subject: Security's Rotten Apples
posted: Sun, 08 Oct 2006 11:52:37 +0100


[see also: IT's Roving Eyes:
http://www.cyberdelix.net/adminz/44db0019_18003_13c04e52.html - Stu]

http://www.darkreading.com/document.asp?doc_id=105282&WT.svl=news1_4

Security's Rotten Apples

OCTOBER 4, 2006 | First of two articles

If you're working with at least two other IT/security professionals,
and you're not breaking any rules, look around -- there's a good
chance one of them is.

That's the net result of Dark Reading's "Security Scruples" reader
survey, which tested the attitudes and ethics of some 648 IT and
security pros over the last two weeks.

The survey, which asked IT people about their beliefs and behavior in
both real and hypothetical security situations, suggests that about
two thirds of them agree on the conventions for proper conduct -- and
the other third might be doing anything from peeking at colleagues'
personal data to actively stealing information from the company.

"I do know [IT] people who believe they have not only the right, but
the duty to check up on other employees," says survey participant
John Morgus, IT manager at Kenworth Northwest Motor Trucks. "I
personally feel they are indulging their curiosity for their own
reasons."

The data from the survey bears out Morgus' contention that there are
at least a few IT people in most situations who will go their own way
-- often against the conventional professional ethic. In virtually
every question that we asked, a large majority agreed on how to do
the "right thing" -- but they were nearly always contradicted by a
minority who said they would do the exact opposite.

For example, when we asked readers whether they have ever used their
security privileges to peek at information they are not authorized to
access, nearly 63 percent of respondents said no. About 27 percent
said they have accessed unauthorized data, but only a few times in
their careers. And approximately 10 percent -- some 65 people -- said
they abuse their security privileges on a regular basis.

Other questions yielded a similar breakdown of responses. When we
asked readers what they would do if they found a list of victims of a
forthcoming layoff, 68 percent of readers said they would leave the
file alone. But 23 percent said they would sneak a peek, and about
8.5 percent said they would not only peek, but share the data with
other employees in the organization.

In another hypothetical situation, we asked readers what they would
do if they walked into their boss' empty office and found their own
performance review up on the computer screen. Some 64 percent said
they would leave the room; 33 percent said they would sneak a peek,
and another three percent said they would print or email the document
so they could read it in more detail.

Respondents' choices in hypothetical situations seemed consistent
with their general attitudes about security. While 64 percent of
those surveyed said it is "never okay" to access data without
authorization, the other 26 percent said that IT people and/or top
executives should have the rights to any data they wish. About seven
percent agreed with the traditional hacker credo, which states that
anyone with the skills to access the data should be allowed to have
it, as long as they don't hurt the data in the process.

Some IT people peek at unauthorized data simply because they can, and
their natural curiosity gets the best of them, survey respondents
said. "Some people want to know what goes on behind closed doors, and
in managers' meetings," says Lonny Cross, network security engineer
for the Supreme Court of Oklahoma.

"Regrettably, though, there are a few IT staffers who have a
superiority complex and see it as their right to treat everybody else
in the company like lesser beings," notes Denver Greiner, an
independent consultant. "That includes looking at anything on any
system under their control."

But the desire to access or steal company data isn't limited to IT
people. According to a study published last week by Prefix Security,
a U.K. firm, about 37 percent of the males surveyed said they believe
it is acceptable to take database information and sales leads. The
majority of the 1,000 respondents in the Prefix study admitted to
stealing data or confidential documents, but many of those
respondents do not perceive their actions as "wrong."

The ethics of IT security aren't always clear, some professionals
say. "The fundamental elements for ethics exist almost universally,
but the real problems come in when people are instructed in the
situational ethic -- that the ends justify the means," says Charles
Tuite, operations coordinator at Ball State University. "We need a
licensing or other program that contains a code of ethics."

Many other respondents agreed, though most were skeptical that a
broad code of ethics for IT security could be developed and enforced.
ISC2, which administers the CISSP security certification, does
maintain some ethical rules, but respondents said they are not widely
understood or recognized.

And many IT people have a different set of standards for others than
they do for themselves. In our survey, only 53 percent of respondents
said they would report a colleague who was abusing security
privileges to access payroll information, personnel files, or
executive plans. 41 percent said they would tell the colleague not to
do it again, but keep it quiet; two percent said they would ask the
colleague to show them how to gain access to the unauthorized
information themselves.

Similarly, there was a small but significant minority who said they
wouldn't report an offer from a competitor to steal corporate data.
In a hypothetical offer of $50,000, two percent of respondents said
they would steal and sell their company's customer list. Another 14
percent said they would decline the offer but would not report it to
anyone.

Many respondents said they believe the ethics of IT and security
managers -- or lack thereof -- are reflective of the attitudes and
morals of society as a whole. "Look at today's generation -- or the
last 20 years," says Eric Nooden, IS manager at Rockford
Gastroenterology Associates. "Our decline in morals and personal
responsibility is partially to blame. Then again, look at technology
-- our laws are just now starting to catch up to it."

Virtually all of the respondents said the key to avoiding ethical
problems in IT organizations is to hire the right people. "One of the
toughest issues we face right now is doing employee background
checks," said one security manager. "Insiders can do the most
damage."

- Tim Wilson, Site Editor, Dark Reading

---
* Origin: [adminz] tech, security, support -
http://cyberdelix.net/adminz/
