Cybersecurity ethics grows in urgency as the digital landscape continues to transform society. What should cybersecurity professionals — the front-line defense against threats — know about cybersecurity ethics?
Cybersecurity capabilities have improved thanks to advancements in security technology and heightened awareness of threats. At the same time, however, cybercriminals have become more sophisticated in identifying and attacking weak points. For example, phishing, one of the oldest cybercrimes, dating back to the 1990s, continues to expand as a threat. Security firm Lookout reports that the rate of mobile phishing was highest in 2022. Also, phishing was one of the most common attacks used in internet crimes, causing more than $4 billion in losses, in 2020, according to the FBI.
Cybersecurity ethics takes center stage as cybersecurity professionals vie for an edge over criminals. Understanding the ethical implications of their work and choices is crucial to helping cybersecurity professionals balance security with other societal values.
Ethics defines right and wrong actions in specific situations and is fundamental to society. In the cyber realm, ethics serves as a guidepost for cybersecurity professionals. It helps identify the type of online behavior and conduct that harms individuals and businesses.
Ethical principles are what separate cybersecurity professionals from hackers. For example, while the latter tries to steal data, the former tries to protect it. When hackers access data, they use it for nefarious purposes. On the other hand, cybersecurity professionals, who have access to the same data, use their skills to ensure that the data’s safe and secure.
From data breaches to deepfakes, cybersecurity professionals deal with many threats. These unethical online activities have a profound impact on people and business. For example, a hacker may steal a company’s data, an act that can compromise customer data. A cybercriminal can then take that data and sell it on the dark web. Cybersecurity is vital to preserve privacy and guard against identity theft.
Cybersecurity also protects people from cybercrimes such as financial fraud. For example, consumers exchange their data with banks and financial institutions when conducting online banking. Cybersecurity helps secure financial transactions, safeguarding bank accounts and credit card information.
A breach can also disrupt regular business operations and inconvenience customers and employees — or even put regional or national infrastructure at risk. In urgent settings, such as hospitals, attacks on computer networks can harm people and impact their health.
Organizations hire cybersecurity professionals to protect their sensitive information from cyber threats, and hiring decisions for cybersecurity roles don’t come lightly. Frameworks for cyber ethics and codes of conduct may vary by organization. What’s the same is that employers look to hire trustworthy professionals with a strong ethical compass because cybersecurity professionals have access to the same data that cybercriminals wish to steal. The difference is that cybersecurity professionals adhere to cybersecurity ethics, meaning that organizations can trust them to oversee valuable information.
For cybersecurity professionals, keeping systems secure often means using privileged access to data to perform activities such as white hat hacking, also known as ethical hacking. White hat hacking describes penetrating protected systems using hacking tools and techniques to test the security of systems, networks and software. The aim is to identify security vulnerabilities. Cybersecurity research to learn how to break through the safeguards of a system enables cybersecurity professionals to build defenses against them.
White hat hacking offers an example of cybersecurity ethical issues in the profession. A white hat hacker must be trustworthy enough to safeguard the confidentiality of the information they encounter, but there have also been notable incidents in which security professionals discovered crimes or public threats that they decided to share with authorities. A solid ethical foundation can serve as the bedrock to help employees make the right decisions as they face some key cybersecurity ethical issues, as listed below.
Harm to privacy refers to an individual’s privacy becoming compromised. Negative consequences include unauthorized access, identity theft, reputational damage and distress. A cybersecurity professional’s decisions ultimately impact privacy protection. They can safeguard privacy in several ways, including implementing security measures, tools and practices; calling out designs and apps that mislead users into sharing excessive information; ensuring compliance with security frameworks; and mitigating risks.
Harm to property refers to damage to both physical and digital assets. It can lead to unauthorized access and the disruption of services. For a cybersecurity professional, prioritizing network security becomes an ethical matter. They have a responsibility to implement countermeasures, which can include risk assessments, firewalls and continuous monitoring. Failure to do so can lead to property harm caused by a cyber attack.
Determining what to invest in cybersecurity activities can be a challenge. Large companies can invest more resources to enhance their cyber defenses, improving their chances of detecting anomalies or intrusions. More important, knowing how to allocate resources is essential. Cybersecurity professionals must properly use resources for the greater good of the organization and its stakeholders. Deploying a patch for a critical software vulnerability may be costly and time consuming, but not doing so may risk a data breach that impacts millions of customers.
Companies should promptly reveal critical vulnerabilities in their software upon learning about them. This level of transparency can not only help cybersecurity professionals collaborate and share information to respond quickly to attacks but also allow customers whose data is threatened to take appropriate action to diminish their own risks.
Approaches to transparency and disclosure depend on the organization. However, the recent Consolidated Appropriations Act of 2022 offers guidance: Section 2242 notes that companies should voluntarily disclose a known cyber attack within 72 hours after its discovery.
From keeping sensitive data confidential to confronting user privacy issues in the workplace, cybersecurity professionals must find a healthy balance between safeguarding information and upholding cybersecurity ethics standards.
Cybersecurity professionals handle sensitive information, from personal customer data to a business’s proprietary information. Disclosing this data can have severe consequences, so cybersecurity professionals must never reveal confidential information, unless a significant public benefit exists for doing so.
Cybersecurity professionals are duty-bound to respond to cyber threats. Remaining vigilant is always a priority, and their response is crucial. While individuals may overlook notifications or leave their computers unattended, cybersecurity experts should never do so.
Cybersecurity professionals may encounter unethical practices within a business unit. Reporting the issue to supervisors may be the best first step. In the case of illegal activity, a cybersecurity professional may consider reporting it to authorities or the media.
Cybersecurity professionals have to balance security and user privacy. In protecting their organizations from cyber attacks, cybersecurity professionals sometimes have to access employees’ online activities. Without carefully considering user privacy, this can come close to violating a person’s rights.
Cybersecurity professionals often have unique access to sensitive data. They’re responsible for defending this data against malicious actors. This requires an understanding of ethical practices. However, the cyber realm often blurs the line between security and privacy, making it imperative for professionals to have clear codes of conduct and demonstrate trustworthiness.
By staying updated on evolving cybercrimes, enhancing competencies and pursuing advanced education, individuals can develop cybersecurity strategies and strengthen their knowledge of ethical principles.
With a curriculum that includes courses in human factors in information security and risk management, Augusta University Online’s Master of Science (MS) in Information Security Management prepares graduates to accelerate their cybersecurity career paths. A solid foundation of cybersecurity ethics knowledge can equip cybersecurity professionals to advance their careers in this critical field.
Learn more about AU Online’s MS in Information Security Management program.
Recommended Readings
How to Make a Career Change to Cybersecurity
Cybersecurity Architect: Salary, Job Description and Education
Sources:
CompTIA, Ethical Issues in Cybersecurity
FBI, FBI Releases the Internet Crime Complaint Center 2020 Internet Crime Report, Including COVID-19 Scam Statistics
Forbes, “Cybersecurity Trends & Statistics For 2023; What You Need To Know”
Infosec Resources, “Five Ethical Decisions Cybersecurity Pros Face: What Would You Do?”
Lookout, The Global State of Mobile Phishing Report
Security Intelligence, “How I Got Started: White Hat Hacker”
Security Intelligence, “Phishing Attacks Are Top Cyber Crime Threat, Easier Than Ever to Create and Deploy”
Sennovate, The Ethics of Cybersecurity: Debating the Gray Areas
Swiss Cyber Institute, A Holistic Approach to Ethical Issues in Cyber Security
Synopsis, Ethical Hacking
U.S. Congress, H.R.2471 – Consolidated Appropriations Act, 2022
