The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.02 - March/April (2010 vol.8)
pp: 67-72
Ang Cui , Columbia University
Angelos D. Keromytis , Columbia University
Andrea M. Matwyshyn , University of Pennsylvania
ABSTRACT
The authors provide the articulation of the ethical argument for the role of vulnerability researchers and security practitioners. They argue that, provided that these researchers don't themselves engage in conduct that causes harm, their conduct doesn't necessarily run afoul of ethical and legal considerations. Furthermore, creating effective defenses against cyberthreats requires vulnerability researchers and practitioners to master techniques such as network recognizance, reverse engineering, penetration testing, and vulnerability exploitation. Although some consider research employing such techniques unequivocally unethical and possibly illegal, a deep understanding in these areas is pivotal to understanding and mitigating the escalating cyberthreat. Using the case study of recent work done at Columbia University, the authors advocate for crafting a code of conduct for vulnerability researchers and security practitioners, including the implementation of procedural safeguards to ensure minimization of harm. They also propose some best practices in vulnerability research.
INDEX TERMS
security vulnerability research ethics, security & privacy
CITATION
Ang Cui, Angelos D. Keromytis, Andrea M. Matwyshyn, "Ethics in Security Vulnerability Research", IEEE Security & Privacy, vol.8, no. 2, pp. 67-72, March/April 2010, doi:10.1109/MSP.2010.67
REFERENCES
1. S. Gaudin, "Banks Hit T.J. Maxx Owner with Class-Action Lawsuit," Information Week,25 Apr. 2007; www.informationweek.com/news/internetshowArticle.jhtml?articleID=199201456&queryText=Banks%20Hit%20T.J.%20Maxx%20Owner%20with%20Class-Action%20Lawsuit .
2. A.M. Matwyshyn, "Material Vulnerabilities: Data Privacy, Corporate Information Security and Securities Regulation," Berkeley Business Law J., vol. 3, 2005, pp. 129–203.
3. A.M. Matwyshyn, "Technoconsen(t)sus," Wash. Univ. Law. Rev., vol. 85, 2007, pp. 529–574.
4. N.E. Bowie and T.W. Dunfee, "Confronting Morality in Markets," J. Business Ethics, vol. 38, no. 4, 2002, pp. 381–393.
5. T.W. Dunfee, "Do Firms with Unique Competencies for Rescuing Victims of Human Catastrophes Have Special Obligations?" Business Ethics Q., vol. 16, no. 2, 2006, pp. 185–210.
6. T.W. Dunfee, "The World is Flat in the Twenty-First Century: A Response to Hasnas," Business Ethics Q., vol. 17, no. 3, 2007, pp. 427–431.
7. P.M. Schwartz, "Notifications of Data Security Breaches," Michigan Law Rev. vol. 105, 2007, pp. 913–971.
8. Digital Millennium Copyright Act, US Code, Title 12, section 1201(i)–(j).
9. Int'l Airport Centers, LLC et al. v. Jacob Citrin, Federal Supplement, 3rd Series, vol. 440, 2006, p. 419 (US Court of Appeals for the 7th Circuit).
10. LVRC Holdings v Brekka, Federal Supplement, 3rd Series, vol. 581, 2009, p. 1127, 1137 (US Court of Appeals for the 9th Circuit).
11. R.C. Ford and W.D. Richardson, "Ethical Decision Making: A Review of the Empirical Literature," J. Business Ethics, vol. 13, 1994, 205–221.
12. M.S. Schwartz, T.W. Dunfee, and M.J. Kline, "Tone at the Top: An Ethics Code for Directors?" J. Business Ethics, vol. 58, no. 1, 2005, pp. 79–100.
26 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool