Karsten Weber: Cybersecurity and Ethics

Highlights summarized by Arne Sonar

Highlights of the VEIL

This term’s third Virtual Ethical Innovation Lecture (VEIL) was held by Prof. Dr. phil. habil. Karsten Weber. He is co-head of the Institute for Social Research and Technology Assessment (IST) and one of the directors of the Regensburg Center of Health Sciences and Technology (RCHST) at the Ostbayerische Technische Hochschule (OTH) Regensburg. Besides that, he holds an honorary professorship at the Brandenburg University of Technology Cottbus-Senftenberg. In his talk he mainly focused on tensions between the different aims of cybersecurity and ethics as well as the potential consequences for technological innovations arising from this.


Introducing his presentation, Karsten Weber pointed out that the vulnerability of computers and other forms of network devices to cyber and/or hacker attacks is an issue of almost daily occurrence. Examples for these kinds of attacks are, e.g., illegal access to financial data, manipulation of important data, theft or misuse of personal data and trade secrets, damage to or destruction of computer systems as well as shutdowns, malfunctions or destruction of critical infrastructure (e.g., energy or water supplies). As Karsten Weber pointed out, there is a variety of intentions for committing these assaults, ranging from a simple and seemingly harmless display of the basic ability to do so (committed by perpetrators that are often diminutively denoted as “scriptkiddies”) to criminal and terrorist activity (e.g., virtual bank robbery, cyber terrorism). Other assaults may also qualify as cyber warfare when carried out, for example, by state actors or groups associated with state authorities.

Cybersecurity Awareness and Hollywood

Following on from his introduction, Karsten Weber elaborated on the history of cybersecurity, which can be traced back to the late 1960s. Professional and public recognition widely was reached in the 1980s due to the rapid dissemination of computers and the appearance of the very first computer viruses. According to Karsten Weber, another important cause for the increased attention paid to the vulnerability of computer systems to cyberattacks and the related issue of cybersecurity at that time, and especially to its political and military dimensions, can also be attributed to movies like “Wargames” and books like “The Cuckoo’s Egg” written by Clifford Stoll. In addition, Karsten Weber also emphasized the importance of the development of the Internet in the 1990s, which led to an increased awareness in society that computer systems are a potential target of cyberattacks that were no longer limited to malware being spread only through the exchange of media for data storage (e.g., floppy disks).

Computer, Information and Cybersecurity

Addressing the historical roots of the term cybersecurity, Karsten Weber showed that issues covered by this term, which is commonly used today, tended to be discussed under both the terms computer security and information security in the 1960s, even though the aspects they covered were quite similar in essence. In this context, he referred to papers by Willis Ware (1967), which mark the beginning of debates that continue to this day and addresses aspects (e.g., attack vectors, attacks threats and motives) that are still relevant in current debates. Normative questions regarding social impacts of computers also were raised at this time. For example, Weber referred to Alan F. Westin’s book “Privacy and Freedom”, also published in 1967, and mentioned that since then, relating computer or cybersecurity with ethics and social implications has steadily increased to the point where it is now a regular issue in scholarly debates.

Lack of Cybersecurity and Negative Social Impacts

Karsten Weber continued to say that the scales for measuring the potential impact of different forms of threats (e.g., cybercrime, cyberterrorism, cyberwar) can vary. Attacks on computer systems could have multidimensional effects: They can affect the individual life as well as the social, corporate, or political domain. Since a comparison of concrete damage therefore appears to be quite difficult, Karsten Weber raised the issue that corresponding reports often highlight the consequences of a cyberattack by its economic key figures only (e.g., financial damage, costs). However, a lack of cybersecurity often causes damages being notoriously difficult to measure because they reach far beyond monetary costs. based on his remarks, Karsten Weber therefore arrived at the first of four central theses of his presentation:

“1. Fear of cyberattacks could be a barrier to innovation since users might fear that innovative technology is more vulnerable (than existing technology).”

He also elaborated that within public discourse a lack of cybersecurity as well as the high economic damages of cyberattacks could be used as an argument against innovative technologies or new technological pathways (e.g., e-government). To support his thesis and to illustrate the genuine economic scale of the potential damage from cyberattacks, Karsten Weber illustrated the rise of the financial damage caused by cyberattacks from 13-226 billion dollars in 2003 to about 1 trillion dollars in 2020. This lead Karsten Weber to his second thesis:

“2. Fear of economic burdens caused by cyberattacks could be a barrier to innovation as innovative technology actually seems to be more vulnerable (than existing technology).”

From this perspective, he stated, it might be plausible to argue that the price to invest in innovations might be not worthwhile because economic benefits could be out of proportion to the potential economic damage caused by cyberattacks.

Citing Andrew Odlyzko (2019), however, Weber stressed that the main obstacle to cybersecurity must be found elsewhere: Besides ensuring cybersecurity itself, there are at least also other equally relevant social, economic, and political objectives which need to be addressed. Here, Karsten Weber’s comments primarily focused on the discrepancy, highlighted by Odlyzko, between the rigidity of cybersecurity rules ensuring systems security and human demand for flexible systems. This implies that an exclusive focus on cybersecurity should not necessarily be aimed for in relation to other objectives.

Competing and conflicting aims and values

The discrepancy between cybersecurity and, for example, moral values like privacy, trust, freedom, informed consent, dignity, solidarity, fairness, equality, autonomy, beneficence, or non-maleficence, is also an extensively taken up topic in the scientific literature. This in turn reflects the fact that the provision of cybersecurity is and needs to be associated with a wide range of moral values and principles. In this context, Karsten Weber argued that the technical requirements of a very strict security architecture (e.g., protecting the confidentiality of data or communications) may negatively affect and reduce the usability, efficiency, or quality of service.

Besides moral values and technical requirements, Karsten Weber mentioned that economic considerations are relevant for achieving a certain level of cybersecurity as well. Cybersecurity is expensive and its worth as a preventive measure is difficult to quantify, he said. Because effective cybersecurity is rarely an advertisement for the need for more cybersecurity, however, this in turn would result in a so-called “prevention paradox”. In addition, Karsten Weber discussed the importance of the political sphere for cybersecurity: Due to political influence, a backdoor for decryption is often advocated by governmental actors (e.g., for security reasons). This led to the third thesis:

“3. The multitude of interests regarding cybersecurity could be a barrier to innovation since innovative technology could jeopardize these interests.”

Cybersecurity as a Multi-Dimensional Challenge

Concluding his presentation, Karsten Weber advocated that various aspects such as technical requirements, moral values, and other factors influence (e.g., the design of) technologies and therefore must be taken into account, among other things, when it comes to creating appropriate conditions for cybersecurity. According to Karsten Weber, if this is accepted, the question is much more how to achieve a specific balance between these values, requirements, and goals that all stakeholders concerned can agree to. In this respect, Karsten Weber finally pointed out that cybersecurity in itself would probably never be achievable for all stakeholders at the same time and to the same extent. For this to happen, the interests of stakeholders involved are often far too different for that as well as power and influence are usually very unequally distributed. This led Karsten Weber to the fourth and final thesis of his talk:

“4. Because, from a moral perspective, active conduct is often seen as more problematic than inaction, and innovation frequently affects cybersecurity negatively, often innovation appears to be morally more questionable (than sticking to old technology).”


Questions being raised (and addressed) within the aftermath of the talk revolved, e.g., around the discrepancies between fixed rules for security and inflexible systems, the possibilities of global rules/norms for cybersecurity or the need for application-oriented rules for specific areas/applications. Furthermore, there was a discussion on whether there could be some kind of comprehensive list of moral rules concerning cybersecurity as well as the question, whether measurements providing cybersecurity really make systems inflexible. Another question addressed the point whether it is possible and desirable to quantify/measure the worth of ethics and cybersecurity at all.


Especially with a focus on the increased value and importance of data and the everyday ubiquitous dissemination of innovative technology throughout all realms of social life, cybersecurity, despite its relative long historically tradition, has not lost its topical relevance nowadays. Notwithstanding its high importance, however, it must not be neglected that cybersecurity is often also related to other aspects such as technical challenges and requirements or moral values and principles, some of which are also competitive, but which must be considered at least as relevant.


Ware W. H. (1967). Security and Privacy in Computer Systems. Proceedings of the April 18-20, 1967, Spring Joint Computer Conference – AFIPS’67 (Spring), 279-282. https://doi.org/10.1145/1465482.1465523

Odlyzko, A. (2019). Cybersecurity is not very important. ACM Ubiquity, June 2019, 1-23. https://doi.org/10.1145/3333611