
Cyber ethics in the workplace


While moderating a game of "Cyber ethical Surfivor" at a large financial conference recently, I posed the following conundrum:

"You receive an anonymous e-mail which includes all the technical and business details of a key competitor's project. Your company is way behind. If you use the information, you will likely beat your competitor and you will be a hero. If you don't use the information, your company will lose a great deal of money and you will likely be the scapegoat. If you use the information, no one - except you - will ever know. What do you do?"

Most of the members of Team A said they would use the information. The first player set the tone, and all but one of the rest followed suit with slight variations on the rationale that "Business is war."

The members of Team B shook their collective heads. Every one of them said it was unethical, maybe illegal, to use the information, and there was no way they would resort to "cheating" to win, even with their livelihood on the line.

I was struck by two things: First, that the two teams were so diametrically opposed; and second, that there was almost no dissent among the members of each team, even though the players had been randomly selected from a large audience and didn't know one another.

The winner of that round was chosen through audience applause. Surprisingly, the audience was also split just about 50-50. (Ultimately, our judges had to decide.) However, in other cities in Europe and the U.S., the results from this same question have seen entire audiences and players lean strongly one way or the other.

Having run a few dozen Cyber ethical Surfivor games for the private sector, government, military and international groups, as well as for hackers, I conclude that there is no cyber ethical consistency across the spectrum of computer users, security professionals, consultants, executives, military leaders and technical staff.

At the top of every information-security pyramid must sit policy: that boring set of guidelines and rules that human resources gives every employee. Most security-aware companies provide staff with a reasonable set of black-and-white policies: Do this; don't do this. However, policy guidelines do not address the gray areas.

The concept of adding cyber ethics to information security is new to most companies. Cyber ethics is a leadership issue, as I have observed in the games I have hosted on three continents. On every team a leader emerges who sets the ethos for the team through strong personality and communications skills.

Leadership is about culture, not management, whether we're talking at the corporate or national level. We know that poor user behavior can cause accidental security breaches, and what I've found is that much of this poor behavior comes from an ethical lack of understanding of the implications of one's actions.

We teach our employees not to open unknown e-mail attachments without scanning them first. But do we teach our staff not to read e-mail that arrives at their desk but that is intended for someone else? Where is the corporate line between cheating and competition? Do we give our staff enough ethical guidelines to know what is objectionable or offensive in a heavily multicultural workplace?

The first step in establishing a cyber ethical culture is to ask the really tough questions, the answers to which may be highly politically incorrect. HR, legal, security and top management need to work together to set the tone they wish to flow through their organizations. Sometimes this can be done through gaming; other times off-site meetings will work.

The second step is to include cyber ethical components in corporate security awareness campaigns to keep employees clued in.

The last but most important step is to be ready to make changes rapidly when cyber ethics becomes a component of information security efforts. Many of our ethical beliefs changed instantly on Sept. 11. We cannot predict how they will change tomorrow or next year - but we need to be prepared.


Schwartau is president of Interpact, a security awareness consulting firm, and author of many books, including Cybershock and Computer and Internet Ethics. Reach him at winns@gte.net.
