IB Business Management Information Systems (MIS) Guide

Your Business Data Is Worth More Than You Think - And Someone Is Planning to Steal It

A deep dive into MIS, cybercrime, AI, VR, IoT and why it is relevant for your exams (and for your life)

Let's go back to Easter 2025. Millions of shoppers fired up the M&S app to grab a Percy Pig Easter egg or place a click-and-collect order. Nothing happened. It didn't work. The app was dead. The website was dead. And behind the scenes, one of Britain's most iconic retailers was struggling to regain normality - because a hacker had simply picked up the phone.

That's right. No weapons or explosive Hollywood-style hack. No genius sitting in a dark room for hours with seven monitors. The criminals behind the attack on Marks & Spencer in April 2025 used something far simpler: a phone call. They rang M&S's IT helpdesk, pretended to be an employee, and talked their way into getting a password reset. From there, they took down one of the UK's biggest retailers for weeks.

By the time everything settled, M&S had lost over £750 million in market value, suffered £300 million in lost operating profit, and had customer data - names, addresses, order histories - stolen from its databases. Online orders were suspended for 46 days. And the whole catastrophe started because one person on an IT helpdesk didn't question who they were speaking to.

Today we are covering Management Information Systems. It's the stuff that's reshaping every business on the planet right now, including the brands you use every single day.

Part 1: Data Analytics - Netflix Knows You Better Than You Know Yourself

Let's start with something all my students already use without thinking much about it. You open Netflix after school, and before you've even thought about what you want to watch, it's already showing exactly the kind of show you're in the mood for. Or Spotify Wrapped drops in December and somehow summarises your entire year in music with scary accuracy. How?

Data analytics. Every click, every pause, every song you skip after three seconds - it's all being collected, processed, and turned into decisions about what to show you next.

IB Business Management Definition - AO1

Data analytics is the process of analysing, developing, and transforming data to extract useful information and draw meaningful conclusions in order to support decision making. It uses statistical methods and tools - including machine learning - to analyse data from multiple sources and make predictions.

Data analytics as the business world's version of a really nosy - but incredibly useful - best friend. It doesn't just tell you what happened in the past (though it does that too, through descriptive statistics like bar charts, infographics, and pie charts). It uses that history to predict what's going to happen next.

Managers use this to make smarter decisions: what products to stock, which customers are about to churn, where to open the next store. Is there anything wrong at all with it? The predictions are only as good as the data going in. Garbage in, garbage out - as the saying goes in data science. If your data is biased, outdated, or just plain wrong, your brilliant machine learning model is going to give you the perfect wrong answers.

IB Business Management Real-life Example:

Zara (Inditex, Spain) is possibly the best retail example of data analytics in action. The brand collects point-of-sale data from thousands of stores worldwide in real time. Store managers report on what customers are asking for that isn't on the shelves, and that data flows directly into production decisions. New designs can go from concept to store in under three weeks. Competitors take weeks or even months to do the same job. That's the competitive advantage data analytics creates when it's done well.

Part 2: Databases - Where All That Data Actually Lives

So all this data is being collected - from your Netflix habits, your online orders, your Spotify skips. Where does it actually go? The answer is to a database.

IB Business Management Definition - AO1

A database is a computerised and structured collection of data that is stored and organised in a way that allows for the efficient retrieval, use, and management of the data.

Databases can be hosted physically on a business's own premises - think of massive server rooms humming away in a corporate headquarters - or increasingly, they're held online in the cloud. Amazon's Relational Database Service (RDS) and Google's Cloud SQL are examples you'll want to know for the exam.

Businesses hold enormous amounts of private data about their customers, employees, and suppliers. That creates a massive responsibility around data integrity (keeping data accurate and complete) and data security (keeping it safe from people who shouldn't have it).

Techniques like data encryption (scrambling data so it's unreadable without the right key) and regular backups (so you don't lose everything if something goes wrong) are standard practice for any serious business. The M&S story above shows what happens when those protections aren't enough - or when a human falls for a social engineering trick and hands over the keys to the kingdom.

IB Business Management Exam Tip:

When discussing databases in the exam, always connect them to the bigger MIS picture. Databases don't exist in isolation - they integrate with data analytics software, visualisation tools, and decision-support systems. Showing these links will push you into the higher mark bands.

Part 3: Cybercrime and Cybersecurity - The M&S Story Gets Worse

Back to Easter 2025. Let's break down exactly what happened at M&S - because it's basically an advanced lesson in every cybercrime concept your IB Business examiner could throw at you.

The attack started as early as February 2025, when hackers from a group called Scattered Spider infiltrated M&S's systems. They used social engineering - manipulation, deception, pretending to be someone they weren't - to trick IT helpdesk staff into resetting passwords and handing over access credentials. No fancy tech or hacking required. Just a convincing phone manner.

Once inside, they stole a critical file containing the password hashes for every single user on M&S's network. They cracked those hashes, got real passwords, and then deployed Dragon-Force ransomware - malicious software that encrypted M&S's servers and held them hostage.

IB Business Management Definition - AO1

Cybercrime refers to any criminal activity committed using the internet or other digital platforms - including hacking, identity theft, phishing scams, viruses, malware, ransomware, and cyberstalking.

Cybersecurity is the management process of protecting an organisation's internet-connected systems - hardware, software, and data - from cyberattacks, including theft, damage, or unauthorised access.

The consequences were fatal. Online shopping - about a third of M&S's clothing sales - was suspended for 46 days. The share price fell 15%. Over £750 million in market value was wiped out. Customer data was stolen. And this is a FTSE 100 company with dedicated cybersecurity teams we are talking about. Imagine the impact on a small business with no resources for this stuff.

"It's a really stark illustration of how the real world is underpinned by the digital domain, and if something is damaged digitally it can have knock-on effects in reality." - Wise words from Professor Oli Buckley, Loughborough University

What should businesses be doing?

Your IB Business specification & syllabus wants you to know the practical measures businesses must take. Here's what M&S should have done better - and what every business needs in place:

Preventative measures: Firewalls, regular software updates, anti-virus software, multi-factor authentication (MFA) for all accounts - especially admin accounts. Train every single employee about phishing, strong passwords, and social engineering. Consider hiring a specialist cybersecurity consultant to conduct regular vulnerability assessments.

Contingency planning: Every business must have a plan for when an attack happens - not just if. This includes: who leads the response, how systems get isolated to contain the damage, how data gets restored from backups, and how customers are communicated with. M&S's slow, unclear communication during the attack was criticised heavily and eroded customer trust.

One more thing worth noting: Cybercrime is a global issue. M&S faced not just financial losses but potential fines under UK GDPR (data protection law) for the breach of customer information. Businesses operating across borders face regulations in multiple jurisdictions - which adds a whole extra layer of complexity to cybersecurity management.

IB Business Management Real-life Example:

The M&S attack wasn't an isolated incident. In the same wave of attacks, Co-op and Harrods were also targeted by Scattered Spider. By July 2025, the group had expanded its operations to hit LVMH and Louis Vuitton in France. This is what IB Business examiners mean when they say cybercrime is a global issue - these groups operate across borders, targeting major brands in multiple countries simultaneously.

Part 4: Critical Infrastructure - The Foundation Nobody Sees

You've probably never thought about what keeps your favourite apps running. Not the app itself - but the physical and digital plumbing underneath it. This is what we call critical infrastructure.

IB Business Management Definition - AO2

Critical infrastructures refer to the systems and structures necessary for the efficient functioning of an organisation. Key examples include artificial neural networks (ANNs), data centres, and cloud computing.

There's a reason this is assessed at AO2 - the IB wants you to be able to apply and analyse these concepts, not just define them. So let's analyse each one properly.

Artificial Neural Networks (ANNs)

The name sounds intimidating, but the idea is actually quite elegant. An artificial neural network is a computing system designed to mimic how your brain works - processing huge amounts of information through interconnected layers of artificial "neurons" to recognise patterns and make decisions.

Your face recognition on your iPhone? That's an ANN. When Google Translate handles a whole paragraph and somehow gets the nuance right? ANN. When Spotify notices you've been listening to a lot of melancholy indie music lately and curates a playlist to match your mood? Yep, ANN.

IB Business Management Real-life Example:

Google DeepMind's Alpha-Fold used ANNs to solve one of biology's greatest puzzles: predicting the 3D structure of proteins. This has huge implications for pharmaceutical businesses developing new drugs. What would have taken researchers decades of lab work can now be done in hours. For businesses in the pharmaceutical sector, this is a game-changing competitive advantage.

Data Centres

Think of a data centre as the world's biggest, most secure filing cabinet. They're physical buildings - sometimes the size of several football pitches - packed with servers, storage systems, cooling equipment, and security measures.

Every time you stream a video, send an email, or load a webpage, a data centre somewhere in the world is doing work. They're the physical homes of the internet. The limitation? They're massively expensive to build and run - requiring constant power (and cooling to stop all those servers melting), high-level physical security, and reliable internet connectivity.

Cloud Computing

IB Business Management Definition - AO2

Cloud computing refers to the delivery of computing resources and services - including data storage, processing power, and software - via the internet. Businesses can access these services on demand without needing to invest in and maintain their own physical infrastructure.

Cloud computing is basically the business world's version of renting rather than buying. Why invest millions in your own data centre when you can pay Amazon Web Services (AWS), Microsoft Azure, or Google Cloud a monthly fee and use theirs?

It's flexible, scalable, and far cheaper upfront. A start-up with three employees can access the same computing power as a corporation. That's democratising in a really significant way by making the same technology available to absolutely everyone.

But there is a problem: cybersecurity. When your data is stored on someone else's servers - a third-party cloud provider - you're trusting that they have strong enough security. The M&S attack, remember, got in through a third-party supplier (their IT helpdesk provider, Tata Consultancy Services). Cloud-based data and services are a major target for cybercriminals, precisely because they hold so much valuable information.

IB Business Management Exam Tip:

For AO2 questions on critical infrastructure, always discuss both benefits AND limitations. Cloud computing is brilliant for cost and flexibility, but the cybersecurity vulnerability is a significant trade-off. ANNs are powerful, but they require enormous volumes of high-quality data - and can reflect biases in that data.

Can you provide a balanced analysis? = higher marks.

Part 5: Virtual Reality - A Lot More Than Just Gaming

Be honest - when someone says "virtual reality" you immediately picture someone flailing around your living room with a VR headset on, walking into the furniture. Fair enough. But in the business world, VR is a genuinely serious and rapidly growing technology.

IB Business Management Definition - AO2

Virtual reality (VR) is the use of computer-generated environments that enable users to immerse themselves and interact in simulated settings in real time.

The business applications go well beyond gaming. One of the most valuable uses is in staff training and development. Imagine you're training to be a surgeon. You don't want your first practice run to be on an actual patient. VR lets trainee surgeons perform virtual operations thousands of times before ever picking up a real scalpel - in a safe, controlled environment where mistakes don't cost lives. Airlines use the same principle for pilot training in flight simulators.

How Are businesses using VR right now?

The IB Business specification includes a helpful list of real applications - and they're worth knowing for the exam:

• Architecture and construction: virtual walkthroughs of buildings before they're built

• Entertainment: immersive concerts and film experiences

• Medical and healthcare: simulated surgeries and patient care training

• Product design and prototyping: testing designs before manufacturing

• Sports training: athletes rehearsing scenarios virtually

• Education: virtual visits to historical landmarks

• Real estate: virtual property tours

IB Business Management Real-life Example:

IKEA has used VR so customers can virtually "walk through" a room furnished with IKEA products before buying anything. Apple Vision Pro, launched in 2024, represents a major push from Apple into spatial computing - a premium VR/AR device priced at $3,499 aimed initially at business professionals who want to use it as a productivity tool. The market for VR is expected to grow significantly as hardware becomes cheaper and software more sophisticated.

The main limitation is cost. High-quality VR requires significant capital expenditure on specialised hardware and software - which puts it out of reach for many small and medium-sized businesses right now. But as with all technology, prices are falling fast.

Part 6: The Internet of Things - Is Your Fridge Watching You?

This one genuinely starts to feel like science fiction, but it's already absolutely everywhere in your life. The Internet of Things (IoT) is the idea that everyday physical objects - your phone, your smartwatch, your thermostat, your fridge (yes, really) - are all connected to the internet, quietly collecting and sharing data.

IB Business Management Definition - AO2

The Internet of Things (IoT) refers to the network of interconnected devices and appliances connected over the internet. These devices can collect, analyse, and share data using sensors, embedded processors, and communication technologies such as Wi-Fi, Bluetooth, and cellular networks.

You ask Alexa what the weather is, and Amazon is logging not just your question, but when you asked for it, what you asked before and after, and whether you bought the umbrella they suggested. Your Tesla monitors driving behaviour, adjusts braking algorithms, and sends usage data back to Tesla HQ overnight. A smart supermarket shelf can detect when a product is running low and automatically trigger a reorder.

For businesses, IoT means one thing above everything else: data. Vast, continuous, real-time data about how customers behave, how products are used, how assets are performing. That data feeds directly into analytics systems, enabling smarter decisions, lower costs, and better customer experiences.

IB Business Management Real-life Example:

Amazon Go stores use IoT at scale - hundreds of ceiling-mounted cameras and weight sensors on shelves track exactly what you pick up. When you walk out, your account is charged automatically. No checkout, no cashiers. It's a fully IoT-powered retail experience. Amazon has been expanding this model globally, and competitors like Tesco have trialled similar technology in the UK.

But of course, there are issues. IoT devices are notoriously vulnerable to cyberattacks. A hacker who gains access to an IoT device doesn't just mess with your smart speaker - in a business context, they could access the entire network the device is connected to. Cybersecurity and data privacy are major concerns for any business relying on IoT. Additionally, IoT requires well-designed critical infrastructure to function properly - and staying on top of rapidly evolving IoT technology is expensive and time-consuming.

Part 7: Artificial Intelligence - The Big Boss

You've been using Chat-GPT. You've seen AI art. You've probably asked an AI to help summarise your notes at some point this week. Artificial intelligence is no longer a future concept - it's already embedded in almost every business process on earth.

IB Business Management Definition - AO2

Artificial intelligence (AI) refers to management information systems that enable the simulation of human intelligence in machines programmed to think and learn in similar ways to human beings. It includes the ability to navigate maps, process natural language, and make complex decisions.

Machine learning (ML) is a branch of AI that allows systems to learn from big data and improve their performance without being explicitly reprogrammed.

Think about what that means in practice. Your email spam filter learns what spam looks like and gets better over time - without anyone reprogramming it. A bank's fraud detection system learns the patterns of your spending and flags anything unusual in real time. TikTok's algorithm (possibly the most powerful recommendation engine ever built) figures out within 30 minutes of you opening the app exactly what will keep you watching.

AI is being used across virtually every industry: diagnosing cancer from medical scans in healthcare, detecting fraud in real time in finance, personalising education in EdTech, optimising delivery routes in logistics. The EU AI Act, which came into force in 2024, represents the world's first major attempt to regulate AI - classifying AI systems by risk level and imposing strict rules on high-risk applications like hiring algorithms and credit scoring. Businesses operating in the EU need to take this regulation seriously.

IB Business Management Real-life Example:

Klarna, the Swedish buy-now-pay-later fintech giant, announced in 2024 that AI had replaced the equivalent of 700 customer service workers, handling two-thirds of customer chats with equal satisfaction scores to human agents. Meanwhile, NHS England has been trialling AI diagnostic tools that can detect diabetic retinopathy (a major cause of blindness) from eye scans with greater accuracy than human clinicians. The implications for businesses - and society - are enormous.

The limitations AI brings

Not everything AI offers is good news for businesses. There are significant challenges:

Data dependency: AI needs enormous volumes of high-quality data to function. If the training data is biased (for example, if a hiring AI was trained mostly on data from male applicants), the AI will replicate and amplify those biases - with real-world consequences for fairness and legality.

Infrastructure demands: Running advanced AI models requires powerful (and expensive) computing systems. Not every business can afford this at scale.

Integration complexity: AI doesn't operate in isolation. It needs to integrate with big data systems, IoT devices, databases, and data analytics platforms. Getting all these pieces to work together is technically complex and costly.

IB Business Management Exam Tip: The Big Picture - MIS as a System

Here's what your examiner really wants you to understand: none of these technologies exist in isolation.

Your IoT devices generate data → that data is stored in databases → data analytics tools process it → AI and machine learning extract insights → managers use those insights to make decisions.

It's one interconnected system. And the whole thing sits on critical infrastructure - cloud servers, data centres, ANNs - all of which must be protected by robust cybersecurity. Pull this picture together in an exam answer and you'll stand out.

Key Terms Cheat Sheet

IB Business Management Exam Practice Questions

These are original practice questions I have aligned to IB Assessment Objectives. They are not from past papers.

AO1 · 2 Marks

Define the term "ransomware" and state one example of how it can disrupt a business's operations.

AO1 · 2 marks

Distinguish between a database hosted on-premises and one hosted via cloud computing.

AO2 · 4 marks

Explain two ways in which a retail business could use the Internet of Things (IoT) to improve its operational efficiency.

AO2 · 4 marks

Explain the relationship between data analytics and artificial intelligence in supporting management decision making.

AO3 · 6 marks

Analyse the potential impact of a major ransomware attack on the stakeholders of a large e-commerce business. Use real-world examples where relevant.

AO3 · 6 marks

With reference to a business you have studied, analyse the costs and benefits of adopting cloud computing as a key element of its management information system.

AO4 · 10 marks

"Businesses that invest heavily in artificial intelligence will always gain a long-term competitive advantage over rivals who do not." To what extent do you agree with this statement? Justify your answer.

Exam Practice Model Answers

Each question includes a full model answer, an examiner note explaining what the marks reward, and a simplified mark scheme. Answers are written to the standard of a high-achieving HL student - aim to match the depth, not necessarily the exact wording. IB mark schemes always credit equivalent valid responses.

1- AO1, 2 Marks

Define the term "ransomware" and state one example of how it can disrupt a business's operations.

Ransomware is a form of malicious software (malware) that, once deployed on a victim's systems, encrypts files or entire networks and renders them inaccessible. The attacker then demands a ransom - typically in cryptocurrency - in exchange for a decryption key to restore access to the affected systems.

One example of operational disruption: a ransomware attack can force a business to suspend its e-commerce platform entirely, preventing customers from placing online orders and resulting in significant lost revenue until systems are restored. In the M&S attack of April 2025, online shopping was suspended for 46 days, costing an estimated £3.8 million per day in lost sales.

Lawrence's Note:

This is a straightforward AO1 definition question. One mark is awarded for a clear definition of ransomware (it must include the idea of encryption and/or blocking access AND the demand for payment). The second mark is for a distinct, specific example of operational disruption - "the business can't operate" alone is too vague. Specificity earns marks at IB, be precise.

Mark Scheme

[1]

Award one mark for a definition that identifies ransomware as malware/malicious software that encrypts systems or blocks access and demands payment to restore it.

[1]

Award one mark for a specific, valid example of operational disruption (e.g. suspension of online orders, inability to process payments, loss of access to customer databases, halting of production systems). Accept any valid response.

2- AO1, 2 Marks

Distinguish between a database hosted on-premises and one hosted via cloud computing.

An on-premises database is physically located and maintained within the business's own facilities. The organisation owns the hardware and software infrastructure, bears the full cost of purchase, maintenance, security, and upgrades, and has complete direct control over how the data is stored and accessed.

In contrast, a cloud-based database is hosted and managed by a third-party provider - such as Amazon Web Services (RDS) or Google Cloud SQL - and accessed remotely via the internet. The business pays a subscription or usage-based fee and does not need to invest in or maintain its own physical infrastructure. However, the business has less direct control over its data, and cybersecurity becomes a shared responsibility between the business and the cloud provider.

Lawrence's Note:

"Distinguish" means you must show a clear contrast - not just describe each separately. The key differences to draw out are: ownership of infrastructure, cost structure (capital vs. operating expenditure), level of control, and cybersecurity responsibility. A response that only defines one or states features without contrasting will not earn both marks. Note that real-world examples (AWS, Google Cloud SQL) strengthen the answer but are not strictly required at AO1.

Mark Scheme

[1]

Award one mark for identifying a key feature of on-premises hosting (e.g. owned infrastructure, higher upfront capital cost, direct control, maintained on-site).

[1]

Award one mark for a contrasting feature of cloud-based hosting that clearly differentiates it from on-premises (e.g. hosted by third party, subscription-based, accessible remotely, lower capital expenditure, reduced direct control). A mark may be awarded for explicitly stating the contrast between the two.

3- AO2, 4 Marks

Explain two ways in which a retail business could use the Internet of Things (IoT) to improve its operational efficiency.

1

Automated inventory management: IoT-enabled sensors on shelves can monitor stock levels in real time and automatically trigger replenishment orders when products fall below a defined threshold. This removes the need for manual stock checks, reduces the risk of overstocking or stockouts, and streamlines supply chain operations. For example, Amazon Go stores use weight sensors on shelves to track inventory continuously, reducing labour costs and improving stock accuracy. The result is a more efficient use of staff time and a reduction in wasted resource.

2

Smart energy management: IoT devices such as connected thermostats, lighting systems, and refrigeration units can automatically adjust to actual usage patterns in-store - dimming lights in empty aisles, regulating temperature more precisely, or shutting down equipment during off-hours. This reduces energy consumption and operating costs without requiring manual oversight. For a large supermarket chain running hundreds of stores, the cumulative savings from IoT-driven energy management can be significant, directly improving operational efficiency and reducing overhead costs.

Lawrence's Note

AO2 "explain" questions at 4 marks reward two distinct, developed points. The formula is: identify the use of IoT → explain the mechanism → link explicitly to operational efficiency. A student who only identifies IoT applications without explaining the efficiency link will score 1 mark per point at most. Real-world examples (Amazon Go, Tesco) strengthen the analysis but the link to efficiency is what earns the second mark per point. Do not describe two aspects of the same application - they must be genuinely distinct ways.

Mark Scheme

[1+1]

For each way: award one mark for identifying a valid IoT application in retail, and one mark for explaining how this specifically improves operational efficiency (e.g. reduces cost, saves labour time, reduces waste, speeds up processes). Accept any two distinct, valid IoT applications including: automated inventory management, smart energy systems, customer traffic tracking, connected logistics/delivery monitoring, automated checkout (cashier-less stores), predictive maintenance of equipment.

Max [4]

Maximum of 2 marks if only one way is explained, regardless of depth. Maximum of 2 marks if two ways are identified but the efficiency link is absent for both.

4- AO2, 4 Marks

Explain the relationship between data analytics and artificial intelligence in supporting management decision making.

Data analytics and artificial intelligence are closely interconnected components of a management information system, and their relationship is fundamentally one of interdependence.

Data analytics involves the collection, processing, and interpretation of large volumes of data - using statistical methods and visualisation tools - to extract meaningful patterns and insights. These processed insights provide the foundation on which AI systems are built and trained. Specifically, machine learning - a key branch of AI - uses the structured outputs of data analytics as its training input. The more high-quality, well-organised data that analytics provides, the more accurately the AI can learn, identify patterns, and generate predictive models.

In practice, this means AI systems improve the speed and scale at which data analytics can be applied to decision making. For example, a retail business may use data analytics to identify that a particular product category is declining in sales. An AI system, trained on historical sales and customer behaviour data, can then predict which specific products are at risk, suggest pricing adjustments, and flag reorder quantities - all in real time, far faster than a human analyst could. Together, data analytics and AI give managers a more complete, timely, and accurate picture on which to base strategic and operational decisions.

Lawrence's Note

This question is asking for the relationship - not just definitions of each. The highest-scoring responses will show that data analytics feeds AI (it provides the data AI needs to learn), and that AI enhances the output and speed of analytics (it processes at a scale no human team could). A response that defines both separately but does not show how they interact together is capped at 2 marks. The link to management decision making must also be explicit - the question is not just "what is AI and what is data analytics?"

Mark Scheme

[1]

Award one mark for demonstrating an understanding of data analytics as processing/interpreting data to extract insights.

[1]

Award one mark for demonstrating an understanding of AI/machine learning using data to learn and make predictions.

[1]

Award one mark for explaining the directional relationship: data analytics provides the input (data) that AI/ML systems learn from and build upon.

[1]

Award one mark for linking the combined effect of both to improved management decision making (e.g. faster, more accurate, real-time, predictive, at greater scale). Accept a valid real-world example that demonstrates the link.

5- AO3, 6 Marks

Analyse the potential impact of a major ransomware attack on the stakeholders of a large e-commerce business. Use real-world examples where relevant.

A ransomware attack on a large e-commerce business can have severe and wide-ranging consequences across multiple stakeholder groups, with impacts that are both immediate and long-lasting.

Customers are among the most directly affected stakeholders. The attack typically disrupts online services - preventing customers from placing orders, accessing accounts, or using loyalty programmes. Beyond inconvenience, customers may have their personal data exposed: names, addresses, order histories, and in some cases masked payment information. The April 2025 ransomware attack on M&S resulted in the theft of personal data for millions of customers, forcing the company to issue password reset requests and notify affected individuals. Research suggests that approximately 60% of consumers avoid a breached retailer following a cyberattack, meaning customer loss can be a significant long-term consequence. The damage to customer trust may outlast the technical recovery by months or years.

Shareholders and investors face immediate and measurable financial losses. The encryption of critical systems forces the business to suspend revenue-generating operations. In M&S's case, the suspension of online orders - representing roughly a third of clothing and home sales - generated estimated daily losses of £3.8 million. Investor confidence fell sharply, with over £750 million wiped from M&S's market capitalisation in the days following the attack, and pre-tax profits for the half-year period collapsing from £391.9 million to just £3.4 million. Even where cyber insurance partially offsets direct costs, the reputational damage continues to affect shareholder value.

Employees face uncertainty, increased workload, and in some cases job insecurity. During the M&S attack, nearly 200 job listings were removed from the company's website as the business paused recruitment - suggesting knock-on effects for hiring and workforce planning. Staff in customer service roles face heightened pressure as they manage increased complaints and queries, while IT and operations teams must work intensively to restore systems.

However, the severity of the impact varies depending on the quality of the business's contingency planning. Businesses with robust incident response plans, comprehensive data backups, and cyber insurance in place can contain the damage more effectively. The M&S case also illustrates that strong brand equity and customer loyalty can partially cushion the reputational impact - some customers actively chose to shop in M&S stores in solidarity during the crisis. This suggests that while a ransomware attack is always damaging, its ultimate impact on stakeholders is shaped significantly by how well-prepared the business was beforehand.

Lawrence' s Note

AO3 "analyse" questions require more than a list of impacts - they require development, real-world grounding, and some level of critical judgement. The model answer covers three distinct stakeholder groups in depth and closes with a nuanced qualifier (impact depends on contingency planning). This is the structure that pushes answers into the top mark band: impact → development → example → qualification. Avoid treating all stakeholders as equally affected - the best responses show differentiated understanding. You do not need to cover every possible stakeholder, but you must cover at least two substantively.

Mark Scheme

Indicative Band Descriptors

[5–6]

A well-developed analysis of the impact on at least two stakeholder groups, with specific development of each point and relevant real-world examples. Some attempt to qualify or contextualise the analysis (e.g. acknowledging that impact varies by preparedness, brand strength, or type of attack). Clear, organised, and free of significant factual errors.

[3–4]

Analysis of at least two stakeholder groups with reasonable development. Real-world examples present but may be limited or generic. Limited qualification or nuance. Generally accurate.

[1–2]

Identifies one or two stakeholder impacts but with limited development. Response reads more as a list than an analysis. Few or no real-world examples. Limited connection between the attack and the specific stakeholder consequence.

6- AO3, 6 Marks

With reference to a business you have studied, analyse the costs and benefits of adopting cloud computing as a key element of its management information system.

Business used: Netflix

Netflix is one of the most prominent examples of a business that has committed entirely to cloud computing infrastructure - migrating all of its operations to Amazon Web Services (AWS) between 2008 and 2016. Analysing Netflix's experience allows for a nuanced evaluation of both the substantial benefits and the real costs of this strategic choice.

Benefits: The most significant benefit for Netflix has been scalability. By using cloud computing, Netflix can instantly scale its computing capacity up or down to meet demand - for example, when a highly anticipated series is released and viewership spikes overnight. This would be impossible to manage cost-effectively with on-premises data centres, which would require enormous permanent capacity that sits idle most of the time. Cloud computing also dramatically reduced Netflix's capital expenditure - instead of investing billions in physical infrastructure, the company pays AWS on a usage basis. This frees up capital for content production, which is Netflix's primary source of competitive advantage. Additionally, cloud infrastructure gives Netflix's developers the tools to process and analyse vast quantities of user data in real time, powering its recommendation algorithm - one of its most strategically important competitive assets.

Costs and limitations: However, the reliance on a third-party cloud provider introduces significant cybersecurity vulnerability. Netflix's entire operation depends on the security of AWS's systems - any breach of the cloud provider's infrastructure could expose Netflix's data and disrupt its service globally. There is also the issue of vendor dependency: Netflix is deeply tied to AWS, giving Amazon considerable pricing power in contract negotiations. Furthermore, operating costs can become significant at scale - Netflix's annual AWS bill reportedly runs to billions of dollars, creating a substantial and growing operating expense that rises with user growth.

On balance, for a streaming business where technical scalability and real-time data processing are core operational requirements, the benefits of cloud computing outweigh the costs. However, this judgement may not hold for businesses in more sensitive industries - such as healthcare or finance - where data sovereignty and regulatory compliance may make on-premises hosting more appropriate despite the higher upfront cost.

Lawrence's Note

This question demands both a named business and genuine two-sided analysis - it is not enough to list benefits only. The phrase "with reference to a business you have studied" is an instruction, not a suggestion. Any well-known business is acceptable - Apple, Amazon, Spotify, Zara, NHS, etc. - provided the analysis is relevant and specific to that business. The top marks go to responses that not only present costs and benefits but offer a reasoned judgement on which outweighs the other, given the specific context of the business chosen.

Mark Scheme

Indicative Band Descriptors

[5–6]

Clearly named business with specific, relevant reference throughout. Well-developed analysis of at least two distinct benefits AND at least one cost/limitation. Some evaluative element - e.g. qualifying which outweighs the other, or noting that the balance depends on the type of business. Answers may be awarded 6 if the analysis is particularly thorough and the evaluative conclusion is well-reasoned.

[3–4]

Named business present but references may be generic. Two-sided analysis attempted but one side may be underdeveloped. Limited evaluative conclusion.

[1–2]

One-sided response (benefits only, or costs only), OR no business named/referenced. Little development of individual points. Essentially a list of features of cloud computing rather than an analysis in context.

7- AO4, 10 Marks

"Businesses that invest heavily in artificial intelligence will always gain a long-term competitive advantage over rivals who do not." To what extent do you agree with this statement? Justify your answer.

The statement contains a kernel of truth - AI investment can and does generate significant competitive advantages - but the word "always" makes it too absolute. Whether AI investment translates into sustainable long-term advantage depends on a range of business-specific and contextual factors, and the evidence suggests a more nuanced picture.

Arguments in support of the statement:

There are compelling examples where heavy AI investment has produced durable competitive advantages. Amazon's AI infrastructure underpins almost every aspect of its business model: its recommendation engine (reportedly responsible for 35% of total revenue), its supply chain and logistics optimisation, its cashier-less Amazon Go stores, and its AWS cloud services. The cumulative effect of these AI investments has created network effects and data advantages that are extremely difficult for competitors to replicate - a true, sustained competitive moat.

Similarly, Netflix has invested heavily in AI-driven personalisation. Its recommendation algorithm reduces churn by presenting each user with content tailored specifically to them, creating a stickier product than competitors offering a less personalised experience. Without this AI capability, Netflix would simply be another streaming library - the AI investment is a key differentiator.

In both cases, AI investment has also produced significant operational efficiency gains - reducing costs, speeding up processes, and enabling the business to do things at a scale that human labour alone could not achieve. Klarna, the fintech company, reported in 2024 that AI had replaced the equivalent work of 700 customer service agents, reducing costs while maintaining customer satisfaction levels.

Arguments against the statement - why "always" is too strong:

However, several factors can prevent AI investment from translating into long-term competitive advantage. First, AI investment carries substantial risk. AI systems are only as good as the data they are trained on - biased, incomplete, or low-quality data produces unreliable outputs, and businesses have faced legal, reputational, and regulatory consequences as a result. The EU AI Act (2024) now imposes strict requirements on high-risk AI applications, and non-compliance carries heavy financial penalties.

Second, investment alone is not sufficient. AI requires integration with broader MIS infrastructure - IoT devices, databases, data analytics platforms - and the cultural and organisational capability to use AI insights effectively. A business that invests heavily in AI tools but lacks the internal skills to interpret and act on their outputs will not gain an advantage. The technology is only as valuable as the human decision-making that surrounds it.

Third, in some sectors - particularly highly regulated industries such as healthcare, finance, and legal services - the pace of AI adoption is constrained by compliance requirements, meaning that heavy AI investment may not rapidly translate into competitive advantage even if the tools are excellent.

Finally, if AI tools are widely available via cloud platforms (as they increasingly are through services like Microsoft Azure AI or Google Vertex AI), the competitive advantage from AI investment may be temporary rather than permanent. If every competitor can access similar tools at similar cost, the advantage is quickly competed away.

Conclusion:

On balance, I agree that strategic AI investment can generate significant long-term competitive advantages - particularly for businesses where data is at the core of the value proposition, such as e-commerce, streaming, and fintech. However, the statement overstates the case by using "always." AI investment creates the potential for competitive advantage, but realising that potential depends on data quality, organisational capability, integration with wider MIS, and the regulatory environment. A business that invests heavily in AI without addressing these supporting factors may not gain a lasting edge - and may in fact create new vulnerabilities, particularly around cybersecurity and data compliance. The most accurate framing is that AI investment is a necessary but not sufficient condition for long-term competitive advantage in the modern business environment.

Lawrence's Note

AO4 essays are assessed on the quality of your argument and the strength of your justification - not on how many points you include. The model answer demonstrates:

(1) a clear, nuanced position stated early;

(2) well-developed arguments on both sides, each anchored with specific real-world examples;

(3) engagement with the specific language of the statement ("always" is the word to interrogate); and...

(4) a justified, qualified conclusion that doesn't sit on the fence but acknowledges complexity. A common mistake is writing a list of advantages and disadvantages without connecting them to a coherent argument. The IB Business examiner wants to see you think, not just recall facts.

Mark Scheme

Stay well,

Explore Topics:

IB Business Management Hub Page

IB Business Management Module 5 Operations Management Hub Page

IB Business Management Toolkit Page

IB Business Management Activity Book Page

IB Business Management Crisis Management & Contingency Planning Page