Ethical Risk Maturity Framework
Susan Lincke



My Motivation
Security is/was not well funded in industry
• Breaches are rampant
• Crime pays: ransomware
• Bigger picture: the world is not paying to eradicate cyber-security crime
Issues:
• Looking for profit?
• Lack of interest?
• Engineering problem?
What is ethical risk? Your feedback is important in this process!


Maturity Levels Relating to Ethical Risk
Societal Concern
• Society
• Environment
Stakeholder Concern
• Customers, Financiers, Suppliers
• Employees, Community
Compliance Concern
• Regulation, Administrative law
• Civil law, Contracts
Self-Protection
• Organization
• Shareholders
Risk Immature


A Comparison of Ethical Models
Our Levels: Self-Protection; Compliance Concern; Stakeholder Concern; Societal Concern
Friedman vs Freeman: Friedman: Shareholder Primacy; Criminal, Civil & Administrative Law; Freeman: Primary Stakeholders; Freeman: Secondary Stakeholders
Piaget's Moral Judgment Levels: Premoral, Egocentrism; Respect for authority & rules; Heteronomous Level: Cooperation and mutual respect; Autonomous Level: Reciprocity and equality
Kohlberg's Levels of Moral Judgment: Preconventional Morality: Respect for Power & Punishment; Conventional Morality: Social Values & Rules; Post-conventional: Justice & Welfare
Kohlberg's 6 Stages:
1: Obedience to authority
2: Benefit each other, mutual deals
3: Social approval: good vs. bad
4: Obey social, legal, religious laws
5: Benefit society (change law)
6: Ethical principles over social norms


Risk Immature
• Adopt a Standardized Risk Process
• Create a Culture of Risk Communication
• Involve business management
• Create a culture of communication and responsibility
• Document and communicate risk findings


Self-Protection Level
SHAREHOLDER PRIMACY: MILTON FRIEDMAN
“What does it mean to say that the corporate executive has a “social responsibility” in his capacity as businessman? If this statement is not pure rhetoric, it must mean that he is to act in some way that is not in the interest of his employers. For example, that he is to refrain from increasing the price of the product in order to contribute to the social objective of preventing inflation, even though a price increase would be in the best interest of the corporation. Or that he is to make expenditures on reducing pollution beyond the amount that is in the best interest of the corporation or that is required by law in order to contribute to the social objective of improving the environment. Or that, at the expense of corporate profits, he is to hire “hardcore” unemployed instead of better qualified available workmen to contribute to the social objective of reducing poverty.” (NY Times, 1970)
RISK SCENARIOS
• On average 5% of revenue lost annually to fraud
• Average loss: $1,509,000/case
• Median loss: $125,000/case
• Asset misappropriation: $100,000/case
• Corruption: $200,000/case
• Financial statement fraud: $954,000/case
Source: ACFE 2020 Report to the Nations


Self-Protection Level
• Train to Evaluate Fraud, Security, Business Risk
• Manage for Organizational Sustainability
• Develop a Code of Ethics Addressing Organizational Sustainability
• Evaluate Fraud and Ethical Risk
• Include an Anonymous Reporting Mechanism for Ethical Violations
• Calculate Quantitative Risk Analysis for Organization
• Price Insurance with Discounts for Controls


Compliance Concern
CRIMINAL, CIVIL AND ADMINISTRATIVE LAW
Economist Ronald Coase (1960) discusses economic effects of harm and their impact on victims and producers (organizations). In any transaction, both sides have interests. Legislating against a nuisance can result in harm to the producer. When regulation does not exist, civil law can solve problems with a more mutually beneficial outcome.
RISK SCENARIO: RECENT SETTLEMENTS
Reports from SC Magazine News Articles:
• Capital One fined $80 million by the OCR for a breach that affected > 100 million customers (2019)
• Wendy's fast food chain agreed to pay $50 million to different states in 2019 for negligence after payment card data was stolen from over 1,000 locations in 2015-2016.
• Texas hospital paid $3.2 million in HIPAA violations.
• Target paid $18.5 million to 47 different states after the 2013 massive breach.
• Europe's General Data Protection Regulation (GDPR) (2018): Google fined 50 million Euros ($54 million US).


Compliance Concern
• Train for Compliance Risk
• Value Legal Adherence within Management
• Lead Ethically via Management Example and a Code of Ethics
• Address Regulation Fully
• Heed New Regulations
• Adhere to Regulations and Standards Addressing Business Ethics
• Pay Attention to the Intent of Regulation
• Consider Legal Responsibility Beyond Regulation
• Evaluate Product Liability
• Manage Projects Responsibly
• Follow Software Standards for Quality, Security, and Safety
• Develop and Follow Soft Law
• Configure Software for Policy Choice


Stakeholder Concern
STAKEHOLDER THEORY: R. EDWARD FREEMAN
The survival of an organization relies on its interdependency:
“So, even if the ideologues who insist that the only legitimate purpose of a business is to maximize shareholder value or maximize profits, the only way to do that is to create great products and services that customers want to buy.” (p. 4, Freeman et al. 2007)
Deception erodes trust, and trust is required for economic transactions. Business management must take responsibility for the effects of their actions, including defending themselves to TV news reporters. When new regulation or litigation arises, the implication is business management failure.
RISK SCENARIO: EMPLOYEE BRIBE
Hacker Offered Russian-Speaking Tesla Employee for $1 Million to Execute Ransomware Attack. The Russian employee went to management and the FBI, who apprehended the Russian. Kriuchkov disclosed that they had demanded a $6 million ransom from another firm, which settled for $4.5 million. The cybercriminal said they would ransom the data and threaten to publish it online if demands were ignored.
https://www.cpomagazine.com/cybersecurity/hacker-offered-russian-speaking-teslaemployee-for-1-million-to-execute-ransomwareattack


Stakeholder Concern
• Learn the Context of the Business Process and/or Product Development
• Manage with a View toward All Stakeholders
• Adopt a Code of Ethics Addressing Stakeholder Concerns
• Discuss the Qualitative Impact of Risk Affecting All Stakeholders
• CARE for Ethics within Product Development/Procurement
• Discuss Values of Concern
• Personalize Risk
• Consider Risk Beyond the Expected
• Evaluate the Impact of Risk Quantitatively
• Evaluate the Outrage Factor
• Calculate Risk from the Stakeholder Perspective
• Inform/Communicate Ethical Issues to Stakeholders
• Sell Safety and Security to Customers
• Evaluate Risk in Software Implementation for All Stakeholders
• Address Risk in Software
• Design Security into the Product
• Document and Evaluate Safety Decisions Systematically


Societal Concern
ETHICAL THEORIES
• Utilitarianism theory: acts that promote the greatest happiness for the greatest number.
• Deontological Ethics theory, similar to the Golden Rule: do unto others as you would like them to do unto you. Important: the motive for actions; the morally commendable motive is to act from duty.
• Virtue Ethics is concerned with the character of an entity and with avoiding vice. Virtue can also apply at an organizational level by improving internal organizational qualities.
RISK SCENARIO: EXTREME WEATHER
California: over 12,000 lightning strikes in 3 weeks sparked almost 2 dozen major fires; 5 million acres burned, homes destroyed, thousands flee. This is nearly 20 times what had burned at this time last year. September-October are historically the worst fire months, due to heat & winds.
Managing Climate Risk in the Financial System: “A world wracked by frequent and devastating shocks from climate change cannot sustain the fundamental conditions supporting our financial system.”
Other threats: hurricanes, tornados, floods
Threat: customers, suppliers disappear


Societal Concern
• Train and Think in Ethics
• Manage Considering the Societal Impact of Decisions
• Adopt a Code of Ethics that Addresses Societal Concerns
• Discuss the Societal Impact of Risk Qualitatively
• Think Outside the Engineer Role
• Consider Societal Risk Broadly
• Avoid Ignoring Undesirable Decisions
• Evaluate the Impact of Risk Quantitatively
• Calculate Risk from the Societal Perspective
• Research Unknown Risk Scientifically
• Document and Evaluate Societal Decisions Systematically


Maturity Level Practices
Levels: Risk Immature Level; Self-Protection Level; Compliance Focused Level; Stakeholder Concern Level; Social Concern Level
Columns of the original matrix: Risk Analysis; Mgmt; Leadership; Compliance; Development & Engineering (the check marks assigning practices to columns are not recoverable from the extracted text).
Practices, listed in order of increasing maturity level:
• Adopt a standard risk process
• Involve business management
• Create a culture of communications and responsibility
• Document and communicate risk findings
• Calculate quantitative risk analysis for organization
• Analyze fraud and ethical risk
• Develop a Code of Ethics for organizational sustainability
• Provide an Anonymous Reporting Mechanism for Ethical Violations
• Price insurance with discounts for controls
• Heed new regulations
• Pay attention to the intent of regulation
• Adhere to standards and regulations addressing ethics
• Consider legal responsibility beyond regulation
• Lead ethically via management example and Code of Ethics
• Assign ethical risk accountability
• Manage projects responsibly
• Learn the context of the product development
• Configure software for policy choice
• Train for compliance and ethical risk
• Develop and follow soft law
• Inform/communicate ethical issues to stakeholders
• Evaluate the outrage factor
• Personalize risk
• Consider risk beyond the expected
• Adopt a Code of Ethics addressing stakeholder concerns
• Design security into the product
• Calculate risk from the stakeholder perspective
• Sell safety and security to customers
• Care for ethics within product development/procurement
• Address risk in software
• Document and evaluate safety decisions systematically
• Train and think in ethics
• Consider societal risk widely
• Calculate risk from the societal perspective
• Adopt a Code of Ethics that addresses societal concerns
• Avoid ignoring undesirable decisions
• Research unknown risk scientifically
• Think outside the engineer role


Conclusion - Benefits
LOWER LEVELS: TO COMPLIANCE
• More stability
• Fewer lawsuits
• Rare regulatory judgments
• Improved community reputation
HIGHER LEVELS
• New products (potentially revolutionary)
• Better customer relationships
• Better long-term employee, vendor relationships
• Long-term community respect
• Feeling of pride, good will


Consent Notification
Purpose of Research: The purpose of this research is to gain an understanding of current ethical risk practices at U.S. organizations. Statistics of interest include distribution of maturity levels and activities with strong and weak statistical values. Preliminary research results should be available at website www.cs.uwp.edu/staff/lincke/EthicalRisk.htm within one week after this event.
Consent: Participation in this research is voluntary. If you choose to participate, please complete the appropriate section of this survey related to your current or a recent past employment position: security/risk practitioner, manager, developer/engineer, or legal personnel. Please complete the Qualtrics survey by 3 PM Monday. Whether or not you choose to participate in the survey, copies of the questionnaire are available for download at www.cs.uwp.edu/staff/lincke/EthicalRisk.htm.
Benefits: This survey will enable you to evaluate the ethical risk maturity of your organization (with a sample size of 1) against best practices in leading research, and to determine useful options to increase that maturity. At the end of the Qualtrics survey you may download a copy of your responses in PDF form. Also know that you are contributing to an initial evaluation of this ethical risk maturity model for research purposes.
Risk: To ensure anonymity, we are not asking for your name or your organization's name, and the Qualtrics survey is anonymous (no IP addresses are stored). All statistics will be provided in research only based on career category. No statistics will be provided by organization or any other identifier, other than that the survey was conducted at an ‘industry-oriented security conference’. Be aware that any written (text) comments may be published verbatim, with an identifier based on career category. If you choose to retract a descriptive comment, you may contact the researcher Susan Lincke by phone at 708-453-2069.
Confidentiality: These survey results will remain anonymous on Qualtrics. Aggregated statistics will be published by career category.


Questions or Comments? (Would be appreciated)
Take the Manager Survey: http://uwparkside.qualtrics.com/jfe/form/SV_9ssHzqOlbloF7wN
Word Doc: www.cs.uwp.edu/staff/lincke/EthicalRisk.htm