The Importance of Ethics in ICT: A Comprehensive Guide

Topic 1: What is a Profession?

‘A disciplined group of individuals who adhere to ethical standards and who hold themselves out as, and are accepted by the public as, possessing special knowledge and skills in a widely recognised body of learning derived from research, education and training at a high level, and who are prepared to apply this knowledge and exercise these skills in the interest of others.’

Characteristics of a Profession:

  • Good Knowledge & Skills (Current & high-quality expertise)
  • Good work ethic (goal-focused)
  • Good judgement/decision making (willingness & capability)
  • Positive behaviours (e.g., interactions with others – leadership/support)
  • Honest (Moral) & Ethical

What is Ethics?

Ethics is about actions, not just moral issues. In other words, it is about defining which action is right, and why.

Utilitarianism:

This is focussed on the best outcome for the majority (the greater good for the greater number). Within this philosophy, an action is ethically correct if the consequences lead to happiness and avoid pain. Additionally, the end justifies the means. Voting is an example, and this approach is popular, common, easily understood and easy to implement. However, it can lead to abuses (particularly of minorities) and it can be morally ambiguous (e.g., what is ‘best’?).

Deontology:

This philosophy is focussed on duty and equality. The underlying logic is that happiness should not be the test of correctness, and the majority is not always right. The intent is that our primary duty is to each other as human beings. Therefore, people are not a means to an end – they are the end. The driving strategy is that every action must be universal and impartial (e.g., it is applied equally to everyone). However, this can be challenging and therefore the micro-macro test is applied. This looks at the extent of the ramifications – will this affect just a few people (i.e., micro), or will it affect lots of people (i.e., macro)? This approach can be universal and fair because it is not necessarily based on simple pleasure. That being said, it can create conflicts in terms of the micro-macro test.

Contracts:

These are legal and social agreements based on rights, freedoms and obligations. They can be written (e.g., laws) or unwritten (e.g., social understanding) and once known they can provide clarity, surety and a common basis for trust. There is some ambiguity in some contracts because they may be legal, but not ethical, or vice versa. One of their greatest limitations is that they tend to be minimalist (e.g., simply avoiding harm) and this can create situations in which abuses are implemented within the contractual frameworks.

Character:

Character-based philosophies are defined by the application of moral virtues and range from the application of selfishness to selflessness. Generally, as the philosophy moves more towards the selfless end of the continuum, individuals believe that they are conforming with a higher standard. Consequently, they may not conform to norms, duties, or contracts, but will focus on their ‘higher’ objectives. Although the focus for character-based philosophy can lead people to do good, negative outcomes can also be experienced because there are often conflicting virtues and individual perspectives can add ambiguity to what is right and wrong (e.g., what is a good and selfless act for one person, may not be seen that way by someone else).

The Modern Approach

The modern approach is that no single philosophy is applicable to every situation. The intent should, therefore, be focussed on using each appropriately and having a caring nature, being consistent and considering the consequences.

Topic 2 – Ethical Conduct of the Organisation: Relationships

People working in ICT have a moral obligation as professionals, and this is particularly important because of the importance of ICT in everyone’s lives. It is therefore important to act ethically. This includes being ethical in relationships with employers, other employees, clients, users, suppliers, other professionals and the broader society. Ethical problems can disrupt all of these different types of relationships. Consequently, ethical frameworks are necessary, and these should focus both internally and externally.

Stages of Ethical Growth in an Organisation:

Survivalist:

This type of organisation is focussed purely on its own survival and because of the ‘win at all costs’ mentality that this can engender, this can create a significant avoidance of ethical behaviour.

Paternal/Machiavellian:

This type of organisation is focussed on profit and relies on alliances (us and them) and may treat both allies and competitors badly. Typically, these organisations are hierarchical and paternal, and laws and regulations are often treated with expediency.

Orderly/Bureaucratic:

These organisations are based on orderly and often traditional structures. Team members are loyal, and the ethics are based on established rules. Laws and regulations are often treated literally, and not applied in line with the spirit of the regulations.

Participative/Creative:

This approach recognises individual differences and encourages innovation. There is often some support for internal debate and the ethical controls are based on core values and goals that honour the spirit of the principles of law.

Collaborative/Excellence:

Organisations at this stage of ethical growth tend to utilise explicit values to encourage growth. Therefore, leaders encourage collaboration, networking and client service focus. There is an integrated ethical focus that leverages laws and regulations to form a foundation for behaviours.

Social Wellbeing:

This moves the focus of the business from a predominantly inward focus to include a more defined outward focus. These types of organisation typically see the importance of supporting the local area and the broader community as well as their own staff. Organisations with this approach therefore typically have a strong internal and external ethical focus.

Global Harmony:

This last stage of ethical growth is demonstrated by the broadening of the organisation’s focus to supporting both local and global causes. Such organisations are highly idealistic, and laws and ethical standards are treated in compliance with global intent.

A Code of Ethics or a Code of Conduct:

As organisations move through the stages of ethical growth, they typically develop codes to provide guidance and regulation for the members of the team. These can be categorised as:

  • a ‘Code of Ethics’, which is a set of guidelines that should influence decision making by giving advice to individuals on how they should handle different situations; and
  • a ‘Code of Conduct’, which provides guidelines and associated rules that can be used for disciplinary purposes as necessary.

ICT professionals should apply these codes appropriately, and use them to build a strong reputation for themselves and their organisation.

Topic 3 – Quality of Life: What is Quality of Life (QoL)?

QoL refers to the standard of health, comfort and happiness experienced by an individual or group. In some contexts, this can also be used to refer to things that are needed to achieve good Quality of Life.

QoL factors include:

  • material living conditions (e.g., income, consumption and other material states);
  • productivity and productiveness of a person’s main activity (which has social and psychological implications);
  • leisure and social interactions;
  • governance and basic rights;
  • economic and physical safety;
  • health (physical and mental health and the ability to maintain it); and
  • education (providing the skills to cope with the world and changing situations).

Topic 4 – Communications & Networking: What is Communication?

Communication refers to ‘the imparting or interchange of thoughts, opinions or information by speech, writing or signs’. The effectiveness of communication is an important element in defining relationships (Topic 2) and Quality of Life (Topic 3). Poor communication is unfortunately very common and can create misunderstanding that leads to significant problems, which affect so many aspects of what we do.

Each stage in this process is important, as failure to implement the steps appropriately can lead to the failure of the communication. The key steps are:

Develop the Message.

The first step requires individuals to define their message first. In practical terms, if you do not understand your own message, it becomes impossible to communicate effectively. Consequently, this is a very important step.

Encode the Message.

Encoding refers to the process by which our brains develop the message, so it will be understandable by the receivers. This is where an understanding of the audience becomes so important and why the utilisation of the Profiling Pyramid shown to the right is so critical. The Profiling Pyramid is explained in the Topic 5 – Pre-Reading 1 file provided in the LMS.

Transmit the Message.

The third step is to transmit the message in a format that can be received effectively by the audience for your content. In practical terms, this means providing the message through a ‘Channel’ that aligns to one or two senses (e.g., sight, hearing, touch, taste, smell) at a time. When transmitting the message, great care should be taken to manage external interference. Although referred to under the concept of ‘noise’, it can include any form of interference in the environment (e.g., distracting noise/visual information, etc.). Additionally, noise can refer to the creation of incongruence between the channels. For example, showing one thing on a screen and discussing something different, or your body language and voice not being aligned with the message that is being transmitted by your words, can all create incongruence.

Receive the Message.

The step of receiving the information is outside the direct control of the sender. However, it is directly influenced by the preceding steps. The key is to utilise the channels of communication (e.g., sight, hearing, touch, taste, smell) effectively. If two channels are being used, the information provided in each of the channels must be related (e.g., showing a picture of a cat and discussing a cat) and not fully redundant (not listing all of the words being spoken and then reading them off a slide). See http://www.seahorses-consulting.com/DownloadableFiles/HowMuchTextPerSlide.pdf for more details.

Decode the Message.

The receiver attaches meaning to each part of the message. We need to understand that this can include situations where the decoding is affected by internal interference. Internal interference refers to situations where people misunderstand or misconstrue (e.g., where they intentionally/unintentionally mistake the intent of the message). These issues are caused by the way our brains assess information in relation to what we already know. Therefore, good communicators take these issues into account.

Understand the Message.

If the sender has done everything correctly, and the receiver is not actively using their previous knowledge to interfere with the communications, a common understanding of the message can be created. It is important that the sender take every step possible to try to ensure that this is achieved when aiming to persuade others or communicate information successfully. The techniques discussed in Topics 5 and 6 provide insights into how this can be achieved.

Good communication is also best served through two-way transmissions. This can include formal interchanges (e.g., letting an audience ask a question, or enter a discussion), or informal feedback analysis (e.g., where the presenter reads the body language of an audience to gain insights into their understanding of the message).

Topic 7 – Privacy: What do we mean by the term Privacy?

This refers to a person’s right to control access to their personal information.

The Elements of Privacy:

The model shown to the right refers to a range of different types of privacy that need to be controlled. These include having control of personal space, and information on psychological state, behaviours and social interactions. These last three aspects, related to the control of Personal Information, are directly affected by many aspects of ICT and in particular the management of access to personal data and communications.

In accordance with the Privacy Act (1988) Personal Information ‘means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

(a) whether the information or opinion is true or not; and

(b) whether the information or opinion is recorded in a material form or not.’

Within the concept of Personal Information, there is a more specific category known as ‘Sensitive Information’. This category includes:

(a) ‘Information or an opinion about an individual’s racial or ethnic origins, political opinions, political associations, religious beliefs or affiliations, philosophical beliefs, memberships for professional/trade organisations, membership of trade unions, sexual orientation or practices, criminal record;

(b) Health information about an individual;

(c) Genetic information about an individual that is not otherwise health information;

(d) Biometric information (e.g., biometric authentication/verification attributes); and

(e) Biometric templates’ (a digital reference of distinct characteristics extracted from biometric samples – e.g., fingerprint scans).

Topic 8 – Cybercrime and Cybersecurity: What is Cybercrime?

Cybercrime refers to criminal activities in which ICT systems and/or data/applications stored on computer-related media are the object of the crime (e.g., hacking, phishing, etc.), or are used as a tool to commit an offence (child pornography, hate crimes, etc.). For this unit, the focus is on the first definition.

What is Cybersecurity?

Cybersecurity can be considered the state of being protected against criminal or unauthorised use of electronic data or systems, and the measures taken to achieve this. In other words, it refers to delivering effective security measures that protect ICT data and systems from cybercrime.

What are the threats?

Cybersecurity threats can be broadly categorised as:

Cyber-trespass.

This is where unauthorised people or systems gain access to ICT systems, applications, or data.

Cyber-piracy.

This type of cybercrime refers to situations where people or systems take, reproduce or distribute data or information in a manner that is not authorised.

Cyber-vandalism.

This refers to attacks that disrupt or destroy data, systems, applications or other ICT resources.

Mixed.

In many situations, cybercrime involves more than one of these preceding types of attack.

Methods Used to Facilitate Cyber Attacks

There is a range of methods utilised to facilitate these attacks. These include:

Malware.

Malware is short for Malicious Software and it includes the following types:

  • Viruses. These are code elements capable of copying themselves and typically having a detrimental effect on ICT. They most commonly need some form of host program to operate.
  • Worms. This is a type of malware with the primary function of self-replicating to other computers, while remaining on an infected system. Worms are typically stand-alone programs or services.
  • Spyware. These can be worms or viruses that collect personal information and/or keystrokes (e.g., the typing in of passwords) and make them available to others, so they can use this information to launch other forms of attack. In some cases, spyware can also change computer settings directly.
  • Trojans. This form of malware can be a virus or worm, and it typically infects a computer because the user is tricked into downloading or activating the code (e.g., you are sent an email with an attached file that looks like a video to watch, but when you click on it the worm or virus is activated).
  • Rootkits. These are very specific types of virus or worm that aim to access low-level information on the computer (e.g., registry or password files) and make changes to these, which compromise the security of the computer.
  • Ransomware. These can be viruses or worms that hold the computer and its data to ransom. In other words, ransomware typically stops user/system access and then demands payments to be made, or the data will be destroyed completely.
  • Logic Bomb. A logic bomb is a piece of code that implements a malicious activity after a certain amount of time, or where specific conditions are met.

Phishing.

This type of cybercrime refers to situations where fake websites or emails collect personal data or other information, so these can be used to initiate other cybercrimes (e.g., getting people to fill in their bank details on a fake website, so this information can then be used by the criminals to steal money from online accounts).

Denial of Service (DoS), or Distributed Denial of Service (DDoS) attacks.

A DoS attack involves the targeting of services such as web portals, by tying up system resources. For example, DoS attacks create continuous pings of a firewall, so it cannot process other transactions. A DDoS attack is similar, but it uses numerous (in some cases millions of) individual computers to launch simultaneous DoS attacks.

Unauthorised Access/System Misuse.

The preceding types of attack are typically implemented by external sources and they can get inside an organisation’s firewall because security protocols or individual actions are lax. There is also another level of risk, which relates to authorised personnel misusing their access to commit cybercrime. For instance, downloading sensitive information to which the person is not authorised, damaging data repositories, or sharing confidential materials with unauthorised people or organisations, are relatively common examples of unauthorised access or system misuse.

Implementing Cybersecurity:

The intent of cybersecurity is to protect against these various threats. In particular, cybersecurity aims to protect four key system factors, which are:

Accessibility.

This refers to protecting accessibility to the appropriate and authorised users, so they can retrieve, utilise and act on data and applications in/through ICT systems.

Availability.

A prime objective of cybersecurity is to ensure the availability of data and systems at the mandated level of performance.

Confidentiality.

These types of cybersecurity control are designed to allow authorised users to access sensitive or protected data/systems, while excluding unauthorised agents (e.g., people, bots, etc.).

Integrity.

The last key factor refers to ensuring the maintenance and assurance of the accuracy and consistency of data, applications and systems, over their entire lifecycle.

To achieve these objectives, an integrated approach should be utilised that applies technical, procedural, physical and personal controls. Best practice for cybersecurity mandates that these controls should be applied through a Defence in Depth approach.

Australian Legislation (NDB):

In addition to implementing this type of Defence in Depth, eligible organisations have a responsibility to report notifiable breaches to the Australian Government in accordance with the Notifiable Data Breaches (NDB) scheme. This scheme is managed under the Office of the Australian Information Commissioner in accordance with the Privacy Amendment (Notifiable Data Breaches) Act 2017. This act requires organisations that experience a notifiable breach to conduct rapid investigations on all eligible breaches and then provide formal notifications both to the government and individuals whose data may have been compromised. Key terms related to this legislation are:

Unauthorised Access.

This occurs when personal information is accessed by someone who is not permitted to have access and includes unauthorised access by an employee/contractor or 3rd Party (e.g., hacking).

Unauthorised Disclosure.

Unauthorised disclosure occurs when an entity, whether intentionally or unintentionally, makes personal information accessible or visible to others outside the entity, and releases that information from its effective control in a way that is not permitted by the Privacy Act. This includes an unauthorised disclosure of data/information by an employee of the entity.

Loss.

Loss refers to the accidental or inadvertent loss of personal information held by an entity, in circumstances where it is likely to result in unauthorised access or disclosure.

Eligible Data Breach.

This occurs when:

  1. there is unauthorised access to, or unauthorised disclosure of, personal information, or a loss of personal information, that an entity holds;
  2. this is likely to result in serious harm to one or more individuals; and
  3. the entity has not been able to prevent the likely risk of serious harm with remedial action.

Serious Harm.

This is determined based on criteria such as the nature, sensitivity and security of the information, circumstances of the breach and likelihood of compromise, the likely ramifications of the misuse of the material, likely intent of the person/s who created the breach and other relevant matters.

Exceptions from Reporting under the NDB.

There are very few exceptions to the requirement to report and they include:

  1. The data breach is not eligible (does not conform to requirements listed as an Eligible Data Breach).
  2. The breach relates to enforcement-related activities (this only relates to enforcement bodies such as Customs, Police, etc.), but even in these circumstances, the breach must still be reported to the Information Commissioner.
  3. The notification would be inconsistent with secrecy provisions (e.g., s26WP(2)), such as those aligned to secret provisions for security Agencies and protection of confidentiality.
  4. As a result of declarations by the Privacy Commissioner, which only happens in very specialised cases.
  5. For breaches related to My Health Record data by certain specified organisations under the Act, who only need to report to the System Operator. Therefore, not reporting under the NDB in this circumstance simply avoids duplication of reporting.

Topic 6 – Communications Practice – Technical/Report Writing: A Good Writing Process

The following diagram illustrates the key steps required to draft highly effective technical documents and reports:

This process is very similar to the one utilised for presentation development, but it is specifically designed to deliver a methodical approach that manages drafting and reviews in an integrated manner. The key steps in this approach are:

Bounding.

This first step is designed as a rapid method for identifying the key points that you want to raise. The three boundaries are:

  • Your Aims/Objectives. It is important to begin by identifying what you/your organisation require from the document.
  • Target Objectives. Next, identify what the reader (target for the message) needs from the document. You should then identify whether the two objectives are the same. If they are not, you would typically utilise your aim to set the structure, but this is not always the case. When identifying the target objectives, also think carefully about what points need to be made to meet their objectives for reading the document.
  • Limits/Limitations. The final boundary relates to scoping the content in relation to any imposed limits. For example, is there a defined structure or word count applicable, or are there trade secrets or other information that you cannot share.

Focusing.

Once you have identified the key points that you need to make, proceed onto the focusing step. In this step you will:

  • Identify a Report Theme. A report theme should be a key sentence or a few words that encapsulate the aim of your paper. The theme must be justifiable and provable, and it should always be designed to have resonance for the reader. The theme should then shape how the content and key messages in the document are developed.
  • Develop a Clear Title. Take the time to develop a clear title that is closely linked to the theme. This title should be a signpost for the information included in the document. Additionally, aim to make the title short, pithy, catchy, positive and motivating. Wherever possible, therefore, avoid boring titles. Additionally, avoid hyperbole in the title, as this type of approach can upset many people.
  • Define the Points. You should take the points that you developed in the Bounding process and begin to group and align these in preparation for the next step.

Laying Out.

Laying out aims to create a clear outline for the paper, by building on the preceding steps. In particular, during this part of the process you should:

  • Develop Draft Graphics. It is typically very useful to develop some draft graphics that help you to order your thoughts in relation to the content that you are developing. You need to structure these graphics so they are logical (e.g., following standard reading layouts such as left to right and top to bottom). Additionally, make sure that they are not overly complex. Generally, try to implement graphics that can be defined in terms of three or four chunks.
  • Develop Content Outline. Take the points that you have developed and refined during the focusing process, and insert them into the Cognitive Templates. To support this method, you can use the various Cognitive Template forms provided in the Topic 5 and Topic 6 materials supplied in the LMS. Alternatively, you can use the guidance provided in the book Persuasion and Influence, or at this URL: http://www.seahorses-consulting.com/DownloadableFiles/UsingTemplates.pdf.
  • Draft Abstract/Executive Summary. Now that you have reached the point where you understand the information that you want to include, draft your Abstract/Executive Summary. When drafting this, follow the rules detailed in Topic 6.

Green Review.

Once you have finished the steps in Laying Out, conduct the Green Review. This review is designed to check the logic paths and points before you invest a lot of time and effort in the drafting. It is, therefore, a really important way to save time in drafting because you can spot problems before you waste time writing a lot of content. The Green Review should, therefore, cover the materials developed through Bounding, Focusing and Laying Out. In other words, it will assess the dot points developed and the structure and flow of those dot points. Additionally, it will review the diagrams that have been developed. Finally, a Green Review will look at the abstract that was created as the last part of the Laying Out process.

Fleshing Out.

After the content has been Green Reviewed, start fleshing out the dot points and developing any ancillary materials that are required (e.g., CVs, etc.). There are four key rules that you should apply to optimise the fleshing out. These Rules are:

  • Rule 1 – Achieve the Objectives Required for the Introduction and Conclusion. Topic 6 provides a checklist of requirements that need to be achieved within your Introduction and Conclusion. As you start fleshing out your material, make sure that you fulfil these objectives.
  • Rule 2 – Group Your Points. As you build your document, rationalise and group your points. In particular, think about the relationship between the points in terms of dependency (I need to make this point before this point) and similarity (this point is similar to that point, so they can be grouped effectively). Remember, you should aim to have no more than four chunks of points if possible, as this reflects the limitations of human working memory (e.g., people’s ability to develop a mental model of the information that is being provided).
  • Rule 3 – Order Your Points. Take into account the concept of primacy and recency when ordering a list of points that you will be discussing. In practical terms, this means you should put the second most important point first in the listing and the most important point as the last item. Next, appropriately situate the other required points between the first and last.
  • Rule 4 – Apply the Drafting Tips. The drafting tips are explained in Topic 6 and cover a range of important techniques that you should apply to improve the quality of your writing. In particular, as you are writing, make sure that you always include appropriate WIIFM (‘What’s In It For Me’ – from the reader’s perspective) and ‘So What’ statements (a statement included in the narrative that explains to the reader why the points you are making are important to them).

Pink Review.

Once the team has completed drafting their material in the template, the document should be integrated as the first draft. This draft should be reviewed thoroughly during the Pink Review and any changes that are required should then be implemented.

Gold Review.

If your document requires costings to be included, make sure that these pricing issues are investigated and refined from the Bounding process onward.

Final Drafting.

Red Review.