Introduction
The case of the publicly traded company TechFite reveals a substantial number of ethically questionable activities committed within the company's Applications Division. Not only are there accusations of theft of proprietary information, but there is also evidence of conflicts of interest, dummy accounts used to gain escalation of privilege, and security omissions that cannot be justified. This paper will address the ethical issues for cybersecurity that relate to the case of TechFite, discuss the ethically questionable behaviors and omissions of the people who fostered the unethical atmosphere, and examine ways to mitigate the problems and enhance security awareness at the company.
Ethical Issues for Cybersecurity
When it comes to establishing ethical guidelines in cybersecurity, the main concerns focus on protecting data. Whether in health care, finance, or tech, data security has to be the number one issue, and that means confidentiality, integrity and access all have to be secured, according to the Information Systems Security Association International (ISSA, 2018). In the case of TechFite, a number of ethical issues have cropped up with regard to confidentiality, integrity and access. Before examining them, however, it is helpful to review the guidelines one by one.
Ethical Guidelines
Privacy is the basic umbrella ethical issue that governs most ethical guidelines in information security (Shinder, 2005). All clients have a reasonable expectation of privacy with respect to their proprietary information; that is the reason clients sign non-disclosure agreements. Protecting information, therefore, is a key ethical responsibility in information security. Keeping client information segregated is important, for example by using a Chinese wall. Limiting administrative rights within the department, and allowing access to be granted only from certain computers where activity can be monitored, is another guideline that should be standard throughout the industry (GIAC, 2018).
Justification and Examples
The reason that privacy serves as the underlying foundation of all ethical guidelines related to information security is that the very essence of information security is rooted in keeping information out of the hands of people who should not have access to it. The digital age has made information flows easier than ever before; however, that ease comes with a price, which is the risk of those information flows being hacked. The guiding ethical principle in IS is that information should be protected so that it is shared only with those who have permission to see it. An example of this can be seen in the health care industry, where patients' rights are affirmed in HIPAA law, which stipulates that all patient information must be protected by the health care facilities that store it digitally. When Anthem Blue Cross had 78 million patient records hacked, it was a major disaster that showed just how important the fundamental ethical principle of privacy is in the field of information security (Lord, 2018).
Within the field, there are certain guidelines that should be followed as well—such as protecting proprietary information, using basic security systems like Chinese walls, and so on. As Brewer and Nash (1989) point out, “it should be noted that in the United Kingdom the Chinese Wall requirements of the UK Stock Exchange have the authority of law and thus represent a mandatory security policy whether implemented by manual or automated means” (p. 206). In other words, these basic guidelines are actually recognized as laws in many parts of the world where ethical practice in IS is virtually mandated by government.
Behaviors and Omissions
The behaviors and omissions at TechFite that fostered the unethical practices were numerous in the case study. IT Security Analyst Nadia Johnson was one of the main culprits, but not the only one. Johnson showed that when it came to protecting the company against external threats, the firm had done well. However, the documentation of internal threats was an issue; in short, there was none. External threats were mitigated. Internal threats were quite another story, and there were far too many omissions and behaviors permitted by Johnson to believe that, ethically speaking, the Applications Division was in a healthy state. There was zero description of whether accounts had been audited, whether the division was monitoring for escalation of privilege, whether data loss prevention was actually being enforced, or whether internal network traffic was being monitored. All of these issues should have been described in detail in internal reports, but they were not, which indicates a serious ethical transgression and omission on the part of Johnson, as she was overseeing the division.
There was also no analysis of the process used to secure proprietary information of present clients, past clients and future clients. All data was evidently stored together, where anyone at any computer in the division could gain access to it. There was no Chinese Wall. There was no distinction between privilege and duty. Every workstation had administrative rights, meaning all information could be accessed from anywhere.
The head of the Applications Division—Jaspers—also engaged in behavior that is ethically questionable. He and Johnson apparently have a close relationship, as shown on social media. Jaspers routinely praises Johnson to her boss. If Johnson is conducting oversight on Jaspers, the latter should not be giving gifts to the former—but the company has no policy about relationships between IT Security staff and the individuals who are overseen by them—which is another major problem, as it indicates that the company is okay with conflicts of interest arising.
Johnson had never audited the client list database. Three client corporations were shell companies owned by a friend of Jaspers named Lee. Jaspers created accounts that he used to discuss dumpster diving and trash surveillance with non-clients of the company. Essentially, Jaspers was engaged in unethical, non-transparent activity and was bribing Johnson to look the other way. The systems were also compromised by system penetration software. Senior analyst Sarah Miller, like Jaspers, is engaged in covert and illegal surveillance, in terms of scanning other companies’ networks. The fake accounts operated by Jaspers have also obtained escalation of privilege outside the division and have gained access to HR and finance.
Factors that Led to Lax Ethical Behavior
The factors that led to the lax ethical behavior include the close relationship between Johnson and Jaspers, which should not be permitted at the company on the grounds of conflicts of interest arising. Another factor was the lack of segregation between divisions: every workstation and worker had full administrative rights to access data, making escalation of privilege possible and easy. The company had no Chinese Wall in place to protect proprietary information of clients. The company did not engage in background checks of its employees—i.e., analyze social media to see if any unethical or potentially unethical relationships had formed. The company had no policy in place to prevent conflicts of interest from arising between division leaders.
There were also never any audits conducted and no internal assessments made to see who was doing what on the network. Johnson was engaged in very poor oversight in this respect. Audits with respect to external threats were not an issue. The problem was that internal auditing was not being conducted. The lack of monitoring of the system network also allowed for analysts like Miller to engage in unethical activity by surveying competitors’ networks.
Ways to Mitigate Problems and Build Security Awareness
Building security awareness is absolutely essential for a company like TechFite. There is little sense of any such awareness in Johnson: either she is woefully uninformed about what should constitute adequate IT security from an internal standpoint, or she is deliberately looking the other way and allowing negligent practices and unethical activity to become an established norm at the company. Whatever the case may be, security awareness is something that needs to be increased.
Two Information Security Policies
One policy that may have prevented or reduced the criminal activity, deterred the negligent acts, and decreased the threats to intellectual property at TechFite would be to establish a Chinese Wall. As Brewer and Nash (1989) point out, "the Chinese Wall policy combines commercial discretion with legally enforceable mandatory controls. It is required in the operation of many financial services organizations" (p. 206). By having a Chinese Wall in place, the company would mitigate the risk of escalation of privilege, dummy accounts accessing data, full administrative rights being abused at workstations, and proprietary information being stolen from within. The way in which a Chinese Wall works is quite simple: it prevents conflicts of interest from arising because access to datasets is severely limited by group. Brewer and Nash (1989) put it this way: "access to data is not constrained by attributes of the data in question but by what data the subject already holds access rights to. Essentially, datasets are grouped into 'conflict of interest classes' and by mandatory ruling all subjects are allowed access to at most one dataset belonging to each such conflict of interest class; the actual choice of dataset is totally unrestrained provided that this mandatory rule is satisfied" (p. 207). By segmenting and segregating conflict of interest classes, the company eliminates the ability of internal operators to harvest the proprietary information of various clients and farm that information out to the highest bidder outside the system.
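The Brewer and Nash rule quoted above, and the Chinese wall called for in the Ethical Guidelines section, can be written as a small access-decision routine. The following is an added example, not code from the paper or from TechFite; the client dataset names and conflict-of-interest classes are constructed placeholders. It implements the read rule exactly as quoted, and additionally the write rule (the "*-property") from the same Brewer and Nash paper, which blocks a subject who has read one company's data from writing into another company's dataset.

```python
"""Brewer-Nash Chinese Wall access decisions (added example, not from the paper).

Datasets belong to conflict-of-interest (CoI) classes.  A subject's own
access history, not any label on the data, decides whether a request is allowed.
"""
from dataclasses import dataclass, field

# Constructed sample: client datasets grouped into CoI classes.
# Names are placeholders, not TechFite's real clients.
COI_CLASSES = {
    "banking": {"BankA", "BankB"},
    "oil":     {"OilCo", "PetroCo"},
}


def coi_class_of(dataset):
    """Return the name of the CoI class that a dataset belongs to."""
    for name, members in COI_CLASSES.items():
        if dataset in members:
            return name
    raise KeyError(f"unknown dataset: {dataset}")


@dataclass
class Subject:
    name: str
    # Datasets this subject has already read; this history is the whole state.
    read_history: set = field(default_factory=set)

    def may_read(self, dataset):
        """Simple security rule: a read is allowed if the subject already holds
        this dataset, or holds no dataset at all from the same CoI class."""
        if dataset in self.read_history:
            return True
        cls = coi_class_of(dataset)
        return not any(coi_class_of(d) == cls for d in self.read_history)

    def read(self, dataset):
        """Perform a read, recording it so later decisions see the new history."""
        if not self.may_read(dataset):
            return False
        self.read_history.add(dataset)
        return True

    def may_write(self, dataset):
        """*-property: a write is allowed only if the read rule allows it and the
        subject has read nothing from any other dataset, so that information
        cannot be copied across the wall by a subject who holds two datasets."""
        return self.may_read(dataset) and self.read_history <= {dataset}
```

Note that once a subject has read from two different datasets it can no longer write anywhere, which is why Brewer and Nash treat sanitized (public) data separately in the full model.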
Another policy that may have prevented or reduced the criminal activity, deterred the negligent acts, and decreased the threats to intellectual property would be to conduct routine network monitoring and internal auditing of account activity. Monitoring of network activity would have revealed that penetration and scanning activity was being conducted on various different companies, indicating unethical harvesting of data by employees within the company. Auditing of accounts would have revealed that individuals were engaged in fraudulent activity regarding payments for these unethical activities via off-the-books methods.
Key Components of Security Awareness Training and Education (SATE) Program
User risk is one of the biggest factors in security issues—and security awareness training can help to eliminate user risk by focusing on the following key components:
1. Information should be conveyed as simply as possible. The trick here is to engage in micro training: the SATE program should focus on conveying terse, concise information in the same manner in which people communicate information on Twitter. This is the social media age, and people are used to sending and receiving text messages that distill information down to its most essential points. People do not want long, drawn-out explanations. They want the basic information in as few words as possible.
2. When it comes to assessing effectiveness, metrics matter. This means that it is important to ensure that everything is measured, where "everything" refers to the activities of the users who are receiving training. Measurements should look at the practices workers engage in, such as whether they are following training protocol and adhering to ethical standards.
3. Training should be user-specific. This means that, just as in health care where patient-centered care is viewed as a best-practice approach, user-centered training should be conducted to ensure that the specific needs of the trainees are met. Tone should be adapted to meet high-risk users' needs, and low-risk and high-risk groups should be separated so that time is not wasted delivering material in an aggressive tone to a group that does not require it.
4. Content should be entertaining and delivered in an effective manner. In other words, no message will get through if the material is not presented in an appealing way. By turning the training into a type of game, the trainees can become more immersed and act as active learners, which would not be the case were the material presented through passive learning.
5. Simulate a situation. This allows the trainees to see firsthand and to experience what it is like to be part of a situation where security awareness can pay off and yield dividends in the form of right action (Patrick, 2018).
Each of these components could easily be implemented at TechFite. The first would not be an issue, as everyone can relate to easily understandable statements. The second would show what users are doing right and what they are continuing to do wrong. The third would be appropriate in terms of tailoring the training to meet the requirements of the individual groups. The fourth would allow the message to be received well. The fifth would ensure that the learners obtain the experience they need to confidently apply the lessons received in training to the real world of the workplace.
Communicating the Program
The SATE program would need to be communicated within the larger context of transformational leadership. The purpose of the training would be to accomplish a change in the workplace. Transformational leadership can allow that change to be accomplished by having a vision of the change developed and communicated to workers. That vision should be justified with logic and reason so that the workers understand why the change is required. This will help to prevent resistance from occurring. The training could also include an opportunity for trainees to ask questions in an open format or anonymously, in case some employees have sensitive issues that they want addressed without fearing the risk of blowback.
The program should also not be communicated in a hostile manner. The trainees should be respected as it is not necessarily going to be their fault that the security in the company has grown so lax. However, some issues will have to be addressed directly, such as why a Chinese Wall is being installed and why monitoring of network activity will become a norm at the company. Employees should be made aware of the reality of the situation, the ethical principles guiding the changes, and why these ethical principles must matter. Part of the communication of the program to employees at TechFite must be squarely rooted in establishing the justification of the program’s relevance so that employees are not befuddled by its purpose.
Justification of the Program’s Relevance
The relevance of the SATE program to mitigating the unethical and unsafe practices and activities of the workers at TechFite is based on the fact that without security awareness there can be no real understanding of what is at risk. The employees at the firm have to realize that by engaging in unethical and potentially criminal activity (i.e., by stealing or sharing unauthorized access to proprietary information) they are endangering both the company and themselves. There can be no security without understanding what has to be secured.
The SATE program would help to explain what needs to be secured so that there is no confusion on the matter. Through the various approaches it takes, whether by messaging in the form of Twitter-style communications; by using games to make the training more effective, stimulating and proactive; or by adapting the tone of the training to meet the individual needs of the high-risk and low-risk groups formed for the purposes of the training exercise, the program can make certain that employees understand that the purpose of security awareness is to keep those records safe from prying eyes. This is the only possible way to create a culture of security awareness and safety within TechFite.
Conclusion
TechFite is in a position where information security is not being pursued within its departments and divisions. The person in charge of oversight is not conducting the types of audits and monitoring needed to make sure internal threats are mitigated. The necessary infrastructure, such as a Chinese Wall, is not in place to prohibit snooping on and accessing of proprietary information. These omissions are bad enough, but there is also unethical activity among the workers, which indicates that there is a definite and deliberate plan among some to engage in unethical behavior. The primary way to prevent this type of behavior and such omissions would be to implement two specific policies that address the activity and omissions. The first would be to create a Chinese Wall around the proprietary information. This would enable the first primary principle of ethics in information systems to be reached: the need to protect and safeguard all private data. The second would be to implement a system of network monitoring and account auditing. This would ensure that the system is not being used recklessly or in a manner that would endanger the reputation of the company, and workers who engaged in unethical behavior would be identified and disciplined. The company currently has no conflict of interest policy in place, and the Chinese Wall would help to address that issue; but at the same time it is important that workers be made to understand the reason behind all of this, and that reason is not so that they can steal IP but rather so that they can protect it.
References
Brewer, D. F., & Nash, M. J. (1989, May). The Chinese wall security policy. In Proceedings. 1989 IEEE Symposium on Security and Privacy (pp. 206-214). IEEE.
GIAC. (2018). Code of ethics. Retrieved from https://www.giac.org/about/ethics
ISSA. (2018). Code of ethics. Retrieved from https://www.issa.org/page/CodeofEthics
Lord, N. (2018). Top 10 biggest healthcare data breaches of all time. Retrieved from https://digitalguardian.com/blog/top-10-biggest-healthcare-data-breaches-all-time
Patrick, N. (2018). 9 signs your security awareness training is failing. Retrieved from https://peoplesec.org/category/security-awareness-training-and-education-sate/
Shinder, D. (2005). Ethical issues for IT security professionals. Retrieved from https://www.computerworld.com/article/2557944/ethical-issues-for-it-security-professionals.html