Working in cybersecurity gives you access to systems, logs, and communications.
While serving as a cybersecurity engineer at a tech start-up at a previous company, I came across something during a routine review of daily monitoring checks.
An external message with the subject line “RIF LIST” (RIF = Reduction in Force, a company-wide layoff).
I wasn’t part of HR. I wasn’t a recipient of the email. But because of my role monitoring the organization’s network activity and email traffic, I saw it in flight.
And in that moment, I was hit with a very real question… am I ethically allowed to open this email?
The Access Paradox
In my role, I was tasked with reviewing potentially malicious traffic. That meant monitoring network activity, reviewing emails for phishing or malware campaigns, and proactively implementing countermeasures to protect against new threats.
Technically, this email wasn’t outside the scope of what I was allowed to see. But ethically? That was murky territory.
I hadn’t been notified of the RIF in advance, as I had been in the past, and I quickly assumed that meant I was on the list. My mind raced:
- Am I allowed to open this email to confirm my fate?
From a technical perspective, I could. But ethically, the email wasn’t intended for me. It would have been using privileged access for personal gain.
- Can I warn others if I don’t know exactly who is impacted?
Sharing something speculative, even if well-intentioned, could lead to panic or broken trust. It didn’t feel right.
- Would using a company benefit, like a vacation bonus, in light of this knowledge be considered unethical?
The company had a policy: take 5 consecutive days off and earn a bonus. I hadn’t taken advantage of it before. Now, with the possibility of being laid off, I considered it. Was this unethical, or simply using a benefit while I still could?
Turning to Religious Guidance
As someone who values not just professional ethics but spiritual integrity, I turned to a few trusted religious leaders to ask:
“Is opening that email considered stealing information?”
“If I didn’t go looking for it, but came across it during my duties, is acting on it permitted?”
“Does taking a vacation bonus in this context count as taking unfair advantage?”
The conversations were illuminating.
One leader emphasized the principle of geneivat da’at, the Torah prohibition against misleading or deceiving others, and how it could apply even to unspoken assumptions or exploiting trust in a workplace.
Another drew from the ethics of surveillance in Halacha (Jewish law), pointing out that just because you have access doesn’t mean you have ownership. It comes down to intent: was I performing my job duties, or using privileged access for personal gain?
Several other discussions took place in that timeframe, leading me to the following.
- I did not open the RIF email.
- I did not tell anyone about it, because I didn’t actually know who it impacted.
- I did take the vacation bonus, a benefit openly offered by the company to all employees, something I hadn’t used before.
I operated under the assumption that I might be laid off, but I chose not to act on unconfirmed or unintended information. That was the ethical boundary I held.
Reflections on Cyber Ethics, Religion, and Restraint
This wasn’t just about an email or a layoff. It was about the hidden decisions cybersecurity professionals face every day. This experience served as a reminder of a deeper truth in our field: access is not the same as entitlement.
Right alongside threat detection, incident response, or red teaming, this experience emphasized that cybersecurity is as much about character as it is about code.
