Ethics in Security Vulnerability Research

Debate has arisen in the scholarly community, as well as among policymakers and business entities, regarding the role of vulnerability researchers and security practitioners as sentinels of information security adequacy. The exact definition of vulnerability research and who counts as a "vulnerability researcher" is a subject of debate in the academic and business communities. For purposes of this article, we presume that vulnerability researchers are driven by a desire to prevent information security harms and engage in responsible disclosure upon discovery of a security vulnerability. Yet provided that these researchers and practitioners do not themselves engage in conduct that causes harm, their conduct doesn't necessarily run afoul of ethical and legal considerations. We advocate crafting a code of conduct for vulnerability researchers and practitioners, including the implementation of procedural safeguards to ensure minimization of harm

Research with Refugees in Fragile Political Contexts: How Ethical Reflections Impact Methodological Choices

Research with refugees poses particular ethical challenges, especially if data is collected in places where most refugees today live: namely countries neighbouring conflict, ones that are sometimes at war with their country of origin and where refugees are exposed to different degrees of legal vulnerability, posing security risks to participants and researchers alike. These challenges are exacerbated when data is collected across countries and includes survey research. The article adds to the emergent literature on ethics in forced displacement by highlighting how security precautions and ethical considerations influence and shape methodological choices. Based on recent fieldwork with Syrian refugees in Lebanon and Turkey in 2018, the article discusses a mixed-methods approach combining in-depth interviews with an individual survey based on multistage cluster sampling, random walks and limited focused enumeration. Advocating for a refugee-centred approach, it elaborates on: (i) how to negotiate ‘ethics in practice’; (ii) how risks and violence influence the choice of fieldwork sites; and (iii) how ethical considerations impact in particular quantitative or mixed-methods studies. It describes the advantages of including members of refugee populations in research teams, as well as open challenges with regard to risks, informed consent, confidentiality, sensitive issues, positionality, advocacy and collaborative writing efforts

Vulnerabilities and responsibilities: dealing with monsters in computer security

Purpose – The purpose of this paper is to analyze information security assessment in terms of cultural categories and virtue ethics, in order to explain the cultural origin of certain types of security vulnerabilities, as well as to enable a proactive attitude towards preventing such vulnerabilities.\ud \ud Design/methodology/approach – Vulnerabilities in information security are compared to the concept of “monster” introduced by Martijntje Smits in philosophy of technology. The applicability of different strategies for dealing with monsters to information security is discussed, and the strategies are linked to attitudes in virtue ethics.\ud \ud Findings – It is concluded that the present approach can form the basis for dealing proactively with unknown future vulnerabilities in information security.\ud \ud Research limitations/implications – The research presented here does not define a stepwise approach for implementation of the recommended strategy in practice. This is future work.\ud \ud Practical implications – The results of this paper enable computer experts to rethink their attitude towards security threats, thereby reshaping their practices.\ud \ud Originality/value – This paper provides an alternative anthropological framework for descriptive and normative analysis of information security problems, which does not rely on the objectivity of risk

Early Relationships, Pathologies of Attachment, and the Capacity to Love

Psychologists often characterize the infant’s attachment to her primary caregiver as love. Philosophical accounts of love, however, tend to speak against this possibility. Love is typically thought to require sophisticated cognitive capacities that infants do not possess. Nevertheless, there are important similarities between the infant-primary caregiver bond and mature love, and the former is commonly thought to play an important role in one’s capacity for the latter. In this work, I examine the relationship between the infant-primary caregiver bond and love. I argue that while these very early attachments do not represent genuine love, a fuller understanding of them can inform extant philosophical views of love

Methods to Integrate Considerations on Culture, Ethics and Citizen Acceptance Into Urban Planning for Resilience Enhancing and Vulnerability Reduction

This paper presents selected relevant research results from the EU FP7 project VITRUV (“Vulnerability Identification Tools for Resilience Enhancements of Urban Environments”), relating to methods to integrate consideration on culture and ethics aspects, including citizen acceptance, into conceptual urban planning. While security aspects do not always figure prominently in urban planning, much of that planning has effects on citizens’ security. Security aspects obviously have an influence on how built environment is changed and developed. Conversely, the way in which built environment is changed and developed influences the security of infrastructures and society as a whole, both in manifest and in latent ways. Putting one focus on ‘soft’, such as cultural, aspects in urban planning, related parts of VITRUV will help urban planners identify how their planning decisions may directly or indirectly affect societal security. In this context, security means a high level of safeguard for the infrastructure, the supply of goods and services as well as for the commonly acquired values of a community. By identifying and validating practical methods to integrate social and cultural aspects in an urban planning tool, project results will facilitate the consideration of the multiple dimensions of threats and vulnerabilities in their context of urban planning. This among other things includes appropriate addressing of gaps between ‘factual’ security and citizens’ ‘felt’ security

Resilience: an all-encompassing solution to global problems? A biopolitical analysis of resilience in the policies of EC, FEMA, UNDP, USAID, WB, and WEF

This thesis examines the use of resilience in international policy-making. A concept that originally meant an ability of ecosystems to absorb disturbance has not only been welcomed in many disciplines outside ecology, but lately become popular in the policies of international organisations that claim resilience as a solution to various ‘global problems’ such as climate change, underdevelopment, or economic crises. The study contributes to the ongoing critical discussion on the governance effects of resilience. Here, the Foucauldian theory of biopolitics and the concept of governmentality are useful. Resilience now addresses human systems and communities with concepts from natural sciences, thus making it a biopolitical phenomenon. Specifically, the thesis asks how mainstreaming resilience affects the pursuit of agendas in six organisations: European Commission, Federal Emergency Management Agency, United Nations Development Programme, United States Agency for International Development, World Bank, and World Economic Forum. Using Foucauldian discourse analysis, the study is thematically divided into adaptive, entrepreneurial and governing aspects of resilience. Each part explicates how truth, power and subjectivity are constructed in the discourse. The analysis shows that contrary to the policy claims, resilience does not function as a solution but is constitutive of the problems it attempts to solve. The current policy discourse confirms pre-existing practices and power relations, and further problematizes issues on the agendas. The thesis confirms that the policies are trapped in a neoliberal biopolitics that has problematic implications for human subjectivity and political agency. It further concludes that if resilience is to have any practical relevance and positive effects, the policy discourse has to be changed, for which current critical accounts do not offer a plausible direction. Therefore, a distinction between resilience as a policy tool and social resilience is needed, whereby the use of resilience as a policy solution is reduced to disaster risk reduction and similar technical functions, and social resilience is recognised as a communal capacity that cannot be subject to policy regulation

COVID-19-DRIVEN SOCIETAL SUSTAINABILITY IN THE APPAREL SUPPLY CHAIN: INSIGHT FROM MUSLIM-MAJORITY COUNTRIES

The current COVID-19 epidemic unveils the vulnerability in the apparel supply chain (ASC). Many workforces are facing future uncertainty due to pandemic-driven job losses. This study aims to comprehend the causes of societal sustainability deficiency in the ASC in Muslim-majority countries and propose strategies supporting a suitable improvement.  Information gathered from experts using a qualitative research method; reveals that the primary cause of the lack of societal sustainability is the dominating power of several brands in the ASC. The usage of contract workforce and illegal subcontracting of apparel production also disrupt the protocol of societal compliance. Besides, the lack of application of Islamic ethics in business operations leads to poor labor conditions causing disruption in labor-societal security. The study proposes that it is imperative to adopt a sustainable procurement framework that integrates the sharing of disturbance risks among suppliers and brands post-COVID-19 crisis. It is also crucial to prohibit suppliers operate illegal subcontracting of apparel manufacture. Besides, brands’ order allocation plans and supplier selection must be adjusted to enable the workforce’s societal security. Contribution from labor unions and NGOs must be urged to achieve the grassroots level in community development schemes. As this study involves the Muslim-majority context, mitigation strategies from the Islamic ethics perspective are also considered helpful for solving societal sustainability issues in the ASC

To deceive or not to deceive! Legal implications of phishing covert research

Whilst studying mobile users' susceptibility to phishing attacks, we found ourselves subject to regulations concerning the use of deception in research. We argue that such regulations are misapplied in a way that hinders the progress of security research. Our argument analyses the existing framework and the ethical principles of conducting phishing research in light of these regulations. Building on this analysis and reflecting on real world experience; we present our view of good practice and suggest guidance on how to prepare legally compliant proposals to concerned ethics committee

Refining the PoinTER “human firewall” pentesting framework

PurposePenetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.MethodologyWe conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.FindingsDrawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.OriginalityPrevious work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature

Vulnerability in Social Epistemic Networks

Social epistemologists should be well-equipped to explain and evaluate the growing vulnerabilities associated with filter bubbles, echo chambers, and group polarization in social media. However, almost all social epistemology has been built for social contexts that involve merely a speaker-hearer dyad. Filter bubbles, echo chambers, and group polarization all presuppose much larger and more complex network structures. In this paper, we lay the groundwork for a properly social epistemology that gives the role and structure of networks their due. In particular, we formally define epistemic constructs that quantify the structural epistemic position of each node within an interconnected network. We argue for the epistemic value of a structure that we call the (m,k)-observer. We then present empirical evidence that (m,k)-observers are rare in social media discussions of controversial topics, which suggests that people suffer from serious problems of epistemic vulnerability. We conclude by arguing that social epistemologists and computer scientists should work together to develop minimal interventions that improve the structure of epistemic networks