Ethica Issues Related to Cybersecurity of an Organisation

Australia's Cyber security strategy sets out the Australian Government's philosophy for advancing and protecting the interests of Australian individuals, businesses, and government in an online environment. Broadly speaking, the cyber security responsibility of an organization is to assure confidentiality, integrity, and availability of digital information within the organization. Australia's Cyber Security Strategy encourages businesses to better 'educate and empower employees to use sound practices online.' This is one of the key cyber-security responsibilities of an organization, which includes promoting institutional cyberculture and raising awareness of the cyber practice. Businesses also need to ensure their cyber security practices are at the very least 'robust and up to date,' because as people and systems become increasingly interconnected, the amount of valuable information stored online has increased. This corresponds to the increase in efforts to steal and exploit that information, which threatens the economy, individual and organizational privacy, and safety.

The lack of a global authority which has established and will oversee a set of ethical standards means that organizations have an individual responsibility to either hold their organizational members to account to a specified code of ethics or adopt an existing set of guidelines from another organization, such as the Information Systems Security Association (ISSA). This is partly due to the 'slippery slope' concept. This concept is important to address, particularly in the IT security department of an organization as they typically have the most jurisdiction and involvement with cyber security decisions of any non-executive employee in an organization. because although there are a lot of questions around what an appropriate ethical response should be, this is a question that each IT security professional employee must answer themselves, in the situational context. This is because most ethical issues that these professionals will confront have not yet been codified into law, and there is no existing body which has established and will oversee a detailed code of ethics. Digital technologies have enormous amounts of potential, however, their potential depends on the extent of trust an organization can have in the internet and cyberspace. Without an appropriate strategy, the organization is open to ethical and financial compromise.

The primary ethical issues within cybersecurity which organizations face and need to address include; Incident response, encryption issues, roles and responsibilities of individual employees and departments, threats to privacy and property, cyberspace resource allocation, and transparency and disclosure. In terms of incident response, organizations need to have a process which managers are required to follow as to how, when, and where they need to have conversations with employees to inform them of breaches in cyber security. They also need to address to what extent should incident investigations be carried out to, and what level of importance is placed on the employee's privacy in comparison to the organization's responsibility to identify and address the nature of the breach. Within the corporate sphere, many of the methods implemented will provoke ethical questions - largely again this is because of the lack of universal, mandatory governing bodies. Cyber security professionals, in whatever capacity they are employed, need to consider ethics when utilizing or implementing any security solution involving administrative access to other employees' personal information. As addressed in Australia's Cyber Security Strategy's encouragement for education and empowerment of employees, this reinforces how important it is for people employed in this profession to have a comprehensive understanding of all cyber-related ethics issues. For organizations, in particular, healthcare organizations due to the sensitive health information involved, it is important to monitor that their cybersecurity professionals are consistently employing these practices as a part of their working behavior. IT cyber security professionals could also play a role in helping organizations to be ethical from the ground up, by being involved in the vetting of potential employees. This would help to reinforce an ethical culture, and ensure new employees immediately embrace ethical practices. The organization is also responsible for determining the extent to which the company holds Cyber-security professionals, the IT department, management, and executives responsible when a cyber breach occurs. The organization should comply with the principle of least privilege, which requires that each abstraction layer of the online environment must only allow each module to access only the information and resources necessary to its legitimate purpose. As the Snowden disclosures demonstrate, often the most damaging risk to the government or business online security is not ‘malware’ but ‘warmware’; the ability of a trusted insider to cause massive disruption to a network or to use legitimate access to obtain classified material and then illegally disclose it.