Introduction
The case of publicly traded company TechFite reveals a substantial number of ethically questionable activities being committed by the company’s Applications Divisions. Not only are their accusations of theft of proprietary information but also evidence of conflicts of interest, dummy accounts used to gain escalation of privilege, and security omissions that cannot be justified. This paper will address the ethical issues for cybersecurity that relate to the case of TechFite, discuss ethically questionable behaviors and omissions of people who fostered the unethical atmosphere, and examine ways to mitigate problems and enhance security awareness at the company.

Ethical Issues for Cybersecurity

When it comes to establishing ethical guidelines in cybersecurity, the main concerns focus on protecting data. Whether it is in health care, finance, or tech, data security has to be the number one issue—and that means confidentiality, integrity and access all have to be secured, according to the Information Systems Security Association International (ISSA, 2018). In the case of TechFite, a number of ethical issues have cropped up with regards to confidentiality, integrity and access. Before examining them, however, it is helpful to examine the guidelines one by one.

Ethical Guidelines

Privacy is the basic umbrella ethical issue that governs most ethical guidelines in information security (Shinder, 2005). All clients have a reasonable expectation to privacy with respect to their proprietary information. That is the reason clients sign non-disclosure agreements. Protecting information, therefore, is a key ethical responsibility in information security. Keeping client information segregated is important—for example, by using a Chinese wall. Limiting administrative rights within the department and allowing access to only be granted by using certain computers where activity can be monitored is another guideline that should be standard throughout the industry (GIAC, 2018).

Justification and Examples

The reason that privacy serves as the underlying foundation of all ethical guidelines related to information security is that the very essence of information security is rooted in the concept of keeping information out of the hands of people who should not have access to it. The digital age has allowed for information flows to be made possible in ways that are easier today than ever before; however, that ease comes with a price, which is the risk of information flows being hacked. The guiding ethical principle in IS is that information should be protected so that it is shared only with those who have permission to see it. An example of this can be seen in the health care industry, where patients’ rights are affirmed in HIPAA law, which stipulates that all patient information must be protected by health care facilities that store it digitally. When Anthem Blue Cross had 78 million patient records hacked, it was a major disaster that showed just how important the fundamental ethical principle of privacy is in the field of Information Security (Lord, 2018).

Within the field, there are certain guidelines that should be followed as well—such as protecting proprietary information, using basic security systems like Chinese walls, and so on. As Brewer and Nash (1989) point out, “it should be noted that in the United Kingdom the Chinese Wall requirements of the UK Stock Exchange have the authority of law and thus represent a mandatory security policy whether implemented by manual or automated means” (p. 206). In other words, these basic guidelines are actually recognized as laws in many parts of the world where ethical practice in IS is virtually mandated by government.

Behaviors and Omissions

The behaviors and omissions of behaviors at TechFite that fostered the unethical practices were numerous in the case study. IT Security Analyst Nadia Johnson was one of the main culprits, but not the only one. Johnson showed that when it came to protecting the company against external threats, the firm had done well. However, the problem of documentation of internal threats was an issue. In short, there was no documentation. External threats were mitigated. Internal threats were quite another story, and there were far too many omissions and behaviors permitted by Johnson to believe that, ethically speaking, the Applications Division was in a healthy state. There was zero description of whether accounts had been audited, whether the division was monitoring for escalation of privilege, whether data loss prevention was actually being enforced, and whether internal network traffic was being monitored. All of these issues should have been described in detail in internal reports—but they were not—which indicates a serious ethical transgression and omission on the part of Johnson, as she was overseeing the division.

There was also no analysis of the process used to secure proprietary information of present clients, past clients and future clients. All data was evidently stored together, where anyone at any computer in the division could gain access to it. There was no Chinese Wall. There was no distinction between privilege and duty. Every workstation had administrative rights, meaning all information could be accessed from anywhere.

The head of the Applications Division—Jaspers—also engaged in behavior that is ethically questionable. He and Johnson apparently have a close relationship, as shown on social media. Jaspers routinely praises Johnson to her boss. If Johnson is conducting oversight on Jaspers, the latter should not be giving gifts to the former—but the company has no policy about relationships between IT Security staff and the individuals who are overseen by them—which is another major problem, as it indicates that the company is okay with conflicts of interest arising.

Johnson had never audited the client list database. Three client corporations were shell companies owned by a friend of Jaspers named Lee. Jaspers created accounts that he used to discuss dumpster diving and trash surveillance...
The relevance of the SATE program to mitigating the unethical and unsafe practices and activities of the workers at TechFite is based on the fact that without security awareness there can be no real understanding of what is at risk. The employees at the firm have to realize that by engaging in unethical and potentially criminal activity (i.e., by stealing or sharing unauthorized access to proprietary information) they are endangering both the company and themselves. There can be no security without understanding what has to be secured.

The SATE program would help to explain what needs to be secured so that there is no confusion on the matter. Through the various approaches it takes—whether by messaging in the form of Twitter communications, using games to make the training more effective, stimulating and pro-active; or by adapting the tone of the training to meet the individual needs of the high-risk and low-risk groups that are cultivated for the purposes of the training exercise—the program can make certain that the purpose of security awareness is to keep those records safe from prying eyes. This is the only possible way to create a culture of security awareness and safety within the company of TechFite.

Conclusion

TechFite is in a position where information security is not being pursued within its departments and divisions. The person in charge of oversight is not conducting the types of audits and monitoring needed to make sure internal threats are mitigated. The necessary infrastructure—such as a Chinese Wall—is not in place to prohibit snooping and accessing of proprietary information. These omissions are bad enough, but there is also unethical activity among the workers, which indicates that there is a definite and deliberate plan among some to engage in unethical behavior. The primary way to prevent this type of behavior and such omissions would be to implement two specific policies that address the activity and omissions. The first would be to create a Chinese Wall around the proprietary information. This would enable the first primary principle of ethics in information systems to be reached. That principle is the need to protect and safeguard all private data. The second would be to implement a system of network monitoring and account auditing. This would ensure that the entire system is not being used recklessly or in a manner that would endanger the reputation of the company. Workers who engaged in unethical behavior would be identified and disciplined. The company currently has no conflict of interest policy in place—and the Chinese Wall would help to address that issue; but at the same time it is important that workers be made to understand the reason they are all that—and that reason is not so that they can steal IP but rather that they can protect it.