Policy Paper 3: Ethical Implications of Acceptable Use
Acceptable Use Policies (AUP) are written for the purpose of establishing a set of guidelines that is agreed upon by the user and the creator. In the case of employer and employee workstation and internet use, it is important for organizations to want their employees to work while they are at work and not take resources away. Watching YouTube or listening to Amazon Music takes away bandwidth that could be better used to help the company be more efficient. Not to mention ensure that the employee is getting paid for work vise play. Is this ethically considered stealing if the employee does not have 100% efficiency on their workload? It is worth mentioning that lack of home internet access use led to an increase in misuse by the user (Liyanagunawardena, Samarasinghe 2008).
To that point, AUPs can be seen as a way to control behaviors of the users. It would stand to reason that the best way to protect a company would be to control its users. However, research gate.net argues that AUP are immature and that its primary role is to justify disciplining employees and protecting the host vice proactively promoting effective and desirable security behaviors (Doherty 2011). To quote Bruce Schneier’s 2000 book Secrets and Lies, Digital Security in a Networked World:
“People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.”
Another aspect to the AUP to consider is monitoring. While monitoring in it of itself is not ethically bad, what is done with that information may be an infringement of privacy. Not all enforcers of the AUP are good people. IT staff members are dangerous in their knowledge of the systems, access to said systems, detection avoidance, and implied trust (Panko 2013). With monitoring potentially being part of their duties, they could very easily take data for nefarious reasons.
AUPs can include non-work specific functions such as social media use which is climbing in use by users and companies year over year. However, the use of social media can be a bane or a boon. When an employee decides to use social media to promote something good that happened at work it is clearly a good thing as it shines a positive image to the company. When an employee decides to scroll Facebook during a lull in work or on their lunch break, this could expose the user’s private life to those that are monitoring the user’s computer. As stated above, monitoring is not inherently bad.
An implication can arise when a user no longer agrees to the AUP or some change to the AUP. There could be something along the lines of storing passwords or personal data that the user may not want saved. However, some systems or workstations, require a user to agree to the AUP before they can utilize it. By declining to accept the user is unable to do their job and put them in hot water with the organization.
References
Liyanagunawardena, T. R., & Samarasinghe, K. (2008). Acceptable use policy and employee computer usage: case of Sri Lankan software development industry. Centaur.reading.ac.uk. https://centaur.reading.ac.uk/32334/
Doherty, N. F., Anastasakis, L., & Fulford, H. (2011). Reinforcing the security of corporate information resources: A critical review of the role of the acceptable use policy. International Journal of Information Management, 31(3), 201–209. c
Schneier, B. (2015). Secrets and lies: digital security in a networked world. John Wiley & Sons, Inc.
Panko, R. R., & Panko, J. L. (2019). Business data networks and security. Pearson.
Social media acceptable-use policy. (2009, December 1). SHRM. https://www.shrm.org/hr-today/news/hr-magazine/pages/1209tech3.aspx
Cyber Security Policy. (2021, August 17). GeeksforGeeks. https://www.geeksforgeeks.org/cyber-security-policy/