Study Web

Future of Information Systems

Cybersecurity, Ethics and Privacy

Information ethics, cybercrime, cybersecurity threats, privacy laws, codes of conduct, and ethical dilemmas in information systems.

As organisations become more digitally dependent, they face growing risks from cyber threats and increasing scrutiny over how they handle data ethically and legally. This lecture addresses two interconnected domains: information ethics — the moral principles governing how information is created, managed, and used — and cybersecurity — the practices and technologies that protect information systems from attack, damage, and unauthorised access.

Information Ethics

Information ethics focuses on the moral issues arising from the development and use of information systems. It is concerned with how technology should be used, not just how it can be used. Key areas of information ethics include:

  • Privacy — what information about individuals can be collected, stored, and used? Who has the right to access personal information? How should organisations handle sensitive data (health records, financial records, location data)?
  • Accuracy — who is responsible for the accuracy of information? What are the consequences when information systems produce inaccurate outputs that harm people?
  • Property — who owns information? What rights do creators have over digital content? What are the ethics of intellectual property in a world of easy digital copying?
  • Access — who has the right to access what information? How should access be controlled? What are the ethics of the digital divide — unequal access to digital technology and information?

Laws vs Ethics

It is important to distinguish between laws and ethics:

  • Laws are formal rules created and enforced by government authorities; violating laws carries defined sanctions (fines, imprisonment, civil liability). Laws define the minimum acceptable standard of behaviour.
  • Ethics define socially and professionally acceptable behaviour that may go beyond what the law requires. Something can be legal but unethical (e.g. using detailed personal data to manipulate vulnerable people). Ethical codes guide professionals in situations that laws may not fully address.

The key distinction: laws carry the sanctions of a governing authority; ethics represent community and professional standards that rely on conscience, professional reputation, and social norms for enforcement.

Ethical Dilemmas in Information Systems

An ethical dilemma arises when two moral imperatives conflict — when doing the right thing by one standard means doing the wrong thing by another. Examples in information systems include:

  • A company's data shows that a specific customer group is high-risk — using this data for pricing is commercially rational but may constitute discrimination
  • An employee discovers their employer is using customer data in ways that were not disclosed to customers — they face a conflict between loyalty to their employer and their ethical obligation to customers and the public
  • Insurance companies accessing private medical data to increase premiums for high-risk individuals — legal in some jurisdictions, deeply ethically contested

Professional Codes of Ethics

Professional bodies provide codes of ethics to guide members in ethical decision-making. The Australian Computer Society (ACS) code of ethics identifies six values; the first, the primacy of the public interest, takes precedence over all the others when they conflict:

  1. Primacy of the Public Interest — the public interest comes first; member actions must not cause harm to the public or undermine public trust in technology
  2. Enhancement of Quality of Life — information professionals should aim to improve quality of life through technology
  3. Honesty — members must be truthful and transparent
  4. Competence — members must only undertake work they are qualified to perform
  5. Professional Development — ongoing learning to maintain and improve professional skills
  6. Professionalism — adherence to the standards and norms of the profession

Cybersecurity: People, Not Computers

A critical insight for understanding cybersecurity is that the primary source of cyber threats is people, not computers. Technology creates the tools and channels through which attacks occur, but it is human actors — criminals, insiders, hacktivists, state-sponsored groups — who create and spread threats. This means that technical defences alone are insufficient; organisations must also address human behaviour through training, culture, and governance.

Major Cybersecurity Threats

  • Malware — malicious software designed to damage, disrupt, or take control of systems; includes viruses (attach to legitimate programs and run when they run), worms (self-replicating, spread across networks without user action), trojans (disguised as legitimate software so that the user installs them), and ransomware (encrypts files and demands payment for the key)
  • Phishing — deceptive emails, messages, or websites designed to trick users into revealing credentials, financial information, or personal data. Phishing is among the most common initial-access vectors: the stolen credentials or the malware it delivers are what enable the later stages of many attacks.
  • Social engineering — manipulating people rather than exploiting technical vulnerabilities; attackers exploit trust, urgency, authority, or fear to get users to take unsafe actions (e.g. clicking a malicious link, revealing a password, transferring funds to an account the attacker controls)
  • Denial of Service (DoS) and Distributed DoS (DDoS) — flooding a system with traffic or requests to exhaust its capacity and make it unavailable to legitimate users; in the distributed form the traffic comes from many compromised machines at once
  • Man-in-the-middle attacks — intercepting communications between two parties to eavesdrop on or alter the messages; these succeed on channels that are neither encrypted nor authenticated (plain HTTP, untrusted Wi-Fi), which is why properly validated TLS is the standard defence
  • Insider threats — attacks or data breaches caused by current or former employees, contractors, or partners who have legitimate access to systems; these include both deliberate misuse and negligent handling of data, and are hard to detect because the activity looks like normal use
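The man-in-the-middle entry above says the attacker can alter messages in transit. The following is an added example (not code from the lecture) that simulates the exchange: a payment instruction sent from a customer to a bank, an interceptor that rewrites the beneficiary account, and a receiver that checks the message either with no integrity protection or with an HMAC-SHA256 tag over the message body. The account identifiers, the shared key, and the message format are all constructed for the example; the point it makes is that tampering is invisible on an unauthenticated channel and is rejected on an authenticated one.

```python
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical shared secret; in practice this would be provisioned out of band
# (or replaced entirely by a TLS session). Constructed for this example only.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def canonical(payload: dict) -> bytes:
    """Serialise a payload deterministically so sender and receiver tag the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_message(payload: dict, key: Optional[bytes]) -> dict:
    """Build the wire message. With a key, append an HMAC-SHA256 tag over the body."""
    body = canonical(payload)
    msg = {"body": body.decode()}
    if key is not None:
        msg["tag"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    return msg


def verify_message(msg: dict, key: Optional[bytes]) -> Optional[dict]:
    """Return the payload if the message is acceptable, or None if tampering is detected.

    Without a key the receiver has nothing to check and accepts whatever arrives.
    With a key it recomputes the tag and compares in constant time.
    """
    body = msg["body"].encode()
    if key is not None:
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("tag", "")):
            return None
    return json.loads(body)


def attacker_in_the_middle(msg: dict) -> dict:
    """The interceptor reads the message and redirects the payment to its own account.

    It can read and rewrite the body, but it does not hold the shared key, so any
    existing tag is left as-is and no longer matches the altered body.
    """
    payload = json.loads(msg["body"])
    payload["to_account"] = "ATTACKER-0001"          # constructed attacker account
    tampered = dict(msg)
    tampered["body"] = canonical(payload).decode()
    return tampered


def run_transfer(authenticated: bool, intercepted: bool = True) -> Optional[dict]:
    """Simulate one customer -> bank transfer instruction crossing the channel.

    Returns the payload the bank would act on, or None if the bank rejected it.
    """
    key = SHARED_KEY if authenticated else None
    original = {"from_account": "CUST-1234", "to_account": "SUPPLIER-5678", "amount": 2500.00}
    sent = make_message(original, key)
    received = attacker_in_the_middle(sent) if intercepted else sent
    return verify_message(received, key)


if __name__ == "__main__":
    print("unauthenticated, intercepted:", run_transfer(False))   # bank pays the attacker
    print("authenticated, intercepted:  ", run_transfer(True))    # None: rejected
    print("authenticated, clean:        ", run_transfer(True, intercepted=False))
```

Two caveats a practitioner would raise: an HMAC tag protects integrity and origin, not confidentiality, so the interceptor can still read the amount and account numbers; and it does nothing about replay of a captured, correctly tagged message. Real deployments get confidentiality, integrity, and freshness together from TLS with certificate validation, which is the defence the bullet above refers to.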

Privacy and Data Protection

Privacy law regulates how organisations collect, store, use, and share personal information. In Australia, the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs) it contains establish the framework for privacy protection. Key obligations include:

  • Collecting only personal information that is reasonably necessary for the organisation's functions or activities, and collecting it by lawful and fair means
  • Being transparent with individuals about what information is collected, why, and how it will be used or disclosed
  • Keeping information secure against misuse, interference, loss, and unauthorised access, modification, or disclosure, and destroying or de-identifying it once it is no longer needed
  • Giving individuals the right to access and correct their personal information
  • Under the Notifiable Data Breaches scheme, notifying affected individuals and the regulator (the Office of the Australian Information Commissioner) when an eligible data breach occurs, i.e. one likely to result in serious harm to the individuals concerned

Privacy compliance is both a legal obligation and an ethical responsibility — organisations that mishandle personal data cause real harm to real people.