JOURNAL ONLINE

Business corporations increasingly rely on their computer-based information systems to conduct themselves and make decisions. Executive management has urged these corporations to ensure a secure system, lest the data become vulnerable to unauthorized access and inappropriate disclosure (confidentiality of information), disruption or illegal utilization (availability of information), and improper modification (integrity of information). Decisions based on insecure and unreliable information can lead to disastrous consequences. Hence, information security is justifiable as a primary concern. However, a secure system not only depends on what the authorized actions and the authorized users require, but it is also viewed differently in different cultures such that how it is interpreted is “dictated by the individuals’ needs, customs and the law.”1 Furthermore, enforcing confidentiality, upholding integrity and ensuring availability rely on the assumption of trust, provided to the required supporting services, that the data are correct and trustworthy and that any attempt to deny service may be atypical. Finally, ensuring a secure system requires a security policy and a security mechanism. Information security is the policy, and information security management is the mechanism.

Information Security: Not Just a Hard Technical, but Also a Soft Legal/Ethical Concern

Information security must necessarily and sufficiently cover the technical, legal and ethical aspects of information security management, as abusing information systems is a technical issue as well as a management problem.2 Information security management must also deal with technical as well as sociotechnical problems.
That is, what makes up a secure system depends on what is required to carry out the authorized actions and satisfy the authorized users, and what is secure and authorized can be interpreted differently in different cultures, customs, corporate conventions and individual philosophical outlooks.3 It follows that the information security tools must be sufficiently diversified to handle the legal and ethical aspects, not just the technical aspects, of information security problems. As a result, physical and logical countermeasures, referred to as technical controls, have been implemented to handle the hard technical issues, and computer or cyberlaws,4 computer or IT ethics,5 or cyberethics6 have been developed to deal with the soft legal and ethical/moral issues.

The Argument

As technology advances (for example, the growth of the Internet, which has changed the rules for security7) and as hackers are always lurking to find a loophole somewhere, the existing control tools become impotent, and new tools are continuously needed. In addition, as legislation always lags behind the event, new laws are required. Though slow and time-consuming, progress in developing new tools and new laws has been incremental. In the case of computer ethics, its adoption is even slower. However, despite the potential barriers to, and the difficulties in, the application of ethical principles for information security management, it is argued that:
• There exists a relationship between computer ethics and information security
• It is necessary, but not sufficient, to trust people by setting a number of ethical rules. Education may help toward ethical awareness and action, such that computer ethics may actually, and not just theoretically, help information security management.

Impact of Computer Ethics on Information Security

The relationship between information security and computer ethics does not look, on the surface, readily obvious, and even appears remote. It is, however, credible.
Culture, customs, trust and privacy that characterize security fall within the realm of ethics. Computer ethics alert information security management to ethical considerations and warn potential offenders of ethical consequences in situations where the technical tools or the legal measures fail. In these cases, an ethical decision may be helpful in bringing about a solution. Furthermore, this conclusion is consistent with the following premises with respect to technical controls, computer laws and computer ethics:
• Premise 1: The information security management community has applied control tools to meet the information security objectives of safeguarding confidentiality against unauthorized access, upholding integrity and maintaining availability. However, detecting computer crime is difficult, because the act is either traceless or difficult to trace. Quantifying the damage is problematic since the victims all too often withhold reporting the crime for reasons including fear of recrimination and bad publicity.8 Therefore, the technical control tools are ineffective, with respect to legal issues.
• Premise 2: Computer laws have been enacted in various nations at an ever-increasing rate since the late 1980s, when

FEATURE
Computer Ethics: A Potent Weapon for Information Security Management
By Wanbil W. Lee, D.B.A., FBCS, FIMA, FHKIE, and Keith C.C. Chan, Ph.D.