Ethics and information security governance.
Improving information security through consequential ethics.
Until now our pages on corporate governance have concentrated on security governance, but there are several issues in corporate governance related to ethics that have a large influence on information security within an organization. In particular, if you want to develop a security culture that improves adherence to policies, you should first be improving your organization's ethical culture. In the following sections we discuss why you need to adapt your organization's code of ethics to address a major difference in ethical behavior between previous and current generations of employees, and how this change will influence the way you need to design and institutionalize your acceptable use security policies.
The ideas discussed on this page have been published in the form of an extended abstract in Ruighaver, A.B. 2008, 'Encouraging ethical decision making in security policies', Fifth Australian Institute of Computer Ethics Conference AiCE 2008, Melbourne, February 11 2008. A full paper is awaiting publication and a draft of this paper is available on request.
The failure of Deontological Ethics
Current acceptable use policies try to influence an employee's behavior by listing those behaviors that are unacceptable to the organization. Officially, the security strategy underlying these policies is deterrence: each policy is supposed to spell out the penalties the organization will impose if you breach its guidelines. In practice, organizations never implement the additional security measures that deterrence requires to be credible, namely measures that increase the likelihood that an offender is actually identified and punished. Without any actual deterrence, these policies only work when employees are willing to do the right thing. When acceptable use policies were first introduced several decades ago, the majority of employees were happy to abide by the rules. Unfortunately, the ethical behavior of the current generation of employees is no longer based simply on doing the right thing, and business ethics has changed as well.
A brief examination of the codes of ethics of several organizations indicates that most of them are also still based on deontological ethics, that is, on the principle that you should do the right thing. While the code of ethics of an organization, or of an industry, often still states that employees should abide by the company's policies (abide by the rules), the same company often has an organizational culture that emphasizes goals and allows, or even encourages, its employees to bypass rules when necessary to achieve those goals.
Encouraging Ethical decision making
To cope with the change in personal and business ethics over the past few decades, we need to develop new codes of ethics, and supporting programs, that encourage employees to consider the consequences of their actions and to make the right ethical decisions. In particular, it is important that your employees are educated in consequential ethics and encouraged to identify and avoid potential negative consequences for the organization, especially when their behavior is plainly aimed at personal benefit. This, of course, assumes that your organization hires employees who are willing to put the organization's best interests above their own self-interest. Unfortunately, anecdotal evidence suggests that this is not always the case.
To support the use of consequential ethics in acceptable use policies, you will have to rethink the way you structure and write these policies. If your organization's culture is goal-based and tolerates the breaking of rules, you will have to identify and prioritize the objectives of each of your acceptable use policies, so that an employee who bypasses a rule can still judge whether the objective behind it is preserved. You will also have to make it clear which rules are merely guidelines, which are standards (which employees should avoid breaking) and which are absolute norms. More on this in our paper and in future additions to this web site.