Traditionally, most cyber security research papers have neglected to properly reflect upon the ethics of their work. Those that do often only include the obligatory line mentioning "IRB approval." We believe this lack of ethical reflection is fundamentally due to the inaccessibility and over-generalization of current ethics standards and analysis approaches. The goal of our work is to solve this problem.
Although since we began our work a number of ethics standards have been updated to somewhat better reflect current research practices, in our research we take an empirical approach to identifying what ethical issues exist and therefore need addressing, rather than focusing on laying out ethical principles themselves. Our key assumption is that most of the ethical dilemmas that researchers actually grapple with are both specific and similar to ones that have been encountered in prior research over time, evolving slowly. Thus, such dilemmas should be best reflected in papers describing their work in detail.
In this work we propose a decision-tree-style user interface for a knowledge base of ethics practices sourced from top cyber security conference papers mentioning ethics. Papers were sampled semi-randomly by topic, and vetted against standards like the Menlo Report and the ACM Code of Ethics, while also taking the papers themselves, being peer-reviewed, as votes for the practices they describe or leave out.
Such a UI-based approach to ethics is a departure from traditional lengthy prose-based approaches that outline ethical best-practices across sometimes hundreds of pages. This new approach aims to not only be accessible to newer researchers with minimal training, or those who are otherwise not yet ethics experts - by way of being user-friendly and easy to search and generate ethical analysis reports from - but to also be relatively quickly modifiable and maintainable by the community, and provide:
1) comprehensive coverage of the conditions that affect the ethics of any given cyber security research action, at a fine-grained, concrete level, rather than giving only abstract principles or focusing on ICT in general; 2) quick access to sources for all rules in the knowledge base, for transparency and further reference so that researchers can make their own informed decisions; and 3) information on open ethical questions, serving as a database for future research topics in cyber security ethics, and as a gauge of the confidence level of each of the guidelines in the knowledge base.
Our ultimate hope for this effort is to create a community-maintained ethics website that internal- and conference-ethics committees can use to supplement submission evaluations. This would in turn incentivize researchers to use the tool when planning their research, creating a virtuous cycle of ethical awareness.
Although cyber security ethics is a quite specific field, it, along with AI, is perhaps the most active area of ICT ethics. Advances in this area thus anticipate cross-fertilization to other domains of computer science ethics, including AI.
Please do not hesitate to contact us at the address below if you would like to work with us to make this decision tool publicly available. We are looking for collaborators in any area including piloting the tool with your conference, lab, or organization; or working together on the UI, maintenance of the knowledge base, developing user training materials, user test studies, or further ethics research for or with the tool.
For more information on the decision tool, check out the video on this page or contact the authors.