Ethical Practices for Cybersecurity Investments & Purchases
Updated: Jan 1
Stakeholder theory holds that company leaders should understand and account for all company stakeholders during the decision-making process. Internal stakeholders are employees, managers, and owners, while external stakeholders are suppliers, society, government, creditors, shareholders, and customers. "...companies that focus on stakeholder value maximize shareholder value in the long run" (Ledecky, 2021). This drives the requirement to invest in cybersecurity products and services. It is in the organization's best interest to protect all stakeholder information, not just its own. Think about all the times a company had customer data breached. A breach loses the trust of customers and damages the company’s reputation. Now imagine losing the faith of primary suppliers. It's challenging to deliver products and services to customers when suppliers are not willing to do business with you. This applies to all stakeholders, each of whom has interests in need of protection. It's vital to realize that you must worry about all parties involved with the organization, and not just your shareholders, when making cybersecurity decisions.
Social Contract Theory
Social Contract Theory "is the hypothesis that human beings, as they have evolved to come together to live in communities and society and thus encountering interdependencies, must come to a common agreement regarding relationships and the responsibilities and rights of society’s members" (Byerly, 2014, p. 328). Social contracts are fundamental to human civilization. With the interdependence of cyberspace in our daily lives, new social contracts are needed for this brand-new domain of human interaction. Social contract theory applies when making cybersecurity investments. With an increased reliance on storing stakeholder information and disinformation campaigns, it's essential to establish policies throughout cyberspace to create a safer digital realm for everyone. For example, it wouldn't be challenging to sell stakeholder information for profit. However, relinquishing this right to sell the data and creating rules that best protect stakeholder information benefits everyone. It is vital to have a digital code of ethics to maximize the utility of cyberspace.
Safeguarding stakeholder information is just one of many ethical issues requiring constant consideration when making any cybersecurity decision. "For companies that handle sensitive customer and client information, it's also important to consider both legal and ethical implications of security breaches" (Steen, 2013). Some other examples include disinformation campaigns and purchasing stakeholder information.
It's no secret that today's world has a massive disinformation problem. "You can't believe everything you read on the internet" - Abraham Lincoln, 1923. To be crystal clear, this is a fake quote to drive home the point. Lincoln wasn't alive, and the internet didn't exist in 1923, but someone may believe this false quote without knowing these facts. "Disinformation is false or misleading information spread with the intention to deceive. It’s distinct from misinformation, which is the unintentional spread of false information" (Atlantic Council, n.d.). It's not challenging to create a false narrative for the benefit of an individual or organization. Organizations should have as much transparency as possible with stakeholders and be honest and truthful when conducting operations. It all goes back to stakeholder theory. If trust is lost with stakeholders, the organization could collapse on itself. It also ties into the cyber social contract. If everyone is being truthful and acting with integrity during operations, the digital world will be better. Unfortunately, society is quite a long way from this, and it might even get worse before it gets better.
As already mentioned, selling your stakeholder information is not in the best interest of the cyber social contract or the stakeholder theory. But what about buying stakeholder information to gain new clients? Advertising campaigns do this all the time. Therefore, selling stakeholder information is very enticing for many firms. Having all the information on your ideal customer and creating targeted ads is worth a lot of money these days. It helps firms sell their products. Unfortunately, when you buy this type of data, you are part of the problem. There can't be a seller if there isn't a buyer. It might be harmless on the surface, but you purposely engage in an activity where the stakeholder didn't permit you to pass around their data from firm to firm. Even if you explicitly state you will buy and sell a client's data in the terms and conditions, you are still engaging in unethical behavior since almost no one reads the terms and conditions of anything. Arguably, these terms and conditions are made long on purpose, so people won't read them and blindly agree to some awful terms.
In the growing realm of cyberspace, people, and especially organizations, need to consider all stakeholders involved in every cybersecurity decision. This will intuitively help make the cyber social contract better as more businesses work to make cyberspace a better place for everyone. But, unfortunately, with the legal and illegal buying and selling of information and large amounts of disinformation campaigns toxifying the digital world, it seems like cyberspace will get darker before it sees the light. This makes it more important now than ever to engage in activities that are ethically and morally right.
Atlantic Council. (n.d.). Disinformation. https://www.atlanticcouncil.org/issue/disinformation/
Byerly, R. T. (2014). The social contract, social enterprise, and business model innovation. Social Business, 4(4), 325-343. https://doi.org/10.1362/204440814x14185703122883
Ledecky, M. (2021, March 14). Looking beyond shareholders: What is stakeholder theory? EVERFI. https://everfi.com/blog/community-engagement/what-is-stakeholder-theory/
Steen, M. (2013, February). Cyber security and the obligations of companies. Santa Clara University. https://www.scu.edu/ethics/focus-areas/business-ethics/resources/cyber-security-and-the-obligations-of-companies/