Ethics scenarios for Organisations and Individuals
The scenarios below are intended as a reference repository for Member Organisations and for the practitioners that represent them, to aid ethical judgement and behaviour.
Guidance for use
The scenarios below are differentiated by:
They have been sourced from experiences faced by various professional bodies in recent years, and the processes described are based on the results of these investigations. The Council may update these scenarios, or add new ones, from time to time.
For each scenario, the applicable ethical Principle - contained either within the Code of Ethics for Member Organisations or within the Guiding Ethical Principles for Cyber Security Practitioners - is shown. For scenarios that a practitioner may face, issues have been identified as either professional or personal.
The scenarios included are examples and do not represent an exclusive list. Both Member Organisations and practitioners are encouraged to recommend further scenarios to the Council for inclusion and to provide support to the cyber security community. The Council’s Ethics Committee will review both existing and suggested scenarios, building on them as necessary to ensure that all ethical Principles are represented, and determining whether the corresponding issues are appropriate for the Committee itself to address.
Key
Given the prominence of NCSC’s Cyber Body of Knowledge (CyBOK) within the Council, all scenarios have also been aligned to the relevant knowledge area.
A: Human, Organisational and Regulatory Aspects
- A1: Risk Management & Governance Security management systems and organisational security controls, including standards, best practices, and approaches to risk assessment and mitigation.
- A2: Law & Regulation International and national statutory and regulatory requirements, compliance obligations, and security ethics, including data protection and developing doctrines on cyber warfare.
- A3: Human Factors Usable security, social and behavioural factors impacting security, security culture and awareness, as well as the impact of security controls on user behaviours.
- A4: Privacy & Online Rights Techniques for protecting personal information, including communications, applications, and inferences from databases and data processing. It also includes other systems supporting online rights, touching on censorship and circumvention, covertness, electronic elections, and privacy in payment and identity systems.
B: Attacks and Defences
- B1: Malware and Attack Technologies Technical details of exploits and distributed malicious systems, together with associated discovery and analysis approaches.
- B2: Adversarial Behaviours The motivations, behaviours, and methods used by attackers, including malware supply chains, attack vectors, and money transfers.
- B3: Security Operations & Incident Management The configuration, operation, and maintenance of secure systems including the detection of and response to security incidents and the collection and use of threat intelligence.
- B4: Forensics The collection, analysis, and reporting of digital evidence in support of incidents or criminal events.
C: Systems Security
- C1: Cryptography Core primitives of cryptography as presently practiced, and emerging algorithms, techniques for analysis of these, and the protocols that use them.
- C2: Operating Systems & Virtualisation Security Operating Systems protection mechanisms, implementing secure abstraction of hardware, and sharing of resources, including isolation in multiuser systems, secure virtualisation, and security in database systems.
- C3: Distributed Systems Security Security mechanisms relating to larger-scale coordinated distributed systems, including aspects of secure consensus, time, event systems, peer-to-peer systems, clouds, multi-tenant data centres, and distributed ledgers.
- C4: Authentication, Authorisation & Accountability All aspects of identity management and authentication technologies, and architectures and tools to support authorisation and accountability in both isolated and distributed systems.
D: Software and Platform Security
- D1: Software Security Known categories of programming errors resulting in security bugs, and techniques for avoiding these errors – both through coding practice and improved language design – and tools, techniques and methods for detection of such errors in existing systems.
- D2: Web & Mobile Security Issues related to web applications and services distributed across devices and frameworks, including the diverse programming paradigms and protection models.
- D3: Secure Software Lifecycle Secure Software Lifecycle. The application of security software engineering techniques in the whole systems development lifecycle resulting in software that is secure by default.
E: Infrastructure Security
- E1: Network Security Network Security aspects of networking and telecommunication protocols, including the security of routing, network security elements, and specific cryptographic protocols used for network security.
- E2: Hardware Security Security in the design, implementation, and deployment of general-purpose and specialist hardware, including trusted computing technologies and sources of randomness.
- E3: Cyber Physical Systems Security Security challenges in cyber-physical systems, such as the Internet of Things and industrial control systems, attacker models, safe-secure designs, and security of large-scale infrastructures.
- E4: Physical Layer & Telecommunications Security Security concerns and limitations of the physical layer including aspects of radio frequency encodings and transmission techniques, unintended radiation, and interference.
Scenarios for Organisations
|
0001 |
|
|
Code reference: |
Credibility (7.1) |
|
CyBOK references: |
A1, A2, A3 |
|
Scenario: |
It emerges that an employee has breached confidentiality, by discussing the outcomes of a client project, assignment or audit with a third party. Such action could compromise the security of the business. What action should we take? How can we stop them? |
|
Process: |
You should:
If the individual is not accredited, consider reporting matter to the Council if their organisation is affiliated in some way. |
|
Experience required on Ethics Committee: |
Legal HR Board-level business Cyber security knowledge (for implications to corporate security) |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0002 |
|
Code reference: |
Credibility (7.1) |
|
CyBOK references: |
A1, A3, B3, B4 |
|
Scenario: |
A client has asked us to conduct an attack on the company that the client thinks mounted an attack on them. Should we do this? |
|
Process: |
If your organisation is accredited to a professional or trade body: seek its advice. That body may then handle the incident via its own existing Codes of Conduct, or may decide to take it to the Ethics Committee for further opinion. If your organisation is not accredited to a professional body: report this issue to the Council’s Ethics Committee. Note that, in the UK, this action is illegal under the Computer Misuse Act and should be reported to the authorities. |
|
Experience required on Ethics Committee: |
Cyber security Legal |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0003 |
|
Code reference: |
Credibility (7.1) |
|
CyBOK references: |
A1, A2, C1, C2, C4?, D1, E1 |
|
Scenario: |
It is discovered, during an assignment, that a client subject to national or international legislation/security frameworks (eg. PCI-DSS, GDPR) has had a serious security breach. However, the client refuses to follow the mandatory reporting procedures. What should we do? |
|
Process: |
Irrespective of whether the issue is legislative or security framework-related, you should strongly encourage the client to report. If your advice is ignored and the issue is related to legislation: there may be a legal obligation for a security professional to report the breach to the appropriate body. If your advice is ignored and the issue is security framework-related: the obligation to report may not be as clear cut. You may require the guidance of NCSC, the Council or other appropriate professional and/or trade body. You should also:
Seek advice from the Regulator if legislative/security frameworks are applicable. |
|
Experience required on Ethics Committee: |
Cyber security Legal |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0004 |
|
Code reference: |
Integrity (7.2) |
|
CyBOK references: |
C1, C2, C3, C4 |
|
Scenario: |
It emerges that a probe has been left in place on our network by a supplier at the end of a penetration testing assignment. What should we do? |
|
Process: |
Establish whether action was intentional or accidental. This should determine whether the action was an ethical breach or not. If the supplier responsible for leaving the probe is accredited to a professional body: raise a formal complaint to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Ethics Committee for a consolidated view. If the supplier responsible for leaving the probe is not accredited to a professional body:
Your supplier should provide formal assurances that:
If the supplier is an accredited company, you should expect the process for this to be validated at the point of next audit. You should also ask for evidence that the policy has been distributed to all relevant staff members. If the incident is deemed to be unethical practice, your supplier should:
|
|
Experience required on Ethics Committee: |
Technical cyber security organisation(s), e.g. CREST, NCSC – particularly if your supplier is an accredited company since, in which case action may be taken [by their accrediting body] via their own codes and processes. You may require Legal advice regarding appropriate financial recompense. |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0005 |
|
Code reference: |
Integrity (7.2) |
|
CyBOK references: |
C1, C2, C3, C4 |
|
Scenario: |
It emerges that a "honeypot", impersonating a real company or individual, is being used during a red-team penetration testing assignment without the knowledge or consent of the organisation or individual. What should we do? |
|
Process: |
Establish whether action was intentional or accidental. This should determine whether the action was an ethical breach or not. If the supplier responsible for leaving the probe is accredited to a professional body: raise a formal complaint to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Ethics Committee for a consolidated view. If the supplier responsible for leaving the probe is not accredited to a professional body:
If the incident is deemed to be unethical practice, your supplier should:
|
|
Experience required on Ethics Committee: |
Technical cyber security organisation(s), e.g. CREST, NCSC – particularly if your supplier is an accredited company since, in which case action may be taken [by the accrediting body] via their own codes and processes. Legal |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0006 |
|
Code reference: |
Integrity (7.2) |
|
CyBOK references: |
A1, A2, A3 |
|
Scenario: |
During production of a report for an organisation that has had a penetration test conducted, it emerges that the supplier was unduly influenced by that organisation to issue a positive report on the outcome; or, conversely, to withhold information from the report. What should we do? |
|
Process: |
You should consider carefully the risks of disclosure of client confidential information to avoid breakdown of trust with the organisation. If the supplier responsible for leaving the probe is accredited to a professional body: raise the issue to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Ethics Committee for a consolidated view. If the report relates to a regulated scheme, report the issue to the Regulator. |
|
Experience required on Ethics Committee: |
Technical cyber security organisation(s), e.g. CREST, CIISec, BCS – particularly if your supplier is an accredited company since, in which case action may be taken [by the accrediting body] via their own codes and processes. Board-level business. |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0007 |
|
Code reference: |
Integrity (7.2) |
|
CyBOK references: |
A1 |
|
Scenario: |
We’ve identified misuse or exploitation of information, including for personal gain, in our organisation. Where should we report this? Note: there is a similar example in the scenarios for Individuals*. |
|
Process: |
If your organisation is accredited to a professional or trade body, you should consider seeking its advice, which will be independent. Alternatively, consult the Council. |
|
Experience required on Ethics Committee: |
Legal Board-level business |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0008 |
|
Code reference: |
Integrity (7.2) |
|
CyBOK references: |
A2, A3, A4 |
|
Scenario: |
We are being asked to pay a Bug Bounty reward, but we are aware that the individual is a minor. What do we do? Should we report it and, if so, to whom? |
|
Process: |
CREST has published this useful reference information on Bug Bounties. |
|
Experience required on Ethics Committee: |
Cyber security Legal |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0009 |
|
Code reference: |
Professionalism (7.3) |
|
CyBOK references: |
B3, C2, C4, E1, E2 |
|
Scenario: |
A "backdoor" to a product has been identified that would allow unauthorised access to a network (or similar). Where and how do we report this? |
|
Process: |
You should report serious vulnerabilities quickly and securely to the vendor or system owner (which may be your client). You will need to balance the public right to be informed and allowing the vendor or owner time to respond effectively. When reporting to the vendor/system owner, you should also:
If appropriate (depending on product type): advise Government or the appropriate Regulator. |
|
Experience required on Ethics Committee: |
Cyber security IoT (if appropriate) |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0010 |
|
Code reference: |
Professionalism (7.3) |
|
CyBOK references: |
B3, C2, C4, E1, E2 |
|
Scenario: |
We have established that the supplier of a component part of our security architecture is making claims about the product that are untrue. Should we report this? |
|
Process: |
If the supplier is a member of the UK Cyber Security Council, you should report the issue to the Council. If the supplier is not a member of the Council, but is a member of another professional or trade body, you should report the issue to that body. If the supplier is not a member of any body, you should open a dialogue with the supplier in the first instance. |
|
Experience required on Ethics Committee: |
|
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0011 |
|
Code reference: |
Professionalism (7.3) |
|
CyBOK references: |
A1, E2 |
|
Scenario: |
A team of security researchers has discovered vulnerabilities in our product and is going to announce these at the conference Defcon. Although we’re aware that the team of researcher researchers would release its findings, we’ve continued to sell the product anyway. What should we do? |
|
Process: |
You should:
As part of this process, you should consider how to publicly disclose your awareness of this issue and how it will be dealt with. If not already in place, you should:
For further guidance on vulnerability disclosure, refer to the ISO/IEC 29147 standard. |
|
Experience required on Ethics Committee: |
Cyber security Legal |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0012 |
|
Code reference: |
Professionalism (7.3) |
|
CyBOK references: |
A2, A3, A4 |
|
Scenario: |
We have been contacted by a researcher who says that they have identified vulnerabilities with our product and are willing tell us subject to a fee. We do not have a bug bounty program. Should we pay? What if we refuse and they leak to hacker community? |
|
Process: |
Most hunters will settle for acknowledgment, but the motivations of ethical hackers and criminal hackers are very different. You may consider:
|
|
Experience required on Ethics Committee: |
Cyber security Legal |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0013 |
|
Code reference: |
Responsibility & Respect (7.4) |
|
CyBOK references: |
C1, C2, C3, C4 |
|
Scenario: |
We’ve discovered that a supplier has caused damage to our website during a routine penetration test. What action can we take? |
|
Process: |
Firstly, you should ascertain whether or not the supplier acted reasonably. If the supplier responsible is accredited to a professional body: raise a formal complaint to that body. That body may then handle the incident via its existing Codes of Conduct, or it may choose to take it to the Council’s Ethics Committee for a consolidated view. If the supplier responsible is part of a Regulator scheme – for example, it is a CHECK provider – you should raise the issue with that Regulator. If the supplier responsible is not accredited to a professional body:
If your supplier is found to be at fault and is an accredited company, you should expect the process for this to be validated at the point of next audit. You should also ask for evidence that the policy has been distributed to all relevant staff members. If your supplier is found to be at fault:
|
|
Experience required on Ethics Committee: |
Technical cyber security organisation(s), e.g. CREST – particularly if your supplier is an accredited company since, in which case action may be taken [by the accrediting body] via their own codes and processes. NCSC You may require Legal advice regarding appropriate financial recompense, if a resolution is unsatisfactory or unachievable. |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0014 |
|
Code reference: |
Responsibility & Respect (7.4) |
|
CyBOK references: |
A1, B1, D1, E1, E2 |
|
Scenario: |
My organisation has received a ransomware demand. Management wants to pay, but someone on the management team believes that it is inappropriate or illegal. Should we pay to recover our information? |
|
Process: |
Ensure that your data has actually been encrypted and that you are not a victim of "scareware". Refer to NCSC’s advice on mitigating ransomware attacks. Take legal advice on whether funds can be lawfully remitted into the hands of a ransomware operator. Paying your attackers does not guarantee that files will be returned or that decryption functionality has been built into the malware: on average, 25% of data is not returned. The longer a ransom payment is delayed can also affect the quantity of data that might be returned. You should:
You should also report such incidents to the Police and other law enforcement agencies, including NCSC. |
|
Experience required on Ethics Committee: |
Technical cyber security organisation(s), e.g. CREST, NCSC – particularly if your supplier is an accredited company since, in which case action may be taken [by the accrediting body] via their own codes and processes. You may require legal advice. |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0015 |
|
Code reference: |
Responsibility & Respect (7.4) |
|
CyBOK references: |
A1, A3 |
|
Scenario: |
When recruiting for a sensitive security role, is it acceptable for my company to conduct background research on a candidate’s personal life via social media? |
|
Process: |
Depending on the circumstances, you should seek advice from:
|
|
Experience required on Ethics Committee: |
Legal HR Board-level business |
|
Last updated: |
March 2021 |
|
Scenario ref. no.: |
0016 |
|
Code reference: |
Responsibility & Respect (7.4) |
|
CyBOK references: |
A1, A3 |
|
Scenario: |
We have been asked to punish staff for failing our simulated phishing exercises. Should we do this? |
|
Process: |
No: NCSC advises against punishing staff, particularly around simulated phishing attacks. Be aware that punishing staff for such action can encourage cover-ups, which may lead to more serious breaches. |
|
Experience required on Ethics Committee: |
Legal HR Cyber security |
|
Last updated: |
March 2021 |