Ethical decision-making: Using formal and informal guidelines

Security Strategies This newsletter is sponsored by SonicWALL Risk Management Leads to a Secure Network Join this live Webcast on September 12, 2007 at 1:00 p.m. ET/10:00 a.m. PT to learn how assessing your company's risk can lead to a more proactive sustainable security strategy. Hear respected security experts Andreas Antonopoulos from Nemertes Research and SonicWALL VP of Product Management, Patrick Sweeney, discuss this new risk management approach and its benefits. Click here to register today! Network World's Security Strategies Newsletter, 09/04/07 Ethical decision-making: Using formal and informal guidelines By M. E. Kabay In my last two columns, I began discussing the July 30 column by Vauhini Vara of the _Wall Street Journal_ entitled, “Ten Things Your IT Department Won’t Tell You.” The author provides detailed information on how to violate acceptable-use policies for corporate computer equipment. In this column and the next, I want to continue applying Kallman and Grillo’s ethical decision-making methodology. We applied part 1 of the methodology last week. Moving on to part 2 - "Look for explicit and implicit guidelines relevant to the situation" - I’ll continue analyzing the case of Bob, an employee who signed an appropriate-use agreement with his employer but who chooses to follow Vara’s suggestions for cheating his employer of useful work - and then concealing his violations of policy. Explicit guidelines include: Comprehensive Network Access Control The new wave of sophisticated crimeware not only targets specific companies, but it also targets desktops and laptops as backdoor entryways into business operations and resources. Network access control enables proper configuration and security of user endpoints before they are allowed access on the corporate network. Click here to download this whitepaper * Laws * Contracts * Agreements * Policies * Rules * Professional standards * Codes of ethics The most obvious explicit guideline in our example is the acceptable-use policy. Bob is unquestionably violating the policy as written. He is almost certainly also violating the terms of his employment contract, which should stipulate that he agrees to follow policies and guidelines promulgated for the protection of corporate assets. Depending on whether Bob belongs to various professional societies and holds professional certifications, his duplicitous behavior may also violate professional standards and codes of ethics. What about Vara? Are there any explicit professional standards she could follow? Journalists can subscribe to the Code of Ethics (CoE) of the Society of Professional Journalists (SPJ). According to the Preamble, “Members of the Society share a dedication to ethical behavior.” However, I have been unable to find any specific injunction in the SPJ’s CoE that would bear on the issue of publishing instructions for employees about how to cheat employers and then lie about it. Perhaps it never occurred to anyone at the SPJ that any of their members would do that, any more than I suppose a member would write an article about how to commit a crime and get away with it. What about the WSJ itself? Does it publish explicit guidelines for its writers? I couldn’t find the guidelines on the WSJ Web site, but James A. White, a news editor for the publication, very kindly responded by e-mail to my request. The Code of Conduct (CoC) for the Dow Jones organizations is available online and includes these explicit words in its “Employment” section: “For its part, the Company expects employees to perform excellent work in a cost-effective manner, to strive for quality and productivity, to follow directions and instructions, to properly care for facilities and equipment, to anticipate problems and suggest improvements, to treat other employees and clients and customers with honesty and courtesy, and to be energetic in the performance of tasks and fulfillment of goals.” Presumably if Vara were to apply her own advice, she’d be violating that instruction. However (and unfortunately), I don’t see anything in the CoC that explicitly applies to publishing instructions on how to break contracts or even laws. I suppose that it’s possible that the WSJ could sanction an article on getting away with stock fraud or mortgage fraud, but perhaps that’s stretching the analogy beyond belief. Or is it? Returning to our ethical decision-making process, _implicit_ guidelines include: * Expectations * Customs * Habits * Religious obligations * Personal integrity Bob’s in trouble on all these counts, unless he works in an office populated by members of a criminal subculture or a weird cult. As for Vara, she’s not doing too well either on the informal guidelines front. For a roundup of some professional opinions about her article, see Naomi Grossman’s article in the Aug. 14, 2007, issue of bMighty.com. Next time, I’ll look at the last three contributions to ethical decision-making: principles, rights and duties, and intuitive cues. Editor's note: Last Tuesday's newsletter [Hacker tips published in Wall Street Journal] was mistakenly attributed to Mark Gibbs, but was written by M.E. Kabay. Our apologies for the error.   What do you think? Post a comment on this newsletter

TODAY'S MOST-READ STORIES: 1. Microsoft blames human error for glitch 2. Airline puts Linux PC in every seat 3. MPLS proposal spawns IETF, ITU turf war 4. Psst... Wanna buy a data center? 5. Hacks hit embassy, government e-mail worldwide 6. Secrets of vendors' pricing plans 7. Bank of India site hacked 8. ISPs to rural U.S.: Live with dial-up 9. Notes from OPNETWORK 2007 10. How close is World War 3.0? MOST E-MAILED ARTICLE: Airline puts Linux PC in every seat

Contact the author: M. E. Kabay, Ph.D., CISSP-ISSMP, is Associate Professor of Information Assurance and CTO of the School of Graduate Studies at Norwich University in Northfield, Vt. Mich can be reached by e-mail and his Web site. This newsletter is sponsored by SonicWALL Risk Management Leads to a Secure Network Join this live Webcast on September 12, 2007 at 1:00 p.m. ET/10:00 a.m. PT to learn how assessing your company's risk can lead to a more proactive sustainable security strategy. Hear respected security experts Andreas Antonopoulos from Nemertes Research and SonicWALL VP of Product Management, Patrick Sweeney, discuss this new risk management approach and its benefits. Click here to register today! ARCHIVE Archive of the Security Strategies Newsletter. BONUS FEATURE IT PRODUCT RESEARCH AT YOUR FINGERTIPS Get detailed information on thousands of products, conduct side-by-side comparisons and read product test and review results with Network World’s IT Buyer’s Guides. Find the best solution faster than ever with over 100 distinct categories across the security, storage, management, wireless, infrastructure and convergence markets. Click here for details. PRINT SUBSCRIPTIONS AVAILABLE You've got the technology snapshot of your choice delivered to your inbox each day. Extend your knowledge with a print subscription to the Network World newsweekly, Apply here today. International subscribers, click here. SUBSCRIPTION SERVICES To subscribe or unsubscribe to any Network World newsletter, change your e-mail address or contact us, click here. This message was sent to: security.world@gmail.com. Please use this address when modifying your subscription. Advertising information: Write to Associate Publisher Online Susan Cardoza Network World, Inc., 118 Turnpike Road, Southborough, MA 01772 Copyright Network World, Inc., 2007