
Post on 21-Dec-2015


© Frederic Adam, 2000

IS4406: Information Technologies

Dr. Frederic Adam

Department of Accounting, Finance and Information Systems

University College Cork

Ireland

Quick history of IS

• Very rapid growth as a profession and an academic discipline
• early over-enthusiasm led to mistakes
  – loads of requests to computerise
  – crude methods of development and analysis
  – business applications not well understood
• discouragement and scepticism as a result
• maturation was required on both theoretical and practical sides (i.e. technology and management)
• IS has become established as a discipline and functional area

Has Led to...

• ability to use information systems technology is essential for success

• some companies apply IT with great benefit; others make no progress at all

• “reactive approach” to IT no longer works
  – too much novelty too fast
  – technology evolution less and less predictable

• role of business managers in introducing IT has become paramount

Growth of IS

• Number of people involved:
  – In companies
  – In society at large
• Importance:
  – very visible information systems
  – size of investments
• Notoriety:
  – Internet…
  – public perception

Change of Focus in IS:

• Very Technical
  – specialists’ domain
  – centralised concentrated expertise
  – expensive
  – well guarded
  – computer based
• Very Managerial
  – every manager’s business
  – decentralised awareness
  – very cheap
  – service department more open to the outside
  – information based

Evolution of IS departments

[Figure: Total costs of running the IS function, 1960’s to 1990’s, split between IS Staff and Hardware (after Earl, 1989)]

Evolution of IS in business

Three eras have been identified (Rockart & Van Bullen, 1984)

• First: in the 50s and beginning of the 60s
• Second: in the 60s and the 70s
• Third: in the 80s and the 90s

They correspond to conceptual advances in the Information Systems field and technical advances in computers

First era - Data Processing:

• computer people highly specialised
• no attention to user requirements
• systems are very inflexible
• users have no computing competencies
• applications are mainly “number crunching”


Second era - Management Information System.

• Computers are seen as a part of the corporate strategy

• Communication develops between the computer people (“Techies”) and other functions

• Range of applications available broadens - accounting, finance, manufacturing ...

• Better methodologies are available to analyse requirements

Third era - Information Management

• All managers are involved in the production / processing of information
• Almost all staff members have access to a computer
• Users have become more computer literate
• Prototyping methodologies mean better analysis of problems of users
• Better development environments mean users can develop their own applications


Information Technology for Business

• IS are at the core of the collection / processing / storage of information

• IS is used to produce the information used for decision making

• IS is used for the co-ordination of the activities of the business

• IS is used to communicate with the outside

Information as the Lifeblood of Organisations

• Information and communication amongst organisational actors is a key to success
• reliable and timely circulation of information
• robust networks of communication (formal and informal)
• robust storage and retrieval of information

Basic flows of information

• Organisations are organised in a number of functional areas
• they carry out complementary missions
• they interact and collaborate in managing the organisation
• What are they called? What are their missions?

Examples:

• Finance: managing the cash flows, providing resources to the firm
  – sub area: Accounting (books and legal reporting)
  – sub area: Accounts receivable and payable: deal with suppliers and customers
• Marketing: promoting the firm and its products
• Sales: selling the products; dealing with customers
  – sub area: sales orders
  – sub area: returns
• Production: manufacture goods
  – sub area: purchasing raw material
  – sub area: quality control


Collaboration / Conflict between areas

• All areas of the firm must exchange info with the others (just like organisations must interact with the outside)

• divergence of viewpoints means opportunities for conflict are great

• managing same resources / using the same assets but with radically different goals

• Examples??

Examples:

• Quality control versus production:
  – production want to increase volumes and keep productivity at highest levels
  – QC want to prevent any “faulty” product from coming out of the door
  In an environment where zero defect is only a remote target => conflict is likely
• same versus sales
  in one organisation, QC were referred to as the Sales Prevention department
• Dealing with returns

Collaboration and Information

• Functional areas cannot collaborate if no information circulates (e.g. factory floor isolated from rest of organisation)
• first stage: people talk to one another
• then exchange of documents
• then develop integrated systems shared by several functional areas / the whole firm
• This requires the existence of common definitions and reliable / undisputed sources of data
• Also people must have incentives to collaborate

Reliable Common Grammar: Examples

• Sales statistics:
  – as per invoices?
  – before returns
  – adjusted for bad debts
  – Also, what feed back time?
• Production figures:
  – after rejects
  – adjusted for loss / destruction in finished goods storage
  – Any possibilities that figures are not reliable?
• business analysts must talk to everyone to ensure existence of common reliable methods


Reliable / Undisputed sources of data

• No debate between functional areas about basic figures of the business - production figures

• Robust measures of individual / area performance for the purpose of assessment and rewarding

• Robust externally oriented systems for invoicing / paying

• Reliable systems for storage / processing / retrieval of data

• Archiving for comparison

Figure 1

Incentives

Corresponding Information Systems

• The basic Accounting sub-systems are:
  – payroll
  – order entry
  – inventory (goods for sales, raw material...)
  – shipping
  – accounts receivable
  – purchasing
  – receiving
  – accounts payable
  – general ledger

• Figure 1 shows the relationships between them

Also required for manufacturing environments

• Goods are manufactured, not purchased
• recipes must be known in advance for all products
• activity must be planned for in advance:
  – volumes
  – raw material
  – machine
  – competent personnel (shift work)
  (limiting / constraining factors)
• communication must take place with other key functional areas => PLANNING

=> Master schedule for production

Manufacturing Tasks

• Based on volumes
• determine quantities of RM to commit (+ planning for additional purchases)
• schedule production runs (including sub-assemblies)
• line up workers to operate the machines
• deal with short term variations (e.g. issue of overtime work)

Required computer systems

• Set of individual modules supporting the different tasks
• Each module links into the others so as to eliminate re-entry of data (e.g. volumes)
• Database structure well suited to such a system
• BOM, Staff, Machines (and their characteristics) are stored in specific tables
• Work orders are entered => schedule comes out

Computer Software for Business

• Several types or layers of software
• From close to the machine to close to the users
• Also IT infrastructure (cables, networks and services)
• All administered by the IS department or the community of users

First layer: Operating System

• Until the 60s, no operating systems
• Waste of computer resources as only one job can run at a time
• Most of the components are idling while a small number of them works
• Operating System - a set of programs to enable a computer to manage its own resources
• No user intervention required

Definition

• program that controls the overall activity of the computer
• provides “service” to other applications
• Manages multi-user environments
• missions involve:
  – accepting commands from users
  – loading programs for execution
  – scheduling the use of computer resources
  – managing the memory / allocating space
  – synchronising the use of I/O and storage devices

Operating Systems - Components:

• Resident monitor - stored in ROM - loaded when PC powered on
  – handles basic operations
  – load keyboard, screen, mouse drivers etc...
• External Routines - to carry out specific tasks:
  – user part of the OS
  – located on hard disk (e.g. Windows directory)
  – format disks; making backups; etc...


Operating System - a closer look at its roles:

• Job control program

• I/O management

• Program manager

• Memory Manager

Job control Program:

• Job = application program + its data
• JCP prepares the job to be run
  – security - job protection (access levels)
  – setting limits and priorities
  – allocating resources
• In particular, allocates memory
• use a JCL

Setting limits and priorities:

• select I/O devices
  – which tape drive
  – which printer
• assign a level of priority - queuing jobs
  – jobs that run faster, little I/O activity = high priority
  – jobs that tie up many different resources = low priority
  – jobs that are vital = high priority
• assign a % of the resources (shared system)
• initiate job accounting
  – measure exact usage of resources
  – rates
  – maintains audit trail

Input / Output Manager:

• I/O devices are much slower than CPU
• Try to minimise idling time - mediate differences in speed
• monitors exchanges Input-RAM and RAM-output
• uses channels (independent processors) to free CPU from handling the transfers
• uses buffers to speed up transfer

Program Manager:

• handles the movements of programs into the RAM
• more complex when more than one job at a time
• uses different types of algorithms:
  – batch processing
  – time sharing
  – real-time processing
• can be multi-processing or multi-programming or multi-tasking...

Batch Processing:

• Stage one: Data collection
• stage 2: Data processing
• Little computer resources used until submission of jobs
• E.g. registration day in UCC.
• Data not up-to-date until end of processing

Time sharing:

• Several users run jobs at the same time
• Each has a time slice of the computer
• Each process starts and is interrupted in turn
• User unaware of slicing because speed is high
• Mostly in centralised environments (where computing resources are centralised)

Real-Time processing / on-line applications:

• Update / processing of data is done in real time - i.e. as changes occur
• Typical example - Bookings from travel agents
• Speed is paramount unlike with batch processing
• Only available in the last 20 years because it requires loads of power.

Multiprogramming: Mode of operation of computer

• Multiprogramming refers to the concurrent execution of more than one program

• Computers can only execute one instruction at a time but they can work on several programs at a time

• Operating system organises the switches of the CPU from one job to another

• Switching takes place when I/O operations occur

Multiprocessing:

• Different from Multiprogramming
• Refers to a situation when two or more CPUs execute instructions at the same time
• eg: space shuttle is directed by calculations made by FIVE computers
• If one computer is not fast enough
  – one computer handles processing
  – one handles I/O operations
• If one computer fails
  – parallel processing


Multitasking:

• Nearly the same as multiprogramming

• But more often used for smaller computers

• For PCs, multitasking appeared with Windows 3.1

• e.g. ALT + TabKey or look in the task bar

Memory Manager:

• Programs are moved in and out of memory all the time - because memory is not big enough
• Memory Manager keeps track of program’s address in memory (RAM) and on disk
• Parts that are not needed go back to the disk
• This is referred to as “Virtual Storage” - i.e. storage on disk of elements that should be in the memory

Techniques for Virtual Memory:

• Paging:
  – programs chopped into fixed length sections (pages)
  – size can be adjusted at will
  – program broken down independently from program logic
• Segmentation:
  – fragmentation respects program logic
  – 1 segment = 1 module of program
  – aim at reducing the number of page transfers

Basics of data organisation: DATA HIERARCHY (four categories)

• Fields = represent a single data item
  – numeric field (numbers, currency...)
  – alphabetic field (text or “string”)
  – alphanumeric field (any combination of the above)
• Records = made up of a related set of fields - as many as required to describe entity
  – each “case” or instance in the data has its own record
• File = a set of related records - as many as instances
• Database = a collection of related files

Example of data structure

Name      First name   Telephone
Borg      John         45 25 65 65
Healy     Margaret     25 58 96 63
McEnroe   Bjorn        12 25 28 89
Cantona   Paul         25 78 85 85

Fields: the columns (Name, First name, Telephone)
Records: the rows
File: the whole table (+ other files, ie: more information)

Database: Definition.

"A collection of interrelated data stored together with controlled redundancy, to serve one or more applications in an optimal fashion; the data is stored so that it is independent of the application programs which use it; a common and controlled approach is used in adding new data and in modifying existing data within the database."

Definition - closer look

• A collection of interrelated data stored together
• with controlled redundancy
• to serve one or more applications in an optimal fashion
• the data is stored so that it is independent of the application programs which use it
• a common and controlled approach is used in adding new data and in modifying existing data within the database.

DataBase Management System (DBMS):

• program that makes it possible to:
  – create
  – use
  – maintain
  a database

• provides a logical access to the data stored in the DB

• users/programmers do not have to worry about the physical aspects of the DB

Relational DBs:

• Data items stored in tables (records + fields)
• Specific fields from each table related to other fields in other tables (join)
• infinite number of possible viewpoints on the data (queries)
• most flexible of all DBs but slower for complex searches (many connections to follow)
• Oracle, SyBase on Unix, Access, Paradox for Windows...

Describing relationships

• Attempt at modelling the business elements (entities) and their relationships (links)
• Can be based on users’ descriptions of the business processes
• Specifies dependencies between the data items
• Coded in an Entity-Relationship Diagram (ERD)


Types of Relationships

• one-to-one: one instance of one data item corresponds to one instance of another

• one-to-many: one instance to many instances

• many-to-many: many instances correspond to many instances

• Also some relationships may be:
  – compulsory
  – optional

Structured Query Language

• used for defining and manipulating data in Relational DBs
• aimed at:
  – reducing training costs
  – increasing productivity
  – improve application portability
  – increase application longevity
  – reduce dependency on single vendors
  – enable cross systems communication

• In practice, SQLs can be a bit different

Querying RDBs with SQL

• use a form of pseudo-English to retrieve data in a view (which looks like a table)
• syntax is based on a number of “clauses”
• Select: specifies what data elements will be included in the view
• From: lists the tables involved
• Where: specifies conditions to filter the data
  – specific values sought
  – links between tables

Additional syntax

• Add computation in the “select” statement:
  – select SUM(price)
  – select AVG(price), MAX, MIN, COUNT
• Simplify comparisons with a BETWEEN clause and LIKE clause (with *, ?)
• Add sorting instruction after the where clause
  – ORDER BY name (alphabetical)
  – ORDER BY price (ascending)
• Provide aggregate information by grouping data:
  – GROUP BY customer

Functions of Database Management Systems

• Data storage, retrieval and update facilities
• A user-accessible catalogue or data dictionary
• Support for shared update
• Backup and recovery services
• Security services
• Integrity services
• Services to promote data independence
• Telecommunications
• Utilities

Support for Logical Transactions

• logical transaction = many separate physical transactions (reading, updating, writing records)
• if a transaction is interrupted before entire completion, "up to date" data is sacrificed for consistent data.
• If not, transaction is committed - ie written to disk
• DBMS provides mechanisms that either Commit or Rollback transactions

SHARED UPDATE

• i.e. Two or more users making updates to database at the same time
  – Single vs. Multiuser Environment (eg: Networked DBMS)
• Problem: double update
  – CUSTOMER BALANCE: 418
  – Pat (recording sale: +100) and Jo (recording payment -100):
  – CORRECT: Pat reads, updates and writes (commits: 518). Jo reads (518), updates and writes (commits: 418).
  – VALUE: 418.
  – INCORRECT: Pat reads and updates. Jo reads and updates. Pat writes (commit: 518). Jo writes (commit: 318).
  – VALUE: 318.

SHARED UPDATE - SOLUTIONS

• 1. AVOIDANCE:
  – Prohibit shared update,
  – Allow access for retrieval only,
  – Record updates in transaction file and update database periodically using a batch program.
• Problem: Data is temporarily out of date
• customer may not be allowed credit because his balance had not been credited with last payment.

SHARED UPDATE - SOLUTIONS

• 2. LOCKING
  – Lock table/record/field from access by other users.
• TYPES OF LOCK
  – Exclusive Lock
  – Read Only Lock
  – Lock Time-Out
• Other variables
  – Lock Granularity
  – Deadlock

• TYPES OF LOCK
  – Exclusive Lock: Other users can neither read nor update locked table/record/row. Extreme and inflexible.
  – Read Only Lock: Other users can read but not update the locked table/record.
  – Lock Time-Out: If a record is locked, a user could have a long wait for its release. Some DBMS's detect lengthy locks and unlock them, undoing any updates made to any records during the transaction.
  – Lock Granularity: Refers to the level of the lock: field, record, page/block, table.
  – Deadlock: Users can have a lock on more than one record at a time. This poses problems when two users require each other's locked records.
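The double update described above (Pat and Jo, balance 418) and the lock that prevents it, as an added example that is not part of the original slides. It assumes SQLite driven from Python; the table layout and function names are hypothetical, and SQLite locks the whole database file rather than a single record, which is the coarsest lock granularity.

```python
import os
import shutil
import sqlite3
import tempfile


def open_pair():
    """Open two connections (Pat's and Jo's) to one constructed database file."""
    folder = tempfile.mkdtemp()
    path = os.path.join(folder, "customers.db")
    # isolation_level=None: a transaction starts only on an explicit BEGIN.
    # timeout=0: a refused lock request fails at once instead of waiting.
    pat = sqlite3.connect(path, isolation_level=None, timeout=0)
    jo = sqlite3.connect(path, isolation_level=None, timeout=0)
    pat.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, balance INTEGER)")
    pat.execute("INSERT INTO customer VALUES (1, 418)")  # balance from the slide
    return folder, pat, jo


def close_pair(folder, pat, jo):
    pat.close()
    jo.close()
    shutil.rmtree(folder)


def read_balance(conn):
    return conn.execute("SELECT balance FROM customer WHERE id = 1").fetchall()[0][0]


def write_balance(conn, value):
    conn.execute("UPDATE customer SET balance = ? WHERE id = 1", (value,))


def double_update_without_locks():
    """The INCORRECT sequence: both users read before either of them writes."""
    folder, pat, jo = open_pair()
    pat_new = read_balance(pat) + 100   # Pat reads 418, works out 518
    jo_new = read_balance(jo) - 100     # Jo also reads 418, works out 318
    write_balance(pat, pat_new)         # Pat commits 518
    write_balance(jo, jo_new)           # Jo commits 318: Pat's sale is lost
    final = read_balance(pat)
    close_pair(folder, pat, jo)
    return final


def double_update_with_lock():
    """Each user takes the write lock before reading, so the updates serialise."""
    folder, pat, jo = open_pair()
    pat.execute("BEGIN IMMEDIATE")      # Pat locks the database for writing
    pat_new = read_balance(pat) + 100
    jo_was_refused = False
    try:
        jo.execute("BEGIN IMMEDIATE")   # Jo asks for the same lock too early
    except sqlite3.OperationalError:    # SQLite reports "database is locked"
        jo_was_refused = True
    write_balance(pat, pat_new)
    pat.execute("COMMIT")               # 518 is written and the lock is released
    if jo_was_refused:
        jo.execute("BEGIN IMMEDIATE")   # Jo retries and now gets the lock
    jo_new = read_balance(jo) - 100     # Jo reads 518, not the stale 418
    write_balance(jo, jo_new)
    jo.execute("COMMIT")
    final = read_balance(pat)
    close_pair(folder, pat, jo)
    return final, jo_was_refused


if __name__ == "__main__":
    print("without locks:", double_update_without_locks())
    print("with lock    :", double_update_with_lock())
```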

RECOVERY

1. Backups or Saves (normal backup of DB files)
2. Journaling / Audit trail / Audit file
  – Keep a log or journal of the activity which updates the database
  – recovery involves: Copying the backup over database and running a special program to update the backup version of the database with the transactions in the log.
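One way to carry out the two recovery steps above (restore the backup, then re-apply the journal), as an added example that is not from the original slides. It assumes SQLite in memory; the JournaledDatabase class, the journal held as a Python list and the customer rows are constructed for illustration.

```python
import sqlite3


def rows(conn):
    return conn.execute("SELECT id, balance FROM customer ORDER BY id").fetchall()


class JournaledDatabase:
    """Constructed customer database that logs every committed update."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, balance INTEGER)")
        self.db.commit()
        self.journal = []   # stands in for a journal file kept on separate storage

    def update(self, sql, params=()):
        with self.db:                        # commits, or rolls back on an error
            self.db.execute(sql, params)
        self.journal.append((sql, params))   # logged only after the commit

    def take_backup(self):
        backup = sqlite3.connect(":memory:")
        self.db.backup(backup)               # full copy of the database
        self.journal.clear()                 # the journal restarts from this backup
        return backup


def recover(backup, journal):
    restored = sqlite3.connect(":memory:")
    backup.backup(restored)                  # step 1: copy the backup over the database
    with restored:
        for sql, params in journal:          # step 2: re-apply the logged updates in order
            restored.execute(sql, params)
    return restored


def crash_and_recover():
    live = JournaledDatabase()
    live.update("INSERT INTO customer VALUES (?, ?)", (1, 418))
    live.update("INSERT INTO customer VALUES (?, ?)", (2, 250))
    backup = live.take_backup()
    # Activity after the backup exists only in the live database and the journal.
    live.update("UPDATE customer SET balance = balance + 100 WHERE id = ?", (1,))
    live.update("INSERT INTO customer VALUES (?, ?)", (3, 75))
    try:
        live.update("INSERT INTO customer VALUES (?, ?)", (1, 0))   # duplicate id
    except sqlite3.IntegrityError:
        pass                                 # rolled back, so never journaled
    before_crash = rows(live.db)
    journal = list(live.journal)
    live.db.close()                          # the "crash": the live database is gone
    restored = recover(backup, journal)
    return before_crash, rows(backup), rows(restored)


if __name__ == "__main__":
    for label, state in zip(("before crash", "backup", "restored"), crash_and_recover()):
        print(label, state)
```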

SECURITY

• Restriction of access to authorised users only.

1. Passwords
2. Encryption
3. Views
4. Authorisation Levels
  • read only
  • edit
  • delete
  • create

Data Integrity

• DBMS provides a mechanism to enforce specific rules.
  – Examples:
    * Customer numbers must be numeric,
• But programmers must also develop their own
    * Credit Limits must be £300, £500 or £1000 only,
    * The sales rep for a given customer must exist,
    * No customer may be deleted if he/she currently has an order on file.
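The four rules above written as declarative constraints, so the DBMS rejects bad data whichever program submits it. This is an added example, not from the original slides; it assumes SQLite, and the table names, column names and sample rows are constructed.

```python
import sqlite3

SCHEMA = """
CREATE TABLE sales_rep (
    rep_id INTEGER PRIMARY KEY,
    name   TEXT NOT NULL
);
CREATE TABLE customer (
    -- Rule 1: customer numbers must be numeric
    customer_no  INTEGER NOT NULL UNIQUE CHECK (typeof(customer_no) = 'integer'),
    name         TEXT NOT NULL,
    -- Rule 2: credit limits must be 300, 500 or 1000 only
    credit_limit INTEGER NOT NULL CHECK (credit_limit IN (300, 500, 1000)),
    -- Rule 3: the sales rep for a given customer must exist
    rep_id       INTEGER NOT NULL REFERENCES sales_rep (rep_id)
);
CREATE TABLE orders (
    order_no    INTEGER PRIMARY KEY,
    -- Rule 4: a customer with an order on file cannot be deleted
    customer_no INTEGER NOT NULL REFERENCES customer (customer_no) ON DELETE RESTRICT
);
"""


def open_database():
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("PRAGMA foreign_keys = ON")   # SQLite checks foreign keys only when asked to
    db.executescript(SCHEMA)
    # Constructed starting data: one rep, one customer, one order on file.
    db.execute("INSERT INTO sales_rep VALUES (7, 'Constructed Rep')")
    db.execute("INSERT INTO customer VALUES (1001, 'Constructed Customer', 500, 7)")
    db.execute("INSERT INTO orders VALUES (1, 1001)")
    return db


def accepted(db, sql, params=()):
    """Return True if the DBMS accepts the statement, False if a rule rejects it."""
    try:
        db.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def check_rules():
    db = open_database()
    new_customer = "INSERT INTO customer VALUES (?, ?, ?, ?)"
    delete_customer = "DELETE FROM customer WHERE customer_no = ?"
    results = {
        "valid customer": accepted(db, new_customer, (1002, "B", 1000, 7)),
        "non-numeric customer number": accepted(db, new_customer, ("C-1003", "C", 300, 7)),
        "credit limit of 750": accepted(db, new_customer, (1004, "D", 750, 7)),
        "unknown sales rep": accepted(db, new_customer, (1005, "E", 300, 99)),
        "delete customer with an order": accepted(db, delete_customer, (1001,)),
        "delete customer without orders": accepted(db, delete_customer, (1002,)),
    }
    db.close()
    return results


if __name__ == "__main__":
    for case, ok in check_rules().items():
        print(f"{case:32} {'accepted' if ok else 'rejected'}")
```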


Data Independence

• DBMS must support the isolation of data structure from the programs

• Users or application programs must not be affected by changes to the database structure (no reprogramming or recompilation)

• Logical and Physical Data Independence: usually achieved through Subschema or View type mechanisms.


Database Schema

• description of the overall logical structure of a database, expressed / programmed in Data Definition Language (DDL)

• broken down into sub-schemas: logical description of a user’s view or program’s view of the data used

• DDL can be very sophisticated on a mainframe or trivial on a PC (queries / views)

Telecommunication

• organisations are rarely single site / single entity
• flows of data transcend the boundaries of organisations - so do information systems
• data communication must be implemented
• databases can be used to support the distribution of information resources

Integration of applications

• organisational data sources are varied
• all applications must be integrated to save time (ie: exchange data)
• databases can be used to enable this integration (eg: MFG/PRO)
• portability / compatibility is paramount (eg: ODBC drivers)

Database Utilities

• Compact datafiles
• Index / re-index data files
• Repair database (crash)
• Import/export data from and to other sources
• Enforce standards (eg: integrity of relationships, NF...)
• Associated data dictionary
• Access to remote computers (login, emulation)

Distributed Databases

• Logical next step in geographically dispersed organisations
• goal is to provide location transparency
• starting point = a set of decentralised DBs located in different places, developed for the specific information needs of each site
• Aim: to integrate these decentralised DBs into a coherent DDB

Advantages of Distributed DBs:

• Increased reliability of systems and availability of data
• Local control preserved
• Modular growth possible at each site and at new sites
• Optimised communication costs
• Faster response times

Control in normal DBs

• transaction control: ability of the DBMS to ensure the successful completion of transactions
  – commit transactions
  – roll-back to previous state
• concurrency control: ability of the DBMS to arbitrate between concurrent uses of data:
  – simultaneous access
  – simultaneous update
  – deletion


Control in Distributed DBs

• Different portions of the overall database reside at different locations

• these portions are controlled by different processors running sometimes different DBMSs

• common schema means queries can involve any portion of the DB residing at any location


Options for Distributed DBs

• Issue of physical design (data structure)

• performance of the DB (response time...) depends upon good design

• There are a number of options:
  – data replication
  – horizontal partitioning
  – vertical partitioning
  – combinations of the above

Data replication

• store a separate copy of the full tables in each location
• if a copy is stored at every site: Full Replication
• Advantages:
  – reliability
  – fast response
• Disadvantages
  – storage requirements
  – complexity and cost of updating

Horizontal partitioning

• some of the rows of the tables are stored in one location; others are stored at other locations
• eg: customers banking out of a particular branch
• Advantages:
  – efficiency
  – local optimisation
  – security
• Disadvantages:
  – inconsistent speed access
  – backup vulnerability

Vertical partitioning

• some columns are projected into base relations at different sites
• all relations share a common domain so the full table can be reconstructed
• Advantages:
  – tailor-made support for functional areas
  – same as horizontal partitioning
• Disadvantages:
  – some queries might be very slow
  – users must understand some design issues


Combinations of the three methods

• most of the time, companies will use different methods

• each method is efficient in certain situations + some other security requirements

• eg: local customers, information originating at a certain site, shared processes that require the same data at all sites

• it is a design issue to try to identify the optimal distribution - data at the sites where it is used most


Distributed DBMS

• additional roles to play in the case of a distributed DB

• determine the location where data to be retrieved is located

• translate the request into the language used by the local DBMS

• deal with normal data management functions, security matters, locking, query optimisation...

Heterogeneous Distributed DBMS

• a different DBMS running at each site
• a master DBMS controlling the interactions amongst the parts
• not practical today (compatibility)
• more often, each DBMS follows the same data architecture


Problems with global transactions

• DBMSs can be radically different - relational versus network

• only some state-of-the-art commercial products have translating capabilities

• one alternative solution is to put some essential data and the directory of the data locations on a central server

• Real distributed DBMS solve these problems for the users with the help of the NOS

Commit Protocol

• to ensure the integrity of the data in update operations
• well defined procedure based on the exchange of messages (“ok” or “not ok”)
• each global transaction can either be complete (and completed) or aborted
• Two-phase commit:
  – site originating the transaction sends requests to all sites involved in the update
  – all sites attempt to process their part of the transaction without committing the data (temp files)
  – they notify the first site whether OK or not
  – the first site collects all OKs and sends order to commit the data
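The two-phase commit exchange above, as an added example that is not from the original slides. Each site is an in-memory SQLite database (an assumption), the stock table and quantities are constructed, and site crashes or lost messages, which a real protocol must also survive, are not modelled.

```python
import sqlite3


class Site:
    """One site of the distributed database, with its own local DBMS (constructed data)."""

    def __init__(self, name, quantity):
        self.name = name
        self.db = sqlite3.connect(":memory:", isolation_level=None)
        self.db.execute(
            "CREATE TABLE stock (part TEXT PRIMARY KEY, qty INTEGER CHECK (qty >= 0))")
        self.db.execute("INSERT INTO stock VALUES ('P1', ?)", (quantity,))

    def prepare(self, delta):
        """Phase 1: do the local work without committing it, then vote."""
        self.db.execute("BEGIN")
        try:
            self.db.execute("UPDATE stock SET qty = qty + ? WHERE part = 'P1'", (delta,))
            return "ok"
        except sqlite3.IntegrityError:      # local rule broken: stock would go negative
            return "not ok"

    def commit(self):
        self.db.execute("COMMIT")           # phase 2, when every site voted "ok"

    def abort(self):
        self.db.execute("ROLLBACK")         # phase 2, when any site voted "not ok"

    def quantity(self):
        return self.db.execute("SELECT qty FROM stock WHERE part = 'P1'").fetchall()[0][0]


def global_transaction(work):
    """Run one global update; work is a list of (site, delta) pairs."""
    # Phase 1: the originating site sends each request and collects the votes.
    votes = {site.name: site.prepare(delta) for site, delta in work}
    decision = "commit" if all(vote == "ok" for vote in votes.values()) else "abort"
    # Phase 2: the same order goes to every site, so none commits alone.
    for site, _ in work:
        if decision == "commit":
            site.commit()
        else:
            site.abort()
    return decision, votes


def demo():
    detroit, chicago = Site("Detroit", 50), Site("Chicago", 10)
    first = global_transaction([(detroit, -30), (chicago, +30)])    # 50 -> 20 and 10 -> 40
    second = global_transaction([(detroit, -30), (chicago, +30)])   # Detroit has only 20 left
    return first, second, detroit.quantity(), chicago.quantity()


if __name__ == "__main__":
    first, second, detroit_qty, chicago_qty = demo()
    print(first)
    print(second)
    print("Detroit:", detroit_qty, "Chicago:", chicago_qty)
```

In the second transfer Chicago's part of the work succeeds, but it is rolled back because Detroit voted "not ok", so no stock appears from nowhere.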

Timestamping

• Alternative to locking (possibility of deadlocks)
• ensures that transactions are processed in serial order so locking is not needed
• All updated records carry the timestamp of the transactions that modified them
• if new transaction attempts to update a record with an earlier timestamp = OK
• If new transaction ...with a later stamp, update access is denied, the transaction is re-stamped and is re-started

Example:

• Record in a DB: 168
• Record update: 170 OK; Updated record: 170
• Record Update: 165 Denied
• Record Update: 170 Transaction re-started (ie: do it again); Updated record: 170

+++: costly deadlock situations are avoided
----: transactions may sometimes be restarted even though they did not conflict with previous ones.
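The timestamp rule above applied to the slide's numbers (a record stamped 168, then transactions stamped 170 and 165), as an added example that is not from the original slides. The class names and the balance value are hypothetical, and it assumes a denied transaction is re-stamped with the next unused timestamp (171 here).

```python
import itertools


class Record:
    def __init__(self, value, stamp):
        self.value = value
        self.stamp = stamp      # timestamp of the transaction that last modified it


class TimestampManager:
    def __init__(self, next_stamp):
        # Assumed source of fresh timestamps for re-stamped transactions.
        self._stamps = itertools.count(next_stamp)
        self.log = []           # (transaction stamp, outcome) in the order decided

    def try_update(self, record, tx_stamp, change):
        """Apply change(value) only if the record carries an earlier stamp."""
        if record.stamp < tx_stamp:
            record.value = change(record.value)
            record.stamp = tx_stamp
            self.log.append((tx_stamp, "OK"))
            return True
        self.log.append((tx_stamp, "Denied"))
        return False

    def run(self, record, tx_stamp, change):
        """Run a transaction to completion, re-stamping and restarting it when denied."""
        while not self.try_update(record, tx_stamp, change):
            tx_stamp = next(self._stamps)   # re-stamp, then do it again
        return tx_stamp


def slide_example():
    manager = TimestampManager(next_stamp=171)
    record = Record(value=418, stamp=168)                  # the value is constructed
    manager.run(record, 170, lambda balance: balance + 100)            # 168 < 170: OK
    final_stamp = manager.run(record, 165, lambda balance: balance - 100)  # 170 > 165: denied
    return manager.log, record.value, record.stamp, final_stamp


if __name__ == "__main__":
    log, value, stamp, final_stamp = slide_example()
    print(log)
    print("value:", value, "record stamp:", stamp, "restarted as:", final_stamp)
```

Because the restarted transaction recomputes its change from the record's current value, the late update is applied on top of the earlier one instead of overwriting it.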

Effect of design on speed

• how to design fast queries
• simple example with two sites in relational DB:
  – supplier (Supplier#, ...,City): 10,000 records stored in Detroit
  – part (part#, .., colour): 100,000 records stored in Chicago
  – Shipment (supplier#,..., Part#): 1,000,000 records stored in Detroit
  – each record is 100 characters long + there are 10 red parts
  – data transmission is 10,000 characters/second, 1 second delay in any communication
  – data processing negligible
• Write the SQL statement
• Imagine how the query can be carried out between the two sites

SQL statement

select supplier.supplier#
from supplier, part, shipment
where supplier.city = 'Cleveland'
  and supplier.supplier# = shipment.supplier#
  and shipment.part# = part.part#
  and part.colour = 'Red'

Conclusions

• Reasonably easy to optimise query with two tables
• Very complex with more than two (try with 30!)
• Rules:
• Queries must be broken down into components isolated at different sites (minimise communication time and traffic)
• Determine which site has the potential to yield FEWER selected records
• Move preliminary results to site where rest of the work can be performed (ie: try to move as few records as possible)
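The rules above tried on a miniature of the two-site example, as an added example that is not from the original slides. The rows are constructed, the column names supplier_no and part_no stand in for supplier# and part#, and the timing assumes one communication per set of records shipped and ignores returning the answer to the user.

```python
import sqlite3

# Figures from the slide: characters per record, characters per second, seconds of delay.
RECORD_SIZE, RATE, DELAY = 100, 10_000, 1

QUERY = """
    SELECT supplier.supplier_no
    FROM supplier, part, shipment
    WHERE supplier.city = 'Cleveland'
      AND supplier.supplier_no = shipment.supplier_no
      AND shipment.part_no = part.part_no
      AND part.colour = 'Red'
"""


def build_sites():
    """Constructed miniature of the two sites: Detroit holds supplier and shipment."""
    detroit = sqlite3.connect(":memory:")
    chicago = sqlite3.connect(":memory:")
    detroit.executescript("""
        CREATE TABLE supplier (supplier_no INTEGER, city TEXT);
        CREATE TABLE shipment (supplier_no INTEGER, part_no INTEGER);
        INSERT INTO supplier VALUES (1, 'Cleveland'), (2, 'Cleveland'), (3, 'Detroit');
        INSERT INTO shipment VALUES (1, 10), (1, 11), (2, 11), (3, 10), (3, 12);
    """)
    chicago.executescript("""
        CREATE TABLE part (part_no INTEGER, colour TEXT);
        INSERT INTO part VALUES (10, 'Red'), (11, 'Blue'), (12, 'Red'), (13, 'Green');
    """)
    return detroit, chicago


def run_plan(rows_to_ship_sql):
    """Select rows in Chicago, ship them to Detroit, finish the query there."""
    detroit, chicago = build_sites()
    shipped = chicago.execute(rows_to_ship_sql).fetchall()
    detroit.execute("CREATE TABLE part (part_no INTEGER, colour TEXT)")
    detroit.executemany("INSERT INTO part VALUES (?, ?)", shipped)
    answer = [row[0] for row in detroit.execute(QUERY)]
    return answer, len(shipped)


def transfer_time(records, communications=1):
    """Seconds needed to move the records, using the slide's rate and delay."""
    return DELAY * communications + records * RECORD_SIZE / RATE


def compare_plans():
    whole_table = run_plan("SELECT part_no, colour FROM part")
    red_only = run_plan("SELECT part_no, colour FROM part WHERE colour = 'Red'")
    return {
        "same answer": whole_table[0] == red_only[0],
        "records shipped (miniature)": (whole_table[1], red_only[1]),
        # The same plans at the slide's sizes: 100,000 parts, 10 of them red.
        "seconds, whole part table": transfer_time(100_000),
        "seconds, red parts only": transfer_time(10),
        "seconds, supplier + shipment to Chicago": transfer_time(10_000 + 1_000_000, 2),
    }


if __name__ == "__main__":
    for name, value in compare_plans().items():
        print(f"{name}: {value}")
```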

Managing the IS department:

• Dilemmas in managing IT:
  – limited to the administration of systems
  – searching for new opportunities to develop the use of IT
• Success of the IT function is often measured based on the operation of existing systems
• Adaptability and creativity are not assessed
• Neither is the efficiency of resource usage


Tasks of IS

• IS delivers a service to the rest of the organisation - it is a support department

• IS is in charge of managing the computer resources and the technology

• IS must plan for future needs on behalf of the whole organisation

• IS must develop the new systems that will help the organisation in the future

Tensions in IS department: Why are IS departments short of staff?

[Figure: Total costs of running the IS function, 1960’s to 1990’s, split between IS Staff and Hardware]

Tension in IS Departments: Entropy of System’s Development

[Figure: cycle of Systems Planning, Systems Analysis, Systems Design, Systems Implementation and Systems Support, with the labels: Obsolete system = need new system; New related problem or requirement; New solution to existing requirement; Bugs and errors in execution]

IS as a service department

• supporting end-users - answering their requests
• training users
• provide a secure environment
• providing advice on how to tackle problems in the future

There are a number of strategies to fulfil this role

Different philosophies of Network Management:

1 - Centralised DP:
• one company = one computer
• one department does all the processing
2 - Decentralised DP:
• each individual function has own computer with home made rules and procedures
3 - Distributed DP (DDP):
• somewhere in between
• various computers available throughout the company
• all linked together

+/- of the different philosophies:

1 - Centralised DP:
• easy to maximise use of computer and to control usage
• flexibility for user is restricted
2 - Decentralised DP:
• difficult to maintain and share corporate data (compatibility of software, hardware...?)
3 - Distributed DP (DDP):
• more difficult to manage
• does address the difficulties of both philosophies

Traditional IS

• computing is a centralised activity managed by the IS department
• functional areas have no freedom in relation to the selection or the usage of IT
• functional areas have no budget for computing
• the IT architecture developed in the organisation is centralised as well


End-user computing

• Users / managers are active in determining the systems they require

• They are active in specifying the requirements for these applications

• They may even develop the applications themselves (if skilled enough)

• They have a specific budget within their functional area to accomplish this

• They may be supported by the IS department through an Information Centre


Problems with EUC:

• less transparency in the IS spending (up to 50% in “hidden” costs)

• more difficulty in integrating inter-departmental systems

• possibility that individual buyers make wrong choices

• Loss of economies of scale

Problems with EUD

• No overall view of business systems

• no standards for development and documentation

• likely duplication of efforts and data

• likelihood of loss of critical knowledge

• risk of local users “re-inventing the wheel”

Advantages of EUC

• faster application development / implementation

• increased chance of getting requirements right

• users become more expert at using computing resources

• productivity increases at individual user level

• reduction of the “application backlog”

Outsourcing

• Transfer the responsibility for IS to an outside organisation (various degrees)

• Use a computer service provider for one or more applications

• outsource some development work

• Do without an IT department and depend entirely upon outside specialists

• Saves money but with major consequences for control and strategic developments

Historical evolution of IS

• Stage of growth model (Nolan)

• All organisations go through similar stages

• EUC emerges in stage 2

• EUC must be carefully managed through the other stages

• Failure to manage EUC means organisation does not go into later stages

• Evolution is basically a cycle of phases of control, EUC and outsourcing

Dealing with IT costs

• Allocating or charging out costs

• Seen as an administrative or accounting procedural matter

• can influence the selection of and management of IT investments and budget

• Who pays for IS projects and who is responsible determines how applications are cost justified

• Also accountability for failure and over spending

The Chargeback system

• Unpopular at the best of times

• users see it as a pricing mechanism: how expensive should IT be?

• Transfer pricing for buying and selling IT products and services

• All boils down to status of IS department and whether functional areas have access to a free IS market

Free Market?

• Have functional areas their own budget?

• Is IS an independent profit centre?

• Is IS in competition with other suppliers?

• Can IS refuse unprofitable work?

• Who prepares the IS budgets?

• What cost drivers to use?

Calculating IS usage

• Traditionally, CPU time and other very technical parameters

• More fair to the user to use more visible and business-like measures:

– number of transactions

– number of screens viewed per session

– …

• Matter of business policy!!

Vision of the status of IS

• Earl argues that charge-out system must reflect the role of IS as component of the business:

• service centre: IS service not chargeable

• cost centre: users are charged with costs representing the resources consumed (IT costs are recovered)

• Profit centre: users pay a market price (IS department can have its own revenues + bid for outside work)

Implications for charge-out system

• Cost centre: charging method based on average/standard costs (e.g. network)

• Profit centre = open market - players can accept / refuse work based on availability of better offer

• First step to outsourcing??

• Hybrid method may offer best solution,

– charges determined by the nature of each application

• but is difficult to implement

Protection of Information Resources

• Modern network-based environments require the application of basic security principles to distributed environments.

• “An open, secure system is a contradiction in terms” (datapro, 1994).

• any data flowing through a network or cached temporarily is vulnerable

• as security is implemented, freedom is reduced

Basic principles of security

• Confidentiality

• integrity

• authenticity

• utility - fitness for a purpose

Steps in protecting Distributed Resources

• Identify what you want to protect

• evaluate and determine all possible weaknesses / sources of risk

• constantly review access to IT resources and IT audit procedures

• routinely conduct / update risk analysis of the operation

Priorities for the Protection of Computer Resources

• Prevention of computer crimes - ie ensuring that information resources are only used as prescribed and by authorised personnel

• disaster planning - pro-actively envisaging what might happen in order to minimise risks

• disaster recovery or “business continuation” - ie ensuring that consequences of crime and accidents will also be minimum so business can resume immediately

Computer crime:

• using computer resources to engage in unauthorised or illegal acts

– stealing money from a bank

– copying and using programs without required licence

• as technology spreads, opportunities for crime increase

• still very loose legal framework means few people are prosecuted

• 80% of crimes are insiders’ jobs (employees)

• most instances are not reported (banks!!!)

Types of computer crime:

• a very large number of different ways:

– data diddling: unauthorised modification of data

– the Trojan Horse technique: a block of code hidden in a program

– the salami technique: shaving minute amounts from each transaction

– Trapdoor routines: special programs used in the development phase sometimes not removed

– Eavesdropping: spying on data communication between LANs and mainframes for important info

Recent survey

• security problems resulting in financial loss:

– 24% software failure

– 12% network failure

– 12% virus

– 11% computer failure

– 7% stolen data

– 5% sabotage

– 4% network break-in

• Nearly 50% have lost valuable info in last 2 years

• 20 respondents have lost info worth more than £1 million

• 70% say security risks have worsened

• 80% have hired a full time info security director

• 67% have faced viruses in the last year

Computer related crime

• credit card fraud 96%

• telecommunication fraud 96%

• staff use of corporate computer for personal use 96%

• unauthorised access to company files 95%

• cellular phone fraud 95%

• unlawful copying of copyright software 90%

• theft of information regarding:

– clients 81%

– trade secrets 80%

– new products 75%

– confidential employee information 75%

– money 72%

Hackers and Bandits:

• most prolific types of unauthorised activities on computer systems

• a hacker is someone who breaches communication and network security to gain unauthorised access to a central computer

• Hackers are supposed to do it for the fun

• very often not classified as computer crime and not prosecuted

• They can however be tricked by Bandits who give them “bad ideas”

Requirements for identification of computer crime:

A number of conditions have to be demonstrated to enable prosecution of the crime:

– knowledge: criminals must have competent knowledge about the act and be aware of the consequences

– purpose: they must have an underlying purpose, specific intent; otherwise, browsing may be merely “electronic trespassing”

– malice: they must be motivated by malice and wish to do harm in some way.

How to make it easier to trap Hackers:

• have investigation procedures ready to be implemented

• they will aim at freezing the situation and preserving the scene of the crime

– prevent further damage to data and programs

– limit the losses incurred

– find out what went wrong

– identify the perpetrator (if any)

– preserve evidence in view of legal action

• in the case of internal threats, publish an internal code of conduct for employees (included in work contract??)

Why are computers so vulnerable?? - DATA

• data can be stored in pocket size forms (floppy disks, disks, tapes, DAT...)

• electronic data is invisible

• data can leak (electromagnetic waves = tempest)

• data is accessible (can be copied without trace or authority)

• data can get left behind

• centralised data stores can reach high value

Why are computers so vulnerable?? - COMPUTERS

• computers are mythical: users do not behave rationally

• technology is changing faster than companies / people can adapt

• communication and networking are compounding factors

• systems and networks are more and more integrated (open systems)

• processing is more and more distributed

• security standards are still very low

Consequences of security breaches

• damage is sometimes unexpected and subtle:

– loss of business

– damaged reputation

– compromised organisational secrets

• Primary costs - replacement of destroyed / stolen property

• secondary costs - lost business / revenues

• incidental costs - legal and detrimental costs resulting from damage or settlement

First step is risk analysis:

• Some general threats to all companies, but each setting is unique => specific analysis

• identify specific worth of organisational assets

• From list of sensitive assets a specific security plan can be designed

• this is best done by an outsider (taking some distance is required) by way of an inquiry:

– talking to people

– learning about the company

– writing a report that will convince top management

steps in security: assessing risks:

• a number of “models” are available for assessing risks

• one example is:

Risk = Threats + Vulnerabilities + Asset values

where:

– threats are events which cause harm

– vulnerability is the degree of openness of the org.

– asset value is the worth of the assets in danger

• If one component decreases, risk decreases and vice versa

Risk analysis techniques:

• Subjective analysis = group method where all competent staff review:

– the role of the computer systems

– the nature of the business and the org.

– the history of the company (for previous problems)

– no longer sufficient because not systematic enough

• Quantitative analysis: come up with a figure that should be spent every year by:

– computing the likelihood of each threat

– computing the costs of damage resulting from each threat

– multiplying frequency and impact to obtain the maximum amount that should be spent on protecting the company against each threat

– there are obvious limits to that method too

Security policy matrix:

[Figure: matrix with Impact (0 to 10) on one axis and Expectancy (0 to 10) on the other; cells labelled Plan (What-if?), Accept Risk (So What...), Avoid/Escape (What!!!) and Control (What to do...)]
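An added worked example (not part of the original slides) of the quantitative analysis and the security policy matrix described above: it multiplies frequency by impact for each threat to get a yearly spending ceiling, then places the threat in the matrix. The threat figures, the 0-10 scores, the midpoint of 5 and the placement of the four cells on the axes are assumptions.

```python
"""Quantitative risk analysis plus the security policy matrix (added example)."""
from dataclasses import dataclass

MIDPOINT = 5  # assumption: boundary between "low" and "high" on the 0-10 axes


@dataclass
class Threat:
    name: str
    events_per_year: float   # likelihood, as expected occurrences per year
    damage_per_event: float  # cost of damage from one occurrence (pounds)
    control_cost: float      # yearly cost of the proposed countermeasure
    expectancy: int          # analyst score 0-10, one matrix axis
    impact: int              # analyst score 0-10, the other matrix axis


def spending_ceiling(t: Threat) -> float:
    """Frequency multiplied by impact: the most worth spending per year."""
    if t.events_per_year < 0 or t.damage_per_event < 0:
        raise ValueError(f"negative estimate for {t.name}")
    return t.events_per_year * t.damage_per_event


def matrix_cell(t: Threat) -> str:
    """Place a threat in the policy matrix (cell layout is an assumption)."""
    for score in (t.expectancy, t.impact):
        if not 0 <= score <= 10:
            raise ValueError(f"score out of range for {t.name}")
    high_impact = t.impact > MIDPOINT
    high_expectancy = t.expectancy > MIDPOINT
    if high_impact and high_expectancy:
        return "Avoid/Escape"
    if high_impact:
        return "Plan"  # rare but severe: the case a yearly average hides
    if high_expectancy:
        return "Control"
    return "Accept Risk"


def analyse(threats):
    """Return one row per threat, largest spending ceiling first."""
    rows = []
    for t in threats:
        ceiling = spending_ceiling(t)
        rows.append({
            "threat": t.name,
            "ceiling": ceiling,
            "control_justified": t.control_cost <= ceiling,
            "cell": matrix_cell(t),
        })
    return sorted(rows, key=lambda r: r["ceiling"], reverse=True)


# Constructed sample figures, not taken from the slides or from any survey.
SAMPLE = [
    Threat("virus outbreak", 4, 2_500, 3_000, expectancy=8, impact=3),
    Threat("network break-in", 0.5, 40_000, 12_000, expectancy=6, impact=8),
    Threat("computer centre fire", 0.01, 900_000, 25_000, expectancy=1, impact=10),
    Threat("mistyped report", 2, 50, 2_000, expectancy=3, impact=1),
]

if __name__ == "__main__":
    for row in analyse(SAMPLE):
        print(f"{row['threat']:22}{row['ceiling']:>10,.0f}  {row['control_justified']!s:6}{row['cell']}")
```

The fire entry shows one limit of the quantitative method: its yearly ceiling is too small to justify the countermeasure, yet the matrix still puts it in the Plan cell.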

Components of the security Plan

• physical security

• document security

• personnel security

• hardware security

• software security and logical access control

Example - physical security

• Plan is aimed at deterring intruders from trying

• efficiency of the barrier is measured by:

– the time and cost needed to breach it

– the speed with which intrusions are identified

– the accuracy with which the intruder is identified

– its non-interference with the life of the organisation

• it involves the protection of:

– the computers (location, layout of computer centre)

– the services of the computer installation (air conditioning, power, water...)

– fire protection

Example - document security

• there are a number of documents specific to computer use that are important:

– blank pro-formas

– “handle as if..” documents (ie: drafts, mistakes...)

• magnetic documents (ie: disks and tapes) must be registered in an inventory

• tapes must be purged before being re-used

• the life of every computer document should end by its destruction (shredded)

Who is in charge:

• security is still viewed as an MIS issue

• Co-ordination of security strategy is an MIS issue

• but co-operation is required from all departments / users

• if procedures are not followed, the best strategy is worth nothing

Security of Networks:

• Security is much easier to implement in M/F environments - ie centralised

• risks increase in LANs and even more in interconnected LANs (WANs)

• Remote access is a great source of risk - eg workstations are left unattended

• Remote access market = $2 billion in 1997

• how to make a network of notebooks safe

Security with EDI:

• organisations share their IT infrastructure

• paperless nature of transactions requires double care - legal aspects

• prevention, monitoring and recovery must be shared and co-ordinated between the partners

• liability and responsibility could be difficult to establish

• all parties involved must agree on common code of security to ensure “end-to-end” security

Security with CAD:

• attempt to shorten the value chain of an org.

• design office is linked to outside organisations to contract out work

• design office is on-line to the manufacturing systems

• Integrated system also involves inventory control, finished goods stocks, shop floor control...

Security with Document Image Processing

• Paperless organisation means documents are scanned as soon as they come in

• copies of all documents always available from anywhere

• over-reliance on such systems (inability to handle paper documents) can lead to disaster

• editing facilities make it too easy to “fabricate” documents for fraudulent purposes

Added difficulties in multi-vendor environments

• most organisations no longer rely on one single platform

• integration means emphasis is on linking these rather than separating them

• password protection can mean that users must remember many different passwords

• encouragement for users to weaken security by using same password or obvious passwords

Recovery Planning:

• perfect security cannot be achieved and no single countermeasure is completely effective

• security is about reducing the risk to an acceptable level and coping with the consequences

– provision must be made for accidents despite countermeasures

– recovery mechanisms are as important as protection

• so security measures should:

– operate in conjunction with the corporate life

– be simple and easy to implement

– be cost effective as £££ are scarce for security

– be introduced over a period of time, progressively

Potential gain from a suitable security strategy:

• improved image:

– competitive advantage can be obtained

• enhanced customer confidence:

– ensure service continuity

– accuracy and privacy of service

– safeguard of customer assets

• new products and services:

– novel security devices and strategies can be marketed and sold to other companies

– security projects may generate new ideas

• new security features for existing products and services:

– can give new life to an old line of products

– market opportunities may be lost if security is not up to the standard

A Strategic Role for IS

• IS as a contributor to organisational value added

• Helping functional areas to develop their contribution

• contributing to developing new specific activities

• e.g. Electronic Commerce

IS Strategy

• IS strategy must be consistent with:

• The organisation’s corporate plan

• its management’s view of the role of IS in the organisation

• its stage of maturity of use and management of IS

Example of questions that must be addressed

• Where does the IS strategy fit in the wider set of corporate strategies

• what has been the history of IS strategy planning

• what circumstances demand major re-assessment of IS plans

• who might be employed to do the actual planning

• what might an IS strategy contain

Different organisational circumstances

• Maturity (Nolan)

• Information intensity

• Strategic Importance

• Special circumstances demand extra planning:

– major corporate changes (BGE)

– external competitive opportunity or threats

– evolutionary change in IS maturity

From Planning to Implementing

• Improving IS strategic Planning is primary target of IS and non-IS managers

• Contents of plans improved over 80s and 90s

• But many IS plans have been left aside nevertheless

• Lack in commitment to implement them - especially top management

Barriers to implementation

• Lack of top management’s awareness (DP era)

• Credibility gap between hype and real benefits

• Lack of vision (information not an asset)

• Difficulty in judging / evaluating IS proposals

• Short term focus militates against planning

Evaluating IS investments

• Tangible versus intangible benefits

• Quantifiable versus unquantifiable

• Accounting rules: return on investment often militates against IT and technology at large

• Prioritising proposals

• IS investment versus non-IS projects - eg: automation on factory floor

Threats resulting from lack of planning

• Loss of control of investment in IT

• Incompatible / inconsistent development of IT usage - eg: UCC

• Conflicts between functional areas

• Systems’ life shorter + greater need for upgrade / maintenance

• Decreasing return on investment

Good IS planning?

• Impact not instantaneous (2 / 3 years delay in getting benefits)

• Benefits depend on:

– starting point (current system’s portfolio)

– opportunities sought

– top management support (champion)

• Proper organisational culture and good relationship between IS and other areas must be developed (eg: BGE)

Mintzberg’s Grass Root Model

• Planning for IS is everyone’s business

• Balance between formalised strategies and emergent strategies

• Planning process should not only pre-conceive strategies, but also recognise their emergence and intervene when appropriate

• Knowing when to promote change for the sake of adaptation and when to resist it for the sake of internal efficiency

Adaptive approach to IS planning

• Best opportunities for IS development are often linked to unique assets or resources

• Firms must learn to identify and exploit these

• Hayes (1985): “Firms should acquire technologies and techniques so that workers and managers gain experience with them and come to understand their capabilities and constraints”

• Organisational structure should be modified in order to foster this process

Roles in Hayes’ Model

• Wizards - corporate experts and librarians for new technologies

• Marriage Brokers - designed to act as intermediaries between users and wizards

• Rich Uncle - manager who pays for seeds so users can develop prototypes

• Weed Puller - top executive who re-evaluates investments and projects and stops or encourages them

• Teacher - educates users about the possibilities offered by technologies and others about the organisation and its products

Advantages of the Adaptive Approach

• Bottom up process - ideas come from users in close contact with organisational processes

• Top-down approaches are less satisfactory as senior strategists may be unaware of technical possibilities

• Adaptive approach enables focus on specificities of the firm => yield long term edge

• Development of an informal structure of actors involved in strategic idea generation may prove a competitive advantage in its own right