The question of whether ethical theories appealing to human morality can serve as a means of protection against information system security breaches has been recognized by several authors. The existing views concerning the role of ethics in information systems security can be divided into two categories. These are (1) expressions about the use of human morality and (2) arguments claiming that the use of ethics is useless or, at best, extremely restricted. However, the former views are general statements lacking concrete guidance, and the latter viewpoint is based on cultural relativism and can thus be classified as descriptivism. This paper claims that the use of ethical theories and human morality is useful for security, particularly given that Hare’s Overriding thesis has validity — though it has its limitations, too. This paper further argues that descriptivism (including the doctrine of cultural relativism) leads to several problems and contradictions, and causes detrimental effects to our well-being (and security). Therefore, an alternative approach to using ethics in minimizing security breaches, one based on non-descriptive theories, is proposed. The use of non-descriptivism will be demonstrated using Rawls’ concept of the “veil of ignorance.” The limitations of non-descriptivism, and of appealing to human morality in a general sense, will also be discussed. Finally, suggestions for future research directions are outlined.