7.22.2008

Morality vs Economy in Cyberspace

To paraphrase Steven Levitt and Stephen Dubner (co-authors of Freakonomics): morality represents the way people would like the world to work. Economics represents how it actually does work.

If we are to address (or advance, depending on your perspective) the issues of cybercrime, cyber-espionage or other information security-related challenges, we must adopt a broader, more holistic approach that moves beyond (but does not abandon) technology "whack-a-mole" solutions and gets to the root of the matter: human decision making. Two elements of such a broad-based approach are:

1. Establish or modify a sense of shared morality in potential actors- social norms.

Social norms? I am not implying we must all think the same way- both impossible and undesirable as it would destroy the creativity that has delivered such richness to the Web today. However, as open as the Web is, it must have underpinning rules, beyond technical standards, for it to work (even for those with nefarious intent). What I am referring to is shaping the perception of what is "acceptable behavior." Is it okay as a global, connected society for governments to hack their citizens' computers (or those of another country)? Is it acceptable for companies to host malicious websites while claiming they "are not in the editing" business? When does hacktivism become crime? When does hacking extend beyond technical curiosity and become crime? When is it a public service? When does hacking conducted by a nation (or its surrogates) become an act of war? What are the limits of such activity?

We have yet to address these issues with the same level of attention as other issues with both regional and trans-regional implications. It is time we did so...

2. Influence their economic decision-making process.

Morality may describe how we want things to work; however, economics is how the world does work. If you want to change behavior, you need to influence the perceived economy of the individual(s) you are trying to influence. At what point is the cost or risk too high relative to benefit gained? How do I raise (or lower) barriers to entry? When do I seek alternatives? You get the idea. Today, the economics of malicious hacking favors the attacker.

Whether we wear white hats or black hats, if we are to proactively deter unwanted behavior (from our perspective), we must shape social norms and expectations: either making the activity we want to engage in acceptable or making that which we are trying to deter unacceptable.

From there, it becomes a matter of personal morality and ultimately, economics.

I don't have the answers- just wanted to give you something to think about.

~CPwnk

A few cyber-ethics related links:
Fundamental Ethics in Information Systems by Christopher N. Chapman
Ethical Decision-Making in an IT Context: The Roles of Personal Moral Philosophies and Moral Intensity by Carlos Alberto Dorantes, Barbara Hewitt, Tim Goles
The Socrates Institute- K-12 cyber-ethics