James Landon Linderman
43.1 INTRODUCTION: THE ABCs OF COMPUTER ETHICS
43.1.1 Why an Ethics Chapter in a Computer Security Handbook?
43.1.2 How Much Time Do You Have for This Chapter?
43.2.1 Principle 1: Ethics Counts
43.2.2 Principle 2: Ethics Is Everybody's Business
43.2.3 A Test: Put Yourself in Another's Shoes
43.3.1 Principle 3: Stakeholders Dictate Ethics
43.3.2 Principle 4: Traditional Principles Still Apply
43.3.4 A Guideline Approach: Ask!
43.3.5 Another Guideline Approach: An Ethics Officer
43.4.1 Principle 5: Ethics Need Not and Should Not Be a Hassle
43.4.2 Principle 6: Ethics Policies Deserve Formality
43.4.3 Principle 7: Ethics Policies Deserve Review
43.4.4 Principle 8: Anticipate
43.4.6 An Approach: Stock Taking
In an information age, many potential misuses and abuses of information create privacy and security problems. In addition to possible legal issues, ethical issues affect many groups and individuals—including employees and customers, vendors, consultants, bankers, and stockholders—who have enough at stake in the matter to confront and even destroy an organization over ethical lapses. As is so often the case, consciousness raising is at the heart of maintaining control.
In this chapter, the term “ethics” refers to a system of moral principles that relate to the benefits and harms of particular actions and to the rightness and wrongness of motives and ends of these actions. The major sections cover principles of ethics, tests to help recognize ethical and unethical behavior, and approaches to help ensure good ethical conduct.
Section 43.2 requires only one minute to read, but it forms the foundation of this chapter and of a lifelong concern for one of the most important requisites of a valued career and of a civilized society. Ethics matters, and here are the ABCs:
Section 43.2 Awareness (a one-minute primer)
Section 43.3 Basics (a 10-minute summary)
Section 43.4 Considerations (a 100-minute study)
Section 43.5 Details (a lifetime of ongoing commitment)
The sections that follow distill some of the most important issues.
Increasingly, society is holding individuals and organizations to higher ethical standards than in the past; for example, in recent years, many countries have passed privacy legislation, conflict-of-interest restrictions for public officials, and full-disclosure laws for candidates for a variety of public offices. People, individually and collectively, really want to trust others. Two corollaries to the principle that ethics counts are:
In other words, good ethical behavior usually is appreciated by society, and bad ethical behavior almost always is frowned on and punished—sooner or later.
A second important principle is that good ethics flourishes best when everyone works at it, both in practicing good ethics and in holding others to do so. The reverse of this is also true: Those who practice bad ethics, or choose to ignore the bad ethics of others, are truly part of the problem. Ethics is inescapably everybody's business.
One of the best evaluators of whether certain behavior is ethical or not invites you to put yourself in the other person's shoes and ask the role-reversal question: “What if I were on the receiving end of the behavior in question?” This variant of the time-honored golden rule translates to “If I wouldn't like it done to me I probably shouldn't do it to others.”
One of the best guidelines to help ensure good ethical behavior is to let your stakeholders in on what you are doing or are about to do. Good ethics flourishes in the light of day; bad ethics ultimately relies on concealment. Disclosure buys you two forms of peace of mind: First, you're being openly honest; second, if others do not like it, you have at least given them the opportunity to express their concerns.
For example, consider organizational policy about managers reading employee e-mail. Almost any policy (anywhere from aggressive intervention to complete hands off) is likely to be ethical if and only if employees are made aware of it.
The expansion of Section 43.2 that follows elaborates on the basic principles enunciated there.
Stakeholders are defined as any individuals or groups with something at stake in the outcome of a decision. In the world of business, stockholders are almost always stakeholders; employees, customers, suppliers, and even competitors are often stakeholders too. How a decision harms or benefits stakeholders is a major ethical consideration. Effects on stakeholders are so important that the best place to start looking at the ethics of a decision is to identify stakeholders and just what it is they have at stake. Decisions will invariably affect individuals and groups, often in opposite ways: Some may stand to gain, others to lose or suffer. The effects and trade-offs raise the principal ethics concerns.
Recent generations are not the first to raise questions and develop ideas about ethics, although the concept of business ethics has been mocked as an oxymoron and only recently promoted in academia as a valuable area of study. High technology has complicated some issues, but these fundamental principles still apply:
The point is that even though modern technology has created new opportunities for unethical behavior and new motivations for good ethical behavior, it has not been necessary to develop new principles to deal with ethics. For example, many of the principles (including politeness) governing the behavior of door-to-door sales still apply to Internet push technology.
In Section 43.2.3, we suggested the “other's shoes test” as an excellent evaluator of whether certain behavior is ethical or not. Here we introduce three other tests. The first two are negative in the sense of suggesting that behavior is inappropriate; the third is positive and suggests that the behavior in question is ethical.
Section 43.2.4 endorsed disclosure as one of the best guidelines to help ensure good ethical behavior. This simply means letting your stakeholders in on what you are doing, or about to do. Having done so, it then becomes an appropriate guideline to ask those stakeholders for their permission (or acquiescence, or at least acknowledgment) before you proceed. This can be in the form of allowing stakeholders to opt out of certain policies. Many stakeholders prefer an opt-in approach rather than a default assumption of acceptability, particularly if that assumption is nonintuitive or otherwise obscure.
An example of this approach to ethical behavior is the legally enforced requirement in many countries to ask customers for permission to use their personally identifiable information for purposes other than the original defined functions. Typically, customers have either to opt out of information sharing or opt in to such use of their information.
In other cases, stakeholders such as employees or shareholders may disagree with the ethical implications of proposed actions. They can then argue against the proposals to the extent possible. The ultimate option for such stakeholders is to withdraw; employees can resign and shareholders can sell their shares. If the proposed actions are perceived as illegal, critics can become whistle-blowers and report the suspected illegality to law enforcement and regulatory officials.
Designating an individual to serve as a full- or part-time ethics officer in an enterprise is a powerful proactive way to help ensure good ethical behavior. Many large organizations now consider this a position on the top management team. But even small organizations can formally delegate such responsibilities on a part-time basis; they need not require much time and energy of the individual involved. In all cases, the common objectives include:
This section discusses some issues of management style in promulgating and enforcing ethics.
The last thing one wants with business ethics is hassle. An organization's ethics policies should not be obscure, complicated, onerous, or an obstacle to getting things done. The keys to avoiding hassles include:
Employees should not have to guess what constitutes acceptable behavior, nor should they be encumbered by anxiety, guilt, or fear. Individuals should be able to gain clarification on matters before, during, or after events without delay and without fear of being considered a nuisance. Questions about ethics issues deserve unbiased answers, without the presumption that there has been a breach of ethical conduct or that ulterior motives are involved.
Whenever an individual is uncomfortable with a situation or a potential situation, whether he or she is directly involved or not, and particularly if “whistle blowing” implicates others or even organizational policy, that discomfort needs to be addressed. Even if the individual is wrong and should not be concerned, the discomfort should be dispelled. If the individual is right and there is a legitimate concern, the organization should resolve the issue in a way that does not put the whistle-blower on the spot but rather indicates support for such disclosure.
Like other important policies, an organization's ethics policies deserve formality:
Anything less than the foregoing suggests confusion at best, and lip service at worst. Formality should not mean bureaucracy or piles of manuals. Consistent with the fifth principle of avoiding hassles, documentation should be brief and clear, and directed at simplifying matters rather than complicating them. The preparation and presentation of policies should reflect a process of thoughtful, high-priority consideration.
A corollary of this principle is peer participation. Policies that ultimately rely on organizational support are best developed and disseminated with peer involvement.
Perhaps the only thing as dangerous as ignorance when it comes to policy is complacency. This is as true of ethics policies as it is of any other organizational policy. In particular, to assume everyone in an organization is on board with policy is naive at best. Review offers a type of preventive maintenance whereby policies and their promulgation are reconsidered with an eye to improvement.
Any organizational policy requires subscription on the part of the members of the organization. Understanding of, and compliance with, any policy suffers a dangerous tendency to lapse when a policy simply gathers dust. Even an occasional mention and discussion of ethical issues or principles during meetings can breathe new life into old policy.
Just as a corollary of Principle 6 was peer participation in the formalization of policy, so is peer involvement a corollary of policy review. Such peer review not only facilitates fresh insights into policy, but the process itself represents a powerful educational opportunity.
Few people relish the prospect of a serious breach of organizational ethics, particularly if matters reach the point of embarrassing publicity or even legal action. It is better to contemplate the worst scenarios in advance rather than to deal with them without preparation and after the fact. Wishful thinking often deters an organization from including appropriate issues in formal policy. This must not be permitted to happen.
It is better to address tough issues head on than to take anything for granted. The two best ways of doing so are to:
Sometimes the other tests discussed (other's shoes, mom, eye-team, market) can result in fuzzy or ambiguous analysis. It may be hard to put yourself in someone else's shoes, especially if different individuals would have widely different reactions to your behavior. And sometimes your family and friends, the general public, or your customers could be neutral or divided in their reactions. The so-called smell test does not require quantitative or even qualitative estimations; it simply relies on your intuition as to whether the behavior in question “smells fishy.” In other words, if you catch yourself seeking justifications, or feel a bit uncomfortable even thinking about the implications, the ethics may be as bad or poor as they smell.
Where can an organization start with all this if it has not already done so? Things usually start with a concerned individual (you?) doing some stock taking and consciousness raising. Questions for you and others in your organization to consider follow. If you like the answers, then your organization is ethically aware. If you do not like the answers, your organization must deal with the issues you have uncovered.
For each of these questions, the issue of how one knows must be raised. Ambiguous, confusing, or unreliable knowledge of what is or is not going on should raise red flags of concern. Discomfort with such knowledge may be symptomatic of underlying problems with ethics.
The stock taking just suggested should translate into action steps for your organization. Here are a few suggested actions to get started.
As with security awareness, ethical awareness needs freshness and repetition.
One of the best ways for individuals and organizations to keep up with matters of good ethics is to spread the job around. Do not try to shoulder the effort alone; it will likely overwhelm any one individual, and collective thinking is valuable in these matters. Without abrogating individual responsibilities, charging the right person with the job of ethics officer will certainly help to keep the enterprise on an appropriate ethical course. A growing number of periodicals, both professional and of general interest, include articles involving ethics. Reading and then discussing them with your peers can be invaluable. Additionally, there has been an increase in the number of Web sites addressing ethical issues. See Section 43.6.
Keeping on top of organizational ethics is important because it is the right thing to do. Contemporary business practice embraces the idea of an extended value chain where entities such as customers and suppliers, traditionally seen as outside organizational boundaries, are now viewed as partners. Strategic alliances are being formed with these entities, and keeping business partners satisfied and confident is now a strategic necessity. Souring the relationship by a breach of ethics is completely inconsistent with sound business practices. Even if customers and suppliers are not formally viewed as business partners, they are still essential to doing business and are not to be taken for granted. At the very least, given the range of alternative choices available today, unfair exploitation and other forms of unethical practice expose an organization to outright abandonment.
Finally, in the spirit of total quality management, whereby everyone in the enterprise is seen to contribute to its success or failure, your enterprise can be said to be counting on you. The converse may also be true: Your job and your future career may well depend on the success of your enterprise. The good ethics of your organization reflect favorably on you and your colleagues, but bad ethics will have an opposite effect.
A list of a few books and Web sites follows that will be helpful to readers seeking further discussion of ethical decision making in general, and of ethics in business and high technology.
Australian Institute of Computer Ethics. www.businessit.bf.rmit.edu.au/aice/index.htm.
Barger, R. N. “In Search of a Common Rationale for Computer Ethics,” 1994; www.nd.edu/~rbarger/common-rat.html.
Computer Ethics Institute. www.computerethicsinstitute.org.
Cavazos, E., and G. Morin. Cyberspace and the Law: Your Rights and Duties in the On-Line World. Cambridge, MA: MIT Press, 1996.
Computer & Information Ethics Resources on Center for Applied Ethics, University of British Columbia. www.ethicsweb.ca/resources/.
Computer Ethics. “Cyberethics.” http://cyberethics.cbi.msstate.edu/.
Computer Ethics. “ThinkQuest.” http://library.thinkquest.org/26658/?tqskip=1.
Cyber Citizen Partnership. Information Technology Association of America (ITAA) & Department of Justice (DoJ). www.cybercitizenpartners.org/.
Cyberangels. www.cyberangels.org/.
Cyberspacers (kids' site). www.cyberspacers.com/home.html.
EpistemeLinks. Philosophy Resources on the Internet—Computer Ethics. http://tinyurl.com/33kduz.
Ethics and Information Technology (journal). www.springer.com/computer/programming/journal/10676.
Floridi, L. “Information Ethics: On the Philosophical Foundations of Computer Ethics.” Version 2.0, 1998; www.wolfson.ox.ac.uk/~floridi/ie.htm.
Forester, T., and P. Morrison. Computer Ethics: Cautionary Tales and Ethical Dilemmas in Computing. Cambridge, MA: MIT Press, 1990.
Institute for Global Ethics. www.globalethics.org/.
Johnson, D. O. Computer Ethics, 3rd ed. New York: Prentice Hall, 2000.
Kabay, M. E. “Hacker Tips Published in Wall Street Journal.” Network World Security Strategies, August 28, 2007; www.networkworld.com/newsletters/sec/2007/0827sec1.html.
Kabay, M. E. “Ethical Decision-Making: Identifying the Ethical Issue,” Network World Security Strategies, August 30, 2007; www.networkworld.com/newsletters/sec/2007/0827sec2.html.
Kabay, M. E. “Ethical Decision-Making: Using Formal and Informal Guidelines,” Network World Security Strategies, September 4, 2007; www.networkworld.com/newsletters/sec/2007/0903sec1.html.
Kabay, M. E. “Ethical Decision-Making: Principles, Rights and Duties, and Intuitive Cues,” Network World Security Strategies, September 6, 2007; www.networkworld.com/newsletters/sec/2007/0903sec2.html.
Kabay, M. E. “Incident Response: Don't Lie,” Network World Security Strategies, October 23, 2007; www.networkworld.com/newsletters/sec/2007/1022sec1.html.
Kallman, E. A., and J. P. Grillo. Ethical Decision Making and Information Technology: An Introduction with Cases, 2nd ed. New York: McGraw-Hill, 1996.
Lessig, L., D. Post, and E. Volokh. “Cyberspace Law for Non-Lawyers.” Published via e-mail, 1997; www.ssrn.com/update/lsn/cyberspace/csLlessons.html.
Online Ethics Center for Engineering and Science. http://onlineethics.org/.
Orlando, J., and M. E. Kabay. “Social Engineering in Penetration Testing: Cases,” Network World Security Strategies, October 25, 2007; www.networkworld.com/newsletters/sec/2007/1022sec1.html.
Project NEThics at the University of Maryland. www.inform.umd.edu/CompRes/NEThics/ethics.
Schumacher, P., and M. E. Kabay. “Social Engineering in Penetration Testing: Intimidation,” Network World Security Strategies, November 8, 2007; www.networkworld.com/newsletters/sec/2007/1105sec2.html.
Schumacher, P., and M. E. Kabay. “Social Engineering in Penetration Testing: Overload and Fascination,” Network World Security Strategies, November 13, 2007; www.networkworld.com/newsletters/sec/2007/1112sec1.html.
Spinello, R. Case Studies in Information and Computer Ethics. New York: Prentice Hall, 1996.
Tavani Bibliography of Computing, Ethics, and Social Responsibility, Mississippi State University. http://cyberethics.cbi.msstate.edu/biblio.
University of British Columbia Centre for Applied Ethics. www.ethics.ubc.ca.
Web Wise Kids. www.webwisekids.com/.