Is 8

Ace your studies with our custom writing services! We've got your back for top grades and timely submissions, so you can say goodbye to the stress. Trust us to get you there!

Order a Similar Paper Order a Different Paper

Two questions need help with.

Read Chapter 12

Unit VIII Journal

Questions 1


Identify a skill or knowledge that you learned in this course, and explain how you can apply it to increase success in your career in a real-world scenario.

Your journal entry must be at least 200 words in length. No references or citations are necessary.

Questions 2

Unit VIII Essay


In this final assignment, you will develop a paper that reviews some of the main topics covered in the course. Compose an essay to address the following:

Identify the components of an information system using the five-component framework and provide a brief summary of each.

Explain Porter’s five forces model.

Management information systems incorporate software and hardware technologies to provide useful information for decision-making. Explain each of the following information systems and use at least one example in each to support your discussion:

A collaboration information system.

A database management system.

A content management system.

A knowledge management/expert system.

A customer relationship management system.

An enterprise resource planning system.

A social media information system.

A business intelligence/decision support system.

An enterprise information system.

Identify and discuss one technical and one human safeguard to protect against IS security threats.

There are several processes that can be used to develop information systems and applications such as SDLC and SCRUM (Agile Development). Provide a brief description of SDLC and SCRUM and then discuss at least one similarity and one difference between SDLC and SCRUM.

Sum up your paper by discussing the importance of MIS.

Your paper must be at least three pages long, and you must use at least two resources. Be sure to cite all sources used in APA format and format your essay in APA style.

Lesson 10

Information Systems Security

Lesson Preview


This lesson provides an overview of the major components of information systems security. We begin in Q10-1 by defining the goals of IS security and then, in Q10-2, discuss the size of the computer security problem. Next, in Q10-3, we address how you, both as a student today and as a business professional in the future, should respond to security threats. Then, in Q10-4, we ask what organizations need to do to respond to security threats. After that, Q10-5 through Q10-7 address security safeguards. Q10-5 discusses technical safeguards that involve hardware and software components, Q10-6 addresses data safeguards, and Q10-7 discusses human safeguards that involve procedure and people components. Q10-8 then summarizes what organizations need to do when they experience a security incident, and we wrap up the lesson with a preview of IS security in 2031.

Unfortunately, threats to data and information systems are increasing and becoming more complex. In fact, the U.S. Bureau of Labor Statistics estimates that demand for security specialists will increase by more than 32 percent between 2018 and 2028 with a median salary of $99,730. This is strong growth considering computer occupations are projected to grow at 13 percent and all occupations at 5 percent.1 If you find this topic attractive, majoring in information systems with a security specialty would open the door to many interesting jobs.

Q10-1 What Is the Goal of Information Systems Security?


Information systems security is really about trade-offs. In one sense, it’s a trade-off between security and freedom. For example, organizations can increase the security of their information systems by taking away users’ freedom to choose their own passwords and force them to choose stronger passwords that are difficult for hackers to crack.

Another way to look at information systems security, and the primary focus of this lesson, is that it’s a trade-off between cost and risk. To understand the nature of this trade-off, we begin with a description of the security threat/loss scenario and then discuss the sources of security threats. Following that, we’ll state the goal of information systems security.

The IS Security Threat/Loss Scenario


Figure 10-1 illustrates the major elements of the security problem that individuals and organizations confront today. A threat is a person or organization that seeks to obtain or alter data or other IS assets illegally, without the owner’s permission and often without the owner’s knowledge. A vulnerability is an opportunity for threats to gain access to individual or organizational assets. For example, when you buy something online, you provide your credit card data; when that data is transmitted over the Internet, it is vulnerable to threats. A safeguard is some measure that individuals or organizations take to block the threat from obtaining the asset. Notice in Figure 10-1 that safeguards are not always effective; some threats achieve their goal despite safeguards. Finally, the target is the asset that is desired by the threat.

 Figure 10-1: Threat/Loss Scenario
Figure 10-2 shows examples of threats/targets, vulnerabilities, safeguards, and results. In the first two rows, a hacker (the threat) wants your bank login credentials (the target) to access your bank account. If you click on links in emails, you can be directed to phishing sites that look identical to your bank’s website. Phishing sites don’t typically use https. If, as shown in the first row of Figure 10-2, you always access your bank’s site using https rather than http (discussed in Q10-5), you will be using an effective safeguard, and you will successfully counter the threat.

Figure 10-2: Examples of Threat/Loss






Hacker wants to steal your bank login credentials

Hacker creates a phishing site nearly identical to your online banking site

Only access sites using https

No loss

Effective safeguard


Loss of login credentials

Ineffective safeguard

Employee posts sensitive data to public Facebook group

Public access to not-secure group

Passwords Procedures Employee training

Loss of sensitive data

Ineffective safeguard

If, however, as described in the second row of Figure 10-2, you access what appears to be your bank’s site without using https (i.e., an unsecured site), you have no safeguard at all. Your login credentials can be quickly recorded and resold to other criminals.

The bottom row of Figure 10-2 shows another situation. Here an employee at work obtains sensitive data and posts it on what he thinks is a work-only Facebook group. However, the employee errs and instead posts it to a public group. The target is the sensitive data, and the vulnerability is public access to the group. In this case, there are several safeguards that should have prevented this loss; the employee needed passwords to obtain the sensitive data and to join the private, work-only group. The employer has procedures that state employees are not to post confidential data to any public site, such as Facebook, but these procedures were either unknown or ignored. A third safeguard is the training that all employees are given. Because the employee ignores the procedures, though, all of those safeguards are ineffective and the data is exposed to the public.

What Are the Sources of Threats?


Figure 10-3 summarizes the sources of security threats. The type of threat is shown in the columns, and the type of loss is shown in the rows.

Figure 10-3: Security Problems and Sources


Human Error

Computer Crime

Natural Disasters


Unauthorized Data Disclosure

Procedural mistakes


Disclosure during recovery

Incorrect Data Modification

Procedural mistakes
Incorrect procedures
Ineffective accounting controls
System errors


Incorrect data recovery

Faulty Service

Procedural mistakes
Development and installation errors


Service improperly restored

Denial of Service (DoS)


DoS attacks

Service interruption

Loss of Infrastructure


Terrorist activity

Property loss

Human Error
Human errors and mistakes include accidental problems caused by both employees and nonemployees. An example is an employee who misunderstands operating procedures and accidentally deletes customer records. Another example is an employee who, in the course of backing up a database, inadvertently installs an old database on top of the current one. This category also includes poorly written application programs and poorly designed procedures. Finally, human errors and mistakes include physical accidents, such as driving a forklift through the wall of a computer room.

Computer Crime
The second threat type is computer crime. This threat type includes employees and former employees who intentionally destroy data or other system components. It also includes hackers who break into a system and virus and worm writers who infect computer systems. Computer crime also includes terrorists and those who break into a system to steal for financial gain.

Natural Events and Disasters
Natural events and disasters are the third type of security threat. This category includes fires, floods, hurricanes, earthquakes, tsunamis, avalanches, and other acts of nature. Problems in this category include not only the initial loss of capability and service, but also losses stemming from actions to recover from the initial problem.

What Types of Security Loss Exist?


Five types of security loss exist: unauthorized data disclosure, incorrect data modification, faulty service, denial of service, and loss of infrastructure. Consider each.

Unauthorized Data Disclosure
Unauthorized data disclosure occurs when a threat obtains data that is supposed to be protected. It can occur by human error when someone inadvertently releases data in violation of policy. An example at a university is a department administrator who posts student names, identification numbers, and grades in a public place, when the releasing of names and grades violates state and federal law. Another example is employees who unknowingly or carelessly release proprietary data to competitors or to the media. WikiLeaks is a famous example of unauthorized disclosure; the situation described in the third row of Figure 10-2 is another example.

The popularity and efficacy of search engines have created another source of inadvertent disclosure. Employees who place restricted data on websites that can be reached by search engines might mistakenly publish proprietary or restricted data over the Web.

Of course, proprietary and personal data can also be released and obtained maliciously. Pretexting occurs when someone deceives by pretending to be someone else. A common scam involves a telephone caller who pretends to be from a credit card company and claims to be checking the validity of credit card numbers: “I’m checking your Mastercard number; it begins with 5491. Can you verify the rest of the number?” Thousands of Mastercard numbers start with 5491; the caller is attempting to steal a valid number.

Phishing is a similar technique for obtaining unauthorized data that uses pretexting via email. The phisher pretends to be a legitimate company and sends an email requesting confidential data, such as account numbers, Social Security numbers, account passwords, and so forth.

Spoofing is another term for someone pretending to be someone else. If you pretend to be your professor, you are spoofing your professor. IP spoofing occurs when an intruder uses another site’s IP address to masquerade as that other site. Email spoofing is a synonym for phishing.

Sniffing is a technique for intercepting computer communications. With wired networks, sniffing requires a physical connection to the network. With wireless networks, no such connection is required: Wardrivers simply take computers with wireless connections through an area and search for unprotected wireless networks. They use packet sniffers, which are programs that capture network traffic to monitor and intercept traffic on unsecured wireless (or wired) networks. Even protected wireless networks are vulnerable, as you will learn. Spyware and adware are two other sniffing techniques discussed later in this lesson.

Other forms of computer crime include hacking, which is breaking into computers, servers, or networks to steal data such as customer lists, product inventory data, employee data, and other proprietary and confidential data.

Finally, people might inadvertently disclose data during recovery from a natural disaster. During a recovery, everyone is so focused on restoring system capability that they might ignore normal security safeguards. A request such as “I need a copy of the customer database backup” will receive far less scrutiny during disaster recovery than at other times.

Incorrect Data Modification
The second type of security loss in Figure 10-3 is incorrect data modification. Examples include incorrectly increasing a customer’s discount or incorrectly modifying an employee’s salary, earned days of vacation, or annual bonus. Other examples include placing incorrect information, such as incorrect price changes, on a company’s website or company portal.

Incorrect data modification can occur through human error when employees follow procedures incorrectly or when procedures have been designed incorrectly. For proper internal control on systems that process financial data or control inventories of assets, such as products and equipment, companies should ensure separation of duties and authorities and have multiple checks and balances in place.

A final type of incorrect data modification caused by human error includes system errors. An example is the lost-update problem discussed in Lesson 5.

Computer criminals can make unauthorized data modifications by hacking into a computer system. For example, hackers could hack into a system and transfer people’s account balances or place orders to ship goods to unauthorized locations and customers.

Finally, faulty recovery actions after a disaster can result in incorrect data changes. The faulty actions can be unintentional or malicious.

Faulty Service
The third type of security loss, faulty service, includes problems that result because of incorrect system operation. Faulty service could include incorrect data modification, as just described. It also could include systems that work incorrectly by sending the wrong goods to a customer or the ordered goods to the wrong customer, inaccurately billing customers, or sending the wrong information to employees. Humans can inadvertently cause faulty service by making procedural mistakes. System developers can write programs incorrectly or make errors during the installation of hardware, software programs, and data.

Usurpation occurs when computer criminals invade a computer system and replace legitimate programs with their own, unauthorized ones that shut down legitimate applications and substitute their own processing to spy, steal and manipulate data, or achieve other purposes. Faulty service can also result when service is improperly restored during recovery from natural disasters.

Denial of Service
Human error in following procedures or a lack of procedures can result in denial of service (DoS), the fourth type of loss. For example, humans can inadvertently shut down a Web server or corporate gateway router by starting a computationally intensive application. An OLAP application that uses the operational DBMS can consume so many DBMS resources that order-entry transactions cannot get through.

Computer criminals can launch an intentional denial-of-service attack in which a malicious hacker floods a Web server, for example, with millions of bogus service requests that so occupy the server that it cannot service legitimate requests. Also, computer worms can infiltrate a network with so much artificial traffic that legitimate traffic cannot get through. Finally, natural disasters may cause systems to fail, resulting in denial of service.

Loss of Infrastructure
Many times, human accidents cause loss of infrastructure, the last loss type. Examples are a bulldozer cutting a conduit of fiber-optic cables and a floor buffer crashing into a rack of Web servers.

Theft and terrorist events also cause loss of infrastructure. For instance, a disgruntled, terminated employee might walk off with corporate data servers, routers, or other crucial equipment. Terrorist events also can cause the loss of physical plants and equipment.

Natural disasters present the largest risk for infrastructure loss. A fire, flood, earthquake, or similar event can destroy data centers and all they contain.

You may be wondering why Figure 10-3 does not include terms such as viruses, worms, and Trojan horses. The answer is that viruses, worms, and Trojan horses are techniques for causing some of the problems in the figure. They can cause a denial-of-service attack, or they can be used to cause malicious, unauthorized data access or data loss.

Finally, a new threat term has come into recent use. An Advanced Persistent Threat (APT) is a sophisticated, possibly long-running computer hack that is perpetrated by large, well-funded organizations such as governments. APTs can be a means to engage in cyberwarfare and cyber-espionage.

An example of an APT is a group called APT41 (Double Dragon), which is allegedly a covert, financially motivated, state-sponsored hacking group based out of China. In 2020, security researchers at FireEye released a detailed report describing APT41’s tools, tactics, and procedures.2 More specifically, it showed how APT41 is targeting healthcare and technology companies. Before 2015 the hacking group was focused on stealing intellectual property (source code). But since 2017 the group has focused on hacking supply chains, cryptocurrency manipulation, intelligence gathering, and injecting malware into legitimate software updates sent to consumers. If you work in the military or for intelligence agencies, you will certainly be concerned, if not involved, with APTs. We return to this topic in Q10-9.

Goal of Information Systems Security


As shown in Figure 10-1, threats can be stopped, or if not stopped, the costs of loss can be reduced by creating appropriate safeguards. Safeguards are, however, expensive to create and maintain. They also reduce work efficiency by making common tasks more difficult, adding additional labor expense. The goal of information security is to find an appropriate trade-off between the risk of loss and the cost of implementing safeguards.

Business professionals need to consider that trade-off carefully. In your personal life, you should certainly employ antivirus software. You should probably implement other safeguards that you’ll learn about in Q10-3. Some safeguards, such as deleting browser cookies, will make using your computer more difficult. Are such safeguards worth it? You need to assess the risks and benefits for yourself.

Similar comments pertain to organizations, though they need to go about it more systematically. The bottom line is not to let the future unfold without careful analysis and action as indicated by that analysis. Get in front of the security problem by making the appropriate trade-off for your life and your business.

Knowledge Check

Q10-2 How Big Is the Computer Security Problem?


We do not know the full extent of the financial and data losses due to computer security threats. Certainly, the losses due to human error are enormous, but few organizations compute those losses, and even fewer publish them. However, a 2019 security report by Risk Based Security reported the loss of 15 billion personal records in a record 7,000 security incidents.3 Some of the more notable data breaches include the loss of user accounts at Sina Weibo (538 million), OxyData (380 million), Zynga (218 million), and Capital One (100 million). And that’s not even counting the loss of more than 137 million financial records from Canva or the loss of 161 million Dubsmash accounts. More than 84 percent of user records stolen were taken by external attackers via Web vulnerabilities (89 percent) or direct hacking (10 percent). Keep in mind that these are only the companies that made the news and voluntarily reported their losses.

Losses due to natural disasters are also enormous and nearly impossible to compute. The 2011 earthquake in Japan, for example, shut down Japanese manufacturing, and losses rippled through the supply chain from the Far East to Europe and the United States. One can only imagine the enormous expense for Japanese companies as they restored their information systems.

Furthermore, no one knows the cost of computer crime. For one, there are no standards for tallying crime costs. Does the cost of a denial-of-service attack include lost employee time, lost revenue, or long-term revenue losses due to lost customers? Or if an employee loses a $2,000 laptop, does the cost include the value of the data that was on it? Does it include the cost of the time of replacing it and reinstalling software? Or if someone steals next year’s financial plan, how is the cost of the value that competitors glean determined?

Protecting data from internal hackers is an important issue, as discussed in the Ethics Guide.

Second, all the studies on the cost of computer crime are based on surveys. Different respondents interpret terms differently, some organizations don’t report all their losses, and some won’t report computer crime losses at all. Absent standard definitions and a more accurate way of gathering crime data, we cannot rely on the accuracy of any particular estimate. The most we can do is look for trends by comparing year-to-year data, assuming the same methodology is used by the various types of survey respondents.

Figure 10-4 shows the results of a survey performed by Accenture plc, a multinational professional services company, and the Ponemon Institute. It shows the percentage of companies experiencing the most common types of attacks. It appears the most common attack type was malware (98 percent).5 Unfortunately, this type of attack doesn’t seem to be decreasing anytime soon. Other types of attacks are also fairly stable over time, except for ransomware, which has increased dramatically. Figure 10-5 shows that the costs for these attacks are all increasing over time.

 Figure 10-4: Percentage of Companies Experiencing Attack by Attack Type

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2019.

 Figure 10-5: Computer Crime Costs

Source: Based on Accenture, The Cost of Cyber Crime Study, March 2019.

In addition to this data, Accenture also surveyed losses by type of asset compromised. It found that information loss was the single most expensive consequence of computer crime averaging $5.9M in losses annually per firm in 2018. Business disruption was the second highest cost, at $4.0M. Equipment losses and damages were only $0.5M of the lost value. Clearly, value lies in data and not in hardware!

Accenture also reported that 60 percent of internal costs related to cybercrime come from discovery (36 percent) and containment (24 percent). The next most costly activities were investigation (22 percent) and recovery (18 percent).

The 2019 Cost of Computer Crime Study includes an in-depth analysis of the effect of different security policies on the savings in computer crime. The bottom line is that organizations that spend more to create the safeguards discussed in Q10-4 through Q10-7 (later in this lesson) experience less computer crime and suffer smaller losses when they do. Security safeguards do work!

If you search for the phrase computer crime statistics on the Web, you will find numerous similar studies. Some are based on dubious sampling techniques and seem to be written to promote a particular safeguard product or point of view. Be aware of such bias as you read.

Using the Accenture study, the bottom line, as of 2019, is:

· Ransomware and malicious insider attacks are increasingly serious security threats.

· Information loss and business disruption are principal costs of computer crime.

· Discovery and containment account for over half of the internal costs related to cyber intrusions.

· Security safeguards work.

Q10-3 How Should You Respond to Security Threats?


As stated at the end of Q10-1, your personal IS security goal should be to find an effective trade-off between the risk of loss and the cost of safeguards. However, few individuals take security as seriously as they should, and most fail to implement even low-cost safeguards.

Figure 10-6 lists recommended personal security safeguards. The first safeguard is to take security seriously. You cannot see the attempts that are being made, right now, to compromise your computer. However, they are there.

Figure 10-6: Personal Security Safeguards

· Take security seriously

· Create strong passwords

· Use multiple passwords

· Send no valuable data via email or IM

· Use https at trusted, reputable vendors

· Remove high-value assets from computers

· Clear browsing history, temporary files, and cookies (CCleaner or equivalent)

· Regularly update antivirus software

· Demonstrate security concern to your fellow workers

· Follow organizational security directives and guidelines

· Consider security for all business initiatives

Unfortunately, the first sign you receive that your security has been compromised will be bogus charges on your credit card or messages from friends complaining about the disgusting email they just received from your email account. Computer security professionals run intrusion detection systems to detect attacks. An intrusion detection system (IDS) is a computer program that senses when another computer is attempting to scan or access a computer or network. IDS logs can record thousands of attempts each day. If these attempts come from outside the country, there is nothing you can do about them except use reasonable safeguards.

If you decide to take computer security seriously, the single most important safeguard you can implement is to create and use strong passwords. We discussed ways of doing this in Lesson 1. To summarize, do not use any word, in any language, as part of your password. Use passwords with a mixture of upper- and lowercase letters and numbers and special characters.

Such nonword passwords are still vulnerable to a brute force attack in which the password cracker tries every possible combination of characters. A brute force attack can crack a six-character password of either upper- or lowercase letters in a couple minutes. However, a brute force attack of a six-character password having a mixture of upper- and lowercase letters, numbers, and special characters can take hours. A 10-digit password of only upper- and lowercase letters can take years to crack, but one using a mix of letters, numbers, and special characters may require hundreds of years. A 12-digit, letter-only password may require thousands of years, and a 12-digit mixed password may take millions of years. All of these estimates assume, of course, that the password contains no word in any language. The bottom line is this: Use long passwords with no words, 12 or more characters, and a mix of letters, numbers, and special characters.

In addition to using long, complex passwords, you should also use different passwords for different sites. That way, if one of your passwords is compromised, you do not lose control of all of your accounts. Attackers use credential stuffing, or the automated injection of stolen usernames and passwords, to gain access to multiple websites. Credential stuffing is becoming very common because of password reuse, or the use of login information to access multiple sites.

Make sure you use very strong passwords for important sites (like your bank’s site), and do not reuse those passwords on less important sites (like your social networking sites). Some sites are focused on innovating products and may not allocate the same amount of resources to protect your information. Guard your information with a password it deserves.

Never send passwords, credit card data, or any other valuable data in email or IM. As stated numerous times in this text, most email and IM is not protected by encryption (see Q10-5), and you should assume that anything you write in email or IM could find its way to the front page of The New York Times tomorrow.

Buy only from reputable online vendors using a secure https connection. If the vendor does not support https in its transactions (look for https:// in the address line of your browser), do not buy from that vendor.

You can reduce your vulnerability to loss by removing high-value assets from your computers. Now, and especially later as a business professional, make it your practice not to travel out of your office with a laptop or other device that contains any data that you do not need. In general, store proprietary data on servers or removable devices that do not travel with you. (Microsoft 365, by the way, uses https to transfer data to and from SharePoint. You can use it or a similar application for processing documents from public locations such as airports while you are traveling.)

Your browser automatically stores a history of your browsing activities and temporary files that contain sensitive data about where you’ve visited, what you’ve purchased, what your account names and passwords are, and so forth. It also stores cookies, which are small files that your browser receives when you visit websites. The cookie might contain data such as the date you last visited, whether you are currently signed in, or something else about your interaction with that site. Cookies enable you to access websites without having to sign in every time, and they speed up processing of some sites.

A third-party cookie is a cookie created by a site other than the one you visited. Such cookies are generated in several ways, but the most common occurs when a Web page includes content from multiple sources. For example, Amazon designs its pages so that one or more sections contain ads provided by the ad-servicing company DoubleClick. When the browser constructs your Amazon page, it contacts DoubleClick to obtain the content for such sections (in this case, ads). When it responds with the content, DoubleClick instructs your browser to store a DoubleClick cookie. That cookie is a third-party cookie. In general, third-party cookies do not contain the name or any value that identifies a particular user. Instead, they include the IP address to which the content was delivered.

On its own servers, when it creates the cookie, DoubleClick records that data in a log, and if you click on the ad, it will add the fact of that click to the log. This logging is repeated every time DoubleClick shows an ad. Cookies have an expiration date, but that date is set by the cookie creator, and they can last many years. So, over time, DoubleClick and any other third-party cookie owner will have a history of what they’ve shown, what ads have been clicked, and the intervals between interactions.

But the opportunity is even greater. DoubleClick has agreements not only with Amazon but also with many others, such as Facebook. If Facebook includes any DoubleClick content on its site, DoubleClick will place another cookie on your computer. This cookie is different from the one that it placed via Amazon, but both cookies have your IP address and other data sufficient to associate the second cookie as originating from the same source as the first. So, DoubleClick now has a record of your ad response data on two sites. Over time, the cookie log will contain data to show not only how you respond to ads but also your pattern of visiting various websites on all those sites in which it places ads.

Unfortunately, some cookies contain sensitive security data and may be used to track you in ways you may not realize. The best safeguard is to remove your browsing history, temporary files, and cookies from your computer and to set your browser to disable history and cookies.

CCleaner is a free, open source product that will do a thorough job of securely removing all such data (CCleaner). You should make a backup of your data before using CCleaner.

Removing and disabling cookies presents an excellent example of the trade-off between improved security and cost. Your security will be substantially improved, but your computer will be more difficult to use. You decide, but make a conscious decision; do not let ignorance of the vulnerability of such data make the decision for you.

We will address the use of antivirus software in Q10-5. The last three items in Figure 10-6 apply once you become a business professional. With your coworkers, and especially with those whom you manage, you should demonstrate a concern and respect for security. You should also follow all organizational security directives and guidelines. Finally, consider security in all of your business initiatives.

Knowledge Check

Q10-4 How Should Organizations Respond to Security Threats?


Q10-3 discussed ways that you as an individual should respond to security threats. In the case of organizations, a broader and more systematic approach needs to be taken. In 2020, 53 percent of global CEOs were “extremely concerned” about the impact of cyber threats on their organizations.7 To begin, senior management needs to address two critical security functions: security policy and risk management.

See what a typical workday would look like for someone who works as a security engineer in the Career Guide.

Security Policy


Considering the first, senior management must establish a company-wide security policy, or a document that states the rules and procedures that protect an organization’s information systems and data. Take, for example, a data security policy that states the organization’s posture regarding data that it gathers about its customers, suppliers, partners, and employees. At a minimum, the policy should stipulate:

· What sensitive data the organization will store?

· How it will process that data?

· Whether data will be shared with other organizations?

· How employees and others can obtain copies of data stored about them?

· How employees and others can request changes to inaccurate data?

The specifics of a policy depend on whether the organization is governmental or nongovernmental, on whether it is publicly held or private, on the organization’s industry, on the relationship of management to employees, and on other factors. As a new hire, seek out your employer’s security policy if it is not discussed with you in new-employee training.

A common pitfall of creating security policies is to make too many overly strict rules. Too many authoritarian rules can irritate employees and make them feel like they’re not trusted. They can even reduce employee productivity or, worse, drive away key employees. Too many security policies can also lead to information security fatigue, or a reluctance to deal with information security due to feeling overwhelmed. Users can become overwhelmed when they’re asked to make too many complex security decisions. They can also become weary from a constant barrage of bad news about data breaches, malware, DoS attacks, and so on. Hopelessness sets in, and employees just stop trying.

Information security fatigue can be reduced by making security policies less complex and easier to follow. Information security managers need to balance the security of the organization with the productivity and satisfaction of employees. More policies don’t necessarily make organizations more secure. In fact, too many rules may actually make organizations less secure.

Risk Management


The second senior management security function is to manage risk. Risk cannot be eliminated, so manage risk means to proactively balance the trade-off between risk and cost. This trade-off varies from industry to industry and from organization to organization. Financial institutions are obvious targets for theft and must invest heavily in security safeguards. On the other hand, a bowling alley is unlikely to be much of a target, unless, of course, it stores credit card data on computers or mobile devices (a decision that would be part of its security policy and that would seem unwise, not only for a bowling alley but also for most small businesses).

To make trade-off decisions, organizations need to create an inventory of the data and hardware they want to protect and then evaluate safeguards relative to the probability of each potential threat. Figure 10-3 is a good source for understanding categories and frequencies of threat. Given this set of inventory and threats, the organization needs to decide how much risk it wishes to take or, stated differently, which security safeguards it wishes to implement.

A good analogy of using safeguards to protect information assets is buying car insurance. Before buying car insurance you determine how much your car is worth, the likelihood of incurring damage to your car, and how much risk you are willing to accept. Then you transfer some of your risk to the insurer by buying a safeguard called an insurance policy. Instead of buying just one insurance policy, organizations implement a variety of safeguards to protect their data and hardware.

An easy way to remember information systems safeguards is to arrange them according to the five components of an information system, as shown in Figure 10-7. Some of the safeguards involve computer hardware and software. Some involve data; others involve procedures and people. We will consider technical, data, and human safeguards in the next three questions.

Q10-5 How Can Technical Safeguards Protect Against Security Threats?


Technical safeguards involve the hardware and software components of an information system. Figure 10-8 lists primary technical safeguards. Consider each.

 Figure 10-8: Technical Safeguards

Identification and Authentication


Every information system today should require users to sign on with a username and password. The username identifies the user (the process of identification), and the password authenticates that user (the process of authentication).

Passwords have important weaknesses. In spite of repeated warnings (don’t let this happen to you!), users often share their passwords, and many people choose ineffective, simple passwords. In fact, a 2020 Verizon report noted that 80 percent of confirmed data breaches involved stolen credentials, or passwords obtained from a brute force password attack.8 There’s a good chance your password will be stolen at some point. Because of these problems, some organizations choose to use smart cards and biometric authentication in addition to passwords.

Smart Cards
A smart card is a plastic card similar to an older credit card with a magnetic stripe but with an embedded microchip. The microchip, which holds far more data than a magnetic strip, is loaded with identifying data. Users of smart cards are required to enter a personal identification number (PIN) to be authenticated.

Biometric Authentication
Biometric authentication uses personal physical characteristics such as fingerprints, facial features, and retinal scans to authenticate users. Biometric authentication provides strong authentication, but the required equipment is expensive. Often, too, users resist biometric identification because they feel it is invasive.

Biometric authentication is in the early stages of adoption. Because of its strength, it likely will see increased usage in the future. It is also likely that legislators will pass laws governing the use, storage, and protection requirements for biometric data. For more on biometrics, search for biometrics at TechTarget.

Note that authentication methods fall into three categories: what you know (password or PIN), what you have (smart card), and what you are (biometric).

Single Sign-On for Multiple Systems


Information systems often require multiple sources of authentication. For example, when you sign on to your personal computer, you need to be authenticated. When you access the LAN in your department, you need to be authenticated again. When you traverse your organization’s WAN, you will need to be authenticated to even more networks. Also, if your request requires database data, the DBMS server that manages that database will authenticate you yet again.

It would be annoying to enter a name and password for every one of these resources. You might have to use and remember five or six different passwords just to access the data you need to perform your job. It would be equally undesirable to send your password across all of these networks. The further your password travels, the greater the risk it can be compromised.

Instead, today’s operating systems have the capability to authenticate you to networks and other servers. You sign on to your local computer and provide authentication data; from that point on your operating system authenticates you to another network or server, which can authenticate you to yet another network and server, and so forth. Because this is so, your identity and passwords open many doors beyond those on your local computer; remember this when you choose your passwords!



Encryption is the process of transforming clear text into coded, unintelligible text for secure storage or communication. Considerable research has gone into developing encryption algorithms (procedures for encrypting data) that are difficult to break. Commonly used methods are DES, 3DES, and AES; search the Web for these terms if you want to know more about them.

A key is a string of bits used to encrypt the data. It is called a key because it unlocks a message, but it is a string of bits, expressed as numbers or letters, used with an encryption algorithm. It’s not a physical thing like the key to your apartment.

To encrypt a message, a computer program uses the encryption method (say, AES) combined with the key (say, the word “key”) to convert a plaintext message (in this case, the word “secret”) into an encrypted message. The resulting coded message (“U2FsdGVkX1+b637aTP80u+y2WYlUbqUz2XtYcw4E8m4=”) looks like gibberish. Decoding (decrypting) a message is similar; a key is applied to the coded message to recover the original text. With symmetric encryption, the same key is used to encode and to decode. With asymmetric encryption, two keys are used; one key encodes the message, and the other key decodes the message. Symmetric encryption is simpler and much faster than asymmetric encryption.

A special version of asymmetric encryption, public key encryption, is used on the Internet. With this method, each site has a public key for encoding messages and a private key for decoding them. Before we explain how that works, consider the following analogy.

Suppose you send a friend an open combination lock (like you have on your gym locker). Suppose you are the only one who knows the combination to that lock. Now, suppose your friend puts something in a box and locks the lock. Now, neither your friend nor anyone else can open that box. That friend sends the locked box to you, and you apply the combination to open the box.

A public key is like the combination lock, and the private key is like the combination. Your friend uses the public key to code the message (lock the box), and you use the private key to decode the message (open the lock).

Now, suppose we have two generic computers, A and B. Suppose B wants to send an encrypted message to A. To do so, A sends B its public key (in our analogy, A sends B an open combination lock). Now B applies A’s public key to the message and sends the resulting coded message back to A. At that point, neither B nor anyone other than A can decode that message. It is like the box with a locked combination lock. When A receives the coded message, A applies its private key (the combination in our analogy) to unlock or decrypt the message.

Again, public keys are like open combination locks. Computer A will send a lock to anyone who asks for one. But A never sends its private key (the combination) to anyone. Private keys stay private.

Most secure communication over the Internet uses a protocol called https. With https, data are encrypted using a protocol called the Secure Sockets Layer (SSL), which is also known as Transport Layer Security (TLS). SSL/TLS uses a combination of public key encryption and symmetric encryption.

The basic idea is this: Symmetric encryption is fast and is preferred. But the two parties (say, you and a website) don’t share a symmetric key. So, the two of you use public key encryption to share the same symmetric key. Once you both have that key, you use symmetric encryption for the remainder of the communication.

Figure 10-9 summarizes how SSL/TLS works when you communicate securely with a website:

1. Your computer obtains the public key of the website to which it will connect.

2. Your computer generates a key for symmetric encryption.

3. Your computer encodes that key using the website’s public key. It sends the encrypted symmetric key to the website.

4. The website then decodes the symmetric key using its private key.

5. From that point forward, your computer and the website communicate using symmetric encryption.

 Figure 10-9: The Essence of https (SSL or TLS)
At the end of the session, your computer and the secure site discard the keys. Using this strategy, the bulk of the secure communication occurs using the faster symmetric encryption. Also, because keys are used for short intervals, there is less likelihood they can be discovered.

Use of SSL/TLS makes it safe to send sensitive data such as credit card numbers and bank balances. Just be certain that you see https:// in your browser and not just http://. Most browsers have additional plug-ins or add-ons (like HTTPS Everywhere) that can force https connections when available.



A firewall is a computing device that prevents unauthorized network access. A firewall can be a special-purpose computer, or it can be a program on a general-purpose computer or on a router. In essence, a firewall is simply a filter. It can filter traffic in a variety of ways including where network traffic is coming from, what types of packets are being sent, the contents of the packets, and if the packets are part of an authorized connection.

Organizations normally use multiple firewalls. A perimeter firewall sits outside the organizational network; it is the first device that Internet traffic encounters. In addition to perimeter firewalls, some organizations employ internal firewalls inside the organizational network. Figure 10-10 shows the use of a perimeter firewall that protects all of an organization’s computers and a second internal firewall that protects a LAN.

 Figure 10-10: Use of Multiple Firewalls

A packet-filtering firewall examines each part of a message and determines whether to let that part pass. To make this decision, it examines the source address, the destination address(es), and other data.

Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall. They can also disallow traffic from particular sites, such as known hacker addresses. They can prohibit traffic from legitimate, but unwanted, addresses, such as competitors’ computers, and filter outbound traffic as well. They can keep employees from accessing specific sites, such as competitors’ sites, sites with pornographic material, or popular news sites. As a future manager, if you have particular sites with which you do not want your employees to communicate, you can ask your IS department to enforce that limit via the firewall.

Packet-filtering firewalls are the simplest type of firewall. Other firewalls filter on a more sophisticated basis. If you take a data communications class, you will learn about them. For now, just understand that firewalls help to protect organizational computers from unauthorized network access.

No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers. By nature, these firewalls are generic. Large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.

Malware Protection


The next technical safeguard in our list in Figure 10-8 concerns malware. Malware is a broad category of software that includes viruses, spyware, and adware.

· A virus is a computer program that replicates itself. Unchecked replication is like computer cancer; ultimately, the virus consumes the computer’s resources. Furthermore, many viruses also take unwanted and harmful actions. The program code that causes the unwanted actions is called the payload. The payload can delete programs or data—or, even worse, modify data in undetected ways.

· Trojan horses are viruses that masquerade as useful programs or files. The name refers to the gigantic mock-up of a horse that was filled with soldiers and moved into Troy during the Trojan War. A typical Trojan horse appears to be a computer game, an MP3 music file, or some other useful, innocuous program.

· A worm is a virus that self-propagates using the Internet or other computer network. Worms spread faster than other virus types because they can replicate by themselves. Unlike nonworm viruses, which must wait for the user to share a file with a second computer, worms actively use the network to spread. Sometimes, worms can propagate so quickly that they overload and crash a network.

· Spyware programs are installed on the user’s computer without the user’s knowledge or permission. Spyware resides in the background and, unknown to the user, observes the user’s actions and keystrokes, monitors computer activity, and reports the user’s activities to sponsoring organizations. Some malicious spyware, called key loggers, captures keystrokes to obtain usernames, passwords, account numbers, and other sensitive information. Other spyware supports marketing analyses such as observing what users do, websites visited, products examined and purchased, and so forth.

· In 2017, cryptocurrencies started to increase in value and attackers began cryptojacking victim computers, or installing hidden malware that mines cryptocurrency for attackers. Cryptojacking allowed hackers to mine cryptocurrencies without paying for expensive hardware or energy consumption.

· Adware is similar to spyware in that it is installed without the user’s permission and resides in the background and observes user behavior. Most adware is benign in that it does not perform malicious acts or steal data. It does, however, watch user activity and produce pop-up ads. Adware can also change the user’s default window or modify search results and switch the user’s search engine.

· Ransomware is malicious software that blocks access to a system or data until money is paid to the attacker. Some forms of ransomware like crypto malware encrypt your data and prevent you from accessing it until the ransom is paid (CryptoLocker). Other types of ransomware can prevent you from running applications or even lock you out of your operating system (Reveton). Attackers demand to be paid before they will allow access to your data or system.

Figure 10-11 lists some of the symptoms of adware and spyware. Sometimes these symptoms develop slowly over time as more malware components are installed. Should these symptoms occur on your computer, remove the spyware or adware using antimalware programs.

Figure 10-11: Spyware and Adware Symptoms

· Slow system startup

· Sluggish system performance

· Many pop-up advertisements

· Suspicious browser homepage changes

· Suspicious changes to the taskbar and other system interfaces

· Unusual hard-disk activity

Malware Safeguards
Fortunately, it is possible to avoid most malware using the following malware safeguards:

1. Install antivirus and antispyware programs on your computer. Your IS department will have a list of recommended (perhaps required) programs for this purpose. If you choose a program for yourself, choose one from a reputable vendor. Check reviews of antimalware software on the Web before purchasing.

2. Set up your antimalware programs to scan your computer frequently. You should scan your computer at least once a week and possibly more often. When you detect malware code, use the antimalware software to remove it. If the code cannot be removed, contact your IS department or antimalware vendor.

3. Update malware definitions. Malware definitions—patterns that exist in malware code—should be downloaded frequently. Antimalware vendors update these definitions continuously, and you should install these updates as they become available.

4. Open email attachments only from known sources. Also, even when opening attachments from known sources, do so with great care. With a properly configured firewall, email is the only outside-initiated traffic that can reach user computers.

Most antimalware programs check email attachments for malware code. However, all users should form the habit of never opening an email attachment from an unknown source. Also, if you receive an unexpected email from a known source or an email from a known source that has a suspicious subject, odd spelling, or poor grammar, do not open the attachment without first verifying with the known source that the attachment is legitimate.

1. Promptly install software updates from legitimate sources. Unfortunately, all programs are chock full of security holes; vendors are fixing them as rapidly as they are discovered, but the practice is inexact. Install patches to the operating system and application programs promptly.

2. Browse only reputable websites. It is possible for some malware to install itself when you do nothing more than open a Web page. Recently, malware writers have been paying for banner ads on legitimate sites that have malware embedded in the ad. One click, and you’re infected.

Design for Secure Applications


The final technical safeguard in Figure 10-8 concerns the design of applications. As you learned in the opening vignette, Emily and Jose are designing iMed with security in mind; iMed will store users’ privacy settings in a database, and it will develop all applications to first read the privacy settings before revealing any data in reports. Most likely, iMed will design its programs so that privacy data is processed by programs on servers; that design means that such data need be transmitted over the Internet only when it is created or modified.

By the way, a SQL injection attack occurs when users enter a SQL statement into a form in which they are supposed to enter a name or other data. If the program is improperly designed, it will accept this code and make it part of the database command that it issues. Improper data disclosure and data damage and loss are possible consequences. A well-designed application will make such injections ineffective.

As a future IS user, you will not design programs yourself. However, you should ensure that any information system developed for you and your department includes security as one of the application requirements.

Knowledge Check

Q10-6 How Can Data Safeguards Protect Against Security Threats?


Data safeguards protect databases and other organizational data. Two organizational units are responsible for data safeguards. Data administration refers to an organization-wide function that is in charge of developing data policies and enforcing data standards.

Database administration refers to a function that pertains to a particular database. ERP, CRM, and MRP databases each have a database administration function. Database administration develops procedures and practices to ensure efficient and orderly multiuser processing of the database, to control changes to the database structure, and to protect the database. Database administration was summarized in Lesson 5.

Both data and database administration are involved in establishing the data safeguards in Figure 10-12. First, data administration should define data policies such as “We will not share identifying customer data with any other organization” and the like. Then data administration and database administration(s) work together to specify user data rights and responsibilities. Third, those rights should be enforced by user accounts that are authenticated at least by passwords.

Figure 10-12: Data Safeguards

· Define data policies

· Data rights and responsibilities

· Rights enforced by user accounts authenticated by passwords

· Data encryption

· Backup and recovery procedures

· Physical security

The organization should protect sensitive data by storing it in encrypted form. Such encryption uses one or more keys in ways similar to that described for data communication encryption. One potential problem with stored data, however, is that the key might be lost or that disgruntled or terminated employees might destroy it. Because of this possibility, when data are encrypted, a trusted party should have a copy of the encryption key. This safety procedure is sometimes called key escrow.

Another data safeguard is to periodically create backup copies of database contents. The organization should store at least some of these backups off premises, possibly in a remote location. Additionally, IT personnel should periodically practice recovery to ensure that the backups are valid and that effective recovery procedures exist. Do not assume that just because a backup is made that the database is protected.

Physical security is another data safeguard. The computers that run the DBMS and all devices that store database data should reside in locked, controlled-access facilities. If not, they are subject not only to theft, but also to damage. For better security, the organization should keep a log showing who entered the facility, when, and for what purpose.

When organizations store databases in the cloud, all of the safeguards in Figure 10-12 should be part of the cloud service contract.

Legal Safeguards for Data


Some organizations have legal requirements to safeguard the customer data they collect and store. Laws can dictate how long records must be kept, with whom companies can share the data, and mandatory safe data storage requirements. Some data storage laws have direct implications for business.

For example, the Payment Card Industry Data Security Standard (PCI DSS) governs the secure storage and processing of credit card data. The Gramm-Leach-Bliley Act (GLBA), passed by Congress in 1999, protects consumer financial data stored by financial institutions, which are defined as banks; securities firms; insurance companies; and organizations that supply financial advice, prepare tax returns, and provide similar financial services.

For healthcare organizations, the privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 give individuals the right to access health data created by doctors and other healthcare providers. HIPAA also sets rules and limits on who can read and receive your health information.

Data protection laws may be stronger in other countries than in the United States. The General Data Protection Regulation (GDPR) is an EU privacy law enacted in 2018 that outlines data protection regulations designed to protect personal data. It regulates the collection, storage, and transfer of personal data within the EU. Although the GDPR is the most important EU privacy rule, many other nations with which U.S. firms do business are also developing strong commercial data privacy laws.

In 2019 British Airways was fined $222 million (£183 million) for violation of the new EU privacy law General Data Protection Regulation (GDPR).9 In 2018 British Airways lost 500,000 customer records in a data breach containing credit card and personal information. The UK’s Information Commissioner’s Office (ICO) wasted no time levying fines. British Airways is appealing the record fine, arguing there’s no proof that any of the stolen data has been used, or that they were negligent in storing customer data.

Q10-7 How Can Human Safeguards Protect Against Security Threats?


Human safeguards involve the people and procedure components of information systems. In general, human safeguards result when authorized users follow appropriate procedures for system use and recovery. Restricting access to authorized users requires effective authentication methods and careful user account management. In addition, appropriate security procedures must be designed as part of every information system, and users should be trained on the importance and use of those procedures. In this section, we will consider the development of human safeguards for employees. According to the survey of computer crime discussed in Q10-2, crime from malicious insiders is a frequent and expensive problem. This fact makes safeguards even more important.

Read about the COVID-19 related security threats in the Security Guide.

Human Safeguards for Employees


Figure 10-13 lists security considerations for employees. Consider each.

Figure 10-13: Security Policy for In-House Staff
Position Definitions
Effective human safeguards begin with definitions of job tasks and responsibilities. In general, job descriptions should provide a separation of duties and authorities. For example, no single individual should be allowed to both approve expenses and write checks. Instead, one person should approve expenses, another pay them, and a third should account for the payment. Similarly, in inventory, no single person should be allowed to authorize an inventory withdrawal and also to remove the items from inventory.

Given appropriate job descriptions, user accounts should be defined to give users the least possible privilege needed to perform their jobs. For example, users whose job description does not include modifying data should be given accounts with read-only privileges. Similarly, user accounts should prohibit users from accessing data their job description does not require.

Finally, the security sensitivity should be documented for each position. Some jobs involve highly sensitive data (e.g., employee compensation, salesperson quotas, and proprietary marketing or technical data). Other positions involve no sensitive data. Documenting position sensitivity enables security personnel to prioritize their activities in accordance with the possible risk and loss.

Hiring and Screening
Security considerations should be part of the hiring process. Of course, if the position involves no sensitive data and no access to information systems, then screening for information systems security purposes will be minimal. When hiring for high-sensitivity positions, however, extensive interviews, references, and background investigations are appropriate. Note, too, that security screening applies not only to new employees, but also to employees who are promoted into sensitive positions.

Dissemination and Enforcement
Employees cannot be expected to follow security policies and procedures that they do not know about. Therefore, employees need to be made aware of the security policies, procedures, and responsibilities they will have.

Employee security training begins during new-employee training, with the explanation of general security policies and procedures. That general training must be amplified in accordance with the position’s sensitivity and responsibilities. Promoted employees should receive security training that is appropriate to their new positions. The company should not provide user accounts and passwords until employees have completed required security training.

Enforcement consists of three interdependent factors: responsibility, accountability, and compliance. First, the company should clearly define the security responsibilities of each position. The design of the security program should be such that employees can be held accountable for security violations. Procedures should exist so that when critical data are lost, it is possible to determine how the loss occurred and who is accountable. Finally, the security program should encourage security compliance. Employee activities should regularly be monitored for compliance, and management should specify the disciplinary action to be taken in light of noncompliance.

Management attitude is crucial: Employee compliance is greater when management demonstrates, both in word and deed, a serious concern for security. If managers write passwords on staff bulletin boards, shout passwords down hallways, or ignore physical security procedures, then employee security attitudes and employee security compliance will suffer. Note, too, that effective security is a continuing management responsibility. Regular reminders about security are essential.

Companies also must establish security policies and procedures for the termination of employees. Many employee terminations are friendly and occur as the result of promotion or retirement or when the employee resigns to take another position. Standard human resources policies should ensure that system administrators receive notification in advance of the employee’s last day so that they can remove accounts and passwords. The need to recover keys for encrypted data and any other special security requirements should be part of the employee’s out-processing.

Unfriendly termination is more difficult because employees may be tempted to take malicious or harmful actions. In such a case, system administrators may need to remove user accounts and passwords prior to notifying the employee of his or her termination. Other actions may be needed to protect the company’s data assets. A terminated sales employee, for example, may attempt to take the company’s confidential customer and sales-prospect data for future use at another company. The terminating employer should take steps to protect those data prior to the termination.

The human resources department should be aware of the importance of giving IS administrators early notification of employee termination. If no blanket policy exists; the information systems department must assess each case on an individual basis.

Human Safeguards for Nonemployee Personnel


Business requirements may necessitate opening information systems to nonemployee personnel—temporary personnel, vendors, partner personnel (employees of business partners), and the public. Although temporary personnel can be screened, to reduce costs the screening will be abbreviated from that for employees. In most cases, companies cannot screen either vendor or partner personnel. Of course, public users cannot be screened at all. Similar limitations pertain to security training and compliance testing.

In the case of temporary, vendor, and partner personnel, the contracts that govern the activity should call for security measures appropriate to the sensitivity of the data and the IS resources involved. Companies should require vendors and partners to perform appropriate screening and security training. The contract also should mention specific security responsibilities that are particular to the work to be performed. Companies should provide accounts and passwords with the least privilege and remove those accounts as soon as possible.

The situation differs with public users of websites and other openly accessible information systems. It is exceedingly difficult and expensive to hold public users accountable for security violations. In general, the best safeguard from threats from public users is to harden the website or other facility against attack as much as possible. Hardening a site means to take extraordinary measures to reduce a system’s vulnerability. Hardened sites use special versions of the operating system, and they lock down or eliminate operating systems features and functions that are not required by the application. Hardening is actually a technical safeguard, but we mention it here as the most important safeguard against public users.

Finally, note that the business relationship with the public, and with some partners, differs from that with temporary personnel and vendors. The public and some partners use the information system to receive a benefit. Consequently, safeguards need to protect such users from internal company security problems. A disgruntled employee who maliciously changes prices on a website potentially damages both public users and business partners. As one IT manager put it, “Rather than protecting ourselves from them, we need to protect them from us.” This is an extension of the fifth safeguard in Figure 10-7.

Account Administration


The administration of user accounts, passwords, and help-desk policies and procedures is another important human safeguard.

Account Management
Account management concerns the creation of new user accounts, the modification of existing account permissions, and the removal of unneeded accounts. Information system administrators perform all of these tasks, but account users have the responsibility to notify the administrators of the need for these actions. The IS department should create standard procedures for this purpose. As a future user, you can improve your relationship with IS personnel by providing early and timely notification of the need for account changes.

The existence of accounts that are no longer necessary is a serious security threat. IS administrators cannot know when an account should be removed; it is up to users and managers to give such notification.

Password Management
Passwords are the primary means of authentication. They are important not just for access to the user’s computer, but also for authentication to other networks and servers to which the user may have access. Because of the importance of passwords, the National Institute of Standards and Technology (NIST) recommends that employees be required to sign statements similar to those shown in Figure 10-14.

Figure 10-14: Sample Account Acknowledgment Form

Source: National Institute of Standards and Technology, U.S. Department of Commerce. Introduction to Computer Security: The NIST Handbook, Publication 800–812.

I hereby acknowledge personal receipt of the system password(s) associated with the user IDs listed below. I understand that I am responsible for protecting the password(s), will comply with all applicable system security standards, and will not divulge my password(s) to any person. I further understand that I must report to the Information Systems Security Officer any problem I encounter in the use of the password(s) or when I have reason to believe that the private nature of my password(s) has been compromised.

When an account is created, users should immediately change the password they are given to one of their own. In fact, well-constructed systems require the user to change the password on first use.

Additionally, users should change passwords frequently thereafter. Some systems will require a password change every 3 months or perhaps more frequently. Users grumble at the nuisance of making such changes, but frequent password changes reduce not only the risk of password loss but also the extent of damage if an existing password is compromised.

Some users create two passwords and switch back and forth between those two. This strategy results in poor security, and some password systems do not allow the user to reuse recently used passwords. Again, users may view this policy as a nuisance, but it is important.

Help-Desk Policies
In the past, help desks have been a serious security risk. A user who had forgotten his password would call the help desk and plead for the help-desk representative to tell him his password or to reset the password to something else. “I can’t get this report out without it!” was (and is) a common lament.

The problem for help-desk representatives is, of course, that they have no way of determining that they are talking with the true user and not someone spoofing a true user. But they are in a bind: If they do not help in some way, the help desk is perceived to be the “unhelpful desk.”

To resolve such problems, many systems give the help-desk representative a means of authenticating the user. Typically, the help-desk information system has answers to questions that only the true user would know, such as the user’s birthplace, mother’s maiden name, or last four digits of an important account number. Usually, when a password is changed, notification of that change is sent to the user in an email. Email is sent as plaintext, however, so the new password itself ought not to be emailed. If you ever receive notification that your password was reset when you did not request such a reset, immediately contact IT security. Someone has compromised your account.

All such help-desk measures reduce the strength of the security system, and, if the employee’s position is sufficiently sensitive, they may create too large a vulnerability. In such a case, the user may just be out of luck. The account will be deleted, and the user must repeat the account-application process.

Systems Procedures


Figure 10-15 shows a grid of procedure types—normal operation, backup, and recovery. Procedures of each type should exist for each information system. For example, the order-entry system will have procedures of each of these types, as will the Web storefront, the inventory system, and so forth. The definition and use of standardized procedures reduce the likelihood of computer crime and other malicious activity by insiders. It also ensures that the system’s security policy is enforced.

Figure 10-15: Systems Procedures

System Users

Operations Personnel

Normal operation

Use the system to perform job tasks, with security appropriate to sensitivity.

Operate data center equipment, manage networks, run Web servers, and do related operational tasks.


Prepare for loss of system functionality.

Back up website resources, databases, administrative data, account and password data, and other data.


Accomplish job tasks during failure. Know tasks to do during system recovery.

Recover systems from backed up data. Perform role of help desk during recovery.

Procedures exist for both users and operations personnel. For each type of user, the company should develop procedures for normal, backup, and recovery operations. As a future user, you will be primarily concerned with user procedures. Normal-use procedures should provide safeguards appropriate to the sensitivity of the information system.

Backup procedures concern the creation of backup data to be used in the event of failure. Whereas operations personnel have the responsibility for backing up system databases and other systems data, departmental personnel have the need to back up data on their own computers. Good questions to ponder are “What would happen if I lost my computer or mobile device tomorrow?” “What would happen if someone dropped my computer during an airport security inspection?” “What would happen if my computer was stolen?” Employees should ensure that they back up critical business data on their computers. The IS department may help in this effort by designing backup procedures and making backup facilities available.

Finally, systems analysts should develop procedures for system recovery. First, how will the department manage its affairs when a critical system is unavailable? Customers will want to order and manufacturing will want to remove items from inventory even though a critical information system is unavailable. How will the department respond? Once the system is returned to service, how will records of business activities during the outage be entered into the system? How will service be resumed? The system developers should ask and answer these questions and others like them and develop procedures accordingly.

Security Monitoring


Security monitoring is the last of the human safeguards we will consider. Important monitoring functions are activity log analyses, security testing, and investigating and learning from security incidents.

Many information system programs produce activity logs. Firewalls produce logs of their activities, including lists of all dropped packets, infiltration attempts, and unauthorized access attempts from within the firewall. DBMS products produce logs of successful and failed log-ins. Web servers produce voluminous logs of Web activities. The operating systems in personal computers can produce logs of log-ins and firewall activities.

None of these logs adds any value to an organization unless someone looks at them. Accordingly, an important security function is to analyze these logs for threat patterns, successful and unsuccessful attacks, and evidence of security vulnerabilities.

Today, most large organizations actively investigate their security vulnerabilities. They may employ utilities such as Tenable’s Nessus or HCL’s AppScan to assess their vulnerabilities.

Many companies create honeypots, which are false targets for computer criminals to attack. To an intruder, a honeypot looks like a particularly valuable resource, such as an unprotected website, but in actuality the only site content is a program that determines the attacker’s IP address. Organizations can then trace the IP address back using free online tools, like DNSstuff, to determine who has attacked them.10 If you are technically minded, detail-oriented, and curious, a career as a security specialist in this field is almost as exciting as it appears on CSI. To learn more, check out DNSstuff, Nessus, or Security AppScan.

Another important monitoring function is to investigate security incidents. How did the problem occur? Have safeguards been created to prevent a recurrence of such problems? Does the incident indicate vulnerabilities in other portions of the security system? What else can be learned from the incident?

Security systems reside in a dynamic environment. Organization structures change. Companies are acquired or sold; mergers occur. New systems require new security measures. New technology changes the security landscape, and new threats arise. Security personnel must constantly monitor the situation and determine if the existing security policy and safeguards are adequate. If changes are needed, security personnel need to take appropriate action.

Security, like quality, is an ongoing process. There is no final state that represents a secure system or company. Instead, companies must monitor security on a continuing basis.

Knowledge Check

Q10-8 How Should Organizations Respond to Security Incidents?


The last component of a security plan that we will consider is incident response. Figure 10-16 lists the major factors. First, every organization should have an incident-response plan as part of the security program. No organization should wait until some asset has been lost or compromised before deciding what to do. The plan should include how employees are to respond to security problems, whom they should contact, the reports they should make, and steps they can take to reduce further loss.

Figure 10-16: Factors in Incident Response

· Have plan in place

· Centralized reporting

· Specific responses

· Speed

· Preparation pays

· Don’t make problem worse

· Practice

Consider, for example, a virus. An incident-response plan will stipulate what an employee should do when he notices the virus. It should specify whom to contact and what to do. It may stipulate that the employee should turn off his computer and physically disconnect from the network. The plan should also indicate what users with wireless computers should do.

The plan should provide centralized reporting of all security incidents. Such reporting will enable an organization to determine if it is under systematic attack or whether an incident is isolated. Centralized reporting also allows the organization to learn about security threats, take consistent actions in response, and apply specialized expertise to all security problems.

When an incident does occur, speed is of the essence. The longer the incident goes on, the greater the cost. Viruses and worms can spread very quickly across an organization’s networks, and a fast response will help to mitigate the consequences. Because of the need for speed, preparation pays. The incident-response plan should identify critical personnel and their off-hours contact information. These personnel should be trained on where to go and what to do when they get there. Without adequate preparation, there is substantial risk that the actions of well-meaning people will make the problem worse. Also, the rumor mill will be alive with all sorts of nutty ideas about what to do. A cadre of well-informed, trained personnel will serve to dampen such rumors.

Finally, organizations should periodically practice incident response. Without such practice, personnel will be poorly informed on the response plan, and the plan itself may have flaws that only become apparent during a drill.

Knowledge Check

Q10-9 2031?


What will be the status of information security by 2031? Will we have found a magic bullet to eliminate security problems? No. Human error is a constant; well-managed organizations will plan better for it and know how to respond better when it does occur, but as long as we have humans, we’ll have error. Natural disasters are similar. The horrific events surrounding Hurricane Katrina in 2005 and the Japanese tsunami in 2011, as well as Hurricane Sandy in 2012, have alerted the world that we need to be better prepared, and more companies will set up hot or cold sites and put more data in well-prepared clouds. So, we’ll be better prepared, but natural disasters are natural, after all.

Unfortunately, it is likely that sometime in the next 10 years some new, major incidents of cyberwarfare will have occurred. APTs will become more common, if indeed they are not already common but we don’t know it. Will some new nation or group enter the cyberwar picture? That also seems likely. Unless you’re in the security and intelligence business, there isn’t much you can do about it. But don’t be surprised if some serious damage is inflicted somewhere in the world due to APTs.

In 2013, privacy advocates were outraged at the existence of PRISM, the intelligence program by which the National Security Agency (NSA) requested and received data about Internet activities from major Internet providers. They claimed their privacy, or freedom from being observed by other people, was being destroyed in the name of security, the state of being free from danger. After the initial hullabaloo, it appears that Internet providers did not allow the government direct access to their servers but rather delivered only data about specific individuals, as legally requested according to security laws enacted after 9/11. If so, then PRISM represents a legal governmental request for data, different only in scale from a governmental request for banking data about an organized crime figure.

As of June 2020, Edward Snowden, the man who exposed the PRISM program, appears to be either an advocate for Internet freedom and privacy or a traitor who sold government secrets to China and Russia for private gain. Regardless of the reasons for the leak, the episode raises the question of what governmental intrusion should be allowed into private data. We can hope the revelation of the existence of PRISM will spark a public conversation on the balance of national security and data privacy. In 2018, the PRISM surveillance program was renewed by Congress and the president of the United States for an additional 6 years.

What about computer crime? It is a game of cat and mouse. Computer criminals find a vulnerability to exploit, and they exploit it. Computer security experts discover that vulnerability and create safeguards to thwart it. Computer criminals find a new vulnerability to exploit, computer security forces thwart it, and so it goes. The next major challenges will likely be those affecting mobile devices. But security on these devices will be improved as threats emerge that exploit their vulnerabilities. This cat-and-mouse game is likely to continue for at least the next 10 years. No super-safeguard will be devised to prevent computer crime, nor will any particular computer crime be impossible to thwart. However, the skill level of this cat-and-mouse activity is likely to increase, and substantially so. Because of increased security in operating systems and other software and because of improved security procedures and employee training, it will become harder and harder for the lone hacker to find some vulnerability to exploit. Not impossible, but vastly more difficult.

So, what will happen? Cloud vendors and major organizations will continue to invest in safeguards; they’ll hire more people (maybe you), train them well, and become ever more difficult to infiltrate. Although some criminals will continue to attack these fortresses, most will turn their attention to less protected, more vulnerable, midsized and smaller organizations and to individuals. You can steal $50M from one company or $50 from a million people with the same cash result. And, in the next 10 years, because of improved security at large organizations, the difficulty and cost of stealing that $50M will be much higher than stealing $50 a million times.

Part of the problem is porous national borders. People can freely enter the United States electronically without a passport. They can commit crimes with little fear of repercussions. There are no real electronic IDs. Cyber-gangs are well organized, financially motivated, and possibly state-sponsored. Electronic lawlessness is the order of the day. If someone in Romania steals from Google, Apple, Microsoft, or Boeing and then disappears into a cloud of networks in Uzbekistan, do those large organizations have the resources, expertise, and legal authority to pursue the attackers? What if that same criminal steals from you in Nashville? Can your local or state law enforcement authorities help? And if your portion of the crime is $50, how many calls to Uzbekistan do they want to make?

Take another look at Figure 10-6. Send a copy to your loved ones.

So What? New From Black Hat 2019

Hackers, security professionals, academics, and government agents flock to Las Vegas each year to attend two of the world’s largest and most well-known security conferences—Black Hat and Def Con. Black Hat caters to more of a professional and academic crowd of security professionals, corporations, and government entities, whereas Def Con attracts more general members of the hacking community. Despite the different target audiences of these events, travelers to Las Vegas typically attend both conferences as they occur back-to-back.


Each year speakers make briefings on how things can be hacked. Presenters show exactly how to exploit weaknesses in hardware, software, protocols, or systems. One session may show you how to hack your smartphone, whereas another may show you how to empty the cash out of an ATM.

Presentations encourage companies to fix product vulnerabilities and serve as an educational forum for hackers, developers, manufacturers, and government agencies. The following are topic areas that were some of the highlights from the 2019 Black Hat and Def Con conferences.

A number of talks this year centered on deepfakes—the creation of computer-generated imagery (they can be either photos or videos) in which the likeness of one individual is replaced by the likeness of another. It is possible to create high-fidelity deepfakes using powerful artificial intelligence and machine learning technologies. As processing power has continued to increase over time and specialized software that can be used to create these videos has become more widely available, the number of deepfakes being created and shared on the Web has risen drastically.

Early applications of deepfake videos were focused on pornography. Deepfake creators would generate videos with the faces of celebrities merged with the bodies of porn stars. Even more nefarious was the practice of deepfake creators generating videos of pornography actors with the faces of coworkers, classmates, or exes.

The quality of the computer-generated deepfakes is so high that even victims/targets who claim the videos are fake may not be believed. It has become a priority to be able to identify indicators of these fake videos to protect the integrity of information. New methods to do so were presented at Black Hat 2019.11

Internet of Things (IoT)
Households are gradually adopting more and more IoT devices. It is not uncommon to walk into a friend’s, family member’s, or neighbor’s house today and see a smart thermostat, Wi-Fi or Bluetooth lighting, Internet-connected security cameras or baby monitors, smart TVs, smart speakers, digital assistants, and so on.

An underlying principle of IoT devices is that they must be easily configurable and integrated with other IoT devices—for example, smart lighting that is linked with a smart security system and the lighting flashes red when the alarm goes off.

Another important feature of IoT devices is that they must be easily controlled by intuitive apps and digital assistants—for example, a homeowner walks into their dark house and tells Alexa to turn the lights on.

All of these integrations between IoT devices and apps mean that there are many potential vulnerabilities in the software that is used to communicate with and manage these devices. If IoT software was developed with a priority on security, easy integration between hundreds and thousands of different products would be much more difficult.

Def Con and Black Hat are often riddled with presentations about how smart devices can be hacked (often very easily!)—this year, presentations focused on how to compromise a variety of different motors and even the internal network of a Boeing aircraft.

Election Technology
The 2016 U.S. presidential election was clouded with a variety of rumors and allegations about misinformation campaigns. Even the integrity of the voting equipment was questioned. Accordingly, interest by information security professionals and hackers in technology used in any way for the election process has skyrocketed.

In an effort to identify potential hacking techniques that could be used against voting machines, Def Con created a Voting Village, where attendees can get direct access to tinker around with the same models of various technologies that are still used today to conduct elections.

A highlight this year in the Voting Village was the addition of a new microprocessor developed by the Defense Advanced Research Projects Agency (DARPA), which they submitted to allow people to have a chance to compromise it.13 Companies are relying more and more on external security experts to identify vulnerabilities in their products and digital services—this is just one more example of that collaboration.


1. What are the implications of deepfake videos for the world of politics, finance, or national security?

 Show Answer

2. Do you think it is illegal to create and post a deepfake video?

 Show Answer

3. What is your position on the adoption of IoT devices considering their tendency to have poor security controls? Are they worth the risk?

 Show Answer

4. If you could go to either Black Hat or Def Con, what topic area would be of most interest to you (technical security, behavioral security, hacking IoT devices, etc.)? Explain.

 Show Answer

Security Guide

Using Tech to Mitigate Covid-19 Risks
A key element of information security is identifying risk and determining the best course of action to deal with that risk. A common way to think about information security risk is to liken it to a medieval castle. Castles are notorious for leveraging a variety of security measures to keep occupants and resources on the inside safe. Defense mechanisms include a drawbridge, gate, moat, inner and outer walls, towers, and battlements.

Storming a castle with such defenses requires extensive planning, resources, time, and a winning strategy. Often, the burden is so high that the castle defenses act as an effective deterrent because external threats decide not to even waste their time, energy, or resources trying to gain entry.

Source: kora_sun/Shutterstock

Digital Defenses
In the digital world, organizations use a variety of defenses to keep networks, systems, and data safe. For example, physical security, like restricted parking, card swipes at doors, check-in stations in office lobbies, and role-based access controls to certain parts of an office building, helps ensure that unauthorized people can’t physically access sensitive systems and data.

Digital fortifications, like firewalls and intrusion detection systems, help ensure that nefarious actors cannot gain access to sensitive internal networks to steal, modify, delete, or corrupt data. Finally, security education training and awareness (SETA) programs and security policies help increase the chances that those behind “castle walls” don’t inadvertently leave a “door” or “window” unlocked that might allow an enemy to easily gain entry.

In addition to the standard security posture organizations use to build their secure digital castles, other mechanisms are used to help ensure the longevity of an organization in the event of other risks (e.g., a natural disaster).

For example, disaster recovery plans and the more expansive business continuity plans are put in place so that organizations have a procedure in place to restore critical systems in the event of disruption but also help ensure the likelihood that some degree of normal business operations can be maintained during a crisis.

Mitigating COVID-19
However, despite all of the security measures and risk-mitigation strategies that organizations had developed and implemented, few were ready for the impact of the COVID-19 pandemic. The sweeping effects of a highly contagious virus had not been accounted for by most organizations, and widespread stay-at-home orders and social distancing measures translated to office buildings being shuttered for extended periods of time.

In short, a new form of risk had been introduced to organizations—a risk introduced by one of its greatest assets—its very own employees. As organizations started thinking about steps to gradually reopen business to bring people back into office spaces, innovative solutions were proposed on how the risks of working in an office could be minimized to help avoid the need to shut down operations once more.

The following list introduces some technologically based measures that organizations are developing to help reduce risk and promote a safe environment for employees:14

· Thermal cameras. Having a fever was one of the most consistent symptoms of COVID-19. Thermal cameras have been identified as an effective way to identify people who may be symptomatic. Placing a thermal camera at the entrance of an office building could be used to screen employees as they come in to work. Anyone displaying increased body temperature could be notified and sent home.

· Risk segmentation. While working from home was permitted by many organizations during the initial stages of the pandemic, it may only be permitted for high-risk employees once office work resumes. Identifying employees whose age or preexisting conditions would render them especially or moderately susceptible to the virus would allow organizations to adopt different mitigation strategies for different groups instead of implementing sweeping protocols that may not be necessary for everyone (e.g., everyone is mandated to work from home indefinitely).

· Phone apps. One thing people usually have nearby is their phone. This habit provides organizations with a number of opportunities for keeping track of where employees are located and how they are interacting with other employees. Apps can be used to track employee movements to help monitor and enforce social distancing. Some apps are even embedding gamification to help motivate employees to follow safety protocols (e.g., “You get bonus points today for not gathering in collaborative work groups > 5 people!”).

· Surveys. Data collected from employees about their activities and their symptoms can be used to identify potential risks. Some companies are deploying daily or weekly surveys to identify employees who may have engaged in risky behavior or who may be in the early stages of having the virus. Daily snapshots of employees can be used to make decisions about who is eligible to come to the office. It has also been proposed that a digital thermometer could be linked to an app so that employees could submit daily temperature readings to an employer before getting the green light to come back to work.

 Discussion Questions

1. The list presented in the article entails a number of solutions that would require data collection from employees. Do you think employers have a right to collect these types of data?

 Show Answer

2. When a person or an organization is granted power, it can often be difficult for this power to be relinquished. If organizations put a number of monitoring and surveillance mechanisms in place to track employees so risk can be identified/mitigated, do you think employers will readily curtail these activities once the threat from the pandemic has subsided?

 Show Answer

3. Can you think of any other innovations not listed in the article that companies could use to try to mitigate the risks introduced by employees who may have the virus and be contagious?

 Show Answer

4. The comparison of information security to a digital castle has been used for many years. However, the landscape of technology has changed drastically with the mass proliferation of laptops, mobile devices, wearables, and so on. Do you think the digital castle model still holds true today? Why or why not?

 Show Answer

Career Guide

Source: Chris Heywood, Northrop Grumman, Cyber Systems Engineer

· Name: Chris Heywood

· Company: Northrop Grumman

· Job Title: Cyber Systems Engineer

· Education: Carnegie Mellon University, Weber State University

1. How did you get this type of job?

I knew I wanted to be in cybersecurity ever since I was a junior in college. I started applying to all kinds of cybersecurity jobs and would go to any job fair I could find. I practiced and practiced interviewing and worked really hard to understand technical concepts in networking and security. My hard work paid off as I was able to land my first internship in cybersecurity. Shortly after my internship, I was able to get a graduate degree and landed another internship for my current company. After a very successful internship, I was offered a full-time position as a cyber systems engineer. It took a lot of hard work and education, but it has been worth it!

2. What attracted you to this field?

I always thought it would be awesome to know how to break into systems and know how to defend systems from hackers. After seeing YouTube videos demonstrating how easy it is for hackers to steal usernames, passwords, and even data about bank accounts, I decided that I would love to protect myself and others from the malicious intents of hackers and to keep our information safe.

3. What does a typical workday look like for you (duties, decisions, problems)?

Every day at my work is very different. Some days I could be looking for vulnerabilities in highly sensitive systems, and other days I could be writing policy for our organization. Most of my days involve me looking at systems and deciding how much cybersecurity risk the system has based off the vulnerabilities I find and then making plans on how to better secure those systems. Each day presents unique challenges that I love to solve.

4. What do you like most about your job?

Working in the security industry gives me a lot of opportunities to learn about securing the many changing technologies out there. The greatest thing about loving your job is that it’s more of a hobby than it is a job. I get to learn about how to physically and virtually break into systems, secure systems, encrypt communications, engineer secure networks, and hunt for threats in my organization.

5. What skills would someone need to do well at your job?

When I am looking for someone to hire on my team, some of the main skills that I look for are the abilities to communicate comfortably with others, work well on a team, and have the desire to keep on learning. Having a technical and analytical background will also be valuable to someone who is joining cybersecurity.

6. Are education or certifications important in your field? Why?

Education and certifications are very valuable in the cybersecurity field. Many organizations will require that you have at least a bachelor’s degree in any IT-related field and hold at least one cybersecurity certification. This will ensure that you can effectively demonstrate your knowledge of cybersecurity to protect your organization’s information technology. With new cyber threats and vulnerabilities emerging daily, it is vital to continue your education in cybersecurity.

7. What advice would you give to someone who is considering working in your field?

Work really hard to understand how information technology works and don’t be afraid to experiment with it. Set up labs and virtual machines to help you understand how networking, system administration, and cybersecurity work. Apply the things that you learn in classes and get as much practical experience as you can. Start implementing free cybersecurity tools in your home network and become an expert. Watch YouTube tutorials on how to set up, exploit, and secure environments. Most of all, have fun and enjoy what you are doing to learn cybersecurity concepts.

8. What do you think will be hot tech jobs in 10 years?

I think that there will continue to be many hot tech jobs in 10 years. Technology isn’t going away anytime soon, and I expect the need for professionals in the tech industry will be at its highest. We will start to see more jobs in the fields of IoT, the cloud, robotics, data science, software engineering, and cybersecurity. It’s a great time to be part of the tech industry!

Ethics Guide

White Hat, Blackballed
Howard stared at the phone waiting for the next call to come in—surprisingly, it was another few minutes before the red light flickered, the piercing ringtone was triggered, and he was rattled into action. “Hello, thank you for calling customer service . . . how can I help you today?” Every time he uttered those words, he felt a little piece of himself crumble on the inside. He didn’t know how much longer he could do this job without having a breakdown.

Howard had been working in the customer service call center for a few years. It had been a necessary financial solution for him while going to school. His ambition, however, was not serving customers but actually information security.

He was currently in his final year of an undergraduate management information systems program, and he was specializing in the security track. He’d spent a few years waffling around and testing out different majors, but luckily, he had finally found something that he could get excited about.

He loved it so much that information security actually felt more like a hobby to him than something he had to study or work at. He would never admit it to his friends, but the weekends he told them he couldn’t join them he was actually at home reading Kevin Mitnick books, testing out newfound security software, or sifting through security sites and message boards to find out the latest news from the security world. He had even checked out the dark web a few times just to see what it was all about.

However, he had started to get bored with just tinkering around on his home network. Sure, using steganography applications to hide data in images was cool at first, but after a few dozen times, it lost its luster. Packet sniffing with Wireshark had been entertaining for a while, but his home network only had a few devices connected to it, so there wasn’t much traffic to check out. He needed a bigger sandbox to test out his skills.

To liven things up, he had decided to bring his laptop to work with him so that he could start tinkering around with his security tool arsenal on the company network. It wasn’t a huge company, and the IT staff was clearly not a priority—it was a pretty small shop.

If he could find a few problems on the network and show them to his boss, maybe he could even get a job on the IT team and get out of customer service. After all, wouldn’t he basically be doing what a white hat hacker does but for free? How could this be a problem?

Source: vchal/Shutterstock

White Hat
It only took about a week for Howard to accumulate a treasure trove of data on the company network. Even though he had access to the call center Wi-Fi network as an employee, he wanted to pretend that he was an outside hacker to see if he could first gain access and then find sensitive data.

He used a method he found on YouTube to break into the Wi-Fi and then used his packet sniffing tool to start scoping things out. He quickly found out that the custom software platform that had been developed for the company’s call center had very few security measures in place. In fact, it looked like each user’s credentials were sent every few minutes in plaintext in the packet header—within about a half hour, Howard had been able to jot down the username and password of everyone that was working that shift, even the supervisor.

Once he had this list of employee credentials, he wanted to go for the crown jewels—the HR system. Based on his knowledge of the tendency for people to reuse the same password for multiple accounts, he figured a high percentage of the passwords used for the call center system would have been used for the HR platform as well.

Logging in to the HR account of his boss seemed like it would be pushing it, so he tested out the passwords for a few of his call center coworkers. Three of the five passwords worked, and he was able to log in to their HR accounts. He felt wrong checking out pay slips or looking at anything too sensitive, so he took screenshots of their contact information and added them to the archive of everything else he had documented.

Finally, he saved the files onto a USB drive. “I am going to be a hero!” he said to himself as he walked down the hall to talk to his supervisor. As he turned the corner, he wondered how much more they would pay him in his new position as an IT security worker—how could they turn him down?

It took Howard all of 15 minutes to run through his impromptu presentation. He felt a rush of adrenaline as he explained, step-by-step, how he had compromised the network, scooped up user credentials, and, ultimately, found his way into multiple HR accounts.

In his excitement, he failed to notice the evolution of his supervisor’s demeanor from inconvenienced to annoyed to irate. Howard closed his presentation by asking for the supervisor to consider him the next time a spot on the IT staff became available. He was completely blindsided by his supervisor’s response:

“Howard, I am not sure you understand the gravity of this situation. Do we want our company to be safe and secure—of course! And we can and will take your analysis to the IT group to have them shore up some of these vulnerabilities. However, the nature of what you have done is very serious.

“First, you spent company time to play hacker, and that is not what we are paying you to do. Second, you violated the privacy of multiple fellow employees by logging into their HR accounts, and even though you only took screenshots of relatively benign information, there is no way for me to know that you weren’t looking at more sensitive areas. Third, you dropped all of this information, including your methods, onto a USB drive. What happens if someone takes this from you or if you drop it in the parking lot on your way out? You have created a hacking care package for someone else that could potentially use this info to inflict serious damage!

“I am going to have to ask you to leave for the day and to not return until I talk with management—I need to think about this more, but I am afraid you may have compromised your job here.”

Howard couldn’t believe what he was hearing. He was just trying to practice his security skills but also help the company by pointing out where it had vulnerabilities—he was trying to protect the company! It’s not like he broke the law, and as far as he could tell, he didn’t think he had even done anything wrong according to the employee handbook. As he walked out to his car, he wondered if he would ever see this place again.

Discussion Questions

1. Consider Howard’s unsanctioned efforts to investigate and report security vulnerabilities on the company network, activities outside his role.

a. Is this behavior ethical according to the categorical imperative?

b. Is this behavior ethical according to the utilitarian perspective?

2. How do you think the employees whose records Howard accessed would react if they found out about his behavior?

3. If Howard had asked his supervisor for permission to engage in this type of behavior, do you think he would have been given permission to proceed?

4. If you were Howard’s supervisor, what would you do? What if there was nothing in the employee handbook relevant to these activities and Howard did not technically break the law? Would that change your response in this situation?

Active Review


Use this Active Review to verify that you understand the ideas and concepts that answer the lesson’s study questions.

· Q10-1 What is the goal of information systems security?

Define threat, vulnerability, safeguard, and target. Give an example of each. List three types of threats and five types of security losses. Give different examples for the three rows of Figure 10-2. Summarize each of the elements in the cells of Figure 10-3. Explain why it is difficult to know the true cost of computer crime. Explain the goal of IS security.

· Q10-2 How big is the computer security problem?

Explain why it is difficult to know the true size of the computer security problem in general and of computer crime in particular. List the takeaways in this question and explain the meaning of each.

· Q10-3 How should you respond to security threats?

Explain each of the elements in Figure 10-6. Define IDS, and explain why the use of an IDS program is sobering, to say the least. Define brute force attack and credential stuffing. Summarize the characteristics of a strong password. Explain how your identity and password do more than just open doors on your computer. Define cookie and explain why using a program like CCleaner is a good example of the computer security trade-off.

· Q10-4 How should organizations respond to security threats?

Name and describe two security functions that senior management should address. Summarize the contents of a security policy. Describe the causes of security fatigue and how to prevent it. Explain what it means to manage risk. Summarize the steps that organizations should take when balancing risk and cost.

· Q10-5 How can technical safeguards protect against security threats?

List five technical safeguards. Define identification and authentication. Describe three types of authentication. Explain how SSL/TLS works. Define firewall, and explain its purpose. Define malware and name six types of malware. Describe six ways to protect against malware. Summarize why malware is a serious problem. Explain how iMed Analytics is designed for security.

· Q10-6 How can data safeguards protect against security threats?

Define data administration and database administration, and explain the difference. List data safeguards. Explain how laws like GLBA, HIPAA, GDPR, and PCI DSS protect consumer data.

· Q10-7 How can human safeguards protect against security threats?

Summarize human safeguards for each activity in Figure 10-12. Summarize safeguards that pertain to nonemployee personnel. Describe three dimensions of safeguards for account administration. Explain how system procedures can serve as human safeguards. Describe security monitoring techniques.

· Q10-8 How should organizations respond to security incidents?

Summarize the actions that an organization should take when dealing with a security incident.

· Q10-9 2031?

What, in the opinion of the authors, is likely to happen regarding cyberwarfare in the next 10 years? Explain how the phrase cat and mouse pertains to the evolution of computer crime. Describe the types of security problems that are likely to occur in the next 10 years. Explain how the focus of computer criminals will likely change in the next 10 years. Explain how this is likely to impact smaller organizations, and you.

Using Your Knowledge with iMed Analytics
As an employee, investor, or advisor to iMed Analytics, you can use the knowledge of this lesson to understand the security threats to which any business is subject. You know the need to trade off cost versus risk. You also know three categories of safeguards and the major types of safeguards for each. And you know what it means to design for security. You can also help ensure that iMed Analytics employees and iMed users create and use strong passwords.

Using Your Knowledge


· 10-1. Credit reporting agencies are required to provide you with a free credit report each year. Most such reports do not include your credit score, but they do provide the details on which your credit score is based. Use one of the following companies to obtain your free report: Equifax, Experion, and TransUnion.

a. You should review your credit report for obvious errors. However, other checks are appropriate. Search the Web for guidance on how best to review your credit records. Summarize what you learn.

b. What actions can you take if you find errors in your credit report?

c. Define identity theft. Search the Web and determine the best course of action if someone thinks he or she has been the victim of identity theft.

· 10-2. Suppose you lose your company laptop at an airport. What should you do? Does it matter what data are stored on your disk drive? If the computer contained sensitive or proprietary data, are you necessarily in trouble? Under what circumstances should you now focus on updating your résumé for your new employer?

· 10-3. Suppose you alert your boss to the security threats discussed in Q10-1 and to the safeguards discussed in Q10-4. Suppose she says, “Very interesting. Tell me more.” In preparing for the meeting, you decide to create a list of talking points.

a. Write a brief explanation of each threat discussed in Q10-1.

b. Explain how the five components relate to safeguards.

c. Describe two to three technical, two to three data, and two to three human safeguards.

d. Write a brief description about the safeguards discussed in Q10-4.

e. List security procedures that pertain to you, a temporary employee.

f. List procedures that your department should have with regard to disaster planning.

Collaboration Exercise


Using the collaboration IS you built in Lesson 1, collaborate with a group of students to answer the following questions.

The purpose of this activity is to assess the current state of computer crime.

· 10-4. Search the Web for the term computer crime and any related terms. Identify what you and your teammates think are the five most serious recent examples. Consider no crime that occurred more than 6 months ago. For each crime, summarize the loss that occurred and the circumstances surrounding the loss, and identify safeguards that were not in place or were ineffective in preventing the crime.

 Show Answer

· 10-5. Search the Web for the term computer crime statistics and find two sources other than the Accenture surveys cited in Q10-2.

a. For each source, explain the methodology used and explain strengths and weaknesses of that methodology.

 Show Answer

b. Compare the data in the two new sources to that in Q10-2 and describe differences.

 Show Answer

c. Using your knowledge and intuition, describe why you think those differences occurred.

 Show Answer

· 10-6. Go to Accenture and download the Cost of Cyber Crime Study (or a more recent report if one is available).

a. Summarize the survey with regard to safeguards and other measures that organizations use.

 Show Answer

b. Summarize the study’s conclusions with regard to the efficacy of organizational security measures.

 Show Answer

c. Does your team agree with the conclusions in the study? Explain your answer.

 Show Answer

· 10-7. Suppose that you are asked by your boss for a summary of what your organization should do with regard to computer security. Using the knowledge of this lesson and your answer to questions 10-4 through 10-6, create a PowerPoint presentation for your summary. Your presentation should include, but not be limited to:

a. Definition of key terms

b. Summary of threats

c. Summary of safeguards

d. Current trends in computer crime

e. What senior managers should do about computer security

f. What managers at all levels should do about computer security

Case Study




In the closing months of 2014, one of the most high-profile cyberattacks to date would be reported. The attack targeted systems housed at the headquarters of Sony Pictures in Culver City, California. It was triggered by the impending release of a controversial movie that would be hitting theaters in the coming weeks (titled The Interview). The plot of the comedy movie featured criticisms of North Korean leadership and centered around an assassination attempt of Kim Jong-un by two well-known American actors.

Source: Piotr Swat/Shutterstock

The cyberattack resulted in extensive damage to Sony Pictures, including the release of highly sensitive employee data, internal email, intellectual property (e.g., unreleased films and resources for films under production), and so on. Additionally, upon seizing extensive amounts of data from Sony Pictures systems, the attackers then deployed malware to wipe vast amounts of data from the company’s computing infrastructure.

While it was logical that some entity either within or associated with North Korea was behind the attacks, making such an attribution without evidence could be perceived as speculative, irresponsible, and diplomatically damaging. Investigations were launched to follow a trail of “digital bread crumbs” to identify the origin of the attack. Roughly a month after the attack, the Federal Bureau of Investigation (FBI) found that destructive malware linked to the North Korean government had been used to carry out the attack.15

This claim was made based on similarities between the Sony Pictures malware and other malware attacks that had been carried out by other North Korean attackers as well as IP addresses used in the attack that were linked to North Korean infrastructure. Despite lingering questions about the FBI’s assessment, an emerging cybersecurity company, Crowdstrike, reaffirmed the FBI’s attribution by reporting similarities between the culprits associated with the Sony Pictures hack and attacks that had taken place against South Korea going back almost 10 years.

Striking While the Iron Is Hot


CrowdStrike was cofounded in 2011 by George Kurtz and Dmitri Alperovitch to provide a more intelligence-based and comprehensive security platform that would go beyond simple malware protection.17 While reporting on the Sony Pictures hack in 2014 was a source of exposure for the company, CrowdStrike had already been involved in a number of important operations, including assisting the U.S. government in investigations of Chinese military hackers and investigating Russian hackers accused of international intelligence gathering activities. Later, the company would be involved in linking Russian intelligence groups with accessing the Democratic National Committee’s (DNC) information systems during the 2016 presidential campaign.18

In a world increasingly dependent on technology and in which security was and continues to be a growing concern, CrowdStrike was poised for massive growth. Over the years, CrowdStrike enhanced and expanded its security solution offerings. In light of its robust lineup of tools, the company was named one of Forbes’s most promising companies, included in the Deloitte Fast 500 in 2015, featured in CNBC’s Disruptor 50 list and Forbes’s Cloud 100 list in 2017, and listed as a top place to work on numerous occasions by Forbes (in addition to many other accolades).19

The company’s growing list of products and accomplishments brought in multiple rounds of funding; by 2018 CrowdStrike was valued at $3 billion and in total had raised $481 million.20 In June 2019, the company had its initial public offering (IPO) with an initial share price listed at $34; shares closed at the final bell listed at $58, thereby raising over $600 million total.

Strike That


With CrowdStrike’s development of new products and tools and its inherently modular nature that allows customers to configure security solutions that work best for them, the company should be on a trend of sustained growth. However, in early fall of 2019, the company’s shares took a hit when President Trump mentioned CrowdStrike on a call with the Ukrainian president; it turns out the two were discussing the 2016 presidential campaign and the DNC breach.

Being a leader in the information security space has its perks, but being the go-to company called upon to get involved in nation-state-sponsored hacking investigations, cyberwar operations, and digitally based political entanglements has its risks. Will CrowdStrike be able to navigate these dangerous waters, or is it only a matter of time before they become the next target?


· 10-8. What lessons did the Sony Pictures hack teach the world about cyberwarfare?

 Show Answer

· 10-9. What advice would you give executives at CrowdStrike if they wanted to grow their business? How could they increase revenues?

 Show Answer

· 10-10. Why does CrowdStrike’s appointment to the Forbes list of best places to work point to long-term success for the company?

 Show Answer

· 10-11. What is CrowdStrike’s current stock price? How has CrowdStrike’s stock been performing over the past year? What might be driving CrowdStrike’s valuation? Also, do an Internet search to see if CrowdStrike has been involved in any political or government investigations recently. Is there any relationship between these two searches?

 Show Answer

· 10-12. The article closes by pointing out the risks of getting involved with politics, foreign affairs, and so on. If you were an executive at CrowdStrike, would you recommend avoiding involvement in these types of investigations moving forward?

 Show Answer

· 10-13. How might CrowdStrike be affected in a cyberwar? Would it be affected if a traditional kinetic war broke out? Explain your answer.

 Show Answer

· 10-14. How might an increase in the quantity and size of data breaches affect CrowdStrike’s revenue?

 Show Answer

Complete the following writing exercises

1. 10-15. Suppose you need to terminate an employee who works in your department. Summarize security protections you must take. How would you behave differently if this termination were a friendly one?

2. 10-16. Suppose you were just notified that your company has experienced a major data breach. You’ve lost customer records, including usernames, email addresses, passwords, addresses, and phone numbers for all 500,000 of your customers. Estimate the direct costs for notification, detection, escalation, remediation, and legal fees. Suppose the attackers contact you and offer to destroy all records, tell no one about the data breach, and show you how to patch the security hole. The only trick is they want to be hired as a “consultant” and have $600,000 deposited into their European bank account. Would you pay the “consulting” fee? Justify your decision.

Lesson Preview


Information systems are critical to organizational success and, like all critical assets, need to be managed responsibly. In this lesson, we will survey the management of IS and IT resources. We begin by discussing the major functions and the organization of the IS department. Then we will consider planning the use of IT/IS. Outsourcing is the process of hiring outside vendors to provide business services and related products. For our purposes, outsourcing refers to hiring outside vendors to provide information systems, products, and applications. We will examine the pros and cons of outsourcing and describe some of its risks. Finally, we will conclude this lesson by discussing the relationship of users to the IS department. In this last section, you will learn both your own and the IS department’s rights and responsibilities. We continue this discussion in 2031 with new challenges: the gig economy and automated labor.

Q11-1 What Are the Functions and Organization of the IS Department?


The major functions of the information systems department1 are as follows:

· Plan the use of IS to accomplish organizational goals and strategies.

· Manage outsourcing relationships.

· Protect information assets.

· Develop, operate, and maintain the organization’s computing infrastructure.

· Develop, operate, and maintain applications.

We will consider the first two functions in Q11-2 and Q11-3 of this lesson. The protection function was the topic of Lesson 10. The last two functions are important for IS majors but less so for other business professionals; therefore, we will not consider them in this text. To set the stage, consider the organization of the IS department.

How Is the IS Department Organized?


Figure 11-1 shows typical top-level reporting relationships. As you will learn in your management classes, organizational structure varies depending on the organization’s size, culture, competitive environment, industry, and other factors. Larger organizations with independent divisions will have a group of senior executives such as those shown here for each division. Smaller companies may combine some of these departments. Consider the structure in Figure 11-1 as typical.

Figure 11-1: Typical Senior-Level Reporting Relationships
The title of the principal manager of the IS department varies from organization to organization. A common title is chief information officer, or CIO. Other common titles are vice president of information services, director of information services, and, less commonly, director of computer services.

In Figure 11-1, the CIO, like other senior executives, reports to the chief executive officer (CEO), though sometimes these executives report to the chief operating officer (COO), who, in turn, reports to the CEO. In some companies, the CIO reports to the chief financial officer (CFO). That reporting arrangement might make sense if the primary information systems support only accounting and finance activities. In organizations such as manufacturers that operate significant nonaccounting information systems, the arrangement shown in Figure 11-1 is more common and effective.

The structure of the IS department also varies among organizations. Figure 11-1 shows a typical IS department with four groups and a data administration staff function.

Most IS departments include a Technology office that investigates new information systems technologies and determines how the organization can benefit from them. For example, today many organizations are investigating social media and elastic cloud opportunities and planning how they can use those capabilities to better accomplish their goals and objectives. An individual called the chief technology officer, or CTO, often heads the technology group. The CTO evaluates new technologies, new ideas, and new capabilities and identifies those that are most relevant to the organization. The CTO’s job requires deep knowledge of information technology and the ability to envision and innovate applications for the organization.

The next group in Figure 11-1, Operations, manages the computing infrastructure, including individual computers, in-house server farms, networks, and communications media. This group includes system and network administrators. As you will learn, an important function for this group is to monitor the user experience and respond to user problems.

The third group in the IS department in Figure 11-1 is Development. This group manages the process of creating new information systems as well as maintaining existing ones.

The size and structure of the development group depend on whether programs are developed in-house. If not, this department will be staffed primarily by business and systems analysts who work with users, operations, and vendors to acquire and install licensed software and to set up the system components around that software. If the organization develops programs in-house, then this department will include programmers, test engineers, technical writers, and other development personnel.

The last IS department group in Figure 11-1 is Outsourcing Relations. This group exists in organizations that have negotiated outsourcing agreements with other companies to provide equipment, applications, or other services. You will learn more about outsourcing later in this lesson.

Figure 11-1 also includes a Data Administration staff function. The purpose of this group is to protect data and information assets by establishing data standards and data management practices and policies.

There are many variations on the structure of the IS department shown in Figure 11-1. In larger organizations, the operations group may itself consist of several different departments. Sometimes, there is a separate group for data warehousing and data marts.

As you examine Figure 11-1, keep the distinction between IS and IT in mind. Information systems (IS) exist to help the organization achieve its goals and objectives. Information systems have the five components we have discussed throughout this text. Information technology (IT) is simply technology. It concerns the products, techniques, procedures, and designs of computer-based technology. IT must be placed into the structure of an IS before an organization can use it.

Security Officers


After Target Corp. lost 98 million customer accounts, it created a new C-level security position to help prevent these types of losses.2 Many organizations reeling from large-scale data breaches are creating similar executive security positions. A chief security officer, or CSO, manages security for all of the organization’s assets: physical plant and equipment, employees, intellectual property, and digital. The CSO reports directly to the CEO. A chief information security officer, or CISO, manages security for the organization’s information systems and information. The CISO reports to the CIO.

Both positions involve the management of staff, but they also call for strong diplomatic skills. Neither the CSO nor the CISO has line authority over the management of the activities he or she is to protect and cannot enforce compliance with the organization’s security program by direct order. Instead, they need to educate, encourage, even cajole the organization’s management into the need for compliance with the security program (discussed in Lesson 10).

What IS-Related Job Positions Exist?


IS departments provide a wide range of interesting and well-paying jobs. Many students enter the MIS class thinking that the IS departments consist only of programmers and tech support engineers. If you reflect on the five components of an information system, you can understand why this cannot be true. The data, procedures, and people components of an information system require professionals with highly developed interpersonal communications skills.

Figure 11-2 summarizes the major job positions in the IS industry. With the exception of tech support engineers and possibly test QA engineers, all of these positions require a 4-year degree. Furthermore, with the exception of programmer and test QA engineer, they all require business knowledge. In most cases, successful professionals have a degree in business. Note, too, that most positions require good verbal and written communications skills. Business, including information systems, is a social activity.

Figure 11-2: Job Positions in the Information Systems Industry



Knowledge, Skill, and Characteristics Requirements

Technical sales

Sell software, network, communications, and consulting services.

Quick learner, knowledge of product, superb professional sales skills.

Technical writer

Write program documentation, help-text, procedures, job descriptions, and training materials.

Quick learner, clear writing skills, high verbal communications skills.

Network administrator

Monitor, maintain, fix, and tune computer networks.

Diagnostic skills, in-depth knowledge of communications technologies and products.

Tech support engineer

Help users solve problems and provide training.

Communications and people skills. Product knowledge. Patience.

Systems analyst

Work with users to determine system requirements, design and develop job descriptions and procedures, and help determine system test plans.

Strong interpersonal and communications skills. Knowledge of both business and technology. Adaptable.


Design and write computer programs.

Logical thinking and design skills, knowledge of one or more programming languages.

Business intelligence analyst

Collaborate with cross-functional teams on projects, and analyze organizational data.

Excellent analytical, presentation, collaboration, database, and decision making skills.

Business analyst, IT

Work with business leaders and planners to develop processes and systems that implement business strategy and goals.

Knowledge of business planning, strategy, process management, and technology. Can deal with complexity. Sees the big picture but works with the details. Strong interpersonal and communications skills needed.

Test QA engineer

Develop test plans, design and write automated test scripts, and perform testing.

Logical thinking, basic programming, superb organizational skills, eye for detail.

Database administrator

Manage and protect database.

Diplomatic skills, database technology knowledge.

Consultant, IT

Wide range of activities: programming, testing, database design, communications and networks, project management, security and risk management, social media, and strategic planning.

Quick learner, entrepreneurial attitude, communications and people skills. Responds well to pressure. Particular knowledge depends on work.

Manager, IT

Manage teams of technical workers and manage the implementation of new systems

Management and people skills, critical thinking, very strong technical skills.

Project manager, IT

Initiate, plan, manage, monitor, and close down projects.

Management and people skills, technology knowledge. Highly organized.

Chief technology officer (CTO)

Advise CIO, executive group, and project managers on emerging technologies.

Quick learner, good communications skills, business background, deep knowledge of IT.

Chief information officer (CIO)

Manage IT departments and communicate with executive staff on IT- and IS-related matters. Member of the executive group.

Superb management skills, deep knowledge of business and technology, and good business judgment. Good communicator. Balanced and unflappable.

Chief information security officer (CISO)

Manage IS security program, protect the organization’s information systems and information, and manage IS security personnel.

Deep knowledge of security threats, protections, and emerging security threat trends. Excellent communication and diplomacy skills. Good manager.

Median salaries and approximate salary ranges for the positions discussed in Figure 11-2 are shown in Figure 11-3.3 According to the U.S. Social Security Administration, the median salary in 2018 for the average U.S. worker was $32,838.4 Salary ranges for CTO, CIO, and CISO are higher than the other positions because they require many more years of experience.

Figure 11-3: Salaries for Information Systems Jobs
Salaries for information systems jobs have a wide range. Higher salaries are for professionals with more experience, working for larger companies, and living in larger cities.5 Do not expect to begin your career at the high end of these ranges. As noted, all salaries are for positions in the United States and are shown in U.S. dollars.

(By the way, for all but the most technical positions, knowledge of a business specialty can add to your marketability. If you have the time, a dual major can be an excellent choice. Popular and successful dual majors are accounting and information systems, marketing and information systems, and management and information systems.)

Knowledge Check

Q11-2 How Do Organizations Plan the Use of IS?


We begin our discussion of IS functions with planning. Figure 11-4 lists the major IS planning functions.

Figure 11-4: Planning the Use of IS/IT

· Align information systems with organizational strategy; maintain alignment as organization changes.

· Communicate IS/IT issues to executive group.

· Develop/enforce IS priorities within the IS department.

· Sponsor steering committee.

Align Information Systems with Organizational Strategy


The purpose of an information system is to help the organization accomplish its goals and objectives. In order to do so, all information systems must be aligned with the organization’s competitive strategy.

Recall the four competitive strategies from Lesson 2. The first two strategies are that an organization can be a cost leader either across an industry or within an industry segment. Alternatively, for the second two strategies, an organization can differentiate its products or services either across the industry or within a segment. Whatever the organizational strategy, the CIO and the IS department must constantly be vigilant to align IS with it.

Maintaining alignment between IS direction and organizational strategy is a continuing process. As strategies change, as the organization merges with other organizations, as divisions are sold, IS must evolve along with the organization. As you will learn in Lesson 12, maintaining that alignment is an important role for business process management and for COBIT (Control Objectives for Information and related Technology), in particular.

Unfortunately, however, adapting IS to new versions of business processes is neither easy nor quick. For example, switching from in-house hosting to cloud hosting requires time and resources. Such a change must also be made without losing the organization’s computing infrastructure. The difficulty of adapting IS is often not appreciated in the executive suite. Without a persuasive CIO, IS can be perceived as a drag on the organization’s opportunities.

Communicate IS Issues to the Executive Group


This last observation leads to the second IS planning function in Figure 11-4. The CIO is the representative for IS and IT issues within the executive staff. The CIO provides the IS perspective during discussions of problem solutions, proposals, and new initiatives.

For example, when considering a merger, it is important that the company consider integration of information systems in the merged entities. This consideration needs to be addressed during the evaluation of the merger opportunity. Too often, such issues are not considered until after the deal has been signed. Such delayed consideration is a mistake; the costs of the integration need to be factored into the economics of the purchase. Involving the CIO in high-level discussions is the best way to avoid such problems.

Develop Priorities and Enforce Them Within the IS Department


The next IS planning function in Figure 11-4 concerns priorities. The CIO must ensure that priorities consistent with the overall organizational strategy are developed and then communicated to the IS department. At the same time, the CIO must also ensure that the department evaluates proposals and projects for using new technology in light of those communicated priorities.

Read more about the perspective of a senior data officer in the Career Guide.

Technology is seductive, particularly to IS professionals. The CTO may enthusiastically claim, “By moving all our reporting services to the cloud, we can do this and this and this …” Although the statement might be true, the question that the CIO must continually ask is whether those new possibilities are consistent with the organization’s strategy and direction.

Thus, the CIO must not only establish and communicate such priorities but enforce them as well. The department must evaluate every proposal, at the earliest stage possible, as to whether it is consistent with the organization’s goals and aligned with its strategy.

Furthermore, no organization can afford to implement every good idea. Even projects that are aligned with the organization’s strategy must be prioritized. The objective of everyone in the IS department must be to develop the most appropriate systems possible, given constraints on time and money. Well-thought-out and clearly communicated priorities are essential.

Sponsor the Steering Committee


The final planning function in Figure 11-4 is to sponsor the steering committee. A steering committee is a group of senior managers from the major business functions that works with the CIO to set the IS priorities and decide among major IS projects and alternatives.

The steering committee serves an important communication function between IS and the users. In the steering committee, information systems personnel can discuss potential IS initiatives and directions with the user community. At the same time, the steering committee provides a forum for users to express their needs, frustrations, and other issues they have with the IS department.

Typically, the IS department sets up the steering committee’s schedule and agenda and conducts the meetings. The CEO and other members of the executive staff determine the membership of the steering committee.

Knowledge Check

Q11-3 What Are the Advantages and Disadvantages of Outsourcing?


Outsourcing is the process of hiring another organization to perform a service. Outsourcing is done to save costs, to gain expertise, and to free management time.

The father of modern management, Peter Drucker, is reputed to have said, “Your back room is someone else’s front room.” For instance, in most companies, running the cafeteria is not an essential function for business success; thus, the employee cafeteria is a “back room.” Google wants to be the worldwide leader in search and mobile computing hardware and applications, all supported by ever-increasing ad revenue. It does not want to be known for how well it runs cafeterias. Using Drucker’s sentiment, Google is better off hiring another company, one that specializes in food services, to run its cafeterias.

Because food service is some company’s “front room,” that company will be better able to provide a quality product at a fair price. Outsourcing to a food vendor will also free Google’s management from attention on the cafeteria. Food quality, chef scheduling, plastic fork acquisition, waste disposal, and so on, will all be another company’s concern. Google can focus on search, mobile computing, and advertising-revenue growth.

Outsourcing Information Systems


Outsourcing information systems can reduce costs, but it can also create ethical dilemmas. For more on outsourcing issues, read the Ethics Guide.

Many companies today have chosen to outsource portions of their information systems activities. Figure 11-5 lists popular reasons for doing so. Consider each major group of reasons.

Figure 11-5: Popular Reasons for Outsourcing IS Services

Management Advantages
First, outsourcing can be an easy way to gain expertise. As you’ll learn in Lesson 12, iMed Analytics wants to develop custom IoT medical device apps and a new real-time machine learning system, but no one on the staff knows the particulars of coding these types of apps. Outsourcing can be an easy and quick way to obtain that expertise.

For example, Figure 11-6 shows the top-10 highest-paid skills or experiences reported from Dice’s annual Tech Salary Survey. Note that only one of the top-10 skills in 2019 was ranked in the top 10 in 2012. Rapid changes in technology push rapid changes in demand for certain technical skills.

Figure 11-6: Top-10 Tech Skills


Skill or Experience










Apache Kafka

$ 134,557






$ 134,462





$ 133,695









$ 132,708









$ 132,497









$ 132,136








$ 131,772






$ 131,556









Amazon Redshift

$ 130,723





PaaS (Platform as a Service)

$ 130,669







Organizations developing innovative products may not have the necessary in-house technical expertise to produce them. In fact, unless they’re constantly training their current employees on the latest technology, they probably don’t have the necessary expertise. Outsourcing and strategic partnerships enable organizations to make products they wouldn’t have otherwise been able to make internally.

Another reason for outsourcing is to avoid management problems. At iMed Analytics, building a large development and test team may be more than the company needs and require management skills that neither Emily nor Jose has. Outsourcing the development function saves them from needing this expertise.

Similarly, some companies choose to outsource to save management time and attention. Emily at iMed has the skills to manage a new software development project, but she may choose not to invest the time.

Note, too, that it’s not just Emily’s time. It is also time from more senior managers who approve the purchase and hiring requisitions for that activity. And those senior managers, like Jasmine, will need to devote the time necessary to learn enough about server infrastructure to approve or reject the requisitions. Outsourcing saves both direct and indirect management time.

Cost Reduction
Other common reasons for choosing to outsource concern cost reductions. With outsourcing, organizations can obtain part-time services. Another benefit of outsourcing is to gain economies of scale. If 25 organizations develop their own payroll applications in-house, then when the tax law changes 25 different groups will have to learn the new law, change their software to meet the law, test the changes, and write the documentation explaining the changes. However, if those same 25 organizations outsource to the same payroll vendor, then that vendor can make all of the adjustments once, and the cost of the change can be amortized over all of them (thus lowering the cost that the vendor must charge).

Risk Reduction
Another reason for outsourcing is to reduce risk. First, outsourcing can cap financial risk. In a typical outsourcing contract, the outsource vendor will agree to a fixed price contract for services. This occurs, for example, when companies outsource their hardware to cloud vendors. Another way to cap financial risk is as Emily recommends: delay paying the bulk of the fee until the work is completed and the software (or other component) is working. In the first case, it reduces risk by capping the total due; in the second, it ensures that little money need be spent until the job is done.

Second, outsourcing can reduce risk by ensuring a certain level of quality or avoiding the risk of having substandard quality. A company that specializes in food service knows what to do to provide a certain level of quality. It has the expertise to ensure, for example, that only healthy food is served. So, too, a company that specializes in, say, cloud-server hosting knows what to do to provide a certain level of reliability for a given workload.

Note that there is no guarantee that outsourcing will provide a certain level of quality or quality better than could be achieved in-house. If it doesn’t outsource the cafeteria, Google might get lucky and hire only great chefs. Emily might get lucky and hire the world’s best software developer. But, in general, a professional outsourcing firm knows how to avoid giving everyone food poisoning or how to develop new mobile applications. And if that minimum level of quality is not provided, it is easier to hire another vendor than it is to fire and rehire internal staff.

Finally, organizations choose to outsource IS in order to reduce implementation risk. Hiring an outside cloud vendor reduces the risk of picking the wrong brand of hardware or the wrong virtualization software or implementing tax law changes incorrectly. Outsourcing gathers all of these risks into the risk of choosing the right vendor. Once the company has chosen the vendor, further risk management is up to that vendor.

International Outsourcing


Choosing to use an outsourcing developer in India is not unique to iMed Analytics. Many firms headquartered in the United States have chosen to outsource overseas. Microsoft and Dell, for example, have outsourced major portions of their customer support activities to companies outside the United States. India is a popular source because it has a large, well-educated, English-speaking population that will work for 20 to 30 percent of the labor cost in the United States. China and other countries are used as well. In fact, with modern telephone technology and Internet-enabled service databases, a single service call can be initiated in the United States, partially processed in India and then Singapore, and finalized by an employee in England. The customer knows only that he has been put on hold for brief periods of time.

International outsourcing is particularly advantageous for customer support and other functions that must be operational 24/7. Amazon, for example, operates customer service centers in the United States, Costa Rica, Ireland, Scotland, Germany, Italy, Beijing, Japan, and India. During the evening hours in the United States, customer service reps in India, where it is daytime, can handle the calls. When night falls in India, customer service reps in Ireland or Scotland can handle the early morning calls from the east coast of the United States. In this way, companies can provide 24/7 service without requiring employees to work night shifts.

By the way, as you learned in Lesson 1, the key protection for your job is to become someone who excels at nonroutine symbolic analysis. Someone with the ability to find innovative applications of new technology is also unlikely to lose his or her job to overseas workers.

What Are the Outsourcing Alternatives?


Organizations have found hundreds of different ways to outsource information systems and portions of information systems. Figure 11-7 organizes the major categories of alternatives according to information systems components.

 Figure 11-7: IS/IT Outsourcing Alternatives
Some organizations outsource the acquisition and operation of computer hardware. Electronic Data Systems (EDS) has been successful for more than 30 years as an outsource vendor of hardware infrastructure. Figure 11-7 shows another alternative: outsourcing the computers in the cloud via IaaS.

Acquiring licensed software, as discussed in Lesson 4 and Lesson 12, is a form of outsourcing. Rather than develop the software in-house, an organization licenses it from another vendor. Such licensing allows the software vendor to amortize the cost of software maintenance over all of the users, thus reducing that cost for all who use it. Another option is platform as a service (PaaS), which is the leasing of hardware with preinstalled operating systems as well as possibly DBMS systems. Microsoft’s Azure is one such PaaS offering.

Some organizations choose to outsource the development of software. Such outsourcing might be for an entire application, as with iMed, or it could also be for making customizations to licensed software, as is frequently done with ERP implementations.

Yet another alternative is software as a service (SaaS), in which hardware and both operating system and application software are leased. is a typical example of a company that offers SaaS.

It is also possible to outsource an entire system. PeopleSoft (now owned by Oracle) attained prominence by providing the entire payroll function as an outsourced service. In such a solution, as the arrow in Figure 11-7 implies, the vendor provides hardware, software, data, and some procedures. The company need provide only employee and work information; the payroll outsource vendor does the rest.

Finally, some organizations choose to outsource an entire business function. For years, many companies have outsourced to travel agencies the function of arranging for employee travel. Some of these outsource vendors even operate offices within the company facilities. Such agreements are much broader than outsourcing IS, but information systems are key components of the applications that are outsourced.

What Are the Risks of Outsourcing?


With so many advantages of outsourcing and so many different outsourcing alternatives, you might wonder why any company has in-house IS/IT functions. In fact, outsourcing presents significant risks, as listed in Figure 11-8.

 Figure 11-8: Outsourcing Risks
Loss of Control
The first risk of outsourcing is a loss of control. For iMed, once Emily contracts with her friend Kiaan, Kiaan is in control. At least for several weeks or months. If he makes iMed a priority project and devotes his attention and that of his employees as needed, all can work out well. On the other hand, if he obtains a larger, more lucrative contract soon after he starts iMed, schedule and quality problems can develop. Neither Emily nor Jose has any control over this eventuality. If they pay at the end, they may not lose money, but they can lose time.

For service-oriented outsourcing, say, the outsourcing of IT infrastructure, the vendor is in the driver’s seat. Each outsource vendor has methods and procedures for its service. The organization and its employees will have to conform to those procedures. For example, a hardware infrastructure vendor will have standard forms and procedures for requesting a computer, for recording and processing a computer problem, or for providing routine maintenance on computers. Once the vendor is in charge, employees must conform.

When outsourcing the cafeteria, employees have only those food choices that the vendor provides. Similarly, when obtaining computer hardware and services, the employees will need to take what the vendor supports. Employees who want equipment that is not on the vendor’s list will be out of luck.

Unless the contract requires otherwise, the outsource vendor can choose the technology that it wants to implement. If the vendor, for some reason, is slow to pick up on a significant new technology, then the hiring organization will be slow to attain benefits from that technology. An organization can find itself at a competitive disadvantage because it cannot offer the same IS services as its competitors.

Another concern is a potential loss of intellectual capital. The company may need to reveal proprietary trade secrets, methods, or procedures to the outsource vendor’s employees. As part of its normal operations, that vendor may move employees to competing organizations, and the company may lose intellectual capital as that happens. The loss need not be intellectual theft; it could simply be that the vendor’s employees learned to work in a new and better way at your company, and then they take that learning to your competitor.

Similarly, all software has failures and problems. Quality vendors track those failures and problems and fix them according to a set of priorities. When a company outsources a system, it no longer has control over prioritizing those fixes. Such control belongs to the vendor. A fix that might be critical to your organization might be of low priority to the outsource vendor.

Other problems are that the outsource vendor may change management, adopt a different strategic direction, or be acquired. When any of those changes occur, priorities may change, and an outsource vendor that was a good choice at one time might be a bad fit after it changes direction. It can be difficult and expensive to change an outsource vendor when this occurs.

The final loss-of-control risk is that the company’s CIO can become superfluous. When users need a critical service that is outsourced, the CIO must turn to the vendor for a response. In time, users learn that it is quicker to deal directly with the outsource vendor, and soon the CIO is out of the communication loop. At that point, the vendor has essentially replaced the CIO, who has become a figurehead. However, employees of the outsource vendor work for a different company, with a bias toward their employer. Critical managers will thus not share the same goals and objectives as the rest of the management team. Biased, bad decisions can result.

Benefits Outweighed by Long-Term Costs
The initial benefits of outsourcing can appear huge. A cap on financial exposure, a reduction of management time and attention, and the release of many management and staffing problems are all possible. (Most likely, outsource vendors promise these very benefits.) Outsourcing can appear too good to be true.

In fact, it can be too good to be true. For one, although a fixed cost does indeed cap exposure, it also removes the benefits of economies of scale. If iMed demand takes off and it suddenly needs 200 servers instead of 20, the using organization will pay 200 times the fixed cost of supporting one server. It is possible, however, that because of economies of scale, the costs of supporting 200 servers are far less than 10 times the costs of supporting 20 servers. If they were hosting those servers in-house, they and not the vendor would be the beneficiary.

Also, the outsource vendor may change its pricing strategy over time. Initially, an organization obtains a competitive bid from several outsource vendors. However, as the winning vendor learns more about the business and as relationships develop between the organization’s employees and those of the vendor, it becomes difficult for other firms to compete for subsequent contracts. The vendor becomes the de facto sole source and, with little competitive pressure, might increase its prices.

Another problem is that an organization can find itself paying for another organization’s mismanagement, with little knowledge that that is the case. If iMed outsources its servers, it is difficult for it to know if the vendor is well managed. The iMed investors may be paying for poor management; even worse, iMed may suffer the consequences of poor management, such as lost data. It will be very difficult for iMed to learn about such mismanagement.

No Easy Exit
The final category of outsourcing risk concerns ending the agreement. There is no easy exit. For one, the outsource vendor’s employees have gained significant knowledge of the company.

They know the server requirements in customer support, they know the patterns of usage, and they know the best procedures for downloading operational data into the data warehouse. Consequently, lack of knowledge will make it difficult to bring the outsourced service back in-house.

Also, because the vendor has become so tightly integrated into the business, parting company can be exceedingly risky. Closing down the employee cafeteria for a few weeks while finding another food vendor would be unpopular, but employees would survive. Shutting down the enterprise network for a few weeks would be impossible; the business would not survive. Because of such risk, the company must invest considerable work, duplication of effort, management time, and expense to change to another vendor. In truth, choosing an outsource vendor can be a one-way street.

At iMed, if, after the initial application development, the team decides to change development vendors, it may be very difficult to do. The new vendor will not know the application code as well as the current one who created it. It may become infeasible in terms of time and money to consider moving to another, better, lower-cost vendor.

Choosing to outsource is a difficult decision. In fact, the correct decision might not be clear, but time and events could force the company to decide.

Knowledge Check

Q11-4 What Are Your User Rights and Responsibilities?


As a future user of information systems, you have both rights and responsibilities in your relationship with the IS department. The items in Figure 11-9 list what you are entitled to receive and indicate what you are expected to contribute.

Figure 11-9: User Information Systems Rights and Responsibilities

Your User Rights


You have a right to have the computing resources you need to perform your work as proficiently as you want. You have a right to the computer hardware and programs that you need. If you process huge files for data-mining applications, you have a right to the huge disks and the fast processor that you need. However, if you merely receive email and consult the corporate Web portal, then your right is for more modest requirements (leaving the more powerful resources for those in the organization who require them).

You have a right to reliable network and Internet services. Reliable means that you can process without problems almost all of the time. It means that you never go to work wondering, “Will the network be available today?” Network problems should be a rare occurrence.

You also have a right to a secure computing environment. The organization should protect your computer and its files, and you should not normally even need to think about security. From time to time, the organization might ask you to take particular actions to protect your computer and files, and you should take those actions. But such requests should be rare and related to specific outside threats.

You have a right to participate in requirements meetings for new applications that you will use and for major changes to applications that you currently use. You may choose to delegate this right to others, or your department may delegate that right for you, but if so, you have a right to contribute your thoughts through that delegate.

You have a right to reliable systems development and maintenance. Although schedule slippages of a month or 2 months are common in many development projects, you should not have to endure schedule slippages of 6 months or more. Such slippages are evidence of incompetent systems development.

Additionally, you have a right to receive prompt attention to your problems, concerns, and complaints about information services. You have a right to have a means to report problems and to know that your problem has been received and at least registered with the IS department. You have a right to have your problem resolved, consistent with established priorities. This means that an annoying problem that allows you to conduct your work will be prioritized below another’s problem that interferes with his ability to do his job.

Finally, you have a right to effective training. It should be training that you can understand and that enables you to use systems to perform your particular job. The organization should provide training in a format and on a schedule that is convenient to you.

Your User Responsibilities


You also have responsibilities toward the IS department and your organization. Specifically, you have a responsibility to learn basic computer skills and to learn the techniques and procedures for the applications you use. You should not expect hand-holding for basic operations. Nor should you expect to receive repetitive training and support for the same issue.

Users are given a responsibility to manage critical systems. Companies have to find effective ways of motivating employees to be compliant with security policies designed to protect these critical systems. See the Security Guide.

You have a responsibility to follow security and backup procedures. This is especially important because actions that you fail to take might cause problems for your fellow employees and your organization as well as for you. In particular, you are responsible for protecting your password(s). This is important not only to protect your computer but, because of intersystem authentication, also to protect your organization’s networks and databases.

You have a responsibility for using your computer resources in a manner that is consistent with your employer’s policy. Many employers allow limited email for critical family matters while at work but discourage frequent and long casual email. You have a responsibility to know your employer’s policy and to follow it. Further, if your employer has a policy concerning use of personal mobile devices at work, you are responsible for following it.

You also have a responsibility to make no unauthorized hardware modifications to your computer and to install only authorized programs. One reason for this policy is that your IS department constructs automated maintenance programs for upgrading your computer. Unauthorized hardware and programs might interfere with these programs. Additionally, the installation of unauthorized hardware or programs can cause you problems that the IS department will have to fix.

You have a responsibility to install computer updates and fixes when asked to do so. This is particularly important for patches that concern security and backup and recovery. When asked for input to requirements for new and adapted systems, you have a responsibility to take the time necessary to provide thoughtful, complete responses. If you do not have that time, you should delegate your input to someone else.

Finally, you have a responsibility to treat information systems professionals professionally. Everyone works for the same company, everyone wants to succeed, and professionalism and courtesy will go a long way on all sides. One form of professional behavior is to learn basic computer skills so that you avoid reporting trivial problems.

Knowledge Check

Q11-5 2031?


Over the next 10 years, changes in organizational management of IS and IT resources will be driven by the factors mentioned in Lesson 1, including exponential increases in processing power, storage, bandwidth, and connectivity. As a result, most organizations have already moved most of their internal hardware infrastructure to the cloud. This shift to the cloud will alter the way organizations function.

By 2031, it may be difficult to find a single hard disk anywhere within the organization. The same might be true for applications and employees as more online applications are rented—not bought—and jobs are outsourced. What happens to an organization when everything is outside the organization? Organizational boundaries become fuzzy and potentially nonexistent. Security, privacy, and competitiveness will become even more important. Sharing and stealing confidential data will be much easier.

If workers shift from being traditional employees to being consultants in the gig economy, we could see companies becoming hypercompetitive for the best workers. Workers with the hottest skills and the best work experience could make five or 10 times as much as their contemporaries. Even now, companies that are perceived as cool places to work are attracting the most talented workers. This trend will likely accelerate by 2031.

Everyday work life will be different in 10 years, too. Consider that Amazon started using Kiva robots in 2014, and now those robots account for 20 percent of Amazon’s workforce. More than 200,000 robots work alongside 840,000 employees. And it’s not just physical labor, either. A 2019 report by Wells Fargo predicted that in the next 10 years over 200,000 banking jobs currently done by human workers will be replaced by an AI.7 Advances in AI, robotics, and natural language processing could lead to a 30 percent reduction of all finance jobs by 2031.8 By 2031, it’s likely you will be working alongside a synthetic coworker.

The 2020 global pandemic accelerated the trend toward automation and remote working. Any job that requires humans to interact is a prime candidate for automation. Studies predict that 86 percent of restaurant jobs, 76 percent of retail jobs, and 59 percent of recreation jobs will be automated within the next decade.9 And this isn’t even considering the impact on manufacturing jobs. Companies negatively affected by the global lockdown see robots and AI as less risky, less costly, and more capable than their human counterparts. In the next decade the fear of losing jobs to robots may be replaced with the comfort of knowing that robots won’t get us sick. More tech workers will be needed to manage this new synthetic workforce.

By 2031, creating and maintaining a distinct corporate culture may be increasingly difficult. Increased outsourcing, automation, and a large remote virtual workforce may make corporations much less cohesive. Employee loyalty may become a punch line at Christmas parties in 2031. In 10 years, mixed-reality devices will be commonplace. Workers will be able to virtually interact with coworkers around the world as if they were all meeting in the same room.

Future workers may be more “connected” technologically but have fewer deep personal connections or shared experiences. You can already see this phenomenon with smartphones. How many times have you seen a group of people together physically, but most of them are silently staring down at their phones? Without a shared corporate culture or identity, it may be increasingly difficult for companies to hire, train, and keep the best employees.

By 2031, organizations will need to use social media inside the organization in true Enterprise 2.0 style. They will need to effectively engage their employees via internal social media. Similarly, employees will need to effectively engage customers in a world where social media interactions have a direct impact on the bottom line. IS will be seen no longer as a hindrance to organizational strategy and growth but as a key player for gaining competitive advantage. The ubiquity of social media and mobile devices will focus attention on the role that IS can play in achieving organizational goals.

So What? Poor Data Management at Facebook

What are the primary ways in which you interact with family, friends, and colleagues? You probably use face-to-face interactions and traditional phone calls to communicate with at least some of the people in your network. However, more and more communication technologies are being developed and adopted for use in a variety of contexts. For example, Slack is an extremely popular collaboration tool used within the business world, and Discord is a popular communication tool used by millions of gamers to keep in touch and strategize during game play. It is likely that you engage with some of your contacts using Facebook, the social media juggernaut boasting more than 2.5 billion active users as of 2020.

One reason that Facebook continues to attract and retain so many users is Metcalfe’s Law, which states that the value of a network is equal to the square of the number of users connected to it. In other words, the more users there are associated with a network, the more value is offered by that network. This incentivizes new users to join. When someone is considering joining their first social network, they are most likely to choose the platform that will already have the highest number of their friends, family members, and colleagues as users because their experience on that network will provide the greatest value relative to others. However, Metcalfe’s Law doesn’t just attract new users to a site. It also attracts app developers, researchers, and businesses seeking to glean insights—and make money—off the troves of data generated by users.

Click Here to Dislike
Due to Facebook’s position as the most popular social media site in the world, countless third parties target the network for opportunities to collect data about users, their connections with others, and their interactions. Several years ago, Facebook had an extremely open model that allowed the integration of Facebook with a variety of other platforms and services (music-streaming sites, dating sites, and so forth). This integration allowed users to create accounts and log in to those sites using their Facebook accounts. Additionally, third parties developed apps for Facebook that could access the data of the people using those apps as well as the data for all of their friends.

Only recently did the company recognize the potential privacy risks of this model and finally restrict data access to only those users who had directly provided consent to third-party developers as of 2015. However, the damage had already been done: It recently came to light that a researcher had siphoned off data for more than 80 million Facebook users and then sold that data to an analytics firm prior to Facebook putting tighter data restrictions in place.10 This violation of user privacy resulted in a firestorm about Facebook’s poor data management practices and resulted in a statement that Facebook would conduct an investigation to evaluate the apps that had the ability to access user data during that time.

Source: Bildagentur-online/Ohde/Alamy Stock Photo

Pay for Play
In response to this incident, CEO and founder Mark Zuckerberg stated that Facebook had already taken steps to prevent future privacy missteps. He was later summoned to Washington, D.C., to testify before the Commerce and Judiciary Committees on Capitol Hill to explain how something like this could have happened and how something similar could be prevented in the future. However, Facebook’s reputation was already tarnished by the incident. There was an active movement calling for people to delete their Facebook accounts. The scandal also had an impact on Wall Street. Major tech stocks (e.g., Facebook, Amazon, Apple, Netflix, and Alphabet) collectively lost $397 billion of market capitalization around this time as fears grew that other top tech companies likely had similar “skeletons in their closets.”11

While Facebook’s stock will likely recover, its data management practices, and possibly its business model, will change. Some experts have speculated that Facebook will begin offering the option for users to pay a monthly fee to access the network, which would protect their data from any sort of access by advertisers or other third parties.12 It has been estimated that Facebook would need to charge roughly $7 per month from users in North America to compensate for the $82 per user that is collected in advertising revenues per user per year.13 If nothing else, this situation has sent a shock wave through the tech world regarding privacy and the risks associated with careless management of user data—and the hard and soft costs that can occur as a result of such cavalier actions.


1. To what extent are social media platforms an important part of your daily interactions? Do you use a certain social media platform because your family or friends use it? Why do you think this is the case?

 Show Answer

2. Are you one of the 87 million Facebook users who had their data shared with Cambridge Analytica? If so, did this situation bother you? Why or why not?

 Show Answer

3. During Mark Zuckerberg’s hearings on Capitol Hill, it became clear that many politicians have minimal knowledge about how Facebook operates as a business. How does this present challenges for the creation of regulations that may be put in place to ensure that Facebook and other tech companies properly manage user data?

 Show Answer

4. Why would Facebook offer a pay option? Would it be worth it to you to pay a monthly fee to access Facebook and know that your personal data would be protected? Why or why not?

 Show Answer

Security Guide

Carrot or Stick? Neither
Imagine that you are given the opportunity to sit down with a group of corporate leaders and you can ask them about their biggest cyber security concerns. What do you think their most pressing worries would be?

When most people think about cybersecurity, they often conjure up images of hooded hackers in dark basements feverishly typing code or social engineers sneaking into corporate server rooms placing network taps to gain remote access. However, these types of nefarious digital actors often do not pose the greatest risk. You may find it surprising that what concerns business leaders most are their very own employees.

A study investigating where businesses felt most vulnerable found that the top three cybersecurity concerns were inappropriate sharing of data via mobile devices, physical loss of mobile devices exposing organizations to risk, and inappropriate IT resource use by employees14; all risks introduced by internal actors.

An additional finding of this study was that at least 40 percent of businesses of every size (very small businesses, small and medium-sized businesses, and enterprise-grade businesses) reported not feeling protected from inappropriate IT use by their own employees.

Security Policies
Accordingly, one of the mechanisms by which businesses try to reduce risk is to promote more secure behavior by employees. This is often accomplished using security policies. A security policy is simply a framework of guidelines and procedures that employees in an organization are mandated to follow to ensure appropriate use of systems, data, and other technological assets.

General information security policies are often rolled out in concert with a variety of other policies, including acceptable use policies, change management policies, email/communication policies, and disaster recovery policies.15 Employees are typically required to review these policies and agree to follow them during onboarding to the organization.

However, studies investigating employee compliance with security policies indicate that compliance rates can be dangerously lax. One study reported the troubling statistics that 44 percent of companies observed employees not following security policies appropriately and that roughly 25 percent of companies did not intend to even try to enforce security policies that had been deployed.

For companies electing to try to get employees to comply, a variety of methods are used. These methods can often be categorized as either rewards or punishments (frequently called the carrot or the stick approaches). But are existing methods like the carrot or stick approach actually effective if almost half of companies report issues with employee compliance?

Source: Wright Studio/Shutterstock

What Causes Compliance?
A study was recently conducted that looked at all of the information systems research that had investigated factors that influence security policy compliance.16 The purpose of the study was to identify higher-level trends and key takeaways from the dozens of different studies that each evaluated a handful of compliance factors. (This type of study is called a meta-analysis.)

Out of 17 different factors that had been widely studied, rewards and punishments placed in the bottom four, meaning that they are least likely to result in compliant behavior. This is quite a counterintuitive finding, as many organizations rely on rewards and punishments when trying to motivate compliant behavior.

Even more surprising is the finding that some of the strongest predictors of compliance are personal attributes, like attitudes and personal norms and ethics. What is interesting about this later finding is the realization that cultivating a security-conscious culture in an organization cannot be accomplished by simply putting incentives or punitive measures in place; it requires finding and hiring the right people who have the personal characteristics that match the security norms the organization is trying to create.

What does this mean for you? First, when you enter the workforce, you will become an integral part of your organization’s security posture—your compliance with the established policies will help to minimize risk. Second, when you take on managerial roles and hire new employees, you need to pay attention to factors that would indicate that an applicant will mesh well with the security needs and culture of the organization; employees cannot simply be altered to fit the organizational mold once they have been hired and are already on the inside.

Discussion Questions

1. You may not have realized that your university has a security policy that guides how students, faculty, and staff can use technological resources. Are you familiar with this policy and what it entails? If not, track down your university’s policy and read it carefully. Is there anything in the policy that surprises you?

 Show Answer

2. Where do you think security education, training, and awareness (SETA) ranked on the list of 17 factors that can lead to security policy compliance?

 Show Answer

3. What role do you think managers and higher-level organizational leaders play in promoting compliance and thereby a secure organizational culture?

 Show Answer

4. Refer back to question 1. If you were not familiar with your university’s policy, why do you think this is the case? What recommendations would you give your university’s chief information officer (CIO) to help him or her promote awareness of policies in students as to create a more secure university culture?

 Show Answer

Career Guide

Source: Susan M. Jones, DBA, CISA, OPST, Utah State University, Data Governance Officer

· Name: Susan M. Jones, DBA, CISA, OPST

· Company: Utah State University

· Job Title: Data Governance Officer

· Education: Henley Business School, UK

1. How did you get this type of job?

Early in my finance career, I watched technology advance and enhance business operations. I quickly realized that technology would provide a competitive advantage in the job market. Employers are always interested in individuals who have complementary technology skills. As the field evolved, threats to data became a focus, and I found myself addressing data security and data privacy issues. I studied “attackers” and how they were able to get into computer systems by exploiting technology and human psychology and trust. With this knowledge, my career advanced to my current position, where I help manage risk by setting clear ground rules for data access and handling.

2. What attracted you to this field?

Honestly, what isn’t attractive about this field? The information technology (IT) field is exciting, innovative, and dynamic. IT connects every division in an organization. For example, IT connects marketing to manufacturing, reshaping not only the way we produce products but the way we market them. More than the excitement of technology, the field is attractive because of its service aspects.

3. What does a typical workday look like for you (duties, decisions, problems)?

Much of my work involves identifying data-related risks and recommending technical and administrative controls to mitigate them. My days are full of a wide range of interactions and activities, which ultimately become more management oriented than technology oriented. From the mapping of data flows to training employees about secure data collection, my daily interactions provide valuable insight into the organization and its use of data and technology.

4. What do you like most about your job?

Like others in the IT profession, I find myself learning many different business functions, legal requirements, and system controls. The more I learn, the more I can contribute to the organization. To truly accomplish our organizational mission, we need both people and technology. I enjoy that my work contributes both to the organization and to the employees.

5. What skills would someone need to do well at your job?

Project management, change management, problem-solving, and communication skills are important for success in data governance. Data governance requires accountability; thus, if these skills are combined with a desire to learn and understand, a fulfilling career with strong relationships will follow. As a personal development goal, I consciously (and continually) work to hone these skills.

6. Are education or certifications important in your field? Why?

Yes, continual learning is valuable in any profession, but especially in technology. Technology is always progressing, so train, train, train! Education and certifications are very useful for professional development and career advancement, and they are listed as a base minimum in a majority of job descriptions in my field.

7. What advice would you give to someone who is considering working in your field?

Data governance requires the coordination of many roles and organizational areas. Therefore, my advice is to take time to analyze the big picture and make connections, whether working for yourself or for a large company. It is easy to learn about a single subject, but until you truly understand how one subject can enhance another, you will not recognize your full potential.

8. What do you think will be hot tech jobs in 10 years?

Tough question—tech forecasting can be a dangerous endeavor. In the next 10 years, I expect the hot tech jobs to involve more than just technology knowledge. In my dreams, all tech jobs will require a strong knowledge of data security and an understanding of privacy.

Ethics Guide

Training your Replacement
Scott Essex sat at his desk looking through the roster of employees he managed. As he flipped through the pages, he felt a sinking feeling in his stomach. Upper management had directed him to cut his team of software developers by nearly 75 percent. This directive came as a result of a recent initiative to reduce costs by outsourcing IT department projects. As he flipped back and forth between the pages, Scott didn’t know how to identify which employees to retain and which employees to let go. All the employees brought value to the team—if they didn’t, Scott wouldn’t have hired them in the first place.

Scott flipped to the beginning of the roster and started putting stars next to the names of employees he would consider letting go. Some had worked for the company for many years. But, in spite of their time on the job, they honestly didn’t add as much value as they should relative to their pay. Conversely, there were more recent hires who had tremendous potential and were low-cost relative to other employees. Scott paused and looked up from the roster—he wasn’t sure how he was going to look these people in the eye when he told them the bad news. But he would have to do it. It was part of his job.

Then it got worse. Scott’s boss sent him a portfolio of new development projects that had to be completed in the next 3 to 6 months. How could upper management expect the usual turnaround time for these projects when 75 percent of his staff was going to be replaced with new outsourced employees—working on the other side of the planet? These new employees would know nothing about the “vibe” of his team or the intangibles that made the team run smoothly. Letting employees go was one thing. But if he didn’t get these projects completed on time, his own position could be in jeopardy.

To Train or Not to Train
The next morning, Scott walked into the office still feeling discouraged about losing so much of his team. But he felt confident in the selections he had made concerning the employees who would be staying. As long as the remaining team members could move past this process and get back to work, he figured they had a chance at sticking to the new project schedule. He walked down the hall to drop off his proposed personnel changes to his boss, Beth Birman. Beth asked him to close the door and take a seat.

Beth started the conversation. “Well, I bet you are wondering how you are going to make those new project deadlines with the employee changeover you will be managing.” Scott tried to keep his true feelings from showing on his face. He replied optimistically, “Well, it is going to be a bit hectic, but I think we can manage!”

Source: Gorodenkoff/Shutterstock

Beth smiled and retorted, “Well, you should know that I always try to take care of you. I wouldn’t put you in such a bind without a little help.” Scott wasn’t sure what she was getting at. “I’m not exactly sure what you mean,” he replied.

Beth continued, “We are going to have the employees who are being released from your team train the new outsourced employees. Training the replacements will be a condition of departing employees’ severance package. If we do this, we ensure that the new employees do not spend a month or more getting up to speed and learning their responsibilities. Doing this will ensure that the outsourced hires are fully operational within a week or so. And you should be able to meet your project deadlines.”

The rest of the meeting was a blur. Scott tried to come to terms with the fact that the employees he was about to fire would be forced to train their own replacements. If they didn’t, they would forfeit most of their severance package. “Talk about adding insult to injury,” he muttered under his breath as he walked back to his desk.

He thought about it more and more as the day progressed, and he began to be deeply unsettled by what Beth was asking him to do. How is it fair to ask someone to train the person taking his or her job? This is going to be awkward, unpleasant, and insulting, Scott thought. If corporate felt good about this decision, what else would they be willing to make departing employees do as a condition of their termination? It seemed like a slippery slope. He wondered how long it would be before he was training his own replacement. He couldn’t get his mother’s famous saying out of his head: “If you lay down with the dogs, you wake up with fleas.”

Discussion Questions

1. According to the definitions of the ethical principles defined previously in this course:

a. Do you think that forcing an employee to train his or her replacement is ethical according to the categorical imperative?

b. Do you think that forcing an employee to train his or her replacement is ethical according to the utilitarian perspective?

2. How would you feel if you were asked to train your replacement after receiving notice that you were going to be terminated by your employer? Do you think that this sets a dangerous precedent for future termination conditions?

3. Aside from the tactic proposed by Beth in this scenario, what strategies could a company use to ensure that new replacement employees are better able to fulfill their responsibilities?

4. Building on question 3, how can technology be used to improve the change management process?

Active Review


Use this Active Review to verify that you understand the ideas and concepts that answer the lesson’s study questions.

· Q11-1 What are the functions and organization of the IS department?

List the five primary functions of the IS department. Define CIO and explain the CIO’s typical reporting relationships. Name the four groups found in a typical IS department and explain the major responsibilities of each. Define CTO and explain typical CTO responsibilities. Explain the purpose of the data administration function. Define CSO and CISO and explain the differences in their responsibilities.

· Q11-2 How do organizations plan the use of IS?

Explain the importance of strategic alignment as it pertains to IS planning. Explain why maintaining alignment can be difficult. Describe the CIO’s relationship to the rest of the executive staff. Describe the CIO’s responsibilities with regard to priorities. Explain challenges to this task. Define steering committee and explain the CIO’s role with regard to it.

· Q11-3 What are the advantages and disadvantages of outsourcing?

Define outsourcing. Explain how Drucker’s statement “Your back room is someone else’s front room” pertains to outsourcing. Summarize the management advantages, cost advantages, and risks of outsourcing. Differentiate among IaaS, PaaS, and SaaS and give an example of each. Explain why international outsourcing can be particularly advantageous. Describe skills you can develop that will protect you from having your job outsourced. Summarize the outsourcing risks concerning control, long-term costs, and exit strategy.

· Q11-4 What are your user rights and responsibilities?

Explain in your own words the meaning of each of your user rights as listed in Figure 11-9. Explain in your own words the meaning of each of your user responsibilities in Figure 11-9.

· Q11-5 2031?

Explain how the adoption of the cloud may be a model for future outsourcing of applications and jobs. List some changes and developments that will have an effect on an organization’s management of IS and IT. How might the gig economy affect organizational effectiveness? Explain how robotics and automation will affect the workplace. How could the global coronavirus lockdown change perceptions of an automated workforce. Describe how virtual workers and “connected” digital devices may actually make an organization less cohesive. Explain the organizational cultural change that will affect the IS department.

Using Your Knowledge with iMed
You now know the primary responsibilities of the IS department and can understand why it may implement the standards and policies that it does. You know the planning functions of IS and how they relate to the rest of your organization. You also know the reasons for outsourcing IS services, the most common and popular outsource alternatives, and the risks of outsourcing. Finally, you know your rights and responsibilities with regard to services provided by your IS department.

The knowledge of this lesson will help you understand what needs to be done, whether you work for iMed Analytics, are a potential investor in iMed Analytics, or are an advisor to a potential investor.

Using Your Knowledge


· 11-1. According to this lesson, information systems, products, and technology are not malleable; they are difficult to change, alter, or bend. How do you think senior executives other than the CIO view this lack of malleability? For example, how do you think IS appears during a corporate merger?

· 11-2. Suppose you represent an investor group that is acquiring hospitals across the nation and integrating them into a unified system. List five potential problems and risks concerning information systems. How do you think IS-related risks compare to other risks in such an acquisition program?

· 11-3. What happens to IS when corporate direction changes rapidly? How will IS appear to other departments? What happens to IS when the corporate strategy changes frequently? Do you think such frequent changes are a greater problem to IS than to other business functions? Why or why not?

Collaboration Exercise


Using the collaboration IS you built in Lesson 1, collaborate with a group of students to answer the following questions.

Green computing is environmentally conscious computing consisting of three major components: power management, virtualization, and e-waste management. In this exercise, we focus on power.

You know, of course, that computers (and related equipment, such as printers) consume electricity. That burden is light for any single computer or printer. But consider all the computers and printers in the United States that will be running tonight, with no one in the office. Proponents of green computing encourage companies and employees to reduce power and water consumption by turning off devices when not in use.

Is this issue important? Is it just a concession to environmentalists to make computing professionals appear virtuous? Form a team and develop your own, informed opinion by considering computer use at your campus.

· 11-4. Search the Internet to determine the power requirements for typical computing and office equipment. Consider laptop computers, desktop computers, CRT monitors, LCD monitors, and printers. For this exercise, ignore server computers. As you search, be aware that a watt is a measure of electrical power. It is watts that the green computing movement wants to reduce.

 Show Answer

· 11-5. Estimate the number of each type of device in use on your campus. Use your university’s website to determine the number of colleges, departments, faculty, staff, and students. Make assumptions about the number of computers, copiers, and other types of equipment used by each.

 Show Answer

· 11-6. Using the data from items 11-4 and 11-5, estimate the total power used by computing and related devices on your campus.

 Show Answer

· 11-7. A computer that is in screensaver mode uses the same amount of power as one in regular mode. Computers that are in sleep mode, however, use much less power, say, 6 watts per hour. Reflect on computer use on your campus and estimate the amount of time that computing devices are in sleep versus screensaver or use mode. Compute the savings in power that result from sleep mode.

 Show Answer

· 11-8. Computers that are automatically updated by the IS department with software upgrades and patches cannot be allowed to go into sleep mode because if they are sleeping, they will not be able to receive the upgrade. Hence, some universities prohibit sleep mode on university computers (sleep mode is never used on servers, by the way). Determine the cost, in watts, of such a policy.

 Show Answer

·    11-9. Calculate the monthly cost, in watts, if:

a. All user computers run full time night and day.

 Show Answer

b. All user computers run full time during work hours and in sleep mode during off-hours.

 Show Answer

c. All user computers are shut off during nonwork hours.

 Show Answer

· 11-10. Given your answers to items 11-4 through 11-9, is computer power management during off-hours a significant concern? In comparison to the other costs of running a university, does this issue really matter? Discuss this question among your group and explain your answer.

 Show Answer

Case Study




Imagine that you are placed in a group of four strangers and each of you is sent to a different location in your city. Upon reaching that location, you are given an envelope that contains a task that you and your group members have been assigned to complete together. The only way that you can communicate is by using a phone that has been provided to each member of your group at your respective locations.

Now, for comparison, think about your last experience working on a group project for school. Make a list of all of the different forms of technology that you used to communicate and coordinate with your group members. Your list probably includes calendar applications, to-do lists, cell phones, text messaging, cloud storage, productivity software, email, the Internet, and more.

Source: Sundry Photography/Shutterstock

Consider the disparity between these two scenarios. The first scenario is consistent with the constraints of collaboration before the advent of the Internet, personal computers, cell phones, and so on. The second scenario is consistent with the collaboration technologies that are available to most people today. However, just because there is more technology available today relative to decades ago doesn’t mean that there still couldn’t be an even better way to work as a team.

In fact, the most high-profile collaboration tool available today has changed the way countless teams around the world interact and work together. Almost by accident, the creation of this tool even spawned a billion-dollar company—Slack.

Silver Linings


Steward Butterfield had already had quite a successful career in the tech world. He first founded a company that developed a massively multiplayer online role-playing game (MMORPG). When that project fizzled, the company pivoted and developed the photo-sharing site Flickr. His company was ultimately bought by Yahoo! in 2005, and Butterfield stayed on to serve in a management position at Yahoo! for several years. In 2009, Butterfield started a new company, again with the intention to release a new MMORPG called Glitch.17

While Butterfield’s second attempt at developing a game was again abandoned in 2012, the process of developing the game yielded an outcome that would become the silver lining of all silver linings. Development teams for the game were spread between three cities: New York, San Francisco, and Vancouver. The chat tool they had been using to collaborate was stripped down and clunky—the developers decided to invent their own collaboration platform to facilitate their work.18

Despite having no initial intention to commercialize the collaboration tool, Butterfield realized that what they’d created had potential. Rather than switching over to try to sell their platform immediately, they pushed it out to friends and colleagues at other companies for unofficial trials; the bigger the group, the better.19 After multiple rounds of revisions to the tool, it was ready to go out into the wild in 2014. Interested users were required to request an invitation to access the tool; thousands of people submitted requests on the first day. A few months later, the company rebranded itself as Slack Technologies. (Slack is actually an acronym for “Searchable Log of All Conversations and Knowledge”).

Slack Attack


Slack rapidly grew its user base over the next several years, with 140,000 daily active users in 2014 to over 1 million active daily users in 2015 and then breaking through 3 million active daily users by 2016. Shadowing this growth was extensive funding, as Slack brought in multiple rounds of funding totaling over $100 million each round, which in sum would approach $1 billion worth of investments by 2019.

Slack has continuously worked to improve its platform and expand its functionality. Today, it features channels for messaging, embedded file sharing, voice and video calls, native integrations with other platforms (Google Drive, Dropbox, Zoom, Salesforce, etc.), security and privacy controls, searchable histories, and so on.20 To gauge adoption potential, the company developed its own target indicating that it takes teams about 2,000 messages before they reach the tipping point of buying in long-term. Of the teams that reached that point, 93 percent are still using Slack.

Based on its success and upward trajectory, Slack filed for a direct listing on the New York Stock Exchange in June 2019. The reference price to begin trading was $26, and the share price topped out at $38.62 at the end of the day—a diluted valuation of $23.2 billion.21



Slack turned out to be one of the fastest-growing tech companies of all time, but can it sustain this type of rapid growth and profitability? Many tech companies offer various combinations of collaboration tools (e.g., Microsoft Teams, which leads in security and compliance), and with Slack’s creation of a new market for enterprise-level collaboration platforms, competitors are now focusing on stealing Slack’s first-mover-advantage market share.

Further, with the disruption to the economy from COVID-19, it will be more difficult for Slack to engage with large corporate clients and close deals due to travel and meeting restrictions. Future revenue projects are uncertain. Will Slack continue its string of successes, or has the company left too much slack in the line for other companies to reel in?


· 11-11. Have you tried Slack? If so, think about your experience. If not, take a few minutes to install Slack and check it out for yourself. (At a minimum, take a few minutes to browse the Slack website.) In either case, consider why it has become so popular. Be ready to share your thoughts with the class.

 Show Answer

· 11-12. Despite its wild success and growing demand, Slack continues to offer a freemium model (i.e., people can use the software for free and then pay if they want advanced features, extended access, or enterprise functionality). With an extensive customer base, why wouldn’t Slack do away with this model and charge everyone who wants to use the platform?

 Show Answer

· 11-13. Why would a company want to spend money on Slack when users likely already have access to Microsoft Office solutions and/or Google Docs? Wouldn’t these provide enough collaboration opportunities?

 Show Answer

· 11-14. Most tech companies choose to follow a conventional initial public offering (IPO) process; Slack chose a direct listing. Do some research about the differences between these two processes—why do you think Slack chose the route that it did?

 Show Answer

· 11-15. In light of the challenges that may lie ahead for Slack, what recommendations would you give executives on how to continue the company’s success?

 Show Answer

Complete the following writing exercises

· 11-16. Consider the following statement: “In many ways, choosing an outsource vendor is a one-way street.” Explain what this statement means. Do you agree with it? Why or why not? Does your answer change depending on what systems components are being outsourced? Why or why not?

· 11-17. A large multinational corporation experiences a severe data breach that results in the loss of customer data for nearly 250 million customers. The lost data included names, addresses, email addresses, passwords, credit card numbers, and dates of birth. During the first week, the entire company is in damage control mode. About 2 weeks after the data breach, the company’s board of directors starts asking who was responsible. Heads are going to roll. They want to show their customers that they are taking steps so this won’t happen again. Should they fire the CEO, CIO, CISO, CTO, database administrators, or line workers? Justify your choices.

· Lesson 12

· Information Systems Development


Lesson Preview


As a future business professional, you will be involved in the development of new technology applications for your business. You may take the lead, as Emily has been doing in developing iMed, or you might be an office manager who implements procedures and trains people in the use of systems such as iMed. Or you might become a business analyst and work as a liaison between users and technical staff. If nothing else, you may be asked to provide requirements and to test the system to ensure those requirements have been met. Whatever your role, it is important that you understand how processes and systems are developed and managed.

We begin in Q12-1 by clarifying what we’re developing and introducing three different development processes. Then, in the next series of questions, we’ll go into more detail for each. In Q12-2, we’ll discuss business process management, and in Q12-3, you’ll learn how to interpret process diagrams that you may be called upon to evaluate during your career. Next, we’ll discuss the stages of the systems development life cycle in Q12-4, and then in Q12-5 we’ll summarize the keys to successful SDLC project management. Q12-6 then presents a newer, possibly superior development process known as scrum, and we’ll wrap up this lesson in Q12-7 with a discussion of how information systems careers are likely to change between now and 2031.

Q12-1 How Are Business Processes, IS, and Applications Developed?


Many business professionals become confused when discussing business processes, information systems, and applications. You can avoid this confusion by understanding that they are different, by knowing those differences, and by realizing how they relate to each other. That knowledge will make it easier for you to appreciate the ways that processes, systems, and applications are developed and, in turn, help you be more effective as a team member on development projects.

How Do Business Processes, Information Systems, and Applications Differ and Relate?


As you learned in Lesson 2, a business process consists of one or more activities. For example, Figure 12-1 shows activities in an ordering business process: A quotation is prepared and, assuming the customer accepts those terms, the order is processed. Inventory availability is verified, customer credit is checked, special terms, if any, are approved, and then the order is processed and shipped. Each of these activities includes many tasks, some of which involve processing exceptions (only part of the order is available, for example), but those exceptions are not shown.

Figure 12-1: Activities in a Business Process and the Correlating Information Systems
The activities in a business process often involve information systems. In Figure 12-1, for example, all of the activities except Approve Special Terms use an information system. (For this example, we’ll assume that special terms are rare and approved by having a salesperson walk down the hallway to the sales manager.) Each of these information systems has the five components that we’ve repeatedly discussed. The actors or participants in the business process are the users of the information systems. They employ IS procedures to use information systems to accomplish tasks in process activities.

Each of these information systems contains a software component. Developing software nearly always involves the data component, and it often involves the specification and characteristics of hardware (e.g., mobile devices). Consequently, we define the term application to mean a combination of hardware, software, and data components that accomplishes a set of requirements. In Figure 12-1, the Customer Credit IS contains an application that processes a customer database to approve or reject credit requests.

As you can see from the example in Figure 12-1, this one business process uses four different IS. In general, we can say that a single business process relates to one or more information systems. However, notice that not all process activities use an IS; some require just manual tasks. In Figure 12-1, the Approve Special Terms activity uses no IS. Instead, as stated, salespeople walk down the hallway to ask their manager if terms are acceptable. In some cases (not in this example, however), it is possible for none of the activities to use an IS, in which case the entire business process is manual.

Now, consider any of the information systems in Figure 12-1, say, the Inventory IS. In addition to providing features and functions to verify item availability, that IS has other features that support additional business processes. For example, the Inventory IS supports the item ordering process, the item stocking process, the item backorder process, and more. So, even though we cannot see it from Figure 12-1, we can correctly infer that IS supports many business processes. Further, every IS supports at least one business process; if it did not, it would have little utility to the organization that pays for it.

We can use the terminology of Lesson 5 to summarize these statements and state that the relationship of business processes and information systems is many-to-many. One business process can potentially use many IS, and a single IS can support potentially many business processes. Furthermore, a business process is not required to use an IS, but every IS supports at least one business process. Figure 12-2 shows the process/information system relationship using an entity-relationship diagram.

Figure 12-2: Relationship of Business Processes and Information Systems

Every information system has at least one application because every IS includes a software component. We could further investigate the relationship between IS and applications, but that relationship is beyond the scope of this text.

So, to summarize:

1. Business processes, information systems, and applications have different characteristics and components.

2. The relationship of business processes to information systems is many-to-many, or N:M. A business process need not relate to any information system, but an information system relates to at least one business process.

3. Every IS has at least one application because every IS has a software component.

When you participate in development meetings, you’ll sometimes hear people confuse these terms. They’ll quickly switch back and forth among processes, systems, and applications without knowing that they’ve changed terms and contexts. With these understandings, you can add value to your team simply by clarifying these differences.

Which Development Processes Are Used for Which?


Over the years, many different techniques have been tried for the development of processes, IS, and applications. In this lesson, we’ll investigate three: business process management (BPM), systems development life cycle (SDLC), and scrum.

Developing secure applications for IoT devices is often an afterthought. Read the Security Guide to learn more.

Business process management is a technique used to create new business processes and to manage changes to existing processes. Except for startups, organizations already have processes, in one form or another, in varying levels of quality. If they did not, they wouldn’t be able to operate. Therefore, BPM is, in most cases, used to manage the evolution of existing business processes from one version to an improved version. We’ll discuss BPM in Q12-2 and Q12-3.

As shown in Figure 12-3, the systems development life cycle (SDLC) is a process that can be used to develop both information systems and applications. The SDLC achieved prominence in the 1980s when the U.S. Department of Defense required that it be used on all software and systems development projects. It is common, well known, and often used but, as you’ll learn, frequently problematic. You need to know what it is and when and when not to use it. We’ll discuss the SDLC in Q12-4 and Q12-5.

Figure 12-3: Scope of Development Processes

Development Processes





Business Processes

Information Systems


Scrum is a new development process that was created, in part, to overcome the problems that occur when using the SDLC. Scrum is generic enough that it can be used for the development (and adaptation) of business processes, information systems, and applications. We’ll discuss scrum in Q12-6.

Personnel that take the most active and important role for each of these processes are shown in Figure 12-4. A business analyst is someone who is well versed in Porter’s models (see Lesson 2) and in the organization’s strategies and who focuses, primarily, on ensuring that business processes and information systems meet the organization’s competitive strategies. As you would expect, the primary focus of a business analyst is business processes.

 Figure 12-4: Role of Development Personnel
Systems analysts are IS professionals who understand both business and information technology. They focus primarily on IS development but are involved with business analysts on the management of business processes as well. Systems analysts play a key role in moving development projects through the SDLC or scrum development process.

Applications are developed by technical personnel such as programmers, database designers, test personnel, hardware specialists, and other technical staff. Systems analysts play a key role in developing applications requirements and in facilitating the work of the programmers, testers, and users.

Because applications development involves technical details that are beyond the scope of this introductory class, we will only be peripherally concerned with applications development here. If you have a technical bent, however, you should consider these jobs because they are absolutely fascinating and are in extremely high demand.

Knowledge Check

Q12-2 How Do Organizations Use Business Process Management (BPM)?


For the purposes of this lesson, we will extend the definition of business processes that we used in Lesson 2. Here we will define a business process as a network of activities, repositories, roles, resources, and flows that interact to accomplish a business function. As stated in Lesson 2, activities are collections of related tasks that receive inputs and produce outputs. A repository is a collection of something; an inventory is a physical repository and a database is a data repository. The new terms in this definition are roles, which are collections of activities, and resources, which are people or computer applications that are assigned to roles. Finally, a flow is either a sequence flow that directs the order of activities or a data flow that shows the movement of data among activities and repositories.

To clarify these terms, think of roles as job titles. Example roles are salesperson, credit manager, inventory supervisor, and the like. Thus, an organization might assign three people (resources) to the salesperson role, or it might create an information system (resource) to perform the credit manager role.

Why Do Processes Need Management?


Business processes are not fixed in stone; they always evolve. To understand why, suppose you are a salesperson working at the company having the ordering process shown in Figure 12-1. When you joined the firm, they taught you to follow this process, and you’ve been using it for 2 years. It works fine as far as you know, so why does it need to be managed? Fundamentally, there are three reasons: to improve process quality, to adapt to changes in technology, and to adapt to changes in business fundamentals. Consider each.

Improve Process Quality
As you learned in Lesson 8, process quality has two dimensions: efficiency (use of resources) and effectiveness (accomplish strategy). The most obvious reason for changing a process is that it has efficiency or effectiveness problems. Consider a sales process. If the organization’s goal is to provide high-quality service, then if the process takes too long or if it rejects credit inappropriately, it is ineffective and needs to be changed.

With regard to efficiency, the process may use its resources poorly. For example, according to Figure 12-1, salespeople verify product availability before checking customer credit. If checking availability means nothing more than querying an information system for inventory levels, that sequence makes sense. But suppose that checking availability means that someone in operations needs not only to verify inventory levels but also to verify that the goods can be shipped to arrive on time. If the order delivery is complex, say, the order is for a large number of products that have to be shipped from three different warehouses, an hour or two of labor may be required to verify shipping schedules.

After verifying shipping, the next step is to verify credit. If it turns out the customer has insufficient credit and the order is refused, the shipping-verification labor will have been wasted. So, it might make sense to check credit before checking availability.

Similarly, if the customer’s request for special terms is disapproved, the cost of checking availability and credit is wasted. If the customer has requested special terms that are not normally approved, it might make sense to obtain approval of special terms before checking availability or credit. However, your boss might not appreciate being asked to consider special terms for orders in which the items are not available or for customers with bad credit.

As you can see, it’s not easy to determine what process structure is best. The need to monitor process quality and adjust process design, as appropriate, is one reason that processes need to be managed.

Change in Technology
Changing technology is a second reason for managing processes. For example, suppose the equipment supplier who uses the business process in Figure 12-1 invests in a new information system that enables it to track the location of trucks in real time. Suppose that with this capability the company can provide next-day availability of goods to customers. That capability will be of limited value, however, if the existing credit-checking process requires 2 days. “I can get the goods to you tomorrow, but I can’t verify your credit until next Monday” will not be satisfying to either customers or salespeople.

Thus, when new technology changes any of a process’s activities in a significant way, the entire process needs to be evaluated. That evaluation is another reason for managing processes.

Change in Business Fundamentals
A third reason for managing business processes is a change in business fundamentals. A substantial change in any of the following factors might result in the need to modify business processes:

· Market (e.g., new customer category, change in customer characteristics)

· Product lines

· Supply chain

· Company policy

· Company organization (e.g., merger, acquisition)

· Internationalization

· Business environment

To understand the implications of such changes, consider just the sequence of verifying availability and checking credit in Figure 12-1. A new category of customers could mean that the credit-check process needs to be modified; perhaps a certain category of customers is too risky to be extended credit. All sales to such customers must be cash. A change in product lines might require different ways of checking availability. A change in the supply chain might mean that the company no longer stocks some items in inventory but ships directly from the manufacturer instead.

Or the company might make broad changes to its credit policy. It might, for example, decide to accept more risk and sell to companies with lower credit scores. In this case, approval of special terms becomes more critical than checking credit, and the sequence of those two activities might need to be changed.

Of course, a merger or acquisition will mean substantial change in the organization and its products and markets, as does moving portions of the business offshore or engaging in international commerce. Finally, a substantial change in the business environment, say, the onset of a recession, might mean that credit checking becomes vitally important and needs to be moved to first in this process.

What Are BPM Activities?


The factors just discussed will necessitate changes in business processes, whether the organization recognizes that need or not. Organizations can either plan to develop and modify business processes, or they can wait and let the need for change just happen to them. In the latter case, the business will continually be in crisis, dealing with one process emergency after another.

Figure 12-5 shows the basic activities in business process management (BPM), a cyclical process for systematically creating, assessing, and altering business processes. This cycle begins by creating a model of the existing business process, called an as-is model. Then business users who are involved in the process (this could be you!), and business and systems analysts evaluate that model and make improvements. As you learned in Lesson 8, business processes can be improved by changing the structure of the process, by adding resources, or both. If the process structure is to be changed, a model of the changed process is constructed. Two common ways of adding resources to a process are to assign more people to process activities and to create or modify information systems.

 Figure 12-5: Four Stages of BPM
The second activity in the BPM process is to create components. In this activity, the team designs changes to the business process at a depth sufficient for implementation. If the business process involves new information systems or changes to existing information systems, then systems development projects are created and managed at this stage. Again, some activities involve IS, and some do not. For those that do, information systems procedures need to be created to enable users to accomplish their process tasks.

Implementing the new or changed process is the third activity in BPM. Here process actors are trained on the activities that they will perform and on the IS procedures that they will use. Converting from an existing process to a new or revised one usually meets with employee resistance, as you learned with regard to ERP implementations in Lesson 8. Thus, an important activity for you during implementation is softening that resistance. We will discuss four different conversion alternatives in Q12-4, when we discuss the SDLC. These four strategies pertain equally well to process implementation.

Once the process has been implemented, well-managed organizations don’t stop there. Instead, they create policy, procedures, and committees to continually assess business process effectiveness. The Information Systems Audit and Control Association has created a set of standard practices called COBIT (Control Objectives for Information and related Technology) that are often used in the assessment stage of the BPM cycle. Explaining these standards is beyond the scope of this discussion, but you should know that they exist. See
 for more information.

When the assessment process indicates that a significant need for change has arisen, the BPM cycle is repeated and adjusted. New process models are developed, and components are created, implemented, and assessed.

Effective BPM enables organizations to attain continuous process improvement. Like quality improvement, process improvement is never finished. Process effectiveness is constantly monitored, and processes are adjusted as and when required.

By the way, do not assume that business process management applies only to commercial, profit-making organizations. Nonprofit and government organizations have business processes just as commercial ones do, but most of these processes are service-oriented rather than revenue-oriented. Your state’s Department of Labor, for example, has a need to manage its processes, as does the Girl Scouts of America. BPM applies to all types of organizations.

Knowledge Check

Q12-3 How Is Business Process Modeling Notation (BPMN) Used to Model Processes?


One of the four stages of BPM, and arguably the most important stage, is to model business processes. Such models are the blueprint for understanding the current process and for designing new versions of processes. They also set the stage for the requirements for any information systems and applications that need to be created or adapted. If models are incomplete and incorrect, follow-on components cannot be created correctly. In this question, you will learn standard notation for creating process documentation.

Learning this standard notation is important to you because, as a business professional, you may be involved in modeling projects. Unless you become a business or systems analyst, you are unlikely to lead such a project, but as a user, you may be asked to review and approve models, and you may participate as a representative of your department or area of expertise in the creation of new models.

Need for Standard for Business Processing Notation


As stated, we define a business process as a network of activities, repositories, roles, resources, and flows that interact to accomplish a business function. This definition is commonly accepted, but unfortunately dozens of other definitions are used by other authors, industry analysts, and software products. For example, IBM, a key leader in business process management, has a product called WebSphere Business Modeler that uses a different set of terms. It has activities and resources, but it uses the term repository more broadly than we do, and it uses the term business item for data flow. Other business-modeling software products use still other definitions and terms. These differences and inconsistencies can be problematic, especially when two different organizations with two different sets of definitions must work together.

Accordingly, a software-industry standards organization called the Object Management Group (OMG) created a standard set of terms and graphical notations for documenting business processes. That standard, called Business Process Modeling Notation (BPMN), is documented at A complete description of BPMN is beyond the scope of this text. However, the basic symbols are easy to understand, and they work naturally with our definition of business process. Hence, we will use the BPMN symbols in the illustrations in the lesson. All of the diagrams in this lesson were drawn using Microsoft Visio, which includes several BPMN symbol templates. Figure 12-6 summarizes the basic BPMN symbols.

 Figure 12-6: Business Process Management Notation (BPMN) Symbols

Documenting the As-Is Business Order Process


Figure 12-7 shows the as-is, or existing, order process introduced in Figure 12-1. First, note that this process is a model, an abstraction that shows the essential elements of the process but omits many details. If it were not an abstraction, the model would be as large as the business itself. This diagram is shown in swim-lane layout. In this format, each role in the business process is given its own swim lane. In Figure 12-7, there are five roles, hence five swim lanes. All activities for a given role are shown in that role’s swim lane. Swim-lane layout simplifies the process diagram and draws attention to interactions among components of the diagram.

 Figure 12-7: Existing Order Process
Two kinds of arrows are shown. Dotted arrows depict the flow of messages and data flows. Solid arrows depict the flow or sequence of the activities in the process. Some sequence flows have data associated with them as well. According to Figure 12-7, the customer sends an RFQ (request for quotation) to a salesperson (dotted arrow). That salesperson prepares a quotation in the first activity and then (solid arrow) submits the quotation back to the customer. You can follow the rest of the process in Figure 12-7. Allocate inventory means that if the items are available, they are allocated to the customer so that they will not be sold to someone else.

Diamonds represent decisions and usually contain a question that can be answered with yes or no. Process arrows labeled Yes and No exit two of the points of the diamond. Three of the activities in the as-is diagram contain a square with a plus (+) sign. This notation means that the activity is considered to be a subprocess of this process and that it is defined in greater detail in another diagram.

One of these three subprocesses, the Check Customer Credit subprocess, is shown in Figure 12-8. Note the role named Customer Credit IS in this subprocess. In fact, this role is performed entirely by an information system, although we cannot determine that fact from this diagram. Again, each role is fulfilled by some set of resources, either people or information systems or both.

 Figure 12-8: Check Customer Credit Process
Once the as-is model has been documented, that model can then be analyzed for problems or for improvement opportunities. For example, the process shown in Figure 12-7 has a serious problem. Before you continue, examine this figure and see if you can determine what the problem is.

The problem involves allocations. The Operations Manager role allocates inventory to the orders as they are processed, and the Credit Manager role allocates credit to the customer of orders in process. These allocations are correct as long as the order is accepted. However, if the order is rejected, these allocations are not freed. Thus, inventory is allocated that will not be ordered, and credit is extended for orders that will not be processed.

One fix (many are possible) is to define an independent process for Reject Order (in Figure 12-7 that would mean placing a box with a + in the Reject Order activity) and then design the Reject Order subprocess to free allocations. Creating such a diagram is part of Exercise 12-3 in Using Your Knowledge.

Sometimes, BPMN diagrams are used to define process alternatives for discussion and evaluation. Another use is to document processes for employee training, and yet another use is to provide process requirements documentation for systems and application development. As a business professional, you may be asked to interpret and approve BPMN diagrams for any of these purposes.

Knowledge Check

Q12-4 What Are the Phases in the Systems Development Life Cycle (SDLC)?


The systems development life cycle (SDLC) is the traditional process used to develop information systems and applications. The IT industry developed the SDLC in the “school of hard knocks.” Many early projects met with disaster, and companies and systems developers sifted through the ashes of those disasters to determine what went wrong. By the 1970s, most seasoned project managers agreed on the basic tasks that need to be performed to successfully build and maintain information systems. These basic tasks are combined into phases of systems development. As stated, SDLC rose to prominence when the U.S. Department of Defense required it on government contracts.

Different authors and organizations package the tasks into different numbers of phases. Some organizations use an eight-phase process, others use a seven-phase process, and still others use a five-phase process. In this course, we will use the following five-phase process:

1. Define System

2. Determine Requirements

3. Design System Components

4. Implement System

5. Maintain System

Figure 12-9 shows how these phases are related. Development begins when a business-planning process identifies a need for a new system. This need may come from a BPM design activity, or it might come from some other business planning process. For now, suppose that management has determined, in some way, that the organization can best accomplish its goals and objectives by constructing a new information system.

 Figure 12-9: Five Phases of the Systems Development Life Cycle (SDLC)
For the potential iMed application, Dr. Greg Solomon, the owner of the business, directs his team to create a prototype. That directive will start a systems development project.

Developers in the first SDLC phase—system definition—use management’s statement of the system needs in order to begin to define the new system. (For the iMed application, this statement is based on experience with the prototype.) The resulting project plan is the input to the second phase—requirements analysis. Here, developers identify the particular features and functions of the new system. The output of that phase is a set of approved user requirements, which become the primary input used to design system components. In phase 4, developers implement, test, and install the new system.

Over time, users will find errors, mistakes, and problems. They will also develop new requirements. The description of fixes and new requirements is input into a system maintenance phase. The maintenance phase starts the process all over again, which is why the process is considered a cycle.

In the following sections, we will consider each phase of the SDLC in more detail.

Define the System


In response to the need for the new system, the organization will assign a few employees, possibly on a part-time basis, to define the new system, assess its feasibility, and plan the project. In a large organization, someone from the IS department leads the initial team, but the members of that initial team are both users and IS professionals. For small organizations and for startups like iMed, the team will be led by IS-savvy managers like Emily.

Define System Goals and Scope
As Figure 12-10 shows, the first step is to define the goals and scope of the new information system. Information systems exist to facilitate an organization’s competitive strategy by improving the quality of business processes. At this step, the development team defines the goal and purpose of the new system in terms of these reasons.

 Figure 12-10: SDLC System Definition Phase
Consider iMed. The current system is built for a health professional, but the team wants an integrated system that integrates IoT devices, users, hospitals, and uses an AI to analyze real-time data. What, exactly, does that mean? What kind of an application? How fancy of a user interface is needed? In broad strokes, what will the application do?

In other systems, the scope might be defined by specifying the users or the business processes or the organizations and healthcare providers that will be involved.

Assess Feasibility
Once we have defined the project’s goals and scope, the next step is to assess feasibility. This step answers the question “Does this project make sense?” The aim here is to eliminate obviously nonsensible projects before forming a project development team and investing significant labor.

Feasibility has four dimensions: cost, schedule, technical, and organizational. Because IS development projects are difficult to budget and schedule, cost and schedule feasibility can be only an approximate, back-of-the-envelope analysis. The purpose is to eliminate any obviously infeasible ideas as soon as possible.

Cost feasibility is an assessment of whether the anticipated benefits of the system are likely to justify the estimated development and operational costs. In some cases, it also means whether the project can realistically be done within the budget provided. Clearly, costs depend on the scope of the project. Saying we’re going to build an enterprise prototype that integrates real-time data from IoT devices, hospitals, doctors, and users doesn’t provide much for the team to go on. So, at this point, all the team can do is to make rough estimates. Given those estimates, the team can then ask, “Does this project make sense? Will we obtain sufficient return to justify these estimated costs?” At iMed, Dr. Solomon most likely asked for a prototype because he didn’t like the 0K to 0K range for developing the full system.

Like cost feasibility, schedule feasibility is difficult to determine because it is hard to estimate the time it will take to build the system. However, if Jose and his team determine that it will take, say, no less than 6 months to develop the system and put it into operation, Emily and Dr. Solomon can then decide if they can accept that minimum schedule. At this stage of the project, the organization should not rely on either cost or schedule estimates; the purpose of these estimates is simply to rule out any obviously unacceptable projects.

Technical feasibility refers to whether existing information technology is likely to be able to meet the needs of the new system. With regard to the iMed prototype, the team would assess technical differences between the current prototype and the IoT devices they want to support. For example, can iMed pull data from a smart blood pressure monitor, analyze it, and send it to a doctor in the form of a shiny dashboard?

Finally, organizational feasibility concerns whether the new system fits within the organization’s customs, culture, charter, or legal requirements. Dr. Solomon, the founder of iMed analytics, may be overestimating the willingness of medical doctors to adopt iMed. Doctors may resist adopting iMed due to patient privacy concerns. The iMed team will also have to consider the legal requirements of transferring medical data between multiple organizations.

Form a Project Team
If the defined project is determined to be feasible, the next step is to form the project team. Normally the team consists of both IS professionals and user representatives. The project manager and IS professionals can be in-house personnel or outside contractors as described in Lesson 11.

Typical personnel on a development team are a manager (or managers for larger projects), business analysts, systems analysts, programmers, software testers, and users.

Systems analysts are closer to IT and are a bit more technical than business analysts, though, as stated, there is considerable overlap in their duties and responsibilities. Both are active throughout the systems development process and play a key role in moving the project through it. Business analysts work more with managers and executives; systems analysts integrate the work of the programmers, testers, and users. Depending on the nature of the project, the team may also include hardware and communications specialists, database designers and administrators, and other IT specialists.

The team composition changes over time. During requirements definition, the team will be heavy with business and systems analysts. During design and implementation, it will be heavy with programmers, testers, and database designers. During integrated testing and conversion, the team will be augmented with testers and business users.

User involvement is critical throughout the system development process. Depending on the size and nature of the project, users are assigned to the project either full or part time. Sometimes users are assigned to oversight committees that meet periodically, especially at the completion of project phases and other milestones. Users are involved in many different ways. The important point is for users to have active involvement and to take ownership of the project throughout the entire development process.

The first major task for the assembled team is to plan the project. Team members specify tasks to be accomplished, assign personnel, determine task dependencies, and set schedules.

Determine Requirements


Determining the system’s requirements is the most important phase in the SDLC process. If the requirements are wrong, the system will be wrong. If the requirements are determined completely and correctly, then design and implementation will be easier and more likely to result in success.

Sources of Requirements
Examples of requirements are the contents and the format of Web pages and the functions of buttons on those pages, the structure and content of a report, and the fields and menu choices in a data entry form. Requirements include not only what is to be produced but also how frequently and how fast it is to be done. Some requirements specify the volume of data to be stored and processed.

If you take a course in systems analysis and design, you will spend weeks learning techniques for determining requirements. Here, we will just summarize that process. Typically, systems analysts interview users and record the results in some consistent manner. Good interviewing skills are crucial; users are notorious for being unable to describe what they want and need. Users also tend to focus on the tasks they are performing at the time of the interview. Tasks performed at the end of the quarter or end of the year are forgotten if the interview takes place mid-quarter. Seasoned and experienced systems analysts know how to conduct interviews to bring such requirements to light.

As listed in Figure 12-11, sources of requirements include existing systems as well as the Web pages, forms, reports, queries, and application features and functions desired in the new system. Security is another important category of requirements.

Figure 12-11: SDLC: Requirements Analysis Phase
If the new system involves a new database or substantial changes to an existing database, then the development team will create a data model. As you learned in Lesson 5, that model must reflect the users’ perspective on their business and business activities. Thus, the data model is constructed on the basis of user interviews and must be validated by those users.

Sometimes, the requirements determination is so focused on the software and data components that other components are forgotten. Experienced project managers ensure consideration of requirements for all five IS components, not just for software and data. Regarding hardware, the team might ask: Are there special needs or restrictions on hardware? Is there an organizational standard governing what kinds of hardware may or may not be used? Must the new system use existing hardware? What requirements are there for communications and network hardware?

Similarly, the team should consider requirements for procedures and personnel: Do accounting controls require procedures that separate duties and authorities? Are there restrictions that some actions can be taken only by certain departments or specific personnel? Are there policy requirements or union rules that restrict activities to certain categories of employees? Will the system need to interface with information systems from other companies and organizations? In short, requirements for all of the components of the new information system need to be considered.

These questions are examples of the kinds of questions that must be asked and answered during requirements analysis.

Role of a Prototype
Because requirements are difficult to specify, building a working prototype can be quite beneficial. Whereas future systems users often struggle to understand and relate to requirements expressed as word descriptions and sketches, working with a prototype provides direct experience. As they work with a prototype, users will assess usability and remember features and functions they have forgotten to mention. Additionally, prototypes provide evidence to assess the system’s technical and organizational feasibility. Further, prototypes create data that can be used to estimate both development and operational costs.

To be useful, a prototype needs to work; mock-ups of forms and reports, while helpful, will not generate the benefits just described. The prototype needs to put the user into the experience of employing the system to do his or her tasks.

Prototypes can be expensive to create; however, this expense is often justified not only for the greater clarity and completeness of requirements but also because parts of the prototype can often be reused in the operational system. Much of the code created for the initial iMed prototype can be reused for later integration of additional IoT devices, hospitals, and applications.

Unfortunately, systems developers face a dilemma when funding prototypes; the cost of the prototype occurs early in the process, sometimes well before full project funding is available. A common complaint is “We need the prototype to get the funds, and we need the funds to get the prototype.” Unfortunately, no uniform solution to this dilemma exists, except applying experience guided by intuition. Again, we see the need for nonroutine problem-solving skills.

Approve Requirements
Once the requirements have been specified, the users must review and approve them before the project continues. The easiest and cheapest time to alter the information system is in the requirements phase. Changing a requirement at this stage is simply a matter of changing a description. Changing a requirement in the implementation phase may require weeks of reworking applications components and the database structure.

Design System Components


Each of the five components is designed in this stage. Typically, the team designs each component by developing alternatives, evaluating each of those alternatives against the requirements, and then selecting from among those alternatives. Accurate requirements are critical here; if they are incomplete or wrong, then they will be poor guides for evaluation.

Figure 12-12 shows that design tasks pertain to each of the five IS components. For hardware, the team determines specifications for what the system will need. (The team is not designing hardware in the sense of building a CPU or a disk drive.) Program design depends on the source of the programs. For off-the-shelf software, the team must determine candidate products and evaluate them against the requirements. For off-the-shelf with alteration programs, the team identifies products to be acquired off-the-shelf and then determines the alterations required. For custom-developed programs, the team produces design documentation for writing program code.

Figure 12-12: SDLC: Component Design Phase
If the project includes constructing a database, then during this phase database designers convert the data model to a database design using techniques such as those described in Lesson 5. If the project involves off-the-shelf programs, then little database design needs to be done; the programs will have been coded to work with a preexisting database design.

Procedure design differs, depending on whether the project is part of a BPM process or part of a systems development process. If the former, then business processes will already be designed, and all that is needed is to create procedures for using the application. If the latter, then procedures for using the system need to be developed, and it is possible that business processes that surround the system will be needed as well.

With regard to people, design involves developing job descriptions for the various roles. These descriptions will detail responsibilities, skills needed, training required, and so forth.

System Implementation


The term implementation has two meanings for us. It could mean to implement the information systems components only, or it could mean to implement the information system and the business processes that use the system. As you read the following task descriptions, keep in mind that the tasks can apply to both interpretations of implementation. Tasks in the implementation phase are to build and test system components and to convert users to the new system and possibly new business processes (see Figure 12-13).

 Figure 12-13: SDLC: Implementation Phase
Developers construct each of the components independently. They obtain, install, and test hardware. They license and install off-the-shelf programs; they write adaptations and custom programs as necessary. They construct a database and fill it with data. They document, review, and test procedures, and they create training programs. Finally, the organization hires and trains needed personnel. Once each component has been tested independently, the entire system is tested as an integrated whole.

Testing is important, time-consuming, and expensive. A test plan, which is a formal description of the system’s response to use and misuse scenarios, is written. Professional test engineers, called product quality assurance (PQA) test engineers, are hired for this task. Often, teams of these engineers are augmented by users as well.

System Conversion
Once the system has passed testing, the organization installs the new system. The term system conversion is often used for this activity because it implies the process of converting business activity from the old system to the new. Again, conversion can be to the new system only, or it can be to the new system, including new business processes.

Four types of conversion are possible: pilot, phased, parallel, and plunge. Any of the first three can be effective. In most cases, companies should avoid “taking the plunge”!

With pilot installation, the organization implements the entire system/business processes on a limited portion of the business, say, a single department. The advantage of pilot implementation is that if the system fails, the failure is contained within a limited boundary.

As the name implies, with phased installation the new system/business processes are installed in phases across the organization(s). Once a given piece works, then the organization installs and tests another piece of the system, until the entire system has been installed. Some systems are so tightly integrated that they cannot be installed in phased pieces. Such systems must be installed using one of the other techniques.

With parallel installation, the new system/business processes run parallel with the old one until the new system is tested and fully operational. Parallel installation is expensive because the organization incurs the costs of running both the existing and the new system/business processes. Users must work double time, if you will, to run both systems. Then considerable work is needed to reconcile the results of the new with the old.

The final style of conversion is plunge installation (sometimes called direct installation). With it, the organization shuts off the old system/business processes and starts the new one. If the new system/business processes fail, the organization is in trouble: Nothing can be done until either the new system/business processes are fixed or the old ones are reinstalled. Because of the risk, organizations should avoid this conversion style if possible. The one exception is if the new system is providing a new capability that will not disrupt the operation of the organization if it fails.

Figure 12-14 summarizes the tasks for each of the five components during the design and implementation phases. Use this figure to test your knowledge of the tasks in each phase.

 Figure 12-14: Design and Implementation for the Five Components

Maintain System


With regard to information systems, maintenance is a misnomer; the work done during this phase is either to fix the system so that it works correctly or to adapt it to changes in requirements.

When developing innovative applications sometimes new systems may have unintended negative consequences; see the Ethics Guide.

Figure 12-15 shows tasks during the maintenance phase. First, there needs to be a means for tracking both failures1 and requests for enhancements to meet new requirements. For small systems, organizations can track failures and enhancements using word processing documents.

Figure 12-15: SDLC: System Maintenance Phase
As systems become larger, however, and as the number of failure and enhancement requests increases, many organizations find it necessary to develop a tracking database. Such a database contains a description of the failure or enhancement. It also records who reported the problem, who will make the fix or enhancement, what the status of that work is, and whether the fix or enhancement has been tested and verified by the originator.

Typically, IS personnel prioritize system problems according to their severity. They fix high-priority items as soon as possible, and they fix low-priority items as time and resources become available.

Because an enhancement is an adaptation to new requirements, developers usually prioritize enhancement requests separate from failures. The decision to make an enhancement includes a business decision that the enhancement will generate an acceptable rate of return.

Knowledge Check

Q12-5 What Are the Keys for Successful SDLC Projects?


SDLC projects are difficult to manage. In this question we will consider five keys to success:

· Create a work breakdown structure.

· Estimate time and costs.

· Create a project plan.

· Adjust the plan via trade-offs.

· Manage development challenges.

Create a Work Breakdown Structure


The key strategy for SDLC projects is to divide and conquer. Most such projects are too large, too complicated, and the duration too long to attempt to manage them as one piece. Instead, successful project managers break the project into smaller and smaller tasks until each task is small enough to estimate and to manage. Every task should culminate in one or more results called deliverables. Examples of deliverables are documents, designs, prototypes, data models, database designs, working data entry screens, and the like. Without a defined deliverable, it is impossible to know if the task was accomplished.

Tasks are interrelated, and to prevent them from becoming a confusing morass, project teams create a work breakdown structure (WBS), which is a hierarchy of the tasks required to complete a project. The WBS for a large project is huge; it might entail hundreds or even thousands of tasks. Figure 12-16 shows the WBS for the system definition phase for a typical IS project.

Figure 12-16: Example Work Breakdown Structure (WBS)

In Figure 12-16, the overall task, System definition, is divided into Define goals and scope, Assess feasibility, Plan project, and Form project team. Each of those tasks is broken into smaller tasks until the work has been divided into small tasks that can be managed and estimated.

Estimate Time and Costs


As stated, it is exceedingly difficult to determine duration and labor requirements for many development tasks. Fred Brooks2 defined software as “logical poetry.” Like poetry, software is not made of wood or metal or plastic; it is pure thought-stuff. Some years ago, when a seasoned software developer was pressed for a schedule, he responded by asking, “What would Shakespeare have said if someone asked him how long it would take him to write Hamlet?” Another popular rejoinder is “What would a fisherman say if you ask him how long it will take to catch three fish? He doesn’t know, and neither do I.”

Organizations take a variety of approaches to this challenge. One is to avoid scheduling problems altogether and never develop systems and software in-house. Instead, they license packages, such as ERP systems, that include both business processes and information systems components. As stated in Lesson 8, even if the vendor provides workable processes, those processes will need to be integrated into the business. However, the schedule risk of integration activities is far less than those for developing processes, programs, databases, and other components.

But what if no suitable package exists? In this case, companies can admit the impossibility of scheduling a date for the completion of the entire system and take the best result they can get.

Only the loosest commitments are made regarding the date of complete and final system functionality. Project sponsors dislike this approach because they feel like they are signing a blank check, and in fact, they are. But this approach doesn’t treat fictional estimates and schedules as if they were real, which may be the only other alternative.

The third approach is to attempt to schedule the development project in spite of all the difficulties. Several different estimation techniques can be used. If the project is similar to a past project, the schedule data from that past project can be used for planning. When such similar past projects exist, this technique can produce quality schedule estimates. If there is no such past project, managers must make the best estimates they can. For computer coding, some managers estimate the number of lines of code that will need to be written and apply industry or company averages to estimate the time required. Other coding estimation techniques exist.3 Of course, lines of code and other advanced techniques estimate schedules only for software components. The schedules for processes, procedures, databases, and the other components must be estimated using different methods.

Create a Project Plan


A project plan is a list of WBS tasks, arranged to account for task dependencies, with durations and resources applied. Some tasks cannot be started or finished until other tasks are completed. You can’t, for example, put electrical wires in a house until you’ve built the walls. You can define task dependencies in planning software such as Microsoft Project, and it will arrange the plan accordingly.

Given dependencies, estimates for task duration and resource requirements are then applied to the WBS to form a project plan. Figure 12-17 shows the WBS as input to Microsoft Project, with task dependencies and durations defined. The display, called a Gantt chart, shows tasks, dates, and dependencies.

 Figure 12-17: Gantt Chart of the WBS for the Definition Phase of a Project

Source: Windows 10, Microsoft Corporation.

The user has entered all of the tasks from the WBS and has assigned each task a duration. She has also specified task dependencies, although the means she used are beyond our discussion. The two red arrows emerging from task 4, Define system boundaries, indicate that neither the Review results task nor the Assess feasibility task can begin until Define system boundaries is completed. Other task dependencies are also shown; you can learn about them in a project management class.

The critical path is the sequence of activities that determine the earliest date by which the project can be completed. Reflect for a moment on that statement: The earliest date is the date determined by considering the longest path through the network of activities. Paying attention to task dependencies, the planner will compress the tasks as much as possible. Those tasks that cannot be further compressed lie on the critical path. Microsoft Project and other project-planning applications can readily identify critical path tasks.

Figure 12-17 shows the tasks on the critical path in red. Consider the first part of the WBS. The project planner specified that task 4 cannot begin until 2 days before task 3 ends. (That’s the meaning of the red arrow emerging from task 3.) Neither task 5 nor task 8 can begin until task 4 is completed. Task 8 will take longer than tasks 5 and 6, and so task 8—not tasks 5 or 6—is on the critical path. Thus, the critical path to this point is tasks 3, 4, and 8. You can trace the critical path through the rest of the WBS by following the tasks shown in red, though the entire WBS and critical path are not shown.

Using Microsoft Project or a similar product, it is possible to assign personnel to tasks and to stipulate the percentage of time that each person devotes to a task. Figure 12-18 shows a Gantt chart for which this has been done. The notation means that Eleanore works only 25 percent of the time on task 3; Lynda and Richard work full time. Additionally, one can assign costs to personnel and compute a labor budget for each task and for the overall WBS. One can assign resources to tasks and use Microsoft Project to detect and prevent two tasks from using the same resources. Resource costs can be assigned and summed as well.

 Figure 12-18: Gantt Chart with Resources (People) Assigned

Source: Windows 10, Microsoft Corporation.

Managers can use the critical path to perform critical path analysis. First, note that if a task is on the critical path, and if that task runs late, the project will be late. Hence, tasks on the critical path cannot be allowed to run late if the project is to be delivered on time. Second, tasks not on the critical path can run late to the point at which they would become part of the critical path. Hence, up to a point, resources can be taken from noncritical path tasks to shorten tasks on the critical path. Critical path analysis is the process by which project managers compress the schedule by moving resources, typically people, from noncritical path tasks onto critical path tasks.

Adjust Plan via Trade-Offs


The project plan for the entire project results in a finish date and a total cost. In our experience in more than a dozen major development projects, the first response to a completed project plan is always “Good heavens! No way! We can’t wait that long or pay that much!” And our experience is not unusual.

Thus, the first response to a project plan is to attempt to reduce time and costs. Reductions can be made, but not out of thin air. An old adage in planning development projects is “Believe your first number.” Believe what you have estimated before your desires and wishes cloud your judgment.

So, how can schedules and costs be responsibly reduced? By considering trade-offs. A trade-off is a balancing of three critical factors: requirements, cost, and time. To understand this balancing challenge, consider the construction of something relatively simple—say, a piece of jewelry, such as a necklace, or the deck on the side of a house. The more elaborate the necklace or the deck, the more time it will take. The less elaborate, the less time it will take. Further, if we embellish the necklace with diamonds and precious gems, it will cost more. Similarly, if we construct the deck from old crates, it will be cheaper than if we construct it of clear-grained, prime Port Orford cedar.

We can summarize this situation as shown in Figure 12-19. We can trade off requirements against time and against cost. If we make the necklace simpler, it will take less time. If we eliminate the diamonds and gems, it will be cheaper. The same trade-offs exist in the construction of anything: houses, buildings, ships, furniture, and information systems.

Figure 12-19: Primary Drivers of Systems Development
The relationship between time and cost is more complicated. Normally, we can reduce time by increasing cost only to a point. For example, we can reduce the time it takes to produce a deck by hiring more laborers. At some point, however, there will be so many laborers working on the deck that they will get in one another’s way, and the time to finish the deck will actually increase. At some point, adding more people creates diseconomies of scale, the situation that occurs when adding more resources creates inefficiencies. A famous adage in the software industry is Brooks’ Law (named for the Fred Brooks discussed earlier), which states that adding more people to a late project makes it later. This occurs, in part, because new team members need to be trained by existing team members, who must be taken off productive tasks.

In some projects, we can reduce costs by increasing time. If, for example, we are required to pay laborers time and a half for overtime, we can reduce costs by eliminating overtime. If finishing the deck—by, say, Friday—requires overtime, then it may be cheaper to avoid overtime by completing the deck sometime next week. This trade-off is not always true, however. Extending the project interval means that we need to pay labor and overhead for a longer period; thus, adding more time can also increase costs.

Consider how these trade-offs pertain to information systems. We specify a set of requirements for the new information system, and we schedule labor over a period of time. Suppose the initial schedule indicates the system will be finished in 3 years. If business requirements necessitate the project be finished in 2 years, we must shorten the schedule. We can proceed in two ways: reduce the requirements or add labor. For the former, we eliminate functions and features. For the latter, we hire more staff or contract with other vendors for development services. Deciding which course to take will be difficult and risky.

Using trade-offs, the WBS plan can be modified to shorten schedules or reduce costs. But they cannot be reduced by management fiat.

Manage Development Challenges


Given the project plan and management’s endorsement and approval, the next stage is to do it. The final WBS plan is denoted as the baseline WBS. This baseline shows the planned tasks, dependencies, durations, and resource assignments. As the project proceeds, project managers can input actual dates, labor hours, and resource costs. At any point in time, planning applications can be used to determine whether the project is ahead of or behind schedule and how the actual project costs compare to baseline costs.

However, nothing ever goes according to plan, and the larger the project and the longer the development interval, the more things will violate the plan. Four critical factors need to be considered:

1. Coordination

2. Diseconomies of scale

3. Configuration control

4. Unexpected events

Development projects, especially large-scale projects, are usually organized into a variety of development groups that work independently. Coordinating the work of these independent groups can be difficult, particularly if the groups reside in different geographic locations or different countries. An accurate and complete WBS facilitates coordination, but no project ever proceeds exactly in accordance with the WBS. Delays occur, and unknown or unexpected dependencies develop among tasks.

The coordination problem is increased because software, as stated, is just thought-stuff. When constructing a new house, electricians install wiring in the walls as they exist; it is impossible to do otherwise. No electrician can install wiring in the wall as designed 6 months ago, before a change. In software, such physical constraints do not exist. It is entirely possible for a team to develop a set of application programs to process a database using an obsolete database design. When the database design was changed, all involved parties should have been notified, but this may not have occurred. Wasted hours, increased cost, and poor morale are the result.

Another problem is diseconomies of scale. The number of possible interactions among team members rises exponentially with the number of team members. Ultimately, no matter how well managed a project is, diseconomies of scale will set in.

As the project proceeds, controlling the configuration of the work product becomes difficult. Consider requirements, for example. The development team produces an initial statement of requirements. Meetings with users produce an adjusted set of requirements. Suppose an event then occurs that necessitates another version of requirements. After deliberation, assume the development team decides to ignore a large portion of the changes resulting from the event. At this point, there are four different versions of the requirements. If the changes to requirements are not carefully managed, changes from the four versions will be mixed up, and confusion and disorder will result. No one will know which requirements are the correct, current ones.

Similar problems occur with designs, program code, database data, and other system components. The term configuration control refers to a set of management policies, practices, and tools that developers use to maintain control over the project’s resources. Such resources include documents, schedules, designs, program code, test suites, and any other shared resource needed to complete the project. Configuration control is vital; a loss of control over a project’s configuration is so expensive and disruptive that it can result in termination for senior project managers.

The last major challenge to large-scale project management is unexpected events. The larger and longer the project, the greater the chance of disruption due to an unanticipated event. Critical people can change companies; even whole teams have been known to pack up and join a competitor. A hurricane may destroy an office, the company may have a bad quarter and freeze hiring just as the project is staffing up, technology will change, competitors may do something that makes the project more (or less) important, or the company may be sold and new management may change requirements and priorities.

How do you schedule these types of events into your WBS? As a project manager, you never know what strange event is heading your way. Such unanticipated events make project management challenging but also incredibly fascinating!

Knowledge Check

Q12-6 How Can Scrum Overcome the Problems of the SDLC?


The systems development life cycle (SDLC) process is falling out of favor in the systems development community, primarily for two reasons. First, the nature of the SDLC denies what every experienced developer knows to be true: systems requirements are fuzzy and always changing. They change because they need to be corrected, more is known, users change their minds about what they want after they use part of the system, business needs change, or technology offers other possibilities.

According to the SDLC, however, progress goes in a linear sequence from requirements to design to implementation. Sometimes this is called the waterfall method because the assumption is that once you’ve finished a phase, you never go back; you go over the waterfall into the pool of the next stage. Requirements are done. Then you do design. Design is done; then you implement. However, experience has shown that it just doesn’t work that way.

In the beginning, systems developers thought the SDLC might work for IS and applications because processes like the SDLC work for building physical things. If you’re going to build a runway, for example, you specify how long it needs to be, how much airplane weight the surface must support, and so forth. Then you design it, and then you build it. Here waterfall processes work.

However, business processes, information systems, and applications are not physical; as stated, they’re made of thought-stuff. They’re also social; they exist for people to inform themselves and achieve their goals. But people and social systems are incredibly malleable; they adapt. That characteristic enables humans to do many amazing things, but it also means that requirements change and the waterfall development process cannot work.

The second reason that the SDLC is falling out of favor is that it is very risky. The people for whom the system is being constructed cannot see what they have until the very end. At that point, if something is wrong, all the money and time have already been spent. Furthermore, what if, as frequently happens, the project runs out of money or time before it is completed? The result is a form of management blackmail in which the developers say, “Well, it’s not done yet, but give us another $100,000 and another 6 months, and then we’ll have it done.” If management declines, which it might because at that point, the time and money are sunk, it is left not only with the loss but also with the unmet need that caused it to start the SDLC in the first place.

In short, the SDLC assumes that requirements don’t change, which everyone who has ever been within 10 feet of a development project knows is false, and it’s very risky for the business that sponsors it.

What Are the Principles of Agile Development Methodologies?


Over the past 40 years, numerous alternatives to the SDLC have been proposed, including rapid application development, the unified process, extreme programming, scrum, and others. All of these techniques addressed the problems of the SDLC, and by the turn of the past century, their philosophy had coalesced into what has come to be known as agile development, which means a development process that conforms to the principles in Figure 12-20.

Figure 12-20: Principles of Agile (Scrum) Development

· Expect, even welcome, changes in requirements.

· Frequently deliver working version of the product.

· Work closely with customer for the duration.

· Design as you go.

· Test as you go.

· Team knows best how it’s doing/how to change.

· Can be used for business processes, information systems, and applications development.

Traditionally, agile development was thought to be done by small organizations, working on small projects. However, a 2020 study by VersionOne Inc. noted that this trend has reversed. For example, in 2006, nearly two-thirds of respondents worked for organizations with less than 100 people. By 2020, more than 50 percent of respondents worked for organizations with more than 1,000 people, and more than 25 percent worked for organizations with more than 20,000 people, as shown in Figure 12-21.4

Scrum is an agile methodology and conforms to the principles shown in Figure 12-20. While other agile methodologies are used, shown in Figure 12-22, more than 58 percent of agile projects use the scrum methodology.

Figure 12-21: Size of Organizations Using Agile (2019)
The first way in which scrum and the other agile techniques differ from the SDLC is that they expect and even welcome change. Given the nature of social systems, expect is not a surprise, but why welcome? Isn’t welcoming requirements change a bit like welcoming a good case of the flu? No, because systems are created to help organizations and people achieve their strategies, and the more the requirements change, the closer they come to facilitating strategies. The result is better and more satisfying for both the users and the development team.

Figure 12-22: Agile Methodology Used
Second, scrum and other agile development processes are designed to frequently deliver a working version of some part of the product. Frequently means 1 to 8 weeks, not longer. This frequency means that management is at risk only for whatever costs and time have been consumed in that period. And, at the end of the period, they will have some usable product piece that has at least some value to the business.

Thus, unlike the SDLC, agile techniques deliver benefits early and often. The initial benefits might be small, but they are positive and increase throughout the process. With the SDLC, no value is generated until the very end. Considering the time value of money, this characteristic alone makes agile techniques more desirable.

The third principle in Figure 12-20 is that the development team will work closely with the customer until the project ends. Someone who knows the business requirements must be available to the development team and must be able and willing to clearly express, clarify, and elaborate on requirements. Also, customers need to be available to test the evolving work product and provide guidance on how well new features work.

The fourth principle is a tough one for many developers to accept. Rather than design the complete, overall system at the beginning, only those portions of the design that are needed to complete the current work are done. Sometimes this is called just-in-time design. Designing in this way means that the design is constantly changing, and existing designs may need to be revised, along with substantial revision to the work product produced so far. On the surface, it is inefficient. However, experience has shown that far too many teams have constructed elaborate, fanciful, and complete designs that turned out to be glamorous fiction as the requirements changed.

Test as you go, the next principle, is obvious if the team is going to be delivering working versions. Testing is initially conducted among members of the team but involves the business customer as well.

Development teams know how well they’re doing. You could go into any development environment today and ask the team how it’s doing and, once team members understood you were not about to inflict a new management program on them, you would find they know their strengths, weaknesses, bottlenecks, and process problems quite well. That principle is part of agile development methodologies. At the end of every deliverable or some other (short) milestone, the team meets to assess how it’s doing and how it can improve.

Finally, agile development methodologies are generic. They can be applied to the creation of business processes, information systems, and applications. They are applicable to other team projects as well, but that subject is beyond the scope of this text.

What Is the Scrum Process?


Scrum is an agile development methodology developed by Ken Schwaber and Jeff Sutherland6 and extended by others over the past 15 years. Scrum is a rugby term and was first used for teamwork in a Harvard Business Review article written by Hirotaka Takeuchi and Ikujiro Nonaka.7 In rugby, a scrum is a gathering of a team into a circle to restart play after a foul or other interruption. Think of it as a huddle in American football.

Scrum Essentials
As stated, scrum is one type of agile development process having the specific characteristics shown in Figure 12-23. First, the process is driven by a prioritized list of requirements that is created by the users and business sponsors of the new system. Scrum work periods can be as short as 1 week but, as with all agile processes, never longer than 8. Two to 4 weeks is recommended. Each work period, the team selects the top priority items that it will commit to delivering that period. Each workday begins with a stand-up, which is a 15-minute meeting in which each team member8 states:

· What he or she has done in the past day

· What he or she will do in the coming day

· Any factors that are blocking his or her progress

Figure 12-23: Scrum Essentials

· Requirements list drives process

· Each work period (1 to 4-8 weeks):

· Select requirements to consider

· Determine tasks to perform—select requirements to deliver

· Team meets daily for 15 min (stand-up)

· What I did yesterday

· What I’m going to do today

· What’s blocking me

· Test frequently

· Paired work possible

· Minimal documentation

· Deliver (something) that works

· Evaluate team’s work process at end of period (and say thanks)

· Rinse and repeat until

· Customer says we’re done

· Out of time

· Out of money

· Three principal roles

· Product owner (business professional who represents customer)

· Scrum master

· Team members (7±2 people)

The purpose of the stand-up is to achieve accountability for team members’ progress and to give a public forum for blocking factors. Oftentimes one team member will have the expertise to help a blocked team member resolve the blocking issue.

Testing is done frequently, possibly many times per day. Sometimes the business owner of the project is involved in daily testing as well. In some cases, team members work in pairs; in paired programming, for example, two team members share the same computer and write a computer program together. Sometimes, one programmer will provide a test, and the other will either demonstrate that the code passes that test or alter the code so that it will. Then the two members switch roles. Other types of paired work are possible as well.

Minimal documentation is prepared. The result of the team’s work is not design or other documents but, rather, a working version of the requirements that were selected at the start of the scrum period.

At the end of the scrum period, the working version of the product is delivered to the customer, who can, if desired, put it to use at that time, even in its not-fully-finished state. After the product is delivered, the team meets to evaluate its own process and to make changes as needed. Team members are given an opportunity to express thanks and receive recognition for superior work at these meetings. (Review the criteria for team success in Lesson 7, and you will see how scrum adheres to the principles of a successful team.)

Figure 12-24 summarizes the scrum process.

 Figure 12-24: Scrum Process
When Are We Done?
Work continues in a repeating cycle of scrum periods until one of three conditions is met:

· The customer is satisfied with the product created and decides to accept the work product, even if some requirements are left unsatisfied.

· The project runs out of time.

· The project runs out of money.

Unlike the SDLC, if a scrum project terminates because of time or budget limitations, the customer will have some useful result for the time and money expended. It may not be the fully functioning version that was desired, but it is something that, assuming requirements are defined and prioritized correctly, can generate value for the project sponsors.

How Do Requirements Drive the Scrum Process?


Scrum is distinguished from other agile development methodologies, in part, by the way that it uses requirements to drive planning and scheduling. First, requirements are specified in a particular manner. One common format is to express requirements in terms of who does what and why.

For example, in the doctor’s version of the iMed system, a requirement was expressed as:

“As a doctor, I want to view a patient’s blood pressure records so I can make sure she is not doing too much.”


“As a doctor, I want to view a patient’s blood pressure records so I can make sure she is following her prescription.”

Each of these requirements specifies who (the doctor) does what (view a patient’s blood pressure data) and why (make sure she is following her prescription). It’s not surprising that the requirement includes who and what, but the need for why may surprise you. The purpose of the why clause of the requirement is to set a context for the value that will be delivered by the requirement. Including it increases the likelihood that the product will deliver business value and not just blindly meet the requirement.

As stated, the product owner creates requirements and prioritizes them. For example, one of the two preceding requirements will be judged higher in importance than the other. All other things being equal, the team will satisfy the higher priority requirement first. This means, too, that if the project runs out of time or money, the highest priority requirements will have been completed first.

Creating Requirements Tasks
Given a requirement, the team meets to create tasks that must be accomplished to meet that requirement. In Figure 12-24, this work is done in the Choose requirements to deliver activity.

Figure 12-25 shows eight tasks that need to be done to accomplish an example requirement. In the Choose requirements to deliver activity, tasks for additional requirements that might also be implemented in this scrum period are created.

Figure 12-25: Example Requirement and Tasks

“As a doctor, I want to view the patient’s exercise records so I can make sure she is following her prescription.”


1. Authenticate the doctor.

2. Obtain patient identifying data from doctor.

3. Determine this doctor is authorized to view this patient’s records.

4. Read the database to obtain exercise records.

5. Read the database to obtain most recent prescription record.

6. Format the data into a generic format.

7. Determine the type of mobile device the doctor is using.

8. Format the generic report into a report for that mobile device.

Tasks are created in a team meeting because the team as a whole can iterate and allow members to give feedback. One team member will think of a task that needs to be done, of which other members are not aware. Or the team member will realize that a particular task is incomplete, is doable in some other way, or doesn’t really need to be done.

Scheduling Tasks
As described so far, scrum is a good idea, one of many agile processes that might be used. What makes scrum particularly innovative, however, is the way that tasks are scheduled.

Scrum methodology recognizes that developers are terrible, even wretched, at determining how long a task will take. However, developers are quite good at determining how long something will take in comparison to something else. So, while a developer may be poor at estimating the time required to do, say, Task 2 in Figure 12-25, he or she will likely be accurate when saying that Task 2 will take twice as long as Task 1 or some other ratio.

So, according to the scrum process, once the tasks are known for a given set of requirements, the next step is to assign each task a difficulty score, called points. The easiest task has a point score of 1. A task that will take five times longer is given a point score of 5, and so on. For reasons that are beyond the scope of this discussion, points are expressed in values from a sequence of integers known as the Fibonacci sequence: {1, 2, 3, 5, 8, 13, 21, 34, 55, 89, 144, and?}. The question mark is used because any number larger than 144 is meaningless. Most likely 89 and 144 are meaningless as well. Tasks with such large point scores need to be subdivided into multiple requirements. When all tasks have received points, the points are summed to a total for the requirement.

Scrum includes several different techniques for assigning points. Team estimation and planning poker are two. You can learn more about them in The Elements of Scrum.9 The gist of these techniques is to obtain team scores by applying the team’s expertise in an iterative, feedback-generating process.

Committing to Finish Tasks
As teams work together, they will learn the total number of points of work they can accomplish each scrum period. That term is called the team’s velocity. The team uses its velocity to determine how many requirements it can commit to accomplishing in the next scrum period. Of course, during the first period, the team will not know its velocity. In that case, senior members will need to make a guess. That guess may be far off, but it will get better as the team gains experience. Unlike the SDLC, there is at least well-founded hope that, over time, estimating will improve.

Suppose the five requirements on a team’s prioritized requirements list total 125 points. If a team knows its velocity is 100 points per scrum period, it knows it cannot do all five. However, if the top four total, say, 80 points, it can commit to doing those four plus something else. In this case, the team would go back to the product owner and ask if there is a requirement lower on the priority list that can be done for the available 20 points of capacity. This estimation technique is summarized in Figure 12-26.

Figure 12-26: Summary of Scrum Estimation Techniques

1. Team assigns 1 point to simplest task.

2. Times to deliver working tasks are compared to each other and assigned points (points are Fibonacci numbers). Use:

a. Team estimation

b. Planning poker

c. Other

3. Using past experience, team computes its velocity … number of points it can accomplish per scrum period.

4. Working with product owner, team selects tasks for the upcoming scrum period, constrained by its velocity.

If you haven’t participated in software or systems development, this process may sound like so much hocus-pocus. However, it has two very important characteristics that make it not so. First, scrum is a methodology that incorporates team iteration and feedback for scheduling and tasking, which, as you know by now, is a way for a team to create something together that exceeds what each member can do individually. Second, scrum provides a framework for process learning. As a team works more and more scrum periods together, it learns better and better how to assign points, and it learns more and more what its true velocity is.

But scrum isn’t a magic bullet. It can’t guarantee that the project will produce a high-quality product, on time, and under budget. But, as an alternative to the traditional SDLC, it can limit potential financial losses and produce substantial results in just a few weeks.

Knowledge Check

Q12-7 2031?


By 2031, the way information systems are developed will have changed. In fact, it is already changing. Artificial intelligence (AI), machine learning, and deep neural networks are reshaping the way enterprise systems are developed. From a user’s perspective, it will appear that information systems are being “trained” rather than “created.” But why is this shift occurring?

Well, it’s because machines are faster and more accurate than humans when it comes to certain tasks. Writing code for a calculator that does basic addition and subtraction is easy. The mathematical rules are straightforward. Write several lines of code and you’re done. Developers who make this type of software create it line by line.

But what if the task is less clear—more abstract. For example, it is much more difficult to write software that can identify a specific face, translate content from one language to another, or determine which news stories are relevant to individual users. These types of applications are increasingly relevant and profitable. Developers are solving these types of problems via machine learning by training the system to make decisions that lead to the correct outcome. They don’t create code for it.



Take Microsoft’s new Fetch! application as an example (
). The application takes any image and identifies the correct dog breed. That sounds simple enough. But how would you program that? Microsoft developers used machine learning to train Fetch! to identify the correct dog breed.

Developers kept giving Fetch! images of different dogs and told it when it correctly identified the correct dog breed. And Fetch! learned. It created the complex algorithms that it uses to analyze images. If the developers open up the application, they see an indecipherable set of mathematical equations that are constantly changing. They can’t understand the code because it’s not code in the traditional sense.

Identifying dog breeds is fun, but so what? Well, consider what will happen when AI and machine learning are applied to robotics, drones, self-driving cars, and 3D printing. Employees in accounting, manufacturing, finance, sales, and IS will all train a system to help them with their job—or do their job. Systems will, with help from their human partners, become their own developers.

Will all coding jobs go away? No, of course not. But software developers will become more like architects rather than builders.

User-Driven Systems


What does this mean for you as a business user? Well, you will be involved in a systems development project in the next 10 years. That’s a near certainty. Software runs the world. Your current employer depends on software to keep making money. Your future employer will become even more dependent on these new types of applications. Even now, Facebook uses machine learning to determine stories in your News Feed, Google uses it to identify faces, and Microsoft Skype uses it to translate between languages.10

All management grads are going to play strong roles in developing new systems as well as managing the projects. You grew up using systems with great user experience (UX) designed into them. This experience will enable you to help create a closer alignment between processes and IS and business strategy, goals, and objectives. And later, you won’t sit in your C-level job and complacently leave systems development to others.

Industry Will Push Change


Finally, between now and 2031, the nature of the industry will change. First, as you learned in Lesson 5, the NoSQL DBMS products were not developed by existing DBMS vendors. They were developed by organizations that had unique needs and that developed software to meet those needs. The DBMS vendors caught on after the fact. In the next 10 years, we will see similar stories repeated again and again.

That’s it! You’ve reached the end of this text. Take a moment to consider how you can help your career by developing your personal brand, as described in the Career Guide.

Software vendors will find ways to make their solutions more agile using SOA and Web services, and as a result, systems and processes will be more agile and better able to adapt to changing needs. New systems will come online fast, and the limiting factor will be humans’ ability to cope. Business professionals have a key role in solving those coping problems.

In the end, user involvement will be the key to the success of systems development. Systems will depend on users to train them. Users will know how to create successful user interfaces. And users will be the ones to solve previously unknown problems. You as a business user will be the one to make a difference.

So What? Speed into the Future with 5G

Have you ever taken a long road trip that took you through a variety of landscapes, including metropolitan areas, rolling hills, mountains, or steep canyons? If so, you know firsthand that the interest level of the geography can vary from endless, gradually rolling fields (snore) to jagged cliffs and winding canyons (now we’re talking!). You may have noticed that in addition to changes in scenery, there were also changes in the availability of your cell phone service.

Stable and hasty download/upload speeds can lurch to a grinding halt almost instantly either when cell towers are no longer in range or when the topography of the region becomes more hilly or mountainous. (Few things make a road trip worse than relying on the EDGE network!) While cell service on a road trip may seem far afield from a business context, this scenario is actually quite similar to the Internet connectivity issues that can occur on many factory floors.

Consider a massive warehouse that has been converted to a large-scale production facility. The layout may contain numerous automated fabrication areas, massive shelving areas that are several stories high and filled with a variety of materials, piles of components waiting to be entered into production, and piles of finished goods waiting to be shipped out to customers. While Wi-Fi access points will be deployed around the facility in an attempt to maximize speed and coverage areas, these types of factories are often riddled with Wi-Fi cold zones due to the obstacles (e.g., machines, shelving, metal equipment) signals encounter that may not be penetrable.11

As more and more machines have Internet connectivity and automated equipment is deployed to move around the factory autonomously and communicate wirelessly, ensuring high speeds and reliable coverage areas is critical for these factories to work both efficiently and effectively.

Source: Mentalmind/Shutterstock

Enter 5G!
5G, which stands for the fifth generation of wireless technologies for cell networks, is currently being rolled out by the major telecommunications providers in the United States. 5G signals can be transmitted using either millimeter waves, mid-band, or low-band. Each of these offers different ranges and download speeds, but in general, 5G service will offer faster speeds, lower latency (i.e., better response time), and the ability to connect many more devices than previous generations.12

While these improvements will change the experience that we all have connecting our mobile devices to the Internet, there are a number of important implications for a variety of stakeholders, not just private users.

Think back to our factory struggling with inconsistent Wi-Fi speeds and dead zones. It is worth pointing out that factories have had to rely on hardwiring equipment for over a century and many still rely on it today due to the troublesome wireless connectivity issues that persist. 5G could be used internally to alleviate these issues.

5G actually requires more antennas due to its transmission of data in shorter ranges, so a factory floor would benefit from this type of close-knit technological framework. Additionally, 5G antennas would offer faster speeds more consistently due to the higher density of antennas, and it would also support the many Internet-connected devices (i.e., Internet of Things, or IoT) that are now being deployed abundantly on factory floors.13

Many experts also predict that the world of sports will be greatly impacted by the rollout of 5G. For example, sports fans often want as much information about players and teams as they can get. There will be an inevitable movement to embed sensors in just about everything, from balls and pucks to the athletes’ equipment (e.g., helmets and shoulder pads).14 5G technology is the perfect solution due to its ability to support communicating with all of these sensors and the lower latency at which it operates.

Other potential impacts on sports include the ability to allow users to select any number of camera angles or video feeds to customize how they watch games to even promoting sports betting due to the lower latencies (betting on individual plays!) and more detailed data sets that gamblers will be able to access.15

Some other areas that stand to be impacted by 5G include driverless cars with their numerous sensors and the potential to communicate with other autonomous vehicles in real time, augmented and mixed-reality applications (e.g., movies and games), healthcare applications including high-fidelity telemedicine and remote surgical procedures, and improved camera and surveillance imagery due to the improved upload speeds and lower latency.16

While some may think that 5G will just allow us to download content in less time, it is clear that there is much more at stake. High-speed and low-latency connections may transform just about everything that we do in our expanding digital world!


1. Many news articles about deploying 5G infrastructures refer to it as a race. Do you think countries stand to “win” or “lose” depending on how quickly they are able to roll out 5G capabilities? Explain.

 Show Answer

2. Not only is 5G expected to provide incredible new capabilities on its own, but it is also expected to act as a magnifier that helps other emerging technologies become even more powerful. How do you think 5G could feed the power of artificial intelligence?

 Show Answer

3. Think of three more examples of industries or processes that will benefit from the higher speeds and lower latencies offered by 5G.

 Show Answer

4. How do you think 5G could be used to improve information security?

 Show Answer

Security Guide

How many devices are connected to the Internet in your home or apartment? The answer may surprise you. It is hard to believe that most American households had just a single desktop computer with an Internet connection only 10 to 20 years ago (if they had computer or Internet access at all). Since then, the fulfillment of Moore’s Law and Metcalfe’s Law and increases in bandwidth have been catalysts for the proliferation of Internet-connected devices everywhere.

It is not uncommon today to walk into an average home to find dozens of devices connected to the Internet, including desktops, laptops, tablets, phones, game consoles, media-streaming devices, smart TVs, smart speakers, home safety devices (e.g., alarm systems, security cameras, smoke detectors, and video doorbells), baby monitors, AI assistants, appliances, and more. In addition to the core functionality of these devices, many are designed to interoperate with other Internet-connected devices to create systems and “systems of systems.” This ecosystem of connected devices, which can communicate and interoperate without human intervention, is often referred to as the Internet of Things (IoT).

IoT, Not Securi-T
Companies developing IoT products have to create devices in such a way that they can communicate efficiently with other devices without requiring complex configuration. Early adopters aren’t the only ones buying IoT devices; these products have become more mainstream, meaning that most IoT consumers lack the technical skills needed to troubleshoot problems. Subsequently, IoT devices are often designed with security as an afterthought rather than a priority. Each additional layer of security in an IoT device can slow its development and, eventually, its time to market.

As a result, IoT devices are another example of the trade-off between security and convenience (e.g., requiring a 50-character password for your online bank account is secure, but consumers won’t tolerate the inconvenience of typing in 50 characters every time that they want to check their account balance). The only overt security feature of many IoT devices is the username and password needed to access/manage the settings for the device. However, users often neglect to create new credentials when setting up devices, which can create serious vulnerabilities.

In fact, because owners often neglect to create new passwords for their devices, hackers have identified IoT devices as prime targets for the purpose of creating massive botnets of zombies (a device with an Internet connection that has been compromised by a hacker). These botnets can then be used as part of a large coordinated denial-of-service (DoS) attack. Many DoS attacks are relatively minor in scale, and most larger organizations have the countermeasures in place to stave off these attacks. However, a group of three hackers recently took botnets and DoS attacks to an entirely new level.

Meet Mirai
A college student at Rutgers University, along with two other people, developed a piece of malware that specifically targeted IoT devices to create a botnet. The initial purpose of the botnet was to give the hackers an advantage when playing the popular game Minecraft. In essence, the botnet allowed the hackers to disrupt the connection of an opponent during a game and boot them offline, resulting in a victory over that opponent. However, the hackers were so savvy in the creation of the malware, named Mirai, that the size of the botnet grew to an unprecedented level. Mirai infected tens of thousands of devices in its first few hours and then doubled in size every hour until it reached about 600,000 infections.17


Upon recognizing the power of the digital monster they had created, the hackers worked to increase the sophistication of the botnet, and a number of attacks were launched at a variety of targets. When law enforcement agencies began ramping up their investigation, the hackers published their code online, a strategy often used to weaken claims about the identities of malware creators. However, posting the code online had much more of an impact than simply creating a smoke screen. Competing hacking groups started using the code to create their own botnets. Over the next 5 months, there were more than 15,000 Mirai-related DoS attacks.

Even though the three original hackers were ultimately caught and pleaded guilty, the code lives on, and it’s anyone’s guess how long the code will be employed for nefarious purposes. The best bet for citizens is to change the passwords on IoT devices to ensure that those devices are not a part of the next big botnet attack!

Discussion Questions

1. Take a few minutes to think about your home network and your connected devices. How many IoT devices do you have? Have you created new credentials for each of them to ensure that they are not vulnerable? How might attackers gain access to these devices?

 Show Answer

2. Think about your daily interactions with technology. Think of three other examples demonstrating the trade-off between security and convenience (besides the use of a long password as described in the article).

 Show Answer

3. Why would IoT devices make good targets for attackers?

 Show Answer

4. The hackers were able to avoid jail time for their actions. Do you think their direct disruption of numerous sites and companies’ digital operations should have resulted in more serious penalties? How should the legal system apply penalties for the creation of malware that will continue to live on in spite of the hackers being caught and maybe even feeling sorry for their actions?

 Show Answer

Career Guide

Developing your Personal Brand
In the previous lessons, you read firsthand accounts from real people who have made successful careers in MIS. These unfiltered accounts explained how these people got their jobs, what attracted them to the field, what a typical workday looks like, and what they like most about their jobs. You also learned the kinds of skills and education necessary to do well in these types of jobs.

Now that you have completed this course, you also have a sense of what MIS is all about. You know the main content areas, understand the terminology, and have heard from real people who work in the field. Hopefully, this has given you a realistic view of MIS careers. If you are interested in such a career or even if you’re going into another field, it’s important to learn how to develop your personal brand.

Professionals use social media, such as LinkedIn, to build their personal brand. You may be too young, too inexperienced, and not yet unique enough to have a personal brand, but, then again, maybe not. And even if now isn’t the right time to build a personal brand, you will need to have, build, and maintain your personal brand at some point in the future if you want to be a business leader.

So, what is “building a personal brand”? It’s not embarrassing self-promotion. It’s not self-advertising, and it’s not a résumé of your recent experience. It is, instead, the means by which you conduct authentic relationships with the market for your talents and abilities. That market might be your professional colleagues, your employer, your fellow employees, your competition, or anyone who cares about what you care about.

As a business professional, how do you create authentic relationships that are less transactional and more personal? You start by realizing that the people who consume your services are not just bosses and colleagues but rather full-fledged human beings with the rich stew of complexity that all humans have. With this idea in mind, can you use social media to transform your relationships from being transactional in nature to being more personal?

Such a transformation is possible but difficult. You don’t want to share every detail of your personal life on LinkedIn or your professional blog. Few readers will care about your vacation in the Bahamas. However, they might want to know what you read while lying on the beach, why you read it, and what you learned from it—or perhaps how disappointed you were about what you didn’t learn. But your report has to be authentic.

If you’re reading Kierkegaard or Aristotle for the purpose of showing erudition on your personal blog, you missed the point. But if Kierkegaard has something interesting to say about the ethics of the latest business scandal that affects your professional interests, many readers who share those interests may want to know. And they will then have a way to approach you because of that common interest. That common interest may lead to an exciting new job opportunity, or maybe it will lead to a fulfilling new relationship, or maybe it will go nowhere. You never know.

When engaging in personal branding efforts, always be guided by your personal strategy. Consider Figure 2-12 again in light of your personal competitive strategy. What is your personal competitive advantage? Why would someone choose you, your expertise, or your work products over others? Then, with answers to these questions in mind, start building your personal brand. Again, be sure your efforts focus on creating authentic relationships and not on shameless advertising.

Source: Anatolii Babii/Alamy Stock Photo

Realize, too, that a strong personal brand is essential to some careers. For example, if you want to be an independent consultant, say, an expert on privacy and control for cloud data storage, you’ll need to invest considerable time developing and maintaining your professional brand. But whether or not it’s essential, having a strong personal brand is an asset in any field in any job. And you can be sure that if you don’t have a good personal brand, one of your competitors will.

Discussion Questions

1. Using your own words, define and describe a personal brand.

2. Describe how you could use social media (like LinkedIn) to make an existing professional contact more personal in nature while still maintaining your privacy.

3. Pick a contemporary topic of interest in your major field of study. For example, if you’re an operations major, pick something like 3D printing. (Read question 4, however, before you pick.)

a. Search the Web for opinions about the realities, contemporary uses, big issues and problems, or other interesting dimensions of your topic.

b. Find two or three experts in that topic, and go to their professional brand sites. That brand might be a blog, a Web page, a collection of articles, an SM site on Facebook or LinkedIn, or some other public statement of their professionalism.

c. Which of the sites is the best? Explain why you think so.

4. Suppose you become an expert in the topic you used in your answer to question 3. Think about your experiences in the past year that relate to that topic. It could be experiences in class, out of class with fellow students, or in conversations with roommates. It could be something that happened at your job at McDonald’s. Whatever.

a. Make a list of 10 such experiences.

b. Describe how you could use social media, including blogs, to present five of the best of those 10 experiences in a way that helps build your professional brand.

5. Reflect on your answers to questions 1–4.

a. Do you think having a personal brand is important for you? Explain why or why not. (The answer to this question may not be yes, and for good reasons.)

b. What was the most difficult task for you when formulating your answers to question 4?

c. Summarize what you have learned from this exercise about how you might get more value from your college experiences.

Ethics Guide

The Doctor is in . . . your Laptop
Mike walked into his office, closed the door, and sat down in the tufted leather chair behind his desk. He couldn’t have expected the meeting to go any better than it did—he now realized that all of the preparation had paid off. He had just finished pitching a proposal that outlined how his medical practice should pivot mainly to telemedicine. As one of the youngest doctors in the practice, he was definitely more tech savvy and innovative than his peers, so he had anticipated quite a bit of resistance. He was somewhat surprised at how quickly everyone else had joined his cause.

Source: Agenturfotografin/Shutterstock

The driving force behind this change was simply the fact that younger generations were wanting more convenient and technologically based services. If you can use an app for food delivery, calling a taxi, or even finding your next date, why couldn’t health care provide the same ease and convenience? Also, because his office was in a relatively rural area and served as the main healthcare provider in the region, Mike thought that offering digital services would help people living farther away who may have to drive upward of 30 to 60 minutes to reach the office.

In some cases, he wondered if the distance had prevented some patients from coming in for regular checkups. One of his passions in medical school had been preventive care. Anything he could do to actively promote patients to get checkups and care for themselves was important to him. Also, since many of the instruments used during checkups could now be purchased online for relatively cheap, patients could still get accurate medical readings without needing to meet with a healthcare provider in person. In other words, he could still provide a rigorous medical experience conveniently and for minimal cost.

As another dimension of this change, the COVID-19 pandemic made it clear that having all patients come into the medical practice to seek treatment carried a certain amount of risk. Having a bunch of sick patients sitting in close proximity while waiting for checkups or testing was less than ideal. It would be far safer for Mike’s practice to meet with as many patients as possible online and then outsource the remaining in-person medical treatments that were needed to the hospital or medical offices that were in the next county.

This might prove more expensive or time-consuming for some patients, but since most visits could in fact be conducted digitally, this would ensure revenue coming in and keep the practice financially viable while cutting costs and reducing risk. Assuming things went well, Mike could even see closing the office completely and just having the medical team working from their respective homes—if they could close the office, they could really save some money!

Can You Hear Me Now?
Mike slowly closed the lid of his laptop and slumped into his chair—it had seemed like one of the longest days in his career. He had just finished a day of online patient meetings; however, only about half of them could be considered successful. A number of his patients hadn’t been able to figure out how to join the call and still more patients who had been able to call in had unstable connections; either the calls had been dropped or the audio/video feed had been so fragmented that it was impossible to have a meaningful conversation.

Since Mike’s initial pitch a few months before, the members of the practice had done some demographic and geographic analysis—they’d realized that many of their patients were either late-career or retired and that most patients lived in areas with limited telecommunications infrastructures (i.e., poor or spotty telephone service/slower bandwidth). He hadn’t imagined that the conditions were so poor as to prohibit even a basic video call, but it seemed to be more the norm than the exception. Had he just made the biggest blunder in his career?

At this point, the practice couldn’t revert back to in-office care; too much time and money had been invested in converting over to this new digital format. However, if they couldn’t actually provide care due to technical limitations, this new model would not be sustainable, and the practice would end up going out of business. Mike walked over and hung his white doctor’s coat in the closet. Before he closed the door, it slid off the hanger and fell onto the floor; he hoped this wasn’t a bad omen for things to come.

Junk Mail
Stella and Charlie walked out together to check the mail—it had been their daily tradition since both retiring several years before. Luckily, they had successfully cut many of their expenses, so bills weren’t too frequent. They mainly liked to keep an eye out for cards and drawings from their granddaughters. On the top of the pile they pulled out a letter from “Dr. Mike.” “I wonder what this is all about,” Charlie said to Stella. “I don’t think either of us is due for a checkup for at least a few more months.” Charlie opened the letter and began to read out loud:

Dear Patients,
We hope this letter finds you healthy and well. As you know, our practice transitioned to an online/telemedicine format a few months ago. Unfortunately, we have found that an online-only format is not ideal for our local client base, especially considering some of the technical limitations associated with our area. As such, we will be merging our telemedicine practice with one of the large hospitals in the metro area and will be adopting their existing client base. We regret to inform you that with the high volume we will be handling in our new agreement, we cannot continue on with any of our existing clients. If you would like a recommendation for another medical practice, we can provide some limited referral services.
Stay well.

Charlie looked at Stella and could tell that she was concerned. Now that Mike’s practice was not an option, the next practice was over an hour away, and they both didn’t like driving much these days. “Can they really leave us without convenient medical care?” Stella asked. “So it would seem,” Charlie replied. They slowly walked back up the driveway and retreated into the house.

Discussion Questions

1. Technology continues to alter and disrupt a variety of business models and industries. Consider the decision Mike made to convert the medical practice into an online-only office and, ultimately, his decision to pursue a client base that would not be limited by technical constraints (but would leave former clients stranded without convenient care).

a. Is this behavior ethical according to the categorical imperative?

b. Is this behavior ethical according to the utilitarian perspective?

2. Have you participated in a telemedicine call? If so, be ready to share your perceptions of the experience.

3. Do you think that a virtual doctor’s visit would provide the same level of care as an in-office visit? Consider the difference between online and traditional (face-to-face) university courses. Do you find that the experience between these two formats differ?

4. If you had been a colleague of Mike’s in the medical practice, what recommendations would you have given him in this situation?

Active Review


Use this Active Review to verify that you understand the ideas and concepts that answer the lesson’s study questions.

· Q12-1 How are business processes, IS, and applications developed?

Using your own words, explain the differences among business processes, information systems, and applications. State the components of each. Using the terminology from Lesson 5, describe the relationship of business processes and IS. Name three development processes and state which processes are used for the development of business processes, information systems, and applications. Explain the primary roles of business and systems analysts.

· Q12-2 How do organizations use business process management (BPM)?

State the definition of business process used in this lesson and define roles, resources, and data flows. Explain three reasons why business processes need to be managed. Describe the need for BPM and explain why it is a cycle. Name the four stages of the BPM process and summarize the activities in each. Define as-is model. Explain the role of COBIT.

· Q12-3 How is business process modeling notation (BPMN) used to model processes?

Explain the need for a process documentation standard. Describe swim-lane layout. Explain each of the symbols in Figures 12-7 and 12-8 and describe the relationship of these two diagrams. Describe the problems in the process in Figure 12-7 and suggest one solution. Name three uses for BPMN diagrams.

· Q12-4 What are the phases in the systems development life cycle (SDLC)?

Describe the origins of the SDLC and how it came to prominence. Name five basic systems development activities. Describe tasks required for the definition, requirements, and design steps. Explain the tasks required to implement a system and describe four types of system conversion. State specific activities for each of the five components during the design and implementation stages. Explain why the term maintenance is a misnomer when applied to information systems; state tasks performed during systems maintenance.

· Q12-5 What are the keys for successful SDLC projects?

Name five keys for successful development projects. Explain the purpose of a work breakdown structure. Summarize the difficulties of development estimation and describe three ways of addressing it. Explain the elements in the Gantt chart in Figure 12-17. Define critical path and explain critical path analysis. Summarize requirements, cost, and schedule trade-offs. List and explain four critical factors for development project management.

· Q12-6 How can scrum overcome the problems of the SDLC?

Explain two reasons that the SDLC is falling out of favor. In your own words, explain the meaning and importance of each of the principles in Figure 12-20. Explain how each of the scrum essential items in Figure 12-23 is implemented in the scrum process shown in Figure 12-24. Name three elements in a scrum requirement. Describe what is unique about the way that scrum determines the time required to accomplish a task. Define velocity and explain how it is used in scheduling. Explain how scrum provides a framework for process learning.

· Q12-7 2031?

Describe how machine learning will change systems development projects. Using Microsoft Fetch! as an example, explain why “training” will be an integral part of systems development. Explain why you will be involved in systems development projects during your professional career. How does the knowledge of your generation of businesspeople influence systems development? Explain why systems will be more easily adapted.

Using Your Knowledge with iMed
Emily, Jasmine, and even Dr. Solomon need to know the basics of development processes, which to use for what, and the advantages of using the SDLC and scrum. Before spending any money, they need to understand the difficulties and risks of developing processes, IS, and applications, particularly inter-enterprise systems such as iMed.

At some point in your career, you will need this knowledge as well.

Using Your Knowledge


· 12-1. Search Google or Bing for the phrase what is a business analyst. Investigate several of the links that you find and answer the following questions:

a. What are the primary job responsibilities of a business analyst?

b. What knowledge do business analysts need?

c. What skills/personal traits do business analysts need?

· 12-2. Search Google or Bing for the phrase what is a systems analyst. Investigate several of the links that you find and answer the following questions:

a. What are the primary job responsibilities of a systems analyst?

b. What knowledge do systems analysts need?

c. What skills/personal traits do systems analysts need?

d. Would a career as a systems analyst be interesting to you? Explain why or why not.

e. Using your answers to this question and to question 12-1, compare and contrast the jobs of business and systems analyst.

· 12-3. Using your own experience and knowledge, create a process diagram for a Reject Order activity that would fix the allocation problem in the as-is order process in Q12-3. Use Visio 2019 and the standard BPMN shapes, if possible. Explain how your process fixes the allocation problem.

· 12-4. Choose an important project type in a business discipline of interest to you. In accounting it could be an audit; in marketing it could be a plan for using social media; in operations, it could be a project of opening a new warehouse. Choose a major activity that is important and that you find interesting. Compare and contrast the use of a process such as the SDLC to using a process such as scrum for your project. Which process would you recommend? Justify your recommendation.

 Show Answer

· 12-5. Reread the opening vignette in Lesson 11. Explain how Emily and Jose could use a scrum process for managing Kiaan. Describe how doing so would reduce the risk of failure.

Collaboration Exercise


Using the collaboration IS you built in Lesson 1, collaborate with a group of students to answer the following questions.

Wilma Baker, Jerry Barker, and Chris Bickel met in June 2020 at a convention of resort owners and tourism operators. They sat next to each other by chance while waiting for a presentation; after introducing themselves and laughing at the odd sound of their three names, they were surprised to learn that they managed similar businesses. Wilma Baker lives in Santa Fe, New Mexico, and specializes in renting homes and apartments to Santa Fe visitors. Jerry Barker lives in Whistler Village, British Columbia, and specializes in renting condos to skiers and to Whistler/Blackcomb Resort visitors. Chris Bickel lives in Chatham, Massachusetts, and specializes in renting homes and condos to Cape Cod vacationers.

The three agreed to have lunch after the presentation. During lunch, they shared frustrations about the difficulty of obtaining new customers, especially given the numerous travel opportunities available via the Internet today. Further, the rise in value of the dollar over the euro has created substantial competition for North American tourism.

As the conversation developed, they began to wonder if there was some way to combine forces (i.e., they were seeking a competitive advantage from an alliance). So, they decided to skip one of the next day’s presentations and meet to discuss ways to form an alliance. Ideas they wanted to discuss further were sharing customer data, developing a joint reservation service, and exchanging property listings.

As they talked, it became clear they had no interest in merging their businesses; each wanted to stay independent. They also discovered that each was very concerned, even paranoid, about protecting their existing customer base from poaching. Still, the conflict was not as bad as it first seemed. Barker’s business was primarily the ski trade, and winter was his busiest season; Bickel’s business was mostly Cape Cod vacationers, and she was busiest during the summer. Baker’s high season was the summer and fall. So, it seemed there was enough difference in their high seasons that they would not necessarily cannibalize their businesses by selling the others’ offerings to their own customers.

The question then became how to proceed. Given their desire to protect their own customers, they did not want to develop a common customer database. The best idea seemed to be to share data about properties. That way they could keep control of their customers but still have an opportunity to sell time at the others’ properties.

They discussed several alternatives. Each could develop her or his own property database, and the three could then share those databases over the Internet. Or they could develop a centralized property database that they would all use. Or they could find some other way to share property listings.

Because we do not know Baker, Barker, and Bickel’s detailed requirements, we cannot develop a plan for a specific system. In general, however, they first need to decide how elaborate an information system they want to construct. Consider the following two alternatives:

· Alternative 1: They could build a simple system centered on email. With it, each company sends property descriptions to the others via email. Each independent company then forwards these descriptions to its own customers, also using email. When a customer makes a reservation for a property, that request is then forwarded back to the property manager via email.

· Alternative 2: They could construct a more complex system using a Web-based, shared database that contains data on all their properties and reservations. Because reservations tracking is a common business task, it is likely that they can license an existing application with this capability.

In your answers to questions 12-6 and 12-7, use Microsoft Visio and BPMN templates to construct your diagram. If you don’t have those templates, use the cross-functional and basic flowchart templates. If you do not have access to Visio, use PowerPoint instead.

· 12-6. Create a process diagram for Alternative 1 discussed previously, using Figure 12-8 as a guide. Each company will need to have a role for determining its available properties and sending emails to the other companies that describe them. They will also need to have a role for receiving emails and a role for renting properties to customers. Assume the companies have from three to five agents who can fulfill these roles. Create a role for the email system if you think it is appropriate. Specify roles, activities, repositories, and data flows.

 Show Answer

· 12-7. Create a process diagram for Alternative 2 discussed previously, using Figure 12-8 as a guide. Each company will need to have a role for determining its available properties and adding them to the reservation database. They will also need a role for renting properties that accesses the shared database. Assume the companies have from three to five agents who can fulfill these roles. Create a role for the property database application. Specify roles, activities, repositories, and data flows.

 Show Answer

· 12-8. Compare and contrast your answers in questions 12-6 and 12-7. Which is likely to be more effective in generating rental income? Which is likely to be more expensive to develop? Which is likely to be more expensive to operate?

 Show Answer

· 12-9. If you were a consultant to Baker, Barker, and Bickel, which alternative would you recommend? Justify your recommendation.

Case Study


When Will We Learn?


When David Kroenke, one of the authors of this text, was teaching at Colorado State in 1974, he participated in a study that investigated the primary causes of information systems development failures. The findings? The number one reason for failure was a lack of user involvement in creating and managing system requirements.

Technology has made enormous strides since that study. In 1974, computers consumed large rooms, and neither the minicomputer nor the personal computer had been invented. Alas, the development of information systems has not kept up; in fact, one can argue that nothing has changed.

Creating a Healthcare Exchange


The Affordable Care Act (also known as Obamacare) requires the creation of healthcare exchanges that necessitate the development of interorganizational information systems. States were encouraged to set up exchanges for their own residents, but if they elected not to do so, the states’ residents could use an exchange developed by the federal government. About half of the states decided to use the federal exchange. The remainder developed their own exchanges (and supporting information systems).

The state of Oregon created an exchange named Cover Oregon that was a complete and utter failure. Cover Oregon was never operable despite costing more than $248 million in U.S. and Oregon tax dollars. In May 2014, the U.S. attorney’s office in Portland opened a grand jury investigation into the project.19 Very early in the project, Maximus Company, an independent consulting firm that had been hired to provide quality assurance, warned that requirements were vague, changing, and inconsistent. Those warnings made no difference. Why?

Why Are Requirements Not Managed?


In 1974, it might have been that managers were computer illiterate and thus couldn’t know how to manage requirements. However, everyone involved in Cover Oregon has a cell phone and probably an iPad or Kindle, so they are hardly computer illiterate. So today, at least, computer literacy isn’t the problem.

Does the problem of managing requirements lie with management? Or with requirements? Other healthcare exchanges, like Access CT in Connecticut, were successful. Was the Connecticut healthcare exchange successful because the project was closely managed by the lieutenant governor, a woman with future political ambitions? Oregon has no lieutenant governor, but surely there was someone to manage the project. One indication of management problems in Oregon is that the information system was to be used by one healthcare agency (Cover Oregon) but developed by a different healthcare agency (Oregon Health Administration). The two agencies fought battles over requirements. Due to lack of senior-level management, not only were requirements unmanaged, they were fought over by two competing governmental agencies.

That might be the prime cause for Cover Oregon’s failure. But is there something else? Even in well-managed organizations, is there something about requirements that makes them hard to manage? Fred Brooks provided one insight when he said that software is logical poetry. It’s made of pure thought-stuff. If two governmental agencies were to construct a building and if they fought over, say, how many stories that building was to have, then their disagreement would be visible for all to see. People would notice one group of contractors adding a floor while another group is tearing it down.

So, part of the problem is that the requirements are requirements for pure thought-stuff. But what else?

How do you know if the requirements are complete? If the blueprints for a building don’t include any provisions for electrical systems, that omission is obvious. Less so with software and systems. For example, what if no one considers the need to do something when a client forgets his username or password and has no record of policy numbers? Software or procedures need to be developed for this situation, but if no one thinks to specify that requirement, then nothing will be done. The system will fail when such a client need appears.

And how do you know the quality of the requirements statements? A requirement like “Select a qualifying insurance policy for this client” is written at such a high level that it is useless. One of the reasons for building a prototype is to flush out missing and incomplete requirements.

Assess Feasibility and Make Trade-offs


But there’s more we can learn from this example. All of the state and federal healthcare exchanges needed to be operating by October 1, 2013. So, the schedule was fixed with no chance for an adjustment. Considering cost, while funds were not fixed, they were not easily changed. The states initially provided some funding, as did the U.S. government. Once those financial allocations were made, it was difficult to obtain more money. Not impossible, but difficult.

Examine Figure 12-19 again. If schedule is fixed and if funding is nearly fixed, what is the one factor that can be traded off to reduce project difficulty and risk? The requirements. Reduce them to the bare minimum and get the system running. Then, after some success, add to the project. That seems to be the strategy that the Connecticut healthcare exchange (Access CT) followed.

But this principle exposes another of the problems in Oregon. It wanted everything. It embarked on a policy called “No Wrong Door,”20 a policy that would leave no person nor problem behind. Cover Oregon should provide a solution for all. Such statements make wonderful political messaging, but if the schedule is fixed and the funding is nearly so, how are those goals to be accomplished? Tell your roommate that you have 1 week between semesters and nearly no money and you plan to take a first-class, 2-month jungle excursion in Africa. Hello? Anyone home?

Software and systems are made of pure thought-stuff. Easy to imagine a glorious future of amazing capability. But they are constructed by costly human labor, and nine women can’t make a baby in 1 month. Remember that sentence when you are asked to help determine requirements for your new information system.

Will this case still be relevant 40 years from now? It’s up to you and your classmates.


· 12-10. Describe three reasons why cases like this will remain relevant 40 years from now. Describe three developments that could make these cases obsolete. Which will pertain? Will such cases be relevant 40 years from now? Justify your opinion.

 Show Answer

· 12-11. Read the Executive Summary of the First Data report located
. Applying your knowledge about the SDLC, describe what you think are the three major reasons that Cover Oregon failed.

 Show Answer

· 12-12. Three vendors had been considered as outside contractors to develop Cover Oregon, but two of them bowed out of the competition. Describe three reasons that they may have done so.

 Show Answer

· 12-13. The project was known to be in trouble, but it seemed to have a life of its own. Ying Kwong, a technology analyst at Oregon’s Department of Administrative Services, said in May 2013 that the Cover Oregon project reminded him of the science fiction movie The Blob: “You simply don’t know how to shoot this beast, because it does not have a known anatomy with the normal vital organs that make it tick.”21 Had you been a senior manager at Cover Oregon, what would you have done when the problems became apparent?

 Show Answer

· 12-14. In a June 2014 survey, a majority of Oregonians held Governor Kitzhaber responsible.22 But in 2015 Kitzhaber was reelected to a historic fourth term. Unfortunately, a month later he resigned amid an unrelated influence-peddling scandal.23 Bruce Goldberg, former head of OHA and acting head of Cover Oregon, was fired on March 18, 2014, and continued to draw a full salary until July 18.24 Given these results, does it seem likely that anyone will bear the consequences for these mistakes? Consider who that might be.

 Show Answer

Complete the following writing exercises

· 12-15. Assume that your company has just licensed a cloud-based SaaS CRM system. Your boss asks you what needs to be done to make it operational. Using the SDLC, summarize on one page the work to do to transform that SaaS into a working IS.

· 12-16. Suppose you work for a medium-sized oil and natural gas company as a systems developer. The CEO is interested in developing an application that will give him information about the amount of natural gas passing through pumping stations located around North America. He wants it to work on his desktop, iPad, and smartphone. The features he wants on the application seem to change every time you talk with him, and you’re still in the planning phase. Now he’s asked for a schedule. Why might it be difficult to develop a schedule for this project? How would you explain this to the CEO? Describe a metaphor you could use to explain how difficult it will be to accurately predict when the application will be completed.

Study Questions

· QID-1 How does the global economy affect organizations and processes?

· QID-2 What are the characteristics of international IS components?

· QID-3 How do inter-enterprise IS facilitate global supply chain management?

· QID-4 What are the security challenges of international IS?

· QID-5 What are the challenges of international IS management?

QID-1 How Does the Global Economy Affect Organizations and Processes?


Today’s businesses compete in a global market. International business has been sharply increasing since the middle of the 20th century. After World War II, the Japanese and other Asian economies exploded when those countries began to manufacture and sell goods to the West. The rise of the Japanese auto industry and the semiconductor industry in southeastern Asia greatly expanded international trade. At the same time, the economies of North America and Europe became more closely integrated.

Since then, a number of other factors have caused international business to mushroom. The fall of the Soviet Union opened the economies of Russia and Eastern Europe to the world market. Even more important, the telecommunications boom during the dot-com heyday caused the world to be encircled many times over by optical fiber that can be used for data and voice communications.

After the dot-com bust, optical fiber was largely underused and could be purchased for pennies on the dollar. Plentiful, cheap telecommunications enabled people worldwide to participate in the global economy. Before the advent of the Internet, if a young Indian professional wished to participate in the Western economy, he or she had to migrate to the West—a process that was politicized and limited. Today, that same young Indian professional can sell his or her goods or services over the Internet without leaving home. The Chinese economy has also benefited from plentiful, cheap telecommunications and has become more open to the world.

Figure ID-1 shows the percent of individuals with Internet access in some of the largest countries in the world over the past few years.1 Most developed countries have average Internet access rates around 80 to 90 percent and are relatively flat in terms of growth. But emerging countries are catching up very quickly.

Figure ID-1: Growth in Internet Access

Source: Based on Klaus Schwab, “The Global Competitiveness Report 2019–2020,” World Economic Forum, October 8, 2019, accessed June 23, 2020, The Global Competitiveness Report 2019.

Source: savaseris/istock/Getty Images

Developments such as these led columnist and author Thomas Friedman to claim, now famously, that “the world is flat,” implying seamless integration among the world’s economies. That claim and the popular book2 of the same name fit with the business press’s biases and preconceptions, and it seemed to make intuitive sense. A general sense that the world’s economies were integrated came to pervade most business thinking.

However, Harvard professor Pankaj Ghemawat decided to look deeper, and the data he found prompted him to write a Foreign Policy article titled “Why the World Isn’t Flat.”3 His article was published in 2007; the fact that it took such solid research and more than 8 years to gain widespread attention is a testament to the power of bias and preconception.

Some of Ghemawat’s data is summarized in Figure ID-2. Notice that, even including cross-border telecommunications, Internet traffic averages less than 21 percent. Cross-border voice calls are even less at 7 percent. International commerce, which most people think is a large factor in all economies, is less than 21 percent, when corrected for double counting.4

Figure ID-2: Percent of Cross-Border Commerce

Source: Based on Pankaj Ghemawat and Steven Altman, “DHL Global Connectedness Index 2019,” DHL International GmbH, October 2019, accessed June 23, 2020, The State of Globalization in a Distancing World.

Commerce Type

Cross-Border Percent


 7 percent voice calls
21 percent Internet


3 percent immigrants


6 percent direct investment


21 percent commerce

Does this mean that international business is not important to you? No, it does not. What it does mean, as Ghemawat points out, is that most of the opportunity of international commerce is ahead of us. The world is not (yet) flat. While information systems have already played a key role in international commerce, their effect in the future is likely to be larger. As Web services become more widespread, it becomes easier to link information systems together. As mobile devices continue their exploding growth in developing countries, even more users will enter the world economy via the Internet.

Consider the difference between fixed and mobile Internet subscriptions shown in Figure ID-3. Mobile subscriptions far outweigh fixed subscriptions, especially in developing countries.5 As more people gain access to the Internet through more types of devices, it becomes easier to provide Web-based services and products on the international stage. Opportunity abounds.

Figure ID-3: Fixed and Mobile Internet Subscriptions

Source: Based on Klaus Schwab, “The Global Competitiveness Report 2019–2020,” World Economic Forum, October 8, 2019, accessed June 23, 2020, The Global Competitiveness Report 2019.

How Does the Global Economy Change the Competitive Environment?


To understand the effect of globalization, consider each of the elements in Figure ID-4.

Figure ID-4: Organizational Strategy Determines Information Systems
The enlarging Internet-supported world economy has altered every one of the five competitive forces. Suppliers have to reach a wider range of customers, and customers have to consider a wider range of vendors. Suppliers and customers benefit not just from the greater size of the economy, but from the ease with which businesses can learn about each other using tools such as Google and Bing and, in China,

Because of the data available on the Internet, customers can also learn of substitutions more easily. The Internet has made it substantially easier for new market entrants, although not in all cases. Amazon, Apple, and Google, for example, have garnered such a large market share that it would be difficult for any new entrant to challenge them. Still, in other industries, the global economy facilitates new entrants. Finally, the global economy has intensified rivalry by increasing product and vendor choices and by accelerating the flow of information about price, product, availability, and service.

How Does the Emerging Global Economy Change Competitive Strategy?


The emerging global economy changes thinking about competitive strategies in two major ways: product localization and product differentiation. First, the sheer size and complexity of the global economy means that any organization that chooses a strategy allowing it to compete industry-wide is taking a very big bite! Competing in many different countries, with products localized to the language and culture of those countries, is an enormous and expensive task.

For example, to promote Windows worldwide, Microsoft must produce versions of Windows in dozens of different languages. Even in English, Microsoft produces a UK version, a U.S. version, an Australian version, and so forth. The problem for Microsoft is even greater because different countries use different character sets. In some languages, writing flows from left to right. In other languages, it flows from right to left. When Microsoft set out to sell Windows worldwide, it embarked on an enormous project.

The second major way today’s world economy changes competitive strategies is that its size, combined with the Internet, enables unprecedented product differentiation. If you choose to produce the world’s highest quality and most exotic oatmeal—and if your production costs require you to sell that oatmeal for $350 a pound—your target market might contain only 200 people worldwide. The Internet allows you to find them—and them to find you. The decision involving a global competitive strategy requires the consideration of these two changing factors.

How Does the Global Economy Change Value Chains and Business Processes?


Because of information systems, any or all of the value chain activities in Figure ID-2 can be performed anywhere in the world. An international company can conduct sales and marketing efforts locally, for every market in which it sells. 3M divisions, for example, sell in the United States with a U.S. sales force, in France with a French sales force, and in Argentina with an Argentinean sales force. Depending on local laws and customs, those sales offices may be owned by 3M, or they may be locally owned entities with which 3M contracts for sales and marketing services. 3M can coordinate all of the sales efforts of these entities using the same CRM system. When 3M managers need to roll up sales totals for a sales projection, they can do so using an integrated, worldwide system.

Manufacturing of a final product is frequently distributed throughout the world. Components of the Boeing 787 are manufactured in Italy, China, England, and numerous other countries and delivered to Washington and South Carolina for final assembly. Each manufacturing facility has its own inbound logistics, manufacturing, and outbound logistics activity, but those activities are linked via information systems.

For example, Rolls-Royce manufactures an engine and delivers that engine to Boeing via its outbound logistics activity. Boeing receives the engine using its inbound logistics activity. All of this activity is coordinated via shared, inter-enterprise information systems. Rolls-Royce’s CRM is connected with Boeing’s supply processes, using techniques such as CRM and enterprise resource planning (ERP). We discuss global supply chains further in QID-3.

World time differences enable global virtual companies to operate 24/7. Boeing engineers in Los Angeles can develop a design for an engine support strut and send that design to Rolls-Royce in England at the end of their day. The design will be waiting for Rolls-Royce engineers at the start of their day. They review the design, make needed adjustments, and send it back to Boeing in Los Angeles, where the reviewed, adjusted design arrives at the start of the workday in Los Angeles. The ability to work around the clock by moving work into other time zones increases productivity.

Because of the abundance of low-cost, well-educated, English-speaking professionals in India, many organizations have chosen to outsource their service and support functions to India. Some accounting functions are outsourced to India as well.

Knowledge Check

QID-2 What Are the Characteristics of International IS Components?


To understand the effect of internationalization on information systems, consider the five components. Computer hardware is sold worldwide, and most vendors provide documentation in at least the major languages, so it has always been possible to obtain local hardware and set up local networks. Today, however, the emergence of the international cloud makes it even easier for any company, anywhere in the world, to obtain the latest in server technology. It does need to know how to do so, however, pointing to a possible future role for you as an international IS major.

Regarding software, consider the user interface for an international information system. Does it include a local-language version of Windows? What about the software application itself? Does an inventory system used worldwide by Boeing suppose that each user speaks English? If so, at what level of proficiency? If not, what languages must the user interface support?

Next, consider the data component. Suppose that the inventory database has a table for parts data, and that table contains a column named Remarks. Further suppose Boeing needs to integrate parts data from three different vendors: one in China, one in India, and one in England. What language is to be used for recording remarks? Does someone need to translate all of the remarks into one language? Into three languages?

The human components—procedures and people—are obviously affected by language and culture. As with business processes, information systems procedures need to reflect local cultural values and norms. For systems users, job descriptions and reporting relationships must be appropriate for the setting in which the system is used. We will say more about this in QID-5.

What’s Required to Localize Software?


The process of making a computer program work in a second language is called localizing software. It turns out to be surprisingly hard to do. To localize a document or the content of a Web page, all you need to do is hire a translator to convert your document or page from one language to another. The situation is much more difficult for a computer program, however.

Consider a program you use frequently—say, Microsoft Word—and ask what would need to be done to translate it to a different language. The entire user interface needs to be translated. The menu bar and the commands on it will need to be translated. It is possible that some of the icons will need to be changed because some graphic symbols that are harmless in one culture are confusing or offensive in another.

What about an application program such as CRM that includes forms, reports, and queries? The labels on each of these will require translation. Of course, not all labels translate into words of the same length, and so the forms and reports may need to be redesigned. The questions and prompts for queries, such as “Enter part number for back order,” must also be translated.

All of the documentation will need to be translated. That should be just a matter of hiring a translator, except that all of the illustrations in the documentation will need to be redrawn in the second language.

Think, too, about error messages. When someone attempts to order more items than there are in inventory, the application produces an error message. All of those messages will need to be translated. There are other issues as well. Sorting order is one. Spanish uses accents on certain letters, and it turns out that an accented ó will sort after z when you use the computer’s default sort ordering. Figure ID-5 summarizes the factors to address when localizing software.

Figure ID-5: Factors to Address When Localizing a Computer Program

· Translate the user interface, including menu bars and commands.

· Translate, and possibly redesign, labels in forms, reports, and query prompts.

· Translate all documentation and help text.

· Redraw and translate diagrams and examples in the help text.

· Translate all error messages.

· Translate text in all message boxes.

· Adjust sorting order for the different character set.

· Fix special problems in Asian character sets and in languages that read and write from right to left.

Programming techniques can be used to simplify and reduce the cost of localization. However, those techniques must be used in design, long before any code is written. For example, suppose that when a certain condition occurs, the program is to display the message “Insufficient quantity in stock.” If the programmer codes all such messages into the computer program, then, to localize that program, a programmer will have to find every such message in the code and then ask a translator to change that code. A preferred technique is to give every error message a unique identifier and to create a separate error file that contains a list of identifiers and their associated text. Then, when an error occurs, program code uses the identifier to obtain the text of the message to be displayed from the error file. During localization, translators simply translate the file of error messages into the second language.

The bottom line for you, as a future manager, is to understand two points: (1) Localizing computer programs is much more difficult, expensive, and time consuming than translating documents. (2) If a computer program is likely to be localized, then plan for that localization from the beginning, during design. In addition, when considering the acquisition of a company in a foreign country, be sure to budget time and expense for the localization of information systems.

IBM’s Watson Learns Samoan


A good example of the inherent problems with localization can be seen in the recent partnership between IBM and the large New Zealand consulting services provider Beca Group.6 Beca wanted to use IBM’s Watson, an artificial intelligence virtual agent to answer questions using a person’s natural language. The goal of The Talanoa Project was to improve community engagement with New Zealand’s Samoan-speaking population. In order to do this, Watson learned Samoan.

This is no easy task. The Samoan language has informal, formal, and ceremonial ways of speaking. It has fewer letters (17 letters) and complex grammar and, relative to English, can be contextually difficult to decipher. Watson uses an iterative process to learn Samoan. It processes some text in Samoan, gets feedback from humans who speak Samoan, and then processes more text. It continues this process until it learns how to speak Samoan. The localization of IBM’s Watson wasn’t easy, but the final AI named “Tala” received a positive response from the Samoan community.

Watson doesn’t forget, sleep, or take vacations. It’s continually learning and processing more information. It could potentially provide language services to billions of people worldwide in their native language, not a secondary language, regardless of where they live (Figure ID-6). Watson knows dozens of languages in written form, and can speak over a dozen languages fluently including English, Japanese, French, Brazilian Portuguese, Spanish, German, Italian, and Arabic.7

Figure ID-6: Spoken World Languages

Source: Based on Ethnologue, “Languages of the World,”, February 15, 2020, Ethnologue.

What Are the Problems and Issues of Global Databases?


When we discussed CRM and ERP in Lesson 8, you learned the advantage of having all data stored in a single database. In brief, a single database reduces data integrity problems and makes it possible to have an integrated view of the customer or the operations of the organization.

International companies that have a single database must, however, declare a single language for the company. Every Remark or Comment or other text field needs to be in a single language. If not, the advantages of a single database disappear. This is not a problem for companies that commit to a single company language.

A single database is not possible, however, for companies that use multiple languages. Such companies often decide to give up on the benefits of a single database to let divisions in different countries use different databases, with data in local languages. For example, an international manufacturer might allow a component manufacturing division in South Korea to have a database in Korean and a final assembly division in Brazil to have a different database in Portuguese. In this scenario, the company needs applications to export and import data among the separate databases.

Besides language, performance is a second issue that confronts global databases. When using a single database, data transmission speeds are often too slow to process data from a single geographic location. If so, companies sometimes distribute their database to locations around the world.

Distributed database processing refers to the processing of a single database that resides in multiple locations. If the distributed database contains copies of the same data items, it is called a replicated database. If the distributed database does not contain copies of the same data but rather divides the database into nonoverlapping segments, it is called a partitioned database. In most cases, querying either type of distributed database can improve performance without too much development work. However, updating a replicated database so that changes are correctly made to all copies of the data is full of challenges that require highly skilled personnel to solve. Still, companies like Amazon, which operates call centers in the United States, India, and Ireland, have invested in applications that are able to successfully update distributed databases worldwide. Given this infrastructure, Amazon then made this distributed database technology available via its Web services, as you learned in Lessons 5 and 6. The cloud has made the international distribution of data much easier.

Challenges of International Enterprise Applications?


As you learned in Lesson 8, workgroup business processes and functional applications support particular activities within a single department or business activity. Because the systems operate independently, the organization suffers from islands of automation. Sales and marketing data, for example, are not integrated with operations or manufacturing data.

You learned that many organizations eliminate the problems of information silos by creating enterprise systems. With international IS, however, such systems may not be worthwhile.

Advantages of Functional Systems


Lack of integration is disadvantageous in many situations, but it has advantages for international organizations and international systems. For example, if an order-processing functional system located in the United States is independent from the manufacturing systems located in Taiwan, it becomes unnecessary to accommodate language, business, and cultural differences within a single system. U.S. order-processing systems can operate in English and reflect the practices and culture of the United States. Taiwanese manufacturing information systems can operate in Chinese and reflect the business practices and culture of Taiwan. As long as there is an adequate data interface between the two systems, they can operate independently, sharing data when necessary.

Enterprise systems, such as ERP, solve the problems of data isolation by integrating data into a database that provides a comprehensive and organization-wide view. However, that advantage requires that the company standardize on a single language and, most likely, place that database in a single location. Otherwise, separated, functional databases are needed.

Problems of Inherent Processes


Processes inherent in ERP and other applications are even more problematic. Each software product assumes that the software will be used by people filling particular roles and performing their actions in a certain way. ERP vendors justify this standardization by saying that their procedures are based on industry-wide best practices and that the organization will benefit by following these standard processes. That statement may be true, but some inherent processes may conflict with cultural norms. If they do, it will be very difficult for management to convince the employees to follow those processes. Or at least it will be difficult in some cultures to do so.

Differences in language, culture, norms, and expectations compound the difficulties of international process management. Just creating an accurate as-is model is difficult and expensive; developing alternative international processes and evaluating them can be incredibly challenging. With cultural differences, it can be difficult just to determine what criteria should be used for evaluating the alternatives, let alone performing the evaluation.

Because of these challenges, in the future it is likely that international business processes will be developed more like inter-enterprise business processes. A high-level process will be defined to document the service responsibilities of each international unit. Then Web services will be used to connect those services into an integrated, enterprise, international system. Because of encapsulation, the only obligation of an international unit will be to deliver its defined service. One service can be delivered using procedures based on autocratic management policies, and another can be delivered using procedures based on collaborative management policies. The differences will not matter in a Web service-based enterprise system.

Knowledge Check

QID-3 How Do Inter-Enterprise IS Facilitate Global Supply Chain Management?


A supply chain is a network of organizations and facilities that transforms raw materials into products delivered to customers. Figure ID-7 shows a generic supply chain. Customers order from retailers, who in turn order from distributors, who order from manufacturers, who order from suppliers. In addition to the organizations shown here, the supply chain also includes transportation companies, warehouses, and inventories and some means for transmitting messages and information among the organizations involved.

 Figure ID-7: Supply Chain Relationships
Because of disintermediation, not every supply chain has all of these organizations. Some companies sell directly to the customer. Both the distributor and retailer organizations are omitted from their supply chains. In other supply chains, manufacturers sell directly to retailers and omit the distribution level.

The term chain is misleading. Chain implies that each organization is connected to just one company up the chain (toward the supplier) and down the chain (toward the customer). That is not the case. Instead, at each level an organization can work with many organizations both up and down the supply chain. Thus, a supply chain is a network.

To appreciate the international dimension of a supply chain, consider Figure ID-8. Suppose you decide to take up cross-country skiing. You go to REI (by visiting either one of its stores or its website) and purchase skis, bindings, boots, and poles. To fill your order, REI removes those items from its inventory of goods. Those goods have been purchased, in turn, from distributor/importers.

 Figure ID-8: Supply Chain Example
According to Figure ID-8, REI purchases the skis, bindings, and poles from one distributor/importer and the boots from a second. The distributor/importers, in turn, purchase the required items from the manufacturers, which, in turn, buy raw materials from their suppliers.

In Figure ID-8, notice the national flags on the suppliers and manufacturers. For example, the pole manufacturer is located in Brazil and imports plastic from China, aluminum from Canada, and fittings from Italy. The poles are then imported to REI in the United States by the Importer/Distributor.

The only source of revenue in a supply chain is the customer. In the REI example, you spend your money on the ski equipment. From that point all the way back up the supply chain to the raw materials suppliers, there is no further injection of cash into the system. The money you spend on the ski equipment is passed back up the supply chain as payments for goods or raw materials. Again, the customer is the only source of revenue.

The Importance of Information in the Supply Chain


In order to stay competitive, the focus of many businesses, worldwide, is to reduce costs. Supply chain costs are a primary target for such reductions, especially among companies that have a global supply chain. Figure ID-9 illustrates how Walmart overhauled its supply chain to eliminate distributors and other intermediaries, enabling it to buy directly from manufacturers. Walmart’s goal is to increase sales and revenues from its private-label goods. At the same time, it also has consolidated purchasing and warehousing into four global merchandising centers, such as the one near Mexico City that processes goods for emerging markets.8

Figure ID-9: Example Walmart Supply Chain
As you’ll learn in your production and supply chain courses, many different factors determine the cost and performance of a supply chain. However, information is one of the most important. Consider, for example, inventory management at each of the companies in Figure ID-9. How do those companies decide when and how much to purchase? How does the new Walmart processing center in Mexico City determine how many pairs of jeans, ice chests, or bottles of vitamin C to order? How large should the orders be? How frequently should orders be placed? How are those orders tracked? What happens when a shipment disappears? Information is a major factor in making each of those decisions, along with dozens of others. To provide insight into the importance of information, consider just one example, the bullwhip effect.

How Can Information Relieve the Bullwhip Effect?


The bullwhip effect is a phenomenon in which the variability in the size and timing of orders increases at each stage up the supply chain, from customer to supplier. Figure ID-10 depicts the situation. In a famous study, the bullwhip effect was observed in Procter & Gamble’s supply chain for diapers.9

Figure ID-10: The Bullwhip Effect

Source: Based on Hau L. Lee, V. Padmanabhan, and S. Whang, “The Bullwhip Effect in Supply Chains,” Sloan Management Review, Spring 1997.

Except for random variation, diaper demand is constant. Diaper use is not seasonal; the requirement for diapers does not change with fashion or anything else. The number of babies determines diaper demand, and that number is constant or possibly slowly changing.

Retailers do not order from the distributor with the sale of every diaper package. The retailer waits until the diaper inventory falls below a certain level, called the reorder quantity. Then the retailer orders a supply of diapers, perhaps ordering a few more than it expects to sell to ensure that it does not have an outage.

The distributor receives the retailer’s order and follows the same process. It waits until its supply falls below the reorder quantity, and then it reorders from the manufacturer, with perhaps an increased amount to prevent outages. The manufacturer, in turn, uses a similar process with the raw-materials suppliers.

Because of the nature of this process, small changes in demand at the retailer are amplified at each stage of the supply chain. As shown in Figure ID-10, those small changes become quite large variations on the supplier end.

The bullwhip effect is a natural dynamic that occurs because of the multistage nature of the supply chain. It is not related to erratic consumer demand, as the study of diapers indicated. You may have seen a similar effect while driving on the freeway. One car slows down, the car just behind it slows down a bit more abruptly, which causes the third car in line to slow down even more abruptly, and so forth, until the thirtieth car or so is slamming on its brakes.

The large fluctuations of the bullwhip effect force distributors, manufacturers, and suppliers to carry larger inventories than should be necessary to meet the real consumer demand. Thus, the bullwhip effect reduces the overall profitability of the supply chain. Eliminating or at least reducing the bullwhip effect is particularly important for international supply chains where logistics costs are high and shipping times are long.

One way to eliminate the bullwhip effect is to give all participants in the supply chain access to consumer-demand information from the retailer. Each organization can thus plan its inventory or manufacturing based on the true demand (the demand from the only party that introduces money into the system) and not on the observed demand from the next organization up the supply chain. Of course, an inter-enterprise information system is necessary to share such data.

Consider the Walmart example in Figure ID-11. Along the bottom, each entity orders from the entity up the supply chain (the entity to its left in Figure ID-11). Thus, for example, the Walmart processing centers order finished goods from manufacturers. Without knowledge of the true demand, this supply chain is vulnerable to bullwhip effects. However, if each entity can, via an information system, obtain data about the true demand—that is, the demand from the retail customers who are the source of funds for this chain—then each can anticipate orders. The data about true demand will enable each entity to meet order requirements, while maintaining a smaller inventory.

Figure ID-11: Eliminate Bullwhip Effect with True Demand Information

Knowledge Check

QID-4 What Are the Security Challenges of International IS?


Managing international systems creates unique security challenges that derive from differences in legal systems, physical environments, and cultural norms. These security challenges represent very real threats to an organization’s ability to operate in another country.

Legal Environment


First, differences in legal environments between countries have a direct impact on the daily operation of information systems. The legal differences related to the use of encryption, distribution of content, and personal privacy protections can substantially affect international IS.

Most people are unaware that encryption is illegal or highly restricted in many countries. Yes, you read that correctly, illegal. In Russia and China, a license is required to import or export encryption products.10 The use of any encryption product requires a license. Other countries like England, India, and Australia have laws that can force decryption.

In fact, in 2015 British Prime Minister David Cameron suggested that back doors be placed in all software that would effectively circumvent all encryption. In 2016, the UK House of Commons passed the “Snooper’s Charter” bill that requires companies to remove encryption when asked by law enforcement. The law had to be revised in 2018 because it was found to violate EU privacy laws. The new law still allows the UK government to access personal data, but only for what it considers “serious crimes.”

In the United States, Apple was sued by the FBI to unlock an encrypted cell phone used in a terror attack in San Bernardino. The FBI eventually dropped the lawsuit, claiming it had purchased limited software that could break Apple’s encryption.11

Companies that use encryption need to be aware that encryption laws differ between countries and may affect their ability to operate effectively.

Distribution of Content
Laws regarding the legality of the nature of the content stored in an organization’s systems are also different between countries. For example, in 2010 Google moved its search engine service from China to Hong Kong over censorship problems. The People’s Republic of China (PRC) regularly forced Google to remove content that the PRC found unacceptable. Google subsequently saw its search market share drop from 30 percent to about 10 percent in 2016.

In 2018, Google tried to restart operations in China by making Google Maps available within China. Unfortunately, in order to do so, Google must use a special map application that is different from its regular worldwide application and that runs through Alibaba.12 In 2019, Google suspended business with one of China’s largest hardware manufacturers, Huawei. Owners of Huawei smartphones lost access to nearly all of Google’s proprietary applications and services.

In fact, dozens of countries regularly block access to certain Internet companies. Brazil blocked Facebook’s messaging app, WhatsApp, for 72 hours when it implemented end-to-end encryption.13 Turkey’s government blocked Twitter, Instagram, YouTube, and Facebook for 16 hours in 2020 after an airstrike in Syria.14

Personal Privacy
Variations in privacy laws can also affect the operation of an organization’s international systems. For example, in parts of Europe employers cannot read their workers’ emails, personal data cannot be collected without an individual’s permission, organizations must provide individuals with the ability to correct inaccuracies in the data they collect, and personal data cannot be shared by companies without express permission. None of these apply to organizations in the United States.

Differences in privacy laws may become even more pronounced. As discussed in Lesson 10, the EU’s General Data Protection Regulation (GDPR) lets people request their online data and limits how businesses can use customer data. As of 2020, Google had received more than 957,273 removal requests for more than 3,756,066 URLs. It has removed 46 percent of the requested URLs.15

The GDPR will likely be applied to other tech companies like Facebook, Bing, and Twitter as well. Unfortunately, none of these privacy protections applies to U.S. citizens. In fact, Google assembled its own panel of advisers, which recommended that the GDPR law not apply to any of Google’s properties outside the European Union (EU). This means EU users can still see their removed URLs if they visit rather than

A few days after the passage of the GDPR, a high-profile privacy advocate filed a $4.3B lawsuit against Google. Facebook was also sued for $4.5B.16 The Google lawsuit was subsequently dismissed, but in 2019 Facebook agreed to pay a $5 billion FTC penalty to settle privacy lawsuits. This is the largest fine ever imposed on a company for privacy violations.

Privacy laws have the potential to force international technology companies to change the way they operate and, more importantly, reshape international law.

Organizations need to be aware that laws related to encryption, content, and privacy will affect the way they collect, process, and store data. Consider how these laws might affect organizations that use cloud-based services to store data. Organizations could operate in a country with loose content laws and then store all of their data and applications in another country with stricter privacy laws in order to protect their users. In other words, the intersection of international law and technology is forcing organizations to carefully evaluate how they manage their information systems, in particular, the location of their data.

Physical Security


Second, operating information systems internationally can be problematic because of different physical environments. This includes threats to infrastructure in the form of natural disasters, geopolitical risks, civil unrest, and terrorist attacks.

Place your data center in Kansas, and it’s subject to tornados. Place your data center internationally, and it’s potentially subject to typhoons/hurricanes, earthquakes, floods, volcanic eruptions, or mudslides. For example, the data centers in Japan survived the terrible effects of the 2011 earthquake, tsunami, and nuclear reactor meltdowns. They survived the shaking, flooding, and widespread power outages because they were housed in special facilities with shock-absorbing structures and had backup power generators.

An organization’s physical infrastructure is also vulnerable to outright seizure. In 2018, Peter Levashov, also known as the Russian spam king, was arrested in Barcelona, Spain, for allegedly operating one of the top-10 largest spam networks named Kelihos.17 Federal agents seized two of Levashov’s Luxembourg servers that were being used as a proxy to hide his alleged criminal activities.

Employees who run critical infrastructure can be targeted as well. In 2020 many countries temporarily restricted travel into their countries. In 2020, over 62 countries refused admission of U.S. citizens and 4 other countries required a 14-day quarantine for all U.S. citizens entering their countries. With some exceptions, the U.S. blocked foreign nationals from 37 countries from entering the United States. People returning to the U.S. from travel abroad were required to quarantine for 14 days.18 Additional immigration restrictions in 2020 greatly reduced the number of H-1B and H4 visas that are often given to technology workers.19

Cultural Norms


Finally, cultural norms can affect the way organizations manage their international information systems. For example, bribery is generally considered unacceptable in the United States, but in other countries it is accepted as a normal way of doing business.

In 2020, aircraft manufacturer Airbus SE agreed to a record-setting $3.9 billion in combined fines in a global bribery and corruption case. The case detailed bribery schemes from 2008 to 2015 targeting government officials in countries including China, Malaysia, Sri Lanka, Taiwan, Indonesia, and Ghana.20 It’s important to note that this is just one company in one industry. Graft is a worldwide problem across many industries. This example points out how differences in cultural norms can affect an organization’s daily operations.

Apply these cultural differences to the management of international information systems. Can an organization depend on the control of separation of duties and authorities in a culture for which graft is an accepted norm? Could an organization lose valuable intellectual property in such an environment? Or what is the utility of a personal reference in a culture in which it is considered exceedingly rude to talk about someone when he or she is not present?

Organizations need to carefully examine how the deployment of international information systems might be affected by cultural norms. Because of differences in cultural norms, safeguards need to be chosen and evaluated on a culture-by-culture basis. Additional safeguards may be needed, but the technical and data safeguards described in Lesson 10 still apply to international systems.

Knowledge Check

QID-5 What Are the Challenges of International IS Management?


In addition to security, size and complexity make international IS management challenging. The components of international information systems are larger and more complex. Projects to develop them are larger and more complicated to manage. International IS departments are bigger and composed of people from many cultures with many different native languages. International organizations have more IS and IT assets, and those assets are exposed to more risk and greater uncertainty. Because of the complexity of international law, security incidents are more complicated to investigate.

Why Is International IS Development More Challenging?


The factors that affect international information systems development are more challenging than those that affect international software development. If the system is truly international, if many people from many different countries will be using the system, then the development project is exceedingly complicated.

To see why, consider the five components. Running hardware in different countries is not a problem, especially using the cloud, and localizing software is manageable, assuming programs were designed to be localized. Databases pose more difficulties. First, is a single database to be used, and if so, is it to be distributed? If so, how will updates be processed? Also, what language, currency, and units of measure will be used to store data? If multiple databases are to be used, how are data going to be transported among them? Some of these problems are difficult, but they are solvable, and cloud-based databases make them more so.

The same cannot be said for the procedure and people components. An international system is used by people who live and work in cultures that are vastly different from one another. The way customers are treated in Japan differs substantially from the way customers are treated in Spain, which differs substantially from the way they are treated in the United States. Therefore, the procedures for using a CRM will be correspondingly different.

Consider the relationship of business processes and information systems as discussed in Lesson 12. Information systems are supposed to facilitate the organization’s competitive strategy and support business processes. But what if the underlying business processes differ? Customer support in Japan and customer support in Spain may involve completely different processes and activities.

Even if the purpose and scope can be defined in some unified way, how are requirements to be determined? Again, if the underlying business processes differ, then the specific requirements for the information system will differ. Managing requirements for a system in one culture is difficult, but managing requirements for international systems can be many times more difficult.

There are two responses to such challenges: either (1) define a set of standard business processes or (2) develop alternative versions of the system that support different processes in different countries. Both responses are problematic. The first response requires conversion of the organization to different work processes, and, as you learned in Lesson 8, such conversion can be exceedingly difficult. People resist change, and they will do so with vehemence if the change violates cultural norms.

The second response is easier to implement, but it creates system design challenges. It also means that, in truth, there is not one system but many.

In spite of the problems, both responses are used. For example, SAP, Oracle, and other ERP vendors define standard business processes via the inherent procedures in their software products. Many organizations attempt to enforce those standard procedures. When it becomes organizationally infeasible to do so, organizations develop exceptions to those inherent procedures and develop programs to handle the exceptions. This choice means high maintenance expense.

What Are the Challenges of International Project Management?


Managing a global IS development project is difficult because of project size and complexity. Requirements are complex, many resources are required, and numerous people are involved. Team members speak different languages, live in different cultures, work in different time zones, and seldom meet face-to-face.

One way to understand how these factors affect global project management is to consider each of the project management knowledge areas as set out by the International Project Management Institute’s document, the PMBOK® Guide.21 Figure ID-12 summarizes challenges for each knowledge area. Project integration is more difficult because international development projects require the complex integration of results from distributed work groups. Also, task dependencies can span teams working in different countries, increasing the difficulty of task management.

Figure ID-12: Challenges for International IS Project Management

Knowledge Areas


Project integration

Complex integration of results from distributed work groups.
Management of dependencies of tasks from physically and culturally different work groups.

Requirements (scope)

Need to support multiple versions of underlying business processes.
Possibly substantial differences in requirements and procedures.


Development rates vary among cultures and countries.


Cost of development varies widely among countries. Two members performing the same work in different countries may be paid substantially different rates. Moving work among teams may dramatically change costs.


Quality standards vary among cultures. Different expectations of quality may result in an inconsistent system.

Human resources

Worker expectations differ. Compensation, rewards, work conditions vary widely.


Geographic, language, and cultural distance among team members impedes effective communication.


Development risk is higher. Easy to lose control.


Complications of international trade.

The scope and requirements definition for international IS is more difficult, as just discussed. Time management is more difficult because teams in different cultures and countries work at different rates. Some cultures have a 35-hour workweek, and some have a 60-hour workweek. Some cultures expect 6-week vacations, and some expect 2 weeks. Some cultures thrive on efficiency of labor, and others thrive on considerate working relationships. There is no standard rate of development for an international project.

In terms of cost, different countries and cultures pay vastly different labor rates. Using critical path analysis, managers may choose to move a task from one team to another. Doing so, however, may substantially increase costs. Thus, management may choose to accept a delay rather than move work to an available (but more expensive) team. The complex trade-offs that exist between time and cost become even more complex for international projects.

Quality and human resources are also more complicated for international projects. Quality standards vary among countries. The IT industry in some nations, such as India, has invested heavily in development techniques that increase program quality. Other countries, such as the United States, have been less willing to invest in quality. In any case, the integration of programs of varying quality results in an inconsistent system.

Worker expectations vary among cultures and nations. Compensation, rewards, and worker conditions vary, and these differences can lead to misunderstandings, poor morale, and project delays.

Because of these factors, effective team communication is exceedingly important for international projects, but because of language and culture differences and geographic separation, such communication is difficult. Effective communication is also more expensive. Consider, for example, just the additional expense of maintaining a team portal in three or four languages.

If you consider all of the factors in Figure ID-12, it is easy to understand why project risk is high for international IS development projects. So many things can go wrong. Project integration is complex; requirements are difficult to determine; cost, time, and quality are difficult to manage; worker conditions vary widely; and communication is difficult. Finally, project procurement is complicated by the normal challenges of international commerce.

What Are the Challenges of International IS Management?


Lesson 11 defined the four primary responsibilities of the IS department: plan, operate, develop, and protect information systems and supporting infrastructure. Each of these responsibilities becomes more challenging for international IS organizations.

Regarding planning, the principal task is to align IT and IS resources with the organization’s competitive strategy. The task does not change character for international companies; it just becomes more complex and difficult. Multinational organizations and operations are complicated; thus, the business processes that support their competitive strategies also tend to be complicated. Furthermore, changes in global economic factors can mean dramatic changes in processes and necessitate changes in IS and IT support. Technology adoption can also cause remarkable change. The increasing use of cell phones in developing countries, for example, changes the requirements for local information systems. The price of oil and energy can change international business processes. For these reasons, planning tasks for international IS are larger and more complex.

Three factors create challenges for international IS operations. First, conducting operations in different countries, cultures, and languages adds complexity. Go to the website of any multinational corporation, say, 3M or Dell, and you’ll be asked to click on the country in which you reside. When you click, you are likely to be directed to a Web server running in some other country. Those Web servers need to be managed consistently, even though they are operated by people living in different cultures and speaking various languages.

The second operational challenge of international IS is the integration of similar, but different, systems. Consider inventory. A multinational corporation might have dozens of different inventory systems in use throughout the world. To enable the movement of goods, many of these systems need to be coordinated and integrated.

Or consider customer support that operates from three different support centers in three different countries. Each center may have its own information system, but the data among those systems will need to be exported or otherwise shared. If not, then a customer who contacts one center will be unknown to the others.

The third complication for operations is outsourcing. Many organizations have chosen to outsource customer support, training, logistics, and other backroom activities. International outsourcing is particularly advantageous for customer support and other functions that must be operational 24/7. Many companies outsource logistics to UPS because doing so offers comprehensive, worldwide shipping and logistical support. The organization’s information systems usually need to be integrated with outsource vendors’ information systems, and this may need to be done for different systems, all over the world.

The fourth IS department responsibility is protecting IS and IT infrastructure. We consider that function next.

Setting Up Information Systems in Foreign Offices


The fourth IS department responsibility is protecting IS and IT infrastructure. To illustrate the challenges of international IS management, suppose that eHermes decides to open an office in Europe. How might it go about developing information systems for that office?

Before answering that question, consider how the Mahr Group, a midsized, multinational firm headquartered in Germany manages its foreign offices. The Mahr Group purchases its hardware and Internet access from local vendors but has its corporate employees install and configure the same software worldwide. It also has corporate employees perform standardized IT audits worldwide at each foreign office.22

Because it is a manufacturer, Mahr operates an ERP system, for which it maintains a centralized database in Germany that is accessed via its own leased communication lines worldwide. It also requires that the same computer-assisted-design (CAD) software be used worldwide. Doing so allows Mahr employees to exchange designs with offices around the world without worrying about compatibility problems.

Career Guide

Source: Lindsey Tsuya, Nike, Consumer Direct Sciences Advanced Analytics

· Name: Lindsey Tsuya

· Company: Nike

· Job Title: Consumer Direct Sciences Advanced Analytics

· Education: University of Utah

1. How did you get this type of job?

I was recruited by Nike while living in Seattle, Washington, and working for Lululemon. I was contacted by a recruiter via LinkedIn who was interested in my background and a potential fit for Nike in their global supply chain analytics. After speaking with the recruiter and passing their qualifications, Nike came to Seattle to do a full two-day round of interviews with multiple candidates. My interview was on the second day with a three-person panel.

2. What attracted you to this field?

As a college student, I worked in the service industry. When I was selecting my degree, I knew I wanted two things. First, I wanted a degree that made money. Second, I wanted a job that did not involve direct provision of service to the public. By choosing information systems, I knew I would be doing more of a behind-the-scenes job.

3. What does a typical workday look like for you (duties, decisions, problems)?

I am at the Global level at Nike, which means we are responsible for working with our Geo (geography) partners on marketing campaigns to ensure that each iteration of a marketing campaign is getting better. We measure the reach, retention, and relevance among other metrics to understand how the consumer is reacting to our marketing campaigns. It requires a lot decision making, tons of influencing with your business partners and Geo leads to execute A/B testing, and then reporting back the findings to the proper stakeholders.

4. What do you like most about your job?

I love my job because I am so close to the consumer. Historically I have not been aligned to marketing and the analytics in the marketing space. It is a lot of fun to see the campaigns come to fruition in the different marketplaces and the impact on the consumer. In my role we get to uncover insights from how the consumer feels toward our campaigns. Since Nike does such a great job at marketing campaigns, it is incredible to see how they are received by our consumers.

5. What skills would someone need to do well at your job?

Good analytical skills and the ability to analyze large amounts of data are essential. Critical thinking skills and the ability to think outside the box are also important. Soft skills that differentiate people are passion and a can-do attitude. Those two things coupled together will take anyone far in life.

6. Are education or certifications important in your field? Why?

I would say in any field, education and certifications assist with career development and credibility.

7. What advice would you give to someone who is considering working in your field?

No matter what field you choose, make sure it is something you are passionate about because if you are not passionate about it, work will feel like . . . work. If you are passionate about what you do, then work feels like play. You will spend so many hours of your life working, and you should not waste them doing something you don’t love.

Knowledge Check

Active Review


Use this Active Review to verify that you understand the ideas and concepts that answer the study questions.

· QID-1 How does the global economy affect organizations and processes?

Describe how the global economy has changed since the mid-20th century. Explain how the dot-com bust influenced the global economy and changed the number of workers worldwide. Summarize why the idea that the world is flat gained momentum and why that notion is incorrect. State how the lack of a “flat” world presents business opportunities. Summarize the ways in which today’s global economy influences the five competitive forces. Explain how the global economy changes the way organizations assess industry structure. How does the global economy change competitive strategy? How do global information systems benefit the value chain? Using Figure 2-6 (page 43) as a guide, explain how each primary value chain activity can be performed anywhere in the world.

· QID-2 What are the characteristics of international IS components?

Explain how internationalization affects the five components of an IS. What does it mean to localize software? Summarize the work required to localize a computer program. In your own words, explain why it is better to design a program to be localized rather than attempt to adapt an existing single-language program to a second language. Explain the problems of having a single database for an international IS. Define distributed database, replicated database, and partitioned database. State a source of problems for processing replicated databases.

Summarize the advantages of functional systems for international companies. Summarize the issues of inherent processes for multinational ERP. Explain how SOA services could be used to address the problems of international enterprise applications.

· QID-3 How do inter-enterprise IS facilitate global supply chain management?

Define supply chain, and explain why the term chain is misleading. Under what circumstances are not all of the organizations in Figure ID-8 part of the supply chain? Name the only source of revenue in a supply chain. Explain how Walmart is attempting to reduce supply costs. Describe the bullwhip effect and explain why it adds costs to a supply chain. Explain how the system shown in Figure ID-11 can eliminate the bullwhip effect.

· QID-4 What are the security challenges of international IS?

Explain legal differences between countries with respect to the use of encryption, distribution of content, and personal privacy protections. Describe how natural disasters, geopolitical risks, civil unrest, pandemics, and terrorist attacks could threaten the physical security of international IS. Give an example of how differences in cultural norms may affect international IS.

· QID-5 What are the challenges of international IS management?
State the two characteristics that make international IS management challenging.

Explain the difference between international systems development and international software development. Using the five-component framework, explain why international systems development is more difficult. Give an example of one complication for each knowledge area in Figure ID-12. State the four responsibilities for IS departments. Explain how each of these responsibilities is more challenging for international IS organizations. Describe three factors that create challenges for international IS operations. Summarize the strategy that Mahr uses when creating IS infrastructure in foreign offices.

Using Your Knowledge


· ID-1. Suppose you are about to have a job interview with a multinational company, such as 3M, Starbucks, or Coca-Cola. Further suppose you wish to demonstrate an awareness of the changes for international commerce that the Internet and modern information technology have made. Using the information in QID-1, create a list of three questions that you could ask the interviewer regarding the company’s use of IT in its international business.

· ID-2. Suppose you work for a business that has $100M in annual sales that is contemplating acquiring a company in Mexico. Assume you are a junior member of a team that is analyzing the desirability of this acquisition. Your boss, who is not technically savvy, has asked you to prepare a summary of the issues that she should be aware of in the merging of information systems of the two companies. She wants your summary to include a list of questions that she should ask of both your IS department and the IS department personnel in the prospective acquisition. Prepare that summary.

· ID-3. Using the data in this module as well as in Lesson 8, summarize the strengths and weaknesses of functional systems, CRM, and ERP. How do the advantages and disadvantages of each change in an international setting? For your answer, create a table with strength and weakness columns and with one row for each of the four systems types.

· ID-4. Suppose you are the CISO for a Fortune 500 company with offices in 15 different countries. Your company has substantial intellectual property to protect, and the CEO has suggested that the company move part of its R&D offshore to reduce costs. Using the information from QID-4, describe the potential threats that might arise from moving R&D to an offshore site.

Complete the following writing exercises.

· ID-5. Suppose you are working for a well-known social media company based in the United States. You’ve been placed in charge of expanding the company internationally. The first day on the job the chief information security officer (CISO) informs you that there have been repeated intrusions into corporate servers located in Asia. The hackers targeted accounts of well-known political dissidents. And they continue to do so on a regular basis. They make little effort to cover their tracks. The problem is that they’re based in the country in which you’re focusing your expansion efforts. Explain how different legal and cultural norms may hamper your expansion plans. Why might foreign government officials be hesitant to help you catch the hackers? What types of concessions or changes might the foreign government ask you to make to your social media platform before you’re given permission to operate in the country?

· ID-6. Assume you are Seth Wilson (Director of IT services) at eHermes. Using your knowledge from QID-5, write a one-page memo to Victor Vazquez (COO) explaining what needs to be done to set up information systems in a new European office. State and justify any assumptions you make.

Looking for top-notch essay writing services? We've got you covered! Connect with our writing experts today. Placing your order is easy, taking less than 5 minutes. Click below to get started.

Order a Similar Paper Order a Different Paper