Critical Theory as an Approach to the Ethics of Information Security

  • Original Paper
  • Science and Engineering Ethics

Abstract

Information security can be of high moral value. It can equally be used for immoral purposes and have undesirable consequences. In this paper we suggest that critical theory can facilitate a better understanding of possible ethical issues and can provide support when finding ways of addressing them. The paper argues that critical theory has intrinsic links to ethics and that it is possible to identify concepts frequently used in critical theory to pinpoint ethical concerns. Using the example of UK electronic medical records the paper demonstrates that a critical lens can highlight issues that traditional ethical theories tend to overlook. These are often linked to collective issues such as social and organisational structures, which philosophical ethics with its typical focus on the individual does not tend to emphasise. The paper suggests that this insight can help in developing ways of researching and innovating responsibly in the area of information security.

Notes

  1. http://www.whitehouse.gov/cybersecurity. Accessed 05.06.2013.

Author information

Corresponding author

Correspondence to Neil F. Doherty.

About this article

Cite this article

Stahl, B.C., Doherty, N.F., Shaw, M. et al. Critical Theory as an Approach to the Ethics of Information Security. Sci Eng Ethics 20, 675–699 (2014). https://doi.org/10.1007/s11948-013-9496-6

  • DOI: https://doi.org/10.1007/s11948-013-9496-6
