Wednesday, April 25, 2012

The Mindset of Information Security: Walking a razor thin line

Samuel Warren
IS461-Information Security Overview
Professor Dan Morrill
February 8, 2011

In the mid to late twentieth century, there was a commonly held belief that one should "do the right thing." Those who want to "do the right thing" because it is the right thing to do are said to have morals, or strongly held beliefs. As organizations grew, many of them looked for a way to translate that notion into an organized set of rules. Merriam-Webster's Dictionary of Law defines ethics in exactly those terms: "The rules or standards governing the conduct of a person or the conduct of the members of a profession" (Ethics, n.d.). In essence, the rules were created out of a deep-seated desire to keep "doing the right thing" within an organization, together with a way to penalize those who choose to disregard them. Many professions have their own code of ethics. While the codes overlap, each is designed specifically for the governance of its own profession, including its terminology and the consequences for breaking the code. In the practice of law, for example, someone can be stripped of their title and right to practice for an ethics violation, a process called disbarring. In many cases there are larger consequences as well: in medicine, a doctor can not only lose his license to practice but also be sued for malpractice. In the realm of Information Security (InfoSec), there are several different sets of ethical codes and guidelines. Which is the best? What approach should InfoSec professionals take when it comes to ethics? InfoSec, like other professions, requires a great deal of discernment and balance.
Differences between codes of ethics will almost always exist. Rather than fighting them or trying to create yet another code, the best course one can take is to find the code that best aligns with one's own morals. Depending on the field, there may be one code or many. One example of a unified ethical practice among lawyers is keeping a client's information confidential; the main reason is to ensure a level of trust between lawyer and client. If a defense lawyer accepts a case where the defendant is actually guilty, the lawyer's job is not to pass moral judgment on what the defendant may have done; it is to reduce the consequences the defendant faces, if not win an outright acquittal. In InfoSec, however, there are multiple codes. A Venn diagram of just two of the largest bodies, ISACA and (ISC)2, would show quite a bit of overlap. The differences are where interpretation can creep in and cause confusion. One pointed example appears when the two codes are examined on their respective sites. On the (ISC)2 site, under the heading "Objectives for Guidance," the following item is confusing: "To Discourage such behavior as... Professional recognition of or association with amateurs" (ISC2, 2011). ISACA, by contrast, asks members to "Support the professional education of stakeholders in enhancing their understanding of the governance and management of enterprise information systems and technology, including: audit, control, security and risk management" (ISACA, 2011).
Both codes touch on education, but they differ in approach. ISACA encourages professional education outright and takes a broad-based view, focusing on management and policy. (ISC)2, on the other hand, is better known among the other high-tech fields. There are definite differences in how each code deals with issues, but the best way to handle them is to find the code that works well for the organization and then take the differences in stride. As long as an organization allows its Information Security professionals to keep it up to date on the main security concerns as they relate to ethics, it can deal with the differences appropriately.
One thing that must be considered when talking about ethics is balance. If Information Security were only about keeping information secure, it would be an easy job. Many know that the career is far more involved. While the title suggests a single course of action, there are many other areas to consider, such as organizational needs. If a customer wants their information secure but cannot afford the system an InfoSec professional recommends, an adjustment obviously has to be made. One place where that balance is especially hard to find is a not-for-profit organization, such as a school or church.
Institutions of higher learning impose unique challenges for chief information officers. On the one hand, resources must be open to embrace academic freedom and interactive learning environments. At the same time, openness makes universities targets [for a] lot cyber break-ins and other unauthorized activities. (Nolin, 2006)
The key for such organizations is finding a balance between their demands and what is secure enough. While one cannot account for every possible criminal mindset, one can put in as many safeguards as possible. The criminal mind is ever-changing; it is always looking for cracks, exploits, and weaknesses. The question that needs to be asked more often is "How much risk are we willing to absorb?" Every organization is different and presents its own challenges, but deciding how much is too much and what needs to be protected is the key to keeping information secure. If InfoSec professionals can keep the organization in that balance and protect everything that falls inside the acceptable margins, the organization will, at the very least, be better protected.
Information Security is a complex, challenging, and rewarding field. With so many different concerns to address, how does one make sure the information being protected is secure? There is no easy answer to that question. However, if InfoSec professionals maintain a clear understanding of which system of ethics works for their organization, and keep a balance between protection and risk, they will keep the information they protect more secure. Although the technology and the mindset of InfoSec professionals are rapidly becoming better acquainted with the criminal mind, they still seem to be one step behind the criminals. By staying informed on recent events in the field, that gap will continue to shrink, and better-protected information will be the byproduct. Information Security is really a balancing act on a razor-thin line. There are very few truly secure ways to keep information; mitigating the risk an organization takes on is what Information Security is all about.

References
Ethics. (n.d.). In Merriam-Webster's Dictionary of Law. Retrieved February 8, 2011, from Dictionary.com: http://dictionary.reference.com/browse/ethics
ISACA. (2011). Code of Professional Ethics. Retrieved February 9, 2011, from http://www.isaca.org/Certification/Code-of-Professional-Ethics/Pages/default.aspx
ISC2. (2011). Code, Objectives for Guidance, To Discourage Such Behavior As. In (ISC)2 Code of Ethics (par. 10). Retrieved February 9, 2011, from https://www.isc2.org/ethics/default.aspx
Norlin, L. (2006). A Secure Balance. American School & University, 78(6), SS44-SS46. Retrieved from EBSCOhost.