Cyber Security

Luke Hally

Public obligation of cybersecurity professionals

February 7, 2022

The ethical considerations of cybersecurity professionals towards the public include: individual privacy vs public security; individual security vs availability of public goods; transparency vs preserving public trust; present harm vs future benefit and vice versa. The proliferation of connected devices and services complicates this.

Powell (2001) made the case that if cybersecurity were a public good “we would not see the private sector devoting so many dollars, employees, and planning resources” to it. Being focused on economics, this view lacks consideration for ethical impacts, whereas Taddeo (2019) adds nuance by making a case for cybersecurity robustness as a public good. I think this is especially justified in a world where connected devices proliferate because: they expand the burden of security from corporations to include individuals; they blur the line between natural and normative privacy; and remote data storage creates more potential for harm in scale, geographic and temporal reach.

With each connected device being a potential attack vector (Rizvi et al., 2018), an individual’s poor security can impact the rights of, and cause harm to, others, adding an ethical dimension to the individual decision of whether or not to secure one’s devices. This creates an opportunity to extend Taddeo’s (2019, p. 351) case for “collaboration between the private and the public sector to ensure high level of system robustness” to include end-users.

 Cybersecurity professionals have a number of ethical obligations to help include end-users in this collaboration: 

  • Informing government policy, public education and industry standards to engage end-users. In doing so we need to weigh ethical issues such as the individual vs community (Kidder, 2003). E.g., keeping a public record of patched devices to help ensure security would infringe on individual rights to privacy and autonomy.
  • Business/organisational level, ensuring that security is kept in focus across business activities. We would need to weigh ethical considerations such as allocation of resources, as well as balancing the interests of our stakeholders.
  • Product level, ensuring that consideration of the end-user’s responsibility is embedded in the device’s user experience. Again balance is required, e.g., forced updates risk making a device incompatible with other devices which users can’t afford to update, potentially discriminating on socioeconomic status.

Insecure connected devices pose a significant risk to the robustness of a connected society; this creates ethical requirements on individuals using them. I believe this places an obligation on cybersecurity professionals to help them to do this, an obligation which would require a thoughtful and deliberate approach to balancing the needs and rights of individual, commercial and public interests.

References

F-Secure. (2017). Ethical challenges in Cybersecurity, by Mikko Hypponen [Video]. In YouTube. https://www.youtube.com/watch?v=-CXD8qSPDHo

Kidder, R. M. (2003). How good people make tough choices. HarperPB.

Powell, B. (2001). Is Cybersecurity a Public Good? Evidence from the Financial Services Industry. Independent Institute Working Paper Number 57.

Rizvi, S., Pipetti, R., McIntyre, N., & Todd, J. (2018, July). An attack vector for IoT networks. 2018 International Conference on Software Security and Assurance (ICSSA). http://dx.doi.org/10.1109/icssa45270.2018.00019

Taddeo, M. (2019). Is cybersecurity a public good? Minds and Machines, 29(3), 349–354. https://doi.org/10.1007/s11023-019-09507-5
