Carson Tow

Dr. Blakely

Cyb E 234

05/01/2022

My professional code of ethics and what has shaped it

When I consider how I know what the right thing to do in the face of a dilemma, I don't

find myself examining a list of rules or set of ideals. Instead, I find that I turn to a handful of

influential factors in my life. These factors affect how I examine and eventually approach a

dilemma in a much more complex manner than a set of rules or even one ethical or moral

ideology. All these factors, and their 'interaction' with each other, push me to approach problems

from a more flexible position than one set of ethical rules might while still maintaining a firm

ethical stance on important ethical issues. These factors include my faith, my past interpersonal

experience, and my education (particularly and mainly this class). In this paper, I will examine

each of these factors, how and what it contributes to my personal approach to ethics in my

career as a cybersecurity professional, and how they affect each other in my decision-making.

The first of the three large factors contributing to my professional code of ethics is my

faith. I am a practicing, non-denominational Christian. Though I would never force my religion or

religious practices upon the public or others I might encounter in my career, it is still the most

influential factor in how I go about my life and make my personal decisions. With that being said,

my faith generally more directly impacts my morals. In lecture 3 (slides 8 & 9), Dr. Blakely went

over the difference between morals and ethics. Morals are more "intrinsic" and affect us

personally, while ethics are more "extrinsic" and are affected and enforced by society. In chapter

one of A Gift of Fire (P. 66), the author suggests that it is good practice to distinguish between
violations of morals and ethics, as they can be used to intimidate those with different views.

While generally, I find this to be true, I think our morals, whether intentionally or unintentionally,

affect how we lean on many of the more complex ethical dilemmas and how we approach

ethical dilemmas overall. One common example of this is the "Trolley Problem" discussed at the

beginning of the semester. While there isn't a particularly clear ethical right or wrong thing to do

in that problem, one's personal convictions often dictate their opinions. All this to say that while

my faith is not the sole driving force of my professional code of ethics, it often determines my

perspective on ethical dilemmas. The in-depth details of my religious beliefs as a Christian are

not particularly important to this examination; we can look at Divine Command Theory (lecture 5,

slide 5) which Dr. Blakely covered briefly in lecture 5. The basic idea is that we are

"commanded" to act a certain way. As mentioned in the aforementioned lecture, many factors

may vary in Divine Command theory, including literality and what topics are not directly

addressed by the religion. In the case of cybersecurity, there is really nothing that is directly or

literally addressed by my faith. Instead, the practices of my faith determine my approach to my

career.

Though less than other factors of my life, my faith does have some factors that directly affect

my code of ethics. One specific teaching that I follow as best I can and that I would deem quite

relevant to cybersecurity is selflessness. The most controversial and interesting way that

selflessness plays a role in cybersecurity is "Whistleblowing." Both in class and readings, we

covered multiple cases and situations pertaining to whistleblowing, including Julian Assange,

Chelsea Manning, and, most prominently, Edward Snowden. Selflessness with respect to

whistleblowing poses interesting ethical dilemmas. The textbook A Gift of Fire (chapter 3)

examines the Snowden case; it reads, "An organization founded by a retired CIA officer gave

Snowden its award for integrity and ethics in intelligence work, and the U.S. government

indicted Snowden for espionage. Is Snowden a hero or a traitor…" (P. 187). Due to my morals, I

tend to side closer with those who put themselves at risk (legal or otherwise). However, others
may lean toward the side of those who have been "whistle blown" especially if they were to find

themselves in that situation and valued self-preservation over selflessness. Both in a situation

like Snowden's or in the case of choosing between doing something that violates my code of

ethics and being fired, not getting promoted, etc. I would choose to follow my code of ethics

even at my own expense. Though I find my faith to push me on a professionally desirable path,

it also can create a struggle in my professional life. My faith and its effect on me can at times

make me less objective in a professional setting if I find something morally wrong, though it is

not breaking any shared ethical boundaries. This is something I must be wary of as I continue

my journey as a cybersecurity professional. Overall, though my faith contributes less to my

specific decisions in certain situations, it has the greatest weight on my outlook on the ethical

dilemmas I face.

The second large contributing factor is my past interpersonal experiences. This generally

has/will have the smallest impact on professional ethics in regard to cybersecurity. This instead

shapes the way I live out my ethical code on a day-to-day basis. One of the main things my past

interpersonal experience influences in my code of ethics is where my responsibility for others and

their actions lies. This is something that I will go more into depth on with its relationship with

cybersecurity later. However, on a more general level, being able to separate your opinions and

responsibility from those around you is an important concept for my ethical code. One example

of this is during our class discussions. Often there were many different opinions on some ethical

dilemmas coming from both myself and my classmates around me. At times, I felt some of my

classmates' opinions, morals, or ethics might get them into trouble later in their careers. Despite

this, we were still able to have productive and interesting discussions. An ethics concept that we

used during our discussions throughout the semester was the difference between relativism and

tolerance. In lecture 3 (slide 20), Dr. Blakely discussed these differences, with relativism being

the idea that there is no real 'right' or 'wrong' and thus we have no right or basis for judging

others, and tolerance being willing to accept others' beliefs even if we don't agree with them.
This difference is a key part of keeping an ethical code while interacting with others in the field

of cybersecurity. Another key thing that my past interpersonal experiences have taught me is

emotional intelligence. Recently while discussing some of the soft skills for this class, we read

about emotional intelligence (as assigned for lecture 25). Emotional intelligence is something

that takes a lot of practice and effort to learn and get better at. Approaching ethical dilemmas

using emotional intelligence gained from past professional interactions is extremely important,

especially when discussing the dilemma with someone who may have less technical knowledge

of the dilemma. This also is a field in which I will likely continue to struggle at times, especially

when trying to empathize with those who have already done something commonly viewed as

unethical and thinking about why they might do so. One quote Dr. Blakely shared in lecture

three that resonated with me and made me continue to consider my emotional intelligence is a

quote from Gandhi, which reads, "Your beliefs become your thoughts, Your thoughts become

your words, Your words become your actions, Your actions become your habits, Your habits

become your values, Your values become your destiny." Overall, my interpersonal experiences

help me apply my faith and education to my professional, ethical code, which I use in my

interactions with peers and the world.

The third contributing factor, and the most directly applicable to my ethics in my career, is

my education. Though this class is not the only part of my education that has contributed to my

professional code of ethics, it does make up the majority, so for the purposes of now, I will focus

on this class. Although before I came into this class, I already had a general understanding of

my ethics and morals, I have been challenged in identifying the details of my ethical code and

gaining a new understanding of cybersecurity and engineering-specific ethical principles, tools,

and ideas. The most direct or most quantifiable things that I learned from this course have been

some of the standards, frameworks, and other tools that are used in cybersecurity. Though

these don't have the same personal impact some other parts of this class might, they give me

something to turn to when trying to make decisions about security levels in the cyber-world. For
example, during our time learning about threat modeling, Dr. Blakely had us read the overview

of and discuss in class the ATT&CK framework from MITRE (lecture 19). Now that I know of this

framework, if I am ever at a point in my career where I must decide for a business what we need

to do for our cybersecurity, even though I don't have every item in this framework memorized, I

do know where to turn to when considering security. This framework, as well as other tools

taught by Dr. Blakely including the Ethical OS, the CCPA, and more, will help me in my career to

know where my boundaries are as a cyber security professional, preventing me from perhaps

overstepping and infringing on privacy as we discussed with CCPA, or under-securing what

systems I am in charge of and being unethical in my negligence. Admittedly this also is an

aspect of cybersecurity and building my professional ethics that I will need to improve upon, as

my understanding and memory of the specifics of many of these tools are still lacking. Another

thing that has affected how I view cyber ethical dilemmas is a higher understanding of the

different consequences of the right, wrong, or any decision in cybersecurity. One topic we

discussed in lecture 15 (slide 13) was the different types of cyber-attackers and their

intent/capability. Previously, even if I knew there was a difference between the different types of

cybercriminal actors, I would never have considered how they line up with each other in terms of

how drastic their intent and capabilities were. Inversely, some types of cybercrime that one

might see as harmless or even well-intentioned can still be damaging. One example of this

outlined in chapter 5 of A Gift of Fire is a hacker who used Boeing's systems to access another

system. However, Boeing still had to spend significant time and resources to ensure that no

malicious activity had occurred. Learning about examples and events like these has opened my

eyes to another truth of the world: the systems I will be working within my career are not just a

set of computers. They are a business that provides for its users and can often be the livelihood

of those running it, and I am ethically responsible for using tools and understanding of

cybersecurity to protect them. This leads to the other half of the things I've learned from this

class.
While I did have a personal foundation and understanding of some cybersecurity and

ethical concepts, I had little to no foundation in viewing those in the context of the working or

business world. This class has opened my eyes to how the business world fits into my ethics

and how my perspective might be different from others, and how to deal with that. In lecture 27,

Dr. Blakely discussed some business ethics. One concept he introduced was a "Wicked

Problem," which, loosely, is defined as a problem that can't be fixed or solved due to the factors

of the problem. This is generally because there isn't really one solution to the problem.

Cybersecurity for businesses is a good example of this because, as cybersecurity professionals,

we have to find a balance between usability and security. We can see the different solutions or

decisions that cybersecurity engineers come to for the "Wicked Game" that is cybersecurity in

our very own class discussions. One interesting example of this was in our discussion in lecture

25. We were asked about how to deal with management that either doesn't care or doesn't

understand the dangers of some cyber issues in the business. While I might be more inclined to

push back against this management that is ignoring security, some of my classmates in these

discussions were quicker to accept it as they saw themselves as no longer at fault for anything

that happened. While learning about some of these business security ideas has been useful, the

discussions we had in class definitely challenged and grew my understanding of the ethical

issues that can arise and the different ways of dealing with them. Finding solutions on how to

find a balance between usability and security and communicating the dangers present at any

level of security to those with less expertise can be a challenge both ethically and functionally.

Luckily this is another area in which this class has helped inform my ability to act ethically in the

working world. Over the last few lectures of the semester, Dr. Blakely has taught us about "Soft

Skills" as they apply to our job as cyber security professionals. Though I knew that soft skills are

useful in the workplace, I never thought about how they relate to cybersecurity itself. I think this

part of the class will have a significant impact on my professional ethics. Knowing where my

ethical responsibilities start and stop and how to properly communicate what I know as part of
my ethical responsibility are both skills I have learned from the material of this class. A good

summary of what I got out of the soft skills is in lecture 27 (slide 14). In this lecture, Dr. Blakely

discussed what our job is (as Cybersecurity Professionals). He suggests that it is our

professional, ethical responsibility to maintain our expertise on security, advise the best course

of action to those in charge, and do our best to persuade them to do the secure thing. I had not

put much thought into the idea of someone of authority in business possibly ignoring cyber

security risks and what I would do in such a situation. So this part of the class filled in several

lapses in my understanding and knowledge of professional ethics.

Overall, I have grown my professional ethics from my faith, my interpersonal experiences, and

my education in this class. All three of these working together in different ways have shaped

both who I am and how I will act in the working world. With my faith driving my personal position

on many complex or convicting dilemmas, my interpersonal experience driving my interactions

with others and doing so in an ethical manner both in and outside of my career and the

cyber-world, and my knowledge from my education in this class (in conjunction with the rest of

my cybersecurity knowledge and education) driving my day to day understanding of ethics and

my actions in my career as a cyber security professional working with others in and outside of my

industry and expertise. While between these three, I don't find a set list of ethical do's and

don'ts, they certainly shape my decision making and guide me toward the ethical decisions,

even in situations new to me, helping me continually grow as a person and a cybersecurity

engineer.
