Ac 2007-2158: the Role of Information Warfare in Information Assurance Education: a Legal and Ethical Perspective

Typically, information assurance (IA) professionals utilize information warfare (IW) techniques learned in professional development courses when performing vulnerability and security assessments. With cyber crime on the rise, both government and industry have come to rely on academia to properly train future IA professionals, reducing the need for professional developmental courses. This presents a topic for debate since there is some disagreement if it is legally or ethically appropriate to teach IW techniques in an academic setting due to the many risks involved. In order to address the questions raised by teaching these skills, we examine the legal and ethical responsibilities of IA professionals and how this affects educational programs. We identify several key knowledge areas and skill sets that IA professionals require and examine the benefits and risks that are associated with teaching these skills. The legal aspects of the issue are addressed by examining important computer security laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley (SOX) Act and the Federal Criminal Code, and how they affect education at the institution, instructor and student level. Evaluation of the ethical issues is done by using the ACM Code of Ethics as well as two ethical theories: utilitarianism, based on maximizing the good consequences for society; and deontology, where ethical actions are based on an individual's duties and the rights of others. We conclude by offering our recommendations for creating an IA program by addressing the need for cyber defense exercises and test-bed environments. In addition, we provide some topics for consideration on how to safely teach these skills and reduce the possibility of an incident.