What Will the Future of Cybersecurity Bring Us, and Will It Be Ethical? The Hunt for the Black Swans of Cybersecurity Ethics

Although the ethics of cybersecurity might seem to be simple, the matter can be surprisingly complicated. This paper discusses the results of an extensive study aimed at uncovering the anticipated, emerging ethical issues related to cybersecurity. First, it discusses the “strong signals”, i.e., the “mainstream” worries and concerns. Then, it uncovers the “weak signals” - the hidden, less-discussed concerns, which may still define the upcoming future of the ethics of cybersecurity. The results of the study are also compared to the outcomes of a similar experiment conducted two years ago, in order to see if the upcoming ethical dilemmas anticipated back then have in fact become a reality.


I. INTRODUCTION
Ethics aim at determining what is wrong and what is right, and setting up standards of acceptable, moral behaviors in certain situations. Cybersecurity directly affects people's wellbeing; this is why ethics play a prominent role in it. In the context of cybersecurity, ethical principles are in fact at the core of cybersecurity practices, as they refer to responsible use of technologies, in order to protect individuals and ensure they live well [1], [2], [3], [4]. Although the ethics of cybersecurity might seem to be simple -protect the data of good guys, do not let the bad guys in -it can be surprisingly complicated [5]. This paper discusses the results of a broad Horizon Scanning campaign aimed at uncovering the anticipated, emerging ethical issues related to cybersecurity.

II. BACKGROUND -WHY CAN CYBERSECURITY ETHICS BE SO COMPLEX?
Unlike other experts whose professions give them plenty of power, and whose fields of expertise affect people's lives, The associate editor coordinating the review of this manuscript and approving it for publication was Tyson Brooks . such as healthcare professionals or lawyers, the professionals who deal with cybersecurity do not have an established, universal code of conduct yet [1]. Naturally, there are a number of laws which regulate how to navigate cybersecurity; but legal does not necessarily mean ethical [5]. It has been discussed that even if such a code was created, it would never fit all the cybersecurity-related contexts. Rather, the guidelines and procedures should be tailored to the activities and challenges of a given practice [6].
Despite the lack of a universal code of conduct, there have been some suggestions of the principles that the ethical cybersecurity should be built upon. One such set has been proposed by Formosa et al. and encompasses: Another, more straightforward approach has been employed by Van Impe, who proposed these commandments: • ''Do not use a computer to harm other people. • Protect society and the common good. • Be trustworthy, meaning only enter commitments you can keep, and uphold trusted connections with people.
• Have a plan for coordinated vulnerability disclosure.
• Respect human rights.
• Disclose data on a need-to-know basis and maintain privacy.
• Comply with legal standards.'' [8] With the constant emergence and development of new technologies, cybersecurity evolves as well. While this in general brings new advantages and opportunities to the society, it also often gives rise to new, unprecedented adverse phenomena and vulnerabilities [2]. This means that new ethical challenges arise, too [9]. The outbreak of the COVID-19 pandemic, and the accompanying shift in the significance of digital technologies has too sparked further dialogue on the issues of cybersecurity and its ethics [10], [11].
Technologies as such are never ethically neutral; rather, they mirror the values of their designers, vendors and users [6]. The knowledge of the possible ethical problems is crucial for both the cybersecurity professionals and users alike, in order to be prepared for them. Knowing what may happen and how others handled similar situations may help solve dilemmas if and when they arise [5]. This is why it is crucial to comprehensively scrutinize the ethical issues related to cybersecurity in a regular manner, and concentrate on both the ethical dilemmas that have already been confronted, and the possible, anticipated issues that are yet to arise. This paper presents the outcome of such a study.

III. MATERIALS AND METHODS -STUDY DESIGN
This work showcases the results of a follow-up to the 2019-2020 horizon scanning study which was described in [10] and [12]. The study aimed at finding the emerging ethical dilemmas related to cybersecurity.
In order to find out whether the anticipated future dilemmas have changed or not, and if any of them had already become a reality, another study was conducted in April-October 2022. It aimed at examining the new sources, the opinions in which were given after the first study was completed.

A. HORIZON SCANNING
The horizon scanning study was selected as the method of choice. It was decided that this technique would be the best one for obtaining this kind of answers.
Horizon Scanning is a foresight process. There exist several definitions of the technique, ranging from the ''attempt to systematically imagine the future in order to better plan a response'' [13], a ''systematic examination of sources to detect early signs of important developments'' [14] or the means of evaluating ''the importance of 'things to come''' [15]. It aims at uncovering the ''weak'' signals, i.e., the ones which are not commonly known or discussed, which are not among the ''mainstream'' concerns. The method has been known for several decades. It started with commercial organizations from a variety of sectors, but was later adopted by public bodies as well. The main objective of a study of this kind is to supplement the process of planning, be it research, funding or policymaking one.
Generally, Horizon Scanning has been used in relation to the early lifecycle of technologies; it is often employed to check for challenges, opportunities, or to grasp trends in a broad manner. It does not study the ''signals'' in great depth; rather, it is there to provide early warnings.
Horizon Scanning, unlike a survey, does not rely solely on scientific papers and book chapters. Instead, a multitude of sources are scanned, including (but not limited to): • professional press • non-scientific books (including grey literature), • patents, • the news media, • meetings/conference proceedings, • government bodies' reports, • surveys, • the social media, • blogs, • wikis. . . [16]. There is no universal framework of Horizon Scanning. Instead, the adopted model should take into account the peculiarities of the scanned sector; hence, a number of models have been described in the subject literature. The choice of the scanning method is also up to the researcher and their needs; typically more than one method is applied, either sequentially or in parallel [15].

B. THE COURSE OF THE STUDY
The study design followed the general principles described in [12], with the necessary modifications taking into account the experience and expertise gained over the years following the initial study, as well as the conclusions drawn from it. Specifically, the search strings consisted of the combinations of three keywords, from the following three groups: Group 3: • concern • controversy • issue • issues • matter • problem • question Then, the results of the search were initially scanned by the researchers performing the study, to check whether they may potentially be of interest. As the search results tend to be noisy, they were analyzed by the researchers until they remained relevant. After removing duplicates, 4298 various items were taken into consideration. On top if that, several hundred social media posts (Twitter, Facebook, Instagram, YouTube), sourced using the same criteria were analyzed. In total, 319 items were selected for an in-depth analysis. The types of content included: books and book chapters, reports, whitepapers, magazines, various websites, blogposts, curricula, webinars, opinion videos, and comment sections. In this study, a number of scientific articles and book chapters were also taken into consideration if they seemed interesting; however, as it turned out in the first study, they rarely deviate from the mainstream and the ''strong signals'', so they were not the main interest of the study.
Subsequently, the main ethical concerns/issues/dilemmas discussed in the selected sources were extracted. All of them were used to build the word cloud (Fig. 2); the most interesting and relevant findings have been discussed in detail below.

IV. RESULTS -THE FINDINGS
A. THE OLD FINDINGS Figure 1 summarizes the findings of the first study. As visible, most of the ethical concerns identified in it pertained to the various aspects of privacy. Other strong(er) signals encompassed the questions of freedom of speech, freedom of expression, surveillance and censorship.
In turn, although the 2022 study highlighted the issue of privacy as the most important one, the second most popular ethical dilemma has changed. As seen in Figure 2, the question of the so-called ethical hacking has received a great deal of interest. The issues of bias and consent have also been discussed in multiple sources. The identified strong and weak signals have been discussed in greater detail below. The majority of sources deem users' privacy as the main ethical issue related to cybersecurity. Some of the most common and serious threats to privacy are leaks, breaches and misuse of data [17]. In order to secure data privacy, organizations need to tackle its most prominent challenges, that is treating data privacy not as an afterthought, but as an inseparable aspect of data collection, taking into account the legal regulations, such as GDPR [18] or the California Consumer Privacy Act, but also the variety of devices and access point, especially in case of remote work and bringyour-own-device policies in place, and scaling the measures to the ever-growing amounts of processed data [19], [20]. Experts notice that the new laws have indeed given the users a bigger say in what happens to their data; however, there is still a lot to be done as far as aligning business' strategy of companies in order not to infringe on the users' privacy [21].
The issue with cybersecurity is that the practices, aimed at protecting valuable data and assets, often infringe on people's privacy as well. Finding the equilibrium between people's need for security and protecting their privacy may prove to be real struggle. In order to achieve this, the concept of people's dignity is essential, which includes people's right to privacy, and confidentiality itself as something which should be respected [22]. Data privacy is such a burning question, as the concerns about it do not pertain to cybercriminals only; just the opposite, the cybersecurity experts should respect the users' privacy, too. This can be problematic, as keeping information safe from hackers sometimes requires losing privacy from some other party, for example, one that is responsible for monitoring the data. Sometimes even, the objectives of cybersecurity and privacy seem to collide. The question arises: what is the amount information that cybersecurity experts can see in the name of ensuring security compliance before it stops being ethical? [5], [23] Again, cybersecurity professionals are thought to be the first to defend against breaches and other cyberthreats, and consequently, they are trusted to protect users' privacy. If the experts do not do their work carefully enough, e.g., they use outdated encryption, or their practices are otherwise poor, it is deeply unethical [1].

2) STRONG SIGNAL 2: ETHICAL HACKING, ETHICAL HACKERS
Ethical hackers, also known as white hat hackers, are cybersecurity experts who are tasked with breaking into systems in order to uncover any security vulnerabilities it may have. The main difference between white hats and ''conventional'' cybersec experts is that the former concentrate of finding the system's vulnerabilities whilst the latter concentrate mostly on preventing attacks and unauthorized access [24].
It is said that attacking your system yourself is the best way of checking if it is able to withstand a cyberattack [25]. This way, not only the vulnerabilities can be uncovered and removed, but also the staff can be appropriately trained. Yet, employing ethical hackers, as well as their mere existence, give rise to a number of ethical dilemmas.
First of all, there is the question of trust between the organization and the hacker. The organization assumes that the white hat they employ has the adequate experience, training and will not to harm to them. There are now various courses which provide ethical hacking certification; there is no official licensing system in place yet, though [26]. The critical line which differentiates ethical hackers from threat actors is that the white hats follow ethics. The basic necessary principles they have to follow are: doing no harm, staying legal, keeping within the agreed upon boundaries, reporting the found vulnerabilities, and respecting data sensitivity and confidentiality [27].
Some ethical dilemmas related to ethical hackers is that what they should do if, when performing a simulated attack, they uncover forbidden, illegal materials on the client's hard drive. If, for example, when being tasked to hack a system, they find child pornography there, should they keep it a secret for the confidentiality's sake, or report it to the authorities? [28].

3) STRONG SIGNAL 3: BIASED AI DECISIONS
The ''very real'' ethical issues around the biased AI cybersecurity algorithms are mentioned again. They must be tackled in order not to affect the whole progress of AI and trust [21]. When it comes to employing artificial intelligence (AI)/ machine learning (ML) in cybersecurity, some people wonder whether artificial intelligence should be even used in the first place. Yet, cybercriminals have no ethics, and they use AI with malicious intent. If defenders do not use AI to defend systems, cyberthreat actors are far more likely to win. In fact, the risks of not using AI are far greater than the issues related to AI itself. Thus, in the context of cybersecurity, ''the use of AI is not only ethical but morally imperative.'' [29].
Another problem is that although technology should be value neutral, algorithms are only as smart as the data they were trained on [30], i.e., if the dataset contains racial, gender or any other kind of prejudice, the bias will be reflected in the algorithmic output. In cybersecurity, it is particularly important to rid of any potential bias, as it may have serious real-life impacts, like in the case of faulty facial recognition algorithms which led to arrests of innocent people in the USA [31].
One of the measures taken in order to get rid of the ethical dilemmas if to follow the principles of AI explainability and fairness [32], [33].

4) OTHER STRONG(ER) SIGNALS
Other ethical dilemmas of cybersecurity that were identified previously pertain to the ethical use of data. It is generally agreed upon that the handling of data should always base on empathy, i.e., remembering that it is a person who is involved and affected by data; prioritizing data ownership and control, by letting the users make decisions on their personal boundaries of data use; being transparent in relation to how much and what the data is collected for; taking accountability for the security of data; and preserving equality, by ridding of any prejudice or bias that might have driven the data collection process [19], [32].
There is the ethical duty to disclose vulnerabilities or risks once they have been identified, so that the affected parties can make their decisions and act accordingly (for example, a company having a vulnerability in their system must let their customers know about it) [34]. As there is no one-size-fits-all solution, each organization must develop their own practice, with the ethical principles in mind [3].
The ethical dilemmas related to the ransomware attacks have also been extensively discussed, as during the pandemic the number of ransomware attacks has drastically risen [12]. The biggest ethical dilemma is whether one should pay ransom to cybercriminals. Naturally, this seems to be the easiest way to get the data back (provided the criminals will hold up their end of bargain). Yet, reinforcing the behavior will only encourage criminals to go on with their actions and demand even bigger amounts of money. Then, there have been propositions to make paying ransom illegal -would it be ethical, though? If payments were against the law, it could further punish the victims of ransomware attacks who were simply willing to get their stolen data back [35].

C. THE ''WEAK SIGNALS'' -THE ANTICIPATED, EMERGING ETHICAL ISSUES OF CYBERSECURITY
This section presents the most interesting findings of the study -the ''weak signals'' of the anticipated ethical issues of cybersecurity.
Firstly, the new, state-of-the-art technologies, such as IoT and Cloud Computing, have also posed an array of cybersecurity-related ethical dilemmas, which keep emerging with the development and progression of the technologies.

1) HIDDEN/WEAK SIGNAL 1: INTERNET OF THINGS-RELATED ETHICAL ISSUES OF CYBERSECURITY
First and foremost, the cybersecurity-related ethical dilemmas of the cybersecurity of the Internet of Things (IoT) also pertain to the users' privacy. The users often are not aware what kind of data and how much of it is collected by the devices [36]. The risk of the devices being compromised is rising, as they are heavily interconnected and many of them have been reported to be very easily hacked (as in the case of hackable baby monitors). And as the IoT devices are prevalent in our daily lives, they may collect very personal and intimate details. Thus, the smart devices, if hacked, may indicate e.g. when we are home and when not -which poses another serious security risk. Also, the data collected by the devices also has a great market value.
In many cases, the users are required to give their consent, and decide what to share and what not to share before they can even turn their devices on, which is ethical -but who cares to ensure that the users are tech-savvy enough to understand what they are really consenting to? In this context, it is also unethical if the Terms and Conditions are written in a technical jargon or prolonged artificially, so that they are less understandable.
There are security threats of the IoT which may not be easily manageable, or manageable at all -in some cases it is enough to change a password, but what if it is an IoT-enabled cardiac implant that gets compromised? In addition to that, such a breach may be life-threatening if a hacker forces it to administer irregular pacing, or switches the device off completely.
Another noteworthy ethical issue is the question of who is responsible for ensuring proper cybersecurity of the IoT devices -regulators, retailers, manufacturers, or maybe the users themselves. The regulators and governments are not able to keep up with the pace the new threats/ technologies in cybersecurity emerge. Retailers do not design the devices and do not install safety precautions themselves. On the other hand it may be against the manufacturers' interest to apply too strict security measures.
Lastly, with how the technology is progressing, we may not be able not to use IoT in the future -so the issues of cybersecurity and the related ethical dilemmas must be solved as soon as possible.

2) HIDDEN/WEAK SIGNAL 2: CLOUD COMPUTING AND ITS CYBERSECURITY
A broad range of the cloud computing-related cybersecurity ethical issues stem from the fact that it is not always clear who is the owner of the data once it ''goes cloud''. First of all, the question arises if the users, once they decide to use a cloud service, retain ownership of the information, especially in the cases when the data is generated using the service, or the provider can claim ownership of the data, too. This dilemma is also related to the issue of various jurisdiction and laws which may be based on the location of the server rather than the user. These considerations relate to cybersecurity as they would influence the outcome of a data breach. These dilemmas, in turn, are strongly intertwined with the questions of informed consent.
The risk of potential intrusions has additional dimensions with cloud computing -a breach into a cloud service does not affect one user, but a multitude of people. Yet, as [9] notice, this technology brings so many advantages that when considering its ethics, the users are often able to accept the potential small harms that come with it.

3) OTHER HIDDEN/WEAK SIGNALS
In this section, the identified hidden/ weak signals (herein referred to as HWS) have been discussed in alphabetical order.
HWS3: Admitting when you are not powerful enough.
No matter how much money is spent on cybersecurity, the government itself does not possess enough power to test all their networks and asset. In this case, the help of devoted ethical hackers is a must in order to improve the country's cyberdefense capabilities. It would be unethical if the government did not admit that and as a result, did not ask for the support from the skilled experts [37].

HWS4: AI in security leads to arms race
Another concern related to the use of AI/ML in cybersecurity is that employing AI in cybersecurity actively contributes to the arms race with threat actors. The ethical dilemma here is whether to use the AI tools for cybersecurity or let criminals gain the upper hand by doing nothing [29].
HWS5: Bad for business? Some business owners are said to be reluctant to employ cybersecurity measures as they may interrupt the business procedures or cause inconvenience to customers or workers. Yet, as the proper maintenance of the security system is as significant as providing the services to the customers, this too becomes the question of ethics [38].

HWS6: Children and cybersecurity
Owing to the number of children who use Internet every day, and the even lower age at which they start using Internet-enabled devices, it is crucial to instill the principles of cybersecurity in them. Additionally, in the times of the COVID-19 pandemic, online classes became the new reality all over the world. This is why children must be made aware of the potential dangers that using the Internet brings.
It is also the parents' responsibility to routinely check on children's devices and ensure their safety, even if it may seem to be counter-intuitive wrt parenting. Although it may not seem to be easy, children should also be taught cyber-ethics. This will both keep them safe online and help them grow and develop further IT competencies in the future [39].

HWS7: Data ownership
With device and software evolution, the amount and types of data collected has drastically increased. The data may then be used to profile the users and predict their behaviors. Even if the profile is built entirely by means of artificial intelligence algorithms, all the ''subsequent actions are intentional'' [40].
HWS8: Ethical cybersecurity research Ethical way of conducting research has been mentioned before; generally, scientists are expected to follow the ethical principles by default. Over the centuries, the ethical dilemma of whether the results justify the means has been raised innumerable times. Yet, there still happen the situations which cause a public outcry, like the case of the researchers from the University of Minnesota, who admitted to systematically sneaking critical vulnerabilities into the Linux Kernel code base, and wrote an article about it -all in the name of research. It was all the more shocking as they did so without the users' consent to become the proverbial guinea pigs. The researchers kept on performing these non-consensual tests until being called out by the community. As the researchers did not take the responsibility for what they did, the whole university got banned from the Linux Kernel group. As Kaufmann asks, the question arises whether in case of cybersecurity research the ends justify the means, and how to obtain consent if it may influence the findings [27].

HWS9: Health tracking
With health tracking, there exists the dilemma of whether organizations ought to create ''digital twins'' in code, in order to experiment on them. This also applies to the healthcare-services-related cybersecurity, as the ''twin'' may be exploited in a number of ways [41].
HWS10: Inevitable shortfall of cybersecurity staff Some sources express the worry that the pace of digital transformation and development of technologies do not go hand in hand with the available cybersecurity talent, knowledge and expertise; thus, managing cyber risk is becoming an increasingly challenging task [42].
HWS11: Intrusive advertising Advertisement campaigns are also seen as violating basic human rights, by invading the customers' privacy [43]. Another issue relates to the fact that for the sake of personalized ads, companies also collect data in order to track and profile users, and sell the information to data brokers [44].

HWS12: Lack of empathy
This issue is related to penetration/phishing or other attack simulations aimed at testing the unaware employees of a company. The approach that blames, belittles or even punishes the people who failed the tests is does not empower them to change their behavior. Instead, the testees have to be approached in an empathetic, understanding way [45]. VOLUME 11, 2023

HWS13: Misinformation, disinformation and Deep Fakes
In the context of cybersecurity, there is the worry that disinformation, and most notably the deep fake technology, will be increasingly used in order to invade people's privacy, misuse their identity, phish their personal information, and so on [41].
HWS14: Monetizing the culture of fear.
With the omnipresence of digital threats and the vast attack and threat actor catalogues, it is easy to instill panic or fear, both in individual end-users and organizations. It has been mentioned that some security consultants may be very eager to play on that and make their clients spend much more money that it is necessary. The ethical dilemma which arises here is whether charging large sums is exploitation or just how free market works [6]. A similar moral dilemma is when a cybersecurity expert promises more than they are able to achieve, or even manipulates data for the sake of earning more, as it is possible to make a network more secure, but never completely secure [6].
A similar issue relates to what companies say about their actions towards securing the data they handle, what they actually do, and if it is proportional to the value of the data, especially in the cases of big companies which collect vast amounts of sensitive and personal data, and they attract the cybercriminals' attention [44].

HWS15: Neurotechnology
The state-of-the-art advances of neurotechnology make it now possible to change a person's behavior or thought patterns [41]. While this itself is a source of ethical dilemmas, it also raises a lot of cybersecurity-related issues.
With neurotechnologies, it is crucial to ensure that patients enjoy their full advantages whilst the potential harm is minimized. The chief concern is the patients' data and privacy security, especially in the cases when the sensitive data is recorded and stored. Patients must be aware of what data can be extrapolated from their neural information collected and express their personal boundaries concerning the scope of the collected info.
If the devices can be hacked, which can also result in interrupting therapy, the cybersecurity measures must be imposed hospital-wide and with regard to the patients linked to the network. Manufacturers have to be held accountable for identifying and ridding of possible vulnerabilities [46].

HWS16: No Internet for you
What Russia has been doing in the ongoing war in Ukraine, as well as the situations in China or Iran have shown that restricting or preventing the access to the Internet may become a powerful means of controlling a nation or keeping the citizens in a bubble of information which the government is favorable of. The aforementioned countries have been known to oppose democratic values, so what they are doing with the Internet access comes as no surprise. Still, what about other countries? Can we be sure that they will not/ do not keep us in information bubbles, partially by means of cybersecurity technologies?

HWS17: Quantum computers
There are voices worrying that various threat actors, including nation-states will soon employ quantum computers in order to crack the existing encryption mechanisms. This in turn will lead to a severe disruption to all the services which rely on encryption, such as the financial sector, ecommerce, and so on. The blockchain-based technologies will be vulnerable to this kind of attacks as well. If organizations do not switch to post-quantum cryptography quickly enough, it will lead to a major disaster. The ethical approach to this situation includes preparing for it -a.k.a. becoming ''crypto-agile'' -by adopting the security mechanisms once they become available [47].
HWS18: Quis custodiet ipsos custodes? This Latin phrase, which translates into ''who watches the watchers'', refers to the situations when security teams interfere with other legitimate operations including hacking, like in the case of the Google security team shutting down a counterterrorist operation conducted by a Western government. The fact that Google not only decided to stop the operation but also made it public has raised a lot of ethical controversy [48].
HWS19: Phishing dilemma Specifically, the phishing readiness tests have sparked controversy, when the messages to the employees were crafted in order to resemble an e-mail from the finance and payroll department of a company, with the promise of paying them a bonus for their contribution in the times of the COVID-19 pandemic. The link in the message led to a simulating phishing exercise. The particular incident was criticized as taking the test too far, as using such an emotive bait it resulted in upsetting the employees and breaking trust and the sense of security amongst them, thus undermining the cybersecurity efforts. If a phishing test is to be successful training, not tricking, it may not be thought of just as a ''gotcha'' exercise. Even if the results of the exercise are not satisfactory, they should be turned into a learning experience, by providing the staff with helpful, engaging feedback, not punishment [45]. HWS20: Resource allocation Cybersecurity measures cost a lot of money, owing to the number of resources they require, such as time, expertise or skilled personnel. Yet, consequences of the lack of adequate cybersecurity measures often entail much higher costs. The situation in which the lack of balance between allocating funds for anything else and well-resourced cybersecurity is an ethical issue too, especially when people's life and well-being is at stake (e.g., in a hospital) [3].

HWS21: Testing new technologies.
Actually, all the new cybersecurity-related technologies should be tested with ethics in mind, i.e., taking into account the possible risks to the users. With new, emerging technologies, the risks may not be anticipated by the experts, simply because they have not been dealt with before. Another point to consider is that although the direct participants may have expressed their consent, the tests may pose indirect risks to other related parties [9].

HWS22: To teach or not to teach (cybersecurity)?
Another signal related to cybersecurity ethics is the ways it is taught. Cybersecurity as a subject is quite unique, as the practical skills a student learns may be directly related to an illegal activity, no matter if they do it just out of curiosity, or with malicious intent. It is also not always clear whether the students (this is particularly true in the case of online courses) are not based in companies or even countries which support global cybercrime or are openly against democratic values, like Russia or China [49], [50]. These concerns may lead to the question if cybersecurity/ hacking should be even taught at all. This is why teachers and instructors teaching cybersecurity should put emphasis on the questions of ethics, and teach ''liberal'', democratic values alongside them. This way, the students are empowered with the ability to think critically about what they do and what the consequences of these actions may be, rather than having to bear with the repercussions and regret after it is too late. Another suggestion is not to teach ''the whole story'' and let the students figure the rest out themselves, and show them the test dummy sites which let students practice their newly acquired skills without breaking the law [49], [51].
''There is too much potential to do harm, deliberately or through unintended consequences of decisions made, in our craft to send them out without an understanding of ethical issues and how to address them. (. . .) I cannot tell [the students] what to think, but they ought to know how they reached their own conclusions and whatever they decided to do, be able to do it on purpose not just drift into it unthinking.'' (comment by m.robertson8_291084, in [49].

HWS23: The environmental impact of cybersecurity
The growing need for cybersecurity measures generates a greater demand for computing power in order to process the incoming data as quickly and efficiently as possible. This consumes vast amounts of energy. The ethical dilemma here is striking the balance between saving energy and ensuring the best cybersecurity possible [21].
HWS24: The ethics of cybersecurity experts and how to recruit them.
''Cybersecurity professionals have an obligation to both their organizations and the general public to carry out their duties ethically. It's crucial to know where to draw the moral line and stay ethically sound while aiming to better the security of any network they are protecting.'' [1] Actually, cybersecurity experts have to possess the same knowledge and skills as their criminal counterparts -i.e., a cybersecurity professional should know how to copy credit card data, infiltrate users' data and so on. Therefore, they are able to do it as well. As the safety of the users'/ customers' critical data is in the hands of the cybersecurity experts, they must demonstrate to their supervisors that they are able to handle it. The cybersecurity professionals also deal with private, sensitive, or proprietary data and they have to adhere to the ''butler's credo'' -always keep what they see strictly confidential, no matter how juicy the gossip they found on a client's hard drive may be.
As there exist no straightforward, generally recognized certification or accreditation, it usually must be demonstrated by the experts' behavior. It is generally advised for the supervisors to demonstrate ethical behaviors so that the workers adopt them as well. It is also considered to be the ethical responsibility of the employers to recruit the staff who is not going to take advantage of their unique power. In other words, it is not enough to concentrate on the technical skills of a candidate; the employers should have their staff's moral standards in mind, too [22], [38].
HWS25: . . .and workforce in general Workforce faces a number of various cyber-dangers, such as hacking, identity and data theft, data breaches, phishing, and so on. They have to be made to practice digital hygiene, which in turn contributes to better cyber ethics and improved cybersecurity [52].
HWS27: Unequal access to cybersecurity Just like the general unequal access to the Internet, the lack of equality when it comes to access to cybersecurity is a serious ethical issue.
HWS28: Vigilante ''testers'', rouge white-hackers and scientist Searching for vulnerabilities is an inseparable part of developing products. However, the tests performed without consent are dangerously similar to cybercrime. Some hackers, who do not work for any organizations, may feel the urge to perform simulated attacks and search for system vulnerabilities by themselves. Whilst they may be well-motivated and have good intentions only, this may be the source of many ethical issues. First of all, they usually do not ask permission to hack into systems. Then, if they do uncover a vulnerability, they may be tempted to monetize it in an illegal manner, which shifts them from white to black hats [53]. Another issue is related to the situations when they found vulnerabilities but the organization does nothing to fix itshould the hackers announce it publicly, in order to warn people? [5], [27] HWS29: Weaponization of technology A.k.a. can we trust technology to ''fight a war for us'' [41]?

HWS30: Whistle-blowers' issues
The first and foremost question concerning whistleblowing is the most general one -is it ethical? Edward Snowden, when revealing thousands of documents proving massive invasion of privacy, had to violate contracts and break the law to expose it. For almost a decade, the public has come to a satisfactory conclusion whether this was ethical or not. Cybersecurity faces very similar dilemmas -for example, if a cybersecurity experts finds a harmful vulnerability a company does not want to fix. Is it ethical to violate the contract with the client and break the business' privacy in order to warn the users whose privacy might be in danger? [5] As new regulations were put in place, concerns have been expressed wondering if the incentives from regulators could VOLUME 11, 2023 58803 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.  lead to an increase in cyber-whistleblowing, i.e., people being able to report all forms of cyber misconduct, such as data breaches or vulnerabilities in systems, and being protected by law.
Without proper mechanisms in place for dealing with reports in an ethical way, as by nature cyber-whistleblowing differs from other complaints and poses different challenges, each company should determine how to react to cybersecurity-related whistleblowing, who is responsible for handling the complaints, and de facto ''identify and address potential concerns before they become full-blown whistleblower complaints, which can then take on a life of their own'' [54].
HWS31: When security turns into surveillance ''This is where I think one of the key ethical dimensions comes in. How one treats intelligence activity or law enforcement activity driven under democratic oversight within a lawfully elected representative government is very different from that of an authoritarian regime. Or is it?'' [48] There are voices against too many cybersecurity measures, as it may be used by governments for mass surveillance, e.g., like in the case of facial recognition systems, which are said to compromise fundamental privacy rights of citizens [55]. In such cases, when there is lack of balance between privacy and security, the same platforms and technologies believed to be able to foster democracy and security are used against exposed citizens [56].
HWS32: Zero-day trading Another ethical dilemma related to cybersecurity may be the question of trading zero-day exploits. There have existed companies that pay hackers to disclose found software vulnerabilities to them, rather than to the vendors. The companies are supposed to protect the affected users before the vendors fix the problem. While this seems to be a very ethical thing to do, there have been documented cases when such companies were contacted by wealthy ''contractors'' who offered to buy the bugs for substantial amounts of money and urged to do it in secret. As Madsen remarks, ''buying 0-days is something every single country does now, (. . .) that includes your country as well.'' Since zero-day exploits have even been used by nation states attacking other ones, vulnerability researchers have to make ethical decisions concerning who they are selling the bugs to, and if money can buy everything [57]. Figure 3 shows the identified hidden/weak signals -the anticipated emerging cybersecurity-related ethical issues.

V. CONCLUSION
This paper has presented the results of a broad study of the anticipated, emerging cybersecurity-related ethical issues. The outcome of this follow-up study shows that data, technology and cybersecurity are living things [58]. They continuously evolve, and so do the accompanying ethical issues. The development of technology will lead to the rise of even more, new ethical dilemmas [59]. In the span of two years between the studies, there has been a noticeable shift in the most pressing ethical dilemmas of cybersecurity. The results presented in this paper can thus contribute to drawing the attention to the most urgent problems and provide the starting point for both the discussions on the matter and taking immediate, targeted actions.
As cybersecurity has broad implications for management, each major decision should be made in accordance with ethical standards. The same system can bring either benefit or harm, depending on the ethics underlying its application [34]. Consequently, the discussion on the ethical dilemmas of cybersecurity must continue, and the list has to be updated, preferably in the form of an interand multidisciplinary dialogue [60]. Then, the outcomes of the discussions have to be transformed into meaningful actions [61].
The future will tell if the worries come true and the anticipated ethical dilemmas related to cybersecurity become mainstream, or if we are in for even more surprises.