Ethics Self-Test: Are You a Threat?

Take This Quiz to Assess Your Own Moral Compass

In July 2010, Bradley Manning, a U.S. Army soldier, was arrested and charged with transferring classified data onto his personal computer and providing that information to an unauthorized source, Wikileaks. Manning took part in an act he believed was right, aiding in Wikileaks' mission of providing freedom of speech and transparency between governments and the public.
Manning's actions led to an embarrassing data leak for the U.S. Government. It also prompted other organizations to take a closer look at their own employees. What measures were in place to protect these organizations from experiencing their own version of Wikileaks?
The Manning incident also highlights the problem of ethics in the workplace - particularly involving information security. What happens when a person makes an ethical choice that puts an organization's security or privacy at risk?
Ethics is a person's ability to decide what is right or wrong in a particular situation. But knowing what is right or wrong is often hard to figure out, since it depends on a person's individual morals and how they perceive a situation. In the case of Manning, just because he had access to the information, did that give him the right to release it?
A person's ethics can lead to intentional or unintentional misuse of a company's systems and files, or even a breach. And at a time where social media and smart phones are everywhere, organizations may be overlooking key areas that could lead to potentially damaging data leaks.
In fact, ethics is such a growing concern within the information security field that companies such as Booz Allen Hamilton enforce ethics training for their employees. These organizations realize that ethical lapses in the workplace may make an employee an insider threat, sometimes without him/her even knowing it.
Ethics Quiz

Are you a potential threat to your organization? Would you recognize one if you saw it?
Below are five ethical dilemmas that could come up within any private or public sector organization. Take the quiz, track your scores and see how you measure up on the scale of insider threats.

1. While working at a bank, you find out that a family member has an account at your branch. Do you:
- a) Access their account once they've given you permission?
- b) Access the family member account only if it's part of your job responsibility?
- c) Not access the account at all because of your personal relationship?
2. You are a systems administrator for a government agency. To improve security, you want to install rootkit tools [software that enables a user access to a computer while hiding their presence] to assist in your job responsibilities. Do you:
- a) Seek permission to install the tools and abide by whatever answer you're given?
- b) Seek permission and, if not approved, install the tools anyway because it may assist in your job responsibilities?
- c) Not seek permission and install the tools anyway because it may assist in your job responsibilities?
3. You are a software engineer at a healthcare system who developed a GPS program to aid customers in finding the nearest clinic. You recently moved on to another software position at a new company where the program could be useful. Do you:
- a) Prior to leaving, consult with your former employer about taking software you've written to assist in future projects?
- b) Place the software on a freeware forum for others to use since you created it?
- c) Take the software as a referral for your future job opportunities?
4. While working at a credit union, you develop a close relationship with a customer and find them on Facebook. Do you:
- a) Communicate with them using social media?
- b) Mention this discovery in person next time you see them?
- c) Refrain from doing anything at all?
5. It's an employee's birthday at your workplace, and you take out your smart phone to document the activities. Do you:
- a) Film the celebration just for yourself and the employee?
- b) Film the celebration and post it on a social media site?
- c) Not film the celebration at all?
The Answers

Question 1: The most appropriate answer is C: You don't access the account at all because of your personal relationship. When it comes to family, people often feel they have certain obligations. "Even if you have authorized access in the customer system, it might be against the policy of the organization. Organizations should enforce policy controls in systems, to prevent unauthorized accessing of data," says Randy Trzeciak, Technical Team Lead of Insider Threat Outreach and Transition at the SEI CERT program, a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pa.
And often, people don't even think about getting permission from a family member or from the organization before accessing a family member's records.
Organizations may not know that this kind of viewing is occurring, and employees could be reviewing sensitive information they are not allowed to see, even if it belongs to a family member.
In a healthcare organization, for instance, if unauthorized employees are caught viewing electronic health records, they could be fired under the Health Insurance Portability and Accountability Act of 1996 [HIPAA] Privacy and Security Rules, where personal records are protected.
Question 2: The most appropriate answer is A: You seek permission to install the tools and abide by whatever answer you're given. "Some IT administrators use the excuse that they could use this to improve the security," Trzeciak says. "In some of the cases, it's true." But it's also very easy for that IT administrator to turn around and use rootkits for a negative purpose.
It depends on the organization's policy. Some have a policy stating rootkits are not allowed to be installed. And that raises a dilemma of whether you would do it anyway, Trzeciak says.
The easy answer is: If the boss says "no," then live with that decision.
Question 3: The most appropriate answer is A: You should consult with your employer prior to leaving about taking software you've written to assist in future projects. Software engineers may have a perceived ownership for programs, even if the institution, company or agency has the rights to it. "In some instances, developers take pieces of code, maybe not an entire program... things they justify as being common or freely available with them to another job," says Trzeciak. "For example, if a coder wrote a common program to do something as simple as looking up a date, while being paid by an organization, some coders may take it with them to a new job to avoid having to re-write."
Taking the concept or the idea of that program, the steps you took, may be acceptable. But you need to be careful about violating policies around intellectual property. Again, consulting the organization and seeing what's allowed and what isn't is very important before making a move.
Question 4: The most appropriate answer is C: You refrain from doing anything. Talking with customers outside of the workspace may not even be allowed by your organization. With young adults entering new jobs today, the situation becomes gray with social media and what individuals think is allowed or not allowed.
"Younger employees tend to be more accepting of social media sites," Trzeciak says. "Most employees do this on a daily basis as part of communications." But organizations need to clearly state if they allow or accept it as a way employees can communicate. "Because more employees are using them, there is a greater chance for accidental disclosures of organization data."
Those accidental disclosures could mean revealing that the customer banks at a certain organization, or in the context of healthcare, if a person is a patient at a certain hospital. This is information that organizations may not know is being released, and which could violate individuals' privacy.
Question 5: The most appropriate answer is C: You don't film the celebration. We live in a culture where everything is constantly documented, and forgetting where you are could lead to a breach of information that you may not have intended. If you're filming a small birthday celebration at a hospital, patients may end up on screen, equipment may be visible or records on a computer monitor may be displayed. At a government agency, important officials, documents or technologies could be caught on camera.
It's important to consult an organization's policy on this one, Trzeciak says. You may feel it appropriate to film the celebration, and if it's done on your personal smart phone, that opens up other questions. Organizations need to have clear policy on the use of employee-provided and personal smart phones and how employees can use them in the workplace, Trzeciak says.
Score Ranking & Takeaway

If you got 4-5 answers right: You recognize the threats within yourself and others. "Even if you answered these correctly, there still is a threat," Trzeciak says. "You absolutely need to trust individuals in organizations to do what they need to do, but verify their actions."
If you got 3 answers right: You may be missing some threats posed by yourself and insiders. Ethics, how you choose to act in a certain situation, can have unforeseeable consequences. Employees may not intend to disclose information through their smart phone. Or they may not have malicious intent when adding rootkits to an organization's systems to monitor for suspicious activity. But in weighing the options for each of these areas, it's always important to consult a risk officer or legal department in your organization.
If you got 0-2 answers right: You may not even understand the threats posed by yourself and other insiders. CERT offers guidance for mitigating insider threats on their website. One of their documents, "Common Sense Guide to Prevention and Detection of Insider Threats," gives practical guidance to organizations. "We attempt to provide organizations practical guidance of what you should be doing, identifying critical assets, granting access, tracking access, or including things like security awareness training," Trzeciak says.
Organizations can also require certifications and training for their employees as measures to prevent the possibility of insider threats, which can result from ethical dilemmas.
And if they don't already, organizations should develop a code of ethics that addresses all potential risks in an organization.
For further reading on ethics, please see Contributing Editor Upasana Gupta's piece: What is the Role of Ethics? In it, she explores the definition of ethics, its challenges in the workplace and training options that are available for organizations.