The Development of Ethical Cultures in Computer Security Research

Computer security researchers prevent, discover, and fix flaws in devices and cyber infrastructures, impacting national security, business practices, information privacy, and personal safety. However, these researchers must also navigate ethical dilemmas about how to use big data and shared networked resources to discover vulnerabilities; how to safely expose these problems; and how to best ensure that critical vulnerabilities are fixed.

The project asks four questions:

R1) How has the computer security community formed an ethical research culture?
R2) How are ethics expectations communicated among researchers?
R3) What sociotechnical factors support and challenge sustaining ethical practices?
R4) How effective is ethical self-regulation in computer security research?

This project utilizes multiple methods, including citation analysis, content analysis, and interviews, to illuminate and evaluate the ethical culture of computer security research.

Phase I examines the development of ethics controversies and community responses through an analysis of key ethics moments in the last twenty years of computer security research. Key ethics moments are instances where ethical issues arose through advances in new techniques for research, the publication of research which generated debates about ethics, or through ethical guidance such as The Menlo Report: the field’s consensus-building effort to establish research ethics norms. Phase I uses citation network analysis to identify additional key ethics moments, followed by discourse analysis to examine key actors, language, and strategies for communicating ethics norms.

Phase II interviews diverse computer security researchers identified by the citation analysis to trace how the community developed and changed its approach to ethics over time.

Phase III conducts a stakeholder assessment of the strengths and weaknesses of ethical self-regulation in computer security research.

Phase IV creates and evaluates educational case studies based on the empirical findings for students, as well as policy recommendations for conference review committees and researchers struggling to identify best practices for ethical computer security research.

Duration: September 2016 - August 2020
Funder: National Science Foundation
Total Award Amount: $163,768

Principal Investigator: