Ethics Case Analysis: IVK IT Crisis

A stakeholder analysis of an ethical dilemma presented in The Adventures of an IT Leader, www.hbs.edu

Richard Welsh

Stockholder/Stakeholder Theory: Why Business Decisions Happen

Stockholder and stakeholder theory together constitute important areas from which to consider the ethical implications of business decisions. In practice, the resolution of business dilemmas is often considered on the spectrum between these two frameworks. Stockholder theory is a concentrated focus on profit, while stakeholder theory attempts to expand on this with more ethical considerations.

The basis of any business is to provide profit to its owners, or shareholders in the case of a publicly traded company. Business achieves that by producing value for its consumers with products and services. Under stockholder theory, the utmost good that a business firm can achieve is to maximize profit for the firm by maximizing value to the customer. The only restrictions to this goal are that profit is achieved in a legal and non-fraudulent manner. Provided that profit is produced by supplying the market’s demand, everyone wins. Problems arise, however, because this loose framework for ethical action seems to motivate pushing the boundaries of what is legal and non-fraudulent. A firm acting under stockholder theory may find itself focusing on profit as the only motive, at the expense of consumers.

Stakeholder theory injects more of a sense of balance into the framework by expanding the scope of what interests should be considered during business strategy. Stakeholder theory not only considers the needs of owners of the firm, but also anyone that is logically affected by business activities. Really, business owners are not the sole parties affected by the success (or lack thereof) of the firm. Under stakeholder theory, pursuit of profit must be balanced with the needs of many other considerations involved with business activities.

Ethical Issues Involved and Unethical Assumptions / Actions in the Case

Ethical issues:

Along with the immediate damage that may be caused by a cyber-attack, there are many ethical dilemmas that accompany such a situation. There are many difficult decisions that need to be made in response to the attack; there is no easy cut and dried way to respond to something like this. Depending on the way that the organization responds, there is likely much more to be lost than whatever may have been stolen. There are four primary ethical issues that deserve attention in this case.

  • How much information about the attack should be shared?

    Sharing too many details could be harmful as well as not sharing enough.

  • Who should be alerted about the attack and when should they be alerted?

    IVK needs to decide who deserves to know about the attack. If information is to be shared, it needs to decide how much preparation is needed before letting people know.

  • Who should be held accountable for the attack?

    Everything happens for a reason. IVK needs to decide if any fault needs to be assigned. Did this attack occur due to someone’s misgivings, or was it a truly unforeseeable event?

  • What should be done in response to the attack?

    There are many ways that IVK can proceed once it suspects that it has been targeted. The unique circumstances involved with this situation should be considered when choosing how to proceed.

Unethical Assumptions / Actions

This case is rife with the serious considerations that surround any such cyber-attack. With the decided course of action, the firm is taking on considerable risk to safeguard against negative business consequences. IVK Corporation wants to prevent any further damage to the firm. The decisions that IVK made seem to align with stockholder theory; however, its actions place everyone under a considerable amount of risk and protect nothing. Focusing on protecting stockholder profits is typically too narrow a focus, one that leads to a short-sighted perspective and will likely cause more problems down the road.

IVK decided to repair the damage done by the attack and carry on, hoping that no sensitive information was stolen during the attack. This is highly irresponsible, and perhaps the most serious unethical move regarding the cyber-attack. By hoping for the best, but not preparing for the worst, the firm is making the riskiest decision possible. Depending on what exactly really happened during the attack, now there are more problems waiting to happen. The best possible outcome for stockholders would be for nothing bad to have actually happened, so no value will be lost to the firm as a result of the attack.

Assuming the intruders were probably just tricksters is again taking on a terrible amount of risk. However, this risk is disproportionately placed on stakeholders outside of the firm. If IVK is wrong about this, they are giving the hackers the opportunity to make good use of the information that they have stolen. If identity or financial information has been stolen, IVK’s customers will now certainly lose money and the customers’ banks will now be in the position to clean up the mess.

IVK decided to keep all information related to the attack secret from the public, which seems to clarify their unethical intentions. If information theft had occurred, this decision gives customers absolutely no chance to safeguard their assets.

Not to mention, potential and actual investors would certainly like to know about the cyber-attacks taking place, but IVK makes no mention of the attack at the analyst conference. The knowledge may lead investors to take their funds elsewhere, but that is their right to do so. Withholding information relevant to investors’ ability to make informed decisions may be infringing on their rights.

Stakeholders Involved in the Case Give a Complete Picture of What Matters to the Business

Figure 1: The overlapping concerns of stakeholders

Stockholder theory is often seen as unethical in practice, as the focus is too narrow. By zoning in on profits and ignoring all other effects, the bigger picture is missed, including important factors that have real effects on the situation. Stockholders are just one area of concern in the broader realm of stakeholders in the company. There are many stakeholders involved in the success (or failure) of the firm, including:

  • Stockholders (their investment is at risk)
  • Executives (their reputation is at risk)
  • Customers (their private data is at risk)
  • Suppliers (may be impacted if the business has problems)
  • Employees (will have to respond to the threat and if the attack is severe, jobs may be at risk)
  • Marketing (will have to respond to fallout of risk)
  • Hackers and others involved in the attack (maybe the hacker was funded)

This is not an exhaustive list of stakeholders; many others may occur. Stockholders are the obvious stakeholder and too often, the narrow focus of business decisions. This narrow focus may lead to decisions that seem right at the time, leading to favorable short-term outcomes. However, in the long-term, all the needs of all positive stakeholders need to be met. Considering hackers as a stakeholder deserves special consideration.

Note that in Figure 1, each member has its own individual areas of concern, as well as overlapping or neighboring interests with each other member. The hackers are the prime example of a stakeholder with a negative interest in the firm. If the firm ignores this group’s interest, it may well consume the rest of the interest of the entire group, as the hackers begin to act on their acquired information.

How to Proceed Based on High Ethical Standards: Act Prudently and Publicly

It is understandable that IVK would like to proceed with the best possible consequences following the cyber-attack that it suffered. However, executives need to hedge the risk that the firm is facing by taking some precautionary measures, and make sure that they consider the interests of the affected stakeholders. DoS attacks are not rare phenomena, and oftentimes, these attacks are used to penetrate an organization to compromise sensitive information. If the organization responds appropriately, there should not be much fallout. The community surrounding the firm should be aware that cyber-attack is an everyday risk but would expect an appropriate response when it happens. Subscribing to the highest ethical standards based on stakeholder theory, IVK should take the following actions:

  • Build a mirror production system to keep the company functioning

    This represents the best tradeoff between securing the system and continuing operations.

  • Stay aware of any other security threats in case the attack was a distraction

    The DoS attack could be the beginning of a more elaborate attack. The firm needs to heighten security on all fronts and make sure that it is not focusing too narrowly on the known threat itself, while letting their guard down to other forms of attack.

  • Investigate the source of the attack

    While the source may never be found, it would be helpful to know who launched the attack and what motives they had. If IVK can gain knowledge that the attacker was indeed a hobbyist or prankster instead of cybercriminals looking to gather sensitive data, then it may be able to rest assured that more malicious attacks are not going to be following the attack.

  • Invest in protection against future attack

    It is imperative that IVK protects itself better from any further attacks in the future and publishes this information. Cybersecurity is not going to get less serious, and if the attacker or other cybercriminals think that this corporation is vulnerable and careless, then it is almost guaranteed that they will be attacked again soon.

  • Disclose the facts known of the DoS attack

    With good faith, IVK should disclose what it knows about the attack within reason before the conference takes place. There is no harm in using some tact with disclosure of the attack, but it should not be held secret. Stakeholder response to the attack may even be positive if IVK handles the situation swiftly and thoroughly, especially if the extent of the attack was downtime and data corruption.

  • At the conference, discuss what the company is doing to address the problem

    The attack deserves some attention at the analyst conference as well. The CIO could easily turn a negative into a positive here by showing that he and IVK Corporation are responding to the situation competently.

References

Austin, R. D., Nolan, R. L., & O'Donnell, S. (2009). The Adventures of an IT Leader. Harvard Business Press.