Ethics in IT — Week 1 · Ch. 3
Cyberattacks & Cybersecurity Ethics
Cybersecurity ethics is not about preventing every attack — it's about navigating the tradeoffs between competing values.
13 slides ~16 minutes ETH-03 · The Factionless
By the end of this module, you will identify the four core security tradeoffs, distinguish three classes of perpetrators, apply the reasonable-assurance proportionality standard, walk through an ethical incident response, and analyze the Sony Pictures breach.
Slide 2 of 13
The Four Core Security Tradeoffs
Every security decision sits on one of these four axes: privacy vs. safety, security vs. usability, disclosure vs. concealment, and access vs. availability. Pretending you don't choose is choosing.
The ethical question is proportionality: does the gain on one axis justify the cost on the other? "Maximum security" is a slogan, not an answer.
Slide 3 of 13
Incident Types
Five categories. Each carries a distinct set of ethical obligations — for the developer, the user, and the organization.
Malware
Software designed to disrupt, damage, or gain unauthorized access. Ethical issue: developer obligation to avoid creating or enabling harmful code.
Phishing
Social engineering to extract credentials or actions. Ethical issue: org obligation to train + implement controls; user obligation to exercise judgment.
DDoS
Distributed denial-of-service. Ethical issue: orgs may protect availability; the line is when defensive measures harm innocent third parties.
Insider Threat
Malicious or negligent acts by authorized users. Ethical issue: surveillance vs. privacy; obligations to users whose data is at risk.
Data Breach
Unauthorized access & exfiltration. Ethical issue: proportionate controls before; disclosure to affected parties after.
Pattern
Each incident type has both a before obligation (controls) and an after obligation (response). Both are ethical, not just operational.
Slide 4 of 13
Three Perpetrator Tiers
The threat actor changes the standard. Defending against each tier carries a different ethical bar: script kiddies (no excuse for failing), criminal organizations (proportionate controls expected), nation-states (a successful defense is not always achievable).
The standard isn't constant. An org that can't stop a nation-state hasn't necessarily failed ethically. An org that can't stop a script kiddie absolutely has.
Slide 5 of 13
Reasonable Assurance
The proportionality standard. Not "all risk eliminated" — "controls calibrated to obligations."
The negligence standard: failing to remediate known, patchable vulnerabilities — when a breach results — is ethically indefensible regardless of attacker sophistication. This is the line.
Slide 6 of 13
Incident Response Ethics
Five phases. Each has an ethical obligation distinct from the technical task.
1. Preparation: documented IR plan; train staff; establish law-enforcement and legal counsel relationships before an incident.
2. Detection: investigate promptly and thoroughly. Do not suppress findings that are inconvenient. Preserve evidence chain of custody.
3. Containment: limit harm to affected parties, not primarily to organizational reputation. Optics last.
4. Notification: notify affected parties promptly and completely. Legal minimums are a floor, not a ceiling. Delay to assess legal exposure at user cost is indefensible.
5. Recovery: implement genuine improvements, not optics. Post-incident review identifies what failed ethically as well as technically.
Slide 7 of 13
Disclosure: Floor vs. Ceiling
The legal clock is the floor. The ethical clock is sooner.
The temptation: use the legal window to assess legal exposure, prepare PR, coordinate with insurers. The ethical reality: every hour you delay, an affected party can't act to protect themselves. The clock that matters runs in their time, not yours.
Slide 8 of 13
Case Study: Sony Pictures Breach
November 2014. The breach exposed not just data; it exposed a proportionality failure.
The breach: attackers (attributed to North Korean state-sponsored actors) breached Sony Pictures Entertainment and exfiltrated approximately 100 terabytes of data: unreleased films, internal emails, executive compensation data, and the personal data of approximately 47,000 current and former employees — including SSNs and medical records.
The ethical failure preceded the breach. Sony had been warned about security vulnerabilities prior to the breach. Employee personal data — SSNs, medical records, salary data — was particularly exposed because it was not segregated or protected with controls appropriate to its sensitivity. The attacker triggered the exposure. Sony's security posture caused it.
100 TB
Data exfiltrated.
47,000
People whose SSNs and medical records were exposed.
Pre-warned
Sony was warned about vulnerabilities; warnings not adequately addressed.
Slide 9 of 13
The Three Failures
Reasonable assurance was not met on any of three counts. The attacker only made the failure visible.
Proportionality
Sony held medical records and SSNs for 47,000 people. Reasonable assurance required controls proportionate to that sensitivity. The controls in place were not adequate to that standard.
Known & Unaddressed
Pre-breach warnings about security vulnerabilities that were not remediated constitute a failure of reasonable assurance. Known, unpatched vulnerabilities + sensitive PII = ethical failure regardless of attacker sophistication.
Duty to Employees
47,000 people trusted Sony with their most sensitive personal data as a condition of employment. They did not choose to take that risk. The obligation ran to the user relationship — the employees — not only to the employer's interests.
The deeper failure: Sony's security posture was reactive. The data should have been segregated, encrypted, and monitored in proportion to its sensitivity before anyone attacked. Reasonable assurance is a before-the-incident standard. Treating it as an after-the-incident standard is the ethical failure.
Slide 10 of 13
What Would You Do?
The data is there. The patches aren't. The incident hasn't happened. Yet.
You are the CISO at a mid-sized entertainment company. You have an incident response plan. You become aware that the company holds the SSNs and medical data of 40,000 former employees in an unencrypted database that has not been patched in 18 months. The data is there because no one ever got around to deleting it after the HR system migration. What is your ethical obligation, and what does "reasonable assurance" require you to do before an incident occurs?
Triage NOW
Patch the database. If the patch can't be applied safely right away, isolate the database from the network or take it offline until it can be. The exposure is current; the obligation is current.
Right-size
Question the retention. If the data isn't needed, delete it. Reasonable assurance includes not holding sensitive data without justification.
Escalate & document
Internal escalation, written record. Don't carry the risk alone. If leadership refuses to act, that is a separate ethical issue with its own response.
Slide 11 of 13
When the User Is Your Employee
Sony's failure shows the trickiest case: when "user" and "employer" are the same population.
The professional answer: when the conversation about security investment vs. cost control pits the employer's interest against the employees' interest, the employees are users for ethical purposes. User obligations dominate when the data is theirs and they had no real choice about handing it over.
Slide 12 of 13
The Ethical Clock
The single most useful framing for cybersecurity ethics decisions.
Before an incident
Reasonable assurance is the standard.
Proportionate controls. Patched vulnerabilities. Data minimized to what's needed. IR plan documented. Staff trained.
This is when most of the ethical work happens — quietly, in the absence of crisis.
After an incident
Affected-party harm is the standard.
Notify quickly and completely. Don't suppress findings. Don't optimize for legal exposure at user expense. Genuine recovery improvements, not theater.
This is when the work done before is tested.
The Sony lesson distilled: the breach was not the ethical failure — it was the trigger. The ethical failure was the years of quiet decisions before the breach to under-resource security relative to the data's sensitivity. Cybersecurity ethics is mostly about what happens before the alarm.
Slide 13 of 13
Module 3 Summary
Cyberattacks & Cybersecurity Ethics — key takeaways.
1. Four core tradeoffs: privacy vs. safety, security vs. usability, disclosure vs. concealment, access vs. availability. Every security decision is on one of these axes.
2. Five incident types: malware, phishing, DDoS, insider threat, data breach. Each carries before-incident and after-incident obligations.
3. Three perpetrator tiers: script kiddies (no excuse), criminal organizations (proportionate controls), nation-state (defense not always achievable).
4. Reasonable assurance = asset value + threat landscape + known vulnerabilities + IR plan, calibrated proportionately. Not "all risk eliminated."
5. Known unpatched vulnerabilities = indefensible. The negligence floor. No attacker sophistication argument changes this.
6. Five IR phases: Prepare, Detect, Contain, Notify, Recover. Each has ethical obligations distinct from the technical task.
7. Legal floor ≠ ethical timeline. A statutory notification window (the GDPR's 72 hours for notifying the regulator, for example) is a legal minimum, not a target. Notify when affected parties need to act, not when lawyers say you must.
8. Sony lesson: the breach was the trigger; the ethical failure was the years before. Cybersecurity ethics is mostly about the quiet decisions made when no alarm is sounding.
Next up: Module 4 — Week 1 Checkpoint. Three cases (VW, SAP, Sony) compared side-by-side. The patterns that connect them.