Introduction | The Information Systems Security Officers Guide: Establishing and Managing an Information Protection Program

We hear a lot about ethics these days when it seems everyone is out for themselves, from the executives of major corporations to a secretary in a small company office who perpetrates a fraud. One thing that makes a professional a true professional is ethical conduct. That is especially a requirement for an ISSO.

When you think of ethics and ethical behavior, what comes to mind? For some it means "doing the right thing." But what is the "right" thing to do? For some, it is anything that they can get away with and not violate laws. In fact, some narrowly define being ethical as doing anything as long as it does not violate laws. However, ethics and morality go hand-and-hand but what is moral? For example, communists believe that whatever furthers the advance of communism is moral and acting in a manner that does not further communism is immoral.

Remember that we talked earlier in this book about committing crimes and committing crimes takes opportunity, motive, and rationalization. The same applies to ethical behavior. You can use opportunity, motive, and rationalization to do the "right" thing or to not do what is right.

ethics [ thiks] noun

1. study of morality's effect on conduct: the study of moral standards and how they affect conduct (takes a singular verb); Also called moral philosophy; 2. code of morality: a system of moral principles governing the appropriate conduct for an individual or group (takes a plural verb) [15th century. Via Old French ethiques from, ultimately, Greek ēthikē, from ēthikos "ethical" (see ethic).] ^[3]

If you find someone's wallet, you have the opportunity to keep it. Suppose the motive is that you do not have a job and you have a family to support. You can rationalize it by saying that the money can buy much-needed food for the family, and besides, the person must be well off based on the number of gold and platinum credit cards in the wallet. Let's say that you just found the money and there is absolutely no evidence indicating to whom it belonged. Would it then be ok to keep it? The answer in both cases is no. Why? It does not belong to you. Therefore, even if it were not against the law to keep the money, it would be still unethical. However, sometimes the process is that you turn it over to the local police and if, after a set period of time, no one claims the money, it is yours. That would be ethical because you followed the locally established processes. What about illegally copying software in violation of copyright laws? Isn't that also unethical?

The interesting thing about ethics is that it may also depend on your culture. For example, the businessperson who gives gifts to a procurement officer in a corporation that he or she wants to do business with may be breaking the law in some countries, but such gifts are expected in others. Is it wrong to accept the gifts in those countries where that is a tradition? No. Of course, if it violated a law or company policy, it would also be unethical because violating a law is in itself unethical. Add to all this the moral issues, knowing what is right and what is wrong, considering what you were taught growing up, and all this brought together and integrated in each of us with our culture, working environment, and the like. The philosophy of morals and ethics has been the subject of study and discussions for centuries. We surely will not provide the definitive answers here. However, we must understand the basics of ethics because it does have an impact on protecting corporate assets.

mor al [m wral] adjective

1. involving right and wrong: relating to issues of right and wrong and to how individuals should behave; 2. derived from personal conscience: based on what somebody's conscience suggests is right or wrong, rather than on what the law says should be done; 3. in terms of natural justice: regarded in terms of what is known to be right or just, as opposed to what is officially or outwardly declared to be right or just; a moral victory; 4. encouraging goodness and respectability: giving guidance on how to behave decently and honorably; 5. good by accepted standards: good or right, when judged by the standards of the average person or society at large; 6. telling right from wrong: able to distinguish right from wrong and to make decisions based on that knowledge; 7. based on conviction: based on an inner conviction, in the absence of physical proof.

noun (plural mor als)

1. valuable lesson in behavior: a conclusion about how to behave or proceed drawn from a story or event; 2. final sentence of story giving advice: a short, precise rule, usually written in a rather literary style as the conclusion to a story, used to help people remember the best or most sensible way to behave

plural noun mor als

standards of behavior: principles of right and wrong as they govern standards of general or sexual behavior

[14th century. From Latin moralis, from mor-, stem of mos "custom," in plural "morals" (source of English morale and morose ).]^[4]

Ethical behavior is expected of everyone who works in a corporation. Few if any corporations or any type of business or government agency want to be seen as doing anything unethical.

Some people believe that if it is not against the law, it is ethical. Often it seems that corporations that walk a fine line between legal and illegal behavior use a great deal of rationalization to justify their actions. However, in most circumstances, the ethical question remains: Yes, it is legal, but is it the ethical thing to do?

If you see someone in your corporation doing something that violates corporate policy, should you report that person to management? This is probably an employee's most difficult ethical dilemma. In some nation-states, it is better to not report anyone, even committing a serious crime, because many children were brought up to not be a "squealer," a "fink," a "snitch." In some societies, that is almost as bad, if not worse, as committing the offense that is being reported.

Because of the amount of unethical behavior within some corporations and nation-states, there are processes by which one, sometimes called a whistleblower, can receive financial rewards for identifying illegal or unethical behavior. However, as much as corporations like to say that they have an ethics program within their corporation, when an employee comes forth and reports illegal activities, it seems that, more often than not, he or she is the subject of harassment, receives no promotions, and is made to feel unwanted in the corporation. Management looks upon that person as one who could not be trusted. Ironic, isn't it? A person reports someone's unethical behavior in accordance with the corporate policy. That person, instead of being considered an honest and loyal employee, is considered to be untrustworthy. There are many examples of such conduct within the corporations of the United States and other nation-states. Suffice it to say that corporate management can tout an ethics program, but one that truly works as stated in the brochures is another matter.