
CSE 3482

Introduction to Computer Security

Law & Ethics

Instructor: N. Vlajic, Winter 2017


Learning Objectives

Upon completion of this material, you should be able to:


• Differentiate between law and ethics.
• Identify major US laws that relate to the practice of
information security.
• Identify relevant professional organizations and their
Codes of Ethics.
Required Reading

Computer Security, Stallings: Chapter 19


Introduction

• Law – written set of rules adopted and enforced by a
government to define expected behavior
  - these rules attempt to balance individual freedoms
    and social order, which may be in conflict
  - laws are largely drawn from the ethics of a culture

• Ethics – informal set of values and beliefs about
right and wrong behavior in a given culture
  - some ethics are thought to be universal
  - murder, theft and assault are legally and ethically
    unacceptable in most of the world's cultures

Key difference between law and ethics:
law carries the sanction of a governing authority,
and ethics do not!
In the majority of cases, what is legal is also ethical,
and the other way around. However, with society operating in
a dynamic and ever-changing environment, there are cases
when law and ethics are in conflict.
• Relationship between Law and Ethics – examples discussed (figure):
  - Edward Snowden 'NSA Leak' Case
  - Breaking into Somebody's Email Account
  - Screening of Web-traffic by Employer / Government
http://210.46.97.180/zonghe/book/203-Entrepreneurship(fifth%20edition)-
Harcourt%20Colledge%20Publishers-Donald%20F.%20Kuratko/chapter_6.htm
Introduction to Law
• Categories of Common Law – in Canada and USA:
  - Public Law(s): regulate …
    1) organization & functioning of the state
    2) relationship between state & its subjects
    - concerned with matters that affect society as a whole
    - deals with regulation of behavior generally

  - Private Law(s): regulate relationships between individuals
    & groups that are not of public importance
    - deals with disputes between parties
    - regulates rights and duties of individuals to each other
• Subcategories of Law
  - Public Law(s)
    - Constitutional Law – related to interpretation & application of the
      Constitution of Canada, including the Charter of Rights and Freedoms
      (freedom of expression & religion, freedom from unreasonable search
      & seizure, …)
    - Administrative Law – addresses actions and operations of government
      & government agencies
    - Criminal Law – deals with behaviors that result in injury to people
      and/or property (murder, break and enter, sexual assault, etc.)

  - Private / Civil Law(s)
    - Family Law – deals with various relationships of family life
    - Contract Law – outlines requirements for legally binding agreements
    - Tort Law – seeks compensation for loss caused by negligence
    - Property Law – outlines relationship between individuals & property
    - Labour Law – outlines relationship between employers & employees
Civil vs. Criminal Law

• Criminal vs. Civil Law Principles
  - In Criminal Law, to convict someone, guilt must be proven
    'beyond reasonable doubt'.
  - In Criminal Law, the sentence given to the offender may
    include one or a combination of the following:
    - fine
    - restitution – compensate for the victim's loss or damages
    - probation
    - community service
    - imprisonment

  - In Civil Law, to find someone liable, the case must be proven
    on a 'balance of probabilities'.
  - In Civil Law, monetary remedies (damages) are the most
    common outcome.
'beyond reasonable doubt' = the highest standard of proof:
the evidence must leave no reasonable doubt that the claim is true
(a 'mere possibility' that something is true is NOT sufficient)

'balance of probabilities' = evidence that crosses a 50% threshold
(produces a belief that what is presented is
more likely true than not true)

More evidence is needed to find the defendant at fault
in criminal cases than in civil ones.

http://www.sba.pdx.edu/faculty/maggief/chap1.pdf
http://www.sclifflaw.com/wp-content/uploads/2013/06/Comparisons-Between-Criminal-Law-and-Civil-Law.jpg
"Every crime has two essential parts: the action or "actus reus"
and the intent or "mens rea" (guilty mind).
For example, the crime of arson has two parts: actually setting
fire to a building and doing it wilfully and deliberately. Setting a
fire by accident may not be a crime.
For most criminal cases both the action and the intent must be
proven. If either element is missing, then NO crime has been
committed."

http://www.lawlessons.ca/lesson-plans/2.1.definition-and-principles
Law and Computer Security

Is a DDoS a civil or a criminal offence?

In the UK, since 2008 (when the Police and Justice Act 2006
amendments came into force), DoS/DDoS is explicitly a criminal
offence under the Computer Misuse Act; in the US it is prosecuted
as a federal crime under the Computer Fraud and Abuse Act
(18 U.S.C. § 1030).
In Canada, DDoS is also a criminal offence under the Criminal Code:
s. 342.1 (unauthorized use of computer) and s. 430(1.1)
(mischief in relation to computer data).
"In the early days of computer security, information security
professionals were pretty much left on their own to defend their
systems against attacks. They did not have much help from the
criminal and civil justice systems.
When they did seek assistance from law enforcement, they were
met with reluctance by overworked agents who did not have a
basic understanding of how something that involved a computer
could actually be a crime …
Fortunately, both our legal system and the men and women of law
enforcement have come a long way over the past two decades …"

CISSP: Certified Information Systems Security Professional Study Guide,
by J. M. Stewart, E. Tittel, M. Chapple (p. 630)
"The first computer security issues addressed by legislators were
those involving computer crime.
Early computer crime prosecutions were attempted under
traditional criminal law, and many were dismissed because judges
thought that applying traditional law to this modern type of crime
was too far of a stretch. …"
"… Legislators responded by passing specific statutes that defined
computer crime and laid out specific penalties for various crimes …
Every information security professional should have basic
understanding of the law as it relates to information technology.
However, the most important lesson to be learned is knowing when
it is necessary to call in an attorney …"

CISSP: Certified Information Systems Security Professional Study Guide,
by J. M. Stewart, E. Tittel, M. Chapple (p. 633)
• To minimize their own & their organization's liability, information
security professionals must:
  - keep informed about new laws, regulations and ethical issues
    as they emerge
  - understand the scope of the organization's legal and ethical
    responsibilities
  - educate management and employees about their legal and
    ethical obligations and the proper use of information technology
Computer Crime

• Computer Crime – criminal activity in which any
of the following is true:
  - computer is a target – e.g., somebody attempts to control
    a computer or interfere with its availability
    (examples: development and distribution of malware,
    DDoS attacks, …)
  - computer is a storage device – e.g., somebody uses a
    computer to store stolen or inappropriate content
  - computer is a communication tool – e.g., somebody uses
    computer(s) to conduct illegal sale of drugs or guns

Is ‘computer crime’ the same in different countries?
