1 of 56

Threat Detection Analysis

Module 6 – Privacy, Ethics, and Legal Boundaries in Threat Detection

Privacy • Ethics • Law

Prof Justin Pineda, CISSP, CISM

2 of 56

Session Flow

• Pre-work activity and case review

• Discussion of difficult real-world scenarios

• Privacy concepts and schools of thought

• Ethics concepts and schools of thought

• Legal boundaries and controversial debates

• Summary, knowledge check, and reflection


3 of 56

Learning Objectives

• Explain major privacy concepts relevant to monitoring and detection.

• Distinguish legal compliance from ethical justification.

• Compare privacy and ethics schools of thought.

• Apply structured reasoning to difficult threat detection cases.


4 of 56

Motivation – Why This Matters in Threat Detection

• Threat detection depends on visibility into systems, users, and behavior.

• That same visibility may expose personal, confidential, or sensitive information.

• Analysts need more than technical skill; they need disciplined judgment.

• In practice, the hardest decisions are often legal and ethical, not technical.


5 of 56

Pre-Work Instructions (1.5 Hours)

• Students review assigned cases before class.

• For each scenario, decide whether the action is legal, ethical, both, or neither.

• Write a short justification for your answer.

• Be ready to defend your decision during discussion.


6 of 56

Guide Questions for the Pre-Work

• What is the security objective?

• What personal or sensitive data is involved?

• Was there notice, consent, or policy basis?

• Is the action necessary and proportionate?

• Would you approve it as a SOC manager?


7 of 56

Scenario 1 – Silent Employee Monitoring

• A SOC deploys software that captures screenshots at intervals.

• The same tool records browser history, USB activity, and selected application usage.

• Employees were not clearly informed that this monitoring exists.

• The stated reason is insider threat prevention.


8 of 56

Discussion Questions – Scenario 1

Is this legitimate security monitoring or workplace surveillance?

Does company ownership of devices justify deep visibility?

Should employees always be informed?

Would transparency weaken the control?


9 of 56

Scenario 2 – Recording Without Consent

• A security analyst suspects insider fraud involving two employees.

• The analyst records a conversation without consent.

• The goal is to preserve evidence and protect the organization.

• The act may help the investigation but may also violate rights.


10 of 56

Discussion Questions – Scenario 2

Is it okay to record without consent for the good of more people or the organization?

Does preventing financial loss justify the method?

Would your answer change if the loss involved millions?

What if the evidence is useful but unlawfully obtained?


11 of 56

Scenario 3 – Hack Back

• A company traces an intrusion to an attacker-controlled system.

• The security team proposes disrupting or deleting attacker tools.

• The intent is immediate containment and deterrence.

• The risk is escalation, misattribution, or harm to third parties.


12 of 56

Discussion Questions – Scenario 3

Is it ethical to hack back?

Should private companies ever retaliate digitally?

What if attribution is wrong?

Does urgency justify questionable actions?


13 of 56

From Instinctive Answers to Structured Reasoning

Students often disagree because they are using different assumptions. We now introduce privacy, ethics, and law as structured lenses for analysis.


14 of 56

What Is Privacy?

• In ordinary language, privacy is often associated with being left alone.

• In digital systems, privacy also concerns information flows, access, and control.

• Threat detection raises privacy questions because monitoring reveals behavior.

• Privacy is not only about secrecy; it is also about boundaries and appropriate use.


15 of 56

Why Privacy Matters in Threat Detection

• Logs can reveal habits, relationships, location, and personal patterns.

• Monitoring affects trust between organizations and users.

• Poorly designed monitoring can chill speech, autonomy, and normal behavior.

• Security teams must protect systems without treating everyone as a suspect.


16 of 56

School of Thought 1 – Privacy as Control Over Information

• This view treats privacy as control over collection, use, sharing, and retention of data.

• It is influential in data protection and consent-based thinking.

• Notice, access, correction, and deletion make sense under this framework.

• The core question is whether the person has meaningful control.


17 of 56

Discussion – Privacy as Control

If employees 'consent' through a mandatory policy, do they really control their information?

Is forced consent still meaningful consent?


18 of 56

School of Thought 2 – Privacy as a Derivative Right

• In this view, privacy is tied to dignity, autonomy, liberty, association, and personhood.

• Privacy matters because it supports other rights and freedoms.

• The harm may not be just data collection itself, but loss of human freedom.

• This view is useful when monitoring changes how people think or behave.


19 of 56

Discussion – Privacy as a Derivative Right

If monitoring discourages honest communication or association, is the privacy harm greater than the data collection itself?

Should privacy be protected even when nothing 'secret' is exposed?


20 of 56

School of Thought 3 – Privacy Through Torts and Harms

• This approach focuses on wrongful acts and recognizable harms.

• Examples include intrusion upon seclusion or harmful disclosure of private facts.

• The question becomes: what wrong was done and what harm resulted?

• This lens is practical in legal disputes and remedies.


21 of 56

Discussion – Tort-Based Privacy

If no one has yet suffered visible damage, is there still a privacy violation?

Should privacy only matter once harm becomes obvious?


22 of 56

School of Thought 4 – Privacy as Contextual Integrity

• This view argues that privacy depends on appropriate information flows within a context.

• The same information may be acceptable in one setting but inappropriate in another.

• Privacy violations occur when norms of context are broken.

• This is highly relevant to incident response, HR, education, healthcare, and SOC operations.


23 of 56

Discussion – Contextual Integrity

If a SOC analyst encounters private chats during a malware investigation, does the investigative context justify access?

When does context excuse or fail to excuse intrusion?


24 of 56

Comparing the Privacy Schools of Thought

• Control asks whether the person meaningfully controls information.

• Derivative-rights thinking asks what human freedom is being protected.

• Tort-based thinking asks what wrong and harm occurred.

• Contextual integrity asks whether the information flow fits the setting.


25 of 56

Checkpoint – Which Privacy Lens Fits Best?

When evaluating silent employee monitoring, which privacy theory gives the strongest analysis?

Could more than one lens be correct at the same time?


26 of 56

From Privacy to Ethics

Privacy theories explain what is at stake. Ethics helps us decide what should be done.


27 of 56

What Is Ethics in Cybersecurity?

• Ethics concerns what ought to be done, not only what is allowed.

• Cybersecurity professionals often have privileged access to sensitive material.

• Ethical failure can occur even when no law is broken.

• Good security practice includes moral discipline and restraint.


28 of 56

Why Ethics Matters in Threat Detection

• Analysts can access email, files, communications, and behavioral telemetry.

• Tools built for protection can be misused for curiosity, control, or abuse.

• Detection decisions affect trust, legitimacy, and organizational culture.

• Ethics matters most when technical access exceeds ordinary authority.


29 of 56

Ethical School 1 – Deontology

• Deontology focuses on duties, principles, and rights.

• Some actions may be wrong even if they produce useful results.

• This approach emphasizes fairness, rules, and respect for persons.

• It is often associated with professional obligations and non-negotiable boundaries.


30 of 56

Deontology Applied to Threat Detection

• Recording without consent may be wrong even if it uncovers fraud.

• Violating privacy rights may be objectionable regardless of outcome.

• The means matter, not just the result.

• This lens is strong where rights and duties are central.


31 of 56

Discussion – Deontological View

If an action violates a person's rights, can it still be justified by a beneficial outcome?

Should some lines never be crossed in a SOC?


32 of 56

Ethical School 2 – Utilitarianism

• Utilitarianism evaluates actions by consequences and overall benefit.

• The best action is often framed as the one producing the greatest good for the greatest number.

• This way of thinking is common in security trade-off reasoning.

• It can justify difficult actions if the expected benefit is large enough.


33 of 56

Utilitarianism Applied to Threat Detection

• Intrusive monitoring may appear justified if it protects thousands of users.

• Recording without consent may seem acceptable if it prevents major loss.

• Hack back may look attractive if it stops widespread harm quickly.

• The risk is sacrificing the rights of a few in the name of many.


34 of 56

Discussion – Utilitarian View

Is it acceptable to violate one person's privacy if doing so protects 10,000 customers?

Who gets to decide whose interests count more?


35 of 56

Deontology vs Utilitarianism

• Deontology emphasizes duties, rules, and rights.

• Utilitarianism emphasizes outcomes, consequences, and net benefit.

• Deontology resists ethical shortcuts; utilitarianism allows flexible trade-offs.

• In practice, security teams often mix both intuitively.


36 of 56

Ethical Dilemma

Is it okay to violate one person's privacy to protect many others?

Answer once using deontology and once using utilitarianism.


37 of 56

Optional Third Lens – Virtue Ethics

• Virtue ethics asks what a good professional would do.

• It emphasizes character traits such as integrity, prudence, courage, and restraint.

• This lens is useful in cybersecurity because not every case is covered by policy.

• It asks not only 'what action is right?' but 'what kind of person are you becoming?'


38 of 56

Discussion – Virtue Ethics

Even if an action is legal and beneficial, would a trustworthy analyst do it?

What kind of professional do we want in a SOC?


39 of 56

Legal Boundaries

Law is not the whole answer, but it sets critical constraints on monitoring, evidence, and data handling.


40 of 56

Legal Frameworks in Threat Detection

• Threat detection operates within privacy law, labor rules, contracts, and sector regulations.

• Legal issues affect collection, storage, access, sharing, and retention of data.

• Evidence may also face admissibility concerns depending on how it was obtained.

• What is technically possible may still be legally unsafe.


41 of 56

Philippine Context – Data Privacy Act of 2012

• Personal data must be processed lawfully and for a legitimate purpose.

• Processing should be proportionate and supported by safeguards.

• Access must be controlled and retention should be justified.

• Security teams are not exempt simply because their purpose is defense.


42 of 56

Monitoring, Consent, and Policy

• Organizations often rely on acceptable use policies, notices, and employment agreements.

• These may support monitoring, but they do not justify unlimited intrusion.

• Meaningful notice and proportionality still matter.

• Policy can support legality, but it does not settle ethics.


43 of 56

Critical Question

If a monitoring practice is legal under policy or contract, does that automatically make it ethical?

Is legality only the minimum floor?


44 of 56

Controversial Discussions

We now revisit difficult questions using the privacy and ethics frameworks introduced earlier.


45 of 56

Government Backdoors in Encryption

• Strong encryption protects citizens, businesses, and governments.

• Law enforcement may request exceptional access or backdoors.

• Security experts warn that any deliberate weakness can be abused.

• The debate is between investigative access and universal security.


46 of 56

Questions – Encryption Backdoors

Should governments have a master key to encrypted communications?

Can a backdoor ever be safe?

Should national security override privacy?


47 of 56

Mass Surveillance vs National Security

• Mass surveillance promises broad visibility into possible threats.

• It may also normalize suspicion, chill speech, and enable abuse.

• Supporters argue it helps prevent catastrophic attacks.

• Critics ask whether security purchased through constant observation is compatible with freedom.


48 of 56

Questions – Surveillance Debate

If mass surveillance prevents attacks, is it justified?

How much freedom are we willing to trade for security?

Who watches the watchers?


49 of 56

Monitoring Employees' Personal Social Media

• Organizations may monitor public posts to detect leaks, insider threats, or reputational risks.

• But off-duty expression may still belong to a person's private sphere.

• Public visibility does not automatically erase ethical concern.

• This debate centers on fairness, legitimacy, and proportionality.


50 of 56

Questions – Social Media Monitoring

Does public posting remove privacy expectations?

Should employers monitor off-duty behavior?

Should security teams judge risk through personal expression?


51 of 56

Revisited Case – Hack Back

Now that we have discussed privacy, ethics, and law: is hack back still justifiable?

Would your answer differ under deontology and utilitarianism?


52 of 56

Revisited Case – Recording Without Consent

After applying privacy theories and ethical frameworks, is recording without consent for the good of the organization ever acceptable?

Where would you draw the line?


53 of 56

Summary of Core Concepts

• Privacy has multiple theories, not just one definition.

• Ethics offers different decision frameworks, especially deontology and utilitarianism.

• Legal compliance and ethical acceptability are not the same.

• Threat detection requires judgment, restraint, and justification.


54 of 56

Knowledge Check

• Which privacy theory emphasizes control over data?

• Which ethical school focuses on outcomes?

• Which framework emphasizes duties and rights?

• Why does legality not automatically resolve ethics?


55 of 56

Applied Reflection – You Are the SOC Manager

• Would you approve silent monitoring?

• Would you approve recording without consent?

• Would you approve hack back?

• Justify each decision using one privacy theory and one ethical theory.


56 of 56

Key Takeaways – What Did You Learn?

• What concept changed your mind today?

• Which ethical lens do you naturally use?

• Where would you draw the line in threat detection?

• What kind of cybersecurity professional do you want to become?
