Khaled. I knew what I was getting into when I interviewed him, and I wanted his

unique perspective. Khaled would not allow me to divulge his entire name, as he feels this

document may at some point enter into the Internet ether and somehow become socially

engineered to reveal his identity. As he is in the business of catching cyber criminals, we

should probably listen to him, regardless of how paranoid it may seem! Khaled was able

to dissect several angles of Case 3 in the middle of answering questions. He saw

Facebook as no different than himself in terms of utilizing data prediction to accomplish


goals. Yet, at the same time, he sees the lack of morality in Facebook’s intent versus his

own: “I’m trying to fight crime and these assholes are out here trying to sell me a new car

the day I break up with my girlfriend.” (Personal communication, 2017). He has a valid

point. While I approached Case 3 with a rule utilitarian lens, weighing the consequences

of adopting a rule exemplifying that action that applies to everyone (Donaldson &

Werhane, 2008, p. 5), Khaled was decidedly Kantian in his response, speaking (candidly)

about his duty to his fellow man.

To me, the sum of these additional insights makes them more valuable than if they each

agreed with my perspectives without so much as an exchanged word. As Kant is quoted,

via Donaldson and Werhane (2008): “we can only know what a man thinks if he tells us

his thoughts, and when he undertakes to express them, he must really do so, or else

there can be no society for men” (p. 110). The purpose of conversation is to exchange

information, and if I am not learning anything other than what I already know, how ethical

am I acting toward myself?

With cyber security evolving at the speed of technology, perhaps the one approach that

was not discussed in this paper is the one that pairs best with this change velocity:

Dewey’s approach to pragmatism. As the lines of what are “good” and “right” blur at the same

rate as the line between technology and man, embracing an ethical philosophy

that eschews traditional boundaries for the achievement of a way of living that enables

ethical conduct (Donaldson & Werhane, 2008, p. 88) should be our goal. Pragmatism at

its base identifies ethical responses within the context of each situation, rather than

applying hard and fast tenets to all. Cyber security walks the fine line between privacy

versus security, generally requiring the application of context to define what is best for

any situation. Cyber security is also more of a framework and approach to securing data

and the people that utilize it. Therefore, it only makes sense to employ an ethical model

that is by its very definition, a pragmatic approach to framing ethical situations with the

goal of harmony for all involved. It is with this tool in the ethical toolbox, along with many

others I’ve found as a result of our course, that I will continue down my career path to

executive technology leadership with a steady compass to guide the way.


REFERENCES

1. Bartlett, C. (2015). A Violation of Privacy. Retrieved on February 20, 2017 from https://www.scu.edu/ethics/focus-areas/more/engineering-ethics/engineering-ethics-cases/a-violation-of-privacy/

2. Donaldson, T., & Werhane, P. H. (2008). Ethical issues in business: a philosophical approach. Upper Saddle River: Pearson/Prentice Hall.

3. Faxon, J. (2017, Feb). Personal interview.

4. Hypponen, M. (2011). Three types of online attack. [Video].

5. Kauffman, D. (2017, Feb). Personal interview.

6. Khaled. (2017, Feb). Personal interview.

7. Morgan, G. (2017, Feb). Personal interview.

8. Raicu, I. (2016). Data Collection: “Harvesting” Personalities Online. Retrieved on February 20, 2017 from https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/data-collection-harvesting-personalities-online/

9. Raicu, I. (2015). Removing a Search Result. Retrieved on February 20, 2017 from https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/removing-a-search-result-an-ethics-case-study/

10. Raicu, I. (2016). The “Goodbye Fears Monster”. Retrieved on February 20, 2017 from https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/the-goodbye-fears-monster/

11. Raicu, I. (2017). Targeting a Broken Heart. Retrieved on February 20, 2017 from https://www.scu.edu/ethics/focus-areas/internet-ethics/resources/targeting-a-broken-heart/

12. Tan, J. (2015). May the Truth be with You. Retrieved on February 20, 2017 from https://www.scu.edu/ethics/focus-areas/more/engineering-ethics/engineering-ethics-cases/may-the-truth-be-with-you/

13. von Solms, R., & van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102. Retrieved February 23, 2017 from http://www.profsandhu.com/cs6393_s16/solms-2013.pdf