The Role of the Professional Code of Ethics in addressing IT Security Threats

Late last century, we saw the rapid rise of Information Technology, replacing erstwhile manufacturing based industrial societies into knowledge based ones.  With this transformation came attendant risks and threats to security of information.  This aspect of the new digital age has invoked much debate and concern among stakeholders.  Some IT companies have come up with anti-piracy and data protection security systems.  Some others have emphasised the importance of adhering to ethical codes of conduct that would prevent unsafe and unethical practices on part of IT employees.  Organisations such as Association for Computer Machinery (ACM) and Australian Computer Society (ACS) are strong advocates of ethical practices by IT personnel and have laid out sets of recommendations.  This essay will look at some of their codes and how they can have practical use in reducing clearly identified threats to computer systems.

At the outset, it is important to remember that almost any sort of business enterprise today will have a dedicated IT department.  Hence the code of ethics laid down by ACM and ACS are applicable to IT personnel of such departments, irrespective of the business domain of the particular organisation.  Some of the frequently occuring information security breaches are common for almost all businesses that are enabled by Information Technology.  Broadly speaking, the term ‘system security threats’ refers to “the acts or incidents that can and will affect the integrity of business systems, which in turn will affect the reliability and privacy of business data”. (Lin, 2006).  Irrespective of the size of the organisation, the threat is persistent, and hence measures have to be undertaken to curb security breaches and ensure business continuity.

Beyond the commonly identified security threats such as Viruses, Spyware, Adware, etc, a major source of information leakage and misappropriation occurs due to the abuse/misuse of computer network by employees themselves. (Lin, 2006).  Since IT personnel have privileged access to vital business information, it is often very tempting for them to misuse this privilege and undermine the prospects for their employers. Employees are also prone to using Internet connectivity for their personal use when in fact they were strictly meant for official use.  For example while email and general Internet access are given to improve productivity, surveys have shown that employees (including IT personnel) use them for such activities as online-shopping, playing games, social networking websites, etc.  Some of them use it to ‘moonlight’ on other projects which fall outside the terms of agreement in the employee contract (Kolb & Abdullah, 2009).  All these activities exposes the organisation to security threats as not all websites have robust security measures to counter these threats.  Moreover, considering that using computer network facilities for personal use/gain is a breach of trust place by the employers, it is useful for employees to remember clause 1.3 of ACM code of ethics, which states that without honesty no amount of trust could be built.  Lacking trust, an organisation will lose its cohesion and quickly disintegrate.  Hence, the honest IT professional should abstain from making “deliberately false or deceptive claims about a system or system design, but will instead provide full disclosure of all pertinent system limitations and problems”. (ACM, Section 1.3, 1992)  At the same time, the IT professional will ensure that there is no conflict of interest in his mind; and that his discharge of duties are as stated and undersigned in the employment agreement.  Usually, the conflict of interest is between professional obligations and personal interests of the employee.  Confronted with such as dilemma, the employee should always give preference to his ‘professional obligations’ so that the interests of his organisation are protected.

A 2005 survey on American business corporations is quite instructive in this regard, for its findings are relevant to the Australian corporate world.  The survey shows that 76% of organisations keep track of their employees’ web connections; one in two companies screen the content transmitted by employees.  The survey further showed that one in four organisations being surveyed had terminated the employment of workers for misuse/abuse o the Internet.  Similarly, about 25% of companies “have fired employees for misuse of e-mail; and 65% of those surveyed used software to block employee access to inappropriate websites” (Lin, 2006).  Although most organisations allow limited personal usage of the Internet, it is prudent that organisations also have a written policy with respect to usage of computer systems.  The key here is to constantly adapt the set of policies to the changing IT environment.  In this respect, the code of ethics provided by ACM can be useful in informing employees of the consequences of their actions.  For example imperative 2.8 of ACM Code of Ethics and Professional Conduct requires IT personnel to gain access to the company’s networks and other IT facilities only after being authorised (ACS, 2005).  This means

“theft or destruction or trespassing of tangible and electronic property is     prohibited…No one should enter or use another’s computer system, software, or data files without permission. One must always have appropriate approval before using system resources, including communication ports, file space, other system   peripherals, and computer time.” (ACM, Section 2, 1992)

According to Gartner research firm, leakage of proprietary/confidential company information can cost an organisation up to 12 percent of its total annual expenditure.  With  the cost of implementing security services expected to increase 20% this year, it would be unrealistic for organisations to fix security issues after the fact (Britt, 2007).  Given that this much money is at stake, it is prudent on part of the IT department personnel to follow Code of Ethical conduct as prescribed by ACM or ACS.  Acting upon such codes would prevent wasteful expenditures for the company.  This especially makes sense when we realise that there is no correlation between the money spent on implementing security features and their eventual effectiveness.  As per the same Gartner research report, the true measure of a successful security system is its cost effectiveness. (Britt, 2007)  In this context, the motto of prevention is the best possible course for IT companies.

1 2