The Code of Honor E-Book

Table of Contents

Cover

Table of Contents

Title Page

Introduction: “Like Your Hair Is On Fire”

How Should You Read This Book?

Why Are There Two Authors but Only One Voice?

How Should You Approach the Critical Applications Case Studies?

How Should You Use the Cybersecurity Code of Honor?

A Challenge to Make the World a Better Place

CHAPTER 1: One Code to Rule Them All?

In Case You Are Wondering Why You Should Care

Do We Need Ethics in Cybersecurity?

Long-Standing Models for the Code

Why the Need for the Code Is Urgent

Notes

CHAPTER 2: This Is a Human Business

Cybersecurity Is a Human Business

Humans Have Inherent Value

Humans Over Technology

The Solution to the Problem of Cybersecurity Is Principally a Human Solution

Character Costs and Character Pays

Case Study: When Security Is on the Chopping Block

Note

CHAPTER 3: To Serve and Protect

We Need You on That Wall

Know Your Why—Purpose and People

Service Means Sharing: Sharing Starts with Good Communication

Sharing with the Broader Cyber Community: We Are All on the Same Wall

Checking In

A Final Example

Case Study: Responsible Disclosure of a Security Flaw

Notes

CHAPTER 4: “Zero-Day” Humanity and Accountability

Bad Decisions and Multiplication

Humans Are Flawed

Turning Vulnerability into Strength: It Begins with Humility

Being a Lifelong Learner

Handling the Mistakes of Others

Let's Try to Avoid “Breaking Bad”

How to Develop a Reflective Practice

Case Study: To Pay or Not to Pay—A Ransomware Quandary

Note

CHAPTER 5: It Begins and Ends with Trust

The Secret of Success

Trust Is the Currency of Cybersecurity

How Trust Is Built

When Things Go Bad

Building Trust Requires Courage

The Role of Leadership in Building a Culture of Trust

A Checklist for Building Trust

Case Study: A Matter of Trust and Data Breaches

Note

CHAPTER 6: There Is Strength in the Pack

No Room for Know-it-Alls

Making Informed Ethical Decisions with Input

Why Teamwork Really Does Make the Dream Work

When Collaboration Breaks Down—Seeking Allies in Your Organization

The Power of Mentors

Beware of Rattlesnakes

Case Study: Graded on a Curve? The Security Audit Checkmark

CHAPTER 7: Practicing Cyber Kung Fu

Essential to Success: Patience, Wisdom, and Self-Control

Remember the

Titanic

A Few Principles for Emergency Planning

Stay Calm, Cool, and Collected

Our Job Is Not Revenge

Develop Your Cyber Kung Fu

Case Study: An Open Door: Vigilante Justice

Note

CHAPTER 8: No Sticky Fingers Allowed

If It's Free, It's for Me?

Avoid a “Robin Hood” Narrative

A Tragedy of “Free Information”

Intellectual Property Is Property

To Catch a Thief, We Must Train Like One

Choices Have Consequences

All I Really Need to Know I Learned in Kindergarten

Case Study: Something Borrowed and Something New

Notes

CHAPTER 9: It's None of Your Business

Curiosity Can Kill the Cat

The Golden Rule Applied to Cybersecurity

Stay in Your Lane

Four Questions to Help Avoid Impropriety

Each Time You Cross the Line, It Becomes Easier

We Hurt Real Human Beings

An Outrageous Example of the Problem

Remember: We Are the Shield

Case Study: To Share or Not to Share? Investigating the CFO's System

Notes

Appendix A: The Cybersecurity Code of Honor

Appendix B: Where Do We Go from Here?

Acknowledgments

About the Authors

Index

Copyright

End User License Agreement

Guide

Cover

Title Page

Copyright

Introduction: “Like Your Hair Is On Fire”

Table of Contents

Begin Reading

Appendix A: The Cybersecurity Code of Honor

Appendix B: Where Do We Go from Here?

Acknowledgments

About the Authors

Index

End User License Agreement

Pages

iii

ix

x

xi

xii

xiii

xiv

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

193

194

195

197

198

199

200

201

202

203

204

iv

205

The Code of Honor

Embracing Ethics in Cybersecurity

Introduction: “Like Your Hair Is On Fire”

Dear Reader,

You may not realize it yet, but we would like to humbly suggest to you that, metaphorically speaking, your hair is on fire—or at least you should be responding to the current state of the cybersecurity industry and its impact on the world with an alarmed sense of immediate concern. We assume you have opened these pages because you are a leader with cybersecurity responsibilities, a cybersecurity practitioner, or a student preparing for a role in this industry. Or, although you may have another role, perhaps cybersecurity is quickly becoming a critical concern in your daily work. Regardless of what brought you here, we are quite sure the challenges we address in these pages are more far-reaching and urgent than you may even realize right now.

The Code of Honor is the result of a journey we began several years ago to address an expanding ethical vacuum in our industry, where critical decisions are often made without regard to their ethical implications. At the same time, the weight and financial impact of our decision-making is rapidly increasing. As you will learn in the coming pages, the crossroads of cybersecurity and ethics aren't some philosophical “pie in the sky” discussion. Cybersecurity professionals hold a great deal of power and enormous levels of responsibility in the workplace and the broader economy. It is a high-pressure, fast-paced, and exciting field where ethical decision-making can make the difference between success and abject disaster, not only for your career but for your organization, customers, or constituents, and perhaps far beyond. The topics we explore in this book are integral to the daily operations of nearly every industry and are essential to the very stability of our modern world.

As the cybersecurity industry is changing at light speed, we must truly respond to the emergent ethical challenges with a level of “hair on fire” determination and precision. Our offering in The Code of Honor is a systematic and thoughtfully constructed program for building best practices regarding ethics in decision-making in the tech industry with a specific focus on cybersecurity. This book presents a concise, carefully designed, and timeless set of ethics that will engage everyone from C-suite leaders who work on the periphery of the cyber world to the most seasoned cybersecurity professionals and everyone in between.

We thought it best to begin by answering a few questions that will help you maximize your experience and effectively engage with the pages ahead.

How Should You Read This Book?

To craft this book, we spent a year thinking through and documenting various ethical dilemmas we've seen in the cybersecurity industry in our several decades, worth of experience as practitioners, leaders, and educators. From those discussions, we spent a great deal of time wrestling with each other to formulate a clear, short, valuable Cybersecurity Code of Honor to provide a framework for ethical decision-making for real-world cybersecurity leaders and practitioners. We then refined the code of honor by gathering input from dozens of friends and colleagues throughout the cybersecurity industry. We wrote this book to provide an in-depth tool that expands on the ideas of that code of honor, which is in Appendix A of the book.

The chapters are written in a specific sequence and are meant to be read in order. Every chapter supports a tenant of the code of honor. Each chapter is full of engaging stories, industry-specific illustrations, and practical, real-world applications designed to teach the essential foundational concepts behind this widely accepted code of ethics that is becoming an industry standard. The book is designed to be read individually or in a team or corporate setting. We highly encourage you to work through the lessons of each chapter with other professionals who can help you learn and grow.

Why Are There Two Authors but Only One Voice?

While “we” (Paul and Ed) contributed equally significantly to this product, we did not want to confuse the reader by writing with two different voices throughout these chapters. We chose to approach the important concepts in this book with one consistent voice to make the reading experience straightforward and ensure the content is front and center. On rare occasions, we will refer to specific experiences of Paul or Ed by name, but we will generally refer to our common and shared experiences as “we.”

How Should You Approach the Critical Applications Case Studies?

Every chapter closes with a case study called “Critical Applications,” designed to help you utilize the essential skills and concepts you have learned in that chapter and those before it. These case studies are meant to challenge you to consider the ethical implications of the choices we must make in our professional lives. While the names, companies, and details of these stories have been changed, they are based on real-world examples from across our industry that we have observed or advised our colleagues about.

Each case study can be used to facilitate lively small group discussion and debate in classrooms, corporate sessions, training exercises, or seminar settings. Not only are these studies powerful teaching tools for students and industry professionals, but they can also assist C-suite leaders who need to better understand the scope of cybersecurity challenges, define their liability and responsibility, and think strategically about budget and hiring personnel necessary to protect their organizations. As you'll see later in this book, we think of cybersecurity ethical practices rather like muscles—the more you work them out, the stronger you'll get. Please use these “Critical Applications” scenarios at the end of each chapter as an exercise regimen for yourself and your team.

How Should You Use the Cybersecurity Code of Honor?

Our book closes with the Cybersecurity Code of Honor that is a singular universal code of ethics currently being adopted by cybersecurity practitioners and leaders around the world. The Cybersecurity Code of Honor was born out of research, interviews, and conversations with the world's leading experts in our field and can be applied to a wide range of ethical decisions you may confront in the cybersecurity industry. We recognize that various cybersecurity certification bodies and other related organizations have developed oaths and codes of honor for holders of those certs. We applaud their efforts and have reviewed each of them carefully as we formulated the Cybersecurity Code of Honor. We aim to build something applicable beyond individual cybersecurity certifications and even individual job roles—to create something useful as a framework throughout the cybersecurity world.

We have been humbled to witness the immediate impact the Cybersecurity Code of Honor has made across the industry. It is our hope it will also be adopted by you, your organization, or your school to help provide a singular lens through which best ethical practices in our field may be determined.

A Challenge to Make the World a Better Place

We have done our best to present the lessons about this system of cybersecurity ethics in a way that will engage everyone. It is our sincerest hope that this book can function as a comprehensive learning tool for students, cybersecurity professionals, and business leaders who have been desperately seeking a widely agreed-upon set of principles to guide their professional and personal ethical decisions. We believe that this book (and its corresponding code of honor) can be a catalyst for your career advancement, help enhance the security of your organization, and even fast-track your leadership teams' success. Ultimately, we challenge you to embrace the ethical standards and practices in this book for the world's greater good.

CHAPTER 1One Code to Rule Them All?

Cybercrime and cybersecurity should be among the foremost concerns of every industry, service, and every civic interest. Why? Cyber technology effectively runs the modern world from banking to healthcare, retail to sanitation, and governance to modern warfare. Cybersecurity practitioners wield great power, are under intense pressure, work in a culture that is changing at warp speed, and often have profound responsibilities. The fast-paced environment of our industry can be a breeding ground for mistakes, misused authority, and even intentionally abused power. The unprecedented speed of innovation in the 21st century has left us without a clear system of ethics for this great economic and security threat of our age. We would be remiss if we didn't begin by sharing some statistics with you reflecting how cybersecurity and cybercrime impact the world as we write this book. While the numbers may read like an archeological time capsule by the time you read them, it is our way of pulling the “fire alarm” in the midst of an unfolding global crisis.

According to research, an estimated 53.35 million U.S. citizens were affected by cybercrime just in the first half of 2022.

1

Ransomware attacks in 2022 cost global businesses an estimated $20 billion. As cybercriminals are becoming rapidly more advanced and targeting businesses that can pay higher ransom fees, experts believe that $20 billion will balloon to more than $30 billion just in the next year.

2

The average cost to an individual organization that has suffered a data breach in 2022 was $4.35 million.

3

This cyber arms race by the world's bad actors is also leading to increased security spending. According to a recent report, cybersecurity spending is expected to reach $172 billion by the close of 2022.

Every time we open our browser or news app to check the latest research, the proverbial fire presents its rapid spread in the news cycle of the day. Today's headline points out that “Crypto-hackers steal $3 Billion This Year,” while another proclaims, “2025 will be the biggest year for Digital Heists!” Cyberattackers, through ransomware and other insidious schemes, have caused massive damage to banks, hospitals, schools, critical infrastructures, and more. And it seems to be only getting worse.

In Case You Are Wondering Why You Should Care

For those of you on the periphery of our industry or simply new to the job, it is important to know what you are risking if you choose to ignore this cybersecurity crisis (no matter how big or small your organization is). Even today, there are too many leaders who still don't fully understand the scope of impact that cyberattacks can have in our world. Here are just a few of the effects that cyberattacks can inflict upon you and your business:

You may suffer damage to your computer systems. When malicious computer attackers target your business, they can damage or destroy data on those systems, and the cost to repair or rebuild them can be extremely high.

Attackers can steal sensitive data from your business such as consumer information or even trade secrets, which can have a dramatic impact on your company's reputation and financial standing.

A cyberattack can interrupt the services that your business provides and cause you to lose money, customers, and time.

You can face legal consequences from a cyberattack. You and your business can be held accountable for damages to consumers.

Being hit by a cyberattack can ruin your brand and your reputation, making it harder to attract and keep customers. It can negatively impact your business long after the immediate damages of an attack have been corrected.

Finally, there is always cybercrime and identify theft’s impact on real people. If cybercriminals steal consumer information from your systems, those customers will be put at risk, affecting your consumer retention, impacting stakeholder trust, and resulting in legal issues. Even more concerning are cyberattacks that break into healthcare systems, transportation, or other critical infrastructures, perhaps causing severe damage to life and limb.

Cybersecurity is no longer an issue that you can ignore. We would argue that your success as a business, a professional, and a leader could be tied to how seriously you address this problem. Experts are currently predicting that cybercrime will eclipse the gross domestic product (GDP) of the world's largest economies in the near future. While it may sound fantastical, we are here to tell you it is a stark and unnerving reality.

It's as if we are trying to put out this worldwide four-alarm fire with a water gun. Every day in the cybersecurity industry, we are fighting for the resources, staffing, education, and ethical framework to keep attackers at bay. While the global workforce in our industry stands at around 4.7 million workers, it is predicted that there will be an astounding 3.4 million cybersecurity worker shortage worldwide within a few years. Currently, we need 600,000 positions filled in the United States alone. As we struggle to keep up with the demand to fill positions, we also must be vigilant to find good candidates of reputable character who are committed to serving the greater good. If we fill open positions with people who lack the ethical framework and character to put it into real-world practice, we'll only make the problem worse—much worse.

This is a problem that touches the day-to-day operations of nearly every public and private entity. Yes, by the time you read these words, the numbers will be outdated, and unfortunately, the challenges will be way bigger. There is simply no evidence that these trends will reverse course in the near future. Technology will continue to dominate the business landscape and become ever more a part of all of life. We are not going to go backward from our online, on-demand, virtual world any time soon. And of course, we are not likely going to become less technologically advanced or cyber-integrated. Attackers are not going to give up. Cybercrime is too lucrative an industry.

Is there a way to stop or at least slow down the trend? Is there any hope?

Do We Need Ethics in Cybersecurity?

Yes. An ethical standard in cybersecurity is fundamental to its future. If you work in cybersecurity, your day-to-day job can feel like fighting fires. Your day can go from 0 to 100 with one email or intrusion alert, and you will often find yourself in high-stress situations that have serious consequences on your company and its customers or stakeholders. One of the realities of working in fast-paced, pressure-filled environments is the ever-present temptation to cut corners or take shortcuts. There is tremendous pressure on both practitioners and leadership in our line of work to make the right decisions because those choices can have far-reaching impacts on numerous individuals. We can better illustrate a few of the common ethical challenges with a story about two professionals who have been recently affected by cybercrime.

Sarah is the CEO of a midsize medical device engineering company that has been hit recently with a ransomware attack. It isn't long before her small security team identifies the entry point through a third-party IT service provider that is also used by several of her fiercest competitors. As her cybersecurity team rolls into response and investigation, the questions mount: Is the attacker truly connected to the service company, or is it just set up to appear that way? Does the CEO have a responsibility to alert her competitors of the potential breach? Do competitors have an advantage over Sarah during the downtime caused by the attack? Her firm designs medical devices for several healthcare organizations. Are there legal obligations to alert those entities of the attack? Do they have to alert their parent company, who could be negatively affected by this event if it went public? When the attackers reach out with a ransom, should they quietly pay to make the entire situation go away? Is that even possible? How do they balance an obligation to protect the public and their obligation to defend the interests of their engineering firm? Is there an ethical framework by which all of these complicated questions could be examined and answered properly?

Jim is a security operations center (SOC) analyst at the very company servicing all of those medical device engineering firms with IT support. He was recently asked to do some lucrative after-hours security consulting at a local company. While that freelance work technically conflicted with the noncompete clause he signed in his contract with his primary employer, Jim accepted it because he really needs the money. And the chief information security officer (CISO) of his organization didn't seem to mind that he was doing this side gig, although she never actually approved of it. Jim has recently learned that his company was breached and that his CISO has chosen not to share information about the breach with her superiors, shareholders, or customers. The organization has policies and procedures that his boss is simply not following. Because he is a lead analyst, he has all the data he needs concerning the breach and its impact to go over his CISO's head and warn the company president. He has also learned that the breach is likely connected to the ransomware attack on several of the engineering firms his company services (like Sarah's). Attackers are leveraging his company's access to customer environments to deploy ransomware. But, Jim is nervous that his lucrative side gig could be exposed by his CISO as retribution if he chooses to speak up about the breach. What has Jim gotten himself into? Does he have an ethical obligation to tell someone about the breach? Is he miscalculating the level of concern about the breach? Does he really have the full picture of how his CISO is responding to the crisis? One thing is true: Jim has no idea the significant impact his personal choices could have on Sarah and other engineering firms his company supports!

For those of you who are industry professionals, Sarah's and Jim's stories may seem common. If you are a C-suite leader on the periphery of cybersecurity, you should know that situations such as this occur every day. These are stories of well-respected professionals, not criminals. But, as we connect the question of ethics to cybersecurity work, it is important to recognize that many of the attacks your organization may face are the result of an insider threat, meaning they are too often a consequence of either a negligent, confused, or malicious employee. According to some research, malicious insiders are responsible for around 22% of security incidents. Stanford University, working with a top cybersecurity organization, recently found that nearly 88% of data breaches are caused by an employee mistake or mishandling of a situation. We have been around the industry long enough to see that many of these mistakes are simply lapses in judgment that could be avoided! In this business, our daily decision-making matters.

The reality is that cybersecurity, behind all the screens, programs, systems, and hardware, is still a human business. Real people are making real decisions, and those decisions need a reference point, a guide, or a compass. Now, you may be wondering if there are already ethical and moral codes used at all in the cybersecurity field. The short answer is yes, there are various ethical codes of honor in the industry. Many are very specific and are associated with various industry technical certifications. We appreciate and support those efforts to drive ethical behaviors in conjunction with technical excellence. However, these efforts tend to be disjointed and bound to a specific technical expertise rather than the industry at large. Most of all, they are usually a series of required behaviors and proscribed activities, but none of them is truly an ethical framework for decision-making. There has never been one universally agreed upon or adopted code for cybersecurity ethics. We believe that there is a tremendous need for a framework to help leaders and practitioners understand and analyze the implications of the decisions they make. A collectively agreed upon code of honor supported by a well-thought-out code of ethics has never been available.

As a result, everyone is left to navigate their own path. Each organization uses its own map, or no map, to navigate the thousands of daily choices that consequently impact thousands (and sometimes millions) of people. We need one direction and one code now more than ever.

Long-Standing Models for the Code

To think through what our Cybersecurity Code of Honor (included in Appendix A of this book and available online) and this book should look like, we examined the merits of the world's universally accepted moral and ethical systems in similarly vital areas of industry, civics, and life. We found that throughout the history of civilization, our greatest modernizations in the most essential fields such as law, medicine, and even warfare have always driven us to come together and find a commonly held, universal, and guiding framework for character and ethics.

We believe that the scope and magnitude of cybersecurity is on par with the scope and magnitude of the fields of law, medicine, and warfare. In fact, as you read these words, cybersecurity is redefining warfare and significantly impacting law and medicine. Yet, humans in law, medicine, and warfare have had the benefit of time for two millennia or more to develop the ethical codes and frameworks that guide them in civilized nations. The difference is that cybersecurity is new, and we don't have two millennia to figure this out. It has to happen now, given the rapid pace of technological change, the centrality of information technology, and its security in our daily lives.

One of the oldest guiding documents in history is the Hippocratic oath, still revered and utilized by physicians around the globe. The oath addresses the moral obligations of its oath-takers, including the need “to treat the ill to the best of one's ability, to preserve a patient's privacy, to teach the secrets of medicine to the next generation.”4

The Geneva Conventions of 1949 and their additional protocols were international treaties adopted after World War II and vital to limiting the barbarity of armed conflict. They were mutually accepted by civilized nations across the world to try to protect people who do not take part in the fighting (such as civilians, medics, and aid workers) and those who can no longer fight (such as the wounded, the sick, or prisoners of war). The Geneva Conventions and protocols are a descendant of “Just War” theory, which can be traced back as far as Ancient Egypt.

We researched various ethical codes across multiple cultures. For example, in the United States, our social workers have one binding set of principles called the National Association of Social Workers (NASW) Code of Ethics that help guide professional practices. Alternatively, lawyers have a binding oath in each U.S. state as well as a single guiding code of ethics through the American Bar Association. Of course, the levels to which these moral agreements have an impact or consequence vary from field to field. Many are voluntary, and most are not enforceable by law, but upholding such codes may determine whether someone is able to maintain their license to practice in their respective fields. We believe these oaths and codes of honor are all vital to providing a singular lens through which to examine professional and personal practices while establishing a gold standard. These universally accepted ethical codes act as a guide in a world where we are so often faced with complicated and confusing choices.

Why the Need for the Code Is Urgent

The pace of development in technology is so rapid, it is nearly impossible to keep up. In cybersecurity, offensive capabilities advance relentlessly, while our defensive postures and infrastructures struggle to stay relevant as they