Recently a friend posed an interesting problem to me, a problem that he has been struggling with for quite some time. Management, in their infinite wisdom, had assigned him the formidable task of coming up with a code of ethics that the staff must follow for all computer usage. Their actions stemmed from the abuses by employees (both technical and non-) of the various computer facilities provided by the company. These infractions ranged from simple acts such as reading another’s email over their shoulder to offenses as serious as the destruction of work created by others. It was felt that if a generic policy was instituted, employees would be able to supplement their moral compasses with a document to aid them in their quest for a happy and productive co-existence with one another.
In a diversified company that includes, among others, arts, documentation and technical support departments, the problem of creating a generic document is indeed formidable. One might initially suggest that each department has its own code of ethics, but the obvious objection arises: “Person X can do this, why can’t I?” The easy solution can therefore be discarded immediately. What is needed are guidelines generic enough to encompass all the departments, yet specific enough to stop employees from constantly second-guessing them or, worse, simply ignoring them.
Unlike a technical document, which presents a set of known facts in a clear, concise fashion, a code of ethics must cover as wide a moral base as possible without stretching its terms so far that it no longer fits the majority of the people it is aimed at. For example, one employee may see the company’s fast network connection as the perfect place to surf for and view pornography during the lunch break, while the vast majority of the office may find the practice unacceptable, or simply not allowable, in their environment. The viewer’s perspective is that they are on lunch break (thus their own time), that they are not outwardly disturbing anyone, and that they are not unduly loading the network during the lull. More importantly, others shouldn’t be looking at their screen anyway.
Hopefully, this simple example brings to light at least a small part of the problem that faces someone handed this daunting task. Writing an ethics document can be likened to writing the commandments: everyone is expected to follow the guidelines, but they must not be so intrusive as to cause rejection of the doctrine. Special care must be taken to ensure that the code does not deadlock, i.e. that no rule contradicts another. Also, almost above all else, the writer must make sure that the code does not cost the company any productivity.
The first step in writing such a document should be a good understanding of what the term ethics actually means and implies. The American Heritage Dictionary describes ethics as “The rules or standards governing the conduct of a person….” The word ethics is tied strongly to morals. Turning once again to the dictionary, we find that one of the many definitions of morals is: “Conforming to standards of what is right or just in behavior.” Sound like what we’re looking for? In other words, a code of ethics should outline a set of parameters within which the users of the guideline perform their actions and duties.
Next, let’s see why we need such a code to be explicitly outlined. In my associate’s case, the problem was that users simply did not understand what was and was not acceptable usage of the computer resources. So the problem we hope to solve is the lack of guidance and education in the ways employees interact, both explicitly and implicitly, with their computers and, through them, with one another.
Simple topics should be handled first, with additional layers added as special cases apply. For example, the rule “Keep your password a private affair” seems like common-sense advice, but to many first-time users the idea of a password is more of a passing annoyance than a necessary measure. As needed, this rule can be further clarified to account for systems administrators or other IT professionals. This, of course, raises further issues: a rule about passwords does nothing against someone who simply talks an employee into handing over what the password protects (think of the infamous Motorola incident, in which Kevin Mitnick passed himself off as a person who genuinely needed the blueprints for the next-generation cell-phone).
Have management and the systems administrators list their concerns about how the system is being abused and how they would like each abuse prevented. Some restrictions, such as password length and obscurity, the administrators can enforce directly through utilities such as “anal”. Other issues, such as surfing for porn, cannot be enforced by software and must be dealt with by less technical means: the policy itself, and the people who apply it.
It should be recognized that most people, when confronted with an infraction of the code of ethics, will mend their ways rather than suffer the consequences. In truth, most infractions of the code will be inadvertent, which brings us to the next point: implementation.
Once the code is written, how do we go about making sure people know and understand it? It would be easy for people to plead ignorance of the ethics document (at least initially) if no widespread education initiative were made. A multi-level program is probably the most effective: start by leaving printed copies of the new mandate in the lunch and coffee areas and releasing an organization-wide memo updating everyone on the current situation. Once this information has been available for a time, management can informally circulate around the company to see whether there are any questions about the new document, thus reinforcing the idea that it is to be taken quite seriously. In a non-business setting (such as a university), reading the code can be made a prerequisite to account activation, so new users have no excuse for being uninformed.
The writer must remember at all times that they are dealing with a wide spectrum of people that each have their own unique upbringing and thus their own unique view of what is right and wrong. The widest spectrum of values must be addressed, while the guidance and control the Code sets out to accomplish must be maintained.
In next week’s installment (How Does the Code of Ethics Relate to Security?) I will expand upon writing a Code of Ethics document and how it relates to security, with, thrown in for good measure, some knowledge gained the hard way from the more difficult situations that can arise.
SecurityPortal is the world’s foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.
The Focal Point for Security on the Net ™