IT C182 – Unit 8 – Ethics

  • Define computer security, ethics, and privacy.
  • Identify the role of organizational culture in ethics.
  • Identify the role of government regulations in ethics.
  • Discuss the role of professional associations and ethics standards in the IT profession.

Questions about the impact of IT are widespread and ever-present. With the release of new technologies and applications, more questions arise than can be answered or agreed on. Computing professionals and organizations must continuously consider their ethical and regulatory obligations; security, ownership, and liability; and social impact.

In this section, you will explore some of the legal and ethical questions triggered by the use of technology, the societal and legal context in which the IT professional works, and the role of the professional organizations and societies in educating these professionals. You will familiarize yourself with several codes of conduct professionals abide by when developing and working with computing systems.


Ethics, Law, and Regulation of Information Technology

As Mei maintains multiple database applications in her medical office, she works with patient data, including name, age, address, and health condition. She also works with similar information about other employees. As the database administrator, Mei implements strong password policies. Mei has used multiple filters to prohibit access to certain websites, according to the Acceptable Use Policy. To monitor and secure the equipment, she installed cameras and card access to select rooms.

Mei takes courses on security and privacy to stay current with developments. It is her responsibility and professional commitment to make the IT infrastructure in her office as secure as possible given the IT budget her office has established.

Technology and Ethics

Questions about the impact of information technology are widespread and ever-present. With the release of new technologies and applications, more questions arise than we can answer or agree on.

  • Does information technology make society better or worse?
  • Is it acceptable to participate in a technical society without making an effort to understand information technology?
  • Do people who determine how technology will be supported or used have an obligation to understand technology?
  • To what extent should governments regulate information technology?
  • How do our decisions regarding technology affect future generations?
  • How should we change education to align with our ever-evolving technological society?
  • How can knowledge of an individual’s activities tracked through technology be appropriately used while simultaneously ensuring it is not abused?

Consider having a discussion with a friend or colleague about one or more of these questions. Do you and your colleague agree? What other questions emerged from your discussion?

Everyday computing has evolved rapidly, leading to both regulatory and social changes. Many computing laws are based on previous mindsets and physical considerations. Such laws fail to take into consideration the unique features of computing. For example, data has three primary stages: data at rest, data in transit, and data in use. When a crime occurs involving data, which country has the right to press charges—where the data was temporarily stored (data in use), where the server is located (data at rest), or the many locations the data passed through (data in transit)?

Advances in computing also affect ethics, challenging the traditional principles on which social behaviors are based. For example, do new applications represent new freedoms or new controls?

The difference between ethics and regulations is important when considering everyday computing. Regulations are requirements set by governing bodies and can result in penalties, fines, or even criminal charges. Alternatively, ethics are the morals that individuals and organizations abide by. For example, the ethics a person lives by determine whether that person takes lost money to its owner or puts it in their pocket. On the other hand, stealing money from a person’s pocket is illegal, or against the regulations, rather than against a person’s ethics.

Computing professionals and organizations must continuously consider their ethical and regulatory obligations; security, ownership, and liability; and social impact.

Ethics and Information Technology

Philosophers have taken many different approaches to ethics in their search for fundamental theories and principles to guide decisions and behaviors. Character-based ethics (also known as virtue ethics) argues that good behavior is not the result of applying identifiable rules (regulations), but is instead a natural consequence of good character. Other theories of ethics, such as consequence-based, duty-based, and contract-based, suggest that ethical dilemmas are resolved by considering consequences, duties, and contracts.

Character-based ethics is usually what is presented and discussed with professionals. Rather than reviewing specific ethical theories, they review case studies leading to a variety of ethical questions related to the professional’s area of expertise. Discussing these case studies helps professionals become more aware of ethical issues.

Reflect on an ethical dilemma you faced while using technology. What did you consider to arrive at your conclusion?


Codes of Professional Conduct and Professional Organizations

Do computer professionals have moral responsibilities? If so, what are they? Who is to blame when computer software failure causes harm? Is computer hacking immoral? Is it immoral to make unauthorized copies of software? Are you familiar with standards that already exist to govern ethics in IT? Consider making a list of the ethical principles an IT professional should follow. How does your list of ethical principles compare to the Ten Commandments of Computer Ethics listed below?

Ten Commandments of Computer Ethics

Many ethical standards are already widely accepted throughout the world. One of the most notable is the Ten Commandments of Computer Ethics, dating to the early 1950s.

Computer Ethics Institute
Ten Commandments of Computer Ethics
  1. Thou shalt not use a computer to harm other people.
  2. Thou shalt not interfere with other people’s computer work.
  3. Thou shalt not snoop around in other people’s computer files.
  4. Thou shalt not use a computer to steal.
  5. Thou shalt not use a computer to bear false witness.
  6. Thou shalt not copy or use proprietary software for which you have not paid (without permission).
  7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
  8. Thou shalt not appropriate other people’s intellectual output.
  9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
  10. Thou shalt always use a computer in ways that ensure consideration and respect for other humans.
Source: The Ten Commandments of Computer Ethics

Asimov’s Three Laws of Robotics

Laws of robotics are a set of laws, rules, or principles intended as a fundamental framework to underpin the behavior of robots designed to have a degree of autonomy. Robots with a high degree of complexity do not yet exist, but they have been widely anticipated in science fiction and films and are a topic of active research and development in the fields of robotics and artificial intelligence. The best-known laws are those written by Isaac Asimov in the 1940s, or laws based on them, but other sets of laws have been proposed by researchers in the decades since then.

Asimov’s Three Laws of Robotics
  1. A robot may not injure a human being or, through inaction, allow a human being to come to harm.
  2. A robot must obey orders given it by human beings except where such orders would conflict with the First Law.
  3. A robot must protect its own existence as long as such protection does not conflict with the First or Second Law.
Source: Asimov’s Three Laws of Robotics

Science fiction? Yes, but take a look at the 2011 set of five ethical “principles for designers, builders and users of robots” from the Engineering and Physical Sciences Research Council (EPSRC) and the Arts and Humanities Research Council (AHRC) of Great Britain:

  • Robots should not be designed solely or primarily to kill or harm humans.
  • Humans, not robots, are responsible agents. Robots are tools designed to achieve human goals.
  • Robots should be designed in ways that assure their safety and security.
  • Robots are artifacts; they should not be designed to exploit vulnerable users by evoking an emotional response or dependency. It should always be possible to tell a robot from a human.
  • It should always be possible to find out who is legally responsible for a robot.

Codes of Ethics and Professional Conduct

Rule-based, ethical standards have been published by multiple professional organizations, including the Association for Computing Machinery (ACM), the Institute of Electrical and Electronics Engineers (IEEE), the American Statistical Association (ASA), and the Association of Information Technology Professionals (AITP).

Compare the ethical standards of these organizations to your list and to each other. What similarities and differences do you see?

Institute of Electrical and Electronics Engineers
Code of Ethics
We, the members of the IEEE, in recognition of the importance of our technologies in affecting the quality of life throughout the world, and in accepting a personal obligation to our profession, its members, and the communities we serve, do hereby commit ourselves to the highest ethical and professional conduct and agree:
  • to hold paramount the safety, health, and welfare of the public, to strive to comply with ethical design and sustainable development practices, and to disclose promptly factors that might endanger the public or the environment;
  • to avoid real or perceived conflicts of interest whenever possible, and to disclose them to affected parties when they do exist;
  • to be honest and realistic in stating claims or estimates based on available data;
  • to reject bribery in all its forms;
  • to improve the understanding by individuals and society of the capabilities and societal implications of conventional and emerging technologies, including intelligent systems;
  • to maintain and improve our technical competence and to undertake technological tasks for others only if qualified by training or experience, or after full disclosure of pertinent limitations;
  • to seek, accept, and offer honest criticism of technical work, to acknowledge and correct errors, and to credit properly the contributions of others;
  • to treat fairly all persons and to not engage in acts of discrimination based on race, religion, gender, disability, age, national origin, sexual orientation, gender identity, or gender expression;
  • to avoid injuring others, their property, reputation, or employment by false or malicious action;
  • to assist colleagues and co-workers in their professional development and to support them in following this code of ethics.
Source: IEEE Code of Ethics and Professional Conduct

Association for Computing Machinery
Code of Ethics
Software Engineering Code of Ethics and Professional Practice
Software engineers shall commit themselves to making the analysis, specification, design, development, testing and maintenance of software a beneficial and respected profession. In accordance with their commitment to the health, safety and welfare of the public, software engineers shall adhere to the following Eight Principles:
  • PUBLIC – Software engineers shall act consistently with the public interest.
  • CLIENT AND EMPLOYER – Software engineers shall act in a manner that is in the best interests of their client and employer consistent with the public interest.
  • PRODUCT – Software engineers shall ensure that their products and related modifications meet the highest professional standards possible.
  • JUDGMENT – Software engineers shall maintain integrity and independence in their professional judgment.
  • MANAGEMENT – Software engineering managers and leaders shall subscribe to and promote an ethical approach to the management of software development and maintenance.
  • PROFESSION – Software engineers shall advance the integrity and reputation of the profession consistent with the public interest.
  • COLLEAGUES – Software engineers shall be fair to and supportive of their colleagues.
  • SELF – Software engineers shall participate in lifelong learning regarding the practice of their profession and shall promote an ethical approach to the practice of the profession.
Source: ACM Ethics

American Statistical Association
Ethical Guidelines for Statistical Practice
The ethical statistician:
  • Identifies and mitigates any preferences on the part of the investigators or data providers that might predetermine or influence the analyses/results.
  • Employs selection or sampling methods and analytic approaches appropriate and valid for the specific question to be addressed, so that results extend beyond the sample to a population relevant to the objectives with minimal error under reasonable assumptions.
  • Respects and acknowledges the contributions and intellectual property of others.
  • When establishing authorship order for posters, papers, and other scholarship, strives to make clear the basis for this order, if determined on grounds other than intellectual contribution.
  • Discloses conflicts of interest, financial and otherwise, and manages or resolves them according to established (institutional/regional/local) rules and laws.
  • Accepts full responsibility for his/her professional performance. Provides only expert testimony, written work, and oral presentations that he/she would be willing to have peer reviewed.
  • Exhibits respect for others and, thus, neither engages in nor condones discrimination based on personal characteristics; bullying; unwelcome physical, including sexual, contact; or other forms of harassment or intimidation, and takes appropriate action when aware of such unethical practices by others.
Source: Ethical Guidelines for Statistical Practice

Association of Information Technology Professionals
Code of Ethics
I acknowledge:
  • That I have an obligation to management, therefore, I shall promote the understanding of information processing methods and procedures to management using every resource at my command.
  • That I have an obligation to my fellow members, therefore, I shall uphold the high ideals of AITP as outlined in its Association Bylaws. Further, I shall cooperate with my fellow members and shall treat them with honesty and respect at all times.
  • That I have an obligation to society and will participate to the best of my ability in the dissemination of knowledge pertaining to the general development and understanding of information processing. Further, I shall not use knowledge of a confidential nature to further my personal interest, nor shall I violate the privacy and confidentiality of information entrusted to me or to which I may gain access.
  • That I have an obligation to my employer whose trust I hold, therefore, I shall endeavor to discharge this obligation to the best of my ability, to guard my employer’s interests, and to advise him or her wisely and honestly.
  • That I have an obligation to my college or university, therefore, I shall uphold its ethical and moral principles.
  • That I have an obligation to my country, therefore, in my personal, business, and social contacts, I shall uphold my nation and shall honor the chosen way of life of my fellow citizens.
I accept these obligations as a personal responsibility and as a member of this Association. I shall actively discharge these obligations and I dedicate myself to that end.
Source: AITP Code

Functions of Professional Organizations

Professional organizations support single disciplines through educational and informational missions. And as new disciplines emerge, so do supporting professional organizations. Their influence on professional organizations stems from the services provided to members. They publish professional journals, develop standards of professional ethics and excellence, and raise public awareness. Professional organizations, often referred to as societies, can be local, regional, national, and international.

Notable examples include the Association for Women in Computing and the Association for the Advancement of Artificial Intelligence, in addition to the others previously mentioned.

The Association for Women in Computing (AWC) is dedicated to promoting the advancement of women in the computing professions.

The Association for the Advancement of Artificial Intelligence (AAAI) is devoted to advancing scientific understanding of the mechanisms underlying thought and intelligent behavior, and their embodiment in machines.

Some organizations define quality standards for educational programs and institutions in the discipline. The Accreditation Board for Engineering and Technology (ABET) certifies the quality of undergraduate educational programs in the computing science field based on criteria identified by ACM and IEEE.

Select one or two professional organizations from this section that interest you. Review their website and learn their structure, standards, and resources.

The Ethical Culture of an Organization

Organizational culture is defined by the expectations, experiences, philosophy, and values that guide employees’ behaviors. An organization’s culture is exhibited in the employees’ self-perceptions and interactions with others.

When working professionally, you may encounter situations where your personal ethics clash with the ethical culture of your company. An employee is expected to follow the organization’s ethical code of conduct. The ethical code of conduct is a written policy that assists employees in identifying ethical behaviors as defined by the organization.

A computing professional might be asked to develop IT policies. Policies such as an acceptable use policy (AUP) should reflect the organization’s ethics and provide clear guidelines. An acceptable use policy, detailing how computer systems owned by the organization can be used, should include the following aspects:

  • legal considerations, including data security laws, jurisdiction, the ownership of systems and data, and proper use of intellectual property
  • data security provisions, including personal responsibilities of users, ways the systems can and cannot be used, and types of unacceptable web content
  • liability considerations, outlining disclaimers that remove an organization’s responsibilities for data breaches, information theft, or misuse of the internet

Assume you are responsible for creating an acceptable use policy for the medical office. What guidelines would you include?


Privacy

Information privacy refers to the right to control how your personal information is collected, used, and exchanged. The discussion over privacy has intensified with massive data breaches, businesses selling personal data to other organizations, and targeted advertising abuse. While closely related, privacy and security are not the same. Security focuses on protecting data from unauthorized use and the exploitation of stolen data for profit. Privacy focuses on the use and governance of personal data, ensuring that it is collected, shared, and used appropriately.

Skim through “The 15 Biggest Data Breaches of the 21st Century” and select a data breach to research. How were people affected by the data breach?

Professional organizations, such as the International Association of Privacy Professionals (IAPP), help organizations design and apply appropriate approaches to privacy.

Computing professionals often handle sensitive data and information for both employees and clients. Additionally, data analysis may use data revealing organizational strategies for competitive advantage that need to be protected. Networking professionals may have insight into websites individuals access. Software developers may have access to strategic initiatives their software will support. All these situations raise ethical dilemmas. The ethical codes of an organization and professional organizations can help professionals resolve such ethical dilemmas.

In some cases, there may be a conflict of interest. A conflict of interest is a situation in which a person has two relationships that might be incompatible with each other. For example, a person might have loyalty to an employer as well as loyalty to a family business. Each of these businesses expects the person to have its best interest first. Organizations should provide clear outlines on how to handle conflicts of interest.

Confidentiality

Figure. Confidentiality portion of the CIA Triad.

Confidentiality is a set of rules that limits access to data/information. Data is commonly categorized according to the amount and type of damage that could be done by unauthorized access. Implementing access controls is largely responsible for enforcing confidentiality.

Often, authorized users are given security training, supported by the computing professionals in the organization. Training typically includes how clients can identify and reduce security risks by doing the following:

  • Create strong password policies. Passwords should be at least eight characters combined with numbers and special characters. Passwords also need to be changed at least every three months, depending on the sensitivity of data on a given system.
  • Recognize social engineering attacks. Social engineering is a general term that describes any attack that takes advantage of humans’ trusting nature. Phishing is one example of a method of capturing the victim’s valuable information (e.g., username and password, personally identifiable information) by sending emails that mimic real emails from businesses. These emails seemingly request that you reset the password for your account when in reality the attackers capture the victim’s input for their own use.

Integrity

Figure. Integrity portion of the CIA Triad.

Integrity is maintained when the data/information is both trustworthy and accurate. Data must not be changed in transit or be altered by unauthorized users. Methods for maintaining integrity include file permissions, user access controls, version control, and redundant systems or copies.

Availability

Figure. Availability portion of the CIA Triad.

Availability refers to the ability to provide reliable access to the data/information for authorized individuals. Availability is best ensured by rigorously maintaining all hardware, testing compatibility with operating systems and installed applications, and keeping systems patched and up-to-date.

The elements of the confidentiality-integrity-availability (CIA) triad depend on each other. For example, if the confidentiality of data is emphasized, the integrity of data is less likely to be compromised. Organizations often make conscious compromises between the elements of the CIA triad when resources are limited, remaining vigilant about known risks.

Research more about the CIA triad. How is your organization implementing the CIA triad in its everyday processes?

Security is challenging for organizations with expanding volumes of data or those that are using emerging technologies. Big data, for example, poses security risks because of the volume of data and information that needs to be safeguarded, the multiple places these data are stored, and the different forms in which the data exist. The Internet of Things (IoT) also poses unique security challenges. For example, security can be an issue because of the number of connected hardware devices that are unpatched or configured with weak passwords.

In a recent demonstration, researchers showed that a network could be compromised through a Wi-Fi enabled (aka, “smart”) light bulb.


While enhancing the security of computer systems through regulations is typically effective and may deter some attacks, it does not prevent them. Also, because computer systems are used internationally, it can be difficult to obtain recourse. The United States and many other countries have federal laws governing computer security and privacy. For example, the United States’ Security Breach Notification Laws govern the actions of a company in the case of data records being compromised, lost, or stolen. At the same time, laws that apply to various industries may impose obstacles on, or even restrict, implementation of new technologies. The legal landscape that applies to the work of computer personnel is large and complex.

What laws or regulations are in place in your country and industry? How do these compare to those established in the United States?

Information Technology Law Organizations and Resources

Multiple organizations and agencies are dedicated to representing and protecting individuals from computer crimes and abuse of technology. Some of these organizations include the following:

  • The global organization Computer Professionals for Social Responsibility (CPSR) promotes the responsible use of technology through education.
  • The Federal Communications Commission (FCC) is an independent U.S. government agency that regulates communications by radio, television, wire, satellite, and cable.
  • The Institute for Telecommunication Sciences (ITS) is the research and engineering laboratory of the National Telecommunications and Information Administration (NTIA). It promotes the development of advanced telecommunications and information infrastructure in the United States.
  • The National Institute of Standards and Technology (NIST) promotes the development and deployment of systems that are reliable, usable, interoperable, and secure; advances measurement science through innovations in mathematics, statistics, and computer science; and conducts research to develop the measurements and standards infrastructure for emerging information technologies and applications in the United States.
  • The National Security Agency (NSA) is the U.S. government agency that is responsible for the health and security of American vital data and networks. Some examples may be confidential resources stored at the Department of Defense, networks responsible for the U.S. power grid, and military operations.

