Journal:Smart information systems in cybersecurity: An ethical analysis - Revision history

Shawndouglas: Fixed citation issue

2021-09-19T21:00:48Z

Fixed citation issue

← Older revision		Revision as of 21:00, 19 September 2021
Line 55:		Line 55:

	===Informed consent===		===Informed consent===
	Acquiring informed consent is an important activity for cybersecurity, and one that has been at the heart of research ethics and practice for decades.<ref name="JohnsonComp12">{{cite book \|chapter=Computer Security Research with Human Subjects: Risks, Benefits and Informed Consent \|title=Financial Cryptography and Data Security \|author=Johnson M.L.; Bellovin S.M.; Keromytis A.D. \|editor=Danezis G.; Dietrich S.; Sako K. \|publisher=Springer \|pages=131–37 \|year=2012 \|doi=10.1007/978-3-642-29889-9_11 \|isbn=9783642298899}}</ref><ref name="MillerTheEthics09">{{cite book \|title=The Ethics of Consent \|editor=Miller, F.; Wertheimer, A. \|publisher=Oxford University Press \|year=2009 \|isbn=9780195335149}}</ref> Consent is variously valued as the respect for autonomy<ref name="~~MillerTheEthics09~~">{{cite book \|chapter=Autonomy and Consent \|title=The Ethics of Consent \|author=Beuchamp, T.L. \|editor=Miller, F.; Wertheimer, A. \|publisher=Oxford University Press \|pages=55–78 \|year=2009 \|isbn=9780195335149}}</ref> or the minimization of harm.<ref name="MansonRethink07">{{cite book \|title=Rethinking Informed Consent in Bioethics \|author=Manson, N.C.; O'Neill, O. \|publisher=Cambridge University Press \|year=2007 \|doi=10.1017/CBO9780511814600 \|isbn=9780511814600}}</ref> As such, the justification for informed consent is a considerable challenge for data analytics where anonymized data may be used without explicit consent of the person from whom it originates. This is also true within global cybersecurity, where a number of complicating issues arise, such as the complexity of informing users about detailed technical aspects in order to provide necessary information, as well as language barriers.<ref name="BurnettEncore15">{{cite journal \|title=Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests \|journal=Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication \|author=Burnett, S.; Feamster, N. \|pages=653–67 \|year=2015 \|doi=10.1145/2785956.2787485}}</ref> This, though, is the case for many other areas of research such as medical or social sciences, and the scripts need not be different in cybersecurity.<ref name="MacnishEthics19">{{cite web \|url=https://github.com/jeroenh/Ethics-and-Cyber-Security/blob/master/template.tex \|title=jeroenh/Ethics-and-Cyber-Security/template.tex \|author=van der Ham, J. \|work=GitHub \|date=14 September 2018}}</ref>		Acquiring informed consent is an important activity for cybersecurity, and one that has been at the heart of research ethics and practice for decades.<ref name="JohnsonComp12">{{cite book \|chapter=Computer Security Research with Human Subjects: Risks, Benefits and Informed Consent \|title=Financial Cryptography and Data Security \|author=Johnson M.L.; Bellovin S.M.; Keromytis A.D. \|editor=Danezis G.; Dietrich S.; Sako K. \|publisher=Springer \|pages=131–37 \|year=2012 \|doi=10.1007/978-3-642-29889-9_11 \|isbn=9783642298899}}</ref><ref name="MillerTheEthics09">{{cite book \|title=The Ethics of Consent \|editor=Miller, F.; Wertheimer, A. \|publisher=Oxford University Press \|year=2009 \|isbn=9780195335149}}</ref> Consent is variously valued as the respect for autonomy<ref name="MillerAutonomy09">{{cite book \|chapter=Autonomy and Consent \|title=The Ethics of Consent \|author=Beuchamp, T.L. \|editor=Miller, F.; Wertheimer, A. \|publisher=Oxford University Press \|pages=55–78 \|year=2009 \|isbn=9780195335149}}</ref> or the minimization of harm.<ref name="MansonRethink07">{{cite book \|title=Rethinking Informed Consent in Bioethics \|author=Manson, N.C.; O'Neill, O. \|publisher=Cambridge University Press \|year=2007 \|doi=10.1017/CBO9780511814600 \|isbn=9780511814600}}</ref> As such, the justification for informed consent is a considerable challenge for data analytics where anonymized data may be used without explicit consent of the person from whom it originates. This is also true within global cybersecurity, where a number of complicating issues arise, such as the complexity of informing users about detailed technical aspects in order to provide necessary information, as well as language barriers.<ref name="BurnettEncore15">{{cite journal \|title=Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests \|journal=Proceedings of the 2015 ACM Conference on Special Interest Group on Data Communication \|author=Burnett, S.; Feamster, N. \|pages=653–67 \|year=2015 \|doi=10.1145/2785956.2787485}}</ref> This, though, is the case for many other areas of research such as medical or social sciences, and the scripts need not be different in cybersecurity.<ref name="MacnishEthics19">{{cite web \|url=https://github.com/jeroenh/Ethics-and-Cyber-Security/blob/master/template.tex \|title=jeroenh/Ethics-and-Cyber-Security/template.tex \|author=van der Ham, J. \|work=GitHub \|date=14 September 2018}}</ref>

	Nonetheless, challenges of complexity, and of conveying that complexity in a manner that is sufficiently informative for a non-expert to make a decision, remain. Wolter Pieters notes that information provision does not correspond merely to the amount of information communicated, but to how it is presented, and that the type of information given is justified and appropriate. “One cannot speak about informed consent if one gives too little information, but one cannot speak about informed consent either if one gives too much. Indeed, giving too much information might lead to uninformed dissent, as distrust is invited by superfluous information.”<ref name="PietersExplan11">{{cite journal \|title=Explanation and trust: what to tell the user in security and AI? \|journal=Ethics and Information Technology \|author=Pieters, W. \|volume=13 \|issue=1 \|pages=53–64 \|year=2011 \|doi=10.1007/s10676-010-9253-3}}</ref>		Nonetheless, challenges of complexity, and of conveying that complexity in a manner that is sufficiently informative for a non-expert to make a decision, remain. Wolter Pieters notes that information provision does not correspond merely to the amount of information communicated, but to how it is presented, and that the type of information given is justified and appropriate. “One cannot speak about informed consent if one gives too little information, but one cannot speak about informed consent either if one gives too much. Indeed, giving too much information might lead to uninformed dissent, as distrust is invited by superfluous information.”<ref name="PietersExplan11">{{cite journal \|title=Explanation and trust: what to tell the user in security and AI? \|journal=Ethics and Information Technology \|author=Pieters, W. \|volume=13 \|issue=1 \|pages=53–64 \|year=2011 \|doi=10.1007/s10676-010-9253-3}}</ref>

Shawndouglas: /* Notes */ Added cat

2019-10-14T18:50:07Z

Notes: Added cat

← Older revision		Revision as of 18:50, 14 October 2019
Line 302:		Line 302:
	[[Category:LIMSwiki journal articles on big data]]		[[Category:LIMSwiki journal articles on big data]]
	[[Category:LIMSwiki journal articles on cybersecurity]]		[[Category:LIMSwiki journal articles on cybersecurity]]
			[[Category:LIMSwiki journal articles on privacy]]

Shawndouglas: /* Introduction */

2019-06-04T17:58:27Z

Introduction

← Older revision		Revision as of 17:58, 4 June 2019
Line 34:		Line 34:
	Cybersecurity therefore can be seen to encompass property rights of ownership of networks that could come under attack, as well as other concerns attributed with these, such as issues of access, extraction, contribution, removal, management, exclusion, and alienation.<ref name="HessUnder06">{{cite book \|title=Understanding Knowledge as a Commons: From Theory to Practice \|author=Hess, C.; Ostrom, E. \|publisher=MIT Press \|year=2006 \|isbn=9780262083577}}</ref> Hence cybersecurity fulfills a similar role to physical security in protecting property from some level of intrusion. Craigen ''et al.'' also argue that cybersecurity refers not only to a technical domain, but also that the values underlying that domain should be included in the description of cybersecurity.<ref name="CraigenDefining14" /> Seen this way, ethical issues and values form bedrock to cybersecurity research as identifying the values which cybersecurity seeks to protect.		Cybersecurity therefore can be seen to encompass property rights of ownership of networks that could come under attack, as well as other concerns attributed with these, such as issues of access, extraction, contribution, removal, management, exclusion, and alienation.<ref name="HessUnder06">{{cite book \|title=Understanding Knowledge as a Commons: From Theory to Practice \|author=Hess, C.; Ostrom, E. \|publisher=MIT Press \|year=2006 \|isbn=9780262083577}}</ref> Hence cybersecurity fulfills a similar role to physical security in protecting property from some level of intrusion. Craigen ''et al.'' also argue that cybersecurity refers not only to a technical domain, but also that the values underlying that domain should be included in the description of cybersecurity.<ref name="CraigenDefining14" /> Seen this way, ethical issues and values form bedrock to cybersecurity research as identifying the values which cybersecurity seeks to protect.

	The case study is divided into four main sections. The next two sections focus on the technical aspects of cybersecurity and a literature review of academic articles concerning ethical issues in cybersecurity, respectively. Then the practice of cybersecurity research is presented through an interview conducted with four employees at a major telecommunications software and hardware company, ~~Com-pany~~ A. Finally, the last section critically evaluates ethical issues that have arisen in the use of SIS technologies in cybersecurity.		The case study is divided into four main sections. The next two sections focus on the technical aspects of cybersecurity and a literature review of academic articles concerning ethical issues in cybersecurity, respectively. Then the practice of cybersecurity research is presented through an interview conducted with four employees at a major telecommunications software and hardware company, Company A. Finally, the last section critically evaluates ethical issues that have arisen in the use of SIS technologies in cybersecurity.

	==The use of smart information systems in cybersecurity==		==The use of smart information systems in cybersecurity==

Shawndouglas: Finished adding rest of content.

2019-06-04T17:55:12Z

Finished adding rest of content.

← Older revision		Revision as of 17:55, 4 June 2019
Line 19:		Line 19:
	\|download = [https://www.orbit-rri.org/ojs/index.php/orbit/article/view/105/117 https://www.orbit-rri.org/ojs/index.php/orbit/article/view/105/117] (PDF)		\|download = [https://www.orbit-rri.org/ojs/index.php/orbit/article/view/105/117 https://www.orbit-rri.org/ojs/index.php/orbit/article/view/105/117] (PDF)
	}}		}}
	~~{{ombox~~
	~~\| type = content~~
	~~\| style = width: 500px;~~
	~~\| text = This article should not be considered complete until this message box has been removed. This is a work in progress.~~
	}}
	==Abstract==		==Abstract==
	This report provides an overview of the current implementation of smart information systems (SIS) in the field of [[cybersecurity]]. It also identifies the positive and negative aspects of using SIS in cybersecurity, including ethical issues which could arise while using SIS in this area. One company working in the industry of telecommunications (Company A) is analysed in this report. Further specific ethical issues that arise when using SIS technologies in Company A are critically evaluated. Finally, conclusions are drawn on the case study, and areas for improvement are suggested.		This report provides an overview of the current implementation of smart information systems (SIS) in the field of [[cybersecurity]]. It also identifies the positive and negative aspects of using SIS in cybersecurity, including ethical issues which could arise while using SIS in this area. One company working in the industry of telecommunications (Company A) is analysed in this report. Further specific ethical issues that arise when using SIS technologies in Company A are critically evaluated. Finally, conclusions are drawn on the case study, and areas for improvement are suggested.
Line 288:		Line 284:
	\|}		\|}

			===Implications of this report===
			This report exposes some of the weakest part of SIS technology and the importance of cybersecurity, by supporting the claim that there is a need to improve the ethics of research in SIS. The cyber world is forming an important part of society, and in some areas at least, albeit not among the interviewees for this case study, there is a lack of understanding of the ethical problems that come with this, which can bring damage to many stakeholders.

			===Future research===
			This report argues for the need for multi-disciplinary studies between academia and the technical community to prevent ethical concerns from being undervalued. Future research goes hand in hand with legal implications, particularly at the international level, as well the need to create clearer codes of conduct for businesses and international practices, and the necessity to increase the cybersecurity teams within companies.

	==References==		==References==

Shawndouglas: Saving and adding more.

2019-06-04T17:31:16Z

Saving and adding more.

Show changes

Shawndouglas: Saving and adding more.

2019-06-04T14:43:15Z

Saving and adding more.

← Older revision		Revision as of 14:43, 4 June 2019
Line 114:		Line 114:

	This case study focuses on the ethical challenges that SIS bring in cybersecurity to shed some light on the risks of this sector and how they are currently minimized. The interview was conducted with four employees as a group at the headquarters of Company A in Scandinavia. All are experts in the Company A cybersecurity research team: Interviewee 1, a doctoral student; Interviewee 2, a researcher who focuses on core network security; Interviewee 3, a researcher who focuses on trusted computing; and Interviewee 4, a researcher with a background in machine learning (see Table 1, below). The methodology employed for the interview can be found in ''Understanding Ethics and Human Rights in Smart Information Systems: A Multi Case Study Approach'' by Macnish ''et al.''.<ref name="MacnishUnder19">{{cite journal \|title=Understanding Ethics and Human Rights in Smart Information Systems: A Multi Case Study Approach \|journal=ORBIT Journal \|author=Macnish, K.; Ryan, M.; Stahl, B. \|volume=2 \|issue=2 \|pages=102 \|year=2019 \|doi=10.29297/orbit.v2i1.102}}</ref>		This case study focuses on the ethical challenges that SIS bring in cybersecurity to shed some light on the risks of this sector and how they are currently minimized. The interview was conducted with four employees as a group at the headquarters of Company A in Scandinavia. All are experts in the Company A cybersecurity research team: Interviewee 1, a doctoral student; Interviewee 2, a researcher who focuses on core network security; Interviewee 3, a researcher who focuses on trusted computing; and Interviewee 4, a researcher with a background in machine learning (see Table 1, below). The methodology employed for the interview can be found in ''Understanding Ethics and Human Rights in Smart Information Systems: A Multi Case Study Approach'' by Macnish ''et al.''.<ref name="MacnishUnder19">{{cite journal \|title=Understanding Ethics and Human Rights in Smart Information Systems: A Multi Case Study Approach \|journal=ORBIT Journal \|author=Macnish, K.; Ryan, M.; Stahl, B. \|volume=2 \|issue=2 \|pages=102 \|year=2019 \|doi=10.29297/orbit.v2i1.102}}</ref>

			{\|
			\| STYLE="vertical-align:top;"\|
			{\| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="100%"
			\|-
			\| style="background-color:white; padding-left:10px; padding-right:10px;" colspan="2"\|'''Table 1.'''
			\|-
			\|-
			! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"\|Description
			! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"\|Organization 1
			\|-
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Organization
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Company A
			\|-
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Location
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Scandinavia
			\|-
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Sector
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Cybersecurity/Telecommunications
			\|-
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Name
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Interviewee 1–4
			\|-
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|Length
			\| style="background-color:white; padding-left:10px; padding-right:10px;"\|136 minutes
			\|-
			\|}
			\|}

			===Description of SIS technologies being used in Company A===
			Background research was initially conducted through investigating Company A’s website and public documents from conferences. This was then supplemented by the interviewees’ explanations of the technical capabilities of the technologies used at Company A.

			Company A is a global digital communications company. It is involved in [[cloud computing]], artificial intelligence, machine learning, [[internet of things]], and the infrastructure of mobile networks, including 5G. Company A’s website refers to a combination of analytics and augmented intelligence, but the company also specializes in research and development (R&D) through Bell Labs, where it conducts research. Marcus Weldon, president of Bell Labs, in his book ''The Future X Network'', shows the development of technology and the relation with global economy and society, by acknowledging the “scale of changes wrought by a nexus of global, high-speed connectivity, billions of connected devices (IoT), cloud services, and non-stop data streaming, collection, and big data analytics.”<ref name="MarkoTheOmni15">{{cite web \|url=https://www.forbes.com/sites/kurtmarko/2015/10/27/omni-connected-world/ \|title=The Omni-Connected World: Bell Labs Plans For Future Of Connected Everything \|author=Marko, K. \|work=Forbes \|date=27 October 2015}}</ref>

			These technologies are changing our world, and Company A sees itself as driving innovation and the future of technology to power this digital age and transform how people live, work, and communicate. These technologies use data, including personal data from customers and metadata from phone networks. During the interview, Interviewee 1 argued that they do not use AI, but they do use statistics and analytics, such as products that use machine learning (ML) and data collection to identify malware. They also use analytics to create rules for developing effective firewalls for the network. However, Interviewee 3 noted that AI is still part of the research and the internal projects:

			<blockquote>[W]e do not sell a brain... or the giant quantum computing brain that solves all the problems, but for a very long time, planning has been used in many products, you can consider some configuration algorithms that can be considered as AI, these things exist, but not in the futuristic sense. (Interviewee 3, 2018)</blockquote>

			The term “cybersecurity” appears in different articles across Company A’s website. The cybersecurity research team at Company A developed a report on security for 5G networks which has served as guidance for the European Union. They analyze bulk datasets to help clients (communications providers rather than end users) maximize efficiency and thus profit, while at the same time providing security such as malware detection to protect the end user from attacks.

			SIS applications vary due to the amount and variety of data that Company A gathers from its customers, as well as the diverse needs of those customers. Many of these needs could not be met without SIS technology, as they would be impossible to perform by hand. For the most part, Company A’s cybersecurity research team uses rule-based applications for sorting information, which is then evaluated by a person. Interestingly from an ethical point of view, Interviewee 1 pointed out that clients’ data gathering capability has expanded faster than their data analysis capability, so that they increasingly gather data that has no obvious purpose.

			===The effectiveness of using SIS by Company A===
			As noted above, the use of AI and ML is due to the complexity and amount of data retrieved from clients’ systems. According to Company A’s website, cloud computing, AI, ML, IoT, and 5G Networks are changing the world, and they have the power to transform how we live, work, and communicate. Much of this is due to the fact that the operations now performed would previously have been impossible, owing to the sheer volume and complexity of the data.

			Company A has been using SIS in cybersecurity for some time. SIS allows the team to discover attempted hacks or other misuse such as fraud, or the use of fake base stations (imitating a legitimate mobile phone tower in order to collect personal data). Current technology allows pre-filtering and sorting but is less effective at identifying or responding to targeted attacks, which are more sophisticated than bulk attacks. Interviewee 4 described a detection system they had worked on:

			<blockquote>[O]ne of their security teams was working on malware detection for telecom software for operators. That software ended up in systems that will protect end-users from malware that could be installed into phones. This is more at the operator level, not like an antivirus which is for a phone users-level. (Interviewee 4, 2018)</blockquote>




	==References==		==References==
Line 119:		Line 170:

	==Notes==		==Notes==
	This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Stone article on the Yahoo cyber attack also appears to have been updated in 2019, though no archived version of the article from 2017 exists. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information. The original cites an article by Macnish and van der Ham, but the research doesn't appear to be published yet; found a draft on GitHub to cite. Non-figured "flavor" images from the original were not included here.		This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation (e.g., British English to American English). In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Stone article on the Yahoo cyber attack also appears to have been updated in 2019, though no archived version of the article from 2017 exists. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information. The original cites an article by Macnish and van der Ham, but the research doesn't appear to be published yet; found a draft on GitHub to cite. The original has an inline citation for Marko 2015 but doesn't include it in the closing references; found the supposed reference online and included it here. Non-figured "flavor" images from the original were not included here.

	<!--Place all category tags here-->		<!--Place all category tags here-->

Shawndouglas: Saving and adding more.

2019-06-03T23:33:49Z

Saving and adding more.

← Older revision		Revision as of 23:33, 3 June 2019
Line 109:		Line 109:

	They note that ethical problems cannot be solved easily, yet proposing the creation of a code of conduct for cybersecurity to provide guidance and a degree of consensus within the cybersecurity community regarding appropriate action in the face of attacks.		They note that ethical problems cannot be solved easily, yet proposing the creation of a code of conduct for cybersecurity to provide guidance and a degree of consensus within the cybersecurity community regarding appropriate action in the face of attacks.

			==The case study of a cybersecurity company using SIS==
			The literature review demonstrates a variety of ethical issues in cybersecurity. In this section our goal is to present the ethical problems that arise in practice. We aim to compare practice with academic literature concerning ethical issues of SIS in cybersecurity. This will help to inform both sides if there is a lack of understanding of the problems, and to enable mutual learning.

			This case study focuses on the ethical challenges that SIS bring in cybersecurity to shed some light on the risks of this sector and how they are currently minimized. The interview was conducted with four employees as a group at the headquarters of Company A in Scandinavia. All are experts in the Company A cybersecurity research team: Interviewee 1, a doctoral student; Interviewee 2, a researcher who focuses on core network security; Interviewee 3, a researcher who focuses on trusted computing; and Interviewee 4, a researcher with a background in machine learning (see Table 1, below). The methodology employed for the interview can be found in ''Understanding Ethics and Human Rights in Smart Information Systems: A Multi Case Study Approach'' by Macnish ''et al.''.<ref name="MacnishUnder19">{{cite journal \|title=Understanding Ethics and Human Rights in Smart Information Systems: A Multi Case Study Approach \|journal=ORBIT Journal \|author=Macnish, K.; Ryan, M.; Stahl, B. \|volume=2 \|issue=2 \|pages=102 \|year=2019 \|doi=10.29297/orbit.v2i1.102}}</ref>

	==References==		==References==

Shawndouglas: Saving and adding more.

2019-06-03T23:26:00Z

Saving and adding more.

← Older revision		Revision as of 23:26, 3 June 2019
Line 101:		Line 101:

	===Responsibility===		===Responsibility===
			The locus of responsibility for protecting against, and paying for protection against, cyber attacks is an ongoing issue.<ref name="GuioraCyber17">{{cite book \|title=Cybersecurity: Geopolitics, Law, and Policy \|author=Guiora, A.N. \|publisher=Routledge \|pages=89–111 \|year=2017 \|isbn=9781138033290}}</ref> It is not clear whether companies should be left to fend for themselves against hostile state-sponsored attacks, or whether governments should provide at least some financial support for them. Given the aforementioned potential to view cyber attacks as justification for declaring war, it is important to ask the degree to which the state should shoulder “responsibility for protecting its own economy on the internet as it does in physical space, by providing safe places to trade.”<ref name="MacnishEthics19" />

			Cybersecurity is usually taken to concern attacks from outside an entity rather than inside, for example using firewalls against incoming traffic.<ref name="vanCleeffSecurity09">{{cite journal \|title=Security Implications of Virtualization: A Literature Study \|journal=Proceedings from the 2009 International Conference on Computational Science and Engineering \|author=van Cleeff, A.; Pieters, W.; Wieringa, R.J. \|pages=353-358 \|year=2009 \|doi=10.1109/CSE.2009.267}}</ref> Yet the development of technology allows for a global environment in which many businesses provide third parties access to their own networks, thus expanding the boundaries of what, or who, may be seen as “inside.” This extends to “mobile devices [that] can access data from anywhere, and smart buildings [which] are being equipped with microchips that constantly communicate with each other.”<ref name="vanCleeffSecurity09" /> Cleeff ''et al.'' refer to this as “deperimeterization,” implying that not only is the border of the organization’s IT blurred, but also that the accountability for that border is dispersed (a problem exacerbated in data analytics and AI where responsibility for decision-making is not always clear.<ref name="SparrowKiller07">{{cite journal \|title=Killer Robots \|journal=Journal of Applied Philosophy \|author=Sparrow, R. \|volume=24 \|issue=1 \|pages=62–77 \|year=2007 \|doi=10.1111/j.1468-5930.2007.00346.x}}</ref> For example, “if the organization makes a decision to apply a certain data protection policy in its software, the data may in fact be managed by a different organization. How will the organization that actually manages the data implement and verify this?”<ref name="vanCleeffSecurity09" />

			===Business interests and codes of conduct===
			Competing interests are frequently perceived in security and profit. This may be seen as a zero-sum game in which any money spent on security is money which cannot be spent on increasing profit. However, this is clearly a flawed approach given the financial costs incurred in suffering a successful cyberattack. An example here is the decision of Marissa Meier, then CEO of Yahoo, not to inform the public of attacks in 2013 and 2014 regarding their accounts, most likely because such a revelation could have led to a loss in profit. Yet, when it became known, it devastated the company.<ref name="StoneTheYahoo19">{{cite web \|url=https://www.cashfloat.co.uk/blog/technology-innovation/yahoo-cyber-attack/ \|title=The Yahoo Cyber Attack & What should you learn from it? \|author=Stone, N. \|work=CashFloat Blog \|date=07 April 2019}}</ref> In response to similar concerns, Macnish and van der Ham argue for the necessity of guidance on disclosure of vulnerabilities, declaring "public-spirited motivations should be protected from predatory practices by companies seeking to paper over cracks in their own security through legal action. However, current conventions as to how to proceed with disclosure of vulnerabilities seem to be skewed in the favor of corporations and against the interests of the public.”<ref name="MacnishEthics19" />

			They note that ethical problems cannot be solved easily, yet proposing the creation of a code of conduct for cybersecurity to provide guidance and a degree of consensus within the cybersecurity community regarding appropriate action in the face of attacks.

	==References==		==References==
Line 107:		Line 114:

	==Notes==		==Notes==
	This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information. The original cites an article by Macnish and van der Ham, but the research doesn't appear to be published yet; found a draft on GitHub to cite. Non-figured "flavor" images from the original were not included here.		This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Stone article on the Yahoo cyber attack also appears to have been updated in 2019, though no archived version of the article from 2017 exists. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information. The original cites an article by Macnish and van der Ham, but the research doesn't appear to be published yet; found a draft on GitHub to cite. Non-figured "flavor" images from the original were not included here.

	<!--Place all category tags here-->		<!--Place all category tags here-->

Shawndouglas: Saving and adding more.

2019-06-03T22:57:54Z

Saving and adding more.

← Older revision		Revision as of 22:57, 3 June 2019
Line 41:		Line 41:

	==The use of smart information systems in cybersecurity==		==The use of smart information systems in cybersecurity==
	The introduction of big data and [[artificial intelligence]] (smart information systems, or SIS) in cybersecurity is still in its early phase. Currently there is comparatively little work carried out on cybersecurity using SIS for several reasons. These include the remarkable diversity of cyberattacks (e.g., different approaches to hacking systems and introducing malware), the danger of false positives and false negatives, and the relatively low intelligence of existing SIS.		The introduction of big data and [[artificial intelligence]] (AI) (representations of smart information systems, or SIS) in cybersecurity is still in its early phase. Currently there is comparatively little work carried out on cybersecurity using SIS for several reasons. These include the remarkable diversity of cyberattacks (e.g., different approaches to hacking systems and introducing malware), the danger of false positives and false negatives, and the relatively low intelligence of existing SIS.

	Taking these in turn, the diversity of attacks—both in the source of the attack, the focus of the attack, and the motivation of the attack—is significant. Attacks can be launched from outside an organization (e.g., from a hacking collective, such as Anonymous) or from an insider (e.g., a disaffected employee looking to damage a system). They may come from a single source, typically masked through using the darknet, or from a source who has engaged in a number of “hops” (moving from one computer on a network to another, thus masking the original source) such that the originator could appear to be in a [[hospital]] or in a military base. If an attack were to appear to come from a military base, this might encourage the attacked party to “hack back.” However, if the military base were an artificial screen presented in front of a hospital, the reverse hack could bring down that hospital’s computer networks. The focus of the attack could be on imitating a user or system administrator (local IT expert) or on exploiting a security flaw in unpatched code (programming in a network that has a flaw which has not yet been fixed, also known as a zero-day exploit). The motivation of the attack can range from state security and intelligence gathering (e.g., U.S. Intelligence spying on Chinese military installations), to financial incentives through blackmail (e.g., encrypting a company’s files and agreeing to decrypt them only when the company has paid the hacker a certain sum of money). This diversity means that it is extremely difficulty to develop a SIS that will effectively recognize an attack for what it is.		Taking these in turn, the diversity of attacks—both in the source of the attack, the focus of the attack, and the motivation of the attack—is significant. Attacks can be launched from outside an organization (e.g., from a hacking collective, such as Anonymous) or from an insider (e.g., a disaffected employee looking to damage a system). They may come from a single source, typically masked through using the darknet, or from a source who has engaged in a number of “hops” (moving from one computer on a network to another, thus masking the original source) such that the originator could appear to be in a [[hospital]] or in a military base. If an attack were to appear to come from a military base, this might encourage the attacked party to “hack back.” However, if the military base were an artificial screen presented in front of a hospital, the reverse hack could bring down that hospital’s computer networks. The focus of the attack could be on imitating a user or system administrator (local IT expert) or on exploiting a security flaw in unpatched code (programming in a network that has a flaw which has not yet been fixed, also known as a zero-day exploit). The motivation of the attack can range from state security and intelligence gathering (e.g., U.S. Intelligence spying on Chinese military installations), to financial incentives through blackmail (e.g., encrypting a company’s files and agreeing to decrypt them only when the company has paid the hacker a certain sum of money). This diversity means that it is extremely difficulty to develop a SIS that will effectively recognize an attack for what it is.
Line 80:		Line 80:
	===Competence of research ethics committees===		===Competence of research ethics committees===
	Within universities and many research institutions, research ethics committees (RECs) or institutional review boards oversee applications for research to provide protection for research participants. However, RECs are often composed of experts in ethics who have limited awareness of cybersecurity practice, or computer scientists who lack ethical expertise. An example of this occurred when potentially harmful research was carried out on non-consenting individuals in totalitarian states which effectively tested the firewalls of those states.<ref name="BurnettEncore15" /> While this research clearly put individuals at risk without their consent, at least two RECs determined that the research was not of relevance for ethical review because it did not concern human participants or personal data. It did, however, concern IP addresses, which could easily be linked to a person, putting that person at risk.<ref name="MacnishEthics19" /> In the case of research using SIS, the potential for obscurity of the data could render the link with individuals more difficult to recognize still. Furthermore, it should be noted that these are concerns which arise in institutions with access to an REC. As pointed out by Macnish and van der Ham<ref name="MacnishEthics19" />, many private companies do not have any ethical oversight facilities.		Within universities and many research institutions, research ethics committees (RECs) or institutional review boards oversee applications for research to provide protection for research participants. However, RECs are often composed of experts in ethics who have limited awareness of cybersecurity practice, or computer scientists who lack ethical expertise. An example of this occurred when potentially harmful research was carried out on non-consenting individuals in totalitarian states which effectively tested the firewalls of those states.<ref name="BurnettEncore15" /> While this research clearly put individuals at risk without their consent, at least two RECs determined that the research was not of relevance for ethical review because it did not concern human participants or personal data. It did, however, concern IP addresses, which could easily be linked to a person, putting that person at risk.<ref name="MacnishEthics19" /> In the case of research using SIS, the potential for obscurity of the data could render the link with individuals more difficult to recognize still. Furthermore, it should be noted that these are concerns which arise in institutions with access to an REC. As pointed out by Macnish and van der Ham<ref name="MacnishEthics19" />, many private companies do not have any ethical oversight facilities.

			===Security issues===
			Given the aforementioned definition of security as the absence of threat to acquired values, the maintenance of good security is an ethical issue, as without it commonly held values may be compromised. “Insufficient funding, poor oversight of systems, late or no installation of 'patches' (fixes to security flaws), how and where data are stored, how those data are accessed, and poor training of staff in security awareness”<ref name="MacnishEthics19" /> are therefore all instances of ethical concern.

			===Trust and transparency===
			Trust is an issue which connects the cybersecurity expert to the users who are being protected. Relating back to concerns regarding the risks inherent in publicizing vulnerabilities, there are pressing issues concerning transparency, such as “how far to push transparency: should it extend to government agencies or even other companies? On one hand sharing information increases vulnerability as one’s defenses are known, and one’s experience of attacks shared, but on the other it is arguably only by pooling experience that an effective defense can be mounted.”<ref name="MacnishEthics19" />

			Pieters argues that trust in a person goes hand-in-hand with the explanation that a person gives. Artificial agents hence need to explain their decisions to the user, such as how security is maintained in online transactions.<ref name="PietersExplan11" /> He argues that there is a need for better understanding of the relationship between explanation and trust in AI and information security. Glass ''et al.'' concluded that trust depends on both the detail of explanations provided and on the transparency of the system.<ref name="GlassToward08">{{cite journal \|title=Toward establishing trust in adaptive agents \|journal=Proceedings of the 13th International Conference on Intelligent User Interfaces \|author=Glass, A.; McGuinness, D.L.; Wolverton, M. \|pages=227–36 \|year=2008 \|doi=10.1145/1378773.1378804}}</ref> From a cybersecurity perspective, what matters is how to communicate whether the system is secure, why it is secure, or how it is secure. In SIS, explanations are typically provided by the system itself, while in information security the explanations are provided by the designer.<ref name="BedersonElect03">{{cite journal \|title=Electronic voting system usability issues \|journal=Proceedings of the SIGCHI Conference on Human Factors in Computing Systems \|author=Bederson, B.B.; Lee, B.; Sherman, R.M. et al. \|pages=145–52 \|year=2003 \|doi=10.1145/642611.642638}}</ref> Pieters argues that the role of explanations consists, at least in part, in acquiring and maintaining users’ trust. He further exposes the concept of “black boxes” which, together with trust and explanation, is a fundamental concept in cybersecurity, where the precise algorithm and associated decision-making techniques may become invisible within SIS systems.<ref name="PietersExplan11" />

			Furthermore, through applying Bruno Latour's actor-network theory<ref name="LatourReass05">{{cite book \|title=Reassembling the Social: An Introduction to Actor-Network-Theory \|author=Latour, B. \|publisher=Oxford University Press \|year=2005 \|isbn=9780199256044}}</ref>, Pieters highlights several issues with explanations and trust in information systems. He notes that explanations can be different depending on the actors who are explaining the system or technology. For example, a government seeking to protect the democratic credentials of an election, or a business with a commercial interest in keeping the source code secret, will have different explanations for an e-voting system.<ref name="PietersExplan11" /> In the same way, Pieter notes that delegation of technical aspects relating to the SIS will lead to a new actor who will not necessarily have the same abilities to explain the system as the designer.

			Pieters also notes that explanations can have different goals, such as transparency versus justification. He argues<ref name="PietersExplan11" />:

			<blockquote>Explanation-for-trust is explanation of how a system works, by revealing details of its internal operations. Explanation-for-confidence is explanation that makes the user feel comfortable in using the system, by providing information on its external communications. In explanation-for-trust, the black box of the system is opened; in explanation-for-confidence, it is not.</blockquote>

			In the field of cybersecurity, as elsewhere in security, explanation of the security capabilities of the system to the user is an important requirement. “This is especially true because security is not instantly visible in using a system, as security of a system is not a functional requirement.”<ref name="PietersExplan11" /> For example, it is not possible to infer that if a system gives good results then that system is secure. As Pieters warns, a criminal might have changed the results of voting without anyone noticing. Uncertainty is a feature within these systems, and given that security is often added to the system without being integral to it, it is feasible that the system can function without compromise being detected. The challenges of trust are exacerbated when the system operates using data analytics and potentially opaque algorithms that cannot be understood, still less challenged, by those affected.<ref name="ONeilWeapons16">{{cite book \|title=Weapons of Math Destruction: How Big Data Increases Inequality and Threatens Democracy \|author=O'Neil, C. \|publisher=Crown \|year=2016 \|isbn=9780553418811}}</ref>

			===Risk===
			Consideration of who will decide what risks will be taken, what are the acceptable risks, and how risk is calculated<ref name="HanssonTheEthics13">{{cite book \|title=The Ethics of Risk: Ethical Analysis in an Uncertain World \|author=Hansson, S. \|publisher=Palgrave MacMillan \|year=2013 \|isbn=9781137333650}}</ref><ref name="WolffFive10">{{cite journal \|title=Five Types of Risky Situation \|journal=Law, Innovation and Technology \|author=Wolff, J. \|volume=2 \|issue=2 \|pages=151–63 \|year=2010 \|doi=10.5235/175799610794046177}}</ref> is important in cybersecurity. One of the arguments given for not requesting informed consent in the case described by Burnett and Feamster<ref name="BurnettEncore15" /> regarding the non-consensual importing of malware onto users' computers to test firewalls was that, in the opinion of the researchers, there was only a limited risk of harm to the subject. However, it does not take much reflection to identify the risk to users who live in states where censorship is an issue, leading to potentially difficult situations.<ref name="ByersEncore15">{{cite web \|url=https://conferences.sigcomm.org/sigcomm/2015/pdf/reviews/226pr.pdf \|format=PDF \|title=Encore: Lightweight Measurement of Web Censorship with Cross-Origin Requests – Public Review \|author=Byers, J.W. \|date=2015}}</ref><ref name="MacnishEthics19" /> Furthermore, it has been demonstrated that different groups of society tend to assess risk differently, with the acceptable risk threshold of white men being significantly higher than that of women or ethnic minorities.<ref name="HermanssonTowards10">{{cite journal \|title=Towards a fair procedure for risk management \|journal=Journal of Risk Research \|author=Hermansson, H. \|volume=13 \|issue=4 \|pages=501–15 \|year=2010 \|doi=10.1080/13669870903305903}}</ref><ref name="HermanssonConsist05">{{cite journal \|title=Consistent risk management: Three models outlined \|journal=Journal of Risk Research \|author=Hermansson, H. \|volume=8 \|issue=7–8 \|pages=557–68 \|year=2005 \|doi=10.1080/13669870500085189}}</ref>

			===Responsibility===


	==References==		==References==

Shawndouglas: Saving and adding more.

2019-06-03T22:02:47Z

Saving and adding more.

← Older revision		Revision as of 22:02, 3 June 2019
Line 69:		Line 69:
	Privacy is a central issue in cybersecurity, as increasing amounts of personal data are gathered and stored in the cloud. Furthermore, these data can be highly sensitive, such as health or bank records.<ref name="ManjikianCyber17">{{cite book \|title=Cybersecurity Ethics \|author=Manjikian, M. \|publisher=Routledge \|pages=81–112 \|year=2017 \|isbn=9781138717527}}</ref> While the data at risk from attack is private, in order to identify an attack, particularly when SIS are involved, an effective cybersecurity system must maintain an awareness of “typical” behavior so that “atypical” behavior stands out more obviously. However, doing this requires ongoing development of personal profiles of users of a particular system, which in turn involves monitoring their behavior online. In cases of both attack and prevention of attacks, users’ privacy risks are compromised.		Privacy is a central issue in cybersecurity, as increasing amounts of personal data are gathered and stored in the cloud. Furthermore, these data can be highly sensitive, such as health or bank records.<ref name="ManjikianCyber17">{{cite book \|title=Cybersecurity Ethics \|author=Manjikian, M. \|publisher=Routledge \|pages=81–112 \|year=2017 \|isbn=9781138717527}}</ref> While the data at risk from attack is private, in order to identify an attack, particularly when SIS are involved, an effective cybersecurity system must maintain an awareness of “typical” behavior so that “atypical” behavior stands out more obviously. However, doing this requires ongoing development of personal profiles of users of a particular system, which in turn involves monitoring their behavior online. In cases of both attack and prevention of attacks, users’ privacy risks are compromised.

	A related issues is that of control of data, which may be seen as an aspect of privacy<ref name="MoorePriv15">{{cite book \|title=Privacy, Security and Accountability: Ethics, Law and Policy \|author=Moore, A.D. \|publisher=Rowman and Littlefield \|year=2015 \|isbn=9781783484768}}</ref><ref name="MoorePrivacy12">{{cite journal \|title=Privacy: Its Meaning and Value \|journal=American Philosophical Quarterly \|author=Moore, A.D. \|volume=40 \|pages=215–27 \|year=2003 \|url=https://ssrn.com/abstract=1980880}}</ref> or additional to privacy concerns.<ref name="AllenPrivacy99">{{cite journal \|title=Privacy-as-Data Control: Conceptual, Practical, and Moral Limits of the Paradigm \|journal=Connecticut Law Review \|author=Allen, A.L. \|volume=32 \|pages=861–75 \|year=1999 \|url=https://heinonline.org/HOL/LandingPage?collection=journals&handle=hein.journals/conlr32&div=35}}</ref><ref name="MacnishGov16">{{cite journal \|title=Government Surveillance and Why Defining Privacy Matters in a Post‐Snowden World \|journal=Journal of Applied Philosophy \|author=Macnish, K. \|volume=35 \|issue=2 \|pages=417–32 \|year=2018 \|doi=10.1111/japp.12219}}</ref> In either case, the control of data is a critical factor, as once an attack is successful, control is lost. The data may then be used for a variety of ends, not only relating to violations of privacy but also for political or other gain, as was the case with Cambridge Analytica<ref name="CadwalladrRevealed18">{{cite web \|url=https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election \|title=Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach \|author=Cadwalladr, C.; Graham-Harrison, E. \|work=The Guardian \|date=17 March 2018}}</ref>, where the problem was not only privacy concerns, but also the control of users’ data, which enabled discrete, targeted political advertising concerning the U.K.’s referendum on membership of the ~~E.U.~~ and the ~~U.S.~~ presidential election, both in 2016.<ref name="IencaCambridge18">{{cite web \|url=https://blogs.scientificamerican.com/observations/cambridge-analytica-and-online-manipulation/ \|title=Cambridge Analytica and Online Manipulation \|author=Ienca, M.; Vayena, E. \|work=Scientific American \|date=30 March 2018 \|accessdate=10 July 2018}}</ref>		A related issues is that of control of data, which may be seen as an aspect of privacy<ref name="MoorePriv15">{{cite book \|title=Privacy, Security and Accountability: Ethics, Law and Policy \|author=Moore, A.D. \|publisher=Rowman and Littlefield \|year=2015 \|isbn=9781783484768}}</ref><ref name="MoorePrivacy12">{{cite journal \|title=Privacy: Its Meaning and Value \|journal=American Philosophical Quarterly \|author=Moore, A.D. \|volume=40 \|pages=215–27 \|year=2003 \|url=https://ssrn.com/abstract=1980880}}</ref> or additional to privacy concerns.<ref name="AllenPrivacy99">{{cite journal \|title=Privacy-as-Data Control: Conceptual, Practical, and Moral Limits of the Paradigm \|journal=Connecticut Law Review \|author=Allen, A.L. \|volume=32 \|pages=861–75 \|year=1999 \|url=https://heinonline.org/HOL/LandingPage?collection=journals&handle=hein.journals/conlr32&div=35}}</ref><ref name="MacnishGov16">{{cite journal \|title=Government Surveillance and Why Defining Privacy Matters in a Post‐Snowden World \|journal=Journal of Applied Philosophy \|author=Macnish, K. \|volume=35 \|issue=2 \|pages=417–32 \|year=2018 \|doi=10.1111/japp.12219}}</ref> In either case, the control of data is a critical factor, as once an attack is successful, control is lost. The data may then be used for a variety of ends, not only relating to violations of privacy but also for political or other gain, as was the case with Cambridge Analytica<ref name="CadwalladrRevealed18">{{cite web \|url=https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election \|title=Revealed: 50 million Facebook profiles harvested for Cambridge Analytica in major data breach \|author=Cadwalladr, C.; Graham-Harrison, E. \|work=The Guardian \|date=17 March 2018}}</ref>, where the problem was not only privacy concerns, but also the control of users’ data, which enabled discrete, targeted political advertising concerning the U.K.’s referendum on membership of the European Union and the United States presidential election, both in 2016.<ref name="IencaCambridge18">{{cite web \|url=https://blogs.scientificamerican.com/observations/cambridge-analytica-and-online-manipulation/ \|title=Cambridge Analytica and Online Manipulation \|author=Ienca, M.; Vayena, E. \|work=Scientific American \|date=30 March 2018 \|accessdate=10 July 2018}}</ref>

			While the E.U. has sought to resolve concerns with privacy and control of data through the introduction of the General Data Protection Regulation<ref name="EUReg16">{{cite web \|url=https://publications.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en \|title=Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) \|author=Council of the European Union, European Parliament \|publisher=European Union \|date=27 April 2016}}</ref>, this has raised its own concerns. While European companies must follow strict regulations in developing SIS-related algorithms when it comes to accessing personal data, the same only applies to non-European companies when they practice in Europe. This leads to a concern of “data dumping, in which research is carried out in countries with lower barriers for use of personal data, rather than jump through bureaucratic hurdles in Europe. The result is that the data of non-European citizens is placed at higher risk than that of Europeans.”<ref name="MacnishEthics19" />

			Incidental findings also fall under this category, as data derived from regular scans with the goal of profile-building can uncover new information about an individual which they did not want to reveal. Decisions should be made in advance on how to reveal that information and to whom it should be revealed; for example, the discovery that an employee is looking for another job.

			===Vulnerabilities and disclosure===
			An awareness or a duty to find vulnerabilities in a network which leave it open to an attack can help cybersecurity professionals understand the magnitude of a particular attack. However, disclosure of vulnerabilities to a particular authority, such as the company responsible, also risks the leak of that vulnerability from the responsible authority to communities of hackers so that that network or others may be exploited.<ref name="MacnishEthics19" /> If vulnerabilities are made public, then the public visibility of a system and therefore its commercial viability may be threatened. For example, Wolter Pieters has pointed out the challenge of exposing vulnerabilities in e-voting systems: prior to an election and the systems will not be trusted; after an election and the election result will be called into question. However, if the vulnerability is not disclosed, then an attack may occur, which genuinely compromises the election. A related issue here is whether cybersecurity researchers looking at the techniques and practices of hackers should have a duty to expose vulnerabilities as an act of professional whistle-blowing. By rendering this a duty, there is less pressure on the professional to have to decide what is the right thing to do in a particular case, such as when competing financial interests may argue against such revelations.<ref name="DavisThink91">{{cite journal \|title=Thinking like an engineer: The place of a code of ethics in the practice of a profession \|journal=Philosophy & Public Affairs \|author=Davis, M. \|volume=20 \|issue=2 \|pages=150–67 \|year=1991 \|url=https://www.jstor.org/stable/2265293}}</ref> As noted above, ethical issues arising from vulnerability disclosure are true of cybersecurity generally, whether involving SIS or not.

			===Competence of research ethics committees===
			Within universities and many research institutions, research ethics committees (RECs) or institutional review boards oversee applications for research to provide protection for research participants. However, RECs are often composed of experts in ethics who have limited awareness of cybersecurity practice, or computer scientists who lack ethical expertise. An example of this occurred when potentially harmful research was carried out on non-consenting individuals in totalitarian states which effectively tested the firewalls of those states.<ref name="BurnettEncore15" /> While this research clearly put individuals at risk without their consent, at least two RECs determined that the research was not of relevance for ethical review because it did not concern human participants or personal data. It did, however, concern IP addresses, which could easily be linked to a person, putting that person at risk.<ref name="MacnishEthics19" /> In the case of research using SIS, the potential for obscurity of the data could render the link with individuals more difficult to recognize still. Furthermore, it should be noted that these are concerns which arise in institutions with access to an REC. As pointed out by Macnish and van der Ham<ref name="MacnishEthics19" />, many private companies do not have any ethical oversight facilities.

	==References==		==References==
Line 76:		Line 85:

	==Notes==		==Notes==
	This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information. The original cites an article by Macnish and van der Ham, but the research doesn't appear to be published yet; found a draft on GitHub to cite.		This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information. The original cites an article by Macnish and van der Ham, but the research doesn't appear to be published yet; found a draft on GitHub to cite. Non-figured "flavor" images from the original were not included here.

	<!--Place all category tags here-->		<!--Place all category tags here-->