[Extended] Ethics in Computer Security Research: A Data-Driven Assessment of the Past, the Present, and the Possible Future

📅 2025-09-11
🤖 AI Summary
The field of computer security lacks systematic ethical decision-making guidelines, leading researchers to struggle with normative practice amid ambiguous ethical boundaries.

Method: This study conducts the first large-scale empirical analysis of 1,154 top-tier conference papers alongside in-depth interviews with 24 security researchers, employing qualitative coding and data-driven analysis.

Contribution/Results: We identify three core challenges: (1) highly inconsistent ethical reporting practices; (2) absence of a consensus ethical framework; and (3) neglect of harm–benefit trade-offs in ethical decision-making. Findings reveal an overreliance on institutional review board (IRB) compliance at the expense of substantive ethical reflection. To address these gaps, we propose actionable interventions: (a) a domain-specific ethical decision-making model; (b) strengthened methodological norms for ethical disclosure; and (c) agile-yet-rigorous ethical review standards for security research—establishing the first empirically grounded, systematic foundation for ethical governance in the discipline.

📝 Abstract
Ethical questions are discussed regularly in computer security. Still, researchers in computer security lack clear guidance on how to make, document, and assess ethical decisions in research when what is morally right or acceptable is not clear-cut. In this work, we give an overview of the discussion of ethical implications in current published work in computer security by reviewing all 1154 top-tier security papers published in 2024, finding inconsistent levels of ethics reporting with a strong focus of reporting institutional or ethics board approval, human subjects protection, and responsible disclosure, and a lack of discussion of balancing harms and benefits. We further report on the results of a semi-structured interview study with 24 computer security and privacy researchers (among whom were also: reviewers, ethics committee members, and/or program chairs) and their ethical decision-making both as authors and during peer review, finding a strong desire for ethical research, but a lack of consistency in considered values, ethical frameworks (if articulated), decision-making, and outcomes. We present an overview of the current state of the discussion of ethics and current de-facto standards in computer security research, and contribute suggestions to improve the state of ethics in computer security research.

Problem

Research questions and friction points this paper is trying to address.

Lack of clear ethical guidance for computer security researchers
Inconsistent ethics reporting and decision-making in security research
Need for improved ethical frameworks and standards in cybersecurity

Innovation

Methods, ideas, or system contributions that make the work stand out.

Data-driven review of ethics reporting
Semi-structured interviews with researchers
Suggestions to improve ethics standards