CypherCon 2022

The Ethics of Risk

Susan Lincke, PhD

Abstract:

Security is often left unfunded because the cost of risk, as evaluated by an organization for its own benefit, has an ROI below that of other possible investments. However, evaluating risk from an ethical perspective has multiple benefits. This presentation proposes a maturity model for the ethics of risk, based on an evaluation of research related to ethical risk. The framework describes risk, management, legal, and engineering concerns appropriate to risk analysts, security staff, and software engineering professionals, and it provides a list of actionable items for each of five levels of ethical risk maturity.


Sample Practices per Maturity Level:

  1. Risk Immature Level

Adopt a Standardized Risk Process

Create a Culture of Communication and Responsibility

Document and Communicate Risk Findings

Involve Business Management


  2. Self-Protection Level: Milton Friedman and Shareholder Primacy: corporations are in business to make money for stockholders.

Analyze Fraud and Ethical Risk

Develop a Code of Ethics Addressing Organizational Sustainability

Price Insurance with Discounts for Controls


  3. Compliance Focus: awareness of criminal, civil (contract, tort, copyright), and administrative law.

Pay Attention to the Intent of Regulation

Adhere to Regulations and Standards Addressing Business Ethics

Consider Legal Responsibility Beyond Regulation

Develop and Follow Soft Law


  4. Stakeholder Concern: Edward Freeman and Stakeholder Theory: the only way to [maximize profits] is to create great products and services that customers want to buy.

Understand the Ethics of the Product Development

Personalize Risk

Evaluate Sandman’s Outrage Factor

Calculate Risk from the Stakeholder Perspective


  5. Concern of the Other: pure ethical theories (Virtue, Deontology, Consequentialism) and concern for Freeman’s secondary stakeholders.

Train and Think in Ethics

Calculate Risk from the Societal Perspective

Research Unknown Risk Scientifically

Document and Evaluate Societal Decisions Systematically

Susan Lincke, PhD

Computer Science Professor

Susan Lincke, PhD, CISA, CRISC, is a Professor of Computer Science at the University of Wisconsin-Parkside. She is the author of Security Planning: An Applied Approach (Springer), and received an NSF CCLI grant, ‘Information Security: Audit, Case Study, and Service Learning’, from 2009 to 2013. She developed the cyber-security certificate at the University of Wisconsin-Parkside and co-developed its security lab. She has 17 years of software engineering and project management experience in telecommunications, including at Motorola, GE and MCI, and 50 academic publications in information security and wireless modeling.