OVERVIEW OF ETHICAL ISSUES
such as Security, Confidentiality and Hacking in Software Engineering
Research work by Sana & Nayab
Abstract
Ethics are basically the moral principles that apply to the practice of engineering. Ethics are part of engineering because an engineer is socially responsible when manufacturing products and processes for society. Ethical issues emerge when a specific action or decision conflicts with the ethical standards of society. Engineering directly affects people's quality of life. The services provided by an engineer must be secure and confidential, and should be protected from any unethical use such as illegal hacking. The objective of this paper is to find out why ethical issues such as security, confidentiality and hacking occur, and to analyze tools and techniques that can be used to overcome these ethical issues. Finally, this paper focuses on how effective the proposed tools and techniques are in terms of ethical issues as technology evolves.
Keywords: Ethical issues, Security, Confidentiality, Hacking.
1. Introduction
In the world of cooperation, ethics plays an essential role for the employee and the employer. Ethics is a set of rules or concepts regarded as standards, which are generally enforced by a community or a profession. They can be expressed in the self-observation of the individual and his constant attempt to become a better human being on a private level. In professional life, they are considered standards to which all members of a profession are bound. Engineering is the process of developing a well-organized mechanism using technology.
In engineering, ethics are basically the moral principles that apply to engineering practices. A software engineer with ethics can assist and provide his services in a better way by applying them to most of the situations that arise at work.
Engineering became a recognizable profession in the 19th century. However, at that time, ethics was seen as a personal concern rather than a professional one. At the beginning of the 20th century, there was a sequence of notable failures; these failures had intense repercussions for engineers, which forced the profession to face gaps in its technical practices and ethical standards. So, the first codes of engineering ethics were officially adopted by American engineering companies in 1912-1914.
As of today, engineering ethics is a well-developed area of professional ethics in the modern West, like medical, legal, and business ethics, and professional engineers are expected to both know and abide by ethical standards as a condition of belonging to the profession.
Why do we need ethics in software engineering?
We need ethics in this particular field because a software engineer shares a fundamental human preference to prosper and be successful in life and work with everybody. What does this have to do with ethics? Picture a future where you are faced with a moral dilemma resulting from a project you are working on, one which poses serious danger to end users. In this kind of scenario, are you going to act in a way that you would be comfortable with if it were later exposed to the public? A software engineer is responsible for providing services to society, so his decisions must not conflict with the standards of society.
Why do software engineers face ethical issues?
The process of software development and deployment in the Internet age has certain peculiarities which make ethical issues for software engineers even more critical in some situations than for other types of engineers. First, the shortened life cycle has weakened, and in some cases eliminated, the review of software by management and legal teams. It is normal for engineers to code and deploy functionality directly, for instance for web applications like Facebook. Even where more conventional development practices are followed, some deployments, such as bug fixes, are provided with technical (not ethical) supervision. In any case, engineers retain at least the capability to deploy code directly to users, a capacity that can easily be misused. There are considerable other ethical concerns that engineers may confront. Some of them have to do with technical practice; however, numerous others have to do with broader business conduct considerations.
Some of them incorporate security, confidentiality and hacking ethical issues. Security refers to all the activities required to secure data or information, and the systems that support it, in order to facilitate its legitimate or proper use. Hacking and confidentiality come under security. Confidentiality is the practice of keeping information secret, provided only to the intended parties. Maintaining secrecy means not revealing any data concerning the company's business processes that is not public knowledge.
Every company can identify the individuals and groups that might have access to a particular set of information. There are many ways of breaking confidentiality, and techniques to protect against a confidentiality breach. So when confidential data or information is leaked, it becomes an ethical issue for a software engineer. According to the Code of Ethics and Professional Practice, a professional who is questioned about the technical details of the employer's forthcoming product must choose between answering the question completely and keeping the information secret.
Hacking is the illegal and unauthorized access to someone's private data or system. Hacking can be broadly divided into ethical and unethical hacking. Unethical hacking significantly affects the development of systems and networks. This is especially the case for the systems and networks of organizations where sensitive or confidential information is used on a regular basis. Organizations or data holders must find solutions and measures to protect information technology assets. In this endeavor, organizations can use ethical hacking, which is used to find loopholes in software.
Achieving better results through ethical hacking requires full authorization of the hired hacker for the testing of the software. For security reasons, not all information is provided, which may leave a loophole in the system. Our study focuses on why we need to consider these ethical issues in software engineering and how we can overcome them.
Background
According to researchers, ethics are defined as standards for differentiating good from bad, and the elaboration of ethics alone cannot give software engineering students a perception of conduct. Systematic methods are required to facilitate the explanation of ethics. Such methods are very appropriate for software engineers in modeling ethical decisions. They include diagramming techniques such as flowcharts and UML diagrams, which are a familiar approach for software engineers [1]. Poor-quality software increases the chances of system hacking.
System security is a relevant topic for a software engineer's practice. It is the responsibility of the software engineer to make the system secure so that it cannot be exploited. Software can only be hacked if it has loopholes that lead to unauthorized access to data, applications, networks or computer devices [2]. Ethical hackers are paid professionals who discover loopholes in software to overcome the risk of being hacked by black hat hackers. These are the people who try to protect data on the internet from various attacks by hackers and keep it safe with its owner.
Ethical hackers use the same methods as black hat hackers, but their intention is to use their knowledge in a productive way. Information obtained from ethical hacking is used to maintain the security of the system and to prevent further potential attacks on it [3]. As technology advances, security threats and risks are increasing, and cybercriminals are becoming increasingly sophisticated in the ways they exploit technology, making it difficult to eliminate risks. According to a study, cyber-attacks can target technological infrastructure, in the form of malware and viruses, or individuals. According to scholars, the security ethical issue can be mitigated by training programs and by raising awareness among the members of the organization and the end users of the software [4].
Ethical issues arise in many areas of privacy, including surveillance, medical privacy, Internet privacy and workplace privacy. Making ethics effective in society plays an important role in information security. Giving people a set of ethical rules to follow and providing an ethical conscience will definitely establish a better layer of security in organizations. Nowadays, information systems are becoming so large that it is more difficult to manage them with only technological control mechanisms. Control mechanisms must therefore be built on individual control mechanisms, which can be achieved through ethical frameworks. Laws dictate what behaviors we should follow, while ethics recommend what we should follow; it is also notable that any good law is based on ethics [5][8][9].
We categorize hacking in two ways: the first is permissioned or ethical hacking, and the second is illegal hacking, which is known as reverse hacking. Security issues need to be considered during the development of the software to find weaknesses in the system. A basic principle of information security is to strengthen your firewall. The firewall blocks malicious and unsupported access. It creates a barrier between a trusted internal network and unreliable external networks such as the internet. An intrusion detection system is a hardware or software application used to monitor or control malicious activity on the network. When malicious activity occurs, it is reported to an administrator or to safety information and event management [6]. A patch is a backup of a computer program designed to update, fix and improve it.
This includes removing vulnerabilities and other defects; these types of fixes are known as bug fixes [6].
Ethics plays an important role in securing information systems. Social responsibility means that every person is bound to behave in a way that is not detrimental to society. The illegal copying and distribution of programs, music, videos and other forms of digital media is a major problem, especially among "Millennial" students, some of whom may not have acquired digital media through legitimate means; these matters come under intellectual property and media rights, and point to unethical behavior. Universities therefore need to introduce ethics awareness, teach courses on ethical standards and provide training to the future leaders of development, so that they can apply ethics in their profession while developing software [7].
InfoSec is a framework for implementing socio-ethical awareness which will help organizations spread awareness among all staff and end users. This InfoSec framework will contribute to establishing awareness. Particularly in this era of advanced technology, this framework has become necessary to form standards of behavior for clients and companies. Individuals and organizations that trade on the Internet should be assured of their rights to privacy, the ownership of their information and the responsibility to ethically and properly control this information [9].
Methodology and Techniques Available
We use a back study approach in our paper. First, we quickly look at the need for ethics in engineering, then describe the ethical issues, including security, confidentiality and hacking, and how they become ethical issues for software engineers. Finally, we discuss ways and techniques to mitigate these ethical issues.
Need for Ethics in Software Engineering
A software engineer has the power to do good and bad to society, and that power must be used to bring positivity and improvement to people's lives. Taking decisions according to some standard is basically a matter of ethics. Assume that a recently graduated software engineer has been hired to develop a piece of software. Without the framework being either assessed or tested appropriately, the recently hired developer's boss pressures him/her to complete the task rapidly. The board, as well, is very content with the quick turnaround and offers the developed software to a few maternity wards at emergency clinics nationwide.
The abnormalities sustained in the product, however, lead to the deaths of a few babies. The question that arises is: who is to be considered responsible for these deaths? The clinic heads in question certainly procured the systems in good faith, particularly in light of the fact that they are not IT specialists in this field. The developer in this situation is obviously held responsible [8].
This example demonstrates the need for ethical awareness and responsibility. So, we first describe what security, confidentiality and hacking are, and how these factors fall under ethical issues.
Security
Security is a condition of protection against danger or loss. In general, security is a concept similar to safety. In the case of networks, security is also called information security, and it refers to the protection of data assets in case of a breach of confidentiality. Information security means protecting information and information systems from unauthorized access, use, disclosure, interruption, alteration or destruction.
The Internet has increased the digitalization of various processes, such as online banking, online transactions, transferring money, and sending and receiving various forms of data over the internet, which increases the security risks to data. Poor-quality software increases the chances of system hacking. System security is a relevant topic for a software engineer's practice. It is the responsibility of the software engineer to make the system secure so that it is not easily exploitable. It becomes a moral problem for a software engineer when he cannot protect the security of the system. Software can only be hacked if it has loopholes that lead to unauthorized access to data, applications, networks, or computer devices. In addition, information is accessed without permission.
Sometimes technical and technological measures are not sufficient to protect the origins of information. Additional measures should be used because there are many parameters when it comes to information security. One of these parameters is people. These people can be those responsible for the system, such as security professionals, employees, and users. These are the people who interact with the information system. To ensure that people are educated about the information system, a procedure that uses moral judgment must be introduced. Computer and information ethics is studied by many researchers, academics, and professionals [1].
Including an ethical layer in information security is very important because it can fill the gap created by those people. According to Kowalski, there are four significant reasons why ethical issues appear in system or software security. First, there is a growing control gap in business information systems. The control gap can be further divided into three classes: the technological gap, the socio-technical gap, and the social gap. The technological gap is the gap between the reality and the expectations of the capabilities of security enforcing functions. The socio-technical gap is the inconsistency between socially expected norms and security policies, while the social gap refers to people not acting according to expected social norms. Second, ethics may be the common language for specialists of various fields, and can also be understood by groups outside the computing community. Third, current information systems are so large that there are no verifiable technical control structures to manage them. Rather, most systems are managed by people's implicit control structures, which are based on the system of ethical standards. Fourth, there is the need for a top-down approach, as in the ISSI (Information Systems Secure Interconnection) model. According to ISSI, five nontechnical layers are added on top of the OSI protocols. The highest of these is the ethical layer, which is a good starting point for agreement among users and systems.
Confidentiality refers to protecting information so that unauthorized people cannot access it. In other words, confidential data is only accessible to authorized persons. Failure to maintain confidentiality means that a person who should not have been given access has obtained it, through intentional behavior or by accident. In general, this breach of confidentiality is a breach that cannot be remedied. When access has been given to an unauthorized party, there is no way to detect it. Almost all of the major security incidents reported in the media today involve significant confidentiality losses. When confidential data is accessed by an unauthorized third party, it is an ethical problem for the software engineer, because he was responsible for maintaining the confidentiality of the data or information.
Hacking
Today all information is available online and accessed by a large number of users; some of them use this information to gain knowledge, and others use it to learn how to destroy or breach the data and databases of websites without the owner's knowledge. As computer technology advances, it also has its dark side, which is hacking. Today, a large number of companies, institutions, banks and websites are subject to different types of attacks by hackers.
Hacking is a method of finding loopholes or vulnerabilities in computer systems or networks and using them to gain unauthorized access to data or to change the characteristics of the targeted computer systems or networks. Modifying computers, programs or networks to achieve a specific goal that is inconsistent with the user's goal also counts as hacking. A hacker's expertise includes software cracking as well as hardware. A hacker is a computer enthusiast, highly skilled in programming, security and networking.
Hacking has two paths. The first is legal and authorized work, while the other is illegal and unauthorized work. The authorized approach is also known as certified engineering. Illegal hacking is also called reverse engineering. White hat hacking is a legal job assigned with the permission of the organization, while black and grey hat hacking is not approved.
According to their ways of working or their intentions, hackers can be classified into three groups.
- White Hat Hackers
- Black Hat Hackers
- Grey Hat Hackers
White Hat Hackers / Ethical Hacking
Ethical hacking is a branch of information security, also called "penetration testing" or "white hat hacking". Ethical hackers are paid professionals. To overcome the risk of being hacked, we have ethical hackers in this field: specialists in computer security who break into and find loopholes in the protected networks or computer systems of organizations or companies, and correct them to improve security, working under a set of rules and regulations laid down by various organizations. These are the people who try to protect data on the internet from various attacks by hackers and keep it safe with its owner. Ethical hackers use the same approaches as black hat hackers, but their intention is to use their knowledge productively. Information obtained from ethical hacking is used to maintain the security of the system and to prevent further potential attacks on it.
Ethical hacking is a useful tool for the industry. Ethical hackers' expertise extends through penetration studies, site security assessments, secure code reviews and security policy reviews.
Mark Abene, known worldwide by his pseudonym Phiber Optik, is an information security expert and entrepreneur. He was a high-level hacker in the 1980s and 1990s. He was one of the first hackers to publicly discuss and defend the positive benefits.
Need for Ethical Hackers in Software Engineering:
Since each organization has its own confidential information that can be compromised or harmed by malicious hackers, organizations employ ethical hackers to protect this information, allowing them to penetrate their systems ethically, find flaws or gaps in those systems and fix them before malicious hackers attack. Ethical hacking is an effective approach to overcoming ethical problems in hacking.
Black Hat Hackers
Cracker is another name for black hat hackers. Crackers are highly skilled programmers who break into someone's system with malicious intent to steal or destroy important or confidential information, compromise the security of an institution, or shut down or change the functions of sites and networks. Cracking system security for personal gain is the main goal of a cracker. These people generally demonstrate their extensive knowledge of computers and commit various cybercrimes, such as identity theft and credit card fraud.
A student used his hacking skills to hijack webcams to capture pictures of young women in various stages of undress (Humphries 2008) [2]. This act is considered illegal hacking, which is highly unethical and affects the lives of ordinary people.
Grey Hat Hackers
A Gray Hat Hacker is a security expert who frequently breaches the law but has no malicious intent, unlike black hat hackers. The term gray hat is derived from black hat and white hat: white hat hackers, or ethical hackers, discover weaknesses and loopholes in networks and computer systems and do not tell anyone until they are fixed, while other hackers, namely the black hats, illegally hack the computer system or network to discover loopholes and leak the information to third parties, and the gray hat hacker neither hacks illegally nor tells anyone how to do it. Gray hat hackers sit between white hat hackers, who work to maintain the security of the system, and black hat hackers, who hack computer systems maliciously.
Despite their positive objectives, gray hat hacking can have upsetting social outcomes. According to CNN reports in the spring of 2015, Chris Roberts, a cybersecurity consultant, was detained after allegedly illegally accessing the control systems of more than twenty United commercial airline flights (Perez 2015), although he professed that his act was meant purely to make people aware of crucial security problems in the aircraft's software. It is not hard to perceive the negative outcome that could arise if a malicious black hat hacker attempted a similar action.
Ways to Mitigate Ethical Issues
We can overcome ethical issues using different tools and techniques.
First, an understanding of ethics is important, and it can be explained effectively by systematic methods. Moral standards, which serve as a foundation for morality, need to be applied without classification. Systematic methods are required to facilitate the explanation of ethics. Such methods are very appropriate for software engineers in modeling ethical decisions. They include diagramming techniques such as flowcharts and UML diagrams, which are a familiar approach for software engineers.
Nowadays, information systems are becoming so large that it is more difficult to manage them with only technological control mechanisms. Control mechanisms must therefore be built on individual control mechanisms, which can be achieved through ethical frameworks. We can achieve strong and effective security by incorporating ethics into control mechanisms.
Microsoft suffered a breach of security in its corporate network in October 2000, in which important source code for a future product was obtained. The question, accordingly, remains: what are the full ramifications of that security breach for the organization? Could Microsoft be sure that no attempt had been made to alter the said product or to inspect it for some type of trapdoor through which to launch future security breaches? Although they remain largely unanswered, the questions that arise from the above two cases, hypothetical and real, highlight the need for ethical information security awareness inside the organization.
Computing societies such as the ACM have recommended professional practices and codes of ethics which an engineer must follow. Ethics are tightly linked to legal procedures or law, which, if breached, can leave an organization in crisis. The community plays an important role in information security by making ethical standards effective. Giving individuals ethical rules and standards to follow and educating them on ethics will definitely improve the security layer in companies. Codes of ethics provide guidelines to individuals for interacting with the system. They can apply to all the people working in an organization, including developers, management, end users and security experts. An organization can also develop its own code of ethics and apply it within the organization. This can be more useful and efficient because it is targeted, and it can additionally fill distinct information security gaps.
Kluge [9] has developed a code of conduct for health information professionals. He discussed various problems in the field of health informatics and proposed a code of conduct for various information security problems. He suggested that, in addition to the technical safety layer in the health information system, there should be an ethical layer that protects patients' private data. By creating this layer in health information professionals.
Let us consider one of these controls, which can be applied to intrusion detection systems. It is as follows: Use of Surveillance System - unauthorized access attempts, such as alerts from proprietary intrusion detection systems, access policy violations, and notifications from network gateways and firewalls.
Consequently, ethics can be applied within groups which agree upon basic ethical standards and acceptable conditions of use of information systems. This responsibility can stem from a variety of factors. At the company level, agreement on common standards for the functioning of systems could stem from common business interests. At the individual level, conditions of employment or codes of ethics among peer groups can be the determining factor.
When we talk about ethics in security, it must be taken into account when developing software. Safety quality engineering (SQUARE) is a process model that provides a means to elicit, categorize and prioritize security requirements for software systems. The objective of this methodology is to integrate security concepts during the early phases of the software development life cycle (SDLC). The model can also be used to document and analyze the security aspects of systems put into service and to make improvements to software systems.
Awareness of security is an important factor in securing an organization's information. Numerous studies confirm that many computer users have insufficient knowledge of information security. Governments need to make an effort to provide security awareness so that people or users understand the threats and risks in security. People working in an organization are in a position to make essential security decisions at the hour of need, which is why employees should be given proper training and awareness to cope with this problem. Awareness should cover what the security threats are and how we can cope with them. All users must be educated about information security threats and understand their responsibility in the process of security.
Security problems occur when there are weaknesses in the software, which can be controlled by reviewing the code. Code review is an activity in which the developers, coders and testing team review the code as a group. The code review team looks for weaknesses or loopholes in the software, which is important before the software is deployed.
The software engineer is professionally responsible for the protection and confidentiality of information and data. He should not disclose his customers' personal data to unauthorized third parties. He can only release the information if the person concerned has allowed it or if it is very necessary to share the information.
Based on moral theories, one technique that can be practically used to mitigate the issues of hacking is to focus on navigating the moral and ethical concerns of gray hat hacking scenarios through educational programs. Ethical or white hat hackers still have the same profound skills and capabilities as black hat hackers.
Basically, laws dictate what behaviors we should follow, while ethics recommend what we should follow; it is also notable that any good law is based on ethics. Laws are enacted to protect innocent people from harm and to promote rights. There are laws related to hacking; if these laws are applied properly, the ethical issues of hacking can be mitigated to some extent. The law punishes hacking under the computer crime statutes.
Internationally, countries have started enacting diverse laws and rules against hackers to protect people and organizations from reverse engineering attacks and other crimes related to hacking. Unfortunately, obedience to the law is the main exceptionally criminal component in IT security that prompted its initiation in any case. Individuals need to know what their rights are and the punishment to be imposed if they were to violate the law.
Along these lines, the UK Computer Misuse Act of 1990 guards against all computer misuse offenses by protecting against unauthorized access to computer material; unauthorized access with intent to commit or facilitate the commission of further offenses; and unauthorized modification of data/information.
The Computer Fraud and Abuse Act is the main law against hacking; it prohibits illegitimate access to a third party's or any other system. Though the law was primarily intended to protect the computer systems of U.S. government entities and financial institutions, its scope has been extended through amendments to include virtually all computers in the country (including devices such as servers, laptops, smartphones, desktops and tablets).
Civil violations under the CFAA: the law penalizes criminals who violate it. But the amendment made in 1994 expanded the act to include causes of action for civil suits as well as criminal prosecution. Violations under this act include the following: obtaining data from a computer through illegitimate means; trafficking in a computer password that can be used to gain access to a computer; spreading spam; and damaging the data or information stored on a computer.
Professional software engineers are aware that security considerations must be taken into account in the design and throughout the complete software development life cycle. Their security skills can be further strengthened by developing additional skills in hacking approaches while examining ethical reasoning, so as to completely understand the dividing line between white hat and gray hat hacking circumstances.