The information in this learning resource applies to a broad spectrum of career fields and professions. Our focus, however, is the application of the principles of ethics when working as a cybersecurity professional, whether in a paid or unpaid (volunteer) capacity. We address ethics and ethical decision making in this project because individuals, businesses, and governments have ethical obligations, including the obligation to protect information from unauthorized disclosures such as data breaches, theft, espionage, etc. (Steen, 2013). These ethical obligations apply to how information is collected, processed, stored, used, and transmitted. Such information may be gathered about citizens, subjects, customers, employees, vendors, competitors, and society in general. Cybersecurity professionals also have ethical obligations with respect to the use of an organization's assets and responsibilities to protect those assets from harm or loss.
There are several ethical principles that cyber professionals must be aware of and that they should practice as they perform their work. The first principle is the obligation to put forth one’s best efforts in a principal-agent relationship (Principal and Agent, 2018). The contract or cooperative agreement between the client and the consulting services provider (organization) defines the specifics of the relationship between these two parties. The client is the principal and the organization is the agent. Cyber professionals may, at times, take on the role of agent when they are performing work as an unpaid volunteer consultant contributing expertise under a pro bono relationship. In general, the agent performs actions on behalf of the principal and those actions are governed by (a) the contract, (b) the ethical standards of the profession (ISC2, 2021), and (c) society at large (Reynolds, 2018).
The concept of duty or obligation arises from Kantian ethics (Misselbrook, 2013) and includes our second set of ethical principles. Kant’s approach to ethics was one of reason and reasoned thought. The approach focuses on the individual’s actions in response to duty as the determinant of rightness or wrongness. Ethicists describe this type of ethics as deontological. The universal principle embedded in Kant’s theory of ethics is that the highest duty is the duty to respect others’ humanity. It is from this duty that we derive the duty of care in the performance of a consultant’s work. Duty of care can be extended to include duty to inform, which is an obligation to provide information that allows an individual, in this case a client, to make decisions based on adequate information. Within the cybersecurity profession, duty to inform includes informing clients that certain actions or failure to perform actions may increase risk, which could result in significant harm to the client’s organization (ISC2, 2021).
Utility Theory (Utilitarianism)
A third set of ethical principles that consultants must be aware of is utilitarianism (utility theory) and its subbranches, act-utilitarianism and rule-utilitarianism (Quinn, 2009). Utilitarianism is the branch of ethics that focuses on the outcomes of a person’s actions as the determinant of rightness or wrongness. Under utilitarianism, the right decision is the one that results in the greatest good for the greatest number of people. Act-utilitarianism judges rightness by looking at the net effect of the outcome of a decision. Jeremy Bentham framed this as “The greatest good for the greatest number of people.” In contrast, rule-utilitarianism holds that the way to achieve the greatest good is by adopting good rules and then following those rules when making decisions.
In cybersecurity, the profession tends to rely more on a rule-utilitarian approach to achieve goodness or beneficial outcomes. We adopt and implement standards and guidelines that define actions, which results in greater, more robust security that protects assets and infrastructures. The profession also uses the act-utilitarian approach. For example, a decision to allocate budget to purchase network defense hardware may require that the organization delay or defer upgrading workstations for some employees. Defending the network would be judged as benefiting the organization as a whole, while upgrading workstations would be judged as benefiting a smaller number of employees. A consultant may need to apply both the rule-utilitarian approach and the act-utilitarian approach to justify recommended solutions to a client. Neither approach is inherently right or wrong. What is important is that decision makers understand how their ethical perspectives influence their choices.
Normative Business Ethics
Our fourth set of ethical principles—normative business ethics—work hand in hand with duty and utility (Smith & Hasnas, 1999). These normative principles set standards for ethical behavior that are specific to businesses and similar organizations. These principles focus our decision making on “who” when calculating benefits or harm (for example, when for performing a cost-benefit analysis for various options or choices). You may already be very familiar with these approaches to decision making: stakeholder theory, stockholder theory, and social contract theory. We also need to consider the principles of equality, equity, and egality as they apply to the impact of decisions upon individuals and groups. Let’s take a deeper look at each of these approaches and how they can be applied to decision making for cybersecurity.
Stakeholders are a collection of individuals and groups who have a stake, or vested interest, in the outcomes of a decision. Stakeholders are those who will be impacted—for good or for worse—by that decision (Donaldson & Preston, 1995; Smith & Hasnas, 1999). In the context of a company or business, stakeholders may include owners, executives and managers, and employees of a business or organization. Insurance companies, banks (lenders), and other financial institutions may also be stakeholders, depending on the type of decision under consideration. Stakeholder groups may also include customers, contractors, and vendors who do business with the company or organization. In making determinations of benefit and harm, the decision makers may need to consider how much of a stake each group of stakeholders has and how much importance their wants and needs should be given when calculating a cost-benefit analysis or determining which choices should be selected prior to making a decision.
Stockholders are those who have an ownership interest in the company (Smith & Hasnas, 1999). In a sole proprietorship, there is a single owner. In a partnership, there are multiple owners and the partnership agreement defines the percentage of the company that is owned by each individual partner. In a stock corporation, whether publicly or privately held, each unit of stock represents ownership of a portion of the corporation. Under stockholder theory, the rightness of a decision is measured by the potential benefit or harm that could occur and impact the stockholder’s financial interests in the company. For example, failure to comply with a law or regulation could result in a fine that must be paid by the company. Ultimately, the owners of the company will receive lower returns on their invested capital (money) because of this avoidable cost. Under Stockholder Theory, the correct or right choice would be to avoid the unnecessary expense (the fine) by complying with the law or regulation.
Social Contract Theory
Social contract theory has two main parts—the government and the governed (society) (Smith & Hasnas, 1999). A social contract is a tacit agreement among members of society about standards for acceptable behavior (actions) and is implemented through governmental actions such as policies, laws, and regulations. The rightness of an individual’s action is determined by compliance with societal norms, including those norms which require that all members of society follow the rule of law.
For a business, the social contract establishes expectations and requirements for how the business will interact with society and applies to all actions which impact the society in which the business operates. How it treats customers, how it treats employees, how it treats the land and other resources that are shared with residents of the surrounding area—these are some types of decisions and behaviors that social contract theory guides.
Fairness and Justice: Equality, Equity, and Egality
The concepts of equity, equality, and egality can be used in a policy-making context to evaluate policy-based solutions to business problems. However, it can be difficult to distinguish between equality, equity, and egality. (Oppenheim (1970) provides a comprehensive examination of these principles and their interrelationships.) Equality is focused more on opportunity to benefit than actual outcome or received benefit. Everyone receives the same opportunity to benefit, but the outcomes are dependent upon how that opportunity is used or acted upon. Equity is needs based. Everyone receives opportunity to benefit based upon their needs or their starting point, with the goal of maximizing the sameness of outcomes. Egality is when everyone receives exactly the same benefits or outcomes.
When making decisions, especially when allocating resources, questions of fairness can arise (Oppenheim, 1970; Quinn, 2009). How do we determine what is fair? Is equal the same as fair? Whose definitions of fairness should be accepted and used? We find some answers to this in John Rawls’s principles of justice, which Rawls proposed be used to extend society’s social contract (Quinn, 2009). These principles require that all members of society have a fair and equal opportunity to benefit. But, in some circumstances, an egalitarian solution where everyone gets the same is a better or more ethical solution. And, sometimes, fairness is more appropriately defined by considerations of equity or a needs- based solution. Here is an example where three different solutions for deploying firewalls throughout an enterprise have been proposed. Without factoring technical considerations, which solution would you consider to be the most ethical? Why?
|Proposed Alternative Solutions for Network Defense Problem||Principle|
|1. Every network segment gets a firewall (benefit) that costs the same (equality of opportunity) but may have differing features or capacities (differing outcomes).||Equality|
|2. Every network segment gets a firewall (benefit) capable of handling its projected peak load (need). Cost is not a primary consideration.||Equity|
|3. Every network segment gets the exact same model firewall (benefit). (Equal inputs giving equal benefits)||Egality|
Which solution would you have chosen before reading about equality, equity, and egality? Would your decision be blind to the “who”? Would you choose solution 3 and buy the most affordable firewall that meets the minimum, or “average” performance requirements? What if one network segment was for the business office of a hospital (which needs to transmit claims to insurance companies) and another network segment was for the radiology department (which needs high bandwidth to send images to offsite doctors for analysis)? Does this additional knowledge change your decision? Does it change the ethics or goodness of your choice? Consider this: if the person making the technology recommendations was not aware of the differential needs of these two departments, the outcome of the firewall selection process might significantly and adversely impact patient care.
There is one final thing to be aware of: when ethics labels are attached, those labels may affect and possibly change the decision maker’s choices. If you are going to make arguments based on your judgment about whether a choice would have ethical or unethical outcomes, it is important to provide appropriate and well-researched business cases. The person making recommendations must understand the rationale behind the recommendations (what requirements set was used) and ensure that rational decision-making processes are applied, including performing a cost-benefit analysis to support financial decisions.
As cybersecurity professionals, we must act in ethical ways and apply the principles of ethics in our decision making. But we also need to be aware that the language of ethics can be off-putting in a discussion of business matters. How we communicate information is as important as what we mean to say or the reasons why we hold certain opinions or make certain choices. Using terms such as cost-benefit analysis and fairness may be better received than using the underlying theoretical terms, e.g., utilitarianism and equality, equity, or egality.
Before we end our discussion of ethics and decision making, we need to address the problem of negligence, or failure to apply prudence or adequate care when performing work for a client or employer (Quinn, 2009; Reynolds, 2018). The concept of negligence is an outgrowth of duty ethics. A determination of negligence requires examination of the outcomes of actions. Intention may be considered as a mitigating factor, but intent to do good does not excuse harmful results. Negligence arises when an individual’s actions do not meet professional standards of performance or otherwise fail the reasonable person test. In the context of the consulting engagement, we must consider the possible outcomes or results of an action in the performance of one’s duties. The consultant must ensure that their actions will not result in an accusation of negligence, since such matters are actionable under civil law and could result in a lawsuit with damages awarded to the harmed party (e.g., the client). Terms related to negligence include the following:
- malfeasance—intentional or deliberate actions which are wrong or against the law
- misfeasance—doing a “right” action but in a manner than results in harm
- nonfeasance—intentionally not taking an action required by law which results in harm
Cite this resource as the following:
King, V., & DeGrazia, B. (2022). Ethics and ethical decision making—a CYB 670 learning resource. Adelphi, MD: University of Maryland Global Campus.
Donaldson, T. & Preston, L. E. (1995). The stakeholder theory of the corporation: Concepts, evidence, and implications. The Academy of Management Review, 20(1), 65–91.
ISC2. (2021). Code of ethics. https://www.isc2.org/ethics
Misselbrook, D. (2013). Duty, Kant, and deontology. British Journal of General Practice, 63(609). https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3609464/
Oppenheim, F. E. (1970). Egalitarianism as a descriptive concept. American Philosophical Quarterly, 7(2), 143–152. http://ezproxy.umgc.edu/login?url=https://www.jstor.org/stable/20009343
Principal and Agent. (2018). Funk & Wagnalls New World Encyclopedia, 1. http://ezproxy.umgc.edu/login?url=https://search.ebscohost.com/login.aspx?direct=true&db=funk&AN=pr134600&site=eds-live&scope=site&profile=edsebook
Quinn, M. (2009). Ethics for the information age (3rd ed.). Pearson Education.
Reynolds, G.W. (2018). Ethics in information technology (6th ed.). Cengage Learning.
Smith, H. J., & Hasnas, J. (1999). Ethics and information systems: The corporate domain. MIS Quarterly, 23(1), 109–127. https://doi-org.ezproxy.umgc.edu/10.2307/249412
Steen, M. (2013, February 1). Cyber security and the obligations of companies. Markkula Center for Applied Ethics at Santa Clara University. https://www.scu.edu/ethics/focus-areas/business-ethics/resources/cyber-security-and-the-obligations-of-companies/