Plagiarism in IT Security - Walking a Fine Line

Friday, December 09, 2011

Rafal Los


As many of you are familiar by now, I ran into a recent incident where an individual was shamelessly copying my work (and that of many, many others) and putting their own name on it and calling it original - then posting it to their company blog. 

The result was one of the fastest and most sincere resolutions I've personally ever witnessed, and while I don't need to recap the whole issue in this post (because you can read it here) one thing kept coming up over and over...

The idea of content control, was a common theme in discussions on Twitter, in person, and on the web over the issue of plagiarism. 

At the heart of the matter is the case where an employee works for a company, call them ACME Widget Corp, and posts (supposedly) original content to the corporate website.  The content is clearly written by an individual, on behalf of a company or organization (since it is their website)... but who's really responsible for it?

On one side of this argument is the camp that believes that the content is owned by the organization who's site is being posted to, and that it is the organization's responsibility to ensure the content is original and appropriate.  There are many organizations out there that sympathize with folks who believe this... and I know friends who work at these types of organizations. 

Believe me when I tell you that you wouldn't want to try and be a blogger or writer on one of these sites.  The process is painful, and works glacial speeds.  Here's how it works - you write some content, then submit it to the review process, which generally includes content management, legal and PR. 

That whole process probably takes 2-3 weeks, if you're lucky.  I dare you to try and generate timely and worthwhile content in the information security industry at that pace.  What's worse, for those that know who I'm talking to, odds are your marketing group gets a chance to review too - and will infuse anything you write with corporate marketing speak. 

Are you sure you want that?  This is a sure-fire way to stifle creativity, and destroy the value of a blog - and forget about having an opinion.  You can't disagree with anyone, comment on anything even remotely inflammatory, or have an edge.  No thank you.

On the other end of the spectrum is the type of organization that lets their content creators write what ever they wish.  This becomes dangerous because your organization risks legal or other challenges from employees or writers who go cavalier.  This isn't necessarily desirable either - because in cases where there is absolute freedom of content, and no policing... poor decisions can lead your company or organization down the path of law suit, negative publicity, or other ugly things. 

The good news is that when you receive the privilege to write on behalf of the organization, and let me assure you that it's a privilege and not a right - you go through media and ethics training and sign one of these pieces of paper that says you will comply with company standards and won't be a general .  (see what I did just there? self-censorship!)

If I had to pick, I'd go with self-policing every day.  I think people need the freedom to create and need to be held accountable for their own actions.  While I think that the appropriate model is (as we do here at HP) training, accountability, and creative freedom with occasional review - not every organization is willing to take that risk on their bloggers. 

At the end of the day though, shouldn't we all be professionals?  I know it's nice to think that everyone is honest - but as the Information Security world expands and there is a massive influx of people trying to make a name for themselves - there will be dishonesty.  This is where the community comes in.

As with the incident I was unfortunately involved in, crowd-sourcing is the way to go.  When the community looks out for itself, polices itself, and takes care of its own issues - that's how we all move forward. 

Companies that host blogs and various content have a responsibility too though... they are responsible to do the right thing when the unfortunate happens and someone points out that their writers or content generators are less-than-original.  When content organizations respond quickly, appropriately, and with honest intentions - the community grows stronger, and the wrong doesn't feel so bad.

Michelle Gorel, VP Public Relations for AVNET, sums it up wonderfully...

"The Internet has created an environment that encourages creativity and the sharing of ideas, knowledge and expertise.  This is a great opportunity for everyone to have a voice.  At the same time, there’s also the risk of abuse.  So it’s up to all of us to work together as a community to protect that environment by respecting the creation of original content and monitoring ourselves.   No one person or organization has the ability to see and know as much as we can all together – that’s the power of crowd sourcing."

I think self-policing, strong ethics policies, and swift review of questionable content is the way forward - let by the crowd-sourced vigilance that makes Information Security such a great community to be a part of. 

Let's stay vigilant, and let's keep our content fresh, original, and cutting-edge.

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Security Awareness
Information Security
Intellectual Property internet Copyright Professional Ethics Plagiarism Media IT Security
Post Rating I Like this!
Aaron Cooper Looking at his linked-in profile, it seems he's been terminated. I kinda feel sorry for him.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.