Difference between revisions of "Journal:Smart information systems in cybersecurity: An ethical analysis"

(Saving and adding more.)
(Saving and adding more.)
Line 35: Line 35:


Cybersecurity is therefore a complex and multi-disciplinary issue. Security has been defined in the international relations and security studies spheres both as “the absence of threats to acquired values”<ref name="WolfersNational52">{{cite journal |title="National Security" as an Ambiguous Symbol |journal=Political Science Quarterly |author=Wolters, A. |volume=67 |issue=4 |pages=481–502 |year=1952 |doi=10.2307/2145138}}</ref> and “the “absence of harm to acquired values.”<ref name="BaldwinTheCon97">{{cite journal |title=The Concept of Security |journal=Review of International Studies |author=Baldwin, D.A. |volume=23 |issue=1 |pages=5–26 |year=1997 |url=https://www.cambridge.org/core/journals/review-of-international-studies/article/concept-of-security/67188B6038200A97C0B0A370FDC9D6B8}}</ref> Within the profession, cybersecurity is more commonly defined in terms of confidentiality, integrity, and availability of [[information]].<ref name="LundgrenDefin19">{{cite journal |title=Defining Information Security |journal=Science and Engineering Ethics |author=Lundgren, B.; Möller, N. |volume=25 |issue=2 |pages=419–41 |year=2019 |doi=10.1007/s11948-017-9992-1}}</ref> A 2014 literature review on the meanings attributed to cybersecurity has led to the broader definition of cybersecurity as "the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems.”<ref name="CraigenDefining14">{{cite journal |title=Defining Cybersecurity |journal=Technology Innovation Management Review |author=Craigen, D.; Diakun—Thibault, N.; Purse, R. |volume=4 |issue=10 |pages=13–21 |year=2014 |doi=10.22215/timreview/835}}</ref>
Cybersecurity is therefore a complex and multi-disciplinary issue. Security has been defined in the international relations and security studies spheres both as “the absence of threats to acquired values”<ref name="WolfersNational52">{{cite journal |title="National Security" as an Ambiguous Symbol |journal=Political Science Quarterly |author=Wolters, A. |volume=67 |issue=4 |pages=481–502 |year=1952 |doi=10.2307/2145138}}</ref> and “the “absence of harm to acquired values.”<ref name="BaldwinTheCon97">{{cite journal |title=The Concept of Security |journal=Review of International Studies |author=Baldwin, D.A. |volume=23 |issue=1 |pages=5–26 |year=1997 |url=https://www.cambridge.org/core/journals/review-of-international-studies/article/concept-of-security/67188B6038200A97C0B0A370FDC9D6B8}}</ref> Within the profession, cybersecurity is more commonly defined in terms of confidentiality, integrity, and availability of [[information]].<ref name="LundgrenDefin19">{{cite journal |title=Defining Information Security |journal=Science and Engineering Ethics |author=Lundgren, B.; Möller, N. |volume=25 |issue=2 |pages=419–41 |year=2019 |doi=10.1007/s11948-017-9992-1}}</ref> A 2014 literature review on the meanings attributed to cybersecurity has led to the broader definition of cybersecurity as "the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems.”<ref name="CraigenDefining14">{{cite journal |title=Defining Cybersecurity |journal=Technology Innovation Management Review |author=Craigen, D.; Diakun—Thibault, N.; Purse, R. |volume=4 |issue=10 |pages=13–21 |year=2014 |doi=10.22215/timreview/835}}</ref>
Cybersecurity therefore can be seen to encompass property rights of ownership of networks that could come under attack, as well as other concerns attributed with these, such as issues of access, extraction, contribution, removal, management, exclusion, and alienation.<ref name="HessUnder06">{{cite book |title=Understanding Knowledge as a Commons: From Theory to Practice |author=Hess, C.; Ostrom, E. |publisher=MIT Press |year=2006 |isbn=9780262083577}}</ref> Hence cybersecurity fulfills a similar role to physical security in protecting property from some level of intrusion. Craigen ''et al.'' also argue that cybersecurity refers not only to a technical domain, but also that the values underlying that domain should be included in the description of cybersecurity.<ref name="CraigenDefining14" /> Seen this way, ethical issues and values form bedrock to cybersecurity research as identifying the values which cybersecurity seeks to protect.
Despite these concerns, there are some potential grounds for use of SIS in cybersecurity. The most effective is in scanning systems for known attacks, or known abnormal patterns of behavior that have a very high likelihood of being an attack. When coupled with a human operator to scan any alerts and so determine whether to take action, the combined human-machine security system can prove to be effective, albeit still facing the above problems of automation bias and excessive false positives.<ref name="MacnishUnblink12">{{cite journal |title=Unblinking eyes: The ethics of automating surveillance |journal=Ethics and Information Technology |author=Macnish, K. |volume=14 |issue=2 |pages=151–67 |year=2012 |doi=10.1007/s10676-012-9291-0}}</ref>


==References==
==References==
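
Review bot: the last added paragraph opens with "Despite these concerns" and leans on "the above problems of automation bias and excessive false positives", but none of the paragraphs visible before it in this revision introduce those concerns, so the reference dangles; either land the section that discusses automation bias and false positives first, or hold this paragraph until that text is in place. Two smaller points in the surrounding context lines: the Baldwin quotation has a doubled opening quote (`“the “absence of harm`), and the first citation's author field reads "Wolters, A." while its ref name is "WolfersNational52", so one of the two spellings needs correcting. In the Craigen citation, "Diakun—Thibault" uses an em-dash where a hyphen is expected.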

Revision as of 19:19, 3 June 2019

Full article title Smart information systems in cybersecurity: An ethical analysis
Journal ORBIT Journal
Author(s) Macnish, Kevin; Fernandez-Inguanzo, Ana; Kirichenko, Alexey
Author affiliation(s) University of Twente, F-Secure
Primary contact Email: k dot macnish at utwente dot nl
Year published 2019
Volume and issue 2(2)
Page(s) 105
DOI 10.29297/orbit.v2i2.105
ISSN 2515-8562
Distribution license Creative Commons Attribution 4.0 International
Website https://www.orbit-rri.org/ojs/index.php/orbit/article/view/105
Download https://www.orbit-rri.org/ojs/index.php/orbit/article/view/105/117 (PDF)

Abstract

This report provides an overview of the current implementation of smart information systems (SIS) in the field of cybersecurity. It also identifies the positive and negative aspects of using SIS in cybersecurity, including ethical issues which could arise while using SIS in this area. One company working in the industry of telecommunications (Company A) is analysed in this report. Further specific ethical issues that arise when using SIS technologies in Company A are critically evaluated. Finally, conclusions are drawn on the case study, and areas for improvement are suggested.

Keywords: cybersecurity, ethics, smart information systems, big data

Introduction

Increasing numbers of items are becoming connected to the internet. Cisco—a global leader in information technology, networking, and cybersecurity—estimates that more than 8.7 billion devices were connected to the internet by the end of 2012, a number that will likely rise to over 40 billion in 2020.[1] Cybersecurity has therefore become an important concern both publicly and privately. In the public sector, governments have created and enlarged cybersecurity divisions such as the U.S. Cyber Command and the Chinese “Information Security Base,” whose mission is to provide security to critical national security assets.[1]

In the private sphere, companies are struggling to keep up with the need for security in the face of increasingly sophisticated attacks from a variety of sources. In 2017, there were “over 130 large-scale, targeted breaches [by hackers of computer networks] in the U.S.,” and “between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches.”[2] Furthermore, cyberattacks not only affect the online world but also lead to vulnerabilities in the physical world, particularly when an attack threatens industries such as healthcare, communications, energy, or military networks, putting large swathes of society at risk. Indeed, it has been argued that some cyberattacks could constitute legitimate grounds for declarations of (physical) war.[3]

Cybersecurity is therefore a complex and multi-disciplinary issue. Security has been defined in the international relations and security studies spheres both as “the absence of threats to acquired values”[4] and “the absence of harm to acquired values.”[5] Within the profession, cybersecurity is more commonly defined in terms of confidentiality, integrity, and availability of information.[6] A 2014 literature review on the meanings attributed to cybersecurity has led to the broader definition of cybersecurity as “the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems.”[7]

Cybersecurity can therefore be seen to encompass property rights of ownership of networks that could come under attack, as well as other concerns associated with these, such as issues of access, extraction, contribution, removal, management, exclusion, and alienation.[8] Hence cybersecurity fulfills a similar role to physical security in protecting property from some level of intrusion. Craigen et al. also argue that cybersecurity refers not only to a technical domain, but also that the values underlying that domain should be included in the description of cybersecurity.[7] Seen this way, ethical issues and values form the bedrock of cybersecurity research, since they identify the values which cybersecurity seeks to protect.

Despite these concerns, there are some potential grounds for use of SIS in cybersecurity. The most effective is in scanning systems for known attacks, or known abnormal patterns of behavior that have a very high likelihood of being an attack. When coupled with a human operator to scan any alerts and so determine whether to take action, the combined human-machine security system can prove to be effective, albeit still facing the above problems of automation bias and excessive false positives.[9]


References

  1. Singer, P.W.; Friedman, A. (2014). Cybersecurity and Cyberwar: What Everyone Needs to Know (1st ed.). Oxford University Press. ISBN 9780199918119. https://books.google.com/books?id=9VDSAQAAQBAJ.
  2. Sobers, R. (18 May 2018). "60 Must-Know Cybersecurity Statistics for 2018". Varonis Blog. Archived from the original on 08 November 2018. https://web.archive.org/web/20181108122758/https://www.varonis.com/blog/cybersecurity-statistics/. Retrieved 17 December 2018. 
  3. Smith, P.T. (2015). "Cyberattacks as Casus Belli: A Sovereignty‐Based Account". Journal of Applied Philosophy 35 (2): 222–41. doi:10.1111/japp.12169. 
  4. Wolfers, A. (1952). "'National Security' as an Ambiguous Symbol". Political Science Quarterly 67 (4): 481–502. doi:10.2307/2145138.
  5. Baldwin, D.A. (1997). "The Concept of Security". Review of International Studies 23 (1): 5–26. https://www.cambridge.org/core/journals/review-of-international-studies/article/concept-of-security/67188B6038200A97C0B0A370FDC9D6B8. 
  6. Lundgren, B.; Möller, N. (2019). "Defining Information Security". Science and Engineering Ethics 25 (2): 419–41. doi:10.1007/s11948-017-9992-1. 
  7. Craigen, D.; Diakun-Thibault, N.; Purse, R. (2014). "Defining Cybersecurity". Technology Innovation Management Review 4 (10): 13–21. doi:10.22215/timreview/835.
  8. Hess, C.; Ostrom, E. (2006). Understanding Knowledge as a Commons: From Theory to Practice. MIT Press. ISBN 9780262083577. 
  9. Macnish, K. (2012). "Unblinking eyes: The ethics of automating surveillance". Ethics and Information Technology 14 (2): 151–67. doi:10.1007/s10676-012-9291-0. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The 2018 article by Sobers on 60 must-know cybersecurity facts has been updated in 2019; an archived version from 2018 is used in this version. The Lundgren and Möller citation has changed since the original article published online; this version represents the new information.