Abstract:
Security is often not funded because the cost of risk, as evaluated by an organization for its own benefit, has an ROI below that of other possible investments. However, evaluating risk from an ethical perspective has multiple benefits. This presentation proposes a maturity model for the ethics of risk, based on an evaluation of research related to ethical risk. The framework describes risk, management, legal, and engineering concerns appropriate to risk analysts, security staff, or software engineering professionals, and provides a list of actionable items for each of five levels of ethical risk maturity.
Sample Practices per Maturity Level:
- Risk Immature Level
  - Adopt a Standardized Risk Process
  - Create a Culture of Communication and Responsibility
  - Document and Communicate Risk Findings
  - Involve Business Management
- Self-Protection Level: Milton Friedman and Shareholder Primacy: Corporations are in business to make money for stockholders
  - Analyze Fraud and Ethical Risk
  - Develop a Code of Ethics Addressing Organizational Sustainability
  - Price Insurance with Discounts for Controls
- Compliance Focus: Awareness of criminal, civil (contract, tort, copyright), and administrative law
  - Pay Attention to the Intent of Regulation
  - Adhere to Regulations and Standards Addressing Business Ethics
  - Consider Legal Responsibility Beyond Regulation
  - Develop and Follow Soft Law
- Stakeholder Concern: Edward Freeman and Stakeholder Theory: The only way to [maximize profits] is to create great products and services that customers want to buy.
  - Understand the Ethics of Product Development
  - Personalize Risk
  - Evaluate Sandman's Outrage Factor
  - Calculate Risk from the Stakeholder Perspective
- Concern of the Other: Pure ethical theories: Virtue, Deontology, Consequentialism, and concern for Freeman's secondary stakeholders.
  - Train and Think in Ethics
  - Calculate Risk from the Societal Perspective
  - Research Unknown Risk Scientifically
  - Document and Evaluate Societal Decisions Systematically