Send email Copy Email Address
2026-06-17
Eva Michely

"Ethical responsibility is an integral part of academic freedom": In conversation with Thorsten Helfer and Jannik Zeiser

Since July 2024, Thorsten Helfer and Jannik Zeiser have been establishing and expanding the Research Ethics Office at CISPA. As trained philosophers, both enjoy delving into the challenges of applied ethics. In the interview, they talk about the ethical questions that arise in cybersecurity research and the ethical cornerstones of their work.

Is the Research Ethics Office at CISPA something of a unicorn in cybersecurity research?

Thorsten: There are other ethics review boards at other institutions, both in computer science departments and at other research institutions, but to our knowledge, there is no other Ethics Office within the community that consists of people who deal exclusively with research ethics issues in cybersecurity research. In that sense, we are a unicorn.

You have helped establish the CISPA Research Ethics Office from the start. What was your mindset as you approached this task?

Thorsten: We are a research center for cybersecurity. This means that most of our research is ethical research. From the very beginning, it has been important to me that we help make the research even better—that we make the world a better place by improving the research.

Jannik: We’re not here to make research more difficult. We believe it is our job to facilitate high-quality research while also considering ethical perspectives. As philosophers, we are outsiders, even though we have acquired a good understanding of CISPA research by now. We want to learn from our researchers about their research so that we can solve ethical challenges together.

What does your role at the Research Ethics Office entail? 

Jannik: A key focus is the Research Ethics Review Board, which we help oversee and in which we serve as members. We also provide guidance when re­searchers have questions about research ethics. In addition, we offer workshops and training ses­sions on research ethics in cyber­security and AI, which is also an integral part of the PhD Kickoff Days. And then there’s our Ethics Sandbox, a monthly discussion event. 

Thorsten: We also participate in research projects. For example, we are currently involved in a research project led by Sascha Fahl on ethics in cryptography. Another focus is build­ing networks in the field of ethics and cybersecurity. For example, we’re part of the USENIX Research Ethics Committee. We’re also cur­rently looking for points of contact within the Helmholtz Association to connect with other Ethics Review Boards or units that deal with research ethics. Our goal is to build an infrastructure that could institutionalize a larger net­ work for research ethics. 

What ethical questions arise in cybersecurity research?

Jannik: User studies and personal data play a major role, especially in usable security, but it goes far beyond that. For example, when researching vulnerabilities in devices that are connected to the internet and that may react unex­pectedly. It is a major challenge that research often affects people, even though it cannot be classified as a traditional User study. It is crucial to identify and assess the risks in cooperation with the researchers: How likely is it that sensitive systems will fail, or that other harm will be caused to people?

Thorsten: Ultimately, people— as beings susceptible to well­-being—are connected to many digital systems. Even researchers in cryptography must ask them­ selves: What kind of research am I conducting? What can be done with my research? Could countries that want to increase surveillance of their populations use my research for that purpose? Privacy issues arise in AI research anyway: What do we feed into the models, what data do we train them on? Research ethics is also relevant for vulnerability research, which raises questions, for instance, about responsible disclosure—that is, when and to whom I should report the vulnerabilities I have discovered. All of these research topics, and others besides, open up ethical considerations.

What are the ethical cornerstones that guide your work? Is there an ethical consensus within the discipline?

Thorsten: There is one major cornerstone, the Menlo Report, which sets out a number of key values. Various conferences have also issued ethics guidelines for research ethics. We have written down our own CISPA Research Ethics Framework. It builds heavily on these guidelines, but it is also philosophically more precise, because we are probably two of the first full-time philosophers to be active in this field.

Jannik: Our approach is values­ based. It would probably be too much to go into all the details right now. But broadly speaking, it revolves around six core values that are also found in our CISPA Research Ethics Framework: autonomy, well­being, justice, privacy, sustainability in the sense of environmental protection, and epistemic progress—that is, the acquisition of knowledge.

How interesting! To what extent does epistemic progress count as an ethical value?

Thorsten: Epistemic progress doesn't come up very often in other frameworks. I think this has to do with the fact that ethics is often seen as an obstacle to research. But you have to ask your­self what the value is of what you’re doing. And in many proj­ects, that value is measured by epistemic progress. You can’t act as if there was always a clear ethical answer. Rather, you have to bal­ance the different values against one another: How can we recon­cile epistemic progress with, say, minor sacrifices in well­being? How significant must the increase in knowledge be for us to accept other trade­offs?  

USENIX Security, a major scientif­ic conference in cybersecurity, requires an Ethics Section in scientific papers. Is this a hurdle for early-career researchers?

Thorsten: Ethics is not part of their academic training, so re­searchers may not have a system­atic way of thinking about it. It is helpful that we can support them with our expertise. However, it is not the case that we dictate to re­searchers how they should resolve ethical issues. We can't take the responsibility for people's research away from them—ethical responsibili­ty is an integral part of academ­ic freedom. I believe that those ethics sections help people reflect on ethical questions and potentially identify problems. These are all intelligent people who have come this far in academia for a reason. And when you ask intelligent peo­ple intelligent questions, they will come up with intelligent answers.

Both of you are trained philosophers. What professional challenges do you most enjoy about your work? 

Jannik: I find it exciting to learn new things and work my way into new topics. It doesn’t really matter whether the subject is philosophy or leans more toward computer science, even though there are, of course, limits to my technical understanding that I can’t push beyond. What sets philosophy apart is an interest in questions that usually cannot be answered empirically, but that are normative or involve concepts or conceptual analyses. But I feel very comfortable in this more applied field.

 Thorsten: Just like Jannik said: I enjoy learning new things. Previously, in my academic work, I always wondered how exciting applied ethics could be compared to theoretical philosophical questions. But since I started working at CISPA, I’ve realized that all of it is pretty cool. The more I delve into it, the more questions I encounter, the cooler I find it. You leave no stone of a question unturned and find that there’s yet another interesting aspect that you haven’t looked at yet; that a new problem emerges that you didn’t expect in this way. In part, this is pure philosophical, applied ethics. The fact that, as a philosopher, you can do something that has such a direct, meaningful impact, that is very cool.

 

Find out more about research ethics at CISPA in our latest CISPA Zine.