1 of 64

SPECIAL TOPIC:

Issues on Cybersecurity Ethics

Version x.x

<Month, Year>

2 of 64

Learning Outcomes:

LO1: Understand key ethical challenges in cybersecurity.
LO2: Explore real-world ethical dilemmas faced by cybersecurity professionals.
LO3: Apply ethical frameworks in decision-making.
LO4: Engage in discussions and practical exercises to analyze cybersecurity ethics cases.

2

3 of 64

1- Introduction to Cybersecurity Ethics

What is Ethics

Trolley Problem
Apply it to self-driving cars (Tesla)

<Insert Image>

3

4 of 64

Cybersecurity Ethics

Moral principles and standards governing the conduct of cybersecurity professionals and the practices aimed at safeguarding data, computer systems, and networks from unauthorized access, breaches, and attacks.

Why are cybersecurity ethics important?

The importance of cybersecurity ethics is best understood through its role in preserving the integrity, functionality, and reliability of human institutions and practices reliant on data, systems, and networks.

Cybersecurity professionals, in general, play a crucial role in safeguarding the lives, privacy, and well-being of individuals and communities dependent on secure digital infrastructure. But their ethical cybersecurity practices, in particular, contribute to fostering trust, stability, and innovation in the digital ecosystem, thereby enhancing societal welfare and prosperity. By upholding ethical standards, cybersecurity professionals mitigate risks and vulnerabilities and promote technology's ethical use and governance, ultimately contributing to a safer and more resilient digital environment for all stakeholders.

5 of 64

Cybersecurity Ethics encompasses

Integrity
Accountability
Privacy
Fairness
Societal well-being

Cybersecurity deals with a myriad of ethical issues that warrant close examination. Below, we'll explore some pressing concerns, focusing on the complexities surrounding privacy violations, surveillance and monitoring practices, resource allocation, and transparency and disclosure in cybersecurity ethics.

Privacy violations

With the vast amounts of personal data generated and stored electronically, cyber breaches represent a pervasive threat to individual privacy. Unauthorized access to personal data and breaches of confidentiality are not only common but also have far-reaching consequences.

These breaches expose individuals to risks such as identity theft, where their personal information is used fraudulently to commit crimes or impersonate them online. Additionally, cybercriminals exploit stolen data for financial gain through various forms of fraud, jeopardizing individuals' financial security and stability. Statistics indicate that 93% of data breaches are motivated by financial gain. Moreover, the exploitation of personal data can extend beyond financial harm, encompassing other forms of exploitation and manipulation, such as targeted phishing attacks or blackmail attempts.

Given the profound implications of privacy violations, cybersecurity measures must be implemented to mitigate these risks and safeguard individuals' sensitive information. Such measures may include encryption protocols, access controls, and regular security audits to detect and prevent unauthorized access to personal data, thereby upholding individuals' right to privacy in an increasingly digital world.

Surveillance and monitoring

Surveillance technologies and data collection methods also wield significant power, enhancing security measures and infringing individuals' privacy rights. As these technologies enable the gathering and analysis of vast amounts of personal data, ethical concerns emerge, raising questions about the ethical justification for such surveillance and the potential for misuse or abuse of collected information.

The widespread deployment of surveillance technologies, including CCTV cameras, facial recognition systems, and internet monitoring tools, can lead to a pervasive sense of surveillance and diminish individuals' expectations of privacy in both public and private spaces. Moreover, collecting personal data without consent or oversight raises concerns about the erosion of civil liberties and individual autonomy, as individuals may feel subjected to unwarranted scrutiny and surveillance by authorities or private entities.

Furthermore, the ethical implications of surveillance extend beyond mere data collection to encompass data retention, sharing, and potential misuse. The accumulation of vast troves of personal data raises concerns about data security and the risk of unauthorized access or data breaches, which can result in severe consequences such as identity theft or financial fraud. Additionally, the potential for misuse or abuse of surveillance data, whether by government agencies, corporate entities, or malicious actors, underscores the importance of establishing robust ethical frameworks and legal safeguards to govern personal information collection, storage, and use.

Cybersecurity resource allocation

Resource allocation presents one of the most significant ethical dilemmas in the field of cybersecurity. Organizations must decide how to allocate finite resources—such as time, budgetary allocations, and personnel—to a myriad of cybersecurity needs, from implementing security protocols to addressing vulnerabilities and responding to emerging threats. This necessitates ethical considerations regarding allocating resources to maximize the effectiveness of cybersecurity measures while also considering the broader interests and needs of stakeholders.

Furthermore, resource allocation's ethical challenges extend to usability and economic sustainability considerations. While bolstering cybersecurity measures is essential for safeguarding against cyber threats, overly restrictive security measures can negatively impact usability and productivity and potentially disrupt organizational operations and user experiences. What's more, investing heavily in cybersecurity initiatives may strain organizational budgets and resources, raising questions about the feasibility and sustainability of long-term security strategies.

Transparency and disclosure

Lastly, transparency and disclosure of security vulnerabilities are fundamental for empowering users to take proactive measures to safeguard their data and systems against potential threats. However, determining the appropriate extent and mode of disclosure poses ethical challenges, requiring careful consideration of the specific context and stakeholder interests.

Determining the appropriate extent of disclosure involves weighing the potential impact on affected parties, the severity of the vulnerability, and the likelihood of malicious actors exploiting it. In some cases, premature or incomplete disclosure may inadvertently expose users to greater risks, while delayed disclosure can impede efforts to address vulnerabilities.

Moreover, the mode of disclosure poses ethical dilemmas, as organizations must balance the need for transparency with concerns about causing panic or facilitating exploitation by adversaries. Effective communication strategies prioritizing clarity, accessibility, and user empowerment are essential for promoting transparency while minimizing potential negative consequences. By engaging in transparent and inclusive communication practices, cybersecurity professionals can foster trust and collaboration among stakeholders, enhancing the overall security posture of organizations and communities.

6 of 64

Cybersecurity vs. Cybercrime vs Cyber ethics

Cybersecurity defends systems and data from threats, while cybercrime involves illegal activities using technology, and cyberethics deals with the moral and legal implications of technology use

7 of 64

2.1 Privacy and Data Protection

Ethical Considerations in Data Collection

Informed Consent

Obtaining informed consent respects individuals autonomy and their right to control their personal data. Consent should be freely given.

7

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

8 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Collection

Purpose Limitation

Define the purpose for which data is collected and ensure that data usage remains aligned with that purpose.

8

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

9 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Collection

Data Minimization

Emphasizes the importance of collecting only the necessary data and avoiding intrusion into privacy.
Limits the potential of data breach and demonstrate respect for individuals privacy

9

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

10 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Collection

Profiling and Discrimination

This arises when data is used to create profiles or make decisions that can impact individuals lives.

10

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

11 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Storage and Security

Data Breaches

In the event of a data breach, organizations should uphold ethical principles such as transparency, accountability, and prompt notification to affected individuals.

11

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

12 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Storage and Security

Data Retention

Retaining the personal data in the appropriate length of time.
When data is no longer necessary for its intended purpose, organizations should ensure its secure and irreversible deletion.

12

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

13 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Sharing Agreements and Third Party Involvement

Data Sharing Agreements

It outlines the terms and conditions under which data is shared, establishing clear expectations, regarding data usage, security measures, and compliance with privacy regulations.

13

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

14 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Sharing Agreements and Third Party Involvement

Vendor Management

This arises when organizations engage third-party vendor who have access to personal data.
Organizations must ensure that the vendors adhere to the same privacy and security standard upheld by the organization.

14

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

15 of 64

2.1 Privacy and Data Collection

Ethical Considerations in Data Sharing Agreements and Third Party Involvement

Data Transfers

Ensures that appropriate safeguards are in place to protect the data when it is moved to jurisdictions with different privacy standards.

<Insert Image>

15

Reference: (Ethical Considerations in Data Privacy and Security, 2023 )

16 of 64

2.1.1 Case Study: Facebook-Cambridge Analytica Scandal

A controversy that exposed the misuse of personal data for political advertising. Cambridge Analytica (CA), a UK-based data analytics firm, obtained Facebook user data without consent and used it to infleunce political campaigns, including those of Ted Cruz, Donald Trump, and the LEave-EU Brexit Campaign.

16

Reference: (Case study: Facebook–Cambridge Analytica data breach scandal, 2022 )

17 of 64

2.1.1 Case Study: Facebook-Cambridge Analytica Scandal

The revelation led to:

A $100 billion drop in Facebook’s Market Value.
Investigation by the US Federal Trade Commission (FTC) and UK authorities.
Facebook CEO Mark Zuckerberg testifying before Congress.

17

Reference: (Case study: Facebook–Cambridge Analytica data breach scandal, 2022 )

18 of 64

2.1.1 Case Study: Facebook-Cambridge Analytica Scandal

Legal & Regulatory Impact

GDPR (General Data Protection Regulation) was implemented in May 2018
Companies mishandling data faced several fines up to 4% of global revenue.
CA’s reputation suffered, leading to its shutdown in May 2018.

18

Reference: (Case study: Facebook–Cambridge Analytica data breach scandal, 2022 )

19 of 64

2.2 Hacking and Ethical Boundaries

WHITE HAT

The “ethical hackers” or “good hackers. They use their capabilities to uncover security failings to help safeguard organizations from dangerous hackers.

BLACK HAT

The criminals who break intro computer networks with malicious intent.

GREY HAT

Often look for vulnerabilities in a system without the owner’s permission or knowledge. If issues are found, they report them to the owner, sometimes requesting a small fee to fix the problem

19

Reference: (Case study: Facebook–Cambridge Analytica data breach scandal, 2022 )

WHITE HAT

They exploit computer system or network to identify their security flaws so they can make recommendations for improvement.
They can sometimes be paid employees or contractors working for companies as security specialists who attempt to find gaps in security.

BLACK HAT

motivated by self-serving reasons, such as financial gain, revenge, or simply to spread havoc. Sometimes their motivation might be ideological, by targeting people they strongly disagree with.
May also release malware that destroys files, hold computers hostage or steal sensitive information.
Hacking can operate like big business, the scale of which makes it easy to distribute malicious software.

GREY HAT

Gray hat hackers may sometimes violate laws or usual ethical standards, but they do not have the malicious intent typical of a black hat hacker.
When a white hat hacker discovers a vulnerability, they will exploit it only with permission and not tell others about it until it has been fixed. In contrast, the black hat will illegally exploit it or tell others how to do so. The gray hat will neither illegally exploit it nor tell others how to do so.

20 of 64

2.2 Hacking and Ethical Boundaries

Responsible Disclosure

A process in which security researchers or ethical hackers discover vulnerabilities, weaknesses, or flaws in software, hardware, or systems and report them to the affected organization or vendor.

20

Reference: (Why You Need Responsible Disclosure and How to Get Started, n.d )

21 of 64

2.2 Hacking and Ethical Boundaries

Unauthorized Access

when a person who does not have permission to connect to or use a system gains entry in a manner unintended by the system owner.

21

Reference: (Unauthorized Access, n.d. )

22 of 64

2.2.1 Case Study: Ethical dilemmas in penetration testing

The tension between doing the right thing for the client company (the whole), and the right thing for its staff(the individual)
The tension between choosing a structured and carefully considered strategy (structured), over a strategy that was unstructured and contingent (unstructured)

22

Reference: (Ethical Dilemmas and Dimensions in Penetration Testing, n.d.

23 of 64

2.3 Government Surveillance and Citizen Rights

Balancing National Security and Individual Privacy

Government Surveillance Programs
Legal Frameworks and Privacy Laws
Technological Innovations and Privacy Challenges
Data Collection and Intelligence Gathering
International Cooperation and Security

23

Reference: (Balancing Privacy and Security in the Digital Age,n.d.)

Government Surveillance Programs-

After 9/11, laws like the USA Patriot Act expanded surveillance powers, allowing programs such as the NSA’s bulk phone metadata collection.
Supporters argue that these efforts are vital for identifying threats, while critics highlight privacy risks, potential abuses, and a chilling effect on free speech.
The Snowden revelations ignited debates on whether targeted surveillance, stronger oversight, and encryption would be more effective and privacy-conscious alternatives.

Legal Frameworks and Privacy Laws

Privacy rights are protected under laws like the U.S. Fourth Amendment, but national security surveillance operates under different legal standards, such as FISA and the Patriot Act
Critics argue existing laws are outdated and call for stronger transparency and restrictions on government data collection.

Technological Innovations and Privacy Challenges

AI and facial recognition, enhance intelligence gathering but also risk misuse. AI and facial recognition, enhance intelligence gathering but also risk misuse
Privacy-by-design principles, encryption, and public-private collaboration can help mitigate these risks, ensuring security tools align with ethical standards.

Data Collection and Intelligence Gathering

Governments use electronic surveillance to monitor threats, but bulk data collection raises concerns about privacy violations and potential errors in intelligence databases.
Advocates recommend shifting from mass data collection to more targeted investigations, increasing oversight, and enhancing public trust through transparency and clear regulations.

International Cooperation and Security

International agreements, such as the Wassenaar Arrangement, aim to establish ethical surveillance practices. The rise of privacy regulations like the EU’s GDPR reflects growing global concerns over balancing security with personal rights.

24 of 64

2.3.1 Case Study: Edward Snowden and Mass Surveillance

Who is Edward Snowden?

Former NSA contractor and CIA employee

Whistleblower who leaked classified documents in 2013

24

Reference: (Edward Snowden: the whistleblower behind the NSA surveillance revelations, 2013)

25 of 64

2.3.1 Case Study: Edward Snowden and Mass Surveillance

What Did Snowden Reveal?

U.S. government’s mass surveillance programs

NSA’s PRISM program, collecting data from tech companies

Global surveillance efforts involving allied intelligence agencies

25

Reference: (Edward Snowden: the whistleblower behind the NSA surveillance revelations, 2013)

Snowden’s leaks uncovered several surveillance programs run by the NSA (National Security Agency) which is a U.S. intelligence agency responsible for global monitoring, collection, and processing of information and data.
One of the most significant programs was PRISM, which involved collecting data from tech giants like Google, Facebook, and Microsoft without user consent.
He also revealed that the NSA was collecting bulk phone metadata from millions of Americans, including call logs and durations.
The leaks showed that mass surveillance wasn’t just happening in the U.S. but was part of a global effort, often in collaboration with allied intelligence agencies like the UK’s GCHQ (Government Communications Headquarters) which is an agency tasked with keeping the UK safe, providing signals intelligence, and protecting information.

26 of 64

2.3.1 Case Study: Edward Snowden and Mass Surveillance

Why Did Snowden Leak the Information?

Believed the public had the right to know about mass surveillance

Concern over privacy violations and government overreach

Advocated for greater transparency and accountability

26

Reference: (Edward Snowden: the whistleblower behind the NSA surveillance revelations, 2013)

27 of 64

2.3.1 Case Study: Edward Snowden and Mass Surveillance

Consequences of the Leaks

Sparked global debates on privacy vs. security

Led to legal reforms, including the USA FREEDOM Act (2015)

Strained U.S. diplomatic relations with other countries

27

Reference: (Edward Snowden: the whistleblower behind the NSA surveillance revelations, 2013)

28 of 64

2.4 AI Automation, and Bias in Cybersecurity

What is Algorithmic Discrimination?

Bias in AI systems that leads to unfair treatment of individuals or groups

Can occur in hiring, lending, policing, healthcare, and more

Often results from biased training data or flawed algorithms

28

Reference: (What is algorithmic bias?, 2024)

29 of 64

2.4 AI Automation, and Bias in Cybersecurity

Causes of Algorithmic Bias

Biased training data

Flawed algorithm design

Lack of diversity in AI development

Feedback loops

29

Reference: (What is algorithmic bias?, 2024)

Biased training data – If historical data reflects discrimination (e.g., past hiring records that favored men over women), AI will learn and continue that bias.
Flawed algorithm design – Developers’ choices, even if unintentional, can embed bias into AI models.
Lack of diversity in AI development – When AI teams lack diverse perspectives, blind spots in development can lead to biased outcomes.
Feedback loops – AI models can reinforce existing biases by repeatedly making the same flawed predictions, making discrimination worse over time.

Examples of Algorithmic Discrimination

Hiring algorithms – Some AI hiring tools have discriminated against women by favoring resumes with traditionally male names.
Facial recognition errors – Studies have shown higher error rates for people of color, leading to wrongful identifications in law enforcement.
Biased credit scoring – AI used by banks has disproportionately denied loans to minorities, reflecting historical financial inequalities.
Predictive policing – AI crime prediction tools have unfairly targeted marginalized communities, leading to over-policing in certain areas.

30 of 64

2.4.1 Case Study: AI-driven facial recognition and bias concerns

What is AI-Driven Facial Recognition?

Technology that identifies and verifies individuals using facial features

Used in law enforcement, security, marketing, and personal devices

Relies on machine learning models trained on large datasets

30

Reference: (Biased Technology: The Automated Discrimination of Facial Recognition, 2024)

31 of 64

2.4.2 Case Study: AI-driven facial recognition and bias concerns

Bias in Facial Recognition Systems

Higher error rates for certain racial and gender groups

Women are more likely to be misclassified than men

Bias stems from imbalanced training datasets that lack diversity

31

Reference: (Biased Technology: The Automated Discrimination of Facial Recognition, 2024)

32 of 64

2.4.1 Case Study: AI-driven facial recognition and bias concerns

Real-World Consequences of Bias

Wrongful arrests

Discrimination in security screening

Privacy violations

Reduced trust in AI

32

Reference: (Biased Technology: The Automated Discrimination of Facial Recognition, 2024)

33 of 64

2.5 Insider Threats and Whistleblowing

Ethical dilemmas in exposing security flaws in an organization

Loyalty vs. Ethical Responsibility

Employees face a moral conflict between staying loyal to their employer and exposing security flaws that could harm users or the public.

Whistleblowing can lead to retaliation, job loss, or even legal action, despite ethical intentions.

33

Reference: (Why We Must Balance Ethical and Legal Requirements in the Connected World, n.d.)

34 of 64

2.5.1 Case Study: Uber’s handling of its data breach

The 2016 Data Breach Incident

Hackers accessed personal data of 57 million users and drivers.
Uber paid hackers $100,000 to keep the breach secret instead of reporting it.

34

Reference: (Uber Breach Exposes the Data of 57 Million Drivers and Users, 2017)

35 of 64

2.5.1 Case Study: Uber’s handling of its data breach

Ethical and Security Lessons

The case highlights the dangers of prioritizing reputation over transparency.

Companies must have strong cybersecurity policies and ethical disclosure practices to protect users.

35

Reference: (Uber Breach Exposes the Data of 57 Million Drivers and Users, 2017)

36 of 64

3.5.1 Ethical Frameworks and Decision-Making

Utilitarianism vs. Deontology in Cybersecurity

Ethical Guidelines and Standards:

ACM Code of Ethics, ISO 27001, GDPR, NIST guidelines

Ethical Decision-Making Models:

A structured approach to resolving ethical dilemmas

36

37 of 64

3.1.1- Utilitarianism vs. Deontology in Cybersecurity

Utilitarianism

Utilitarianism is a consequentialist theory that focuses on maximizing overall happiness or well-being. In cybersecurity, this means making decisions based on outcomes that provide the greatest benefit to the majority.

37

Reference:

An Introduction to Cybersecurity Ethics

38 of 64

3.1.2- Utilitarianism vs. Deontology in Cybersecurity

Deontology

Deontology, rooted in duty-based ethics, emphasizes that actions must follow moral principles, regardless of consequences. In cybersecurity, this means adhering to strict ethical guidelines, even if breaking them could lead to better security outcomes.

38

Reference:

An Introduction to Cybersecurity Ethics

Deontology is a duty-based ethical theory, meaning that actions must follow moral principles regardless of the outcomes.

It was developed by Immanuel Kant, who believed in absolute moral duties, such as honesty and respect for human rights.

In cybersecurity, deontology emphasizes strict adherence to ethical guidelines and professional responsibilities. Unlike utilitarianism, deontology does not justify breaking ethical rules, even if it leads to better security outcomes.

Examples are

No Backdoors Policy: A company refuses to install a government-requested backdoor in its software because it violates user privacy, even if it could help law enforcement.

No Unauthorized Access: A penetration tester refuses to hack a system without proper consent, even if it’s for a good cause.

Deontology ensures ethical boundaries are never crossed, but it can sometimes conflict with security goals when strict rules limit potential solutions.

A balance between moral duty and practical security needs is crucial in cybersecurity decision-making.

39 of 64

3.1.3- Pros and Cons Utilitarianism

39

Reference:

An Introduction to Cybersecurity Ethics

PROS	CONS
Prioritize Overall Happiness	Ignores Individual Rights and Dignity
Promotes Collective Well Being	Overlooks Minority Voices
Justifies invasive security practices (e.g., surveillance) if they lead to greater public safety.	Can justify morally questionable actions (e.g., violating privacy rights for security gains).
Supports ethical hacking when it prevents large scale cyber threats.	Risk of sacrificing individual rights for collective safety.

Pros:

Prioritizes Overall Happiness – Decisions aim to protect the majority, ensuring greater security for most people.

Promotes Collective Well-being – Cybersecurity measures focus on public safety rather than individual interests.

Justifies Invasive Security Practices – Actions like surveillance or data monitoring are acceptable if they enhance security.

Supports Ethical Hacking – Penetration testing and other proactive security measures help prevent large-scale cyber threats.

Cons:

Ignores Individual Rights and Dignity – The rights of a few may be sacrificed for the greater good.

Overlooks Minority Voices – Small groups may not have their concerns prioritized.

Can Justify Morally Questionable Actions – Privacy violations and mass surveillance could be justified under this model.

Risk of Sacrificing Individual Rights – Balancing security and personal freedoms becomes challenging.

Utilitarianism justifies strong security measures but raises concerns about privacy and ethical boundaries.

40 of 64

3.1.4- Pros and Cons Deontology

40

Reference:

An Introduction to Cybersecurity Ethics

PROS	CONS
Respects Individual Rights	Ignores Consequences
Provides Clear Ethical Guidelines	Conflicting Duties
Builds Trust and Accountability	May Not Always Align with Business Interests
Encourages Compliance with Laws and Standards	Too Rigid in Real-World Scenarios
Protects the vulnerable	Slower Decision-Making
Clear decision-making

Pros:

Respects Individual Rights – Ensures cybersecurity policies do not violate personal freedoms.

Provides Clear Ethical Guidelines – Professionals have a structured approach to decision-making.

Builds Trust and Accountability – Organizations following strict ethical guidelines are more transparent and trustworthy.

Encourages Compliance with Laws and Standards – Aligns with legal frameworks like ISO 27001 and GDPR.

Protects the Vulnerable – Prevents ethical violations that could harm individuals.

Clear Decision-Making – Ethical duties provide a consistent framework for cybersecurity actions.

Cons:

Ignores Consequences – Following strict rules may not always lead to the best security outcomes.

Conflicting Duties – Ethical obligations may contradict each other in complex cybersecurity cases.

May Not Align with Business Interests – Strict ethical adherence can create conflicts in corporate settings.

Too Rigid in Real-World Scenarios – Cyber threats evolve, but deontology may not allow flexible responses.

Slower Decision-Making – Following a rigid ethical process can delay urgent cybersecurity actions.

Deontology ensures ethical integrity but can limit flexibility in addressing cybersecurity threats.

41 of 64

3.1.5- Utilitarianism vs. Deontology in Cybersecurity

Utilitarianism

Focuses on maximizing overall benefit, even if it means sacrificing individual rights.

Deontology

Focuses on strict moral rules and duties, regardless of consequences.

Neither approach is perfect. Utilitarianism justifies security measures that protect many, while Deontology ensures ethical limits aren’t crossed. A balanced approach is best in maximizing security while respecting ethical principles.

41

Reference:

An Introduction to Cybersecurity Ethics

42 of 64

3.2.1- Ethical Guidelines and Standards: (ACM Code of Ethics)

The ACM Code of Ethics and Professional Conduct

is a set of ethical principles for computing professionals, established by the Association for Computing Machinery (ACM). It provides guidelines for responsible decision-making in computing-related professions.

42

Reference: ACM

43 of 64

3.2.2- Ethical Guidelines and Standards: (ACM Code of Ethics)

1. General Ethical Principles (Public Interest)

Contribute to society and human well-being
Avoid harm (minimize risks in computing projects)
Be honest and trustworthy
Be fair and take action against discrimination
Respect privacy and confidentiality

2. Professional Responsibilities

Strive for high-quality work
Maintain professional competence (continuous learning)
Know and respect laws
Honor contracts and agreements
Give proper credit for work

43

Reference: ACM

1. The General Ethical Principles in the ACM Code of Ethics emphasizethe public interest and the responsibility of computing professionals to act ethically.

Contribute to Society and Human Well-being – Computing professionals should develop technology that benefits individuals and communities. Their work should prioritize positive societal impact.
Avoid Harm – It is essential to minimize risks in computing projects, ensuring security, privacy, and safety in digital systems.
Be Honest and Trustworthy – Ethical conduct requires honesty in communication, transparency in decisions, and reliability in professional interactions.
Be Fair and Take Action Against Discrimination – Professionals must uphold fairness, promote inclusivity, and address any discriminatory practices in the industry.
Respect Privacy and Confidentiality – Protecting sensitive data and ensuring user privacy are critical aspects of responsible computing.

2. The Professional Responsibilities outlined in the ACM Code of Ethics emphasize the importance of integrity, competence, and accountability in the computing profession.

Strive for High-Quality Work – Computing professionals must ensure that their work meets high standards of quality, reliability, and security.
Maintain Professional Competence – Continuous learning and skill development are essential to stay updated with emerging technologies, industry trends, and ethical challenges.
Know and Respect Laws – Professionals should understand and comply with relevant laws, regulations, and policies governing technology and cybersecurity.
Honor Contracts and Agreements – Ethical computing requires honoring commitments, fulfilling obligations, and maintaining transparency in professional relationships.
Give Proper Credit for Work – Acknowledging contributions, citing sources, and avoiding plagiarism are fundamental to ethical practice.

44 of 64

3.2.3- Ethical Guidelines and Standards: (ACM Code of Ethics)

3. Professional Leadership Principles

Ensure computing benefits all people
Support social responsibility
Promote ethical decision-making within organizations
Encourage responsible technology development

4. Compliance with the Code

Uphold and promote the principles
Take action against ethical violations

44

Reference: ACM

3. The Professional Leadership Principles in the ACM Code of Ethics emphasize the role of computing professionals in shaping ethical and socially responsible technology practices.

Ensure Computing Benefits All People – Technology should be designed and implemented to serve society equitably, avoiding harm or exclusion.
Support Social Responsibility – Professionals must advocate for the ethical use of technology and consider the broader impact of computing on communities.
Promote Ethical Decision-Making Within Organizations – Leaders should encourage a culture of integrity, ensuring that ethical considerations are embedded in business and technical decisions.
Encourage Responsible Technology Development – Computing professionals should prioritize safety, security, and long-term sustainability when designing and deploying new technologies.

4.The Compliance with the Code section of the ACM Code of Ethics reinforces the responsibility of computing professionals to uphold ethical standards in their work.

Uphold and Promote the Principles – Professionals should actively follow and advocate for ethical practices, ensuring that ethical considerations guide their decisions.
Take Action Against Ethical Violations – When encountering unethical behavior, individuals should address it appropriately, whether through reporting, education, or corrective actions.

By committing to compliance, computing professionals help maintain trust, accountability, and integrity within the industry.

45 of 64

3.2.4- Ethical Guidelines and Standards: (ISO 27001)

ISO/IEC 27001

is an international standard for managing information security risks through a structured Information Security Management System (ISMS). It ensures confidentiality, integrity, and availability (CIA) of information by implementing security controls.

45

Reference: ISO

46 of 64

3.2.5- Ethical Guidelines and Standards: (GDPR)

GDPR (General Data Protection Regulation)

is a European Union (EU) data protection law that governs how organizations collect, store, and process personal data. It ensures privacy, transparency, and user control over personal information.

46

Reference: GDPR

GDPR is a European Union (EU) data protection law that sets strict guidelines on how organizations handle personal data.

Purpose – Ensures individuals have control over their personal information while promoting transparency and accountability in data processing.
Key Principles – Includes lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality.
User Rights – Grants individuals rights such as access, rectification, erasure (right to be forgotten), and data portability.
Compliance Requirements – Organizations must obtain clear consent, ensure secure data processing, and notify authorities in case of data breaches.
Penalties – Non-compliance can result in fines of up to €20 million or 4% of annual global turnover, whichever is higher.

GDPR strengthens data privacy and security, ensuring organizations handle personal data responsibly while giving individuals greater control over their information.

47 of 64

3.2.6- Ethical Guidelines and Standards: (GDPR)

Lawfulness, Fairness, and Transparency

Data must be processed legally and openly.

Purpose Limitation

Data collected for specific, legitimate purposes.

Data Minimization

Only necessary data should be collected.

Storage Limitation

Data should not be kept longer than needed.

Integrity and Confidentiality

Protect data against unauthorized access and breaches.

Accountability

Organizations must comply and demonstrate compliance.

Accuracy

Personal data must be kept up to date.

47

Reference: GDPR

GDPR is built on several key principles that ensure responsible data handling:

Lawfulness, Fairness, and Transparency – Organizations must process personal data legally, fairly, and in a way that is clear to individuals.
Purpose Limitation – Data should only be collected for specific, legitimate purposes and not used beyond its intended scope.
Data Minimization – Only necessary data should be collected to reduce risks and protect user privacy.
Storage Limitation – Data should not be retained longer than necessary and must be securely deleted when no longer needed.
Integrity and Confidentiality – Organizations must implement security measures to protect data from unauthorized access, breaches, or misuse.
Accuracy – Personal data must be kept up to date, and incorrect information should be corrected or deleted promptly.
Accountability – Organizations are responsible for GDPR compliance and must demonstrate their adherence through policies, documentation, and audits.

By following these principles, organizations can ensure responsible data processing and protect individuals’ privacy rights.

48 of 64

3.2.7- Ethical Guidelines and Standards: (GDPR)

User Rights Under GDPR

Right to Access – Users can request their data.
Right to Rectification – Users can correct inaccurate data.
Right to Erasure ("Right to be Forgotten") – Users can request data deletion.
Right to Data Portability – Users can transfer their data to another service.
Right to Object – Users can object to data processing.

48

Reference: GDPR

GDPR grants individuals several rights to control their personal data:

Right to Access – Users have the right to request and receive a copy of their personal data held by an organization.
Right to Rectification – If data is inaccurate or incomplete, users can request corrections to ensure accuracy.
Right to Erasure ("Right to be Forgotten") – Users can request the deletion of their personal data when it is no longer needed or if they withdraw consent.
Right to Data Portability – Individuals can request their data in a portable format and transfer it to another service provider.
Right to Object – Users can object to their data being used for marketing, profiling, or certain processing activities.

These rights empower individuals, ensuring transparency and control over their personal information while holding organizations accountable for responsible data handling.

49 of 64

3.2.8- Ethical Guidelines and Standards: (NIST)

The National Institute of Standards and Technology (NIST)

Provides cybersecurity frameworks and guidelines to help organizations manage risks and protect information systems.

49

Reference: NIST

The National Institute of Standards and Technology (NIST) is a U.S. government agency that provides cybersecurity frameworks and guidelines to help organizations protect their information systems.

Purpose – NIST develops best practices to help organizations identify, assess, and manage cybersecurity risks effectively.
NIST Cybersecurity Framework (CSF) – A widely used framework that includes five core functions: Identify, Protect, Detect, Respond, and Recover.
Guidance for Compliance – Helps organizations align with cybersecurity standards like ISO 27001, GDPR, and other regulatory requirements.
Continuous Improvement – Encourages organizations to regularly assess and update their security measures to address emerging threats.

By following NIST guidelines, organizations can strengthen their security posture, minimize risks, and enhance resilience against cyber threats.

50 of 64

3.2.9- Ethical Guidelines and Standards: (NIST)

1. NIST Cybersecurity Framework (CSF)

Identify – Understand assets, risks, and business context.
Protect – Implement safeguards (e.g., access controls, encryption).
Detect – Monitor for security threats and incidents.
Respond – Take action against detected incidents.
Recover – Restore systems and ensure resilience.

2. NIST Special Publication (SP) 800 Series

SP 800-53 – Security controls for federal information systems.
SP 800-171 – Protecting controlled unclassified information (CUI).
SP 800-61 – Incident response best practices.

3. NIST Privacy Framework

Helps organizations manage privacy risks and ensure data protection.

50

Reference: NIST

1. The NIST Cybersecurity Framework (CSF) provides a structured approach to managing cybersecurity risks. It consists of five core functions:

Identify – Organizations must understand their assets, risks, and business context to prioritize security efforts.
Protect – Implement safeguards such as access controls, encryption, and security policies to minimize risks.
Detect – Continuously monitor for security threats and incidents to ensure quick detection of vulnerabilities.
Respond – Take immediate action when a threat is detected, including containment, investigation, and mitigation.
Recover – Restore affected systems and operations while ensuring long-term resilience.

2. The NIST Special Publication (SP) 800 Series provides detailed cybersecurity guidelines and best practices for organizations. Key publications include:

SP 800-53 – Establishes security controls for U.S. federal information systems, covering risk management, access control, and encryption.
SP 800-171 – Focuses on protecting controlled unclassified information (CUI) in non-federal systems, often used by contractors and third-party vendors.
SP 800-61 – Provides incident response best practices, helping organizations prepare for, detect, and recover from cyberattacks.

3. The NIST Privacy Framework is a structured approach that helps organizations identify, assess, and manage privacy risks while ensuring the protection of personal data. Designed to complement cybersecurity frameworks, it enables organizations to balance data protection with innovation and operational needs.

By following the NIST Privacy Framework, organizations can strengthen data privacy, improve regulatory compliance, and protect user rights effectively.

51 of 64

3.3- Ethical Decision-Making Models

Ethical Decision-Making Models

A structured approach ensures cybersecurity professionals make ethical, fair, and well-reasoned decisions when facing dilemmas.

51

Reference:

Ethical Decision Making

52 of 64

3.3.2- Ethical Decision-Making Models

1. Define the Ethical Problem

Clearly identify the issue and who is affected (users, company, public, etc.).

2. Gather Relevant Information

Collect facts, laws, policies, and security risks. Identify ethical guidelines (ACM Code of Ethics, ISO 27001, company policies).

52

Reference:

Ethical Decision Making

53 of 64

3.3.3- Ethical Decision-Making Models

3. Identify Stakeholders

List all individuals and groups impacted by the decision(employees, customers, government, etc.).

4. Consider Ethical Models

Analyze the situation using Utilitarianism, Deontology, and Virtue Ethics.

53

Reference:

Ethical Decision Making

54 of 64

3.3.4- Ethical Decision-Making Models

5. Explore Possible Solutions

List alternative actions and weigh their consequences(e.g., disclose the vulnerability, delay disclosure, report anonymously).

6. Make a Decision & Justify It

Choose the best solution that balances security, ethics, and business needs.

54

Reference:

Ethical Decision Making

55 of 64

3.3.5- Ethical Decision-Making Models

7. Take Action & Monitor Outcomes

Implement the decision and track its impact.

8. Reflect & Document the Process

Learn from the case and record findings for future guidance.

55

Reference:

Ethical Decision Making

56 of 64

4- Case Study and Group Discussion

Ethical Dilemma: Insider Threats

A security analyst finds a major vulnerability in their company’s system but is pressured to keep quiet.

56

57 of 64

4- Case Study and Group Discussion

Ethical Dilemma: Insider Threats

Q: What should the analyst do?

A: The analyst should report the vulnerability through the proper internal channels, such as their immediate supervisor, or the IT security team.

57

Reference:

How NIS2 Will Impact You and Your Organization

58 of 64

4- Case Study and Group Discussion

Ethical Dilemma: Insider Threats

Q: What ethical principles apply?

A: The analyst has an ethical responsibility to ensure that the vulnerability is addressed to protect public safety and organizational integrity.

58

Reference:

ISC2 Code of Ethics

59 of 64

4- Case Study and Group Discussion

Ethical Dilemma: Government Backdoor

A government agency requests a cybersecurity firm to install backdoors for surveillance.

59

60 of 64

4- Case Study and Group Discussion

Ethical Dilemma: Government Backdoor

Q: Should the firm comply?

A: the firm should assess the legality of the request, consider ethical implications like privacy and trust, consult with legal and ethics experts, and advocate for transparency where possible.

60

Reference: Backdoor

Key Points for Response:

Assess the Legality:�

"The first step is to evaluate if the request is legal under national and international privacy laws. Compliance with data protection regulations is crucial."

Consider Ethical Implications:�

"The firm must weigh the ethical concerns, such as the potential risk to user privacy, trust, and the possibility of the backdoor being misused."
"This aligns with the (ISC)² Code of Ethics, which emphasizes protecting society, acting honorably, and safeguarding the infrastructure."

Consult Experts:�

"It’s essential to seek guidance from legal and ethical experts to fully understand the consequences and responsibilities involved."

Advocate for Transparency:�

"Where possible, the firm should advocate for transparency to ensure accountability and maintain public trust."

61 of 64

4- Case Study and Group Discussion

Ethical Dilemma: Government Backdoor

Q: What are the ethical and legal consequences?

A: Ethical consequences include losing people’s trust, risking misuse, and conflicting with professional standards, while legal consequences could involve privacy law violations and liability for misuse.

61

Reference: Backdoor

62 of 64

5- Best Practices and Conclusion (expound sub-topics below)

How to Promote Ethical Cybersecurity Practices:

Transparent policies, training, and accountability
Ethical hacking programs and responsible disclosure policies

<Insert Image>

62

Reference: (Title, Year)

* Hyperlink the source

63 of 64

Introduction to Cybersecurity Ethics (expound sub-topics below)

Definition of Ethics in Cybersecurity
Why Cybersecurity Ethics Matter

Trust and integrity in digital systems
The impact of ethical failures (e.g., data breaches, misinformation, surveillance abuse)

Cybersecurity vs. Cybercrime vs. Cyberethics

<Insert Image>

63

Reference: (Title, Year)

* Hyperlink the source

1 of 64

2 of 64

3 of 64

4 of 64

5 of 64

6 of 64

7 of 64

8 of 64

9 of 64

10 of 64

11 of 64

12 of 64

13 of 64

14 of 64

15 of 64

16 of 64

17 of 64

18 of 64

19 of 64

20 of 64

21 of 64

22 of 64

23 of 64

24 of 64

25 of 64

26 of 64

27 of 64

28 of 64

29 of 64

30 of 64

31 of 64

32 of 64

33 of 64

34 of 64

35 of 64

36 of 64

37 of 64

38 of 64

39 of 64

40 of 64

41 of 64

42 of 64

43 of 64

44 of 64

45 of 64

46 of 64

47 of 64

48 of 64

49 of 64

50 of 64

51 of 64

52 of 64

53 of 64

54 of 64

55 of 64

56 of 64

57 of 64

58 of 64

59 of 64

60 of 64

61 of 64

62 of 64

63 of 64

64 of 64