
Research Paper

Cyber Defense Moral Responsibility and Ethics in Cybersecurity

Lysander Suerte Jr.

Network Security CNET 221 (Sec. 006)

Professor Prodip Roy

Fall 2023

Table of Contents

Introduction

Background of the Study

What is Cyber Defense?

Importance of Cyber Defense

Example of Cybersecurity Threats, Laws, and Regulations in Canada

Cybersecurity laws and legislation (2023)

Moral Responsibility in Cyber Defense

How can organizations effectively employ cyber defense tactics?

How can leaders take a stance on cyber defense?

Preventing Attacks

What Are Ethics in Cybersecurity?

General Ethical Principles

Security vs. Privacy Protection

Conclusion

Reference

Introduction

Today, technology is part of everyday life for almost everyone. As more of daily life moves
onto the internet, concerns about cybersecurity have become widespread. As individuals and
organizations grow more dependent on technology, the protection of personal information and
the integrity of data have become more important than ever. The aim of this research is to
identify the different kinds of threats and to examine the moral responsibility and ethics
involved in dealing with them. The research also covers the different kinds of cyber defense,
threats, and laws in different countries, with regard to how they maintain confidentiality and
protection for everyone.

While organizations and individuals clearly need to protect themselves from cyber-attacks,
the question is how to deal with a threat while remaining ethically responsible for the action
taken. Sensitive data and access control are the most important things to protect, whether the
data in question is personal information or an organization’s large data holdings. Cybersecurity
professionals are the most knowledgeable in this area, so organizations and governments employ
these experts to protect their systems and sensitive information.
Background of the Study

What is Cyber Defense?

The term ‘cyber defense’ refers to the ability to prevent cyber-attacks from infecting a
computer system or device (Ling et al., 2023). In other words, cyber defense is the ability of an
individual or organization to prevent cyber threats, such as infiltrating a computer system or
network to obtain private information, or taking control of infrastructure to hold it for ransom
or to disrupt services. It takes a great deal of decision making and preventive action for a
technological community to respond, but at the end of the day, cyber defense is growing more
important than ever.

Importance of Cyber Defense

At some point, every organization will encounter persistent threats that hinder its
business operations, such as the theft of sensitive data or the disruption of network
connectivity. These persistent threats are always knocking at an organization’s door, and
strengthening the defenses against them greatly improves the trust of the individuals who
depend on it.

Example of Cybersecurity Threats, Laws, and Regulations in Canada

Hacking

Hacking is gaining control or access to a computer system without authority. In Canada,
it is an offence to fraudulently obtain, use, control, access or intercept computer systems or
functions under the Criminal Code (R.S.C., 1985, c. C-46). The relevant provisions of the
Criminal Code that prohibit hacking (i.e., unauthorized access) are as follows:

Section 184: Any person who knowingly intercepts private communication, by means of
any electro-magnetic, acoustic, mechanical, or other device, is guilty of an indictable
offence carrying a maximum penalty of five years’ imprisonment (Ling et al., 2023).

Section 342.1: Any person who fraudulently obtains any computer services or intercepts
any function of a computer system – directly or indirectly – or uses a computer system
or computer password with the intent to do either of the foregoing, is guilty of an
indictable offence carrying a maximum penalty of 10 years’ imprisonment (Ling et al.,
2023).

Recently, in R. v. Senior, 2021 ONSC 2729, the Ontario Superior Court summarized the
essential elements required for the accused to be found guilty of an offence under
Section 342.1 of the Criminal Code and found the defendant guilty of unauthorized use
of a computer after running a license plate number contrary to York Regional Police
directives (Ling et al., 2023).

Section 380(1): Any person who defrauds another person of any property, money,
valuable security or any service is guilty of: (i) an indictable offence carrying a maximum
penalty of 14 years’ imprisonment where the value of the subject matter of the offence
exceeds $5,000; and (ii) an indictable offence or an offence punishable by summary
conviction carrying a maximum penalty of two years’ imprisonment where the value of
the subject matter of the offence is under $5,000 (Ling et al., 2023).

Section 430(1.1): Any person who commits mischief to destroy or alter computer data;
render computer data meaningless, useless or ineffective; obstruct, interrupt or
interfere with the lawful use of computer data; or obstruct, interrupt or interfere with a
person’s lawful use of computer data who is entitled to access it, is guilty of: (i) an
indictable offence punishable by imprisonment for life if the mischief causes actual
danger to life; (ii) an indictable offence or an offence punishable on summary conviction
carrying a maximum penalty of 10 years’ imprisonment where the value of the subject
matter of the offence exceeds $5,000; and (iii) an indictable offence or an offence
punishable on summary conviction carrying a maximum penalty of two years’
imprisonment where the value of the subject matter of the offence is under $5,000 (Ling
et al., 2023).

Denial-of-service attacks

According to Section 430(1.1) of the Criminal Code, it is an offence to obstruct, interrupt
or interfere with the lawful use of computer data or to deny access to computer data to a
person who is entitled to access it; the maximum penalty for such an offence is 10 years’
imprisonment where the offence relates to property with a value exceeding $5,000 (Ling et al.,
2023).

Phishing

Phishing may constitute fraud according to Section 380(1) of the Criminal Code. For
example, in R. v. Usifoh, 2017 ONCJ 451, the accused was convicted of fraud relating to an
email phishing scam emanating out of Nigeria and Dubai where he lured victims into sending
funds. The maximum penalty for offences under Section 380(1) of the Criminal Code is 14
years’ imprisonment (Ling et al., 2023).

The Criminal Code also covers several other types of cybercrime:

1. Infection of IT systems with malware (including ransomware, spyware, worms, trojans
and viruses). According to Section 430(1.1) of the Criminal Code, it is an offence to
commit mischief in connection with computer data, as noted above. The maximum
penalty for such an offence is 10 years’ imprisonment where the value of property in
question exceeds $5,000; however, if a human life is endangered, offenders can be
liable to life imprisonment (Ling et al., 2023).
2. Distribution, sale or offering for sale of hardware, software or other tools used to
commit cybercrime. It is an offence under Section 342.2 of the Criminal Code to –
without lawful excuse – sell or offer for sale a device that is designed or adapted
primarily to commit cybercrime, knowing that the device has been used or is intended
to be used to commit a cybercrime that is prohibited under Sections 342.1 or 430 of the
Criminal Code (Ling et al., 2023).
3. Possession or use of hardware, software or other tools used to commit cybercrime. It is
an offence under Section 342.2 of the Criminal Code to – without lawful excuse –
possess, import, obtain for use, distribute, or make available a device that is designed or
adapted primarily to commit cybercrime, knowing that the device has been used or is
intended to be used to commit a cybercrime that is prohibited under Sections 342.1 or
430 of the Criminal Code (Ling et al., 2023).
4. Identity theft or identity fraud (in connection with access devices). Sections 402.2 and
403 of the Criminal Code prohibit identity theft and identity fraud, respectively. With
respect to identity theft, it is an offence to obtain or possess another person’s identity
information with the intent to use it to commit an indictable offence like fraud, deceit,
or falsehood. Furthermore, any person who transmits, makes available, distributes,
sells, or offers another person’s identity information for the same purposes will be guilty
of a criminal offense (Ling et al., 2023).
Regarding identity fraud, it is an offence to fraudulently personate another person,
living or dead, with the intent to:
i. gain advantage for themselves or another person
ii. obtain any property or interest in any property.
iii. cause disadvantage to the person being personated or another person.
iv. avoid arrest or prosecution or to obstruct, pervert or defeat the course of justice.
5. Electronic theft (breach of confidence by a current or former employee, or criminal
copyright infringement). Electronic theft is not specifically covered by the Criminal Code;
however, depending on how the electronic theft is carried out and what is stolen, it may
be considered an indictable offence under one of the many prohibitions against
fraudulent transactions found in the Criminal Code. For example, any deceit, falsehood,
or fraud by a current or former employee to knowingly obtain a trade secret, or
communicate or make available a trade secret, is prohibited under Section 391(1) of the
Criminal Code. Similarly, it is an offence under Section 342.1 of the Criminal Code to
fraudulently obtain any computer service, which includes data processing and the
storage or retrieval of computer data (Ling et al., 2023).
In addition to the foregoing, Section 322 of the Criminal Code deals with theft generally.
Many of the prohibitions in Section 322 against theft would cover electronic theft as
well. For example, a person commits theft when he/she fraudulently and without color
of right takes or converts to his/her use anything with intent to deprive – temporarily or
absolutely – the owner of his/her thing, property, or interest therein. That said, the
Supreme Court of Canada’s historical approach to electronic theft is that non-tangible
property, other than identity theft, is not considered property (see R. v. Stewart, [1988]
1 SCR 963) for the purposes of Section 322 of the Criminal Code. This interpretation has
since been applied to data and images, which also cannot be the subject of theft under
Section 322, although they can be the subject of other criminal offences (Ling et al.,
2023).
It is also a criminal offence to circumvent technological protection measures, or
manufacture, import, distribute, offer for sale or rental, or provide technology, devices,
or components for the purposes of circumventing technological protection measures
under Section 41.1 of the Copyright Act. Knowingly circumventing technological
protection measures for commercial purposes is a criminal offence under Section
42(3.1) of the Copyright Act and can carry a maximum penalty of a $1 million fine
and/or five years’ imprisonment (Ling et al., 2023).
Canadian privacy laws, including legislation relating to personal health information, also
contain provisions prohibiting the unauthorized collection, use, disclosure, and access to
personal information (“PI”). For example, under Section 107 of Alberta’s Health
Information Act, RSA 2000, c. H-5, it is an offence to collect, gain, or attempt to gain
access to personal health information in contravention of the Act (e.g., by way of
electronic theft without the authorization of the relevant data subject); the maximum
penalty for such an offence is a fine of $200,000 for individuals, and $1 million for any
other person (Ling et al., 2023).
6. Unsolicited penetration testing (i.e. the exploitation of an IT system without the
permission of its owner to determine its vulnerabilities and weak points). Unsolicited
penetration testing may be considered an offence under Section 342.1 of the Criminal
Code. Under Section 342.1, individuals are prohibited from fraudulently, and without
color of right, obtaining, directly or indirectly, any computer service, or intercepting or
causing to be intercepted, directly or indirectly, any function of a computer system.
Unsolicited penetration testing may also be considered mischief under Section 430(1.1)
of the Criminal Code (Ling et al., 2023).
7. Any other activity that adversely affects or threatens the security, confidentiality,
integrity or availability of any IT system, infrastructure, communications network,
device, or data. Pursuant to Section 184 of the Criminal Code, it is an offence for any
person to knowingly intercept a private communication by means of any electro-
magnetic, acoustic, mechanical, or other device, which is punishable by a maximum
penalty of five years’ imprisonment. Although the concept of “intercepting” generally
requires the listening or recording of contemporaneous communication, in R. v. TELUS
Communications Co., [2013] 2 SCR 3, unlawful interception also applied to the seizing of
text messages that were stored on a telecommunication provider’s computer (Ling et
al., 2023).
Moreover, under Section 83.2 of the Criminal Code, any person who commits an
indictable offence under this or any other Act of Parliament for the benefit of, at the
direction of or in association with a terrorist group is guilty of an indictable offence and
liable to imprisonment for life. The definition of a “terrorist activity” under Section
83.01 includes an act that causes serious interference with or serious disruption of an
essential service, facility, or system, whether public or private, other than because of
non-violent advocacy, protest, dissent, or stoppage of work; this may include
“cyberterrorism” (Ling et al., 2023).
Under Section 19 of the Security of Information Act (R.S.C., 1985, c. O-5), it is also an
offence for any person to fraudulently, and without color of right, communicate a trade
secret to another person, or obtain, retain, alter, or destroy a trade secret to the
detriment of Canada’s economic interests, international relations, or national
defense/national security. The maximum penalty under Section 19 is 10 years’
imprisonment (Ling et al., 2023).
Cybersecurity laws and legislation (2023)

Different cybersecurity laws apply depending on the geographical jurisdiction. The applicable
law may be that of the place where an individual resides, or it may be entirely different. It is
important to be aware of these laws to avoid conflict with the local authorities wherever you
travel or reside. Below are some examples of cybersecurity laws by region.

1. The United States

Operating in the United States requires compliance with several laws dependent upon
the state, industry, and data storage type (Brands, 2023).
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that
protects patient health information. If you provide cloud hosting services to a healthcare
provider, you must ensure your systems adhere to healthcare cybersecurity regulations
(Brands, 2023).
The Gramm-Leach-Bliley Act (GLBA) regulates the collection and handling of financial
information. Any organization that collects or stores financial data must comply with
this law (Brands, 2023).
The Payment Card Industry Data Security Standard (PCI DSS) sets rules for safeguarding
consumer credit card data. Any MSP that processes payment card data must be
compliant with this regulation. Additionally, if you have clients in the financial services
sector, you may be subject to the New York Department of Financial Services (NYDFS)
cybersecurity regulation (Brands, 2023).
NYDFS regulation is expanding, making it a very important legislative body to MSPs and
IT professionals nationwide. Recent additions to the NYDFS regulations require more
stringent notification procedures, specifically when it comes to ransomware
deployment. These new requirements affect leadership responsibility, stress the
importance of sound vulnerability assessments, and incident and disaster response and
recovery. While these regulations only apply to the New York jurisdiction now, they
could be foreshadowing for other state’s reporting requirements soon (Brands, 2023).
The Executive Order on Improving the Nation’s Cybersecurity, signed in 2021, was
created in the wake of several high-profile security incidents in the U.S. The goal was to
modernize cybersecurity by implementing protected networks for federal institutions to
better respond to cyber incidents and improving collaboration between the public and
private sectors (Brands, 2023).
NIST 800-53 is a set of guidelines issued by the U.S. National Institute of Standards and
Technology that regulates how governmental agencies approach cybersecurity. Though
geared towards governmental bodies, 800-53 shares many components related to The
NIST Cybersecurity Framework which provides public and private organizations alike
with a comprehensive set of best practices for protecting systems from cyberattacks
(Brands, 2023).
Recently, the Securities and Exchange Commission (SEC) has also weighed in on
cybersecurity regulations in the U.S. The financial regulatory body recently passed
legislation demanding cybersecurity disclosures from organizations operating within the
industry. This “final rule” governs cybersecurity management, incident reporting,
governance, and strategy disclosures (Brands, 2023).
Capitol Hill is also changing the U.S.’s cybersecurity regulation landscape. Recently, D.C.
lawmakers passed a $1.7 trillion spending bill for the Department of Defense. The entire
bill, spanning nearly 5,000 pages, covers several different initiatives; the most pertinent
to our industry is the pledge of $2.9 billion worth of funding to the Cybersecurity and
Infrastructure Security Agency (Brands, 2023).
This $2.9 billion “shot in the arm” to the organization will cover initiatives to bolster
overall federal cybersecurity protection, protect civilian networks that may interface
with lesser levels of government, improved threat hunting, emergency communications
preparedness, and expanding regional operations (Brands, 2023).
2. The European Union
The European Union has enacted several data privacy laws to protect the personal
information of its citizens. The General Data Protection Regulation (GDPR) is one of the
most important regulations to be aware of, as it sets out the requirements for collecting,
storing, and processing personal data (Brands, 2023).
Some of the key features of the GDPR involve the following:
a. Providing clear and transparent information on how data is being collected,
stored, and used.
b. Establishing protocols for responding to data breaches.
c. Ensuring data is only kept for as long as necessary.
3. The United Kingdom
The Data Protection Act (DPA) is a law in the UK regulating personal data handling.
Passed in 2018, it replaces the previous Data Protection Act (1984), which laid out data
processing requirements for organizations, including MSPs (Brands, 2023).
The DPA requires organizations to inform customers about their data handling practices
and provide a way for customers to access and delete their data. It also sets out
requirements for handling data breaches, preventing unauthorized access, and ensuring
secure data disposal (Brands, 2023).
Cyber Essentials is like NIST in the US because it is a government-backed set of
cybersecurity standards that organizations are encouraged to follow. In fact, to bid on
government contracts, organizations must be certified for Cyber Essentials (Brands,
2023).
MSPs operating in the UK must also pay attention to new Network and Information
Systems (NIS) regulations. Piggybacking off a £2.6 billion government cybersecurity
initiative, the new rules are designed to bolster the cyber resilience of at-risk businesses
(Brands, 2023).
Since MSPs are third-party vendors who remotely access sensitive data in some of the
world’s most important industries (i.e., healthcare, finance, etc.), they are now in the
crosshairs of the new cybersecurity regulations. The new legislation focuses on more
stringent reporting requirements to governmental bodies like Ofcom, Ofgem, and the
Information Commissioner’s Office (Brands, 2023).
4. ASEAN/Oceania
Though ASEAN countries have yet to pass an overarching regulatory framework, the
Association of Southeast Asian Nations announced a Cybersecurity Cooperation Strategy
that adopts many vital tenets of the GDPR and DPA. This includes protecting personal
data, ensuring secure data storage and disposal protocols, and informing customers of
their rights related to cybersecurity (Brands, 2023).
With a comprehensive framework in place, managed service providers can ensure that
their cybersecurity practices comply with the laws of each country in the region (Brands,
2023).
In Australia, there is already a general standard for cybersecurity professionals to follow:
the ACSC Essential 8. Like Cyber Essentials and the NIST framework, these are a set of
mitigation strategies and controls that help protect Australian businesses from
cyberthreats. This primarily focuses on protecting Microsoft Windows-based network
connections but can also be applied to other platforms (Brands, 2023).

Moral Responsibility in Cyber Defense

Cyber-attacks are targeted attacks. As such, every individual and organization has the
moral responsibility to equip themselves for these situations. First, individuals working in cyber
defense have a moral responsibility to act ethically and with integrity. This includes honoring
the rights and privacy of individuals, as well as ensuring that the defense measures are
adequate. In addition, organizations that provide cyber defense services also have a moral
responsibility to act ethically and with integrity. Organizations need to ensure that their policies
and employees are properly aligned with the standards of cyber security and are able to handle
cyber threats, as well as implementing systems and countermeasures to protect the data and
privacy of everyone involved. Lastly, governments have a moral responsibility to protect their
citizens from cyber-attacks. They implement appropriate laws and regulations to make sure
that cyber defense measures are effective, and update them as necessary since technology
keeps evolving. With this said, defending against cyber-attacks is a necessity in the day-to-day
life of every individual.

How can organizations effectively employ cyber defense tactics?

Protect your organization from insider threats. For the average organization, 23% of
cyber incidents emerge from malicious insiders (Cybertalk, 2022).

Obtain threat intelligence tools and share threat intelligence information with
competitors or adjacent organizations. Threat intelligence can help you see which threats pose
the greatest risk to your infrastructure, enabling you to devise a plan to protect your resources
(Cybertalk, 2022).

How can leaders take a stance on cyber defense?

Invest in operational speed: Leaders prioritize moving fast when it comes to breach
detection and breach response. You want to be able to evaluate the number of systems
impacted by an attack, the duration of the incident, and where the organization could improve
in terms of isolating cyber incidents (Cybertalk, 2022).

Learn from your initiatives: Data shows that among organizations that are good at
scaling, they’re also four times better than average at identifying and defending against cyber
security attacks. This suggests that certain mentalities and ways of thinking can assist
organizations in expanding and enhancing their cyber defense (Cybertalk, 2022).

Promote collaboration: Research indicates that organizations with better collaboration
capabilities are two times better than average at defending against attacks, protecting their
attack surfaces, and ensuring that regulatory requirements are met (Cybertalk, 2022).

Preventing Attacks
In their article, the authors ask whether organizations are allowed to use the following
measures to protect infrastructure that is technically within their own jurisdiction
(Ling et al., 2023). Examples of measures for preventing attacks are the following:

(i) Beacons are imperceptible, remotely hosted graphics inserted into content to trigger
a contact with a remote server that will reveal the IP address of a computer that is
viewing such content (Ling et al., 2023).
Canadian privacy laws require users to provide consent to and/or be provided with
sufficient notice of the collection, use and disclosure of their PI, and an opportunity
to withdraw such consent (Ling et al., 2023).
(ii) Honeypots are a type of security mechanism that is used to attract and identify
attackers. For example, digital traps designed to trick cyber threat actors into acting
against a synthetic network, thereby allowing an organization to detect and
counteract attempts to attack its network without causing any damage to the
organization’s real network or data (Ling et al., 2023).
The use of honeypots is not expressly prohibited under applicable Canadian laws,
and, to our knowledge, there is currently no case law that provides further guidance.
That said, the general application of Canadian privacy laws relating to the collection,
use or disclosure of PI applies notwithstanding that they may be used defensively
(Ling et al., 2023).
(iii) Sinkholes are used to redirect malicious traffic. For example, they are measures that
re-direct malicious traffic away from an organization’s own IP addresses and servers,
and they are commonly used to prevent DDoS attacks (Ling et al., 2023).
The use of sinkholes is not expressly prohibited under applicable Canadian laws, and,
to our knowledge, there is currently no case law that provides further guidance.
That said, the general application of Canadian privacy laws relating to the collection,
use or disclosure of PI applies notwithstanding that they may be used defensively
(Ling et al., 2023).
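As an added example that is not part of this paper or of the Ling et al. source, the following Python sketch simulates the sinkhole measure described in item (iii): a resolver answers queries for names on a threat-intelligence blocklist with a sinkhole address instead of the real one, and records each such query so the defender can see which internal hosts are probably compromised. The blocklist, sinkhole address, query log, pseudonymisation key and retention period are all constructed for the demo. The logging step is where the privacy point of this section arises: even a purely defensive control collects client IP addresses (PI), so the example stores a keyed pseudonym rather than the raw address and purges records once a retention period has passed.

```python
"""Toy DNS sinkhole with privacy-aware logging (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set
import hashlib
import hmac


@dataclass
class SinkholeEvent:
    ts: float          # time the query was seen (seconds; constructed clock)
    client_id: str     # pseudonymised client identifier, never the raw IP
    qname: str         # the name the client asked for


@dataclass
class Sinkhole:
    blocklist: Set[str]        # domains identified as malicious (constructed)
    sinkhole_ip: str           # address the sinkhole server listens on
    pseudonym_key: bytes       # secret used to pseudonymise client IPs
    retention_seconds: float   # how long sinkhole records may be kept
    events: List[SinkholeEvent] = field(default_factory=list)

    def is_blocked(self, qname: str) -> bool:
        """True if qname is a blocklisted domain or any subdomain of one."""
        name = qname.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in self.blocklist)

    def pseudonymise(self, client_ip: str) -> str:
        """Keyed hash of the client address: stable for correlation, not reversible without the key."""
        return hmac.new(self.pseudonym_key, client_ip.encode(), hashlib.sha256).hexdigest()[:16]

    def resolve(self, client_ip: str, qname: str, now: float) -> Optional[str]:
        """Return the sinkhole address for blocked names, or None to let the query pass through."""
        if not self.is_blocked(qname):
            return None
        self.events.append(SinkholeEvent(now, self.pseudonymise(client_ip), qname))
        return self.sinkhole_ip

    def suspected_hosts(self) -> Set[str]:
        """Pseudonymised hosts that tried to reach a blocklisted name (likely infected)."""
        return {e.client_id for e in self.events}

    def purge_expired(self, now: float) -> int:
        """Drop records older than the retention period; returns how many were removed."""
        before = len(self.events)
        self.events = [e for e in self.events if now - e.ts < self.retention_seconds]
        return before - len(self.events)


def build_demo_sinkhole() -> Sinkhole:
    # All values below are constructed for the demo; a real deployment would
    # take the blocklist from a threat-intelligence feed and the key from a secret store.
    return Sinkhole(
        blocklist={"bad-example.test", "c2-example.invalid"},
        sinkhole_ip="10.255.255.1",
        pseudonym_key=b"demo-key-replace-in-production",
        retention_seconds=7 * 24 * 3600,
    )


def run_demo() -> dict:
    sh = build_demo_sinkhole()
    # Constructed query log: (time, client IP, queried name)
    queries = [
        (0.0, "192.0.2.10", "www.bad-example.test."),
        (5.0, "192.0.2.10", "example.com"),
        (60.0, "192.0.2.23", "C2-EXAMPLE.INVALID"),
        (120.0, "192.0.2.44", "docs.example.org"),
    ]
    answers = [sh.resolve(ip, q, t) for t, ip, q in queries]
    suspected = len(sh.suspected_hosts())
    # Eight days later the records have outlived the 7-day retention period
    purged = sh.purge_expired(now=8 * 24 * 3600 + 1.0)
    return {"answers": answers, "suspected": suspected,
            "purged": purged, "remaining": len(sh.events)}


if __name__ == "__main__":
    print(run_demo())
```

The two blocked queries come from two different hosts, so the defender learns that two internal machines are probably compromised without ever storing their addresses in the clear; after the retention period the records are removed, which is the data-minimisation behaviour the privacy laws discussed above expect even of defensive controls.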

In addition, are organizations permitted to monitor or intercept electronic
communications on their networks, including the email and internet usage of employees, to
prevent or mitigate the impact of cyber-attacks? Employee monitoring is generally permissible
under Canada’s privacy legislation, but it must be carried out in compliance with such laws, and
for a reasonable purpose, such as preventing, detecting, mitigating, and responding to cyber-
attacks (Ling et al., 2023).

Does your jurisdiction restrict the import or export of technology (e.g. encryption software and
hardware) designed to prevent or mitigate the impact of cyber-attacks? Canada has export
controls in place to ensure that exports of certain goods and technology (e.g., military, and
dual-use technologies) are consistent with national foreign and defense policies (Ling et al.,
2023).

What Are Ethics in Cybersecurity?

Ethics can be described as ideals and values that determine how people live and,
increasingly, how businesses and their employees work (Chin, 2023). While ethics is not directly
related to technical topics such as networking and device configuration, it is important that
the individuals who operate these technologies be equipped with these ideals, which can be
built into a company’s corporate structure. The benefit of a strong ethical foundation is that
individuals will make ethical decisions in a rapidly changing technology environment. With the
world experiencing massive changes in artificial intelligence and in data collection and
processing, it is inevitable that individuals grow wary of how well their personal information is
protected.

The cyber threat is rapidly evolving, and governments and businesses must make ethical
decisions that protect the credibility of their cyber defense and protect innocent individuals
against attackers. New technologies mean that networks and countermeasures must keep pace
in terms of cyber security.

General Ethical Principles

The General Ethical Principles section makes the following assertions about the role of
computing professionals (Chin, 2023). Computing professionals should:

1. Use their skills to benefit society and people’s well-being and note that everyone is a
stakeholder in computing.
2. Avoid negative and unjust consequences, noting that well-intended actions can result in
harm that they should then mitigate.
3. Fully disclose all pertinent computing issues and not misrepresent data while being
transparent about their capabilities to perform necessary tasks.
4. Demonstrate respect and tolerance for all people.
5. Credit the creators of the resources they use.
6. Respect privacy, using best cybersecurity practices, including data limitation.
7. Honor confidentiality, including trade secrets, business strategies, and client data.

Professional Responsibilities

The Professional Responsibilities section also says that computing professionals must
prioritize high-quality services, maintain competence and ethical practice, promote computing
awareness, and perform their duties within authorized boundaries (Chin, 2023).

1. Strive to achieve high quality in both the processes and products of professional work.
2. Maintain high standards of professional competence, conduct, and ethical practice.
3. Know and respect existing rules pertaining to professional work.
4. Accept and provide an appropriate professional review.
5. Give comprehensive and thorough evaluations of computer systems and their impacts,
including analysis of possible risks.
6. Perform work only in areas of competence.
7. Foster public awareness and understanding of computing, related technologies, and
their consequences.
8. Access computing and communication resources only when authorized or when
compelled by the public good.
9. Design and implement systems that are robust and usably secure.

Professional Leadership Principles

Professional Leadership pertains to any position within an organization that has influence or
managerial responsibilities over other members and has increased responsibilities to uphold
certain values set by the organization (Chin, 2023).

1. Ensure that the public good is the central concern during all professional computing
work.
2. Articulate, encourage acceptance of, and evaluate fulfillment of social responsibilities by
the organization or group members.
3. Manage personnel and resources to enhance the quality of working life.
4. Articulate, apply, and support policies and processes that reflect the principles of the
Code.
5. Create opportunities for members of the organization or group to grow as professionals.
6. Use care when modifying or retiring systems.
7. Recognize and take special care of systems that become integrated into the
infrastructure of society.

Compliance with the Code

Compliance with the Code of Ethics is the only way to ensure cybersecurity professionals
uphold certain ethical standards. Without enforcement of the Code of Ethics or similar ethical
considerations, it is impossible to document and recognize adherence to ethics and social
responsibility (Chin, 2023).

Corporate Social Responsibility and Cybersecurity

Modern businesses are obligated to protect the large amounts of data they process.
Cybersecurity helps prevent infiltration of networks and data breaches that threaten the
confidentiality of information. There is so much at stake that cybersecurity professionals should
be willing to come under scrutiny from those inside and outside the field (Chin, 2023).
“Cyber ethics encapsulates common courtesy, trust, and legal considerations” (Chin, 2023).
Cyber security professionals should always protect individuals. The following considerations
explore different effective cyber security approaches and how poor cyber security is not only
potentially unethical but also ineffective.

1. Information Security
Businesses have a moral obligation to protect their customers. They benefit from data
that allows them to operate and can give them a competitive advantage, but they need
to protect that information from hackers and accidental leaks (Chin, 2023).
Unfortunately, businesses that are hacked are often at fault. While nobody deserves to
be hacked, a business’s moral obligations to consumers are such that they are expected
to have adequate cybersecurity for their computer systems and respond promptly and
decisively in the event of a cyber incident (Chin, 2023).
Equifax’s 2017 breach is a prime example of a business that damaged its reputation through
inadequate cybersecurity and a poor response to the attack. It was hacked around May 2017
but did not disclose the breach until September (Chin, 2023).

2. Transparency
Ethically, businesses should be prepared to disclose the risks inherent to the business if
they could substantially affect people, whether customers, business partners, or their
supply chain (Chin, 2023).
Data breach reporting is a significant part of a business’s transparency. While reporting
a breach highlights a business in crisis, failing to report promptly can lead to a more
significant loss of trust, criticism from industry professionals, and sometimes, as in
Equifax’s case, action from investigators (Chin, 2023).
Even if a business operates in an unregulated industry or a cyber-attack does not cause
business disruption or affect clients, reporting all data breaches is a worthwhile ethical
consideration. The more businesses report cyber-attacks, the more information there is
for cybersecurity experts and industry professionals to share and learn from. This
protects other businesses and their clients from emerging threats (Chin, 2023).
3. Security vs. Privacy Protection
A clear example of an ethical dilemma in cybersecurity is that privileged professionals have
access to sensitive information. To counter attackers, cybersecurity professionals set
access privileges and monitor network activity. They can scan personal machines and
therefore can also read personal files, so the same capability can either protect or
compromise an individual’s privacy.
Collecting data leads to ethical questions, but so does protecting it (Chin, 2023).
Everyone deserves their privacy. But how do businesses and organizations protect the
data once it has been collected?
4. Confidentiality
Cybersecurity professionals need to demonstrate their moral standards when handling
sensitive data (Chin, 2023). During daily duties, cybersecurity professionals will have
access to confidential data and files, and this could include sensitive data such as payroll
details, private emails, and medical records (Chin, 2023).
Intellectual property theft is one of the most expensive cybercrimes, as stealing vital
information can harm both individuals and businesses and gives the attacker an unfair
advantage. In a critical infrastructure industry such as defense or healthcare, intellectual
property theft can even pose a serious risk to human life (Chin, 2023).
5. Security
Cybersecurity professionals cannot afford a lapse of concentration, since responsibility for
others’ information security is a major contractual and ethical obligation. Cybersecurity
professionals must maintain their level of competence, respect the privacy of sensitive
information, and uphold the well-being of those they serve. This requires honesty from team
members in evaluating their skills, abilities, and alertness, and in taking the appropriate
action to stay on top of their game (Chin, 2023).
6. Ethical Hacking
Ethical hacking refers to authorized, planned hacking carried out by businesses or
governments to discover their own vulnerabilities and security gaps. Ethical hackers attempt
to find and exploit vulnerabilities to break into information systems, so that those issues
can be fixed before cybercriminals find them. To protect data from hackers, particularly
when attackers are using increasingly sophisticated methods and rapidly advancing
technologies, cybersecurity professionals must use the same techniques (Chin, 2023).
Cybersecurity professionals need to understand how black hat hackers commit crimes, such
as stealing credit card data (Chin, 2023).
Cyber professionals must be aware of computer ethics since what they do gives them
access to privileged information. This is especially true for professionals working in
critical infrastructure, including defense, healthcare, finance, and manufacturing, where
the consequences of unethical actions regarding sensitive data could cause serious harm
to individuals, organizations, and the economy (Chin, 2023).
7. Whistleblowing
Whistleblowing refers to someone, typically an employee, reporting their organization’s
wrongdoing. A whistleblower’s objection might be that the organization or someone in it is
acting illegally, fraudulently, immorally, or without proper regard for safety or human
rights. Furthermore, the issue should be in the public interest (Chin, 2023).
If a cybersecurity expert reveals confidential information to stop a harmful practice, the
objective is good, but how they achieved this breaks the ethical confidentiality essential
to that employee-employer relationship (Chin, 2023).

Conclusion

Astra’s 2023 statistics report about 2,200 cyber attacks per day, an average data breach
cost of $9.44 million, and a predicted global cost of cybercrime of $8 trillion by the end of
2023 (Palatty, 2023). There is an obvious need for cyber defense, whether as a personal
responsibility, a corporate responsibility, or a government responsibility. First, as an
individual, there are many tools available to protect your data and keep your identity
private. Using the available technology and learning more about protection is part of being
a responsible individual in a technological community. Second, any business is held
responsible for the data it collects from its consumers; for example, by hiring cybersecurity
experts and maintaining an adequate network and security infrastructure to protect against
data loss and reputational damage. Lastly, governments are responsible for enacting laws and
enforcing consequences for attackers, for strong cyber defense against international threats,
and for delivering proper verdicts against those who take the law lightly.

The laws that apply depend on the country of jurisdiction. In Canada alone, there were
74,073 police-reported cases of cybercrime in 2022, compared with 15,184 cases in 2014
(Petrosyan, 2023). Around the world, only 156 countries (80 percent) have cybercrime
legislation (UNCTAD, n.d.). Evolving cybercrime leads governments to implement new laws
against it. However, cybersecurity experts and lawmakers need to take the moral and ethical
standards at hand into consideration, especially when it comes to data privacy and data
breaches. Although exploitation is the common goal of a hacker, any individual with the power
to see and control data has a moral and ethical duty to handle that data diligently. With this
in mind, technology has come a long way, and the rise of AI makes this concerning. Will AI
systems recognize moral and ethical standards in their algorithms, or will people in the
community never feel secure about their overall privacy and protection?

Reference

Chin (2023). Cybersecurity and Social Responsibility: Ethical Considerations. https://www.upguard.com/blog/cybersecurity-ethics

Ling et al. (2023). Cybersecurity Laws and Regulations Canada 2024. https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/canada

Brands (2023). Cybersecurity laws and legislation (2023). https://www.connectwise.com/blog/cybersecurity/cybersecurity-laws-and-legislation

Cybertalk (2022). What is cyber defense? https://www.cybertalk.org/what-is-cyber-defense/

Palatty (2023). 160 Cybersecurity Statistics 2023. https://www.getastra.com/blog/security-audit/cyber-security-statistics/

Petrosyan (2023). Number of police-reported cyber crimes in Canada 2014-2022. https://www.statista.com/statistics/613374/police-reported-cybercrimes-canada/

UNCTAD (n.d.). Cybercrime Legislation Worldwide. https://unctad.org/page/cybercrime-legislation-worldwide