How Smart Information Systems are used in Cybersecurity
The Case / Scenario
Increasing numbers of items are becoming connected to the internet. It is estimated that by 2020, more than 40 billion devices will be online. The security of those devices and of the people using them (cybersecurity) has therefore become an important concern. In the private sphere, companies are struggling to keep up with the need for security in the face of increasingly sophisticated attacks from a variety of sources. There is currently little integration of Smart Information Systems (SIS; AI and Big Data) in cybersecurity, but there are some clear benefits to their use. The most effective use is in scanning systems for known attacks or abnormal patterns of behaviour which might indicate an attack. When coupled with a human operator, a combined human-machine security system can be effective. This case study focuses on the ethical challenges that SIS bring in cybersecurity, to shed some light on the risks of this sector and how they are currently minimized.
Ethical issues identified in the case study largely matched those found in the literature, particularly:
- Privacy: Privacy is a central issue in cybersecurity, as increasing volumes of (sometimes highly sensitive) personal data are gathered and stored in the cloud. Related to this is control of data, as a loss of control means that data can be used for a variety of purposes, some of them unethical. It is also not clear how privacy can be measured (“quantitative privacy”).
- Security and Vulnerabilities: Finding vulnerabilities in a network which leave it open to an attack can help cybersecurity professionals understand the magnitude of a particular attack. However, disclosure of vulnerabilities to public bodies may risk exploitation of the disclosing company.
An additional ethical concern was identified thanks to the case study:
- Anomalies: Cyberattacks may come from fake mobile phone base stations or other network operators. SIS can help to recognize these attacks through anomaly detection.
- Codes of Conduct: There is little effective guidance for ethical behaviour in cybersecurity.
There are several measures taken to tackle the ethical concerns, notably:
- Privacy: Privacy can be (partly) preserved by employing technical fixes like “differential privacy”, although these are not as universally effective as some vendors suggest.
- Security and Vulnerabilities: Hackathons are an effective means to identify weaknesses that can then be improved.
- Anomalies: It is important to actively search for behavioural anomalies to prevent attacks.
- Codes of Conduct: Companies rely on generic professional guidance for ethical behaviour in cybersecurity, coupled with the ethical awareness of teams working in cybersecurity.
This case study shows strong correlations with the ethical issues found in the academic literature. However, there remains a gap between the issues discussed in academia and those encountered by people working in the cybersecurity industry, suggesting a need for a better dialogue between the two.
Specific insights arising from this case study include:
- Privacy: Privacy protections can be strengthened by using technical fixes, but their effectiveness may be hard to measure, and they should not be treated as a panacea. However, ethical concerns regarding SIS in cybersecurity go further than mere privacy issues. There is a need to improve the debate on ethical aspects of cybersecurity, going beyond privacy as the over-riding concern.
- Security and Vulnerabilities: Hackathons and other means of engaging with the broader cybersecurity community should be encouraged where possible to identify and strengthen weaknesses in security.
- Anomalies: Anomaly detection needs to be thought of in broad terms to include not just employee behaviour but also that of clients, competitors, and other stakeholders.
- Codes of Conduct: There is a need for clear codes of ethical conduct for international practice.