Ethical principles shaping cybersecurity decision-making

The human factor in information systems has been a large vulnerability when implementing cybersecurity and many approaches, including technical and policy driven solutions, seek to mitigate this vulnerability. However, decisions to implement technical solutions or apply policy must consider the ethical ramifications. Our aim for this research involves evaluating how individuals prioritise ethical principles when making cybersecurity sensitive decisions and how much perceived choice they have when doing so. We accomplish this by performing a study involving participants from two separate backgrounds (Computing and Psychology students) that collects their responses to cybersecurity scenarios and creates profiles that match their values. A total of 193 participants responded to five different cybersecurity ethically sensitive scenarios in random order selecting their action as well as the ethical principle (i.e. Beneficence, Non-Maleficence, Justice, Autonomy, Explicability) and reason behind their action. Using participants’ demographic, personality, values, and cyber hygiene practice, we created profiles using machine learning to predict participants’ choices and the most important ethical principle. Autonomy was found to be the most important ethical principle followed by Justice. Our study suggests participants were able to weigh up the ethical principles but future work should be directed at larger and more varied participant pools.