IT Professionals and Ethics | Ethics in IT

Slide 1 of 33  |  ETH-W1-02  |  Week 1
IT Professionals:
Relationships and Obligations
Professionalism  •  Codes of Ethics  •  Stakeholder Obligations  •  Compliance vs. Ethics
Warehouse memo: SAP paid roughly $220 million to US authorities in 2024 after subsidiaries bribed government officials across multiple countries to secure software contracts. The software worked. The sales process was criminal. The engineers who built the product were not the ones in the dock -- but the organization they worked for ran a multi-country bribery scheme. At what point does an IT professional's obligation to their employer end and their obligation to everyone else begin?
Slide 2 of 33
Professional vs. Worker
The distinction matters more than it first appears. One carries obligations beyond the employment contract.
Worker
Exchanges labor for compensation. Obligations are contractual: show up, perform the agreed tasks, follow instructions from supervisors within legal limits. The ethical horizon is narrow: do not steal from the employer, do not lie on your timesheet, comply with workplace policy.
Professional
Holds specialized knowledge and skill that others rely upon and cannot independently verify. Bound by a code of ethics that operates independent of the employment contract. Obligations extend to clients, users, third parties, and the public -- not just the employer. Cannot fully discharge ethical obligations by following orders.
The Critical Difference
A lawyer cannot follow client instructions to commit perjury. A doctor cannot comply with an employer's instruction to falsify test results. An engineer cannot simply implement what management requests when the implementation poses unreasonable safety or harm risk. The professional's duty to the public is not subordinate to the employer relationship.
Is IT a Profession?
The debate continues. IT lacks the formal licensure of law and medicine. Entry is not gated by board exams with enforceable ethical standards. But the social impact of IT decisions rivals those of licensed professions. The practical implication: IT professionals should hold themselves to professional standards even where no external enforcement exists.
Slide 3 of 33
What Makes a Profession
Sociology of professions identifies consistent characteristics. Most of them apply -- with complications -- to IT.
Specialized Knowledge
Acquired through extended formal education. Clients cannot independently evaluate the quality of the work -- they must trust the professional's judgment. This information asymmetry is what creates both the professional's power and the ethical obligation not to abuse it.
Autonomy and Judgment
Professionals exercise independent judgment -- they are not merely executing instructions. A professional who blindly follows every instruction from a superior, even into clearly unethical territory, has abdicated professional judgment. Autonomy is both a privilege and a responsibility.
Self-Regulation
Professional bodies (ACM, IEEE, ISACA, (ISC)2) establish codes of conduct and have some disciplinary capability. Certification bodies can revoke credentials. Bar associations can disbar lawyers. None of these mechanisms are as strong in IT as in law or medicine, which is itself an ethical problem for the field.
Service Orientation
Professions exist to serve clients and society, not just to generate income. Medicine exists for patients. Law exists for justice. Engineering exists for the public good. IT's stated purpose is value creation -- but the alignment between that and public good requires active, deliberate attention.
Slide 4 of 33
Relationship: Employer
The primary employment relationship. Where most day-to-day ethical decisions originate.
Obligations to Employer
Competent performance of assigned work. Honest representation of skills and work product. Protection of confidential and proprietary information. Avoidance of conflicts of interest. Compliance with legitimate workplace policies. These are the baseline obligations every employee holds regardless of professional status.
Limits of That Obligation
Loyalty to employer does not require participation in fraud, deception of customers, violation of applicable law, or actions that pose unreasonable risk to public safety. An IT professional who follows an employer's instruction to do any of these things bears personal ethical responsibility -- the instruction does not transfer it.
Intellectual Property
Work product created during employment using employer resources generally belongs to the employer. This is both a legal and ethical obligation. Using company code, algorithms, or customer data to benefit a subsequent employer or personal venture violates both the employment agreement and the trust placed in the professional.
Handling Unethical Instructions
First response: clarify intent and scope. Second: express concern and propose alternatives. Third: escalate through appropriate internal channels. If internal channels fail or are complicit, the professional must weigh the obligation to resist against the personal cost -- and document the entire process.
Slide 5 of 33
Relationship: Client
The client pays for expertise. The professional's obligation goes beyond delivering what was requested to delivering what is actually needed.
Competence
Accept only engagements for which you have or can acquire the necessary competence. Do not overrepresent your capabilities to win work. A professional who takes a contract they cannot perform, then subcontracts it without disclosure, has violated the trust relationship from the outset.
Honest Advice
Tell clients what they need to hear, not what they want to hear. If a client's planned approach is insecure, inadequate, or likely to fail, the professional's obligation is to say so clearly -- even if the client resists, even if the contract does not require it, and even if the honest advice threatens the business relationship.
Conflicts of Interest
Disclose any personal interest that could compromise your ability to give objective advice. Recommending a vendor in which you hold an undisclosed financial interest is a conflict of interest regardless of whether the vendor is actually the best choice. Disclosure is required; the client then decides.
Confidentiality
Client information acquired during an engagement is confidential. It cannot be used for personal benefit, shared with competitors, or disclosed to third parties without consent. This obligation survives the end of the engagement and often the end of the professional relationship.
Slide 6 of 33
Relationship: Supplier
The vendor relationship. Ethics flow both directions -- from IT professional to vendor and from vendor to IT professional.
Procurement Ethics
Selection decisions must be based on merit, capability, and total cost of ownership -- not personal relationships, gifts, or indirect compensation. IT professionals who influence purchasing decisions and have undisclosed relationships with vendors have a conflict of interest that must be disclosed and managed.
What Constitutes a Gift
Free software licenses, hospitality, conference tickets, meals, referral fees, future employment discussions -- all can constitute inducements. Most organizations have formal gift policies defining acceptable limits. The ethical test is independent of the dollar value: would this influence your recommendation?
Vendor Evaluation Honesty
Providing dishonest vendor references -- positive to maintain a relationship, or negative to favor a competitor -- harms the organizations relying on those references. IT professionals asked to provide vendor assessments have an obligation to be accurate, balanced, and to disclose the basis of their evaluation.
What Would You Do?
A vendor offers you a free all-expenses-paid trip to their annual user conference in Las Vegas. You are currently evaluating three competing products including theirs. Your manager says it is your call. What do you do?
Slide 7 of 33
Relationship: User
Users are often the most important stakeholders and the least represented in the decisions that affect them.
The Absent Stakeholder Problem
Users are typically not in the room when system requirements are written, features are designed, or deployment decisions are made. The IT professional is often their only advocate in those conversations. When no one asks "how does this affect users?" the professional has an ethical obligation to ask it.
Accessibility
Building systems that exclude users with disabilities is both a legal risk (ADA, Section 508) and an ethical failure. Accessibility is not a feature request -- it is a baseline obligation. Systems that work for everyone by default are the professional standard; systems that require users to request accommodation are the ethical minimum floor.
Informed Consent
Users should understand what a system does with their data, how it makes decisions that affect them, and what their options are. EULA acceptance is not meaningful consent -- a 50-page document in legalese accepted under compulsion is theater, not ethics. Plain language disclosure is an ethical standard whether or not the applicable law demands it (the GDPR, in Article 12, does; much US law does not).
Safety-Critical Systems
When systems affect health, safety, or physical integrity, user protection becomes an absolute obligation. Medical device software, autonomous vehicle systems, industrial control systems, and critical infrastructure all operate under a higher ethical duty of care than consumer entertainment applications.
Slide 8 of 33
Relationship: Society
The broadest stakeholder. No employment contract defines this relationship -- it emerges from the social power that technology confers.
Public Safety
IT professionals who become aware of system flaws that pose significant public safety risks have an obligation that overrides employer confidentiality in extreme cases. A security researcher who discovers that a public utility's SCADA system can be remotely compromised cannot simply accept a vendor's "we will get to it eventually."
Democratic Institutions
Systems that manipulate elections, suppress political participation, or enable state surveillance of political dissidents harm democratic institutions. IT professionals asked to build or operate such systems have the same ethical choice that confronted engineers in every other field where technology was weaponized against civil society.
Economic Inclusion
Systems that systematically exclude people from economic participation -- lending, employment, housing, insurance -- on the basis of protected characteristics or as the incidental byproduct of biased design create measurable social harm. The duty to avoid this harm rests with the professionals who build and maintain these systems.
The Scope of Responsibility
You will never meet most of the people affected by the systems you build. That does not reduce your responsibility to them. The ACM Code puts it directly: "Contribute to society and to human well-being, acknowledging that all people are stakeholders in computing." All people. Not just the ones paying.
Slide 9 of 33
When Obligations Conflict
The hardest professional ethics problems occur when obligations to different stakeholders point in opposite directions.
Employer vs. User
Employer instructs you to build a feature that harvests user contacts without explicit disclosure. Employer's interest: competitive advantage from social graph data. User's interest: control over who can see their private contact relationships. The conflict is real and the resolution is not automatic.
Client vs. Society
Client requests a system that technically complies with applicable law but creates discriminatory outcomes for communities that have no legal recourse. Legal compliance satisfies the client. But the system causes measurable harm to people who had nothing to do with the contract. Whose interest governs?
A Priority Framework
When obligations conflict: public safety and welfare generally takes precedence. Then come legal obligations. Then professional ethical codes. Then organizational obligations. Then individual preference. This is not a rigid algorithm -- it is a hierarchy for structuring reasoning when interests collide.
The Role of Documentation
When you identify a conflict between stakeholder obligations and resolve it, document the reasoning. "I was told to" is not a resolution -- it is a transfer. If you proceed with something you believe is ethically questionable, record your objection and the decision chain that overrode it. This matters later.
Slide 10 of 33
ACM Code of Ethics: Structure
The 2018 ACM Code is the most comprehensive professional ethics code in computing. Understanding its structure prepares you to apply it.
Section 1: General Ethical Principles
Contribute to society and to human well-being. Avoid harm. Be honest and trustworthy. Be fair and take action not to discriminate. Respect the work required to produce new ideas, inventions, creative works, and computing artifacts. Respect privacy. Honor confidentiality. These are baseline obligations every computing professional holds regardless of role or employer.
Section 2: Professional Responsibilities
Strive to achieve high quality in both the processes and products of professional work. Maintain high standards of competence, conduct, and ethical practice. Know and respect existing rules pertaining to professional work. Accept and provide appropriate professional review. Give comprehensive and thorough evaluations of computer systems and their impacts, including analysis of possible risks. Perform work only in areas of competence. Foster public awareness and understanding of computing. Access computing and communication resources only when authorized or when compelled by the public good. Design and implement systems that are robustly and usably secure.
Section 3: Professional Leadership Principles
Ensure that the public good is the central concern during all professional computing work. Articulate, encourage acceptance of, and evaluate fulfillment of social responsibilities by members of the organization. Manage personnel and resources to enhance the quality of working life. Articulate, apply, and support policies and processes that reflect the principles of the Code. Create opportunities for members of the organization to grow as professionals. Use care when modifying or retiring systems. Recognize and take special care of systems that become integrated into the infrastructure of society. A short Section 4, Compliance with the Code, commits members to uphold it and to treat violations as inconsistent with ACM membership.
Key Point
The ACM Code is aspirational and not externally enforced by state authority; ACM's own sanction is limited to membership action under Section 4 of the Code. The (ISC)2 Code of Ethics for CISSP holders is more specific and carries the threat of certification revocation. ISACA's Code applies to CISA/CISM holders. Know which codes apply to your certifications.
Slide 11 of 33
(ISC)2 Code of Ethics
The four canons of the (ISC)2 Code. The order matters -- higher canons take precedence over lower ones.
1 Protect society, the common good, necessary public trust and confidence, and the infrastructure. The public interest is the highest obligation. A CISSP who discovers a public safety risk cannot subordinate that to employer confidentiality.
2 Act honorably, honestly, justly, responsibly, and legally. Personal integrity is the second canon. Honesty in all professional dealings, compliance with law, and accountability for one's actions.
3 Provide diligent and competent service to principals. Principals are employers, clients, and contractors. Competence, professionalism, and delivery on commitments. This comes third -- below public interest and personal integrity.
4 Advance and protect the profession. Contribute to the body of knowledge. Mentor others. Support professional development. Refrain from actions that bring the profession into disrepute. Lowest priority -- but still an obligation.
The Hierarchy in Practice
If following your employer's instruction (Canon 3) would require you to lie (Canon 2) in a way that endangers the public (Canon 1), the higher canon governs. The code resolves the conflict explicitly: you do not comply with employer instructions that violate the higher obligations.
Slide 12 of 33
Compliance vs. Ethics
One of the most practically important distinctions in professional life. Compliance is the floor. Ethics requires more.
What Compliance Provides
A checklist of minimum required behaviors. HIPAA compliance means implementing required technical safeguards and having required policies. PCI DSS compliance means meeting the 12 control requirements. Compliant organizations have documented, auditable evidence that they met the minimum standard. This is valuable and necessary -- but it is not an ethical ceiling.
What Compliance Cannot Provide
Compliance frameworks are backward-looking -- they define requirements based on past harms. Novel harms are not covered. The spirit of a regulation may be violated while the letter is technically satisfied. Compliance with a standard that is inadequate to the actual risk does not fulfill the ethical obligation to protect the people who trust you with their data.
The "We Are Compliant" Defense
Organizations that lead with "we are compliant" when asked about ethics are revealing their priorities. Compliance establishes the floor. Ethics asks: given what we know, what should we do? The answer often requires going beyond the checklist. "We complied with HIPAA" does not end the inquiry when 10 million patient records were breached.
Building an Ethical Culture
Compliance is enforced from outside. Ethics is internalized. Organizations with strong ethical cultures ask "should we?" alongside "are we required to?" They invest in ethics training, create safe reporting channels, and actually use them. The difference between compliance-as-theater and genuine ethical culture is visible in how organizations respond when they discover their own failures.
Slide 13 of 33  |  Case Study
Case Study: SAP and the FCPA
A major Foreign Corrupt Practices Act resolution. A global technology company, a bribery network, and a question about professional responsibility.
In January 2024, SAP SE agreed to pay approximately $220 million to resolve US DOJ and SEC investigations into the bribery of government officials in several countries, including South Africa, Kenya, Tanzania, Ghana, and Indonesia, to secure software contracts. SAP separately reached an agreement with South African authorities over contracts with state-owned enterprises. The conduct ran for years across multiple subsidiaries and business units.
The Mechanism
SAP subsidiaries used third-party agents and intermediaries to funnel payments to government officials. These payments secured software license deals and maintenance contracts with state-owned enterprises and government ministries. The bribery was organized, systematic, and extended across multiple countries and business units over years.
The Technology Connection
SAP's products are enterprise software -- ERP systems, HR systems, financial management systems. The software itself was not defective. The sales process was corrupt. The IT professionals who implemented the software for these government clients were working for organizations that secured those contracts through criminal means.
Slide 14 of 33  |  Case Study
SAP FCPA: Consequences and Analysis
What the case reveals about organizational ethics and the IT professional's position within corrupt organizations.
1 Under the US resolution, SAP agreed to a criminal penalty of approximately $118.8 million and forfeiture of roughly $103 million in improper profits (credited against the SEC's disgorgement order), a combined total of about $220 million to the DOJ and SEC, in addition to a separate settlement with South African authorities.
2 The FCPA (Foreign Corrupt Practices Act) prohibits issuers (companies with securities registered in the US, including foreign companies whose shares trade there, as SAP's did), US domestic concerns, and anyone acting within US territory from bribing foreign government officials, regardless of where the bribery occurs. For SAP, jurisdiction followed its US securities listing, not the location of the acts.
3 Individual employees faced personal prosecution in several jurisdictions. The "I worked for the company" defense did not shield individuals who were directly involved in structuring payments to officials.
4 SAP's internal compliance program existed but failed to detect or stop the scheme. A compliance program that exists on paper but does not operate in practice provides no ethical or legal protection.
What Would You Do?
You are a SAP implementation consultant working on a government contract in one of the affected countries. You begin to suspect that the contract was secured improperly. You have no direct evidence. Your next project assignment depends on this deployment going well. What is your ethical obligation?
Slide 15 of 33
The Obligation of Competence
Representing yourself as capable of work you cannot perform is both an ethical and professional failure -- not just a business risk.
Know Your Limits
The ACM Code (2.6) requires practitioners to "perform work only in areas of competence." This is not a passive prohibition -- it requires active self-assessment. Technology changes faster than any practitioner can keep current. Knowing what you do not know is a professional competency, not a weakness to hide.
The Estimation Problem
Project estimation is an ethics issue. Knowingly providing unrealistic estimates to win contracts, secure approval, or avoid conflict creates downstream harm for clients, colleagues, and users. An estimate you do not believe is honest is a form of deception regardless of whether it is technically a "lie."
Certification and Misrepresentation
Claiming certifications, credentials, or experience you do not have is fraud. In security contexts it is particularly dangerous -- organizations make risk decisions based on the claimed expertise of the professionals they hire. A security consultant who misrepresents their penetration testing experience creates real security risks for clients who trust that representation.
Continuous Development
The obligation to maintain competence in a rapidly evolving field is ongoing. This includes technical competency and ethical competency -- the frameworks, regulations, and societal understanding of harm that shape what professional practice requires. CPE requirements in certifications like CISSP exist because competence decays without investment.
Slide 16 of 33
Honesty in Professional Communication
Truth-telling in professional contexts is more complex than it sounds. Omission, framing, and timing all matter.
Lies of Commission
Stating something false. Claiming a system is secure when you know it has critical vulnerabilities. Representing a project as on track when it is not. Certifying that testing was completed when it was not. These are direct violations of the professional honesty obligation and, in many contexts, they are fraud.
Lies of Omission
Failing to disclose known information that the other party has a legitimate interest in knowing. Delivering a system that meets every specified requirement while knowing the specification missed a critical security concern -- and not mentioning it -- is a lie of omission. The client trusted your expertise, not just your compliance with the spec.
Framing and Spin
Technically true statements designed to mislead. "We have never had a reported breach" -- because you have no detection capability. "This feature has been thoroughly reviewed" -- by one intern for 20 minutes. Professional communication must not only be technically accurate -- it must not be designed to create false impressions.
The Standard
Would the recipient of this communication, if they knew everything you know, feel they had been given an honest picture? If no, the communication has an honesty problem, regardless of whether any individual statement is technically false.
Slide 17 of 33
Conflicts of Interest
A conflict of interest exists when a personal interest could compromise -- or appears to compromise -- your professional judgment.
Types of Conflict
Financial: holding equity in a vendor you are evaluating. Personal: your former manager runs a company bidding on a contract you are reviewing. Role: being asked to audit a system you built. All three types create the same structural problem: your judgment may be compromised, and stakeholders relying on your judgment cannot know it.
Disclosure and Recusal
When a conflict exists, the obligation is disclosure to the appropriate parties, followed by a decision about whether recusal is required. The person with the conflict does not unilaterally decide whether it is material -- that determination is made by the parties whose interests are at stake.
The Appearance Standard
Many professional codes require avoiding even the appearance of a conflict, not just actual conflicts. If your recommendation could reasonably be suspected of being influenced by a personal interest -- even if it was not -- the professional response is disclosure. The appearance of impropriety is itself a problem in positions of trust.
Post-Employment Conflicts
Knowledge of former employer systems, clients, and strategies creates potential conflicts in subsequent roles. Working for a competitor on matters where your former employer's confidential information would be advantageous is a conflict of interest -- and potentially a breach of fiduciary duty -- regardless of whether any data was physically transferred.
Slide 18 of 33
Professional Privacy Obligations
IT professionals with system access hold more personal data on more people than almost any other role in an organization.
The Trust Relationship
When users put data into systems, they are trusting the professional community that built and maintains those systems to handle it responsibly. They did not consent to the DBA reading their messages, the sysadmin browsing medical records, or the developer using customer PII to build test environments without anonymization.
Curiosity Is Not Authorization
Having access to data does not mean you are authorized to view it. Many IT professionals treat privileged access as permission to explore. Reading the CEO's emails because you are curious, looking at salary data because you have database access, reviewing HR files because you can -- these are all ethical violations regardless of whether any policy explicitly prohibits them.
Test Data Practices
Using real production data in development and test environments is an extremely common professional practice that is also an extremely common ethical violation. Real names, real SSNs, real medical records in a development database with weaker access controls than production is a routine privacy risk that professional developers have an obligation to eliminate through data masking and synthetic data generation.
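The masking the paragraph above calls for is a concrete technique, not just a policy. The following is an added example, not code from the slides, showing one way to produce a development copy of a table without real identifiers: a keyed HMAC gives deterministic pseudonyms (so records for the same person still join across tables), SSN-shaped values are regenerated in a range the SSA never issues, and dates are shifted by a per-subject offset. The rows, field names and the key are constructed for the example.

```python
import datetime as dt
import hashlib
import hmac

# Constructed "production" rows for the example (fictitious people, not real data).
# Rows 1 and 3 describe the same person: the masking must keep them linkable.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Alice Example", "ssn": "123-45-6789", "dob": "1984-03-09", "dx": "J45.20"},
    {"id": 2, "name": "Bob Sample",    "ssn": "987-65-4321", "dob": "1975-11-30", "dx": "E11.9"},
    {"id": 3, "name": "Alice Example", "ssn": "123-45-6789", "dob": "1984-03-09", "dx": "I10"},
]


def pseudonym(value: str, key: bytes, field: str, length: int = 12) -> str:
    """Keyed, deterministic pseudonym: the same input always maps to the same output,
    so joins across masked tables still work, but without the key the original cannot
    be recovered and cannot be found by hashing a dictionary of candidate values.
    The field name is mixed in so the same string in two columns yields two pseudonyms."""
    mac = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
    return mac[:length]


def fake_ssn(real_ssn: str, key: bytes) -> str:
    """Format-preserving replacement (NNN-NN-NNNN) so validators and UI code behave
    as in production. The area number is forced into 900-999, a range the SSA does
    not issue, so a masked value can never collide with a real person's SSN."""
    n = int(pseudonym(real_ssn, key, "ssn", 16), 16)
    area = 900 + n % 100
    group = 1 + (n // 100) % 99
    serial = 1 + (n // 10_000) % 9999
    return f"{area:03d}-{group:02d}-{serial:04d}"


def shift_date(iso_date: str, key: bytes, subject: str, max_days: int = 365) -> str:
    """Shift a date by a per-subject offset in [-max_days, +max_days] derived from the key.
    Ages stay realistic and intervals between a subject's own dates are preserved,
    but the true date is not recoverable without the key."""
    span = 2 * max_days + 1
    offset = int(pseudonym(subject, key, "dateshift", 8), 16) % span - max_days
    return (dt.date.fromisoformat(iso_date) + dt.timedelta(days=offset)).isoformat()


def mask_record(row: dict, key: bytes) -> dict:
    subject = row["ssn"]  # stable subject identifier, read before it is masked
    return {
        "id": row["id"],
        "name": "patient_" + pseudonym(row["name"], key, "name"),
        "ssn": fake_ssn(row["ssn"], key),
        "dob": shift_date(row["dob"], key, subject),
        "dx": row["dx"],  # clinical code kept so tests exercise realistic values
    }


def mask_dataset(rows: list, key: bytes) -> list:
    """Mask every row. The key must live only in the masking job, never in the dev environment."""
    return [mask_record(r, key) for r in rows]


if __name__ == "__main__":
    demo_key = b"masking-key-from-the-secrets-manager"  # placeholder for the example
    for masked in mask_dataset(PRODUCTION_ROWS, demo_key):
        print(masked)
```

The design choice worth noting is that the key, not the algorithm, is what keeps the masking irreversible: if the key is copied into the development environment along with the data, the masking is undone for anyone with access there. Free-text fields (notes, addresses) need a separate treatment, since a keyed hash of a paragraph preserves nothing useful for testing.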
Minimum Necessary Access
Privileged access should be requested only for specific, documented purposes and relinquished when those purposes are complete. Holding permanent administrative access to systems you rarely touch is both a security risk and a privacy ethics problem. The standard is minimum necessary, not maximum convenient.
Slide 19 of 33
IP and Professional Obligations
IT professionals interact with intellectual property constantly. The obligations are both legal and ethical.
Work-for-Hire Doctrine
Code, documentation, systems, and other creative work produced by an employee within the scope of employment generally belongs to the employer. Using company-developed intellectual property in outside ventures without authorization is not a gray area -- it is a clear violation of both the employment agreement and professional ethics.
Open Source Compliance
Shipping a closed-source commercial product that incorporates GPL-licensed code violates the license: the GPL's source-disclosure obligations attach when the work is distributed, which is why an internal tool becomes a problem the moment it is sold or delivered to customers. Statically linking LGPL code without giving users the means to relink against a modified library, or stripping the library's own license notices, similarly violates its conditions. These violations are both legal and ethical failures. A professional who does not understand the licensing implications of the code they incorporate has a competence obligation to learn before they use it.
Attribution
Using code, frameworks, or designs from other sources without attribution -- even when the license does not require it -- is professional plagiarism. It misrepresents the scope and originality of your contribution. Code review and portfolio work that does not disclose heavy use of external sources is dishonest to the people evaluating it.
Ethical Violation Pattern
An engineer builds an internal tool using GPL-licensed libraries. The company decides to commercialize it. The engineer does not disclose the license constraints because it would complicate the commercialization. This is an active ethical violation: the engineer knows information that is material to the business decision and withholds it.
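The competence obligation in the Open Source Compliance paragraph, and the disclosure the Ethical Violation Pattern turns on, both rest on actually evaluating the licenses in a dependency manifest. Dependencies carry SPDX expressions such as "GPL-2.0-only OR MIT" (dual licensed, pick one) or "MIT AND LGPL-3.0-only" (both apply), so a correct answer needs a small parser, not a string search. The following is an added example, not code from the slides or any real tool: it evaluates SPDX expressions with the standard precedence (WITH binds tightest, then AND, then OR) and reports which packages block, condition, or permit distribution in a closed-source product. The license classification tables and the manifest are constructed for the example; a real audit would use a policy list reviewed by counsel.

```python
import re

# Verdicts for inclusion in a closed-source product that will be distributed.
# Lower means more restrictive; AND takes the minimum, OR the maximum.
BLOCK, CONDITIONAL, OK = 0, 1, 2
VERDICT_NAMES = {BLOCK: "block", CONDITIONAL: "conditional", OK: "ok"}

# Illustrative classification tables (a real audit would use a reviewed policy list).
PERMISSIVE = {"MIT", "ISC", "Zlib", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later", "MPL-2.0"}
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
                   "AGPL-3.0-only", "AGPL-3.0-or-later"}
LINKING_EXCEPTIONS = {"Classpath-exception-2.0", "GCC-exception-3.1"}


def classify(license_id: str) -> int:
    if license_id in PERMISSIVE:
        return OK
    if license_id in WEAK_COPYLEFT:
        return CONDITIONAL  # usable if users can relink/replace the library and notices ship
    if license_id in STRONG_COPYLEFT:
        return BLOCK
    return BLOCK  # unknown identifier: blocked until a human has read the license


TOKEN = re.compile(r"\(|\)|\bAND\b|\bOR\b|\bWITH\b|[A-Za-z0-9.+\-]+")


class _SpdxParser:
    """Recursive-descent evaluator for SPDX expressions: WITH binds tightest, then AND, then OR."""

    def __init__(self, expr: str):
        self.toks = TOKEN.findall(expr)
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self) -> int:
        verdict = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return verdict

    def or_expr(self) -> int:
        verdict = self.and_expr()
        while self.peek() == "OR":          # dual licensing: pick the friendliest option
            self.take()
            verdict = max(verdict, self.and_expr())
        return verdict

    def and_expr(self) -> int:
        verdict = self.primary()
        while self.peek() == "AND":         # every conjunct must be satisfied
            self.take()
            verdict = min(verdict, self.primary())
        return verdict

    def primary(self) -> int:
        tok = self.take()
        if tok == "(":
            verdict = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return verdict
        if tok is None or tok in ("AND", "OR", "WITH", ")"):
            raise ValueError(f"bad token {tok!r}")
        verdict = classify(tok)
        if self.peek() == "WITH":           # e.g. GPL-2.0-only WITH Classpath-exception-2.0
            self.take()
            exception = self.take()
            if exception in LINKING_EXCEPTIONS and verdict == BLOCK:
                verdict = CONDITIONAL
        return verdict


def evaluate(expr: str) -> int:
    return _SpdxParser(expr).parse()


def audit(manifest: list) -> dict:
    """manifest: list of (package, spdx_expression). Groups packages by verdict."""
    report = {"block": [], "conditional": [], "ok": []}
    for package, expr in manifest:
        report[VERDICT_NAMES[evaluate(expr)]].append(package)
    return report


# Constructed dependency manifest for the example (package names are made up).
MANIFEST = [
    ("httpkit", "Apache-2.0"),
    ("reportgen", "GPL-3.0-only"),
    ("embedded-db", "GPL-2.0-only OR MIT"),
    ("netlib", "MIT AND LGPL-3.0-only"),
    ("jdk-bits", "GPL-2.0-only WITH Classpath-exception-2.0"),
    ("mystery", "LicenseRef-Unknown"),
]

if __name__ == "__main__":
    for verdict, packages in audit(MANIFEST).items():
        print(f"{verdict:12s} {', '.join(packages) or '-'}")
```

Two choices matter for the ethics of the tool rather than its mechanics: an unrecognised license is blocked rather than ignored, and a dual-licensed package is reported as permitted only because the MIT option exists, which means the product must actually ship under that option and say so. Run against the real manifest before a commercialization decision, the report is exactly the material information the engineer in the scenario above is obliged to disclose.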
Slide 20 of 33
Professional Dissent
The mechanisms available to IT professionals who believe their organization is acting unethically -- and the costs associated with each.
Voice
The first tool: raise concerns internally. Request meetings, write formal objections into the record, use ethics hotlines, escalate through compliance channels. Voice costs the least and should always be the starting point. Document every step -- the record matters if things escalate.
Exit
If internal channels fail, resignation is a professional statement. An engineer who leaves a company because they were asked to build something they believe is harmful makes a professional decision with professional consequences. Exit does not prevent disclosure -- it is not itself a resolution -- but it removes personal complicity.
External Disclosure
Reporting to regulators (SEC, OSHA, FTC, EPA depending on domain), law enforcement, or the press. This carries the highest personal cost and the strongest professional justification. Required when internal channels are captured, when the harm is severe, and when the violations are ongoing and unaddressed.
The Professional Standard
Professional codes generally require IT professionals to report significant risks to appropriate parties. The ACM Code (Principle 1.2, Avoid harm) states that a computing professional "has an additional obligation to report any signs of system risks that might result in harm," that if leaders do not act "it may be necessary to 'blow the whistle' to reduce potential harm," and that capricious or misguided reporting of risks can itself be harmful. This does not mean every internal disagreement warrants external disclosure -- but it does mean professional obligation does not stop at organizational boundaries.
Slide 21 of 33
Security Professionals: Elevated Obligations
Access to vulnerabilities, attack tools, and sensitive security data creates professional obligations beyond those of general IT roles.
Authorized Access Only
A penetration tester who exceeds the scope of an authorized engagement -- testing systems not listed in the contract, pivoting to connected networks not in scope -- has committed unauthorized access regardless of their professional intent. Scope documentation is not a formality; it is the boundary of ethical conduct.
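Scope is only a boundary if something enforces it before traffic leaves the tester's machine. The following is an added example, not code from the slides or any pentest tool, showing a scope check that a scanner wrapper can run over every candidate target: exclusions win over inclusions, anything not explicitly authorized is denied, and hostnames must be equal to or a proper subdomain of an in-scope domain. The scope document, networks and domains are constructed for the example (RFC 5737 and RFC 1918 ranges, a .test domain); it does no DNS lookups and runs offline.

```python
import ipaddress

# Constructed scope document for a hypothetical engagement (example only, not a real client).
SCOPE = {
    "in_scope_networks": ["10.0.0.0/16", "203.0.113.0/24"],
    "excluded_networks": ["10.0.9.0/24"],        # e.g. a production database segment carved out
    "excluded_hosts": ["203.0.113.5"],           # e.g. a third-party payment gateway
    "in_scope_domains": ["example-client.test"],
}


def _as_network(spec: str):
    # A bare host address becomes a /32 (or /128) network, so hosts and CIDRs mix freely.
    return ipaddress.ip_network(spec, strict=False)


class ScopePolicy:
    """Answers one question before any packet is sent: is this target authorized?
    Exclusions win over inclusions, and anything not explicitly allowed is denied."""

    def __init__(self, scope: dict):
        self.allowed = [_as_network(n) for n in scope["in_scope_networks"]]
        self.excluded = [_as_network(n) for n in scope["excluded_networks"] + scope["excluded_hosts"]]
        self.domains = [d.lower().strip(".") for d in scope["in_scope_domains"]]

    def check(self, target: str) -> tuple:
        target = target.strip().lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(target)
        except ValueError:
            addr = None  # not an IP literal, treat as a hostname

        if addr is not None:
            for net in self.excluded:
                if addr in net:
                    return False, f"{target} is explicitly excluded by {net}"
            for net in self.allowed:
                if addr in net:
                    return True, f"{target} is inside authorized network {net}"
            return False, f"{target} is not in any authorized network"

        # Hostname: exact match or a proper subdomain. The leading dot prevents
        # "notexample-client.test" from passing as a suffix match.
        for d in self.domains:
            if target == d or target.endswith("." + d):
                return True, f"{target} is covered by authorized domain {d}"
        return False, f"{target} is not under an authorized domain"


def filter_targets(policy: ScopePolicy, targets: list) -> tuple:
    """Split a candidate target list into (authorized targets, rejected (target, reason) pairs)."""
    authorized, rejected = [], []
    for t in targets:
        ok, reason = policy.check(t)
        if ok:
            authorized.append(t)
        else:
            rejected.append((t, reason))
    return authorized, rejected


if __name__ == "__main__":
    policy = ScopePolicy(SCOPE)
    candidates = ["10.0.5.7", "10.0.9.1", "203.0.113.5", "app.example-client.test",
                  "notexample-client.test", "198.51.100.1"]
    allowed, denied = filter_targets(policy, candidates)
    print("scan:", allowed)
    for target, why in denied:
        print("skip:", why)
```

A hostname being in scope does not make the address it resolves to in scope: resolve it, check the resulting addresses against the same policy, and re-check at scan time because DNS answers change during an engagement. The same applies to pivots, where each newly discovered address goes through the check before it is touched.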
Vulnerability Handling
Vulnerabilities discovered in the course of professional work belong in responsible disclosure channels -- not for sale, not for personal use, not held as leverage. Selling a zero-day exploit to a buyer whose use of it you have not vetted is an ethical problem that professional security culture is still actively debating.
Dual-Use Knowledge
Security professionals have offensive knowledge. The obligation to use that knowledge only for authorized defensive purposes is not just a legal requirement -- it is the defining characteristic of professional security practice. Exploitation of systems outside authorized engagements is criminal regardless of the professional's credentials.
Client Data Encountered During Engagements
Penetration testers and incident responders encounter highly sensitive client data. Professional ethical obligations require treating that data with the strictest confidentiality, not retaining it beyond engagement needs, and certainly not using it for competitive intelligence, personal gain, or future leverage.
Slide 22 of 33
IT Professionals and AI Ethics
Developing and deploying AI systems creates professional responsibilities that did not exist a decade ago.
Transparency About Limitations
AI professionals have an obligation to communicate system limitations honestly to the organizations deploying them. A model that performs well on benchmark data but poorly on real-world edge cases -- if deployed in high-stakes contexts without disclosure of those limitations -- creates foreseeable harm. Forecast accuracy must be honest, not optimistic.
Disparate Impact Testing
Before deploying any system that makes decisions affecting people, test for differential performance across demographic groups. Disparate impact that is discovered after deployment and harm has occurred is a foreseeable failure of professional due diligence. The technical capability to test exists; the obligation to use it is professional.
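The test the paragraph above describes is a short computation. The following is an added example, not code from the slides, run over a constructed set of decisions from a hypothetical loan model: it computes each group's selection rate and the four-fifths (80%) impact ratio used in US employment-discrimination practice, and also the per-group true and false positive rates, so that a gap in approvals can be separated from a gap in qualification. The groups, decisions and outcomes are synthetic and built so that both groups have the same share of creditworthy applicants.

```python
from collections import defaultdict

# Constructed decisions from a hypothetical loan model (synthetic rows, not real applicants).
# Each row: (protected group, model approved?, applicant later proved creditworthy?)
DECISIONS = (
    [("A", True, True)] * 5 + [("A", True, False)] * 1
    + [("A", False, True)] * 1 + [("A", False, False)] * 3
    + [("B", True, True)] * 3
    + [("B", False, True)] * 3 + [("B", False, False)] * 4
)


def rates_by_group(rows):
    """Selection rate plus error rates per group, so a gap in approvals can be
    distinguished from a gap in qualification."""
    counts = defaultdict(lambda: {"n": 0, "approved": 0, "qual": 0, "tp": 0, "unqual": 0, "fp": 0})
    for group, approved, qualified in rows:
        c = counts[group]
        c["n"] += 1
        c["approved"] += approved
        if qualified:
            c["qual"] += 1
            c["tp"] += approved
        else:
            c["unqual"] += 1
            c["fp"] += approved
    rates = {}
    for group, c in counts.items():
        rates[group] = {
            "selection_rate": c["approved"] / c["n"],
            "base_rate": c["qual"] / c["n"],
            "tpr": c["tp"] / c["qual"] if c["qual"] else None,     # qualified applicants approved
            "fpr": c["fp"] / c["unqual"] if c["unqual"] else None,  # unqualified applicants approved
        }
    return rates


def impact_ratios(rates):
    """Four-fifths rule: each group's selection rate divided by the highest group's rate.
    A ratio under 0.8 is the conventional trigger for further scrutiny, not a verdict."""
    best = max(r["selection_rate"] for r in rates.values())
    return {g: (r["selection_rate"] / best if best else 0.0) for g, r in rates.items()}


def disparate_impact_report(rows, threshold=0.8):
    rates = rates_by_group(rows)
    ratios = impact_ratios(rates)
    flagged = sorted(g for g, ratio in ratios.items() if ratio < threshold)
    return {"rates": rates, "impact_ratios": ratios, "flagged_groups": flagged}


if __name__ == "__main__":
    report = disparate_impact_report(DECISIONS)
    for g, r in report["rates"].items():
        shown = {k: (round(v, 3) if v is not None else None) for k, v in r.items()}
        print(g, shown, "impact ratio:", round(report["impact_ratios"][g], 3))
    print("flagged:", report["flagged_groups"])
```

On the constructed data both groups are 60% creditworthy, yet group B is approved at half the rate of group A and only half of its qualified applicants are approved against five sixths for A, so the disparity is a property of the model, not of the applicants. Ground-truth outcomes are only available after deployment; before it, the same rates can be computed on a held-out labelled set, which is the point at which the obligation applies.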
Human Oversight
Do not deploy automated systems in high-stakes domains without meaningful human review capability. A professional who builds a loan approval system with no appeals process, no explainability mechanism, and no human override capability has failed the obligation to protect the users affected by the system's decisions.
Slide 23 of 33
Professional Accountability
Accountability requires that there be identifiable humans who can be held responsible for system outcomes -- before those outcomes occur, not after.
Accepting Responsibility
Professional accountability means owning your decisions and their consequences -- including consequences you did not anticipate. "I did not know" is only a defense if it was reasonable not to know. A professional who failed to test for a foreseeable failure mode bears responsibility for the consequences that followed.
Diffusion of Responsibility
In large technology organizations, accountability is systematically diffused. The algorithm was built by team A, deployed by team B, approved by committee C, and reviewed by auditor D. When it causes harm, each team points to the others. Accountability architecture must be designed as deliberately as system architecture.
Error and Learning
Professional accountability includes acknowledging errors promptly and learning from them. Organizations that conceal errors, revise history, or punish individuals for honest reporting create the conditions for repeated failures. Post-incident reviews that identify process improvements are accountability in action.
Proactive Responsibility
Accountability is not only reactive. A professional who anticipates a category of harm and says nothing until it occurs has not met a proactive professional obligation. Raising concerns about design decisions, deployment contexts, or testing adequacy before harm occurs is the higher standard of professional responsibility.
Slide 24 of 33
Professional Development as Ethics
Failing to maintain professional competence is itself an ethical failure -- not just a career risk.
The Obligation to Stay Current
You are trusted with systems that affect people. If you implement solutions using obsolete security practices, deprecated algorithms, or superseded frameworks because you stopped learning, you have harmed the people who trusted your expertise. The profession moves; you must move with it.
Teaching as Obligation
Senior professionals have an obligation to transfer knowledge. Hoarding expertise creates single points of failure, undermines organizational resilience, and fails less experienced colleagues who need mentorship. Knowledge sharing is part of the social contract of professional community.
What Would You Do?
You are a senior developer who discovers a junior colleague has implemented a critical authentication feature using MD5 hashing with no salt. You know this is dangerously inadequate. The deadline is tomorrow. The feature works as specified in the requirements document, which said nothing about hashing strength. What is your next action?
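An added example, not from the slide deck, showing the scheme in the scenario beside a replacement a senior developer could propose: unsalted MD5 versus a per-user random salt with a slow key-derivation function and constant-time comparison, plus an opportunistic upgrade on the next successful login so the fix can ship without forcing every user to reset. The iteration count and record format are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# --- Before: the scheme from the scenario, unsalted MD5 (do not use). ---
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    # No salt: every user with the same password gets the same digest,
    # so one precomputed table matches all of them at once.
    return md5_store(password) == stored

# --- After: random per-user salt, slow KDF, constant-time comparison. ---
ITERATIONS = 200_000  # assumption: tune per current OWASP guidance
PREFIX = "pbkdf2_sha256"

def kdf_store(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Self-describing record so the parameters can be raised later.
    return f"{PREFIX}${ITERATIONS}${salt.hex()}${digest.hex()}"

def kdf_verify(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record is never a match
    if algo != PREFIX:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)  # no timing leak

def is_legacy_record(stored: str) -> bool:
    return "$" not in stored and len(stored) == 32  # bare MD5 hex

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Returns (ok, new_record). new_record is set only when a legacy MD5
    record matched and should replace the stored value on this login."""
    if is_legacy_record(stored):
        if md5_verify(password, stored):
            return True, kdf_store(password)
        return False, None
    return kdf_verify(password, stored), None
```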
Slide 25 of 33
Maintaining Ethics Under Organizational Pressure
Individual professional ethics must be resilient against organizational incentive structures that push toward compromise.
Timeline Pressure
"Ship it now, fix it later." Security testing gets cut. Accessibility audit gets deferred. Privacy impact assessment gets skipped. These decisions create downstream harms that are foreseeable at the time the shortcuts are taken. The professional who stays silent during those decisions is complicit in the outcome.
Revenue Pressure
Features that harm users but drive engagement metrics. Data practices that violate user trust but improve ad targeting revenue. Products designed to create addictive usage patterns. The commercial incentive and the ethical obligation frequently point in opposite directions. The professional must name that conflict rather than quietly resolving it in favor of revenue.
Career Pressure
Raising ethical concerns can harm career advancement in organizations that do not value ethical culture. The professional who stays quiet to protect their next promotion has made an explicit trade: personal benefit for ethical compliance. That trade has a name: rationalization. Acknowledging the trade honestly is the first step to resisting it.
Pre-commitment Strategy
Decide in advance what you will not do regardless of organizational pressure. Make those commitments specific, not abstract. "I will not deploy code to production without security review" is a specific commitment that is much harder to rationalize away under deadline pressure than "I take security seriously."
Slide 26 of 33
Ethics in Global Practice
IT work frequently crosses jurisdictions. Professional obligations do not always align with local law or local culture.
Corruption in Local Markets
In some markets, unofficial payments to government officials are normalized business practice. The FCPA (US law) and UK Bribery Act apply to conduct in those markets regardless. The professional's ethical obligation is also independent of local normalization -- widespread corruption does not make corruption ethical.
Privacy Standards Across Jurisdictions
GDPR applies to EU residents' data regardless of where the processing company is located. A US company with EU users is subject to GDPR. The professional implementing systems that process personal data has an obligation to understand which regulatory regimes apply -- ignorance does not provide compliance cover.
Labor Practices in Supply Chains
The manufacturing of hardware components, the operations of data centers in certain jurisdictions, and the conditions of content moderation contractors in lower-wage markets are supply chain ethics issues. Technology companies that tout their ethics while outsourcing harmful work to invisible supply chain actors are not meeting the full ethical standard.
Operating in Authoritarian Contexts
Technology deployed in support of authoritarian governments -- surveillance of dissidents, censorship infrastructure, social credit systems -- raises professional ethics questions that transcend local legal compliance. The professional who builds systems for authoritarian use must weigh the obligation to protect individual human dignity against the local legal requirement to comply.
Slide 27 of 33
Professional Ethics and Public Behavior
IT professionals in public roles carry ethical obligations that extend to their public communications and associations.
Speaking as a Professional
When an IT professional speaks publicly about technical topics -- security vulnerabilities, data practices, AI capabilities, regulatory compliance -- they carry implicit professional authority. Misinformation from apparent experts causes disproportionate harm. Accuracy and appropriate uncertainty communication are professional obligations in public discourse.
Employer Confidentiality in Public
Discussing confidential employer information on social media, at conferences, or in public forums -- even without naming the employer -- is an ethical violation. System architecture details, security incidents, client information, financial performance, and personnel matters are all confidential absent explicit permission to disclose.
Peer Review and Criticism
Honest technical critique of published work, public systems, and professional conduct is valuable and professionally necessary. Critique should be accurate, specific, and proportionate. The professional standard for criticism is the same as the standard for all professional communication: factual, constructive, and not designed to mislead.
Slide 28 of 33
Codes vs. Judgment
Ethics codes are necessary but not sufficient. The harder work is developing the judgment to apply them to situations the codes did not anticipate.
What Codes Cannot Do
Codes enumerate principles written before your specific situation existed. They cannot tell you how much weight to give each principle when they conflict. They cannot tell you at what threshold a business practice crosses from aggressive-but-acceptable to unethical. They provide vocabulary and direction -- not verdicts.
Developing Judgment
Ethical judgment develops through exposure to cases, deliberate reflection on your own decisions, discussion with colleagues you respect, and feedback when your reasoning was wrong. It cannot be shortcut. A professional who has only ever followed instructions without evaluating them has not developed ethical judgment -- they have developed compliance habits.
The Question that Builds Judgment
For any professional decision you make this week, ask: who is affected by this decision who was not consulted? What would a professional I respect say about it if they knew everything I know? Is there a version of this that better serves all the people it touches? Ask these questions repeatedly. The answers build judgment.
Slide 29 of 33
Applied Scenario Analysis
Use the frameworks from this module. Identify which stakeholder relationship is implicated and which professional obligation applies.
1 A developer is asked to implement usage analytics that track detailed user behavior. The privacy policy does not mention this. The product manager says "users agreed to general data collection in the terms." Which stakeholder relationship is the primary concern, and what is the professional obligation?
2 A security consultant discovers during a penetration test that the client is storing thousands of customer passwords in plaintext. The engagement scope was limited to network perimeter testing. What is the professional obligation -- and does it extend beyond the contracted scope?
3 You are on the procurement committee evaluating a cloud storage vendor. Your former manager now works as VP of Sales at one of the vendors under evaluation. You believe their product is the best choice on merit. What is the professional obligation regarding disclosure?
4 A database administrator has access to customer purchasing records. She notices her neighbor's name in the data and is curious what they buy. She views the records briefly and closes the application. Has she committed an ethical violation? Which code provision applies?
Slide 30 of 33
Protecting the Profession
Individual professional conduct reflects on and affects the entire profession. Ethics is not only a personal obligation -- it is a collective one.
Shared Reputation
When IT professionals build systems that harm users, build backdoors for authoritarian governments, or misrepresent security capabilities, the entire professional community's credibility is affected. Trust in IT professionals as a class depends on the aggregate behavior of individual practitioners.
Raising Standards
Every IT professional who insists on ethical standards in their organization raises the baseline for the entire profession. Every professional who mentors others in ethical reasoning expands the community of practitioners who approach their work with moral seriousness. Ethics culture is contagious in both directions.
The Long Game
Professional reputations are built across decades and lost in days. The IT professional who consistently does the right thing -- even when it is costly, even when it is unpopular -- builds a reputation that survives organizational changes, technological shifts, and economic cycles. The shortcuts almost never do.
Slide 31 of 33  |  Exercises
Practice Exercises
Written responses required for exercises 2 and 3.
1 Map the SAP FCPA case to the five stakeholder relationships covered in this module. For each relationship, identify which obligation was violated and by whom within the organization.
2 Write a one-page analysis of whether IT should be recognized as a formal profession with licensure requirements similar to law or medicine. Address the information asymmetry argument, the public harm argument, and the practical barriers to licensure.
3 You are asked by your employer to build a feature you believe violates user privacy. Write the email you would send to your manager documenting your concerns, the specific professional ethics provisions that apply, and the alternatives you propose.
4 Compare the (ISC)2 Code of Ethics canon hierarchy with the ACM Code's priority structure. In a scenario where protecting the public and serving your employer conflict, how does each code resolve the tension?
Slide 32 of 33
Key References
Primary sources for the frameworks and cases covered in this module.
Codes and Standards
ACM Code of Ethics and Professional Conduct (2018) -- acm.org/code-of-ethics. (ISC)2 Code of Ethics -- isc2.org/ethics. IEEE Code of Ethics -- ieee.org/about/corporate/governance/p7-8.html. ISACA Code of Professional Ethics -- isaca.org/resources/isaca-journal/issues/2022/volume-1/code-of-professional-ethics.
Regulatory References
Foreign Corrupt Practices Act (15 USC 78dd-1) -- full text available through DOJ.gov. UK Bribery Act 2010 -- legislation.gov.uk. DOJ FCPA Resource Guide (2nd ed., 2020) -- justice.gov/criminal-fraud/file/1292051/download.
SAP Case Documents
US DOJ Press Release, January 2024: "SAP Agrees to Pay $220 Million." SEC Litigation Release No. 25985. Prior settlement: DOJ Press Release, February 2021, regarding South Africa and Panama conduct. All available via justice.gov and sec.gov enforcement actions.
Further Reading
Reynolds, George W.: "Ethics in Information Technology" (current edition). Johnson, Deborah G.: "Computer Ethics" (4th ed.). Floridi, Luciano: "The Ethics of Artificial Intelligence." Zuboff, Shoshana: "The Age of Surveillance Capitalism."
Slide 33 of 33  |  Summary
Module Summary
Professional ethics is not an add-on to technical skill. It is a dimension of professional competence that affects every stakeholder relationship you hold.
The IT professional holds obligations to employer, client, supplier, user, and society simultaneously. When those obligations conflict, the order of priority matters. Public safety and welfare come first. Not profit. Not the employment relationship. Public safety first.
1 A professional's duty extends beyond the employment contract to clients, users, and the public. Following orders does not transfer moral responsibility.
2 The five stakeholder relationships are: employer, client, supplier, user, and society. Each creates distinct ethical obligations with different limits.
3 (ISC)2 Canon order: public good first, then personal integrity, then service to principals, then profession. Higher canons override lower ones when they conflict.
4 Compliance is the floor, not the ceiling. "We are compliant" ends the legal inquiry; it does not end the ethical one.
5 SAP FCPA: systematic bribery across multiple countries over years led to $3.9 billion in combined settlements. Organizational compliance programs that only exist on paper provide no protection.
6 Conflicts of interest must be disclosed -- and the threshold is appearance of conflict, not just actual conflict. The disclosure decision belongs to the affected parties, not the person with the conflict.
7 Having system access does not equal authorization to view data. Curiosity is not a legal basis for data access, and it is not a professional ethics basis either.
8 When professional obligations to different stakeholders conflict, escalate internally first, document everything, and know that professional obligation does not stop at organizational boundaries.