Karly Stinedurf

 What is Ethics?  The Ten Commandments of Computer Ethics  Frameworks/Standards of Ethics  Ethics and Education  Deterring Unethical Behavior  Organizational Liability  Managing Investigations in the Organization

 How humans ought to act  Rules we should live by  Willingness to do the right thing  A common understanding of what is appropriate behavior  Various definitions of what “ethical” behavior is, based on individual beliefs  Communities frame ethical choices  Important for Information Security professionals

 Pw0I Pw0I

 1. Don’t use computers to hurt others  2. Don’t interfere with other peoples use of computers  3. Don’t view the contents of other peoples computers without permission  4. Don’t steal using a computer  5. Don’t use a computer as a tool to fabricate information  6. Don’t illegally copy or use software  7. Don’t use a computer or computer-based resource without explicit permission or without paying for it  8. Don’t steal someone’s intellectual property  9. Don’t remain ignorant or unconscious to the effect that computers have on society as a whole and on those individuals using them  10. Don’t devalue humanity by using computers in ways that disrespect others

 Normative Ethics- the study of what makes actions right or wrong- how should people act?  Meta-ethics- the study of the meaning of ethical judgments and properties- what is right?  Descriptive ethics- the study of the choices that have been made by individuals in the past- what do others think is right?  Applied Ethics- approach that applies moral codes to actions drawn from realistic situations- how to define how we use ethics in practice  Deontological ethics- study of the rightness or wrongness of intentions and motives as opposed to consequences- define a person’s ethical duty

 Utilitarian approach- an ethical action is one that results in the most good, or least harm- links consequences to choices  Rights approach- the ethical action is one that best protects and respects the moral rights of those affected by the action  Fairness or justice approach- ethical actions are those that have outcomes that regard all human beings equally, or incorporate a degree of fairness  Common good approach- the complex relationships in society are the basis of a process founded on ethical reasoning that respects and has compassion for all others- common welfare  Virtue approach- ethical actions should be consistent with ideal virtues such as honesty, courage, compassion, generosity, tolerance, love, etc…

 Key factor in establishing ethics in an organization  InfoSec employees may not know what is unethical in a technical situation  Scenarios should be used to simulate practical situations  Creates low-risk, ethical employees

 A student at a university learned to use an expensive spreadsheet program in her accounting class. The student would go to the university computer lab and use the software to complete her assignment. Signs were posted in the lab indicating that copying software was forbidden. One day, she decided to copy the software anyway to complete her work assignments at home.  A student suspected and found a loophole in her university’s computer security system that allowed her to access other students’ records. She told the system administrator about the loophole, but she continued to access other records until the problem was corrected two weeks later.

 MTT28 MTT28

 Three categories of unethical behavior in organizations:  Ignorance- not knowing the law  Accident- making a mistake  Intent- criminal/unethical state of mind  Three methods of deterrence:  Fear of penalty  Probability of being caught  Probability of penalty being administered

 Liability- an entity’s legal obligation  Liability for an action can lead to restitution or payment  An organization increases liability when it refuses to take proper measures to ensure ethical behavior  Due diligence  Long-arm jurisdiction

 Internal investigations regarding computer ethics are often completed using digital forensics  Has to be substantial evidence to take action  Documenting, preserving, identifying, and extracting evidence  Digital forensics is used for two purposes related to ethics:  To investigate allegations of digital malfeasance  To perform root cause analysis

 When investigators discover evidence they should notify management and recommend contacting law enforcement  Organization approaches to digital forensics  Protect and forget  Apprehend and prosecute

 Whitman, M. E. Mattord, H. J. (2014) Management of Information Security. (4th ed.) Stamford, CT: Cengage Learning.