WIC2007 · Cybersecurity Ethics
WIC2007 · Cyber Security

An Introduction to Cybersecurity Ethics

Why protecting data is really about protecting people — and how to choose well when the rules run out.
Lecturer: Faiz Zaki
Session: 2025 / 2026
Adapted from “An Introduction to Cybersecurity Ethics” — Shannon Vallor, Markkula Center for Applied Ethics, Santa Clara University.
Where we begin
The most important thing is not life, but the good life.
Socrates · 399 B.C.
Definition

Ethics is the oldest human question: how do we live well?

Applied ethics narrows it to something practical — how should I act, here, in this situation? It lives in personal reflection, in community values, and in the professional codes that bind doctors, lawyers and engineers.

Why ethics, why now

Technology is never neutral.

We bake our values into everything we build — and into how we distribute and use it. Technology doesn’t just serve what we want; it shapes what we come to want.

Three forces

Why the old rulebook can’t keep up

01

Speed & scale

Technology reshapes society faster than laws and regulators can respond.

02

The expertise gap

Lawmakers rarely understand the systems — so technologists must anticipate the harms.

03

Uneven impact

The same tool creates winners and losers. That makes it a question of justice, not just engineering.

You don’t secure data.
You secure people.

Cybersecurity protects the integrity and reliability of the human systems we all depend on. Behind every network sits a real life.

Who is shielded
Secure a hospital network and you protect patients — without ever holding a scalpel. Also students, voters, investors, drivers, passengers, credit users: all of us.

The work happens behind the scenes. That invisibility is exactly why its ethical weight is so easy to miss.

Part One

The important ethical issues in cybersecurity

Issue A

Harms to privacy

Identity theft, surveillance, blackmail, extortion. Even people who live “off the grid” are exposed through their doctors, lawyers and employers. Sensitive data rarely stays where it was created.

Issue B

Harms to property

Theft of funds, trade secrets and intellectual property. Even “defensive” moves like hacking back can spill collateral damage onto innocent third parties — Stuxnet infected hundreds of thousands of unrelated machines.

Issue C

Resource allocation

Security has real cost — money, speed, usability. A system that is maximally secure but unusable can’t be justified, just as you wouldn’t secure a bank by padlocking every door. Striking that balance is itself an ethical act.

Issue D

Transparency & disclosure

There’s a default duty to disclose known risks so people can protect themselves — held in tension against the danger of tipping off attackers before a patch exists. No single rule fits every case.

Issue E

Roles, duties & interests

Competing loyalties — to employer, client, nation, the public, and yourself — frequently collide. Untangling them takes deliberate ethical reflection, not reflex.

Roles in tension
White-hat: acts with permission · defends the public good
Grey-hat: no clear authorisation · blurred lines
Black-hat: exploits for criminal or political gain

The market for zero-day exploits pays for both finding and exposing dangerous tools — the perfect portrait of cybersecurity’s tangled incentives.

Part Two · On the job

Legal is not the same as ethical.

Ten recurring questions
01 · Balancing values
02 · Incident response
03 · Breach disclosure
04 · Network monitoring vs. privacy
05 · Competing obligations
06 · Data storage & encryption
07 · IoT & product design
08 · Accountability
09 · Research & testing
10 · Broader, long-term impacts

Part Three

What do we owe the public?

Vocation

A professional professes something.

To profess is to stand publicly for a value and accept accountability for it. Society grants professionals respect and power in exchange for protecting a vital public good. A stakeholder is anyone your work can affect — and your trivial interest never outweighs another person’s vital one.

The bargain
With great power comes great responsibility.
Public trust is real power — and real obligation
Case spotlight · Equifax, 2017
143M people exposed

A patch had been available for two months before the breach. Equifax knew for months before disclosing. Its consumer-help site was itself insecure — and tried to waive the right to sue. One admin panel was guarded by “admin / admin.” Executives sold ~$2B in stock before the public announcement.

Discuss — Which of the ten challenges does this touch? How could an ethical culture, not just better tooling, have changed the outcome?

Part Four · Three lenses

How to think it through

01

Virtue ethics

Focuses on character — what a good person is like. Cultivate practical wisdom; learn from exemplars.

“What would a person of excellent character do?”
02

Consequentialist

Judges by outcomes — the greatest good, the least harm, for everyone affected.

“Which choice produces the best overall result?”
03

Deontological

Grounded in duties and rights. Kant: never treat a person as a mere means to an end.

“What are my duties, and whose rights are at stake?”

Each has limits — strongest when used together to test a decision from every angle.

Case for debate

“The ends justify the means.”

Anthony & Sarah fight malware by releasing their own patch-worms “into the wild,” auto-disabling infected machines without warning, and hacking back at attackers — risking innocent third parties. They hide their methods from employer, users and the public.

Discuss — Test them against all three frameworks. Which best practices do they ignore? Is the employer’s “the less I know, the better” stance ethical?

Part Five · Best practices

Make ethics a habit, not a checkbox.

In the work

  • Keep ethics visible. Out of the compliance box — it’s always in play.
  • See the human lives behind the systems
  • Trace downstream, upstream & lateral risk
  • Build clear chains of accountability. Avoid the “problem of many hands.”

In yourself

  • Examine your own choices, regularly
  • Look for moral exemplars
  • Exercise moral imagination. Picture the harm before it happens.
  • Keep good company & trust your moral strength
Carry this out

Five things to remember

01

Cybersecurity protects human flourishing, not just machines.

02

Legal ≠ ethical — the hard calls live where rules run out.

03

Think in stakeholders; rank by what each stands to lose.

04

Use virtue, consequences & duty together.

05

Make reflection standard, pervasive and rewarding.


Questions & Discussion

Pick a breach from this week’s news. Who were the stakeholders? Which challenges and best practices were in play — and what would you have done?

Lecturer: Faiz Zaki
Course: WIC2007 Cyber Security
Source: Markkula Center, SCU