Ira Winkler from ComputerWorld has a rather controversial article up about the separation of ethics from computer security. This is IT journalism at its most typical: they can write about it, but they don’t know it. He does make some valid points, but he also makes some dubious claims.
There are a few things Ira conveniently leaves out or is not even aware of in regards to this subject.
1. The methods to detect, investigate, and enforce ethical behavior on computer systems utilize many of the same functions that computer security uses. This means there is a natural integration of the two. Computer security requires virus scanning and data/file inspection of some sort. Unethical copyright distribution will utilize similar tools and the same staff.
2. There is a tendency to generalize. If someone is visiting bad web sites that are unethical to visit inside the corporate network, there could be security implications. Too often, those same sites house malware and other bad things. This is just a tendency, but that is what computer security is about. It is not just 100% black and white. The twin goals of ethics and security help to fully dictate that those sites are off limits and against policy. In short, why make two policies when they support each other?
3. If there are too many points to make when educating users on computer security and ethics, that is not an argument to separate the two entirely. It just means the education needs to be structured better to accommodate making only one or two points at a time. Perhaps ethics can be split off during the education process, but this is simply not a valid supporting argument. It would be just as difficult to teach users about email security, password complexity, phishing attacks, and proper data usage in the copy room all at one time. So does that mean those should not be considered computer security either?
4. What does Enron have to do with this discussion other than being an excuse to bring up a popular culture/media example?
5. What does physical security have to do with this argument? Yes, security staffers may be disdained for being those who mete out punishments, but that makes no sense as an argument to separate ethics and computer security. The argument would be to minimize our negative impact on users. Well, by that token, should we separate out incident response, since that tends to be negative? What about when a virus is detected on a machine and we have to go inform the user and slap their wrist for downloading it from their email and saving it? This argument makes no sense.
6. Ira would have been better served by not bringing up phishing attack examples and claiming that those are mechanical in nature while ethical decisions are not as straightforward. Tell that to the people doing studies on how difficult it can be to detect phishing websites. In fact, I would conjecture that most unethical behavior in a workplace is *easier* to determine than some of the “mechanical” computer security issues, especially for non-technical people.
The best part of the article is how Ira even attacks his own argument and makes no real effort to address it. The ending feels very bipolar, as if he had an argument, didn’t win it, and then just moved on.
Now, all that said, there is merit to saying ethics should be separated in part from computer security itself. IT staffers may detect and report on unethical behavior, but ethics is still ultimately up to legal, HR, and corporate executives to determine. But that is not enough to say that ethics and computer security should be fully separate. There is too much at stake for business and security staff to try to fully separate these spheres in anything but a very large company that can have separate ethics staff. Even then, those teams will work closely together anyway.