A major consideration for the use of cyber deception technologies for DCD is that of Internet safety and introducing vulnerabilities to the public, including the potential for third party vulnerabilities [ 6, 14 ]. Potential vulnerabilities may be introduced to the public that cause unintentional harm to neutral or third parties, and associated with potential cascading effects, which has been a longstanding ethical consideration in cyberwarfare [ 15 ]. Expanding on the concept of cyberwarfare immunity for all third-parties is required [ 16 ]. In applying such considerations to cyber deception technologies for DCD, such ethical considerations may not be required where deceptive assets are deployed within a network where legitimate users would not be accessing them. Furthermore, as the majority of current commercial-off-the-shelf (COTS) DCD solutions are for generating threat intelligence, as opposed to more offensive responses, then this ethical consideration may not need to be considered as in-depth with more potentially offensive responses. Alternatively, if COTS DCD solutions move beyond the current focus on generating threat intelligence and move towards more offensive responses then there will be a need to consider potential harm to neutral and third parties through cascading unintentional effects. Developing an understanding of any potential harms to neutral and third parties from DCD will be need to considered as part of wider DCD planning and lifecycle management.

With the deployment of cyber deception technologies for DCD there are potential ethical issues related to the morality of making users of a system part of an experiment without their awareness and consent. For example, there are concerns about privacy when using fake login props, defensive phishing or social engineering [ 7 ]. While there is an argument to be made about ethical issues when collecting attacker’s information without their consent [ 17 ], this is not usually an issue as attackers are typically anonymous when conducting illegal activities [ 7 ]. More recent cyber deception technologies for DCD do make claims for the covert exfiltration of digital forensics related to the attacker that can potentially be used for attribution, however, as these attackers are in breach of the Computer Misuse Act 1990 [ 18 ] these actions are arguably ethically justifiable.

Of more concern is the ethical issue regarding privacy in cyber deception is when a legitimate user encounters a cyber deception [ 7 ]. Since cyber deception should not target legitimate users, their data should be encrypted and deleted as soon as they are verified as legitimate users [ 7 ]. Therefore, there is some argument that cyber deception technologies should be made so that they have limited or no interactions with everyday users [ 7 ]. However, there is still an argument that cyber deception technologies for DCD should have deployment in parts of the network that legitimate users may use, as a specific strategy for targeting potential insider threats. Further, some cyber deception technology vendors have developed capabilities for deploying deception outside of the network (e.g. on GitHub) as a means of an early-warning system that an attack is occurring.

One potential ethical issue that may occur in the use of cyber deception technologies for DCD is entrapment [ 6, 7, 9 ]. Specifically, the use of honeytokens, honeyfiles, and honeypots can be potentially seen as entrapment [ 7, 9 ]. This is an ethical issue as entrapment can be considered as an encouragement for committing crimes that would not be committed otherwise [ 7 ]. On the other hand, entrapment can be considered as being passive and the attacker is the one that takes the active role in committing crime [ 7 ]. This demonstrates that it can be difficult to determine what is and is not ethical when using cyber deception techniques. Entrapment as an ethical issue for cyber deception technologies for DCD may not be applicable for all cyber deception tactics and strategies, as not all approaches utilize honey technologies to attract users into deceptive environments, for example, the use of deceptive signaling [ 19, 20 ].

One potential ethical issue that has application from the physical world to the virtual world, is that of cyber perfidy. Perfidy itself is taken from physical warfare whereby combatants are required to act in good faith [ 21 ]. For example, when an adversary surrenders they are not then harmed; or the use of false insignia to suggest they are actors from another nation, or to hide who they really are whilst harming others [22]. Perfidy as an ethical issue may have challenges in its application to cyberspace. In relation to cyber perfidy there is some discussion over using a neutral domain name or adversary insignia or signatures in pretending to be the enemy during a visible cyberattack, however, if an adversary is not killed, wounded or captured then this should not be considered as perfidy [23]. Further issues raised as to what happens if this attack is autonomous, or whether a system can recognize the emblems of an adversary in cyberspace [23]. Although using false credentials in a military cyberattack may be considered perfidious [23], of note is that the deception here is only considered in the arguments as part of an offensive cyber operation, rather than as part of DCD.

There are further assumptions that it is only military networks that are being targeted rather than civilian networks. [23] refers to use by the NSA and GCHQ of a deception technique where users were redirected to a honeypot before malicious code was then injected onto the user’s computer. Although this may parallel similar approaches to DCD the aim here was to target specific users, and it is unclear whether this may be considered perfidious unless it causes death, injury or capture of an enemy. The focus on perfidy and the physical harm that may result from perfidious actions ignores any harms that may be considered psychological. [23] argues that the use of cyberweapons which damages physical or virtual infrastructure or corrupts data belonging to the military may be considered as a morally permissible cyberattack, even when using a trusted certificate, software exploit or unauthorized credential. However, even though such capabilities may be considered as permissible they are moving beyond the capabilities of COTS cyber deception technologies.

With the use of cyber deception technologies for DCD there are ethical issues related as to who holds overall responsibility for the deception deployed, and how this may be impacted by the automation of responses. One argument suggests that the ethical responsibility for cyber deception lies with the software developers who create the deception technology itself [ 7, 9 ]. This is opposed to those who may actually plan the DCD, or those who order the procurement or deployment of COTS cyber deception technology across a system or network.

In assessing the ethical responsibility for DCD through applying concepts from cyberwarfare there is further support that those who create actions (whether attacks or exploits) should be those who are held ethically responsible for the outcomes of these [24]. However, due to limitations or biases in decision-making humans may not know the outcomes of such actions suggests that cyberattacks or exploits may have uncertain moral legitimacy [24]. Although there is an assumption here that a response to a cyberattack is being conducted by the ‘human in the loop’ rather than an autonomous response guided by AI and/or ML, as is the case with COTS cyber deception technologies.

One interesting ethical consideration for cyber deception technologies for DCD is to whether deceptive assets have the potential to cause harm to an attacker. Applying concepts from cyberwarfare it is not clear how an attack on a computer system or network may be conceptualized as leading to ‘damage’ or whether this has a psychological or physical impact on the target, or how they may perceive such ‘damage’ [24, 25, 26]. Dipert (2016) further argues that deception in cyberspace is not substantive compared to deception in warfare, and that ethical comparisons are difficult to justify where there are no intentional or negligent deaths or permanent destruction [25]. More recent research utilizing concepts from oppositional human factors (OHF) has found that some approached to DCD are able to cause confusion and surprise in attackers [ 10, 11, 13 ], however, it is again unclear as to whether this may translate into actual physical or psychological harm to an attacker.

In seeking to understand the psychological harms of cyberwarfare Canetti et al. (2016) extrapolate findings from research exploring the impact of more common online and offline harms [27]. Cyberoperations that target individuals, networks or facilities may not result in any suffering to an individual, and if non-combatants were targeted this would still not equate to cyberterrorism [27]. Victims of cyber-attacks in the form of identity theft have experienced psychological harm that is argued to be akin to that of burglary and home invasion, whilst being a victim of cyberbullying results in psychological trauma [27]. In an experimentational simulation of a cyberattack (an intrusive breach of privacy), Canetti et al. (2017) found that there was an increase in cortisol levels, which are indicative of a physiological response to stress [28]. Whilst Canetti et al. (2016) argue that as cyberattacks may cause such psychological and physiological harms then they should not be used against non-combatants as it is not morally acceptable [27]. However, if such attacks may be deployed against those who attack our computer networks then this would be considered acceptable. Further investigation is required to explore whether the use of cyber deception technologies for DCD, can lead to potential psychological or physiological harm to an attacker.

The principlist framework of ethics is argued to be grounded in reality and professional ethical practice that enables flexibility in making decisions [29]. Principlism itself is a deontological perspective to moral rightness, whereby the ethics are through fulfilling the prima facie act even if this produces negative consequences [29]. There may be three or four moral principles that are regarded to as prima facie duties in the deployment of cyber deception technologies for DCD in defending organizations against attackers. These should be identified by the organization itself as the ethical principles that they wish to adhere to, with the acknowledgement that such principles may sometimes clash with one another.

There needs to be a balance of human rights and security in cyberspace, the challenge is in which context one or the other becomes the priority [29]. For example, as individuals we have the right to privacy, and cyber deception technologies for DCD may seek to enhance this through the use of the deployment of deceptive assets seeking to prevent cyberespionage or ransomware attacks that breach an individual’s right to privacy. Rights associated with profiling and cyber security may not be applicable in the case of cyber deception, as if individuals are already intruding in our computer networks then they are already in breach of the Computer Misuse Act 1990 [ 18 ]. However, as cyber deception technologies for DCD may covertly extract digital forensics for threat intelligence then the potential for misattribution of an attacker also needs to be considered as an ethical issue.

Across the existing literature on the ethics of cyberwarfare and cyberdefense for organizations there is a consensus that a response to a cyberattack must be proportionate to the magnitude and scope of the provocation [ 14, 16, 24 ]. This includes the fact that there should be no overreaction of acts of vigilantism [ 14, 16 ] or impact on third parties [26], or on privacy [30]. The principle of proportionality may be applied to cyber deception technologies for DCD, for example, delays or tarpits are considered a cyber deception technique that is used to slow down an attacker, it has low impact on the legitimate users as attackers are usually in a more of a hurry [ 7, 17 ]. The main ethical issue regarding the use of tarpits is if the network decides to delay the network long after the attacker is gone in anticipation of another attack.

Stevens (2020) argues that measures by organizations should be viewed in terms of subsidiarity and proportionality [ 14 ]. With the case of subsidiarity, the measures used to avert a cyberattack may be considered ethically justified when the threat could not have been averted or minimized using a less invasive measure, or applied in a less invasive measure [ 14 ]. In terms of proportionality, this would be argued to maintain a balance between the imminent harm avoided by an organization against harm to an innocent third party or even potentially an attacker [ 14 ]. Stevens (2020) argues that in calculating the parameters of a defensive measure than there is a need to foresee the consequences of our actions alongside the harms averted to a degree of reasonable certainty [ 14 ].

As the key of focus of currently available COTS cyber deception technologies for DCD is on generating threat intelligence, then the use of deceptive assets overall may be considered as a proportional response to a cyberattack. The potential harm posed by the use of cyber deception assets is beneath that of the harm posed by an attacker to an organization, whether they are conducting cyberespionage, or seeking to inject ransomware into a network.

Expanding on the ethics of cybersecurity to how organizations may ethically conduct DCD, Stevens (2020) explores the right to self-defense in cyberspace as ethical justification for specific cy-berdefense measures [ 14 ]. Stevens (2020) classifies measures that includes deception as potentially ethically problematic depending on their application [ 14 ]. Some measures may be considered as acts of cybervigilantism if an attack has finished and the action may be considered as punishment or having a retaliatory nature then they may not be ethically justified if conducted by a private organization as opposed to a law enforcement agency [ 14 ]. However, such arguments may not be applicable to DCD, whereby deceptive assets are utilized during an attack, whilst covert exfiltration of digital forensics may not be considered as an act of cybervigilantism.

In warfare self-defense is linked to liability to harm an attacker, where there is a necessity to harm an attacker to achieve a justifiable goal, and such responses should never knowingly inflict disproportionate harm to an attacker [31]. Adapting Jenkins (2016) [31] discussion of cyberwarfare as ideal war, if defenders incorporate cyberweapons into cyber deception technologies against attackers then this could be considered as ethically justified if the response is proportionate and there is no risk to non-combatants, although such an argument is currently theoretical. A point to consider here is that DCD efforts, to date, have sought to generate threat intelligence and disrupt attacker decision-making rather than, for example, encourage them to download a document that may include malware. The debate here is how harm to the attacker may be considered, and what ethics may relate to causing changes in an attacker’s cognition through cyber deception. A further point Jenkins (2016) raises with offensive cyber operations is how far operations should be aimed downstream to focus on targets that will enable the desired effects to be achieved [31]. Applying this concept to DCD it brings about the question of who the defender wishes to deceive, an attacker who may be conducting the attack on behalf of others, or whoever may have given the orders and instructions for an attack. The desired effects of the cyber deception may wish to focus on the decision-making beyond the initial attacker, and instead seek to disrupt those who may be running cyber-attacks.