Are we loving the attackers and prosecuting the victims?
In data security – I don’t subscribe to utilitarian ethics, which attempts to balance the benefit of an act against its damage and can lead to the ends justifying the means.
For data security and compliance – I personally implement the “Ten Commandments” approach – if it’s not ethical to steal data then it’s never acceptable to steal data – whether as an employee, contractor, consultant or hacker.
I recently read a short article by the Chazon Ish (who passed away in 1953 and is well known for both his saintliness and extreme breadth of knowledge). He speaks about the importance of distinguishing between the attacker and the victim. He explains how we must carefully tread the line of understanding who is the attacker and who is the victim. Basic morality dictates showing compassion to the victim and harshness to the attacker. Therefore – how terrible it is when we mistakenly reverse the roles and show compassion to the attackers and penalize the victims!
Translated to the world of security and compliance – we can understand that a basic component of data security in the workplace is an ethical approach where we maintain a clear identification of who is the malicious attacker and deal with him in an uncompromising and harsh way. The vast majority of employees are not malicious attackers and there is no reason to penalize them as long as they comply with the company’s acceptable usage policy. On the other hand, there is no ethical basis to treat an attacker with compassion.
As Sun Tzu wrote in “The Art of War” – “When you lay down a law, make sure it is not disobeyed”.
