Wednesday, December 7, 2016

Chapter 10: Information Security Management

What is the goal of information systems security?
  • Threat/Loss Scenario: Major elements of IS security
  • Threat – person or organization seeks to obtain data or other assets illegally, without owner’s permission and often without owner’s knowledge
  • Vulnerability – opportunity for threats to gain access to individual or organizational assets; for example, when you buy online, you provide your credit card data, and as data is transmitted over Internet, it is vulnerable to threats
  • Safeguard – measure individuals or organizations take to block threat from obtaining an asset; not always effective, some threats achieve their goal in spite of safeguards
  • Target – asset desired by threat
  • Human error examples: (1) employee misunderstands operating procedures and accidentally deletes customer records; (2) employee inadvertently installs an old database on top of current one while backing up; (3) physical accidents, such as driving a forklift through wall of a computer room
  • Computer crime – intentional destruction or theft of data or other system components
  • Natural disasters – fires, floods, hurricanes, earthquakes, tsunamis, avalanches, other acts of nature; includes initial loss of capability and service, and losses from recovery costs
  • Unauthorized Data Disclosure
  • Pretexting
  • Phishing
  • Spoofing
    • IP spoofing
    • Email spoofing
  • Drive-by sniffers
  • Wardrivers
  • Hacking & natural disasters
  • Procedures incorrectly designed or not followed
  • Increasing customer’s discount or incorrectly modifying employee’s salary.
  • Placing incorrect data on company Web site.
  • Cause
    • Improper internal controls on systems.
    • System errors.
    • Faulty recovery actions after a disaster.
  • Viruses
  • payload
  • trojan horses
  • worms
  • spyware
  • adware


What are the sources of threats?
What types of security loss exist?
Incorrect Data Modification

Goal of Information Systems Security
Find appropriate trade-off between risk of loss and cost of implementing safeguards.
Protective actions
Use antivirus software.
Delete browser cookies?
Make appropriate trade-offs to protect yourself and your business.
Average Computer Crime Cost and Percent of Attacks by Type (5 most expensive)
How should you respond to security threats?
Security safeguards and the five components

How can technical safeguards protect against security threats?
Use of multiple firewalls
Organizations normally use multiple firewalls. A perimeter firewall sits outside the organizational network; it is the first device that Internet traffic encounters. A packet-filtering firewall examines each part of a message and determines whether to let that part pass. To make this decision, it examines the source address, destination address(es), and other data. Packet-filtering firewalls can prohibit outsiders from starting a session with any user behind the firewall, prohibit traffic from legitimate, but unwanted, addresses, such as competitors’ computers, and filter outbound traffic. No computer should connect to the Internet without firewall protection. Many ISPs provide firewalls for their customers. By nature, these firewalls are generic. Large organizations supplement such generic firewalls with their own. Most home routers include firewalls, and Microsoft Windows has a built-in firewall as well. Third parties also license firewall products.
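The three packet-filtering behaviours named above (blocking outsiders from starting a session, blocking unwanted source addresses, and filtering outbound traffic) can be modelled as an ordered rule list with a default deny. This is an added example, not part of the original notes; the address ranges, the HTTPS-only outbound policy and all names in the code are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses: RFC 1918 space for the inside network,
# documentation prefixes (RFC 5737) for outside hosts.
INTERNAL = "10.0.0.0/8"
UNWANTED = "203.0.113.0/24"   # "legitimate, but unwanted" range (assumed)
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str                        # source network (CIDR)
    dst: str                        # destination network (CIDR)
    dst_port: Optional[int] = None  # None matches any port
    new_session_only: bool = False  # match only SYN-without-ACK packets
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        # A TCP session starts with SYN set and ACK clear.
        if self.new_session_only and not (p.syn and not p.ack):
            return False
        return True


# Order matters: the first matching rule decides.
RULES = [
    Rule("deny", UNWANTED, ANY, note="unwanted source address"),
    Rule("allow", INTERNAL, ANY, dst_port=443, note="outbound HTTPS"),
    Rule("deny", INTERNAL, ANY, note="other outbound traffic"),
    Rule("deny", ANY, INTERNAL, new_session_only=True,
         note="outsider starting a session"),
    # Stateless caveat: any ACK-flagged packet passes here, because the
    # filter keeps no record of which sessions insiders actually opened.
    Rule("allow", ANY, INTERNAL, note="reply to an inside host"),
]


def evaluate(p: Packet, rules=RULES):
    """Return (action, note) of the first matching rule, else default deny."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [  # constructed sample packets
        Packet("198.51.100.7", "10.0.0.5", 22, syn=True),
        Packet("198.51.100.7", "10.0.0.5", 51000, ack=True),
        Packet("203.0.113.9", "10.0.0.5", 51000, ack=True),
        Packet("10.0.0.5", "198.51.100.7", 443, syn=True),
        Packet("10.0.0.5", "198.51.100.7", 25, syn=True),
    ]
    for s in samples:
        print(s.src, "->", f"{s.dst}:{s.dst_port}", evaluate(s))
```

Because the filter is stateless, it treats any inbound packet with ACK set as a reply; stateful firewalls close that gap by tracking which sessions were really opened from inside.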
Malware types and spyware and adware symptoms
How should organizations respond to security incidents?
Every organization should have an incident-response plan as part of the security program. No organization should wait until some asset has been lost or compromised before deciding what to do.
The plan should include how employees are to respond to security problems, whom they should contact, the reports to make, and steps to reduce further loss.
Identify critical personnel and their off-hours contact information





Tuesday, December 6, 2016

Chapter 9: Business Intelligence Systems

How do organizations use business intelligence (BI) systems?

  • BI systems are information systems that process operational and other data to identify patterns, relationships, and trends for use by business professionals and other knowledge workers.
  • Five standard IS components are present in BI systems: hardware, software, data, procedures, and people.
  • The boundaries of BI systems are blurry

  • Use BI for all four of the collaborative tasks described in Chapter 2.
Falcon Security could use BI to determine whether it could save costs by rerouting its drone flights.

Typical Uses for BI
Identifying changes in purchasing patterns
Important life events change what customers buy.
Entertainment
Netflix has data on watching, listening, and rental habits.
Classify customers by viewing patterns.
Predictive policing
Analyze data on past crimes - location, date, time, day of week, type of crime, and related data.

Just-in-Time Medical Reporting
Example of real time data mining and reporting.
  • Injection notification services
Software analyzes patient’s records, if injections needed, recommends as exam progresses.
  • Blurry edge of medical ethics.

What are the three primary activities in the BI process?
  • These activities directly correspond to the BI elements in Figure 9-1.
  • The four fundamental categories of BI analysis are reporting, data mining, BigData, and knowledge management.
  • Push publishing delivers business intelligence to users without any request from the users; the BI results are delivered according to a schedule or as a result of an event or particular data condition. Pull publishing requires the user to request BI results.

Using business intelligence to find candidate parts at Falcon Security
  • Identify parts that might qualify.
    • Provided by vendors who make part design files available for sale.
    • Purchased by larger customers.
    • Frequently ordered parts.
    • Ordered in small quantities.
  • Used part weight and price surrogates for simplicity.
Acquire Data: Extracted Order Data
  • Query

Sales (CustomerName, Contact, Title, Bill Year, Number Orders, Units, Revenue, Source, PartNumber)
Part (PartNumber, Shipping Weight, Vendor)

How do organizations use data warehouses and data marts to acquire data?
  • Functions of a data warehouse
    • Obtain data from operational, internal and external databases.
    • Cleanse data.
    • Organize and relate data.
    • Catalog data using metadata.
Components of a data warehouse

Data Warehouses vs Data Marts
  • The data analysts who work with a data warehouse are experts at data management, data cleaning, data transformation, data relationships, and the like. However, they are not usually experts in a given business function.
  • A data mart is a subset of a data warehouse. A data mart addresses a particular component or functional area of the business.

How do organizations use reporting applications?

  • Create meaningful information from disparate data sources.
  • Deliver information to user on time.
  • Basic operations:
    • Sorting   
    • Filtering
    • Grouping   
    • Calculating 
    • Formatting

Unsupervised Data Mining
  • No a priori hypothesis or model.
  • Findings obtained solely by data analysis.
  • Hypothesized model created to explain patterns found.
  • Example: Cluster analysis.
Supervised Data Mining
  • Uses a priori model.
  • Prediction, such as regression analysis.
  • Ex: CellPhoneWeekendMinutes
  = 12 + (17.5*CustomerAge) + (23.7*NumberMonthsOfAccount)
  = 12 + 17.5*21 + 23.7*6 = 521.7 minutes

What is the role of knowledge management systems?
  • Knowledge Management (KM)
    • Creating value from intellectual capital and sharing knowledge with those who need that capital.
    • Preserving organizational memory
    • Capturing and storing lessons learned and best practices of key employees.
    • Scope of KM same as SM in hyper-social organizations.





Tuesday, November 15, 2016

Chapter 8: Social Media Information Systems

What is a social media information system (SMIS)?

  • Social media (SM)
    • IT for sharing content among networks of users.
    • Enables communities of practice
      • People related by a common interest
  • Social media information system (SMIS)
    • Sharing content among networks of users
Convergence of Many Disciplines
  • Focus on MIS portion of diagram
  • Social media is a convergence of many disciplines

Number of Social Media Active Users


Three SMIS Roles
  • Social Media Providers
    • Facebook, Google+, LinkedIn, Twitter, Instagram, and Pinterest platforms.
    • Attracting, targeting demographic groups.
  • Users
    • Individuals and organizations
  • Communities
    • Mutual interests that transcend familial, geographic, and organizational boundaries.
SM User Communities
  • Community A - First-tier community of users with direct relationship to the site.  User 1 belongs to three communities — A, B, and C.
  • Communities B–E - second-tier communities intermediated by a first-tier user. 
  • Number of second and higher tier community members grows exponentially.
  • Exponential nature of relationships offers sponsoring organizations both a blessing and a curse.
  • If social media site wants pure publicity, will need viral hook to relate to as many communities as possible.

Social Media Application Providers
  • Facebook, Twitter, LinkedIn, Google...
  • May charge fee, depending on application and purpose.
    • Free company page on Facebook, but ...
    • Fee to advertise to communities that "Like" that page.
  • Internal SM using SharePoint for wikis, discussion board, photo sharing.
Five Components of SMIS

SMIS is Not Free
  • Costs to develop, implement, manage social networking procedures.
  • Direct labor costs
  • 92% of companies use social media to recruit employees (93% from LinkedIn).
  • 73% hired using social media,
    • 1/3 rejected candidates because of social profile

How do SMIS advance organizational strategy?
  • Strategy determines value chains
    • Value chains determine business processes
    • Processes determine SMIS requirements
  • How do value chains define dynamic processes?
    • Dynamic process flows cannot be designed or diagrammed
  • SM fundamentally changes balance of power among users, communities, and organizations
SM in value chain activities

Social Media and the Sales and Marketing Activity
  • Dynamic, SM-based CRM process
  • Social CRM
    • Customers craft own relationship
      • Wikis, blogs, discussion lists, frequently asked questions, sites for user reviews and commentary, other dynamic content
    • Customers search content, contribute reviews and commentary, ask questions, create user groups, etc.
    • Not centered on customer lifetime value
Social Media and Customer Service
  • Relationships emerge from joint activity, customers have as much control as companies
  • Product users freely help each other solve problems
  • Selling to or through developer networks most successful
    • Microsoft's MVP program
  • Peer-to-peer support risks loss of control
Social Media and Inbound and Outbound Logistics
  • Benefits
    • Numerous solution ideas and rapid evaluation of them
    • Better solutions to complex supply chain problems
    • Facilitates user created content and feedback among networks needed for problem solving.
  • Loss of privacy.
    • Open discussion of problem definitions, causes, and solution constraints.
    • Problem solving in front of your competitors
Social Media and Manufacturing and Operations
  • Improves communication channels within organization and externally with consumers, design products, develop supplier relationships, and operational efficiencies
  • Crowdsourcing
  • Business-to-consumer (B2C)
  • YouTube for posting videos of product reviews and testing, factory walk-throughs
  • Yammer - enterprise social networking service.
Social Media and Human Resources
  • Employee communications using internal personnel sites
    • Ex: MySite and MyProfile in SharePoint
  • Finding prospective employees, recruiting and evaluating candidates
  • Place for employees to post their expertise
  • Risks:
    • Forming erroneous conclusions about employees
    • Becoming defender of belief or pushing unpopular management message
How Do SMIS Increase Social Capital?
  • Capital
    • Investment of resources for future profit
  • Types of business capital
    • Physical capital: produce goods and services (factories, machines, manufacturing equipment).
    • Human capital: human knowledge and skills investments
    • Social capital: social relations with expectation of marketplace returns
What is the value of social capital?
  • Value of social capital
    • Number of relationships, strength of relationships, resources controlled
  • Adds value in four ways
    • Information
    • Influence
    • Social Credentials
    • Personal Reinforcement
How Do Social Networks Add Value to Businesses?
  • Progressive organizations:
    • Have Facebook, LinkedIn, Twitter, other SN sites
    • Encourage customers and interested parties to leave comments
    • Risk - encouraging excessively critical feedback
    • Klout score - measure of individual's social capital

Using Social Networks to Increase the Strength of Relationships
  • Strength of a relationship
    • Likelihood other entity will do something that benefits your organization
  • Positive reviews, post pictures using organization's products or services, tweet about upcoming product releases, and so on.
  • Strengthen relationships by asking someone to do you a favor
  • Frequent interactions strengthen relationships



Using Social Networks to Connect to Those with More Resources
  • Social Capital = Number of Relationships x Relationship Strength x Entity Resources
  • Huge network of people with few resources less valuable than a smaller network of people with substantial resources
  • Resources must be relevant
  • Most organizations ignore value of entity assets
How do (some) companies earn revenue from social media?
  • Hyper-social organization
    • Transform interactions with customers, employees, and partners into mutually satisfying relationships with them and their communities
  • You are the product
    • "if you're not paying, you're the product."
    • Renting your eyeballs to an advertiser
  • Monetize
Revenue Models for Social Media
  • Advertising
  • Pay-per-click
  • Use increases value
  • Freemium
    • Offers users a basic service for free, and then charges a premium for upgrades or advanced features.
  • Sales - apps and virtual goods, affiliate commissions, donations
How do organizations develop an effective SMIS?
  • Focus on being cost leader or on product differentiation
  • Industry-wide or segment focus
  • Premeditated alignment of SMIS with organization's strategy
  • Next slide shows process of developing a practical plan to effectively use existing social media platforms.
Social Media Plan Development

What is Enterprise Social Network (ESN)?
  • ESN
    • Software platform uses SM to facilitate cooperative work of people within an organization
    • Improve communication, collaboration, knowledge sharing, problem solving, and decision making
  • Enterprise 2.0
    • Use of emergent social software platforms within companies, or between companies, partners or customers







Thursday, November 3, 2016

Chapter 7: Processes, Organizations, and Information Systems

Basic Types of Processes


Structured processes are formally defined, standardized processes involving day-to-day operations: accepting a return, placing an order, purchasing raw materials, and so forth.

Dynamic processes are flexible, informal, and adaptive processes normally involving strategic and less structured managerial decisions and activities.



Three levels of organizational scope

  1. Workgroup - help a workgroup to accomplish a goal (e.g. accounts payable). Workgroup IS used to support one or more IS processes.
  2. Enterprise - processes spanning multiple departments. Enterprise IS support enterprise processes (e.g. ERP, CRM).
  3. Inter-enterprise - processes that require cooperation amongst different entities (e.g. prescription drugs).
The workgroups represent 6 of the 9 value-added activities.


Characteristics of Information Systems
  • Processes are used at three levels of organizational scope: workgroup, enterprise, and inter-enterprise.
  • Characteristics of departmental informational systems are summarized in Workgroup. Often, procedures are formalized in documentation, and users frequently receive formal training in use of those procedures.

Information systems can improve process quality
  • Process efficiency 
    • Ratio of outputs to inputs
  • Process effectiveness
    • How well a process achieves organizational strategy
  • How can processes be improved?
    • Change process structure
    • Change process resources
    • Change both
  • Performing an activity
    • Partially automated, completely automated
  • Augmenting human performing activity
    • Ex: Common reservation system
  • Controlling data quality
    • Ensure data complete and correct before continuing process activities
The problems of information silos:
  • Data duplicated
  • Data inconsistency
  • Data isolated
  • Disjointed processes
  • Lack of integrated enterprise information
  • Inefficiency: decisions made in isolation
  • Increased cost for organization

Solving the problems of information silos
  • Integrate into single database
  • Revise applications
  • Allow isolation, manage to avoid problems


How do CRM, ERP, and EAI support enterprise processes?
  • Business Process Reengineering (BPR)
    • Integrated data, enterprise systems create stronger, faster, more effective linkages in value chains
    • Difficult, slow, exceedingly expensive
    • Key personnel determine how best to use new technology
    • Requires high-level and expensive skills and considerable time
Emergence of Enterprise Application Solutions
  • Inherent processes
    • Predesigned processes for using application
    • "Industry best practices"
  • Customer relationship management (CRM)
  • Enterprise resource planning (ERP)
  • Enterprise application integration (EAI)
Customer Relationship Management (CRM)

  • Suite of applications, database, set of inherent processes
  • Manage all interactions with customer through four phases of customer life cycle
    • Marketing,  customer acquisition, relationship management, loss/churn
  • Supports customer-centric organization
Customer Life Cycle

CRM Applications

ERP Applications
Enterprise Application Integration (EAI)
  • Connects system "islands"
  • Enables communicating and sharing data
  • Provides integrated information
  • Provides integrated layer on top of existing systems while leaving functional applications "as is"
  • Enables gradual move to ERP
Design and Implementation for the Five Components
  • EAI enables organizations to use existing silo applications while eliminating many serious problems of isolated systems

Someone with knowledge of business can fix a workflow problem
  • If workflow involves information system, someone knowledgeable and comfortable working with technical people
  • You with help of a business analyst
Elements of an ERP System
  • Hardware
  • ERP Application programs
  • ERP Databases
  • Business process procedures
  • Training and Consulting
True ERP has applications to integrate:
  • Supply chain (procurement, sales order processing, inventory management, supplier management, and related activities)
  • Manufacturing (scheduling, capacity planning, quality control, bill of materials, and related activities)
  • CRM (sales prospecting, customer management, marketing, customer support, call center support)
  • Human resources (payroll, time and attendance, HR management, commission calculations, benefits administration, and related activities)
  • Accounting (general ledger, accounts receivable, accounts payable, cash management, fixed asset accounting)
ERP Solution Components


  • ERP Application Programs
    • Configurable vendor applications
  • ERP Databases
    • Trigger
      • Computer program within database to keep database consistent when certain conditions arise
    • Stored Procedure
      • Enforces business rules
    • Business Processes and Procedures
      • Adapt to inherent processes and procedures, or design new ones?
    • Training & Consulting
      • Training to implement
      • Top management support, preparing for change, dealing with resistance
      • Training to use
    • Industry-Specific Solutions
Characteristics of Top ERP Vendors

Challenges of Implementing and Upgrading Enterprise Information Systems
  • Collaborative Management
  • Requirements Gaps
  • Transition Problems
  • Employee Resistance
  • New Technology

2026 - Hybrid Model
  • ERP customers store most of their data on cloud servers managed by cloud vendors and store sensitive data on their own servers.




Chapter 6: The Cloud

Why Is the Cloud the Future for Most Organizations?

  • The Cloud
    • Elastic leasing of pooled computer resources via Internet
    • Elastic
      • Automatically adjusts for unpredictable demand
      • Limits financial risks
    • Pooled
      • Same physical hardware
      • Economies of scale
        • Average cost decreases as size of operation increases
        • Major cloud vendors operate enormous data centers (web farms).



Why Now?

  1. Cheap processors, essentially free data communication and storage.
  2. Virtualization technology
  3. Internet-based standards enable flexible, standardized processing capabilities.
Cloud does not make sense when:
  • Law or standard industry practice requires physical control or possession of the data.
    • Financial institutions legally required to maintain physical control over their data.
What Network Technology Supports the Cloud?

Most computers today support 10/100/1000 Ethernet

Abbreviations used for communications and computer memory speeds
  • Communications equipment,
  • Kilo = 1000
  • Mega = 1,000,000
  • Giga = 1,000,000,000
    • 100 Mbps = 100,000,000 bits per second.
  • Communication speeds expressed in bits, memory sizes in bytes.
Important ISP functions:
  1. Provide legitimate Internet address
  2. Provide gateway to Internet
  3. Pay access fees and other charges to telecoms.
  • WAN wireless average performance 1 Mbps, with peaks of up to 3.0 Mbps.
  • Typical wireless LAN 50 Mbps.

How Does the Cloud Work?

Carriers and Net Neutrality
  • Messages, broken into packets.
  • Packets move across Internet, passing through networks owned by telecom carriers.
  • Peering agreements - Carriers freely exchange traffic amongst themselves without paying access fees.
  • Net neutrality principle
    • All data treated equally
    • Problem: some people use more bandwidth than others
Internet Addressing
  • Public IP addresses
    • Identifies a unique device on Internet
    • Assigned by ICANN (Internet Corporation for Assigned Names and Numbers).
  • Private IP addresses
    • Identifies a device on a private network, usually a LAN.
    • Assignment LAN controlled.
IP Addressing: Major Benefits
  • Public IP addresses conserved
    • One public IP address per LAN
  • Using private IP addresses
    • Eliminates registering public IP address with ICANN-approved agencies.
    • Protects against direct attack.
Public IP Addresses and Domain Names
  • IPv4
    • 165.193.123.253
  • Domain name
    • Unique name affiliated with a public IP address
    • Dynamic affiliation of domain names with IP addresses
    • Multiple domain names for same IP address
  • URL (Uniform Resource Locator)
    • Internet address protocol, such as http:// or ftp://
Domain Registry Company


Go Daddy, or a similar agency, will first determine if desired name is unique worldwide. If so, it will apply to register that name.


Almost all e-commerce applications use a three-tier architecture
  1. User tier consists of computers, phones, other devices with browsers that request and process Web pages.
  2. Server tier consists of computers running Web servers and application programs.
  3. Data tier consists of computers running a DBMS that processes SQL requests to retrieve and store data.
Commerce server - application program that runs on a server-tier computer. Receives requests from users via Web server, takes some action, and returns a response to users. Typical commerce server functions are to obtain product data from a database, manage items in a shopping cart, and coordinate checkout process.

Protocols Supporting Web Services

WSDL, SOAP, XML, and JSON

WSDL (Web Services Description Language) - Standard for describing services, inputs, outputs, other data supported by a Web service. Documents are machine readable and used by developer tools for creating programs to access the service.
SOAP (no longer an acronym) - Protocol for requesting Web services and for sending responses to Web service requests.
XML (eXtensible Markup Language) - Used for transmitting documents. Contains metadata to validate format and completeness of a document, includes considerable overhead (see Figure 6-15a).
JSON (JavaScript Object Notation) - Markup language used for transmitting documents. Contains little metadata. Preferred for transmitting volumes of data between servers and browsers. While notation in format of JavaScript objects, JSON documents can be processed by any language (see Figure 6-15b).

How Organizations Use the Cloud

How can organizations use Cloud services securely?




Wednesday, October 19, 2016

Chapter 5: Database Processing

The purpose of a database:

  • Organize and keep track of things
  • Keep track of multiple themes
    • Theme (ex. student grades, student emails, student office visits)
    • Single theme - store in a spreadsheet
    • Multiple themes - use a database
Example of single theme:

Student data form for a database application:


Example of a database:

Database is a self-describing collection of integrated records. Database is a collection of related tables.

Components of a database:


Formal term for table is “relation”. Linking relations together creates relationships. A database is a group of related tables. Metadata describes definitions of tables, fields and relationships.

Example of relationships among rows:

Columns that are keys to different tables than the ones in which they reside: Foreign key

Sample of access metadata:

Database management system (DBMS) is the program used to create, process, and administer a database.

  • Licensed from vendors
    • IBM, Microsoft, Oracle, and others
      • DB2, Access, SQL Server, Oracle Database
    • Open Source
      • MySQL: License-free for most applications

DBMS Process Operations
  1. Read
  2. Insert
  3. Modify
  4. Delete Data
Structured Query Language - SQL
  • International standard
  • Used by nearly all DBMS
Administering the Database
  • Set up security system, user accounts, passwords, permissions, limits for processing.
  • Limit user permissions.
  • Back up database, improve performance of database applications, remove unwanted data


Query Example:

Typical database application report, query form and query report. Structure of this report creates information because it shows student data in a context meaningful to the professor.

DBMS programs provide comprehensive and robust features for querying database data.

Multiuser Processing Problem:


The lost-update problem is one of the special characteristics of multiuser database processing. To prevent this problem, some type of locking must be used to coordinate the record update activities of multiple users. Locking has its own set of problems, and those problems must be addressed as well.
Realize converting a single-user database to a multiuser database requires more than simply connecting another computer. The logic of the underlying application processing needs to be adjusted also. If you find inaccurate results, you may be experiencing multiuser data conflicts. Contact your IS department for assistance.
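The lost-update problem described above, reproduced with two users who each read a stock level and then write back their own result, followed by the same sequence under a version check. This is an added example, not part of the original notes; the table, the quantities and the choice of optimistic locking (a version column) are assumptions, since the notes do not say which locking scheme to use.

```python
import sqlite3


def make_db():
    """One inventory row (constructed data): 10 units, version counter 0."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE item (id INTEGER PRIMARY KEY, qty INTEGER, version INTEGER)"
    )
    db.execute("INSERT INTO item VALUES (1, 10, 0)")
    return db


def read(db):
    """Return (qty, version) as the user sees it at read time."""
    return db.execute("SELECT qty, version FROM item WHERE id = 1").fetchone()


def blind_write(db, new_qty):
    """Write without checking whether the row changed since it was read."""
    db.execute("UPDATE item SET qty = ? WHERE id = 1", (new_qty,))


def checked_write(db, new_qty, seen_version):
    """Write only if the row still has the version this user read.

    Returns False when another user updated the row in the meantime.
    """
    cur = db.execute(
        "UPDATE item SET qty = ?, version = version + 1 "
        "WHERE id = 1 AND version = ?",
        (new_qty, seen_version),
    )
    return cur.rowcount == 1


def lost_update():
    """Users A and B both read 10; A sells 5, B sells 3; A's sale is lost."""
    db = make_db()
    a_qty, _ = read(db)
    b_qty, _ = read(db)
    blind_write(db, a_qty - 5)   # stock becomes 5
    blind_write(db, b_qty - 3)   # stock becomes 7, overwriting A's update
    return read(db)[0]


def with_version_check():
    """Same interleaving; B's stale write is rejected, then retried."""
    db = make_db()
    a_qty, a_ver = read(db)
    b_qty, b_ver = read(db)
    rejected = 0
    for sold, qty, ver in ((5, a_qty, a_ver), (3, b_qty, b_ver)):
        while not checked_write(db, qty - sold, ver):
            rejected += 1
            qty, ver = read(db)   # re-read current data before retrying
    return read(db)[0], rejected


if __name__ == "__main__":
    print("without locking:", lost_update())
    print("with version check:", with_version_check())
```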

Entity-Relationship Data Model

Sample of relationships Ver 1:




Normalization
Converting poorly structured tables into two or more well-structured tables.









