Balancing Policies, Principles, and Philosophy in Information Assurance

Laws, codes, and rules are essential for any community and society, public or private, to operate in an orderly and productive manner. Without laws and codes, anarchy and chaos abound and the purpose and role of the organization is lost. However, there is a potential for serious long-term problems when individuals or organizations become so focused on rules, laws, and policies that basic principles are ignored. We discuss the purpose of laws, rules, and codes, how these can be helpful to, but not substitute for, an understanding of basic principles of ethics and integrity. We also examine how such an understanding can increase in the level of ethical and moral behavior without imposing increasingly detailed rules.

Privacy and Public Access in the Light of E-Government

This chapter addresses the competing interests of privacy versus public access to information. The chapter explores the collective and individual value of privacy and public access in a manner that considers information at the macrosocial and macroethical level. By using Sweden as a case study, we exemplify the classic and irresolvable tension between issues of information availability and confidentiality, integrity, and privacy. Given that privacy and public access interests will constantly need to be rebalanced, we present the views of government officials due to their unique role in implementing this balance. We conclude with an analysis of the reasonableness of this conduct.

Peer-to-Peer Networks

Peer-to-peer networks are one of the main sources of Internet traffic, and yet remain very controversial. On the one hand, they have a number of extremely beneficial uses, such as open source software distribution, and censorship resilience. On the other hand, peer-to-peer networks pose considerable ethical and legal challenges, for instance allowing exchanges of large volumes of copyrighted materials. This chapter argues that the ethical quandaries posed by peer-to-peer networks are rooted in a conflicting set of incentives among several entities ranging from end-users to consumer electronics manufacturers. The discussion then turns to the legal, economic, and technological remedies that have been proposed, and the difficulties faced in applying them. The last part of the chapter expands the scope of ethical issues linked to peer-to-peer networks, and examines whether existing laws and technology can mitigate new threats such as inadvertent confidential information leaks in peer-to-peer networks.

Ethics, Privacy, and the Future of Genetic Information in Healthcare Information Assurance and Security

The risks associated with the misuse and abuse of genetic information are high, as the exploitation of an individual’s genetic information represents the ultimate example of identity theft. Hence, as the frontline of defense, information assurance and security (IAS) practitioners must be intimately familiar with the multidimensional aspects surrounding the use of genetic information in healthcare. To achieve that aim, this chapter addresses the ethical, privacy, economic, and legal aspects of the future uses of genetic information in healthcare and discusses the impact of these uses on IAS. The reader gains an effective ethical framework in which to understand and evaluate the competing demands placed upon the IAS practitioners by the transformative utility of genomics.

Social/Ethical Issues in Predictive Insider Threat Monitoring

Combining traditionally monitored cybersecurity data with other kinds of organizational data is one option for inferring the motivations of individuals, which may in turn allow early prediction and mitigation of insider threats. While unproven, some researchers believe that this combination of data may yield better results than either cybersecurity or organizational data would in isolation. However, this nontraditional approach yields inevitable conflicts between security interests of the organization and privacy interests of individuals. There are many facets to debate. Should warning signs of a potential malicious insider be addressed before a malicious event has occurred to prevent harm to the organization and discourage the insider from violating the organization’s rules? Would intervention violate employee trust or legal guidelines? What about the possibilities of misuse? Predictive approaches cannot be validated a priori; false accusations may harm the career of the accused; and collection/monitoring of certain types of data may adversely affect employee morale. In this chapter, we explore some of the social and ethical issues stemming from predictive insider threat monitoring and discuss ways that a predictive modeling approach brings to the forefront social and ethical issues that should be considered and resolved by stakeholders and communities of interest.

On the Importance of Framing

Forces have converged to produce stunning new technologies and the Information Age. As a result, we experience unanticipated consequences. Among the implications of this transition are a variety of ethical predicaments. This chapter introduces a process of conceptual framing. We classify this work as the inspection and consideration of our conceptual frameworks. We move from doubt about our current frameworks toward better ones. The way to make this transition is to render beliefs into ideas and then compare those ideas. Nevertheless, there is always an imperfect alignment of ideas with lived reality, so we must avoid dogmatic closure. The ethics predicaments we face are in actuality an ill-defined “mess” of multiple problems, the solutions to which affect one another. In response, we consider the processes of design for the future in the face of such ill-defined ethics problems.

Behavioral Advertising Ethics

Behavioral advertising is a method for targeting advertisements to individuals based on behavior profiles, which are created by tracking user behavior over a period of time. Individually targeted advertising can significantly improve the effectiveness of advertising. However, behavioral advertising may have serious implications for civil liberties such as privacy. In this chapter, we describe behavioral advertising ethics within the context of technological development, political and legal concerns, and traditional advertising practices. First, we discuss the developmental background of behavioral advertising technologies, focusing on web-based technologies and deep packet inspection. Then, we consider the ethical implications with a primary focus on privacy of behavioral advertising technologies. Next, we overview traditional market research approaches taken to advertising ethics. Following that, we discuss the legal ethics of behavioral advertising. Finally, we summarize these cross-disciplinary concerns and provide some discussion on points of interest for future research.

International Ethical Attitudes and Behaviors

Organizational information security policy must incorporate organizational, societal, and individual level factors. For organizations that operate across national borders, cultural differences in these factors, particularly the ethical attitudes and behaviors of individuals, will impact the effectiveness of these policies. This research looks at the differences in attitudes and behaviors that exist among five different countries and the implications of similarities and differences in these attitudes for organizations formulating information security policies. Building on existing ethical frameworks, we developed a set of ethics scenarios concerning data access, data manipulation, software use, programming abuse, and hardware use. Using survey results from 599 students in five countries, results show that cultural factors are indicative of the differences we expected, but that the similarities and differences among cultures that should be taken into account are complex. We conclude with implications for how organizational policy makers should account for these effects with some specific examples based on our results.

Data Breach Disclosure

As information technology has become more ubiquitous and pervasive, assurance and security concerns have escalated; in response, we have seen noticeable growth in public policy aimed at bolstering cybertrust. With this growth in public policy, questions regarding the effectiveness of these policies arise. This chapter focuses on policy analysis of the state data breach disclosure laws recently enacted in the United States. The state data breach disclosure laws were chosen for policy analysis for three reasons: the rapid policy growth (the United States have enacted 45 state laws in 6 years); this is the first instantiation of informational regulation for information security; and the importance of these laws to identity theft and privacy. The chapter begins with a brief history in order to provide context. Then, this chapter examines the way in which historical, political and institutional factors have shaped our current data breach disclosure policies, focusing on discovering how patterns of interaction influenced the legislative outcomes we see today. Finally, this chapter considers: action that may result from these policies; the action type(s) being targeted; alternatives that are being considered, and; potential outcomes of the existing and proposed alternative policies.