Responsibility and Blame in Computer Security
Dorothy E. Denning
2. Failure to Meet Responsibilities

In practice, people do not always meet their obligations. The reasons include incompetence, insincerity, blindness, vagueness, conflicts, unforeseen circumstances, and impossibility.

A person may be incompetent to perform a promised task in the time allowed. Competence is always tied to a particular domain of action. A person may be competent at writing research papers about computer security, but incompetent at implementing protection mechanisms on a given system. Some people are absolved of crimes committed because they are judged to be incompetent in making moral choices. Many people are incompetent in the domain of managing promises. Rather than re-negotiate an agreement so that a task can be revised, postponed, or assigned to another, the person simply fails to complete the task by the specified time. People who accept more requests than they can satisfy may be incompetent at saying “no” or at assessing their own competence at performing the assigned tasks.

A person may agree to something that he or she has no intention of doing. If a person has a recurrent pattern of making promises that the person is either incompetent to satisfy or insincere about keeping, then others will make an assessment that the person is untrustworthy. Trust is established only when a person consistently keeps his or her promises.

A person may be unaware of existing laws or customs, thereby violating them. This is particularly easy when traveling to different parts of the world or interacting with people having different cultural backgrounds. A new employee may be blind to the computer security practices of the organization, and fail to follow the practices for passwords and virus protection.

The obligations behind a given responsibility may be vague. For example, if you have asked me for a report “soon,” then I may consider the end of the week to be acceptable, whereas you may consider that late.
Moral statements are often vague, making it difficult to determine responsibilities. For example, suppose I say that I am responsible for how my research is used. Does it mean that I am responsible for crimes committed by terrorists who cover up their dealings using cryptosystems learned by reading my book Cryptography and Data Security?

Responsibilities can come into conflict because of inherent inconsistencies, as with moral principles, or because of inconsistencies arising from the impossibility of doing two things at once. For example, if I have assumed responsibility for the security of my employer’s system and for my family, then I might find myself with conflicting obligations if I discover an intruder on the system just as I am getting ready to leave the office for a planned vacation with my family. People who take on more commitments than they can handle may find themselves in a constant struggle over conflicting obligations.

A person may fail to meet an obligation because of an emergency, accident, or some other unforeseen circumstance. For example, I may miss a meeting because I got in an automobile accident and am lying unconscious in the hospital. People have been accused of unauthorized computer access after dialing a wrong number and trying to log into a system to which they were not authorized. Unforeseen circumstances arise because of our inability to predict the future.

A person may fail to meet an obligation because the obligation is impossible, though that impossibility might not be recognized. For example, a person might be unable to develop a “totally secure system,” depending on the interpretation of “totally secure.”