Science and Engineering Ethics, Volume 20, Issue 3, pp 675–699

Critical Theory as an Approach to the Ethics of Information Security

  • Bernd Carsten Stahl
  • Neil F. Doherty
  • Mark Shaw
  • Helge Janicke
Original Paper


Information security can be of high moral value. It can equally be used for immoral purposes and have undesirable consequences. In this paper we suggest that critical theory can facilitate a better understanding of possible ethical issues and can provide support when finding ways of addressing them. The paper argues that critical theory has intrinsic links to ethics and that it is possible to identify concepts frequently used in critical theory to pinpoint ethical concerns. Using the example of UK electronic medical records the paper demonstrates that a critical lens can highlight issues that traditional ethical theories tend to overlook. These are often linked to collective issues such as social and organisational structures, which philosophical ethics with its typical focus on the individual does not tend to emphasise. The paper suggests that this insight can help in developing ways of researching and innovating responsibly in the area of information security.


Keywords: Information security; Critical theory; Information security policy; Medical records



Copyright information

© Springer Science+Business Media Dordrecht 2013

Authors and Affiliations

  • Bernd Carsten Stahl (1)
  • Neil F. Doherty (2)
  • Mark Shaw (1)
  • Helge Janicke (1)

  1. De Montfort University, Leicester, UK
  2. Loughborough University, Loughborough, UK
