Ethical decision‑making in cybersecurity is rarely straightforward. Professionals are often required to act under pressure, with incomplete information, competing priorities, and real consequences for organizations, customers, and the public. Recognizing this reality, ISC2 is developing a new series of case studies under the banner of its Code of Professional Conduct program—designed to help members reflect on how ethical and professional responsibilities emerge in everyday practice.

The Ethics in Practice case studies are not intended to serve as compliance exercises or hypothetical thought experiments detached from reality. Instead, they are inspired by situations that cybersecurity professionals regularly face: ambiguous technical findings, operational tradeoffs, escalation dilemmas, and uncertainty about timing, impact and risk. These scenarios reflect the gray areas where professional judgment matters most.

Importantly, the case studies are not investigations and are not designed to assign blame, determine right or wrong outcomes, or evaluate specific organizations or individuals. Each scenario is constructed to encourage reflection – both individually and within teams – on how the principles of the Code of Professional Conduct can be applied when the path forward is not immediately clear.

Each case study will present a realistic scenario followed by key considerations and reflection prompts. These elements are meant to help practitioners think critically about questions such as:

  • When is escalation warranted if facts are still emerging?
  • How should professionals balance rapid action with potential operational impact?
  • What responsibilities arise when customer trust, service availability, and risk reduction are all in tension?

Where appropriate, the case studies will also connect directly back to the Code of Professional Conduct, highlighting how its principles—such as sound judgment, accountability, prompt reporting and harm reduction—can guide decision‑making even when outcomes are uncertain. Supporting resources, including the Ethical Decision-Making Guide, will be referenced to help members apply these concepts in practice.

As this series evolves, ISC2 views Ethics in Practice as a living resource; one that reflects the complexity of the cybersecurity profession and supports meaningful discussion across roles, sectors, and experience levels. Members will also be invited to suggest scenarios they would like to see explored, ensuring the case studies remain relevant to the challenges facing the community today.

Through these case studies, ISC2 aims to reinforce that ethical and professional conduct is not just a set of rules, but an ongoing practice—shaped by context, judgment, and a commitment to doing what is right, even when the answer is not obvious.

Do you have an idea for a scenario you’d like us to cover? Email us at codeofconducttaskforce@isc2.org