Cyber Security

Luke Hally

How do the different ethical theories apply to cybersecurity?

February 14, 2022

The various normative ethical theories (deontology, utilitarianism, agent based) provide different ways of viewing the world and could lead to justifiably opposing outcomes. Let’s look at them in regard to cybersecurity applications, then look at how they can be used together.

Utilitarianism is based on the Greatest Happiness Principle: decisions are made by choosing the action that maximises positive (or minimises negative) outcomes. Consider a kidnapped unpopular head of state who knows ICBM launch codes and is likely to undergo rubber hose cryptanalysis. A utilitarian approach could be used to justify assassinating the head of state: we kill one person to prevent mass casualty – maybe war – and they won’t be missed by many; millions, perhaps billions, will be happier.

Deontological theory considers a good action to be one which adheres to ethical rules. Applying a deontological approach to our abducted leader: if we were all allowed to kill people when it was advantageous, would the world be a better place? No, it wouldn’t: people with large families could justify killing single colleagues for promotions, and the homeless could be harvested for organs. So we would not assassinate the leader.

Agent based ethical theory does not consider actions or their outcomes, but looks at the virtues of the individual or agent making the decisions, the fundamental virtues being prudence, temperance, fortitude and justice. Returning again to our missing leader, a leader chosen according to agent based theory will resist rubber hosing and do what is ethically right, so we need only worry about their welfare, not state secrets.

As mentioned, we could easily use these theories to create justifiable opposing positions. But what if instead of being alternatives, they each have applications depending on the context of the decision? We could use the theory that works with the judgement required, with my initial thoughts being, at the:

  • Community level (environment): Utilitarianism
  • Organisational level (framework): Deontological
  • Employee level (decision maker): Agent based

Thus we have an overarching environment that is aiming to be as safe as possible, achieved through legislation and education. Organisations operating within this environment have rules which provide a framework for making decisions. The staff responsible for making decisions within this framework possess the virtues that we consider important for making value judgements. I believe using the models together like this could help to balance some potentially unjust outcomes from their use alone, e.g. assassinating heads of state, facilitating terrorist activity, employing liars.

Postscript

Throughout this course I’ve found my natural approach was to pit these theories against each other – looking at how I could use one to justify a position against another. But as I read and came to understand the benefits of each, and listened to my classmates’ same issues in the webinar recording, I started to consider how we could make use of the different theories in different contexts within the security ecosystem. I’ve shifted from thinking that I need to subscribe to one theory, to seeing them as a toolkit, where I can choose the theory that best suits my current situation.

I found considering the benefits of virtue based ethics the most difficult to comprehend. I think this is because I was considering the agent to be operating without a framework, just thinking of them being a good person making their own decisions for each situation they encountered. But Gray & Tejay (2014) highlighted the value of an individual’s virtues in combating insider attacks – an issue I have considered in past courses (Hally, 2021). This fitted in nicely with my emerging thoughts on the role of the normative theories in different contexts of security. I also wonder if we could apply agent based ethics to security systems and automated responses; this will be an interesting area of further consideration.

References

Christen, M., Gordijn, B., & Loi, M. (2020). The ethics of cybersecurity. Springer Nature.

Graham, G. (2004). Eight theories of ethics. Psychology Press.

Gray, J., & Tejay, G. (2014, March 24). Development of virtue ethics based security constructs for information systems trusted workers. Unknown. https://www.researchgate.net/publication/264274034_Development_of_Virtue_Ethics_Based_Security_Constructs_for_Information_Systems_Trusted_Workers

Hally, L. (2021, July 13). Spot the insider. A Cyber Security Blog by Luke Hally. https://www.lukehally.au/security-culture/spot-the-insider/

Kidder, R. M. (2003). How good people make tough choices. HarperPB.
