First of two articles

If you're working with at least two other IT/security professionals, and you're not breaking any rules, look around -- there's a good chance one of them is.

That's the net result of Dark Reading's "Security Scruples" reader survey, which tested the attitudes and ethics of some 648 IT and security pros over the last two weeks.

The survey, which asked IT people about their beliefs and behavior in both real and hypothetical security situations, suggests that about two thirds of them agree on the conventions for proper conduct -- and the other third might be doing anything from peeking at colleagues' personal data to actively stealing information from the company.

"I do know [IT] people who believe they have not only the right, but the duty to check up on other employees," says survey participant John Morgus, IT manager at Kenworth Northwest Motor Trucks. "I personally feel they are indulging their curiosity for their own reasons."

The data from the survey bears out Morgus' contention that there are at least a few IT people in most situations who will go their own way -- often against the conventional professional ethic. In virtually every question that we asked, a large majority agreed on how to do the "right thing" -- but they were nearly always contradicted by a minority who said they would do the exact opposite.

For example, when we asked readers whether they have ever used their security privileges to peek at information they are not authorized to access, nearly 63 percent of respondents said no. About 27 percent said they have accessed unauthorized data, but only a few times in their careers. And approximately 10 percent -- some 65 people -- said they abuse their security privileges on a regular basis.

Other questions yielded a similar breakdown or responses. When we asked readers what they would do if they found a list of victims of a forthcoming layoff, 68 percent of readers said they would leave the file alone. But 23 percent said they would sneak a peek, and about 8.5 percent said they would not only peek, but share the data with other employees in the organization.

In another hypothetical situation, we asked readers what they would do if they walked into their boss' empty office and found their own performance review up on the computer screen. Some 64 percent said they would leave the room; 33 percent said they would sneak a peek, and another three percent said they would print or email the document so they could read it in more detail.

Respondents' choices in hypothetical situations seemed consistent with their general attitudes about security. While 64 percent of those surveyed said it is "never okay" to access data without authorization, the other 26 percent said that IT people and/or top executives should have the rights to any data they wish. About seven percent agreed with the traditional hacker credo, which states that anyone with the skills to access the data should be allowed to have it, as long as they don't hurt the data in the process.

Some IT people peek at unauthorized data simply because they can, and their natural curiosity gets the best of them, survey respondents said. "Some people want to know what goes on behind closed doors, and in managers' meetings," says Lonny Cross, network security engineer for the Supreme Court of Oklahoma.

"Regrettably, though, there are a few IT staffers who have a superiority complex and see it as their right to treat everybody else in the company like lesser beings," notes Denver Greiner, an independent consultant. "That includes looking at anything on any system under their control."

But the desire to access or steal company data isn't limited to IT people. According to a study published last week by Prefix Security, a U.K. firm, about 37 percent of the males surveyed said they believe it is acceptable to take database information and sales leads. The majority of the 1,000 respondents in the Prefix study admitted to stealing data or confidential documents, but many of those respondents do not perceive their actions as "wrong."

The ethics of IT security aren't always clear, some professionals say. "The fundamental elements for ethics exist almost universally, but the real problems come in when people are instructed in the situational ethic -- that the ends justify the means," says Charles Tuite, operations coordinator at Ball State University. "We need a licensing or other program that contains a code of ethics."

Many other respondents agreed, though most were skeptical that a broad code of ethics for IT security could be developed and enforced. ISC2, which administers the CISSP security certification, does maintain some ethical rules, but respondents said they are not widely understood or recognized.

And many IT people have a different set of standards for others than they do for themselves. In our survey, only 53 percent of respondents said they would report a colleague who was abusing security privileges to access payroll information, personnel files, or executive plans. 41 percent said they would tell the colleague not to do it again, but keep it quiet; two percent said they would ask the colleague to show them how to gain access to the unauthorized information themselves.

Similarly, there was a small but significant minority who said they wouldn't report an offer from a competitor to steal corporate data. In a hypothetical offer of $50,000, two percent of respondents said they would steal and sell their company's customer list. Another 14 percent said they would decline the offer but would not report it to anyone.

Many respondents said they believe the ethics of IT and security managers -- or lack thereof -- are reflective of the attitudes and morals of society as a whole. "Look at today's generation -- or the last 20 years," says Eric Nooden, IS manager at Rockford Gastroenterology Associates. "Our decline in morals and personal responsibility is partially to blame. Then again, look at technology -- our laws are just now starting to catch up to it."

Virtually all of the respondents said the key to avoiding ethical problems in IT organizations is to hire the right people. "One of the toughest issues we face right now is doing employee background checks," said one security manager. "Insiders can do the most damage."

— Tim Wilson, Site Editor, Dark Reading