Why This Matters
Cybersecurity isn't just an IT problem—it's fundamentally an ethical responsibility that sits at the intersection of stakeholder protection, corporate accountability, and digital trust. When you're tested on business ethics in the digital age, you're being asked to understand how organizations balance operational efficiency with their duty to protect employees, customers, and partners from harm. A data breach isn't just a technical failure; it's a breach of the implicit social contract between a business and everyone who entrusts it with their information.
These practices demonstrate core ethical principles: transparency, due diligence, informed consent, and proportional response. The exam will push you to connect specific security measures to broader frameworks like stakeholder theory, corporate social responsibility, and risk management ethics. Don't just memorize what each practice does—know which ethical obligation it fulfills and what happens when organizations cut corners. Understanding the "why" behind each practice will help you tackle FRQ scenarios where you must recommend or critique an organization's digital ethics posture.
Preventive Controls: Building Ethical Barriers
Preventive controls represent the proactive duty of care—the ethical obligation to anticipate harm and build defenses before incidents occur. These practices reflect the principle that organizations must invest in protection proportional to the sensitivity of data they hold.
Strong, Unique Passwords
- 12+ character passwords with mixed characters—this baseline reflects the ethical minimum for protecting user accounts from brute-force attacks
- Password managers enable compliance without placing unreasonable burden on employees, balancing security with usability
- Avoiding predictable information demonstrates understanding that human behavior creates vulnerabilities—ethics requires designing systems that account for this
Two-Factor Authentication (2FA)
- Layered verification embodies the defense-in-depth principle—no single point of failure should compromise stakeholder data
- Authentication apps over SMS represent best practice, as text messages can be intercepted through SIM-swapping attacks
- Mandatory 2FA for critical systems reflects proportional protection—higher-risk access points require stronger safeguards
Firewalls and Antivirus Software
- Firewalls monitor traffic flow at network boundaries, acting as gatekeepers that enforce organizational security policies
- Reputable antivirus software must be continuously updated—using outdated protection violates the duty of ongoing vigilance
- Defense-in-depth strategy means neither tool alone is sufficient; ethical security requires multiple overlapping protections
Compare: Strong passwords vs. 2FA—both prevent unauthorized access, but passwords rely on user behavior while 2FA adds a system-enforced barrier. If an FRQ asks about balancing user convenience with security obligations, this contrast illustrates the tension perfectly.
Data Protection: Safeguarding Stakeholder Trust
Data protection practices address the fiduciary responsibility organizations have when handling sensitive information. These controls recognize that data has value and vulnerability throughout its entire lifecycle—from creation to destruction.
Encryption for Sensitive Data
- Encryption in transit and at rest ensures data remains protected whether moving across networks or stored on servers
- AES (Advanced Encryption Standard) represents the current benchmark—using weaker standards when stronger ones are available raises ethical questions
- Secure key management is often overlooked; encryption is only as strong as the protection of the keys themselves
Regular Data Backups
- Automatic backups to secure locations fulfill the ethical obligation of business continuity—stakeholders depend on data availability
- Testing restoration processes separates genuine preparedness from security theater; untested backups may fail when needed most
- Geographic distribution of backups protects against localized disasters, reflecting comprehensive risk assessment
Secure Data Disposal
- Data wiping software ensures deleted files cannot be recovered, preventing downstream privacy violations
- Physical destruction of storage media may be necessary for highly sensitive data—proportionality matters
- Regulatory compliance (GDPR, HIPAA) makes secure disposal both an ethical and legal obligation
Compare: Encryption vs. secure disposal—encryption protects data during its useful life, while disposal addresses end-of-lifecycle obligations. Both reflect the principle that protection responsibilities extend across the entire data journey.
Access Management: The Ethics of Limitation
Access controls embody the ethical principle of minimal necessary intrusion—organizations should collect and access only what they need. These practices prevent both external breaches and internal misuse, recognizing that insiders can pose significant risks.
Least Privilege Principles
- Role-based access control (RBAC) limits exposure by matching permissions to job functions, reducing both risk and temptation
- Regular permission reviews acknowledge that roles change—yesterday's appropriate access may be today's vulnerability
- Audit trails create accountability, ensuring access decisions can be reviewed and justified
VPNs for Remote Access
- Encrypted tunnels protect company data when employees work outside secured networks
- Reputable VPN providers matter—free or poorly vetted services may themselves pose security risks
- Remote work policies must balance employee flexibility with organizational security obligations
BYOD Policy
- Clear acceptable use guidelines establish mutual expectations between employer and employee
- Required security measures on personal devices protect company data without requiring company-owned hardware
- Employee education ensures informed consent—workers must understand the risks they accept
Compare: Least privilege vs. BYOD policies—both manage access boundaries, but least privilege focuses on internal systems while BYOD addresses the blurred line between personal and professional technology. FRQs often explore this tension in remote work scenarios.
Detection and Response: Ethical Accountability
Detection and response practices reflect the ethical reality that prevention alone is insufficient. Organizations must prepare to identify breaches quickly and respond transparently, minimizing harm to affected stakeholders.
Network Monitoring
- Anomaly detection tools identify suspicious patterns before they escalate into full breaches
- Alert systems enable rapid response, reducing the window during which data remains exposed
- Log review practices demonstrate ongoing vigilance rather than passive reliance on automated systems
Incident Response Planning
- Documented response procedures ensure consistent, effective action during high-stress situations
- Assigned roles and responsibilities prevent confusion and delays when every minute matters
- Regular plan updates incorporate lessons learned—ethical organizations improve continuously
Security Audits and Assessments
- Periodic vulnerability assessments fulfill the duty of ongoing evaluation, not just initial compliance
- Combined automated and manual review catches issues that either approach alone might miss
- Prompt remediation distinguishes genuine security culture from checkbox compliance
Compare: Network monitoring vs. security audits—monitoring provides continuous surveillance while audits offer periodic deep evaluation. Both are necessary; neither alone satisfies the ethical obligation of comprehensive oversight.
Human Factors: The People Dimension
Technical controls fail without human cooperation. These practices recognize that employees are both the greatest vulnerability and the strongest defense—ethical organizations invest in their people, not just their systems.
Cybersecurity Awareness Training
- Regular training on phishing and social engineering addresses the most common attack vectors targeting human judgment
- Security culture development transforms compliance from obligation to shared value
- Reporting mechanisms empower employees to act on suspicions without fear of blame for false alarms
Software and System Updates
- Timely patch installation closes known vulnerabilities before attackers can exploit them
- Automatic updates remove human delay from the security equation where possible
- Vendor accountability matters—organizations must evaluate whether software providers maintain responsible update practices
Secure Wi-Fi Networks
- WPA3 encryption represents current best practice for wireless security
- Changed default credentials address a surprisingly common vulnerability—many breaches exploit factory settings
- Guest network isolation protects primary systems from less-controlled access points
Compare: Employee training vs. automatic updates—training addresses human vulnerabilities while automatic updates address technical ones. Both recognize that security requires removing friction from protective behaviors.
Quick Reference Table
|
| Duty of Care (Prevention) | Strong passwords, 2FA, Firewalls |
| Data Stewardship | Encryption, Backups, Secure disposal |
| Minimal Intrusion | Least privilege, RBAC, BYOD policies |
| Transparency & Accountability | Network monitoring, Audit trails, Incident response |
| Stakeholder Protection | VPNs, Wi-Fi security, Employee training |
| Continuous Improvement | Security audits, Software updates, Plan reviews |
| Proportional Response | Encryption strength matching data sensitivity, Physical destruction for high-risk media |
Self-Check Questions
-
Which two practices best illustrate the principle of defense-in-depth, and how do they complement each other?
-
An employee argues that least privilege policies slow down their work. Using stakeholder theory, explain why the organization should maintain these controls despite the inconvenience.
-
Compare and contrast encryption and secure data disposal—what stage of the data lifecycle does each address, and why are both ethically necessary?
-
If a company experiences a breach despite having firewalls and antivirus software, which practices would help them respond ethically, and what stakeholder obligations do those practices fulfill?
-
A startup claims it cannot afford comprehensive security audits. Using the concept of proportional duty of care, explain what minimum practices they should implement and why cutting corners creates ethical liability.