Most people recognize that humans are fallible, but this fact can have dire consequences for those whose jobs entail protecting life or assets. Within the cyber realm, insiders are often responsible for cybersecurity incidents, resulting in a US billion-dollar security awareness computer-based training market.1 Many vendors purport to bolster the proverbial human firewall, but awareness training alone is insufficient. There is increasing attention given to using human psychology to positively influence end user behavior,2 particularly in the context of organizational culture, after years of not properly addressing human factors in information security plans.3
In a previous column, I noted an increase in conversations surrounding ethics within the workplace. This is not surprising as the overarching issue of soft skill deficiencies in the cybersecurity workforce has outpaced technical skills shortfalls.4 A topic that may come up during such a conversation is the notion of “doing the right thing.” On the surface, this does not sound difficult to practice. I, for one, can honestly say that I have not lived my entire life on the straight and narrow. In fact, facets of my former career entailed operating in proverbial grey areas. While it was easy to live with myself in my earlier days, it was not until a milestone promotion in the US Navy that I turned a page to appreciate and model better behavior and take often unpopular, albeit necessary, positions on certain matters.
Defining Ethics, Morals and Values
To better understand the nuance of ethics within the workplace, it is important to note that ethics, morals and values are not synonymous and vary based on one’s culture, which can change.5 An article from the University of Cincinnati (Ohio, USA) defines these terms as follows:
- Ethics—A structured system of principles that govern appropriate conduct for a group, including activities such as professional ethics, compassion, commitment, cooperation
- Morals—Society's standards of right and wrong, very similar to ethics
- Values—An individual's accepted standards of right or wrong 6
What follows is a unique example of why it is important to distinguish these terms from each other. Prior to my employment at ISACA®, I had an opportunity to sit for a full scope polygraph7 required for additional employment opportunities within the US intelligence community. Polygraphs are not unusual, and members of the US intelligence community are typically subjected to 1 of 3 variants, depending on their position, every 5 years. I did not pass the polygraph, which came as no surprise since I (and countless others) often must retest multiple times before the examiner deems us to be of acceptable risk. Of note, the scientific community and the US Supreme Court question the reliability and validity of polygraph techniques.8 For me, each examination literally felt like it took 5 years off my life. What shocked me most, though, was being told by the examiner that I would need to find a way to “check my morals” if I were ever going to pass. Think about that for a moment. My personal values—which the examiner mistook for morals—cause me anxiety attributed to regretting past personal indiscretions (never amounting to legal trouble). Yet they, and by extension, I, were somehow viewed as a larger liability than those who take the same test and never feel conflicted about mistakes nor are interested in self-improvement.
Rethinking Organizational Culture
Between ethics, morals and values, only ethics can be explicitly codified with any success, for example through associated codes of conduct (i.e., ethics policies) by credentialing bodies. This begs the question within the greater IT industry overrun by credentials—all of which require attestation to some code of conduct that includes ethical behavior—why the challenges of conformance? I believe it boils down to organizational culture.
Earlier in my career, I served as an information security manager and led computer network defense for a sizeable organization. In the early days, I received a proper education as to the limited appetite leadership had for standard setting and enforcement. On multiple occasions an employee, due to their position, could unduly influence the ramifications of policy violations. It was beyond frustrating. In the years since, I have both been a part of and a witness to positive change in the management/employee relationship vis-à-vis policy enforcement, but far too many still share similar stories. As a profession, we can and must do better.
I realize there are many out there who do the proverbial right thing and take decisive, ethical action even in the face of potentially conflicting workplace policies. If the organizational environment is supportive of the “right” decisions, obviously there is no strife. However, many stories from the frontlines paint a different picture. In the workplace, speaking out9 or making unpopular decisions may manifest as passive aggression, stonewalling, retaliation or even termination of employment.10, 11 While labor laws are influential factors, just because something is permissible does not mean it is moral. Though some may seek legislative action to enforce moral behavior, I believe it is naïve to think morality can be effectively legislated in all instances. If one considers the definition of ethics to be the appropriate conduct of a group, cultural factors including personal, societal and organizational influences come into play. How these manifest from one enterprise to another and one region to another will differ.
Returning to the definitions of ethics, morals and values, the latter applies to individuals and morals are tied to society, whereas ethics establish expected conduct for groups. Values are typically adopted from others,12 so it stands to reason that standard-setting bodies and organizational culture can shape one’s values. Many people have a greater appreciation for interpersonal relationships after experiencing the effects of the COVID-19 pandemic and the required technical mitigations faced by organizations.
But there is still work to be done. To further improve organizational culture, my best advice is to rely on data. Data-driven decisions and transparency in means and methods can diffuse emotional responses. It is my experience that few leadership decisions are popular with all staff. Technology fields have long struggled with adaptation to a business focus. Put simply, enterprise leaders make return on investment (ROI) decisions using data. Alternatively viewed as risk vs. reward, the question many ask themselves is, "How much of a factor should personal integrity and adherence to codes of conduct be in carrying out duties when faced with policies or situations that make us uncomfortable?”
Conclusion
The IT industry is cluttered with acceptable use policies, terms of agreement and codes of conduct intended to guide appropriate behavior—many of which are not uniformly enforced. Those in policy enforcement positions may take the stance that a user was told what they could or could not do, and violators get what they deserve. Conversely, stories are told of repeat offenders who continually put others in harm’s way without recourse. There are no simple answers, but in the face of adversity, are you willing to do the right thing even if you stand alone?
Endnotes
1 Sjouwerman, S.; ”Some Interesting Security Awareness Computer-Based Training Numbers,” KnowBe4, 30 May 20212 Columbia Southern University, Orange Beach, Alabama, USA, “How Human Behaviors Affect Cybersecurity,” The Link, 5 February 2021
3 Nobles, C.; “Botching Human Factors in Cybersecurity in Business Organizations,” Holistica, vol. 9, iss. 3, 2018
4 ISACA®, State of Cybersecurity 2021, Part 1: Global Update on Workforce, USA, 2021
5 Rieselman, D.; “What Are Values?” UC Magazine, University of Cincinnati, Ohio, USA, August 2005
6 Ibid.
7 ClearanceJobs, “The Differences Between Counterintelligence, Lifestyle, and Full Scope Polygraphs,” November 2018
8 EveryCRSReport.com, “The U.S. Intelligence Committee: Selected Cross-Cutting Issues,” 12 April 2016
9 Boogaard, K.; “Why Is Speaking Up at Work Important?,” Atlassian, 15 November 2018
10 Gonzalez, E.; “Workplace Retaliation: What Small Businesses Need to Know,” The Blueprint, 2 January 2021
11 Texas A&M University-Corpus Christi, USA, “How to Address Ethical Issues in the Workplace,” 26 October 2021
12 Taylor, J.; “Personal Growth: Your Values, Your Life,” Psychology Today, 7 May 2012
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CSAP, PMP
Is the director of professional practices and innovation at ISACA®. In this role, he leads information technology, information security, privacy and risk thought leadership initiatives relevant to the ISACA professional community. He serves ISACA departments as a subject matter expert on information security and spearheads innovative workforce readiness solutions and related performance assessments. Brandt is a highly accomplished US Navy veteran with nearly 30 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.