All elements of organizational management continue to operate similar to that of individuals, with an inherent social contract and responsibility to the society in which they exist and function. Social contract theory suggests that a person’s moral obligations are dependent on the ‘contract’ or agreement with others and among each other to form the basic co-existence and institutions of society. Most industries operate with set standards and guidelines, many of which require that certain security and privacy standards are upkept. Purchasing of cyber security products and services is driven by both these security standards as well as expectations from stakeholders such as business partners or consumers that certain elements of cooperation are protected, in a manner of speaking being an unspoken social contract.
The first ethical issue to consider is harm to privacy. One of the most common cyber security threats is the theft of personal data which can lead to identity theft or be used for extortion. Cyber security systems have to be trusted to provide a “critical line of defense against personal and organizational privacy harms”. Incompetent cyber security practices such as outdated encryption, lack of incident response planning, and poor patching can lead to both ineffective and unethical protection of privacy which negligently exposes others.
Another issue is cyber security resource allocation, driven by the high cost and considerable organizational resources required to upkeep effective cyber security. It is an ethical issue as it requires to balance between security and competing for resource needs, even if a product is not viable or there is a time-sensitive process. For example, in a hospital, if there is suspicious activity on the network, a tedious security logon procedure may be implemented for terminals, but it may take time away from personnel who may need to treat patients and access life-saving equipment quickly. Both the cost and extent of cyber security in organizations should be considered when evaluating products.
Finally, there is the issue of transparency and disclosure. Cyber security is a risk-management activity, and these risks may significantly affect other parties. It is an ethical duty to disclose risks when these arise. When evaluating cyber security products and services, it is highly important to evaluate the aspect of transparency of those who provide them. It is likely that most cyber security firms have at some point faced some sort of breach or security scenario. However, it is also important how these providers addressed the issue, disclosed it to appropriate stakeholders, and worked with the respective organizations to address future risks and cyber security practices.