III. Ethics and Professionalism

There are several ways of identifying and deciding ethical issues. One of the most common ways of categorizing these approaches is the rules vs. consequences criteria. The first argues that our actions should be guided by general rules or principles: do not harm; tell the truth; do not steal; respect for persons. The second argues that we should assess the “rightness” of an action or decision by the consequences that will likely result. Most commonly the second approach identifies some “value” or values, and measures the actions by the extent to which these values are or are not enhanced, or progress made toward certain goals, such as a better life for all.

On reflection is should be clear that there is no consensus about which of these is the more appropriate.

The foundation of all security systems is formed by moral principles and practices of those people involved and the standards of the profession. That is, while people are part of the solution, they are also most the problem. Security problems with which an organization may have to deal include: responsible decision making, confidentiality, privacy, piracy, fraud & misuse, liability, copyright, trade secrets, and sabotage. It is easy to sensationalize these topics with real horror stories; it is more difficult to deal with the underlying ethical issues involved.

A. Ethics

1. Ethics and Responsible Decision-Making

The foundation of all security systems is formed by moral principles and practices of those people involved and the standards of the profession. That is, while people are part of the solution, they are also most the problem. Security problems with which an organization may have to deal include: responsible decision making, confidentiality, privacy, piracy, fraud & misuse, liability, copyright, trade secrets, and sabotage. It is easy to sensationalize these topics with real horror stories; it is more difficult to deal with the underlying ethical issues involved.

The student should be made aware of his individual responsibility in making ethical decisions associated with information security.

2. Confidentiality & Privacy

Computers can be used symbolically to intimidate, deceive or defraud victims. Attorneys, government agencies and businesses increasingly use mounds of computer generated data quite legally to confound their audiences. Criminals also find useful phony invoices, bills and checks generated by the computer. The computer lends an ideal cloak for carrying out criminal acts by imparting a clean quality to the crime.

The computer has made the invasion of our privacy a great deal easier and potentially more dangerous than before the advent of the computer. A wide range of data are collected and stored in computerized files related to individuals. These files hold banking information, credit information, organizational fund raising, opinion polls, shop at home services, driver license data, arrest records and medical records. The potential threats to privacy include the improper commercial use of computerized data, breaches of confidentiality by releasing confidential data to third parties, and the release of records to governmental agencies for investigative purposes.

The basic law that protects our privacy is the Fourth Amendment to the United States Constitution, which mandates that people have a right to be secure in homes and against unreasonable search and seizure. In addition, many laws have been enacted to protect the individual from having damaging information stored in computerized databases.

3. Piracy

Microcomputer software presents a particular problem since many individuals are involved in the use of this software. Section 117 of the copyright laws, specifically the 1980 amendment, deals with a law that addresses the problem of backup copies of software. This section states that users have the right to create backup copies of their software. That is, users may legally create a backup copy of software if it is to be held in archive. Many software companies provide a free backup copy to users that precludes the need for to users purchase software intended to defeat copy protection systems and subsequently create copies of their software. If the software purchased is actually leased, you may in fact not even be able to make backup copies of the software. The distinction between leasing and buying is contained within the software documentation. The copyright statement is also contained in the software documentation. The copyright laws regarding leased material state that the leasor may say what the leaseholder can and cannot do with the software. So it is entirely up to the owner of the software as to whether or not users may make backup copies of the software. At a time when federal laws relating to copyright protection are evolving, several states are considering legislation that would bar unauthorized duplication of software.

The software industry is prepared to do battle against software piracy. The courts are dealing with an increasing number of lawsuits concerning the protection of software. Large software publishers have established the Software Protection Fund to raise between $500,000 and $1 million to promote anti-piracy sentiment and to develop additional protection devices.

4. Fraud & Misuse

The computer can create a unique environment in which unauthorized activities can occur. Crimes in this category have many traditional names including theft, fraud, embezzlement, extortion, etc. Computer related fraud includes the introduction of fraudulent records into a computer system, theft of money by electronic means, theft of financial instruments, theft of services, and theft of valuable data.

5. Liability

Under the UCC, an express warranty is an affirmation or promise of product quality to the buyer and becomes a part of the basis of the bargain. Promises and affirmations made by the software developer to the user about the nature and quality of the program can also be classified as an express warranty. Programmers or retailers possess the right to define express warranties. Thus, they have to be realistic when they state any claims and predictions about the capabilities, quality and nature of their software or hardware. They should consider the legal aspects of their affirmative promises, their product demonstrations, and their product description. Every word they say may be as legally effective as though stated in writing. Thus, to protect against liability, all agreements should be in writing. A disclaimer of express warranties can free a supplier from being held responsible for any informal, hypothetical statements or predictions made during the negotiation stages.

Implied warranties are also defined by the UCC. These are warranties that are provided automatically in every sale. These warranties need not be in writing nor do they need to be verbally stated. They insure that good title will pass to the buyer, that the product is fit for the purpose sold, and that it is fit for the ordinary purposes for which similar goods are used (merchantability)..

6. Patents and Copyright Law

A patent can protect the unique and secret aspect of an idea. It is very difficult to obtain a patent compared to a copyright (please see discussion below). With computer software, complete disclosure is required; the patent holder must disclose the complete details of a program to allow a skilled programmer to build the program. Moreover, a United States software patent will be unenforceable in most other countries.

Copyright law provides a very significant legal tool for use in protecting computer software, both before a security breach and certainly after a security breach. This type of breach could deal with misappropriation of data, computer programs, documentation, or similar material. For this reason the information security specialist will want to be familiar with basic concepts of to copyright law.

The United States, United Kingdom, Australia, and many other countries have now amended or revised their copyright legislation to provide explicit copyright laws to protect computer program. Copyright law in the United States is governed by the Copyright Act of 1976 that preempted the field from the states. Formerly, the United States had a dual state and Federal system. In other countries, such as Canada, the courts have held that the un-revised Copyright Act is broad enough to protect computer programs. In many of these countries the reform of copyright law is actively underway.

7. Trade Secrets

A trade secret protects something of value and usefulness. This law protects the unique and secret aspects of ideas, known only to the discoverer or his confidants. Once disclosed the trade secret is lost as such and can only be protected under one of the following laws. The application of trade secret law is very important in the computer field, where even a slight head start in the development of software or hardware can provide a significant competitive advantage.

8. Sabotage

The computer can be the object of attack in computer crimes such as the unauthorized use of computer facilities, alternation or destruction of information, data file sabotage and vandalism against a computer system. Computers have been shot, stabbed, short-circuited and bombed.

B. Laws and Legislation

The types and numbers of security laws and legislation at all governmental levels are expanding rapidly. Often, we forget that such legislation may affect each of us, as well as the organization. For more information see module four: “Information Systems Security Laws and Legislation”.

The following items should be discussed in terms of both Ethics and Law. Where do Ethics and Law converge? Are they the same? The foundations of all secure systems are the moral principles and practices and the professional standards of all employees of the organization, i.e., while people are part of the solution, they are also most of the problem. The following issues are examples of security problems which an organization may have to deal with:

C. Professionalism

Students should be encouraged to become involved professionally while they are in school and to continue their professional involvement throughout their career. Several societies and professional organizations are concerned with security, including:

  • The Computer Security Institute
  • Computer Professionals for Social Responsibility
  • Data Processing Management Association
  • Security Management Magazine
  • Licensing and Certification

a. Institute For Certification of Computer Professionals

b. IISSCC (ISC2)

In addition, there are two government agencies actively involved in the professionalism. The first is the National Computer Security Center that hosts the National Computer Security Conference each year. The second is NIST that has an outreach charter. Discuss Costs and benefits of professional participation.

NIATEC National Science Foundation Information Assurance Directorate Department of Homeland Security CISSE Scholarship For Service