Ethics are a critical part of any defined cybersecurity strategy. They are moral principles, and without proper framing, cybersecurity professionals could be left indistinguishable from black-hat criminals. Cybersecurity professionals think, perceive, and operate in the most ethical way possible to defend IT infrastructure from cybercriminals who observe no such limits. By adhering to a code of ethics, cybersecurity personnel commit to norms and rules that can constrain how they pursue cyber defense.
Cybersecurity researchers and professionals face hard choices because they work in a highly adversarial field.
Can a botnet researcher take control of a compromised machine as an act of defense, or should they limit themselves to studying the botnet's structure? Can a vulnerability be disclosed to the public before the vendor patches it? Is it acceptable to buy exploits from cybercriminals if it is done in the public interest? Should we counter-attack criminals who are exploiting our data? Many such questions arise in practice, and each is just as complex as the last. The guidelines that exist on cybersecurity ethics are either unilateral (set by a single organization) or de facto.
How cybersecurity and ethics relate to each other
Cybersecurity is not obviously tied to ethical values unless the industry commits to stopping cybercriminals from gaining unauthorized access; the question then becomes which means are acceptable. In practice, a few ethical values govern cybersecurity:
Confidentiality: Information, processes, and security-related news should be kept confidential; doing so is an ethical obligation. Confidentiality is the most critical element of security, and maintaining it is a core duty. Threats such as phishing, vishing, and malicious insiders all aim to breach the confidentiality of business data. The practice of BYOD (bring your own device) is a major threat to confidential data: personal devices may be vulnerable, and allowing them to connect to the corporate network exposes it to that risk.
Communication: While confidentiality is a fundamental ethic in cybersecurity, it must not be used in a way that undermines customer confidence. For example, if a breach is kept confidential and is later revealed by a news agency or a third-party vendor, customers' trust suffers. There should be a defined policy on when an organization notifies customers about a potential breach and what role communication plays during an incident.
Authority standardizing ethics: The most critical challenge here is that there are no global standards in place. There is no binding authority in cybersecurity that defines the principles of what, where, when, how much, and why. While individual nations have laid down rules on handling private and confidential data, as well as other aspects of security ethics, those rules stop at their borders. For example, the EU's General Data Protection Regulation (GDPR) can be considered a good initiative in laying down ethical norms. However, it protects only the personal data of people in the EU; it is not a global standard.
Prominent ethical issues in cybersecurity
So, what are the problems that make IT security managers work overtime? The three most prominent ethical issues in cybersecurity are:
Incident Response (IR) – Dealing with customers during incident response is the most prominent ethical issue for the security team. When, how, and where to inform customers about a breach is an ethical matter that must be defined in advance. The extent of the breach investigation, the actions your business may take when it is the victim of a breach, the information to be shared with stakeholders, and the steps to prevent a recurrence are a few of the prominent IR issues to be addressed.
Encryption issues – What are a business's rights and obligations when a government agency requests its encrypted information? How encrypted information is stored, and how much of the business's information is encrypted and retained, also form part of cybersecurity ethics.
Roles and responsibilities – Defining the roles in your cybersecurity department, along with the responsibilities attached to each role, is again a prominent ethical issue. How much personal responsibility an individual takes for combating security breaches is more a matter of individual choice than of mandate.
The cybersecurity landscape is dynamic; it expands and shifts every year. It is the responsibility of educational bodies to embed ethical behavior in the curriculum so that individuals carry such practices into their cybersecurity careers.
EC-Council University offers both bachelor's and master's level degree programs: the Bachelor of Science in Cyber Security (BSCS) and the Master of Science in Cyber Security (MSCS). The curricula are framed around current cybersecurity requirements, techniques, and managerial skills, and are taught with ethics in mind.