Article code: 456090
Journal code: 695641
Publication year: 2010
English article: 6 pages, PDF
Full-text version: Free download
English title of the ISI article
Ethical decision making: Improving the quality of acceptable use policies
Related topics
Engineering and Basic Sciences > Computer Engineering > Computer Networks and Communications
English abstract

While there is extensive literature on the positive effects of institutionalising ethics in organisational culture, our extensive research in information security culture has found no evidence of organisations encouraging ethical decision making in situations where information security might be at risk. Security policies, in particular acceptable use policies, have traditionally been written with a strategy of deterrence in mind, but in practice they rely mostly on deontological ethics, i.e. employees doing the right thing, to work. As far back as 1990, evidence has been reported of a widening socio-technical gap, where employees no longer always act according to expected social norms in an organisation. This change in moral behaviour is reducing the effectiveness of acceptable use policies in an organisation. In this paper, an alternative approach to the development of security policies is proposed to encourage ethical decision making based on consequential ethics. Acceptable use policies will need to distinguish between guidelines, standards and procedures, and guidelines will need to be written in such a way that the policy continuously acknowledges that employees are no longer expected to blindly follow these guidelines. And, as acceptable use policies can no longer cover all the possible risks related to an employee’s behaviour, the policy will need to emphasise both explicitly and implicitly that employees are expected to make an ethical judgement on all their actions that may possibly endanger the organisation’s security. This will in turn have positive effects on the usability and suitability of the acceptable use policy to the organisation.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 29, Issue 7, October 2010, Pages 731–736