Day 16 - May 16 - Ethics in Cybersecurity

  • Elizabeth Rasnick
  • May 19, 2023
  • 2 min read

This morning I gave a talk about ethics and cybersecurity to the Northwest Florida chapter of the Association of Certified Fraud Examiners. They were having professional training and wanted to include a session on ethics. I find this proactive approach incredibly refreshing and was happy to serve. Here is some of what we discussed this morning.


Ethics play a central role in cybersecurity. Security, of any kind, is protection against harm. A sense of security requires trust in that protection. Wherever trust is present, ethics guide how that trust is established and maintained. Breaches of trust damage our belief in our infrastructures, our systems, and society itself.


In the cybersecurity field, we abide by multiple layers of ethics. We adhere to the ethical codes of our certifying organizations ((ISC)², CompTIA, EC-Council, etc.), our professional associations (WiCyS, ISACA, AFCEA, etc.), and our workplaces (UWF, Google, the State of Florida, etc.). Ethics are taken very seriously in cybersecurity, as they should be. Many of the certifying organizations will revoke the certifications of anyone who breaches their code of ethics.


Remember the CIA triad from Day 2? Here it is again. A violation of any one of those three pillars constitutes a breach of trust. Confidentiality is violated when anyone other than those authorized to access the data gains access to it. In September 2022, Morgan Stanley Smith Barney LLC was ordered by the SEC “to pay $35 million for failing to appropriately protect the records and information of 15 million customers.” This case shows that even the courts take such violations seriously. Compromises of data integrity and accessibility are addressed similarly by the courts.


This brings us to an interesting distinction between laws and ethics. Laws are controls on human behavior that vary by municipality, potentially carry penalties, and are enforceable by courts. Ethics are aspirations for human behavior: participation is optional and enforcement is limited. We should nonetheless expect the custodians of our data and networks to behave in an ethical manner, because that is the higher standard.

Ethics need to be taken seriously and discussed on a regular basis. Having someone read and sign a code of ethics once, never to be revisited, belittles its value. If we truly want our ethics to carry weight in our everyday lives, we need to have regular discussions about them and about the challenges to them that we face.
