A Client Opts for a Less Secure System (Sample Scenarios from the CSTB)
A business owner designs a database management system with security protections, but the client opts for less security.
Three years ago Diane started her own consulting business. She has been so successful that she now has several people working for her and many clients. Their consulting work includes advising on how to network microcomputers, designing database management systems, and advising about security.
Presently she is designing a database management system for the personnel office of a medium-sized company. Diane has involved the client in the design process, informing the CEO, the director of computing, and the director of personnel about the progress of the system. It is now time to make decisions about the kind and degree of security to build into the system. Diane has described several options to the client. Because the system is going to cost more than they planned, the client has decided to opt for a less secure system. Diane believes the information they will be storing is extremely sensitive. It will include performance evaluations, medical records for filing insurance claims, salaries, and so forth.
With weak security, employees working on microcomputers may be able to figure out ways to get access to this data, not to mention the possibilities for on-line access from hackers. Diane feels strongly that the system should be much more secure. She has tried to explain the risks, but the CEO, director of computing and director of personnel all agree that less security will do. What should she do? Should she refuse to build the system as they request?
From: Anderson, R.E., Johnson, D.G., Gotterbarn, D., & Perrolle, J. (1993) Using the new ACM code of ethics in decision making, Communications of the ACM, Volume 36 Issue 2, Feb. 1993, Pages 98-107.
(Adapted from: Johnson, D. G. Computer Ethics, Second Ed. Prentice Hall, Englewood Cliffs, N.J., 1993.)