Critical Success Factors: Boss, I Think Someone Stole Our Data Case Study


Introduction

To succeed, any organization must be able to determine its strengths and weaknesses (Denolf, Trienekens, Wognum, van der Vorst, & Omta, 2015). This paper aims to analyze how the Critical Success Factors (CSFs) can be applied to the case study “Boss, I Think Someone Stole Our Data” to understand the level of organizational readiness, the company's benefits, and the risk factors that will have to be addressed. The analysis will be supported by case examples and recommendations on risk management. Initial categories of risk are identified and presented using the Example Risk Checklist.

Critical Success Factors (CSFs)

Regardless of the service or product the organization offers, its success is determined by its ability to observe and maintain Critical Success Factors (CSFs). If the company fails to ensure that all the criteria are met, even the most elaborately designed project is likely to fail (Buh, Kovačič, & Indihar Štemberger, 2015). CSFs refer to a set of particular business characteristics (typically limited to 8) that may exercise a direct or indirect influence upon the viability of the idea underlying the project and, therefore, upon the effectiveness of the expected outcome. The problem with CSFs is that they cannot be clearly defined, as they are not universal for all enterprises. Every business, and even every project within the same company, may have its unique CSFs (Tan, Shen, Langston, Lu, & Yam, 2014). However, it is still possible to identify their major types:

  • industry CSFs (appearing as a set of standards for a particular field or industry);
  • strategy CSFs (characterizing the most effective, competitive parameters of the strategy selected within the business);
  • environmental CSFs (referring to the most favorable strategic moves in the given economic circumstances);
  • temporal CSFs (those that may not be permanent for the business but are used to meet the current needs of the organization to foster its future development) (Romanosky, Hoffman, & Acquisti, 2014).

As far as the given case study (Flayton Electronics) is concerned, the most demonstrative example for determining the main CSFs is the data breach and an information security system that is currently unable to protect information from unauthorized use. It is clear from the case that the company’s secret data can be modified, recorded, and even destroyed by third parties due to the staff’s negligence. Since the organization is unable to provide integrity and confidentiality, security is presently the most pressing problem that has to be addressed by the major business strategy. This implies not only that computer systems must protect information from disclosure but also that managers and employees must receive proper training to be capable of quickly resolving the situation if another data breach occurs. Therefore, the most applicable CSFs at the current stage of the company's development are:

  • staff education and coaching;
  • management loyalty and commitment;
  • staff motivation and orientation;
  • high-quality data and reporting systems;
  • improved protection of computers;
  • improved system of communication;
  • quick and effective decision-making;
  • the increased role of the quality department;
  • the capability of immediate action;
  • improved abilities of managers;
  • well-developed strategies.

Project Benefits, Organizational Readiness and Risk Culture

The key problem with the risk culture was that such data breaches affected the whole company, bringing all its processes into chaos. Moreover, it was next to impossible to find the one who was to blame for the whole failure. Even if all employees had been questioned, it would have been hard to determine who had caused the chaos (and who was legally responsible for it), how it was going to be solved, and what consequences were to be expected (Sen & Borle, 2015). At Flayton Electronics, the major concern was not even the data breach but the obligation of the company to protect the private information provided by its customers. There was also a delicate concern, since the company did not know the best way to notify its clients about the possibility that their information could have been stolen. The majority of customers and other stakeholders wanted to know if the company had been subjected to the attack. Finally, there was no effective strategy that would allow the company to avoid future problems in this respect.

After the team realized that the situation might repeat and the customer data could get breached once again, they came up with an immediate response to the problem. The organizational readiness for the situation was first and foremost supported by the fact that the CEO, Brett Flayton, did not ignore the issue but was completely involved in it throughout the whole process (Biener, Eling, & Wirfs, 2015). All the employees connected in some way to the issue of data protection tried to collect more details on the problem to detect possible reasons that could bring about such deplorable consequences.

Another problem of risk culture was that the organization not only undermined its security policy but also put at risk all the customer information. However, the benefit of the project implemented by the organization was that the company guaranteed that all the information provided by its clients would be protected against any cyber attack whatsoever (Allodi & Massacci, 2017). Therefore, the customer could be sure that his/her card information would not be stolen at least because Flayton Electronics would not want any compromised cases on their hands. Performing any operations connected with their cards without their consent would be considered a legal offense and could undermine the legitimacy of the company’s actions.

That was why, to ensure that all the mentioned benefits could be materialized, the company had to do everything it could to protect the private information of its clients. The CEO opted for the implementation of the PCI system, which did not function at its full potential due to certain flaws in its firewall. In this particular case, it was not maintained properly, which impeded the work of the whole system and could not ensure total protection of data.

From the legal perspective, if the organization is unable to guarantee that the client receives all the due benefits, the company is obliged to suffer the consequences (fines, loss of customer loyalty, undermined image, and competitive disadvantage). Thus, no matter if the company was or was not ready for the blow, its direct responsibility was to ensure that no customer information was disclosed.

Recommendations

To save its reputation, the company must prove that the security breach was unexpected. The fact that the organization tried to implement a PCI system and did not achieve any success at least proves that some steps were taken to improve the situation. The problem lay mainly in the firewall, which could have brought about the breach. This situation demonstrates that all the steps necessary for prevention were taken but did not lead to any results.

As for future recommendations, they are:

  • the company must develop a solid plan that would allow its leaders to solve similar problems without letting customers know about them;
  • effective internal control is necessary to ensure that all the components of the plan are implemented accordingly;
  • preventive measures are crucial for detecting all problems occurring in the systems; if any inconsistencies are found, they must be removed immediately;
  • all the key stakeholders must be informed about all serious occasions;
  • the company must learn to identify if all its processes are adequate, its software is updated, its team is committed, and its staff is qualified enough.

Initial Categories of Risk

The initial categories of risk include (Feri, Giannetti, & Jentzsch, 2016):

| RBS level 0 | RBS level 1 | RBS level 2 | Example of risk |
|---|---|---|---|
| 0. Project Risk | Technical-related concerns | 1. Defined by the scope | Wrong scope |
| | | 2. Defined by technical issues | The inability of the equipment to maintain security |
| | | 3. Technology | Technological advances |
| | | 4. Reliability | Different views of reliability |
| | | 5. Safety | Cyberattack |
| | | 6. Security | Customer information at risk |
| | Management Risks | 1. Operational management | Flaws in OS |
| | | 2. Resources | No resources or no access to them |
| | | 3. Communication | Inability to reach compromise with the client |
| | | 4. Image | Marred reputation |
| | Commercial Risks | 1. Contractual Terms | The contract is breached |
| | | 2. Procurement | Suppliers are incapable of providing the materials indicated in the document |
| | | 3. Partnerships | Partnerships are at stake due to the breach |
| | External Risks | 1. Legislation | Legal proceeding |
| | | 2. Competition | Competition problems due to the highly competitive environment |
| | | 3. Social | Social problems owing to the marred image |

References

Allodi, L., & Massacci, F. (2017). Security events and vulnerability data for cybersecurity risk estimation. Risk Analysis, 37(8), 1606-1627.

Biener, C., Eling, M., & Wirfs, J. H. (2015). Insurability of cyber risk: An empirical analysis. The Geneva Papers on Risk and Insurance Issues and Practice, 40(1), 131-158.

Buh, B., Kovačič, A., & Indihar Štemberger, M. (2015). Critical success factors for different stages of business process management adoption–A case study. Economic Research-Ekonomska Istraživanja, 28(1), 243-257.

Denolf, J. M., Trienekens, J. H., Wognum, P. N., van der Vorst, J. G., & Omta, S. O. (2015). Towards a framework of critical success factors for implementing supply chain information systems. Computers in Industry, 68(1), 16-26.

Feri, F., Giannetti, C., & Jentzsch, N. (2016). Disclosure of personal information under risk of privacy shocks. Journal of Economic Behavior & Organization, 123(2), 138-148.

Romanosky, S., Hoffman, D., & Acquisti, A. (2014). Empirical analysis of data breach litigation. Journal of Empirical Legal Studies, 11(1), 74-104.

Sen, R., & Borle, S. (2015). Estimating the contextual risk of data breach: An empirical approach. Journal of Management Information Systems, 32(2), 314-341.

Tan, Y., Shen, L., Langston, C., Lu, W., & Yam, M. (2014). Critical success factors for building maintenance business: A Hong Kong case study. Facilities, 32(5/6), 208-225.


Reference

IvyPanda. (2021, January 10). Critical Success Factors: Boss, I Think Someone Stole Our Data. https://ivypanda.com/essays/critical-success-factors-in-data-breach-case/
