Computer security researchers prevent, discover, and fix flaws in devices and cyberinfrastructures, thereby impacting national security, business practices, information privacy, and personal safety. However, these researchers must also navigate ethical dilemmas about how to use big data and shared networked resources to discover vulnerabilities; how to safely expose these problems; and how to best ensure that critical vulnerabilities are fixed. This proposed research will analyze the scholarly discourse and private reflections of computer security researchers over time. The goal is to reveal insights about how people, changes in technology, and changes in research practices shaped ethical cultures in security research and how ethics shaped research practice. Through this analysis of a technical research community, the proposed research will demonstrate how an ethical culture was developed and sustained in order to explore the limits of ethical self-regulation. It will identify the strengths and weaknesses of ethics self-regulation and draw upon ethical practices within computer security to inform other computing research communities. Project outcomes will contribute to ethics pedagogy for information and computing researchers and develop case studies for use by students and practitioners that demonstrate best practices for self-regulation.

The proposed research will utilize multiple methods, including citation analysis, content analysis, and interviews, to illuminate and evaluate the ethical culture of computer security research. The project asks four questions: R1) How has the computer security community formed an ethical research culture? R2) How are ethics expectations communicated among researchers? R3) What sociotechnical factors support and challenge sustaining ethical practices? R4) How effective is ethical self-regulation in computer security research? The research will be conducted in four phases. Phase I will examine the development of ethics controversies and community responses by applying citation and discourse analysis to key ethics moments in the last twenty years of computer security research. Phase II will interview diverse computer security researchers identified by the citation and discourse analysis to trace how the community developed and changed its approach to ethics over time. Phase III will conduct a stakeholder assessment of the strengths and weaknesses of ethical self-regulation in computer security research. Phase IV will create and evaluate educational case studies for students, based on the empirical findings, as well as policy recommendations for conference review committees and researchers struggling to identify best practices for ethical computer security research.

Agency: National Science Foundation (NSF)
Institute: Division of Social and Economic Sciences (SES)
Type: Standard Grant (Standard)
Application #: 1634202
Program Officer: Wenda K. Bauchspies
Project Start:
Project End:
Budget Start: 2016-09-01
Budget End: 2021-08-31
Support Year:
Fiscal Year: 2016
Total Cost: $336,058
Indirect Cost:
Name: University of Washington
Department:
Type:
DUNS #:
City: Seattle
State: WA
Country: United States
Zip Code: 98195