Slide 1 - McGraw Hill Higher Education

Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 16
Information Ethics and
Codes of Conduct
McGraw-Hill/Irwin
Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Objectives

 Explain the role of ethics in information assurance
 Identify the fundamental elements of a professional code of conduct
 Define and apply an ethical system

16-2
Ethics

 Information practitioners need guidance in correct behavior
 Especially essential because the commodity is abstract and information assurance professionals have unprecedented access
 Anonymity, intangibility, and evolution of the technology increase ethical grey areas
 Technological advances usually come without ethical instructions
 Ethical violations of cyberspace occur regularly without widespread recognition or response
• Nobody has thought through what a particular capability or activity represents in terms of right and wrong

16-3
What is Ethics?

 A global term describing the system by which individuals distinguish right from wrong
 Ethical systems describe the duties and behaviors commonly considered correct for a given circumstance
• Documented by an ethical guideline that aids in behavior evaluation and serves as a framework to judge behavior
 Ethics benefit information assurance because they are applied morality
• They are logical assumptions about how moral principles should be applied in practice
• They represent an understanding of what is morally correct
• They become legal systems when the morality they capture is formalized into law

16-4
Ethics and Information Assurance

 Although abstract, the requirement for an ethical system is a critical part of information assurance
 Ethics establishes the foundation of group trust and trustworthiness
 Policies should be formulated based on the ethical values of the organization while not contradicting the principles of individuals
 An established ethical standard guides the preservation of confidentiality, integrity, and availability
 The ethical standard must be clearly articulated and understood throughout the organization

16-5
Ethics and Technology

 Technology has advanced at a rate that exceeds society’s ability to decide about its appropriateness
 The data-mining industry is an example of organizations operating without an ethical compass
• Privacy concerns and the question of the ethics
 More grey areas are likely to develop
 Without ethical guidance it is difficult to expect effective control of information workers’ behavior
 It is essential for the information profession to consider, adopt, and use ethical guidelines

16-6
Practical Ethical Systems: Enforcing Proper Individual Behavior

 A communal set of values provides the framework to ensure that individual decisions reflect the group’s common ethical principles
 It assumes that all actions that constitute unacceptable behavior can be recognized
 Group values have to be formally documented
 Formal documentation of the values is an ethical code of conduct
 The ethical code of conduct is the organization’s standard of behavior
 Codes of conduct dictate the duties and obligations of individuals relative to group norms

16-7
Enforcing Behavior Norms: Aligning Personal and Group Perspectives

 Group norms are the measuring stick for evaluating individual behavior
 Formally documented codes of conduct dictate the minimal moral tone and actions of an organization
 Ethical systems delineate the correct choices for individuals relative to the group norms
 Properly designed ethical systems always provide a concrete reference for decision making as well as an explanation of the consequences of deviation
 In practical applications of codes of ethics, an explicit enforcement mechanism is a necessity

16-8
Ensuring Professional Conduct

 Professional codes of conduct define the values and beliefs of a profession
 They communicate the formal models that make up the norms a group has chosen to adopt
 Those models are based on each organization’s understanding of correct professional behavior
 Professional codes of conduct are essential in information assurance because they cover a broad range of fundamental concerns raised by the ever-increasing and changing technology

16-9
Establishing a Basis: Formal Codes of Conduct for Cyberspace

 A formal code for cyberspace was published in 1989, sponsored by the Network Working Group of the Internet Activities Board (IAB)
 To reinforce its authority in the area, the IAB was renamed the Internet Architecture Board in 1992
 The IAB directive “Ethics and the Internet” (RFC 1087) outlines five principles, which state that it is unethical:
• To seek to gain unauthorized access to the resources of the Internet
• To disrupt the intended use of the Internet
• To waste resources through such actions
• To destroy the integrity of computer-based information
• To compromise the privacy of users

16-10
Establishing a Basis: Formal Codes of Conduct for Cyberspace

 Organized religion has even weighed in on the ethical use of the Internet
• Personal responsibility in governing acceptable use
 National bodies that have established formal codes of conduct:
 The Association for Computing Machinery (ACM)
 The Institute of Electrical and Electronics Engineers (IEEE)
• These codes are specific to the profession
• They communicate the ethical responsibility of information professionals to perform their duties in a capable manner
• They set the minimum expectations with respect to the level of capability required
• They serve as a basis for judging whether that standard has been adequately met

16-11
Establishing a Basis: Formal Codes of Conduct for Cyberspace

 Professional societies that stipulate codes of ethical practice:
 The Information Systems Audit and Control Association (ISACA)
 The International Information Systems Security Certifying Consortium (ISC)²
 The SANS Institute
 Concern: there is not a single universally recognized code of conduct for the information assurance profession

16-12
Certification: Ensuring Professional Capability

 Certification is a method of identifying individuals committed to ethical behavior
 It establishes a standard level of professional competence
 Certifications are based on a number of representative common bodies of knowledge (CBK)
• No single system guarantees that the practitioner responsible for protecting an organization’s information is competent
• There are few formally agreed-on definitions of the knowledge or competencies
 Certification that attests to an individual’s ability to think critically about an identified problem space provides the most valid proof of competence

16-13
Certification: Ensuring Professional Capability

 Determining the value of a certification:
• How long has the certification been in existence?
• Does the certification organization’s process conform to established standards?
• How many people hold the certification?
• How widely respected is the certification?
• Does the certificate span industry boundaries?
• What is the probability that 5 or 10 years from now, the certificate will still be useful?
• Does the certification span geographic boundaries?
• Does the certification require attestation to a defined ethical behavior?

16-14
Information Ethics

 Deals with the ethical questions that relate to the use of information assets
 Explores and evaluates the development of ethical principles in information assurance
 Examines ethical concepts that support information assurance theory and practice, as well as their relevance to everyday information security work
 A timely and important area because:
• The traditional philosophical frame of reference is out of date
• Information technology has extended capabilities beyond traditional moral and philosophical realms
• Information technology has extended capabilities beyond the precedents and principles of our legal system

16-15
Information Ethics

 Four areas where guidance about ethical behavior should be provided:
 Invasion of privacy
 Unauthorized appropriation of information
 Breach of confidentiality
 Loss of integrity

16-16
Invasion of Privacy

 Invasion of privacy is a common violation
 It is the act of obtaining information to breach an individual’s reasonable expectation of privacy
 Legally, the Bill of Rights does not guarantee a right to privacy from other individuals except in specific cases

16-17
Invasion of Privacy

 Ethics of invading your privacy for profits: the data mine
 Data aggregation and data mining augment an organization’s ability to understand its customers better
• These methods may intrude too far into personal lives
 Other instances of intrusion:
• Placing tracking cookies surreptitiously on computers
• Credit-monitoring services
• Telephone tapping
 The solution is to build an understanding across society and grapple with the essential questions:
• What is the limit to the acquisition and use of knowledge by institutions?
• What can other people know without violating your privacy?

16-18
Invasion of Privacy

 Invading the privacy of your employees
 An employer may reasonably monitor its employees
• It is implied that people who come to work have sacrificed some of their rights to privacy for the good of the organization
• The organization has an unstated right to oversee employee behavior and communications on the job
• More subtle activities that are not violations if used within the scope of work:
• Keylogging of employees
• Observing them through workplace video cameras and closed-circuit television

16-19
Unauthorized Appropriation

 Unauthorized appropriation: use of a computer to obtain something under false pretenses
 A crime if an item of concrete value is taken
 An ethical compromise where the value is either intangible or cannot be estimated
 Typically takes place when another person’s intellectual property is either stolen or misused
 Misappropriation of intellectual property presupposes that an identified piece of intellectual property exists

16-20
Ethics of Confidentiality

 Breach of confidentiality can be intentional or unintentional
 Disclosure of private information is a matter of civil and even criminal liability in some states
 Two well-known examples of the way the federal legal system addresses breach of confidentiality:
 Health Insurance Portability and Accountability Act (HIPAA)
• The first comprehensive federal protection for the privacy of personal health information
 Family Educational Rights and Privacy Act, 1974 (FERPA)
• Limits the personal information that educational institutions can release to the public

16-21
Ethics of Integrity

 Integrity implies that the information is correct
• Information has not been accidentally or maliciously altered or destroyed
 The ethical issue can be characterized by a legal term, “false light”
• A circumstance where information that is being kept either is false or harmfully misrepresents something about the individual

16-22
Ethics of Integrity

 Unintentional errors
 Represented by incorrect or missing values
 Ethical response to the inevitable inaccuracy:
• Error-trapping functions in the system
• Embedding rigorous audit and control mechanisms
 Intentional errors
 Sources:
• Insider who alters data to portray the facts of a given situation incorrectly
• Insider who accepts and records incorrect information
• Outsider who hacks into the system in order to change the integrity of its data

16-23
Ethics of Integrity

 Exercising due care
 Characterized by a careful attention to detail in the process of:
• Designing
• Assessing
• Updating
• Monitoring data and systems
 A statement of due care
• To protect the organization from liability concerns as well as to ensure good ethical practice

16-24