Responsibility and Blame in Computer Security
Dorothy E. Denning
This paper introduces a set of distinctions relating to responsibility and failure that allow us to analyze situations in which something goes wrong. These distinctions are used to analyze a computer break-in in order to discover who might be blamed and possible explanations for their failure to meet their responsibilities. The results of such an analysis can then be used to design new human practices or computer systems that lead to better computer security. The distinctions also provide road maps for assessing our own responsibilities and avoiding many situations that lead to blame and negative consequences to ourselves and others.

In his essay, Peter Neumann raises the question of how we can realistically “place the blame” for undesired system and human behavior. Since “blame” means “to hold responsible,” we must first ask what it means to be responsible. To be responsible for something is to be accountable for it. When we say that a person has a responsibility, we mean that he or she has an obligation or commitment in some domain of action. There are several ways in which one can acquire responsibility: morals, formal contracts, informal agreements, laws and regulations, standard practices, and declarations.

Moral responsibility refers to living a life that is “right” or “good.” Although individuals and cultures often disagree about what is right, some people argue that there is an absolute moral standard that can and should govern all. Philosophers and religious leaders continue to search for this standard, and some claim to have found it, for example, in the Ten Commandments. Moral responsibility is often used to justify statements such as “Scientists are responsible for how their work is used.” In practice, complete agreement about moral issues is difficult to reach, not only because of individual and cultural differences, but because moral statements are often vague and difficult to interpret.

A formal contract is a legally binding agreement between two or more parties. Each party to the contract is held responsible for the obligations incurred by the terms of the contract.

People often make informal agreements in their everyday actions with each other, for example, to attend a meeting or complete a report. Although there is no formal contract, the parties of an agreement are held responsible for their promises.

Societies have laws and regulations. Some predate our arrival into the community; others are passed after we arrive. Even if we don’t agree with them, we are held responsible for abiding by them.

The customs or standard practices of the communities in which people live also define responsibilities. By community, I mean family, friends, clubs, organization of employment, neighborhood, city, country, and so forth. Like laws and regulations, the communities we live in hold us responsible for abiding by the standards even if we don’t agree with them. A company, for example, may expect its programmers to follow certain standards for software development, or its computer users to pick passwords that satisfy certain criteria.

We can take responsibility by making a declaration and commitments to support that declaration. For example, I might declare responsibility for my health and make a commitment to exercise daily and follow current standards for eating properly. Every action we take or fail to take has consequences to others and to ourselves. We can take responsibility for our actions in order to minimize the negative consequences or maximize the positive ones.

Different responsibilities may be consistent. For example, the laws governing murder are guided by and generally consistent with moral principles about killing. Standard practices about telling the truth are likewise governed by moral principles regarding honesty. However, responsibilities can be inconsistent. For example, people who fight in a war must face the conflict between performing their military duties and following moral principles against killing. If one’s declared responsibilities or moral principles come into conflict with laws or standard practices, then one must decide whether to follow the laws and practices, possibly adopting different principles; violate the laws and practices, accepting the risks and consequences; or attempt to change the laws and practices so that they are consistent with one’s principles.

1.8 The Dynamics of Responsibility

Our responsibilities are not fixed. We can re-negotiate agreements, rewrite contracts, make new declarations, change our moral principles, pass laws, and set new standards. Being responsible does not mean that one has to stick with current obligations.
The Research Center on Computing & Society