Whereas most months we revise and reissue NoticeBored security awareness modules on topics we've covered before, this month we've written a completely new one on ethics and morality in information security. To be fair, it's something we have touched on several times, but it seemed appropriate to go into a bit more depth for once.
Ethical people, and indeed organizations, act in accordance with principles of conduct that are generally considered correct, appropriate or proper. In respect of information security, ethical behavior reinforces procedural controls. Unethical people who disregard the principles and ignore procedures weaken security, just as a rusty door bolt can jeopardize physical security. However, there is more to ethics than mere compliance. We all face ethical decisions and dilemmas from time to time, situations in which our internal values and beliefs guide our actions as much as external pressures do.
The NoticeBored newsletter explores the risks around ethics and sets the scene for the remainder of the awareness module. The module covers aspects such as:
- Responsible disclosure of security vulnerabilities
- Cheating and hacking
- Management responsibilities to set the right ethical tone at the top
- Employee responsibilities to uphold ethical principles
- Whistleblowing on unethical practices
- The slippery slope from entirely ethical to entirely unethical behaviors.