While the subject of teaching ethics is all the rage in business education, with many good ideas coming out of that realm, it might also be time to take a look at other professions that can stand to learn from what is happening in business schools. While my focus has been on information security, maybe it is time to take a look at the ethics we are teaching in our information security schools as well.
Information Security has to have a high standard for ethical behavior. We see that reinforced by the community with the CISSP code of ethics, the SANS code of ethics, and even the ACM has its own code. All these codes in many ways define what we consider ethical behavior in the information security field. Most colleges have a code of ethics for student behavior, and a limit of liability statement used to ensure that if the student goes off track the school will be held faultless or as close to faultless as possible. These are all very good standards to have, but I think we are missing one additional point that the business schools have brought into the program, and that is a separate code of ethics specific to the industry and field that they will be going into.
We have seen a lot of examples of good information security engineers gone bad over the last 20 years. We have seen the outcomes, we know the jail time or the parole time they got, we know they will have a hard time working in information security again. We have seen in some cases credentials stripped from people who engaged in ethical breaches during their career.
Instructors, though, are more front line; we will be the first ones to see students plagiarizing, cheating, falsifying data, or otherwise engaging in behavior that would or could cause considerable harm to the information security field.
Do you really want a student from an information security school who committed multiple ethical violations, like cheating, to be working in your company?
Can I trust a graduate from a school who engaged in unethical behavior or falsified information during their student career to be impartial during an information security investigation?
What if it was a claim of sexual harassment or discrimination against a teacher that was later determined to be unfounded? Would you want to hire a student who was willing to falsify a claim of harassment or discrimination?
As instructors, or advisors, or even as department heads, we see all this, and there are times we see this on many occasions from the same student, or group of students.
My worry comes in not so much on the instructor side, but with the behaviors that will be displayed in the corporate environment. Would such a student be willing to plant evidence against a supervisor or co-worker they hated just to get rid of them? It is a worthy question, because it impacts the entire system: student, instructor, school, and place of work. If we know that a student engages in ethically questionable behavior in school, should they still be graduated in the information security field?
I do not have an answer to this one, although the discussion around this is well worth having. What duty does an educational system have to ensure that only ethically sound people graduate into a profession where lives, assets, identities, and livelihood can be at stake if the person has displayed staggeringly bad judgment throughout their educational career?
Thoughts on this one?
(Cross-posted @ Managing Intellectual Property & IT Security)