Five units, read in sequence, form one continuous journey. Chapter 5 asks the question every earlier step assumed a good answer to: was the research collected, analysed, and published in a way that respects the people, organisations, and property the study touched?
Sign in to mark this article as read and track your progress.
A common misreading of research ethics is that it is a gate to pass at the beginning (get IRB approval) or the end (check the plagiarism report) of a project. It is neither. Ethics obligations arise at every stage of the research process, and the obligation at each stage is specific to what that stage involves.
| Stage | Research obligation | Ethics or IPR question it raises |
|---|---|---|
| Defining the problem (Ch. 1) | The problem statement fixes what data will be collected and from whom | Does the scope require scanning systems you do not own, or accessing data about identifiable people? |
| Literature review (Ch. 2) | You build on and cite others' published work | Are you citing correctly, or reusing your own prior text without disclosure? |
| Data collection (Ch. 3) | You acquire samples, traffic, or survey responses | Do the people whose data you are using know and agree? Does the DPDP Act or CERT-In's mandate apply? |
| Writing up (Ch. 4) | You present findings in a thesis or paper | Are you reporting the actual results of the actual tests that were run? Is the methodology honest enough to allow replication? |
| Publication (Ch. 5) | You make the work public | If a vulnerability was discovered during the research, has responsible disclosure been followed before publication? |
The WannaCry and Mirai examples introduced in Chapter 1 were not incidental illustrations. Seen through Chapter 5's framework:
Chapter 1 observed that a widely repeated attack succeeded not because of one clever trick but because of a structural weakness. Chapter 2 made that observation defensible by holding the methodology to the standards the field expects. Chapter 3 supplied the tools to turn an observation into a testable claim. Chapter 4 made the result legible to other researchers in a structure and citation style they already know how to read.
This chapter asks the question all four assumed had been answered: was the work collected, analysed, and published in a way that respects the people, the organisations, and the property the study touched?
That question does not arise at the end. It arises the moment the problem is defined, reappears when the first dataset record is collected, is implicit in every number reported in the results section, and is the final obligation before the paper is submitted.
A student's thesis project scanned 500 IoT devices found via a Shodan query, ran a custom script to test each for a known default-credential vulnerability, and documented which devices were vulnerable and which firmware version each ran. The student did not obtain consent from device owners and has not contacted any manufacturer. Before she submits the thesis, identify the specific ethics obligation that arose at the problem-definition stage, the data-collection stage, and the publication stage — and state what she should do now, before submission, about each one.