Monday, December 28, 2009

Benevolent Deception
Last week I asked if a business continuity practitioner should refuse an assignment if the client places restrictions on the plan.  This same issue could face an information assurance professional when working with a client.  This week we take a look at benevolent deception.

Both DRII and BCI assert in their codes of ethics that the BC professional must act in the client’s best interests.  But the problem is that a client could be mistaken about their best interests.  What if the BC (or information assurance) professional is in a position to serve the client’s best interests by deceiving him or her?  Consider the following case:

Exaggerating the Danger
A BC professional recognizes that her company’s data backup system is woefully inadequate by industry standards.  But she also understands that the risk of total data loss is so small that upper management is not likely to be persuaded to invest in a more reliable backup system.  However, she could use some outdated server failure figures to inflate the apparent risk to the point where management will take notice.  Would this be acceptable?

Most commentators do not think that this deception is permissible.  But why not?  There are some cases where it might be permissible for a professional to deceive a client in the client’s best interests.  Consider the following real-life case:

Cancer Survival
By the time Lance Armstrong discovered that he had cancer, it had spread to his brain and filled up his lungs.  His doctor gave him a 1% chance of survival, but he told Armstrong that he had a 50/50 chance of survival in order to keep his spirits up, knowing that having hope has been shown to increase a patient’s chances of surviving cancer.  As we know, Armstrong survived.  Did the doctor act wrongly?

Most people would say that the doctor did not act wrongly, even though he deceived Armstrong.  The doctor applied what is known in the medical profession as “therapeutic privilege”: deceiving, or withholding information from, a patient for the patient’s own best interests.

Therapeutic privilege is invoked less and less often today as doctors recognize the patient’s right to be told the truth about their condition, even when the truth may hurt.  There is no simple rule that will determine when benevolent dishonesty is permissible.  Some have suggested a “thank you” theory, which holds that it is OK to deceive someone if they will thank you for it later; but of course it is hard to know whether a “thank you” will come along later, especially when protecting against a threat that may never occur.  And what happens if the professional turns out to be wrong in his or her assessment?

I don’t have an answer here.  I only raise these questions to generate discussion that will help the profession formalize the duties of the professional.

Last Week’s Quiz Question
What Vermont town is also the name of a foreign country?

This one is embarrassing.  I thought that there was only one Vermont town that shared the name of a foreign country, but students found no fewer than four examples: Peru, Jamaica, Georgia, and Caledonia.  Our winner is Linda Rosa.  Congratulations Linda!

This Week’s Quiz Question
Why did Vermonters huddle around their television sets at 10:00 a.m. on December 28, 2009?

The winner receives four tickets to the Brookfield Ice Harvest: http://tinyurl.com/ydv4avg

Send your entries to jorlando@norwich.edu

Monday, December 14, 2009

Mechanic or Doctor?
Consider the following case (loosely based on an example from John Glenn):

Restrictions on the Plan

A business continuity consultant is hired to provide a company with a BC plan. The managers tell him before he begins that they will not accept a plan that suggests changes to the company’s disaster communications system, because they are convinced that a phone tree works just fine and anything more is overkill. Should the BC professional refuse the assignment?

I’ve asked this question of business continuity professionals at a number of public talks and the responses fall into two categories:

Accept
Each organization operates under restrictions, and the BC professional's job is to deliver the best possible plan within those restrictions.

Refuse
The BC professional cannot put his or her name on a plan that he or she does not endorse, and thus should refuse the assignment on grounds of professional integrity. (This is Glenn’s position.)

The disagreement goes beyond this particular example to a more fundamental choice between competing visions of the BC professional. Compare the following two cases:

Mechanic
A 25 year old man takes his car to a mechanic for new rear shock absorbers. He tells the mechanic that he wants big truck shocks installed to raise the back end and make the car look “tough.” The mechanic tells him that the shocks will transfer weight to the front of the car and ruin its suspension when he hits a bump. The man replies that he will avoid bumps. The mechanic tells the man that he’s heard that line before and there is no way he will avoid hitting bumps. The man cannot be shaken from his position, and the mechanic finally relents with the comment “OK, it’s your car, but don’t say I didn’t warn you.”

Doctor
A patient comes to her doctor with a stuffy nose and asks for antibiotics. Her doctor informs her that she has a cold, which is caused by a virus, and that antibiotics do nothing against a virus. The patient insists on the antibiotics, claiming that because she is paying for the visit and the medication, he must write her a prescription for what she wants. The doctor refuses on grounds that it would violate his professional integrity to write her a prescription that he knows will not do her any good.

Both the mechanic and the doctor are professionals faced with a customer requesting a service that they do not believe is in the customer’s best interests. But the mechanic acquiesces to the customer’s request, while the doctor refuses. The mechanic feels that it is his job to merely inform the customer of the facts and serve the customer’s wishes, while the doctor feels a higher professional calling that prevents him from agreeing to wishes that violate his professional integrity.

The choice between accepting or refusing the assignment in the Restrictions on the Plan example boils down to whether the duties of the BC professional are more akin to those of a mechanic or a doctor. If the BC professional simply serves the wishes of the client, like the mechanic, then the BC professional can provide a plan that he or she does not personally endorse. If, instead, the BC professional serves the best interests of the client, like the doctor, then the professional should refuse those assignments that require a plan that he or she cannot endorse.

The BC profession will need to choose between the paradigms of the mechanic and the doctor as it moves ahead. But even within those paradigms there is considerable nuance between different cases, and exploring those cases will help guide the profession into the future.

Last Week’s Quiz Question
When were women first admitted to the Norwich University Corps of Cadets?

Answer: 1974

Winner: Marc Ariano

Marc receives a Personal H1N1 Protection Kit, including a full-body rubber suit with 6-hour oxygen supply, an airborne/food pathogen eradicating radiation kit, and a webcam to communicate with family from a distance.

This Week’s Quiz Question
What Vermont town is also the name of a foreign country?

The winner receives a comprehensive, self-paced training course in SOX auditing, which can be completed in just under three minutes (including coffee break).

Send your entries to jorlando@norwich.edu

Sunday, December 6, 2009

Compliance? We Don't Need No Stinking Compliance!


By Mark Fisher, MSIA instructor


I recently attended a conference where speaker after speaker talked about information security and compliance.  In the exhibit hall there were rows upon rows of vendors trying to sell products and services to help companies become compliant with Sarbanes-Oxley, Gramm-Leach-Bliley, or the Payment Card Industry Data Security Standard (PCI DSS).   Everywhere I turned it was compliance, compliance, and more compliance.

I am not criticizing those companies.  It is important for organizations to comply with the applicable laws and regulations and it is very legitimate for vendors to advertise how their products and services can help reach those goals.  As a security consultant to community banks I know first-hand how focused on compliance my clients can be and I have used the need for compliance to sell my own services to them upon occasion.

One thing that concerns me is that we, as a profession, may be focusing too much on compliance to justify spending money and time on information security products.  I fear that by focusing on compliance in the near term we are weakening our position in the long term.  We want the organizations we serve to have a good program to effectively manage the IT-related risks that they face.  Unfortunately, that can be a hard sell sometimes and our organizations often balk at doing what we think they need to do.  To get them moving in the right direction we break out the big stick - compliance.  We tell them that they need to be compliant with X or bad things will happen to the organization.  Faced with that immediate, tangible requirement the organization opens up its wallet and starts doing the things we want them to do.  Score one for the good guys!

The long-term risk is that someday the organization will meet the minimum compliance requirements.  Meeting the compliance requirements doesn’t sound like a bad thing, but as IA professionals we understand that being compliant does not mean that the organization has an effective IT risk management program, any more than having a driver's license means that you are a good driver.   The risk is that we will say "Congratulations on becoming compliant with X, now you need to do Y and Z" and the organization will say "Hold on! For years you have been using compliance to justify every IT security expenditure.  Now you are telling us we need to do more? Why should I believe you?"  At that point we have lost credibility and will have a much harder time getting people to do what we know they should do.

Every one of us has to sell the idea of security to people every day.  We need to justify to our organizations why they need to spend hard-earned money on our projects rather than put it in their pockets or spend it on other activities.  As professionals, we owe it to those that we serve to have honest discussions about what we really want them to do and why.  In the short-term explaining risk management may be harder than just using the threat of non-compliance, but in the long-term organizations that understand and embrace the need for strong IT risk management will be in a much stronger position than those who chase after compliance alone.

Last Week’s Quiz Question
In 1992, Vermont’s capital city of Montpelier was inundated by flood waters in mid-winter.  What caused the flood, and what is the name of the river? 

Answer:  The Winooski River flooded due to an ice jam.
Winner: Srinivas Chandrasekar

Srinivas receives the very first information security textbook, published in 1964, entitled: “Protecting your data center from intrusion and malicious attack: Understanding the tensile strength of steel and concrete.”  Congratulations Srinivas.

This Week’s Quiz Question
When were women first admitted to the Norwich University Corps of Cadets?

The winner receives a Personal H1N1 Protection Kit, including a full-body rubber suit with 6-hour oxygen supply, an airborne/food pathogen eradicating radiation kit, and a webcam to communicate with family from a distance.

Send your entries to jorlando@norwich.edu