Ethics in IT — Week 1 · Checkpoint
Week 1 Checkpoint
Three modules. Three cases. The patterns that connect them all.
13 slides · ~15 minutes · ETH-04 · The Factionless
By the end of this checkpoint, you will be able to recite the three pillars from this week, recognize the patterns shared by VW, SAP, and Sony, and articulate the institutional mechanisms that produce ethical failures even without bad actors.
Slide 2 of 13
What You Covered This Week
Three modules building toward one capability: making and defending hard ethical calls.
ETH-01: Overview of Ethics
Three domains (morality, ethics, law). Four frameworks (stockholder, stakeholder, utilitarian, deontological). Decision process. VW case.
ETH-02: Ethics for IT Professionals
Worker vs. professional. Five professional relationships. Four codes (ACM, IEEE, AITP, PMI). Compliance ≠ ethics. SAP case.
ETH-03: Cybersecurity Ethics
Four core tradeoffs. Three perpetrator tiers. Reasonable assurance. IR ethics. Sony case.
The arc of Week 1: from how to think (frameworks) → how to act professionally (codes & relationships) → how to apply that thinking under cybersecurity-specific pressure.
Slide 3 of 13
Pillar 1: Ethics ≠ Morality ≠ Law
The most common ethical mistake in technical work is conflating the three.
"It's legal" is not a defense. "Everyone does it" is not a code. "I followed the rules" satisfies one of the three. Professionals work in the intersections.
Slide 4 of 13
Pillar 2: Four Frameworks
Apply multiple. The most defensible decision survives scrutiny under several.
Stockholder
Friedman. Maximize shareholder return within legal rules. Ethics = compliance.
Stakeholder
Freeman. Obligations to all affected parties — not only shareholders.
Utilitarian
Bentham/Mill. Greatest good for greatest number. Outcomes matter.
Deontological
Kant. Some acts are inherently right or wrong. Duty over outcome.
The "3 of 4" rule: if three frameworks say "stop" and one says "go," that's a strong signal. Apply this to every hard call you face this term.
Slide 5 of 13
Pillar 3: Five Relationships
An IT professional sits at the center of five obligation streams. Daily priority follows one order; under ethical conflict, that order inverts.
Slide 6 of 13
Pillar 4: Reasonable Assurance
The cybersecurity standard. Proportional, not absolute. Before-incident, not after.
Asset Value
PII / health / financial data require more than public information.
Threat Landscape
Calibrate to realistic threats; not every org needs a bank's controls.
Known Vulns
Unpatched + breach = indefensible regardless of attacker.
IR Plan
Absence of one (when data is sensitive) is itself an ethical failure.
The negligence floor: known, patchable vulnerabilities left open while a breach happens. No attacker-sophistication argument changes this.
Slide 7 of 13
Three Cases at a Glance
Different industries. Different decades. Same underlying mechanism.
The connecting thread: in each case, no single rogue actor caused the failure. The failure was distributed across an organization where each individual decision was small, defensible-in-isolation, and nudged the institution closer to the line.
Slide 8 of 13
VW: Institutional Drift
Six years. Multiple engineering teams. Many people knew. None said stop.
The mechanism
Defeat device software detected emissions tests and activated full controls only during testing. NOx emissions during normal driving reached 40× the legal limit.
The decision wasn't a single act — it was a series of incremental institutional decisions over years.
The professional lesson
The personal code of ethics is the thing that breaks the incremental drift before the decision has already been made.
Every engineer who maintained the code had a moment to refuse. None did. Each individual choice was small. The aggregate was catastrophic.
Slide 9 of 13
SAP: Compliance ≠ Ethics
$220M settlement. The IT systems were the deception infrastructure.
The mechanism
SAP subsidiaries paid bribes to government officials in South Africa and other countries. The payments flowed through fake entities and were falsely characterized in accounting systems.
IT professionals built and maintained the systems that processed, classified, and concealed the payments.
The professional lesson
Compliance with applicable law is the floor. Professional ethics codes generally require more.
"I built the system as specified" is not a defense when the system's purpose is to deceive. The professional obligation is to refuse instructions that require falsification.
Slide 10 of 13
Sony: Proportionality Failure
The breach was the trigger. The ethical failure was the years before it.
The mechanism
Attackers exfiltrated 100 TB of data including SSNs and medical records of 47,000 current and former employees.
Sony had been pre-warned about security vulnerabilities. The data was unsegregated and inadequately protected for its sensitivity.
The professional lesson
Reasonable assurance is a before-the-incident standard. Treating it as an after-the-incident standard is itself the failure.
Cybersecurity ethics is mostly about quiet decisions made when no alarm is sounding — resource allocation, data minimization, vulnerability management.
Slide 11 of 13
The Common Pattern
Three different industries. One mechanism. The thing every IT professional should be able to recognize.
What an IT professional can do: recognize step 1. Refuse the small compromise. The personal code of ethics works at the start of the chain — not at the end.
Slide 12 of 13
Looking Ahead: Week 2
From foundations and cases to specific domains: privacy, expression, intellectual property.
ETH-05: Privacy
The right to privacy. Federal vs. state law. Health, financial, and behavioral data. Surveillance at work and at home.
ETH-06: Freedom of Expression
First Amendment in cyberspace. Section 230. Platform moderation. The legal and ethical limits of speech online.
ETH-07: Intellectual Property
Copyright, patents, trademarks, trade secrets. Fair use. DMCA. Software licensing. Open source ethics.
How to prepare: the four-framework analysis you practiced this week applies to every Week 2 topic. The cases will change — the analytical move stays the same.
Slide 13 of 13
Week 1 Takeaways
The eight ideas to carry forward.
1. Three domains — morality (individual), ethics (group), law (society). They overlap but never perfectly.
2. Four frameworks — apply at least three to every hard call. The "3 of 4 says stop" rule is your best heuristic.
3. 5-step decision process — Recognize, Facts, Options, Decide, Reflect. Skipping the first two is the most common failure.
4. Five professional relationships — employer, client, supplier, user, society. Daily priority inverts under ethical conflict.
5. Four codes — ACM, IEEE, AITP, PMI. PMI alone has strong individual consequence (PMP revocation).
6. Compliance ≠ ethics. Compliance is the floor; ethics is the ceiling; the gap is where professional judgment lives.
7. Reasonable assurance = asset value + threat landscape + known vulns + IR plan, calibrated. Known unpatched vulns + breach = indefensible.
8. The pattern — VW, SAP, Sony all show the same mechanism: small compromises, normalized over time, compounded into catastrophe. The personal code stops it at step 1.
Week 1 complete. Take the Week 1 quiz when you've finished this checkpoint. Then move to Week 2: Privacy, Freedom of Expression, Intellectual Property.