The CEO of a local hospital group is exploring the idea of centralizing all of their IT services. They consist of four licensed, acute-care hospitals, three free-standing outpatient surgery centers, home care and hospice, physician practices, and multiple other facilities and services. Due to security and financial concerns, the hospital is exploring the possibility of using one of their locations as the main distribution facility for all of their locations’ medical services.
> Outline the equipment that would have to be purchased to support all services across the enterprise and/or be moved to the new central IT department.
> Develop a security plan for how the server room, databases, and data will be secured.
Need 5-7 pages with introduction and conclusion. Must be in APA format with minimum of 9 peer-reviewed citations.
LEARNING OUTCOMES
After reading this chapter, you will be able to:
■ define approaches for integrating IS strategy with business strategy;
■ apply simple strategic analysis tools to determine IS strategy.
MANAGEMENT ISSUES
Annual investment in BIS is significant for many companies. But what return do organisations receive for this investment? To achieve more effective investment, a well-planned BIS strategy is required that supports the corporate goals. In this chapter we aim to answer the questions a newly installed manager seeking to develop an IS strategy would ask:
■ Which process can we follow to develop an IS strategy?
■ How can we ensure the IS strategy supports the business strategy?
■ What analysis tools are available to assess current use of IS within the organisation and its environment and formulate IS strategy?
■ Where should we locate the IS function and to what extent should some services be outsourced?
CHAPTER AT A GLANCE
MAIN TOPICS
■ The strategic context 478
■ Introduction to BIS strategy 479
■ Tools for strategic analysis and definition 485
■ IS and business strategy integration 495
FOCUS ON . . .
■ IS/IT and SMEs 499
CASE STUDY
13.1 Which cloud model will prevail? 484
13.2 Next generation of clients forces pace of IT change 501
CHAPTER 13 Information systems strategy
M13_BOCI6455_05_SE_C13.indd 477 30/09/14 7:24 AM
Part 3 BUSINESS INFORMATION SYSTEMS MANAGEMENT
INTRODUCTION
Organisations that make the most effective use of business information systems (BIS) are those that make BIS strategy an integral part of their overall business strategy. The development of the e-business concept is intended to further support the integration of BIS with business strategy. This chapter looks at the approaches an organisation can use to develop a strategy for putting information systems in place which will support and enhance its overall business strategy.
THE STRATEGIC CONTEXT
In its original sense, ‘strategy’ referred to the development of plans for deceiving or outwitting an enemy. Today, corporate strategy is developed not to conquer a single competitor, but rather to compete within a chosen market. Johnson et al. (2011) use a definition that places strategy in the context of the marketplace environment and stresses its role in utilising internal resources to be best able to compete in this environment. The elements of this environment are summarised in Figure 1.2. These authors define strategy as:
the direction and scope of an organization over the long-term: which achieves advantage for the organization through its configuration of resources within a changing environment to meet the needs of markets and to fulfil stakeholder expectations.
Strategy: Definition of the future direction and actions of a company, defined as approaches to achieving specific objectives.
BIS is one of the resources deployed to help meet the needs of the market by developing and promoting new, innovative products and services that increase customer value. Most companies use a hierarchy of strategies to support the business strategy. For example, a marketing strategy is developed to assist in implementing the business strategy and this in turn will inform a marketing communications strategy. Similarly an information strategy will support the business strategy and this will be achieved by implementing separate IS and IT strategies as explained in the next section.
Effective use of BIS can also result in increased efficiency of internal processes and outward-facing processes which are part of supply chain management. This can help reduce costs and lead to increased profitability.
Any organisation’s strategy can be rooted in four areas:
■ vision – an image of a future direction that everyone can remember and follow;
■ mission – a statement of what a business intends to achieve and what differentiates it from other businesses;
■ strategies – a conditional sequence of consistent resource allocations that defines an organisation’s relationships with its environment over time;
■ policies – guidelines and procedures used in carrying out a strategy.
These areas in turn can be applied at a number of levels within an organisation:
■ corporate strategy – view of the lines of business in which the company will participate and the allocation of resources to each line;
■ strategic business units (SBU) – subsidiaries, divisions, product lines;
■ functional strategy – each functional area within a business unit must develop a course of action to support the SBU strategy. Examples include marketing strategy and logistics strategy.
Hierarchy of strategies: A collection of sub-strategies developed to help achieve corporate objectives.
This straightforward definition masks an underlying complexity of strategy. Indeed, the way in which an organisation can formulate its strategy is the subject of some debate. Claudio Ciborra (Ciborra and Jelassi, 1994) contrasts the mechanistic or prescriptive approach to business strategy with more flexible and eclectic approaches. The former is characterised by such elements as:
■ Conscious and analytical thought, where strategies emerge from a structured process of human thought and rigorous analysis; it is suggested that implementation can only follow when the strategy has been analytically formulated.
■ Top-down and control orientation, where strategy is formulated at the peak of the managerial pyramid and responsibility for strategy lies with the organisation’s chief executive officer.
■ Simple and structured models of strategy formulation, where data analysis and internal and external scanning are undertaken so that the resulting model is clear and simple.
■ Separation between the formulation of strategy and its implementation; diagnosis is followed by prescription and then by action; an organisation structure must therefore follow the formulation of the strategy rather than the other way around.
Flexible, eclectic or emergent approaches, on the other hand, are characterised by responsiveness to gradual changes through evolutionary decision-making processes that often prevail in organisations that profess to adhere to formal and mechanistic approaches to strategy formulation. Mintzberg (1990), as cited by Ciborra and Jelassi (1994), questions the mechanistic, prescriptive school of thought on three counts:
1. During strategy implementation, surprises occur that question previously developed plans. To be successful, the strategic plan needs to be modified to reflect the new situation and this contradicts the previously stated rationality and rigidity that characterise the mechanistic approach. Organisational learning is also hampered by an unduly inflexible approach.
2. While the mechanistic approach to strategy features the strategist as an impartial and independent observer and participant in the strategy development process, the reality in organisations is that organisational structure, culture, inertia and politics themselves influence the strategy development process. Strategy formulation is therefore profoundly influenced by the environment it is seeking to affect.
3. The mechanistic approach to strategy formulation is an intentional process of design. However, the reality is that organisations acquire knowledge on a continual basis and this knowledge can have a profound influence on the contents of strategy and, therefore, its formulation process.
Since both corporate and IS strategy formulation will always involve the need to react to unforeseen circumstances, resulting in sudden changes to overall corporate objectives, an effective strategy formulation process must embrace adaptation, organisational learning and incremental development that reflect a constantly changing business environment.
INTRODUCTION TO BIS STRATEGY
We have seen that all business strategies must be responsive to the external environment, but what are the elements of a strategy for managing BIS and how do they relate? Ward and Peppard (2002) identify three different elements of IS strategy:
1. Business information strategy. This defines how information, knowledge and the applications portfolio will be used to support business objectives. Increasingly, a chief information officer (CIO) or chief knowledge officer (CKO) who is part of, or reports to the senior management team is appointed to be responsible for defining and implementing this strategy.
2. IS functionality strategy. This defines, in more detail, the requirements for e-business services delivered by the range of business applications (the applications portfolio).
3. IT strategy (IS/IT strategy). This defines the software and hardware standards and suppliers which make up the e-business infrastructure.
These strategies are part of the organisation’s hierarchy of strategies discussed in the previous section.
IT strategy determines the technological infrastructure of the organisation. It ensures the most appropriate technologies and best standards are used in terms of cost, efficiency and supporting the needs of the business users and integration with customers and other partners. A recent strategic decision taken by many companies is to use the Internet protocol (IP) to support deployment of business applications via an intranet. The hardware and software elements of the IT infrastructure were described earlier (in Chapters 3 to 6). Approaches for controlling the total cost of ownership (TCO) of the IT infrastructure are described later (in Chapter 16).
IS strategy determines how IT is applied within an organisation. It should ensure that the IT deployed supports business strategies and that the appropriate resources and processes are in place for the deployment to be effective.
Note that, in reality, there is some overlap between elements of IS and IT strategy. For example, it can be argued that the selection of the optimal portfolio of software applications is an aspect of both IS and IT strategy. For this reason a convention preferred by many authors such as Ward and Peppard (2002) refers to both elements together (IS/IT strategy). This convention is used in this chapter.
The relationship between these elements is indicated in Figure 13.1. It is evident that these three elements can be considered to be hierarchical. Here, business information strategy should be driven by the objectives of the business strategy – by its information needs. IS functionality, delivered by BIS applications, should in turn be driven by the information requirements of the organisation, and finally IT strategy is the implementation of IS strategy through the delivery of IT infrastructure. Such a model is useful for debate. For example, does this model represent reality in most organisations? Do organisations have separate information, IS and IT strategies? What are the benefits and disadvantages of this approach? Although the top-down approach implies strong control of IS and alignment with business strategy, it may have limited responsiveness in taking advantage of opportunities provided by IS. If IS strategy development identifies a business opportunity it is difficult to feed this back up the hierarchy to be incorporated into the business strategy. We return to this issue in a later section where we review the merits of business-impacting and business-aligning techniques.
Applications portfolio: The range of different types of business information systems deployed within an organisation.
IT strategy: Determination of the most appropriate technological infrastructure comprising hardware, networks and software applications.
IS strategy: Determination of the most appropriate processes and resources to ensure that information provision supports business strategy.
Figure 13.1 Relationship between business strategy and IS/IT strategies [Figure: boxes labelled Corporate objectives, Business Strategy, Information Strategy, IS strategy objectives, IS Strategy, IT Strategy, Internal resource analysis, Information requirements, Micro environment and Macro environment]
Micro-environment: Immediate environment includes customers, competitors, suppliers and distributors.
Macro-environment: Wider environment of social, legal, economic, political and technological influences.
Activity 13.1 Why are environment influences important?
Purpose: To emphasise the importance of monitoring and responding to a range of environment influences.
Activity: For each of the environment influences shown in Figure 1.3, give examples of why it is important as part of IS/IT strategy to monitor and respond in an information systems strategy context. Environmental influences are clearest for a company operating an e-commerce service.
The importance of a coherent strategy to manage information is highlighted by Willcocks and Plant (2000) who found in a study of 58 major corporations in the USA, Europe and Australasia that the leading companies were astute at ‘distinguishing the contributions of information and technology, and considering them separately’. They make the point that competitive advantage ‘comes not from technology, but how information is collected stored, analysed and applied’.
IS/IT strategy and an organisation’s environment
All organisations operate within an environment that influences the way in which they conduct business. Strategy development is strongly influenced by considering the environment the business operates in. Environmental influences can be broken down into:
■ the immediate competitive environment (micro-environment) which includes customer demand and behaviour, competitor activity, marketplace structure and relationships with suppliers and partners;
■ the wider environment (macro-environment) in which a company operates includes economic development and regulation by governments in the forms of law and taxes together with social and ethical constraints such as the demand for privacy.
For IS/IT strategy, the most significant environmental influences are those of the immediate marketplace which is shaped by the needs of customers and how services are provided to them through competitors and intermediaries and via upstream suppliers. We concentrate on managing these influences here (and in Chapter 14). Wider influences are provided by local and international economic conditions and legislation together with what business practices are acceptable to society. Finally, technological innovations are vital in providing opportunities to provide superior services to competitors or through changing the shape of the marketplace. Later (in Chapters 15 to 17) we look at issues involved in managing some of the external factors related to information systems.
The environment and the modern management imperatives
Paul Licker refers to seven ‘modern management imperatives’ (Licker, 1997) summarised as the ‘seven Rs of strategy’. These highlight how an organisation must compete by using information systems strategy to respond to its external environment. Each of the seven Rs is described below together with how IS can be used to respond to the influence.
■ Reach – this recognises that businesses increasingly compete globally rather than locally or within national boundaries. As a result organisations need the ability to compete with everyone else, regardless of geographic constraints.
IS/IT both allows global competition and is required to compete; organisations need information and the tools to process it to allow quick, accurate response, any time and anywhere; global competition implies information networks and inter-organisational systems.
■ Reaction – customers are becoming ever more demanding and customers will make their views known and wish to have them respected. This means that organisations need quick customer feedback on products and services in order to offer what customers are demanding.
IS/IT is needed to access and interpret customer feedback. It can be used to keep track of customers, products and projects – it is particularly important to bring order to the data to facilitate fast and accurate response so that managers will be able to anticipate customer needs because they understand the customer. A consequence of this is that software needs to be flexible and quickly developed.
■ Responsiveness – the process of turning an idea into a product or service that can be marketed is shortening – global reach means that there will be a greater probability that a competitor will be able to offer a good or service that more closely meets customers’ requirements. The response to this situation is to shorten the concept-to-customer cycle time so that the organisation can tailor goods and services to meet customers’ specific needs.
There needs to be a rapid movement of product ideas to the market. Organisations need IS/IT to help manage this process: efficiency and speed as well as accuracy and reliability are required and information needs to be relevant and well formatted.
■ Refinement – greater customer sophistication and specificity means that customers are more able than ever to distinguish fine differences between products and compare them with their needs and desires.
More customer sophistication means increased turbulence in the market, so more information and the tools to manage and manipulate it are needed. Customers are better at communicating precise requirements which means that niche markets appear, grow and disappear rapidly. As a result increased breadth of information is required to create and market products. Also, customers respond well to systems that respond well to them.
■ Reconfiguration – as a consequence of changing customer needs and preferences, it may be necessary to re-engineer work patterns and organisational structures to change the structure of work and workflow from idea to product or service.
As business processes need to evolve and adapt to market needs, there is a big impact on information resource requirements needed for organisational learning (crossing functional boundaries). Complex work structures generate complex data, and management support systems are needed to help manage continually evolving work patterns and structures. Also, new architectures (e.g. client/server) allow decentralisation of IS/IT and greater customer responsiveness.
■ Redeployment – changing an organisation’s configuration may require the reorganisation and redesign of the financial, physical, human and information resources that are required to create and market a product or service.
Rapid redeployment of resources is required to meet customer needs. An organisation needs to be able to visualise complex arrangements for resources and models to manage them. Therefore, it is necessary to maintain detailed, relevant information on resources at all times and be able to redeploy them. Information itself has become a competitive resource, as well as allowing more control over other resources.
■ Reputation – an organisation’s reputation will be determined, at least in part, by the satisfaction that a customer experiences. This will be enhanced when the product or service meets or exceeds expectations and requirements. Therefore, an organisation needs to pay attention to the quality and reliability of its products or services and processes by which they are produced.
IS/IT can be used to support product development, testing, marketing and customer post-sales service. It can also help to reduce the gap between expectation and performance. Organisations need to enhance the quality and reliability of the product, and information systems can help in such areas as quality benchmarks, measurement and group-based control techniques.
Figure 13.2 illustrates how an organisation’s IS/IT strategy increasingly forms the bridge between the external business environment and internal business processes and activities. Consider an airline: the quality of all customer interactions, often referred to as ‘moments of truth’ by marketers, whether by phone, Internet or in person, require the support of IS. Similarly most supplier services will also be arranged and delivered through IS support.
An organisation’s IS/IT capability will determine, at least in part, how well it can respond to demands placed on it by the external business environment and how it can manage and revise its internal business processes to meet those external demands.
Figure 13.2 IS/IT capability positioning model showing IS/IT capability as the bridge between internally and externally focused business strategies [Figure: Competitors, Suppliers and Customers on the external side and a set of Internal Process boxes on the internal side, linked through IS/IT capability]
CASE STUDY 13.1
Which cloud model will prevail? By Paul Taylor
Enthusiasm for the cloud continues to grow. Companies from banking groups with thousands of branches to five-person start-ups are embracing it to obtain the benefits of its pay-as-you-go pricing and on-demand flexibility.
‘Cloud computing is one of the biggest game-changers in computing since e-business emerged 15 years ago,’ says Steve Caniano, who is in charge of AT&T’s hosting, cloud and application services businesses.
‘It helps companies directly align business needs to IT consumption, tie revenues to expenses, and control costs,’ he adds. ‘Using the cloud, businesses can scale their infrastructure at will and create opportunities to [take advantage] of services previously unavailable or unthinkable.
‘Based on our work with thousands of businesses, we estimate that approximately 70 per cent of corporate information technology infrastructure runs on customer premises with less than 20 per cent utilisation. The cloud helps companies avoid wasted investment on idle resources.’
Two AT&T customers illustrate the point. One is an engineering group, the other a regional energy company. The engineering group uses AT&T’s network-based cloud to increase or decrease its computing capability in line with its business cycles and project execution, both of which tend to be ‘spiky’. This allows it to avoid investing in infrastructure that would sit idle between projects.
The regional energy company had to cope with millions of web requests for information about energy outages and repairs during a big storm. This threatened the site’s ability to work.
‘It moved the site’s infrastructure to our cloud in four hours, enabling it continuously to communicate real-time outage information to residents and media throughout the service area, greatly improving customer service,’ Mr Caniano says.
Mark Brown, IT risk and assurance director at Ernst & Young, a consultancy, agrees that cloud computing will change the operating landscape, but believes it is likely to complement, rather than replace, client server computing.
He believes that traditional large-scale IT programmes will retain their place in the chief information officer’s arsenal, but will be supplemented with cloud computing.
While some companies are comfortable with a public cloud computing model using on-demand resources such as Amazon’s Web Services, others are building private clouds using their own virtualised servers, or adopting hybrid public-private models.
But the basic drivers are often the same and, perhaps surprisingly, cost savings are not at the top of the list.
As a recent report by Gartner, the IT research company, noted: ‘The cloud promises to deliver a range of benefits, including a shift from capital-intensive to operational cost models, lower overall cost, greater agility and reduced complexity. It can also be used to shift the focus of IT resources to higher-value-added activities for the business, or to support innovation and, potentially, lower risks.’
When asked about the main customer benefits of cloud computing, 67 per cent of Europe-based respondents to a survey published this month by CA Technologies, a software company, pinpointed scalability. Businesses using the cloud have more flexibility to expand or contract IT services as required.
A further 54 per cent highlighted the significance of ‘agility’, again emphasising the importance of being able to deliver services in a shorter time.
The survey investigated the cost benefits from cloud services and found users making savings of about 11.5 per cent on their annual IT budgets, up from 9.7 per cent reported in last year’s study.
The research also highlighted the maturation of the market. Although private clouds dominate the industry, with 55 per cent of CA’s partners saying their customers use them, compared with 33 per cent for public and 22 per cent for hybrid clouds, it is the hybrid model that is expected to take off.
When asked what type of cloud will be predominantly used in five years’ time, almost half (47 per cent) answered hybrid, compared with 37 per cent for private and just 16 per cent for public.
‘The hybrid cloud model combines the best of both worlds by allowing customers to maximise their existing infrastructure and keep it under internal control, but with the ability to use public cloud resources as needed,’ the report’s authors noted.
The reality is that, while most companies are looking at moving to the cloud, many are cautious about the public model, perhaps because of concerns about security and reliability.
For example, at Wells Fargo, the banking group, Scott Dillon, executive vice-president and head of technology infrastructure services, has used what he calls ‘cloud like’ technologies to help steer the company through a three-year integration project following the $15bn acquisition of Wachovia.
‘We think the cloud is here to stay, but not a public cloud. The attributes of the cloud or what we refer to as ‘cloudlike computing’ are something we have been embracing for about three years. We have been working on a road map to move towards that and evolve,’ he says.
‘We started by commoditising the hardware itself, moving into virtualisation and standardising software,’ he explains.
In the process, Wells Fargo reduced its number of top ‘tier 4’ data centres from seven to three, cut its regional data centres from 13 to 10, reduced the number of applications by 25 per cent to 3,000 and accelerated server provisioning (starting up a new application server) from months to 10 days.
By the end of last year, almost two-thirds of the bank’s servers were virtualised and 80 per cent were standardised. As a result, Wells Fargo achieved $1bn in savings with a significant portion attributed to its infrastructure efficiency efforts.
But like other IT professionals, Mr Dillon notes that making this type of change is not just about the technology. ‘You really have to start [focusing on] your operational readiness and capabilities,’ he says.
‘Moving to the cloud is not just another IT project, it represents a transformation of the business,’ says Mr Brown.
Daryl Plummer, a Gartner fellow and expert on web services and the cloud, strongly agrees. ‘There is a stronger recognition today that this is more than just a shift of technology,’ he says.
Unlike the move from mainframe to client-server, which was a switch from one technology architecture to another, ‘this shift moves out of the realm of technology architecture change and into the realm of behavioural relationship and business change, so it’s more akin to the change from on-premises systems with client-server mainframe to the web and e-business.’
Mr Plummer adds: ‘I use Amazon as a great example of the shift that happened then, the kind of dynamic change that can happen to markets, and now we’re seeing the same thing happening because of the cloud phenomenon.’
But he cautions that, although most companies recognise they need a cloud strategy, ‘the problem is that a lot of them are deluding themselves. Some of them are being fooled by marketing strategy, and others are just not educated enough about what cloud computing is to be able to come up with a credible strategy’.
He adds: ‘The gulf between knowing you need a strategy, and having a credible one, is a big one. We have to point out that, because companies are still just educating themselves about what it means to be doing cloud computing.’
QUESTION
Discuss the cloud model in terms of IS strategy.
Source: Taylor, P. (2012) Which cloud model will prevail?. Financial Times. 22 May. © The Financial Times Limited 2012. All Rights Reserved.
TOOLS FOR STRATEGIC ANALYSIS AND DEFINITION
In this section we present six tools commonly used in BIS strategic analysis and definition. We start by considering tools that are mainly used to assess the external environmental constraints and options for strategy and then move on to tools that assess the existing internal situation and are used to generate options about future strategy. The tools selected form only a small proportion of those available, but those covered provide a firm foundation for further analysis. In addition, each tool will be examined in the context of the way in which it can be used to help derive an IS strategy that is an integral part of an organisation’s business strategy. We will review the application of these six tools:
1. Porter and Millar’s five forces model – analyses the different external competitive forces that affect an organisation and how information can be used to counter them.
2. Porter’s competitive strategies – assesses how external competitive forces can be harnessed.
3. Nolan’s stage model – an evolutionary maturity model for assessing the current development of information systems within an organisation.
4. McFarlan’s strategic grid – a model for assessing the current and future applications portfolio within an organisation.
5. Value chain analysis – a tool for analysing the value-adding of information within an organisation. Note that value chain or value stream analysis can also be used to assess value-adding activities outside an organisation.
6. Critical success factors (CSFs) analysis – a model for assessing those factors within an organisation that are required to achieve strategic objectives.
1. Porter and Millar’s five forces model
Porter and Millar’s five forces model is a model for analysing the different external competitive forces that affect an organisation and how information can be used to counter them. The five forces are rivalry between existing competitors, threat of new entrants, threat of substitutes, the power of buyers and the power of suppliers.
This model originated in 1985 and has remained one of the classic tools by which an organisation can assess its current competitive position in relation to a number of external factors:
■ Rivalry between existing competitors. This will determine the immediate competitive position of the business and will depend principally on the number of firms already in the industry and the maturity of the industry itself. For example, a mature or declining industry will probably experience a high degree of rivalry, since survival is the key issue at stake.
■ Threat of new entrants. A new entrant to an industry will cause the existing competitive situation to be disrupted. This has been evident in many countries over the last few years, where many of the formerly nationalised industries which were then privatised are now facing competition that they have never faced before.
■ Threat of substitutes. The substitutes in question already exist within the industry, but because of differentiation they are not quite perfect substitutes for each other. The danger here, therefore, is that a company may lose market share if a rival can supply a substitute that more closely matches the needs of certain customers.
■ Power of buyers. The phrase ‘the customer is king’ is never more true than here where buyers, especially in a business area where there are relatively few of them, can exert power by threatening to switch their purchasing to an alternative supplier. This is also true for businesses where the items being purchased are particularly high-value items (e.g. aero engines).
■ Power of suppliers. This may appear a little odd given the previous point, since a business is going to be the customer to its suppliers. However, there are still competitive pressures to be addressed. For example, in a situation where a material is in short supply, a business is going to be at risk from its competitors bidding up material prices and suppliers selling to the highest bidder. An illustration of this is the worldwide shortage of PC memory chips in the early 1990s, where computer manufacturers effectively had to endure a large hike in prices if they were still to manufacture and sell personal computers.
Figure 13.3 illustrates how the five forces outlined above provide the main external pressure on the successful operation of a typical business.
These five forces can exert a profound influence on how business is conducted. If the model is to be used successfully, it will require a thorough analysis of the industry under consideration. Of itself, the resulting information will not automatically generate a business strategy for the organisation. However, it will create a vivid picture of the market environments within which the organisation is operating and provide some pointers towards avenues of further investigation.
From an information systems strategy perspective, the tool provides further pointers towards how IS can be used to affect one or more of the five forces. Each one of the five forces will be taken and an illustration of how IS can be used to benefit the business will be given:
Porter and Millar’s five forces model
Porter and Millar’s five forces model analyses the following competitive forces which impact on an organisation: rivalry between existing competitors, threat of new entrants, threat of substitutes, the power of buyers and the power of suppliers.
■ Rivalry between existing competitors. The greater the extent of rivalry within the industry, the higher the costs that will be incurred by a business as it seeks to compete with its rivals. In addition, industry rivalry will be profoundly influenced by the positioning of its products in both the industry and product lifecycles. In a declining industry, for example, collaborative efforts between industry rivals may help reduce costs or raise the profile of the industry.
■ Threat of new entrants. Businesses such as the financial services industry are competing increasingly on the basis of quality and service, and information systems are one enabler in this process. Investment in systems that support these two aspects of competition can deter potential entrants if they themselves have to make a significant investment in such systems before they can hope to compete successfully.
■ Threat of substitutes. The threat here is greater if the substitute products are a close alternative. In the shape of CAD/CAM and computer-integrated manufacturing, IS can be used to speed up development of new products and therefore reduce the ability of competitors to provide products that are acceptable substitutes.
■ Power of buyers. IS can be used to lock customers into a company’s products and so reduce the risk of the customer switching to a rival. For example, a business specialising in organising corporate travel may locate terminals at its main corporate customers so that they will be more likely to book flights, hotels and car hire with that company rather than a competitor.
■ Power of suppliers. If a supplier believes that its customers will always buy from it because there are few perceived alternatives, it is in a position to exert upward pressure on prices and to dictate trading terms to the customer rather than the other way around. Through external databases and now the Internet, IS can help businesses identify equipment and raw material suppliers much more efficiently than before and so reduce the bargaining power of suppliers.
Figure 13.3 Porter and Millar’s five forces model
Source: Adapted from excerpt in ‘How information gives you the competitive advantage’ by M.E. Porter and V.E Millar, July/August 1985, pp. 149–60. Copyright © 1985 by the Harvard Business School Publishing Corporation; all rights reserved.
[Figure 13.3: the business and its external threats shown at the centre, surrounded by bargaining power of customers, threat of substitutes, power of suppliers, threat of new entrants and extent of rivalry between existing competitors.]
The value of this model is that it encourages an organisation to look at itself in the context of its external environment. It is not a methodology that a company can follow to transform itself. It is now appropriate to switch from an externally oriented view to an internal one, again courtesy of Michael Porter.
2. Porter’s competitive strategies
Related to his work on the five forces, Porter proposed three different competitive strategies that could be used to counter these forces, of which the organisation may be able to adopt one (Porter, 2004). Once a competitive strategy has been identified, all marketing efforts can be applied to achieving this and IS can help support the aim. The three competitive strategies, which are covered in more detail in Chapter 1, are:
■ Overall cost leadership – the firm aims to become the lowest-cost producer in the industry. The strategy here is that, by reducing costs, one is more likely to retain customers and reduce the threat posed by substitute products. An example of how this might be achieved is to invest in systems that support accurate sales forecasting and therefore projected materials requirements so that good, long-term deals can be struck with suppliers, thus reducing materials costs.
■ Differentiation creates a product perceived industry-wide as being unique. By being able to tailor products to specific customers’ requirements or by offering an exceptional quality of service, the risk of customers’ switching is reduced.
■ Focus or niche involves identifying and serving a target segment very well (e.g. buyer group, product range, geographic market). The firm seeks to achieve either or both of ‘cost leadership’ and ‘differentiation’.
There is also a possible undesirable outcome:
■ ‘Stuck in the middle’ – the firm is unable to adopt any of the above approaches and, therefore, is ultimately at the mercy of competitors that are able to offer these approaches.
3. Nolan’s stage model
Nolan’s stage model is a six-stage maturity model for the application of information systems to a business.
It must be stressed at the outset that this model dates back to the mainframe era and, therefore, provides a way of looking at an organisation’s response to ongoing IS investment and management that is fundamentally influenced by this. However, the model does have value since it is simple to understand, provides an evolutionary view of business use of IS and demonstrates that an organisation’s approach to the management of IS will change over time. The model demonstrates that, over time and with experience, an organisation’s approach to computer applications, specialist IS personnel and methods of management will evolve to a level of maturity where the planning and development of information systems are embedded into the strategic planning process for the business as a whole.
Activity 13.2 Using Porter and Millar’s model to devise strategies for exploiting the Internet
Using the Internet as an example of a new information technology, examine how a business could apply information technology to counter each of Porter and Millar’s competitive forces. Applications that you may wish to consider are: sales of existing products by electronic commerce to customers across the Internet; introducing new products available over the Internet; marketing of products across the Internet; reducing the cost and increasing the efficiency of dealing with suppliers through an extranet; and changes in the ease of switching and switching costs through using the Internet. Note that the new technologies may actually improve the power of the company you are dealing with in some instances. State where you feel this is the case.
Nolan’s stage model
This model is a six- stage evolutionary model of how IS can be applied within a business.
The six-stage 1979 version of the model is the one on which we will focus here:
1. Initiation. The first cautious use of a strange technology, characterised by:
■ low expenditures for data processing;
■ small user involvement;
■ lax management control;
■ emphasis on functional applications to reduce costs.
2. Contagion. The enthusiastic adoption of computers in a range of areas:
■ proliferation of applications;
■ users superficially enthusiastic about using data processing systems;
■ management control even more lax;
■ rapid growth of budgets;
■ treatment of the computer by management as just a machine;
■ rapid growth of computer use throughout the organisation’s functional areas;
■ computer use is plagued by crisis after crisis.
3. Control. A reaction against excessive and uncontrolled expenditures of time and money on computer systems:
■ IS raised higher in the organisation;
■ centralised controls placed on the systems;
■ applications often incompatible or inadequate;
■ use of database and communications, often with negative general management reaction;
■ end-user frustration.
4. Integration. Using new technology to bring about the integration of previously unintegrated systems:
■ rise of control by the users;
■ large DP (data processing) budget growth;
■ demand for database and online facilities;
■ DP department operates like a computer utility;
■ formal planning and control within DP;
■ users more accountable for their applications;
■ use of steering committees, applications financial planning;
■ DP has better management controls, standards, project management.
5. Data administration. There is a new emphasis on managing corporate data rather than information technology:
■ identification of data similarities, their usage and meanings within the whole organisation;
■ the applications portfolio is integrated into the organisation;
■ DP (MIS – management information systems) department serves more as an administrator of data resources than of machines;
■ the emphasis changes to IS rather than DP.
6. Maturity. Information systems are put in place that reflect the real information needs of the organisation:
■ use of data resources to develop competitive and opportunistic applications;
■ MIS organisation viewed solely as a data resource function;
■ MIS emphasis on data resource strategic planning;
■ ultimately users and MIS department jointly responsible for the use of data resources within the organisation.
Data processing (DP) department is a term commonly used in the 1970s and 1980s to describe the functional area responsible for management of what is now referred to as information systems and applications development. It is interesting to note that the term focuses on the processing of data rather than the application of information. The head of this department was referred to as DP manager rather than chief information officer or IS manager.
Data processing (DP) department
Commonly used in the 1970s and 1980s to describe the functional area responsible for management and implementation of information systems.
There are a number of implications of Nolan’s model which, if taken into account, may help provide a clearer path towards the maturity stage. Both general and IS management must:
■ verify the state of IS development in order to plan for the future;
■ recognise the fundamental organisational transition from computer management to information resource management;
■ recognise the importance of and the future trends in information technology;
■ introduce and maintain the appropriate planning and control devices for the IS function (steering committees etc.).
While it is clear that the model has value, there are clearly a number of shortcomings, particularly in respect of the lack of a human dimension. Galliers and Sutherland (1991) extended the model so that it is a socio-technical one rather than merely a technical one. They did this by including reference to the organisation’s goals, culture, skills and structure. Nevertheless, we should not dismiss Nolan’s model, despite its age, since it can still provide a useful framework for information systems planning. Indeed, the maturity stage implies what all organisations should aspire to: true integration between IS and business planning!
4. McFarlan’s strategic grid
McFarlan’s strategic grid model is used to indicate the strategic importance of information systems to a company now and in the future. It is sometimes referred to as an applications portfolio model since it assesses the current mix of business information systems within an organisation.
This matrix model was developed by Cash et al. (1992) to consider the contribution made currently by information systems and the possible impact of future IS investments. It is suggested in the original model that any business will occupy one of the segments in the matrix (Figure 13.4):
■ The strategic segment indicates that the business depends on both its existing IS and its continued investment in new IS to sustain continued competitive advantage.
■ The turnaround segment suggests that, while a business in this position does not currently derive significant competitive benefits from its current IS, future investment in this area has the potential to positively affect the business’s competitive position.
■ On the other hand, a business operating in the factory segment, while depending on its current IS to operate competitively, does not envisage further IS investment having a positive impact on its competitive position.
■ Finally, a business in the support segment does not, and believes it will not, derive significant competitive advantage from information systems.
McFarlan’s strategic grid
This model is used to indicate the strategic importance of information systems to a company now and in the future.
Applications portfolio
The range of different types of business information systems deployed within an organisation.
Figure 13.4 McFarlan’s strategic grid
Source: After Cash et al. (1992) Corporate Information Systems Management, 3rd edition. © The McGraw-Hill Companies, Inc.
[Figure 13.4: a 2 × 2 grid. Horizontal axis: strategic importance of current IS (low to high); vertical axis: strategic importance of planned IS (low to high). Quadrants: Support (low current, low planned), Factory (high current, low planned), Turnaround (low current, high planned), Strategic (high current, high planned).]
Note that it is not likely to be the aim for every company to move to a high strategic importance for IS. In some industries such as manufacturing, it is unlikely that IS will ever attain high importance. In others, such as retailing, it may become more important. Given the varying significance of IS in different industries, there are a number of ways in which this model can be applied:
■ across industries for analysing the strategic importance that particular industries attach to IS;
■ within an industry, different competitors can be plotted according to the relative significance they attach to IS;
■ within a company, different departments within an organisation can be classified and goals set in relation to the future planned importance of IS.
Ward and Peppard’s (2002) modified matrix provides a useful variation on this model by categorising information systems and their business contribution in terms of an applications portfolio. This model recognises that the information systems used by a single company will not fit into a single quadrant on such a matrix, but rather there will be a portfolio of IS, some of which may lie in different quadrants.
The four sectors, which are shown in Figure 13.5, are:
■ Support. These applications are valuable to the organisation but not critical to its success.
■ Key operational. The organisation currently depends on these applications for success (mission-critical).
■ High potential. These applications may be important to the future success of the organisation.
■ Strategic. Applications that are critical to sustaining future business strategy.
Figure 13.5 Ward and Peppard’s modified strategic grid
Source: After Ward and Peppard (2002) Strategic Planning for Information Systems. Copyright 2002. © John Wiley & Sons Ltd.
[Figure 13.5: a 2 × 2 grid. Horizontal axis: degree of dependence of the business on IS/IT application in achieving business performance objectives (low to high); vertical axis: potential contribution of IS/IT application to achieving future business goals (low to high). Quadrants: Support (low dependence, low potential) – aim: reduce costs; approach: reactive with effectiveness focus. Key operational (Factory) (high dependence, low potential) – aim: improve performance; approach: reactive with technology and efficiency focus. High potential (Turnaround) (low dependence, high potential) – aim: often uncertain; approach: competitive proactive focus. Strategic (high dependence, high potential) – aim: competitive advantage; approach: competitive/effectiveness focus.]
Each of an organisation’s applications will fall into one of these categories. It is quite feasible that applications will move from one sector to another over time (e.g. today’s strategic application may become tomorrow’s key operational one). It is quite possible, for example, that a current key operational system needs to be developed to replace an old legacy system that no longer meets all the organisation’s requirements (e.g. in respect of year 2000 compliance).
The McFarlan matrix and its variant do not of themselves provide a methodology to assist an organisation with its information systems planning. However, especially in its Ward and Peppard guise, the matrix can be effective in providing a framework through which an organisation can explore current and planned IS, both from an IS perspective and from that of functional business managers.
5. Value chain analysis
This is an analytical framework for decomposing an organisation into its individual activities and determining the value added at each stage. In this way, the organisation can assess how effectively resources are being used at the various points on the value chain. Michael Porter’s value chain is a framework for considering key activities within an organisation and how well they add value as products and services move from conception to delivery to the customer. The relevance for information systems is that for each element in the value chain, it may be possible to use IS to increase the efficiency of resource usage in that area. In addition, IS may be used between value chain activities to increase organisational efficiency.
Value chain analysis makes a distinction between primary activities, which contribute directly to getting goods and services closer to the customer (physical creation of a product, marketing and delivery to buyers, support and servicing after sale), and support activities, which provide the inputs and infrastructure that allow the primary activities to take place. Figure 13.6 shows the distinction between these activities.
Primary activities can be broken down into five areas:
■ Inbound logistics. Receiving, storing and expediting materials to the point of manufacture of the good or service being produced.
■ Operations. Transforming the inputs into finished products or services.
■ Outbound logistics. Storing finished products and distributing goods and services to the customer.
■ Marketing and sales. Promotion and sales activities that allow the potential customer to buy the product or service.
■ Service. After-sales service to maintain or enhance product value for the customer.
Value chain
Michael Porter’s value chain is a framework for considering key activities within an organisation and how well they add value as products and services move from conception to delivery to the customer.
Figure 13.6 Michael Porter’s internal value chain model, showing the relationship between primary activities and support activities to the value chain within a company
Source: Reprinted from Competitive Advantage: Creating and Sustaining Superior Performance by Michael E. Porter. Copyright © 1985, 1998 by Michael E. Porter. All rights reserved.
[Figure 13.6: primary activities shown left to right as Inbound logistics, Operations, Outbound logistics, Sales and marketing, Services; support activities shown as Procurement, Product technology/development, Human resource management, Administration and infrastructure; the chain ends in value added – cost = margin.]
Secondary activities fall into four categories:
■ Corporate administration and infrastructure. This supports the entire value chain and includes general management, legal services, finance, quality management and public relations.
■ Human resource management. Activities here include staff recruitment, training, development, appraisal, promotion and rewarding employees.
■ Technology development. This includes development of the technology of the product or service, the processes that produce it and the processes that ensure the successful management of the organisation. It also includes traditional research and development activities.
■ Procurement. This supports the process of purchasing inputs for all the activities of the value chain. Such inputs might include raw materials, office equipment, production equipment and information systems.
It is probably easier to see how IS can be applied within this model than in the five forces model that we looked at earlier. For example, sales order processing and warehousing and distribution systems can be seen to be very relevant to the inbound and outbound logistics activities. Similarly, accounting systems have an obvious relevance to administration and infrastructure tasks. What is perhaps less clear is how IS can be used between value chain elements. The case study on ‘Applying the value chain to a manufacturing organisation’ helps illustrate the use of IS to provide linkages between some of the value chain elements.
How can an organisation have a positive impact on its value chain by investing in new or upgraded information systems? Porter and Millar (1985) propose the following five-step process:
1. Assess the information intensity of the value chain (i.e. the level and usage of information within each value chain activity and between the levels of activity). The higher the level of intensity and/or the higher the degree of reliance on good-quality information, the greater the potential impact of new information systems.
2. Determine the role of IS in the industry structure (for example, banking will be very different from mining). It is also important to understand the information linkages between buyers and suppliers within the industry and how they and competitors might be affected by and react to new information technology.
3. Identify and rank the ways in which IS might create competitive advantage (by affecting one of the value chain activities or improving linkages between them). High-cost or critical activity areas present good targets for cost reduction and performance improvement.
4. Investigate how IS might spawn new businesses (for example, the Sabre computerised reservation system spawned a multi-billion-dollar software company which now has higher earnings than the original core airline business).
5. Develop a plan for taking advantage of IS. A plan must be developed that is business-driven rather than technology-driven. The plan should assign priorities to the IS investments (which, of course, should be subjected to an appropriate cost–benefit analysis).
6. Critical success factors (CSFs) analysis
Critical success factors (CSFs) are measures that indicate the performance or efficiency of different parts of an organisation. Good performance of processes measured by these factors is vital to the business unit or organisation.
This technique is one of the most useful for an organisation in pinpointing what are its precise information needs. The essence of CSF analysis is summarised in Figure 13.7.
Critical success factors will exist in every functional area of the business and they indicate those things which must be done right if that functional area in particular and the organisation as a whole are to flourish. CSFs will also relate to the level within each functional area. For example, in the sales function, a CSF for an account handler may be the accurate and speedy recording and retrieval of sales data. On the other hand, for a senior manager, a CSF may involve achieving the right mix of products.
Once CSFs have been determined across process and hierarchical levels, it is possible to consider the key decisions that have to be made if those CSFs are to be achieved.
Figure 13.7 Critical success factors and deriving information needs
[Figure 13.7: business activities give rise to critical success factors (CSFs); each CSF leads to key decisions; each key decision leads to information needs.]
Critical success factors (CSFs)
Measures that indicate the performance or efficiency of different parts of an organisation and its processes.
An example of the application of CSFs in sales order processing
When a customer places an order, a number of decisions need to be made, the results of which will determine the processing actions for the order and the effectiveness of the process. The critical success factor for this process will be to achieve a high conversion rate of orders received to orders fulfilled while minimising the risk of bad debts.
One of the first decisions will be whether to accept the customer order at all. Such a decision will hinge on the creditworthiness of the customer. Second, a decision will have to be made about when the customer can receive his or her order. This may be a complex process, depending on the size and importance of the customer, the size and complexity of the order and finally existing stock levels for the ordered items and planned manufacturing or purchasing lead times. If the order is delayed, the customer may seek an alternative supplier.
Having identified the range of key decisions that need to be supported, consideration must turn to the information needed to support the decision-making processes for each relevant functional business area or operational level. To pursue the sales example to its logical conclusion, one of the first information needs is, therefore, the creditworthiness of the customer as expressed by his or her credit line or limit and the current outstanding amount. Both of these items of information would normally be drawn from a mixture of existing sales and accounts receivable data. The sales account handler needs this information before a decision can be made to continue with the customer order. Second, information relating to order item availability needs to be known before a delivery date commitment can be made to the customer. This information will probably be drawn from:
1. Customer data (for example, is the customer an important one who needs to be looked after?).
2. Stock control data (is there sufficient stock in the warehouse to fulfil this customer’s requirements?).
3. Production planning data (if there is currently insufficient stock on hand, will there be sufficient stock in time to meet the customer’s requirements?).
Through improving the quality of information available to support decision making, it should be possible to improve the efficiency of sales order processing and achieve the CSF.
IS AND BUSINESS STRATEGY INTEGRATION
Business-aligning IS strategy
The IS strategy is derived directly from the business strategy in order to support it.
Business-impacting IS strategy
The IS strategy is used to favourably impact the business strategy, perhaps by introducing new technologies.
This section examines how strategic models can be applied to ensure that there is good congruence between business and IS strategies. The aim is to apply tools that enable us either to align the IS strategies with the business needs or use IT/IS to have a favourable impact on the business. Aligning techniques are top-down in nature, beginning with the organisation’s generic business strategy and from this deriving information systems strategies that support business activities. Before these tools can be applied, it is necessary to consider the organisational strategy and the environment in which the business operates.
It is useful to consider tools for strategy definition in the context of whether they are intended to support an existing business strategy directly (business alignment), or whether they are intended to indicate new opportunities which may have a positive impact on a business strategy (business-impacting).
In a business-alignment IS strategy the IS strategy will be generated from the business strategy through techniques such as CSF analysis. In a business-impacting IS strategy the IS strategy will have a favourable impact on the business strategy through the use of innovative techniques and technologies, often as part of business process re-engineering. CSF analysis is fundamentally a business-aligning technique rather than an impacting one.
Business impacting could be achieved through the use of value chain analysis where an organisation, through an analysis of the potential for the use of IS within and between value chain elements, may seek to identify strategic IS opportunities. Perhaps the ultimate expression of using IS to impact business performance is through business process re-engineering.
The importance of strategic alignment
Figure 13.8 attempts to illustrate one of the key problems in strategic information systems planning. T1 represents the point in time when it is recognised that the current IS/IT capability (C1) is insufficient to meet the needs of the organisation (represented by the IS/IT capability gap G1). Plans are therefore developed to acquire the applications and/or infrastructure which will meet the needs of the business. At time T1 it is anticipated that a level of IS/IT capability represented by C2 will be sufficient when implemented at time T3 (thus making up the anticipated IS/IT capability gap G2). However, developments in an organisation’s business strategy may mean that, by T3, IS/IT requirements are greater than those envisaged earlier on, thus resulting in a new IS/IT capability gap, G3. The response to this can be a shortening of the cycle time between new software releases so that the capability gap is smaller and for a shorter period. However, the implication of this is that IS/IT and business strategies run the risk of never being fully and consistently aligned.
It is possible to take the misalignment argument further (Figure 13.9). At time T1, an organisation may anticipate significant demands for additional IS/IT development and construct an IS plan that will deliver capability C2 by time T2. However, it is possible that the organisation may only need part of that capability by T2 and will only be capable of using the IS/IT resource C2 by time T3. Therefore, the time from T2 to T3 may represent wasted resources. Furthermore, it may also represent a period of organisational change and upheaval while there is a misalignment of this type. In an extreme case, the resulting mismatch could result in business failure since the organisation’s business strategy has been neglected at the expense of an over-emphasis on the perceived benefits of IS/IT investments alone.
Figure 13.8 IS/IT capability/requirement model showing a strategic mismatch between IS/IT capability and business requirements [figure: IS/IT strategy and business strategy plotted against time, with capability levels C1, C2 and C3, capability gaps G1, G2 and G3, and times T1, T2 and T3]
Figure 13.9 IS/IT capability/requirement scenario 2 showing a strategic mismatch between IS/IT capability and business requirements [figure: IS/IT strategy and business strategy plotted against time, with capability levels C1 and C2, capability gaps G1 and G2, and times T1, T2 and T3]
These misalignment problems lie at the heart of IS planning and mean that there is a risk of ever-moving goalposts when attempting to specify, acquire and implement new computer-based information systems.
Weill and Broadbent (1998) summarise the alignment of business strategy and information technology in Figure 13.10. The elements to be aligned include:
■ Environment – the external business environment provides opportunities through the availability of technology, threats from competitors and constraints from external regulations.
■ Information technology portfolio – this comprises the IT infrastructure and the informational, transactional and strategic information systems part of the portfolio.
■ IT strategy – here, three aspects need to be balanced: the role of information technology in the firm (for example whether it is perceived to be a core or support function); the way information services are delivered (e.g. the degree of centralisation or decentralisation and the extent to which services are insourced or outsourced); technology policies and standards as they relate to the acquisition and operation of hardware and software solutions.
■ Strategic context – the two aspects here include the strategic intent of the organisation as it drives long-term investments in the IT (infrastructure) portfolio and the current strategy which drives the acquisition of strategic, informational and transactional information systems in response to changing internal and external needs.
Figure 13.10 Barriers to business and IS/IT alignment [figure: the environment (opportunities: technology; threats: competitors; constraints: regulations) and the strategic context (strategic intent and current strategy, covering products, market, investment and customers) impact the IT strategy (role of IT; delivery of services; policy and standards), which aligns with the IT portfolio (infrastructure, transactional, informational and strategic systems); the three links are separated by the expression barrier, the specification barrier and the implementation barrier, with arrows labelled ‘impacts’, ‘aligns’, ‘drives’ and ‘information enables’]
Strategic alignment barriers
The barriers identified by Weill and Broadbent in aligning business strategy, technology strategy and the information technology portfolio fall into three categories: expression barriers, specification barriers and implementation barriers.
Expression barriers include lack of direction in the business strategy which can result in an information technology strategy being set in isolation from the business strategy, changing strategic intents where the long-term goals of the firm are unstable and lead to difficulties in articulating a technology infrastructure, and insufficient awareness of information technology whereby the vision for how technology will be used can restrict business opportunities.
Specification barriers can include lack of information technology involvement where the impact of IT industry developments is not seriously considered in an organisation’s strategy-setting process, the communications gap that can exist between IT professionals and business managers which can lead to misunderstandings and inappropriate decisions, and uncoordinated information technology where investment in IT takes place without an overview of the organisation’s total IT portfolio and its relationship to strategic objectives.
Implementation barriers occur when one or more parts of the organisation perceive themselves as being somehow different from the other functional areas or business units and, therefore, they opt out of the shared infrastructure because they believe that it will not meet their needs.
A consequence of the barriers discussed above is that organisations can make significant investments in their IT portfolio which do not necessarily lead to any real business benefits, thus leading to the notion of the ‘productivity paradox’ (discussed in Chapter 14).
Balanced scorecards and strategic alignment
Balanced scorecard
A framework for setting and monitoring business performance. Metrics are structured according to customer issues, internal efficiency measures, financial measures and innovation.
Integrated metrics such as the balanced scorecard have become widely used as a means of translating organisational strategies into objectives and then providing metrics to monitor the execution of the strategy. The balanced scorecard, popularised in a 1993 Harvard Business Review article by Kaplan and Norton, can be used to translate vision and strategy into objectives. In part, it was a response to over-reliance on financial metrics such as turnover and profitability and a tendency for these measures to be retrospective rather than looking at future potential as indicated by innovation, customer satisfaction and employee development. In addition to financial data the balanced scorecard uses operational measures such as customer satisfaction, efficiency of internal processes and also the organisation’s innovation and improvement activities including staff development.
We will now consider each of four main areas of the balanced scorecard (Figure 13.11). Consider the influence of IS in contributing to each area:
1. Customer concerns. These include time (lead time, time to quote, etc.), quality, performance, service and cost. A measure for Halifax Bank from Olve et al. (2000) considers satisfaction of mystery shoppers visiting branches and from branch customer surveys. Customer satisfaction will be partly determined by the performance of customer-facing IS in branches and directly determined by the quality of online banking.
2. Internal measures. Internal measures should be based on the business processes that have the greatest impact on customer satisfaction: cycle time, quality, employee skills, productivity. Companies should also identify critical core competencies and try to guarantee market leadership. Example measures from Halifax: ATM availability (%), conversion rates on mortgage applications (%), arrears on mortgage (%). IS can be directly applied to improve these performance measures.
3. Financial measures. Traditional measures such as turnover, costs, profitability and return on capital employed. For publicly quoted companies this measure is key to shareholder value. Example measures from Halifax: gross receipts (£), mortgage offers (£), loans (£).
4. Learning and growth: innovation and staff development. Innovation can be measured by change in value through time (employee value, shareholder value, percentage and value of sales from new products). Examples: management performance, training performance, new product development. Some companies such as Skandia Life use measures such as staff IT skills or access to the IT to assess performance in this area.
For each of these four areas management teams will define objectives, specific measures, targets and initiatives to achieve these targets. For some companies, such as Skandia Life, the balanced scorecard becomes much more than a performance measurement system but provides a framework for the entire business strategy process. Olve et al. (2000) make the point that a further benefit of the scorecard is that it does not solely focus on outcomes, but also considers measures that are performance drivers that should positively affect the outcomes. Examples of performance drivers are investment in technology and employee training.
Figure 13.11 The balanced scorecard process [figure: vision and strategy at the centre, linked to four perspectives: the financial perspective (‘To succeed financially, how should we appear to shareholders?’), the customer perspective (‘To achieve our vision, how should we appear to our customers?’), the internal process perspective (‘What business processes must we excel at to satisfy customers and shareholders?’) and the learning and growth perspective (‘To achieve our vision, how will we sustain our ability to change and improve?’); the surrounding activities are strategy development, systems and IT development, management control systems and the learning organisation]
FOCUS ON… IS/IT AND SMEs
James Thong (1999) whilst lamenting the lack of empirical research on the determinants of IS/IT adoption in small businesses nevertheless identifies a number of factors that can apply in SMEs. These include:
■ Highly centralised management structures with CEOs making most of the critical decisions including IS/IT policies and strategy – hence IS/IT adoption will depend largely on the skills and orientation of the CEO.
■ The tendency to employ generalists rather than specialists – meaning that there is potentially less to be gained for the business as a whole and limited career progression for IS/IT specialists (even if they can be attracted in the first place).
■ A generally lower level of awareness of potential IS/IT benefits and a general lack of IS knowledge and technical skills.
■ The lack of financial resources and susceptibility to short-term planning as a consequence of a highly competitive business environment – this leads to less funds for IS/IT investment and/or the acquisition of lowest-cost IS/IT that may in itself prove inadequate for the organisation’s needs; furthermore, an SME typically has fewer slack resources with which to absorb a possibly unsuccessful adoption of IS/IT.
■ A tendency to adopt a short-term management perspective and the consequent underestimation of the amount of time and effort needed for IS/IT implementation – which in turn increases the risk of implementation failure.
Thong goes on to suggest that since the skills, time and resource constraints identified above are not as significant for larger organisations, then theories and practices in relation to IS/IT strategy implementation may not fit SMEs. Thong concludes that if SMEs are to be successful in terms of their orientation towards, and successful implementation and use of IS/IT, then four factors play a significant role in achieving this:
■ CEOs need to be both knowledgeable and innovative and show a willingness to invest scarce resources to take advantages of the improved organisational efficiency and effectiveness that successful IS/IT can offer.
■ IS/IT implementation in SMEs must offer a better alternative than the existing practices that exist within the SME. So, for example, if the opportunity cost of an IS/IT implementation is the upgrade in manufacturing equipment that is forgone, then the IS/IT investment may not be the wisest course of action. Similarly, the IS/IT must be consistent with the existing norms and values of the organisation as well as being easy to use and understand – failure in either of these will lead to non-use of the systems and thus represent a waste of scarce resources.
■ Despite the acknowledged lack of financial resources and IS/IT-knowledgeable employees in many SMEs, sufficient financial and human resources still need to be devoted to an IS/IT implementation if it is to be successful.
■ Where there is a greater need for information processing within an SME (one dealing with financial services, rather than a small builder for example), there is likely to be a greater adoption of IS/IT. This still means, however, that sufficient financial and IS/IT-knowledgeable human resources will be needed, and that these are more likely, the larger the organisation.
Thoburn et al. (1999) point out that traditionally, SMEs have concentrated on the ‘4 Ms’ – money, materials, machine and manpower, whilst neglecting the effective management of information, resulting in fragmented information systems that do not meet the operational or strategic needs of the organisation. Indeed, they suggest that appropriate management of information lies at the heart of an agile organisation. However, in their 15-month analysis of three manufacturing companies in the SME sector, they found such factors as:
■ poor strategic awareness with a lack of internal and external intelligence;
■ limited, uncoordinated and unplanned technology where computers were seen as an answer by simply being present;
■ lack of direct integration of IT systems and connectedness of IT and people-centred systems;
■ people that were highly trained, valued and rewarded but where there was a failure in communications in people-centred systems.
In response to some of the difficulties encountered by SMEs as they seek to make better use of IS/IT, Pavic et al. (2007) propose a four-stage model whereby it may be possible for some SMEs to integrate new IS technology into an overall strategy and that this new technology could lead to a competitive advantage:
■ Implementation of appropriate IT infrastructure. IT infrastructure integration is seen as a starting element of an e-business implementation strategy and investment is needed in the hardware and software required for the business to work. Their study shows that companies that are highly IT-capable and employ more skilled staff outperformed others in terms of profit.
■ Changed organisational structure and business strategies. Structural change within organisations is seen as essential and a company must accept that the Internet technology will become an integral part. They see structural change as an important element of sustaining value creation by firms in the future, and point out that organisations need an integrated and coordinated approach towards knowledge, technology and relationship management.
■ Integration within an organisation. This refers to complete internal integration where all aspects of organisational operations must be synchronised and co-aligned with the business goal of focusing on cost reduction and internal efficiency. It is suggested that SMEs that are able to integrate internally are more successful and employ skilled and knowledgeable staff.
■ Full integration with free information flow between suppliers, the organisation and customers. Final and full integration with free information flows enables the business goal of creating market value and competitive advantage by using the Internet technology to be achieved. It also enables supply chain integration and more effective insourcing and outsourcing. It is suggested that this stage is seen as an essential part of implementing an e-business strategy for an SME.
Pavic et al. summarise by saying that if SMEs are to create competitive advantage and e-customers, it is absolutely essential for them to have a sound and well-resourced integration plan of new technologies. However, as they also point out, the literature in this field consistently argues that effective adoption and implementation of IS may rely quite a lot on individual factors such as organisational size and structure, and the mix of available human and financial resources and capabilities. They also suggest that although SMEs are more flexible and more adaptable to change, they lack the human and financial resources and capabilities of large firms and, therefore, they face limitations in purchasing and implementing new systems. The challenge then for SMEs is to embed IS/IT technologies (including web-based systems) as soon as possible into their business model.
CASE STUDY 13.2
Next generation of clients forces pace of IT change By Jennifer Thompson
Any retail high street bank chief will tell you that IT investment and development is critical in maintaining loyalty in a fast-changing market. For example, it allows customers to check balances on mobile phones before making a purchase.
The picture in private banking, whose members compete on the strength of their brand and the personal services they provide, is more fragmented.
‘A big chunk of their offering is in the ‘white glove’ service,’ says Matthew Thomas, partner in investment management at KPMG, referring to the face-to-face advice offered by wealth managers that private banking customers know and trust, and typically work with for many years. ‘However, that’s not necessarily tracking what customers want.’
Doing nothing about this latest technological revolution is not an option. Where they once primarily catered to long-established ‘old money’ clients, many private banks have started to note the number of Generation Y clients in their 20s and 30s among the customers they have attracted over the past couple of years. These are young and digitally savvy individuals, some of them technology entrepreneurs.
‘The new generation of private banking customers has grown in a different way,’ says Nicolas Debaig, head of strategy and business development at ABN Amro private banking. ‘They have different expectations.’
The sector has mainly regarded technology as a cost and a support function, not as a means of competing. Such attitudes are changing.
‘People are the mainstay but IT is now playing a more and more important role,’ adds Mr Thomas.
Technology investment offers an opportunity for individual banks to shine in customer service as well as risk management.
‘For a while, technology has been a big deal for private bankers and potentially a key differentiator,’ says Ralf Dreischmeier, global leader of the information technology practice at Boston Consulting Group.
Better technology can assist wealth managers with risk and compliance by recording how they interact with clients and documenting agreements or discussions about risk appetite or investment exposure. Investing in platforms and software could help smaller banks scale up quickly if they add a significant number of clients.
The costs of investment are typically in the range of at least tens of millions of pounds or dollars, unproblematic sums for big private banks. Barclays, for instance, has dedicated about two-thirds of Project Gamma, a £350m investment programme in its wealth and investment management business, to IT. One innovation was the launch last year of voice recognition technology in its telephone banking services, a move aimed at personalising the service and reducing call times that have been lengthened by standard security checks.
‘We’re trying to use technology to get some of the awkward modern realities out of the way,’ says Matt Smallman, vice-president in charge of the client experience at Barclays.
Meanwhile, ABN Amro has concentrated on developing technology around its core systems relating to customer relationship and portfolio management, developing an online tool that allows clients to see the exposure of their portfolio.
Can smaller banks compete? Some insiders wryly note that at least they are not burdened by legacy IT systems that can wreak havoc in the event of glitches.
Many analysts regard outsourcing, or small groups sharing an IT platform with other businesses or alongside a bigger bank, as the only economically feasible route for such organisations.
‘When it comes to efficiency in the back office, that is almost the only way they can compete,’ argues Mr Dreischmeier.
Others suggest they could make their online offering stand out with distinctive apps, which cost thousands of pounds to develop rather than millions, and can be used to tailor the customers’ experience to their individual needs.
One small business that has developed its own system is Weatherbys Bank, which grew out of a seventh-generation family-owned firm dedicated to horseracing services. It was granted a bank licence in 1994 and has had no trouble developing its own IT platform, thanks to its unusual heritage. This meant it had a pre-existing IT business to manage a database of the pedigree of foals born in the UK and Ireland.
Even for those who currently find themselves ahead in the technology stakes, continuing innovation and investment are essential. ‘You need to update,’ says Roger Weatherby, chief executive of the bank that bears his name. ‘There’s always something to add to.’
Source: Thompson, J. (2013) Next generation of clients forces pace of IT change. Financial Times. 7 May. © The Financial Times Limited 2013. All Rights Reserved.
QUESTION
What does the case study show about the strategic role of IT?
SUMMARY
1. Business strategy will embrace business decisions, the broad objectives and direction of the organisation and how it might cope with change – in other words, where the business is going and why. IS has an impact on this and provides potential for competitive advantage.
2. A company needs an information systems strategy that is rooted in business needs, meets the demand for information to support business processes and provides applications for key functional areas of the business.
3. If an organisation does not have a clear picture of what its strategy is, it is difficult to see how the right information systems can be put in place. In turn, if the information needs are unclear, it is difficult to see how the right technology can be put in place to satisfy those needs.
4. Since business strategies have the potential to be subjected to sudden and unpredictable change (or even evolutionary change), the IS and IT strategies that are needed to support changing business strategies must themselves be capable of adaptation and change if they are to continue to reflect the existing business strategy at any time. In reality, IS strategy must be embedded in an organisation’s business strategy and be a fundamental part of it. Separation between the two is likely to result in a suboptimal solution, with organisations failing to gain the full benefits that information systems and the technology associated with them can bring.
EXERCISES
Self-assessment exercises
1. How do strategic systems differ from high-potential projects?
2. Why do information systems projects fail?
3. Explain the difference between project size and project complexity when evaluating information systems risk.
4. Why might the mechanistic approach to strategy formulation be considered inadequate?
5. How might Porter’s five forces model be helpful in determining information systems requirements?
6. Explain how a fast-food restaurant may use Porter’s value chain analysis to help determine its information system needs.
7. How might Nolan’s stage model be useful to an organisation that is struggling with spiralling IS costs?
8. Identify three critical success factors for the maternity department of a busy hospital. How do those CSFs translate into key decisions and then information requirements?
Discussion questions
1. ‘The millennium bug has demonstrated that organisations, more often than not, take a short-term view in their approach to information systems rather than a strategic one.’ Discuss.
2. ‘The barriers relating to the relationship between business and IS/IT strategies mean that successful alignment is likely to be the exception rather than the rule.’ Discuss.
Essay questions
1. Top-down and bottom-up approaches to formulating information systems strategy are fine as far as they go. However, is there a case for a more eclectic or selective approach to the strategy formulation process?
2. Evaluate the importance of information systems knowledge amongst senior business managers in achieving successful alignment of business and IS/IT strategies.
Examination questions
1. Explain the concept of Porter’s value chain and how it can be used to identify a company’s information needs.
2. How can McFarlan’s strategic grid be used to define an information systems strategy for a company?
3. Explain the difference between a business-impacting and a business-aligning approach to a company’s IS strategy. Give examples of strategy tools that can help support each method.
4. Using the potential business applications of the Internet, show how Porter’s five forces model can help identify opportunities for deploying information systems.
References
Cash, J., McKenney, J. and McFarlan, F.W. (1992) Corporate Information Systems Management, 3rd edition, Irwin, Homewood, IL.
Ciborra, C. and Jelassi, T. (1994) Strategic Information Systems: A European Perspective, John Wiley, Chichester.
Galliers, R.D. and Sutherland, A.R. (1991) ‘Information systems management and strategy management and formulation: the stages of growth model revisited’, Journal of Information Systems, 1, 2, 89–114.
Johnson, G., Scholes, K. and Whittington, R. (2011) Exploring Strategy, 9th edition, Prentice Hall Europe, Hemel Hempstead.
Kaplan, R.S. and Norton, D.P. (1993) ‘Putting the balanced scorecard to work’, Harvard Business Review, Sep–Oct, 134–42.
Licker, P.S. (1997) Management Information Systems: A Strategic Leadership Approach, Dryden Press, London.
Mintzberg, H. (1990) ‘The design school: reconsidering the basic premises of strategic management’, Strategic Management Journal, 11, 171–95.
Nolan, R. (1979) ‘Managing the crisis in data processing’, Harvard Business Review, Mar–Apr, 115–26.
Olve, N., Roy, J. and Wetter, M. (2000) Performance Drivers. A Practical Guide to Using the Balanced Scorecard, John Wiley, Chichester.
Pavic, S., Koh, S.C.L., Simpson, M. and Padmore, J. (2007) ‘Could e-business create a competitive advantage in UK SMEs?’, Benchmarking: An International Journal, 14, 3, 320–51.
Porter, M.E. (2004) Competitive Strategy, Free Press, New York.
Porter, M.E. and Millar, V.E. (1985) ‘How information gives you competitive advantage’, Harvard Business Review, July/August, 149–60.
Thong, J.Y.L. (1999) ‘An integrated model of information systems adoption in small businesses’, Journal of Management Information Systems, Spring, 15, 4, 187.
Thoburn, J.G., Arunachalam, S. and Gunasekaran, A. (1999) ‘Difficulties arising from dysfunctional information systems in manufacturing SMEs – case studies’, International Journal of Agile Management Systems, 1, 2, 116–26.
Ward, J. and Peppard, J. (2002) Strategic Planning for Information Systems, 3rd edition, John Wiley, Chichester.
Weill, P. and Broadbent, M. (1998) Leveraging the New Infrastructure: How Market Leaders Capitalize on Information, Harvard Business School Press, Boston.
Willcocks, L. and Plant, R. (2000) ‘Business Internet strategy – moving to the Net’, in L. Willcocks and C. Sauer (eds) Moving to E-Business, Random House, London, pp. 19–46.
Further reading
Curtis, G. and Cobham, D. (2008) Business Information Systems: Analysis, Design and Practice, 6th edition, Addison-Wesley, Harlow.
Johnson, G., Scholes, K. and Whittington, R. (2011) Exploring Corporate Strategy, 9th edition, Prentice Hall Europe, Hemel Hempstead.
Kearns, G.S. and Sabherwal, R. (2007) ‘Strategic alignment between business and information technology: a knowledge-based view of behaviors, outcome, and consequences’, Journal of Management Information Systems, Winter 2006–7, 23, 3, 129–62.
Kendall, K.E. and Kendall, J.E. (2013) Systems Analysis and Design, 9th edition, Prentice-Hall, Englewood Cliffs, NJ.
Lynch, R. (2006) Corporate Strategy, 4th edition, Financial Times Prentice Hall, Harlow.
Smith, P.R. and Zook, Z. (2011) Marketing Communications: Integrating Offline and Online with Social Media, 5th edition, Kogan Page, London.
Ward, J. and Peppard, J. (2012) Strategic Planning for Information Systems, 4th edition, John Wiley, Chichester. This book provides an excellent review of current thinking on IS strategy.
Web links
www.outsourcing.com Outsourcing Institute web site.
CHAPTER 14
Information systems management
LEARNING OUTCOMES
After reading this chapter, you will be able to:
■ evaluate the relationship between IS spending and business benefits;
■ evaluate location alternatives for an organisation’s IS function;
■ assess the arguments for and against outsourcing;
■ apply IS governance concepts to the management of an organisation’s IS function.
MANAGEMENT ISSUES
Annual investment in BIS is significant for many companies. But what return do organisations receive for this investment? To achieve more effective investment, a well-planned BIS strategy is required that supports the corporate goals. In this chapter we aim to answer the questions a newly installed manager seeking to develop an IS strategy would ask:
■ How can we ensure that our proposed IS/IT solutions will deliver value for money?
■ What are the main considerations when deciding where to locate the management of the IS/IT function within the organisation?
■ How can we determine the extent to which IS/IT services should be outsourced?
■ What management tools and techniques exist to help us manage the IS/IT portfolio effectively?
CHAPTER AT A GLANCE
MAIN TOPICS
■ Information systems investment appraisal 508
■ Determining investment levels for information systems in an organisation 509
■ Locating the information systems management function 512
■ Outsourcing 515
■ Beyond strategic information systems – the importance of IS capability 524
■ Pulling it together: IT governance and COBIT 527
FOCUS ON . . .
■ IT infrastructure flexibility 526
CASE STUDIES
14.1 Outsourcing: beware false economies 522
14.2 IT trends shape future corporate strategies 532
INTRODUCTION
Earlier (in Chapter 13), we explored a number of tools and issues relating to the development of IS/IT strategies and their integration with an overall business strategy. This chapter explores a range of issues relating to the management of information systems within an organisation including investment appraisal, outsourcing and the organisation and implementation of the IS/IT management function within an organisation. By combining effective IS/IT strategies with effective implementation and management, it will then become more likely that an organisation will have IS/IT solutions that provide significant business benefits rather than ones which act as a drain on the organisation.
There has been considerable discussion in academic journals regarding both ‘information systems value’ and ‘evaluating IS/IT investments’. While the former relates more closely to the ‘productivity paradox’ mentioned above, the latter deals more with the analysis of how organisations can identify and evaluate IS/IT investments and their associated benefits. Lubbe and Remenyi (1999) in their analysis of the management of IS/IT evaluation identified seven benefit objectives that provide a stimulus to organisational IS/ IT investment. In descending order of significance these are:
■ productivity; ■ new opportunities; ■ change; ■ competitive advantage; ■ contribution to organization; ■ increased turnover; ■ reduced risk.
Coupled with these factors, Lubbe and Remenyi also identified seven IS/IT investment drivers that will help determine the organisation’s response to the IS/IT investment opportunity. In descending order of importance, these are:
■ organisational strategy; ■ management decisions; ■ interfacing (of systems); ■ quality of service; ■ evaluation of IS/IT (tangible and intangible benefits); ■ business modelling (improving business processes); ■ budgets.
Given that there is a range of drivers that affect the IS/IT investment process and that both tangible and intangible benefits will be generated as a result of the IS/IT investment, a range of techniques can be employed to assess tangible benefits (typically through financial measures) and intangible benefits (using qualitative methods). Indeed, the existence of both financial and non-financial approaches to IS/IT investment appraisal could give us some clue as to why the so-called productivity paradox may appear to exist. In other words, there may not be a financial payback in the short or even medium term, but the very fact that business benefits (such as improved customer service) are perceived to come from
INFORMATION SYSTEMS INVESTMENT APPRAISAL
M14_BOCI6455_05_SE_C14.indd 508 30/09/14 7:26 AM
509ChaPter 14 INFORMATION SYSTEMS MANAGEMENT
Earlier (in Chapter 8) we described the assessment of costs at the initiation phase of a single information systems project. In this chapter, we consider at an organisational level the amount of investment that should occur in information systems.
Managers in many organisations are concerned with the level of investment in information systems and whether they are getting value for money from that investment. One of the difficulties with measuring this is that while costs tend to be tangible in nature, benefits are often more difficult to quantify.
DETERMINING INVESTMENT LEVELS FOR INFORMATION SYSTEMS IN AN ORGANISATION
particular investments that have been assessed from a qualitative perspective, would lend some credence to the ‘time lag’ explanation of the paradox.
Financial approaches to information systems investment appraisal have already been covered earlier (in Chapter 8).
How much an organisation will spend on IS will depend both on the size of the organisation and on the nature of its business operations. Spending as a proportion of turnover will also vary over time, depending on the maturity of an organisation’s systems and on the organisation itself. There is a tendency for the proportion of spending on IS to increase as organisations mature and have to maintain legacy systems. Regardless of any of these considerations, the task facing senior managers remains the same: can we be sure that investment in IS will deliver more benefit than the costs incurred?
Investment levels
As described earlier (in Chapter 8), costs can be both tangible and intangible. As you would expect, tangible costs are more easily identified than intangible ones. Hochstrasser and Griffiths (1990) produced a checklist which can help organisations identify, quantify and evaluate information system costs. The main cost elements include:
■ hardware costs; ■ software costs; ■ installation costs; ■ environmental costs; ■ running costs; ■ maintenance costs; ■ security costs; ■ networking costs; ■ training costs; ■ wider organisational costs.
Since every information system that is acquired incurs operational and maintenance costs, IS expenditure will always be split between development costs and operational and maintenance costs.
Information systems costs
Information system benefits
While information systems costs are relatively easy to identify, the benefits that accrue from IS investment are harder to quantify. This is because benefits are often intangible in nature and, therefore, harder to ascribe a financial value to. Broadly speaking, benefits from IS investment result from the capability of the organisation to do things that it could not do or did not do very well before. This must be supported by information of good quality, as defined in Chapter 2. This will include:
■ Information relevance – is the information being provided relevant to the business decisions being made?
■ Is accurate information available on which business decisions can be made?
■ Speed of information delivery – does information reach the decision makers when they need it?
■ The functionality of the IS to support decision making – will the system do what we want it to do?
■ The reliability of the IS – can we rely on the system to give us the information we want when we want it?
If the above questions can be answered positively, then the investment in IS is providing benefits to the organisation and, therefore, allows it to do things that it could not do before.
In making an IS investment decision, the value that accrues from the above elements must be measured in some way. However, as noted above, value from IS investment can often be intangible in nature and, therefore, harder to measure. Such items of intangible benefit include:
■ improved customer service;
■ gaining competitive advantage and avoiding competitive disadvantage;
■ support for core business functions;
■ improved management information;
■ improved product quality;
■ improved internal and external communication;
■ impact on the business through innovation;
■ job enhancement for employees.
Each of these elements has a level of difficulty attached when we attempt to determine the value of the benefit. For example, impact on the business through innovation is very hard to measure quantitatively, while the benefit of improved product quality may be easier to measure.
IS investment – balancing costs and benefits
We can deduce from the above discussion that the more accurately we can identify the contribution of IS towards the value of business gain, the more accurately we can identify the value accruing from IS investments. It follows from this that in order to assess the value of future investments in IS, we must come up with a framework that allows us to weigh up the relative costs and benefits and so enables us to make properly considered IS investment decisions.
There are a number of approaches that attempt to evaluate IS investment decisions. In essence, a proposed or ongoing investment should proceed if the benefits from the investment outweigh the costs incurred. However, as Robson (1997) indicates, one of the main difficulties is the intangible benefits, which can amount to at least 30 per cent of all benefits obtained. In addition, even if a benefit can be quantified (e.g. a new system speeds up customer response to queries from an average of 10 minutes to 10 seconds), it is not always easy to put a monetary value on it. This leads to a division in approaches between those that concentrate purely on financial measures and those that attempt a non-monetary evaluation.
Earlier (in Chapter 8) we considered the basis of investment decisions taken at the feasibility assessment stage of the initiation of an individual project. It is the role of the IS manager to ensure that individual IS project decisions are consistent with the company’s overall IS strategy.
Financial justification methods look at the relationship between the monetary costs of IS investment and the monetary benefits that might be obtained from it. There are a number of techniques that can be used, including:
■ return on investment (ROI);
■ discounted cashflow (DCF), such as net present value (NPV) and internal rate of return (IRR);
■ payback period.
These are described in more detail elsewhere (in Chapter 8), which also reviews how they are applied to a proposal for an individual system.
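As an added worked example (not from the textbook, and not the method of any of the authors cited), the following Python computes the four financial measures just listed for a constructed IS project cash flow. The outlay of 100,000, the net annual benefits of 30,000 over five years and the 10 per cent discount rate are all assumptions chosen for illustration; real appraisals would draw the figures from the cost checklist and benefit analysis described above.

```python
"""Financial appraisal of an IS investment: ROI, NPV, IRR and payback period.

Added worked example; the figures below are constructed for illustration.
Cash flow convention: index 0 is the initial outlay (negative), index t>0 is
the net benefit (benefits minus running costs) received at the end of year t.
"""
from typing import List, Optional, Dict

# Constructed sample: 100,000 spent now, 30,000 net benefit per year for 5 years.
SAMPLE_CASH_FLOWS: List[float] = [-100_000, 30_000, 30_000, 30_000, 30_000, 30_000]
DISCOUNT_RATE = 0.10  # assumed cost of capital, 10 per cent per year


def roi(cash_flows: List[float]) -> float:
    """Simple (undiscounted) return on investment: net gain / initial outlay."""
    outlay = -cash_flows[0]
    gain = sum(cash_flows[1:]) - outlay
    return gain / outlay


def npv(rate: float, cash_flows: List[float]) -> float:
    """Net present value: each year's flow discounted at `rate` per year."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: List[float], lo: float = 0.0, hi: float = 10.0,
        tol: float = 1e-7) -> Optional[float]:
    """Internal rate of return: the non-negative rate at which NPV is zero.

    Found by bisection on [lo, hi]. Returns None when NPV does not change sign
    on that interval, i.e. the project never earns a non-negative return.
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def payback_period(cash_flows: List[float]) -> Optional[float]:
    """Years until cumulative (undiscounted) cash flow is no longer negative.

    Interpolates linearly within the recovery year; None if never recovered.
    """
    cumulative = cash_flows[0]
    for year in range(1, len(cash_flows)):
        previous = cumulative
        cumulative += cash_flows[year]
        if cumulative >= 0:
            # fraction of this year needed to cover the remaining shortfall
            return (year - 1) + (-previous / cash_flows[year])
    return None


def appraise(cash_flows: List[float], rate: float) -> Dict[str, Optional[float]]:
    """Collect all four measures so a proposal can be compared against others."""
    return {
        "roi": roi(cash_flows),
        "npv": npv(rate, cash_flows),
        "irr": irr(cash_flows),
        "payback_years": payback_period(cash_flows),
    }


if __name__ == "__main__":
    for name, value in appraise(SAMPLE_CASH_FLOWS, DISCOUNT_RATE).items():
        print(f"{name:>14}: {value:,.4f}" if value is not None else f"{name:>14}: n/a")
```

For the sample flows the ROI is 50 per cent, the payback is about 3.33 years, the NPV at 10 per cent is roughly 13,700 (positive, so the project passes a DCF test at that cost of capital) and the IRR is about 15.2 per cent. A project whose inflows never cover the outlay returns None for both IRR and payback, which is the signal to reject it on financial grounds before any qualitative assessment.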
Risk assessment methods, on the other hand, look at a number of factors other than those related to pure financial return. Such considerations include:
■ the benefits that are designed to accrue from investment in different categories of IS;
■ the reasons that systems fail;
■ categories of risk and their likely impact on systems success.
Information systems fail when they do not deliver the benefits they were intended to achieve. Clearly, the greater the investment in IS, the greater the impact of a failed project, especially as that investment could have been made in another part of the business (e.g. investment in additional plant, people or equipment) with much greater effect.
We will now look at an alternative approach for prioritising investment in IS.
Investment categories of the IS applications portfolio
Sullivan (1985) identified four investment categories for information systems that provide a framework within which the strategic value of the investment to the company can be placed. It is useful to identify in which category a new system lies within the IS portfolio, in order to assess its importance and allocate resources to it accordingly. The investment categories are:
1. Strategic systems. These are designed to bring about innovation and change in the conduct of business and so bring about a competitive edge. Business processes may need to be designed and relationships with customers and suppliers changed. Risk occurs because of the level of uncertainty associated with these kinds of systems (we are dealing with unstructured decision making, the results of which are often hard to quantify).
2. Key operational systems. Existing processes are rationalised, integrated or reorganised in order to carry out the activities of business more effectively. The risk occurs in the complexity of the systems in this category and the need to integrate them with other systems (externally as well as internally).
3. Support systems. Such systems support well-structured, stable and well-understood business processes (i.e. decisions are usually made in a climate of relatively high business certainty). Benefits derive either from eliminating unnecessary processes or from automating regular and routine procedures. In either case, the aim is to reduce cost and raise efficiency. The risks occur in selecting the right kind of software (often packaged) and implementing it effectively to gain the benefits.
4. High-potential projects. These are of research and development orientation and may have the capacity to deliver significant business benefits in the future. They are usually high-risk projects (in the sense that they may not deliver anything at all) and the main business risk lies in committing too much money to the project (i.e. the attitude that if we invest more, we must realise some benefits!).
The challenge for the organisation is to channel investment into the areas that are likely to yield the highest level of potential benefit at the lowest level of acceptable risk.
Risk factors
These have been summarised by Ward and Peppard (2002). They should be considered at the start of a project to attempt to reduce the risk of project failure. Risk management is described in more detail elsewhere (in Chapter 8).
LOCATING THE INFORMATION SYSTEMS MANAGEMENT FUNCTION
There are two basic approaches to locating the information system function in an organisation that operates at more than one location. These are the centralisation of all IS services at one office (usually the head office) and decentralisation. It is unusual for a company to choose one extreme or the other; typically, the approach will vary for the different types of services. The approach chosen is significant, since it will have a direct correspondence to the quality of service available to the end-user departments and the cost of providing this service.
What needs to be managed?
It is useful to make a distinction between information systems and information technology. As has been stated before, we can view IT as the infrastructure and an enabler, while information systems give a business the applications that produce the information for decision-making purposes. IS cannot exist without the IT to support them, but IT on its own does not of itself confer any business benefits.
For information technology the following must be managed:
■ Hardware platforms. These need to be selected and supported (for example, it may be decided only to operate a client/server environment using Unix workstations).
■ Network architectures. An organisation currently operating a mixture of AS/400 computers and PCs may wish to focus on a particular network architecture for the PCs in order to facilitate easier integration with the AS/400 systems.
■ Development tools. It may be desirable to adopt tools that permit more rapid development of new information systems. Such tools will need to be able to run on the selected hardware platform and also be compatible with chosen database management systems.
■ Legacy systems. These systems may run on old hardware platforms and be difficult to integrate with planned systems development. While strictly an IS issue rather than an IT one, it may still be necessary in the short-to-medium term to provide the necessary IT support to allow these systems to continue to operate.
■ Operations management. This covers a number of areas, including hardware management, capacity planning, security (backups, access control, error detection, archiving), technical support (for hardware and systems software), telecommunications and network management.
The areas that relate to information systems management are:
■ Business systems development. Applications development falls into two broad categories: those applications that deal with corporate data and those that are departmental or personal in nature.
■ Migration and conversion strategy. While strictly being part of the systems development process, migration from one system to another involves specialists from both IS/IT and functional business areas. For corporate information systems, many functional areas may be involved.
■ Database administration. Today’s information systems depend very much on database management systems (such as DB2, Oracle, Informix and Access).
■ User support and training. All applications software users require support at some point. The objective is to get the right support to the right people at the right time.
■ End-user application development. This is becoming increasingly popular, especially in medium-to-large organisations. Such development will not only require support (e.g. advice on appropriate development tools) but will require explicit management to ensure that wheels are not being re-invented and bug-ridden software not being produced.
■ Shared services. Recent innovations such as e-mail and collaborative work systems have both local and corporate application. The objective should be to maximise local flexibility while at the same time ensuring that organisation-wide standards are adhered to (the same could be said of end-user development).
■ IS/IT staffing. While this is more of a human resources issue than an IT one, it is, nevertheless, important to stress that for an IT strategy to be implemented, there need to be staff with expertise in hardware, communications, systems software and development software. Naturally, for a small business this expertise will be limited.
This analysis indicates that there are some aspects of IS/IT that need central control and management, but at the same time there are local needs that have to be addressed within individual functional areas of the business. Therefore, we should now move from what needs to be managed to where IS/IT needs to be managed and the factors that influence this.
Structuring information systems management
In a large company with several sites, IS/IT management must be organised and located in such a way as to ensure full integration of business and IS/IT strategies, as well as full support for the IS/IT needs of each functional area of the business.
Questions that should be asked when ascertaining the best approach include:
■ Is information systems management (ISM) in tune with corporate strategy? Structures need to exist in such a way that an organisation’s information systems strategy is fully embedded within its business strategy. This means that mechanisms must exist that embrace all functional areas of the business as well as the most senior management.
■ Is ISM in tune with organisational shape? A heavily centralised approach to managing all aspects of IS/IT may conflict with a geographically dispersed organisation, or with one where individual functional areas enjoy a high degree of local autonomy.
■ Is the focus of ISM inward-looking on managing technology? If this is the case, it suggests that IS/IT is operating mainly in a support capacity rather than a strategic one. An alternative, less palatable explanation is that the IS/IT department is rooted in the past and does not see IS/IT as being an integral part of business strategy.
■ Is the focus of ISM outward-looking on helping the business plan the best use of technology? A positive answer to this question indicates a modern approach to IS/IT management. One can look at all aspects of IS/IT, from getting the best management information from existing transaction processing systems to implementing a company-wide communications strategy to enable business processes to be re-engineered and facilitate better links to customers and suppliers.
There are a number of additional factors that will influence the structuring of information systems management. An organisation that operates in a single geographic location will have different needs from one that is spread over many sites (perhaps over many countries). Similarly, a business that has a diverse range of products and business operations may need an ISM different from that of a single-product company. If a large organisation has a number of discrete strategic business units, it may be appropriate to treat each distinct SBU as a separate entity in its own right for ISM purposes.
One must also not ignore the impact of organisational culture and management style on ISM structure. An organisation that has a decentralised management philosophy may find it easier to decentralise certain ISM functions than one that is highly centralised.
There are two approaches to IS/IT management. The centralised approach will concentrate all aspects of IS/IT management at a single point within the organisation, such as the data processing or management information systems (MIS) department. An MIS department may either report into a single functional business area (traditionally, the accounting department has been a popular choice) or it may report directly at board level. The modern trend is for MIS managers or chief information officers (CIOs) to report directly at board level in the same way as heads of functional areas such as HRM, sales and finance.
The decentralised approach recognises that some aspects of IS/IT management are best located close to the point of use. If any degree of decentralisation exists, the inference is that there will be staff located within the parts of the organisation that enjoy a degree of local autonomy. In some cases, the staff will be IS/IT professionals who might otherwise be located in a more centralised structure.
Alternatively, there may be ‘hybrid’ personnel who have both functional area expertise and good IS/IT skills. Aspects of IS/IT that lend themselves well to a degree of decentralisation are the development of end-user applications, use of report generators with corporate data as the main input, and information systems in functional areas that carry out discrete activities not connected with primary business functions (such as plant maintenance or HRM systems).
For centralised and decentralised approaches there are advantages. With the centralised approach, it is suggested that it is possible to:
■ achieve and control consistent IS/IT strategy without having to worry about what individual functional business areas are doing;
■ coordinate IS/IT activities more easily;
■ implement simpler control systems, since it will not be necessary to monitor the quality of the distributed IS/IT activities;
■ allocate resources more efficiently, using the benefit of economies of scale and eliminating the risk of similar applications being developed in different parts of the organisation;
■ achieve speedier strategic decision making because of fewer parties being involved.
Supporters of the decentralised approach also claim a number of advantages:
■ The presence of IS/IT expertise at a functional level allows for a rapid response to local problems without the competition for resources that exists with the centralised approach.
■ Where local decisions can be made about IS/IT that directly affects that area, improved motivation and commitment among staff to their information systems is likely.
■ The cumbersome overhead associated with purely centralised systems is reduced.
Decentralised IS management
Management of some IS services in individual operating companies or at regional offices, but with some centralised control.
Centralised IS management
The control of all IS services from a central location, typically in a company head office or data centre.
The decentralised approach also has a number of problems associated with it:
■ Where responsibilities are split (e.g. between operational and strategic matters), they need to be very carefully defined if matters are not to be forgotten.
■ Central management may become frustrated by what it perceives as an idiosyncratic approach being adopted within the functional business areas (and vice versa).
■ Split responsibilities may result in complicated control procedures which make decision making more difficult and time-consuming.
No one location will be correct for all organisations. Indeed, as an organisation moves towards the maturity stage, it will evolve different locations for different areas of information systems management.
For those who get the balance right between centralised and decentralised services, they can expect to enjoy:
■ rapid information systems development;
■ harmonious IS and business relationships;
■ an IS service that is tailored for the user community;
■ a cost-effective IS/IT function;
■ development of technology infrastructures that support the required information systems;
■ business success through successfully implemented IS/IT strategies;
■ adoption of appropriate IS strategies;
■ effective change management processes;
■ encouragement of end-user computing where appropriate;
■ accurate assessment of IS/IT costs and benefits, thus ensuring value for money from IS/IT investments.
On the other hand, those organisations that fail can expect:
■ continual conflict between functional business areas and the IS/IT function;
■ continual complaints about information systems management as a whole;
■ business decline or inefficient service provision;
■ lack of interest in information systems by non-IS/IT personnel;
■ skills problems – either shortages in certain areas or wasteful duplication;
■ high staff turnover;
■ gaps and overlaps in the provision of IS/IT services.
Activity 14.1 Location of the IS function at Security Services Limited (SSL)
This is an additional case study on the companion web site. You should suggest an appropriate strategy for SSL, which is distributed over several sites in the UK.
OUTSOURCING
Outsourcing occurs when a function of a company that was traditionally conducted internally by company staff is instead completed by a third party. The main reasons for doing this are usually cost reduction and to enable focus on the core business. Functions that are commonly outsourced include catering, cleaning, public relations and information systems.
Information systems outsourcing
All or part of the information systems services of a company are subcontracted to a third party.
Outsourcing is a major trend in the development and management of information systems. Major public and private organisations in the UK such as the Inland Revenue and Rolls-Royce have outsourced their IS management to Electronic Data Systems (EDS).
Types of outsourcing
There are different degrees of outsourcing, varying from total outsourcing to partial management of services. It is best to consider the types of outsourcing services offered rather than specifics such as facilities management and time sharing, which are open to different interpretations. The main categories of services that can be managed include:
1. Hardware outsourcing. This may involve renting time on a high-capacity mainframe computer. Effectively, the company is sharing the expense of purchasing and maintaining the network with other companies that are also signed up to an outsourcing contract. This arrangement is sometimes known as a time-sharing contract.
2. Network management. Network management may also be involved when managing hardware: here a third party is responsible for maintaining the network. This is often referred to as facilities management (FM), and may also include management of PC and server hardware.
3. Outsourcing systems development. When specialised programs are required by a business, it is necessary either to develop bespoke software or to modify existing systems. This is also a significant outsourcing activity. When EDS undertook its contract with the Inland Revenue in the UK, one of its main tasks was to write the software to deal with changes to the way in which tax forms were submitted.
4. IS support. A company help desk can be outsourced to a third party. This could cover answering queries about operating systems, office applications or specific company applications. It could also include fixing problems, in which case an on-site presence would be required. Microsoft outsources much of its support for Windows 95 and 98 to third parties such as Digital.
5. Management of IS strategy. Determining and executing the information systems strategy is less common than the other types of outsourcing outlined above, because many companies want to retain this control. A great deal of trust will be placed in the outsourcing partner in this arrangement and it is most common in a total outsourcing contract.
6. Total outsourcing. An example of total outsourcing is the 1996 agreement between Thorn Europe and IBM Global Services. This five-year contract involves IBM taking over all IT operations on hardware from five different vendors, managing 90 staff and defining and implementing the IT strategy as well.
Time sharing
The processing and storage capacity of a mainframe computer is rented to several companies using a leasing arrangement.
Facilities management (FM)
The management of a range of IT services by an outsourcing provider. These commonly include network management and associated software and hardware.
Mini case study: Customers admit blame for outsourcing failures
Many businesses accept that poor management on their part and unrealistic expectations are largely to blame for failed IT outsourcing deals, according to a new report released today by sourcing advisory firm TPI. Meanwhile, a separate study has concluded that the potential for significant savings through outsourcing is expected to fuel growth in the offshoring market for the next 20 years at least. The TPI report, which is based on responses from 40 large firms undertaking outsourcing projects, found that almost a third admitted to placing more emphasis on setting up an outsourcing contract than they did on managing it. Over half also said that their own ‘unrealistic’ expectations were a major barrier to the success of the project. ‘Contrary to popular belief, many companies blame themselves at least as much as the service providers for their own dissatisfaction with outsourcing relationships’, said Stuart Harris, partner at TPI. ‘Moreover, problems encountered with outsourcing contracts prior to renegotiations often stem from a lack of clarity between the client and the service provider about the scope of the services to be provided – not the quality of the services themselves.’ Harris said the fact that only 18 percent of respondents had looked to replace their incumbent supplier during contract renegotiations suggested that most customers understood that relationships with outsourcers could change over time. ‘Most clients conclude that the industry’s service providers are generally adept at delivering on contractual commitments, and that courses of remedy must necessarily involve changes to service management and governance processes in the first instance’, explained Harris. The report will prove reassuring to outsourcing providers, many of whom have been roundly blamed for the high proportion of IT outsourcing projects that are deemed to have failed. However, it also suggests that some outsourcers may be exploiting customers’ weak outsourcing management skills, with almost a third of respondents claiming their bargaining position had weakened during the renegotiation process compared with when the original deal was signed. Worryingly for the outsourcing sector, the report also found that best practice outsourcing management techniques are still not widespread. Almost half of respondents said they had no formal governance structure, while over a third fail to hold regular meetings for monitoring outsourcing deals.
The findings are particularly concerning in the wake of a recent study from management consultancy AT Kearney that predicts offshore outsourcing sites such as India and China will retain their cost advantage for another 20 years, despite wage inflation. Paul Laudicina, managing office of AT Kearney, said that the report also revealed that while salaries in offshore locations are climbing, the quality and stability of their services are also improving. ‘These findings reinforce the message that corporations making global location decisions should focus less on short-term cost considerations, and more on long-term projections of talent supply and operating conditions’, he said. The report also identified Indonesia, Malaysia, the Philippines, Singapore, Thailand and Vietnam, as the strongest challengers to India and China in the offshore outsourcing market.
Source: IT Week, 20 March 2007, www.computing.co.uk/itweek/news/2185966/customers-admit-blame
Why do companies outsource?
The main reasons for IS outsourcing are to achieve the following:
■ Cost reduction. An outsourcing vendor can share its assets, such as mainframes and staff, between different companies and achieve economies of scale. It is also argued by outsourcing vendors that lower costs are achieved since they are in a contractual relationship, unlike most internal providers of IT services.
■ Quality improvements and customer satisfaction. Through outsourcing IS functions to a company that is expert in this field, it should be possible to deliver better-quality services to internal and external customers. Better quality could be in the form of systems that are more reliable and have appropriate features, a more reliable company network and better phone support.
■ Enables focus on core business. A company can concentrate its expertise on what it is familiar with, i.e. its market and customers, rather than being distracted by information systems development. This particular argument is weak in some industries such as the financial services sector where information systems are critical to operating in a particular market.
■ Reduce risk of project failure. Owing to the contract, there is more pressure on the supplier compared with internal developers to deliver a quality product on time, hence it is more likely to succeed.
■ Implementation of a strategic objective. To implement a strategic objective may involve considerable risk if it is undertaken internally or resources are not available. For example, in the mid-1990s many companies undertook outsourcing to ensure that the ‘millennium bug’ could be fixed by using a third party with the expertise to solve the problem. Similarly, in the mid-1990s many companies were undertaking business process re-engineering initiatives that often involved major changes to information systems.
Whether these benefits are achievable is currently the subject of a great deal of debate, with the detractors of outsourcing arguing that although costs may be reduced, the quality of the service will also decline. Since outsourcing is a relatively new phenomenon, it is not clear whether the promises are achieved, but the number of companies signing up to outsourcing contracts indicates that it is a major industry trend. Other problems that may occur are that IT staff are likely to be unhappy, as they are transferred to a third-party company with new contracts. To summarise this section, reasons given by companies as to why they use outsourcing are given in Table 14.1.
Table 14.1 Main reasons for outsourcing
Reason Percentage mentioning
Cost savings 57%
Improved quality of service 40%
Access to specialist expertise 37%
Increased flexibility 27%
Strategic business decision 21%
Free management time 19%
Lack of resources 11%
Improved financial control 8%
Reasons for outsourcing
The top 10 reasons companies outsource (in alphabetical order), according to The Outsourcing Institute:
1. Accelerate re-engineering benefits
2. Access to world-class capabilities
3. Cash infusion
4. Free resources for other purposes
5. Function difficult to manage or out of control
6. Improve company focus
7. Make capital funds available
8. Reduce operating costs
9. Reduce risk
10. Resources not available internally
Source: The Outsourcing Institute, © 1998 The Outsourcing Institute, Jericho, NY.
519 Chapter 14 INFORMATION SYSTEMS MANAGEMENT
Activity 14.2 Reasons for outsourcing
Examine Table 14.1 and assess which of the reasons for outsourcing would be important to the following:
1. Financial manager (chief finance officer).
2. Information systems manager.
3. Managing director.
4. Departmental manager in human resources, marketing or production.
Problems of outsourcing
Strassmann (2002) checked on some of the largest recent multi-year contracts for firms that outsourced more than half their computing resources. An analysis of detailed financial information from 1996 to 2000 that was available for eight firms revealed that each of them had delivered declining returns on (shareholder) equity (ROE), with the average ROE for the entire group declining from 18.2 per cent in 1996 to 2.5 per cent in 2000.
This observation raises an interesting question: is it the outsourcing of computing resources that is the cause of the decline, or is it a symptom of outsourcing being used by a business in trouble as an attempt to reduce costs?
Collins and Millen (1995) cite the following concerns over outsourcing:
■ loss of control of IS;
■ loss or degradation of internal IS services;
■ corporate security issues;
■ qualifications of outside personnel;
■ negative impact on employee morale.
In addition to these problems, case studies seem to suggest that the principal objective of undertaking outsourcing, cost reduction, may not be achieved in many cases. Cost reduction is usually thought to occur because of a reduction in the number of staff employed and savings on the cost of acquisition of hardware and software through discounts available through economies of scale.
Lacity and Hirschheim (1995), in their classic study of outsourcing, identify the following reasons for escalating costs:
■ not identifying present and future requirements fully, and leaving loopholes in the contract;
■ failing to identify the full costs and service levels of existing in-house operations, with the result that contracts turn out to cost more than originally anticipated because in-house calculations were too low;
■ change-of-character clauses prompting excess fees for any changes in service or functions;
■ software licence transfer clauses making customers responsible for fees;
■ fixed prices that soon exceed market prices because the cost of IT is decreasing;
■ fluctuations in data processing volumes not covered by fixed limits under the contract, and incurring significantly higher fees;
■ paying extra for services that the customer assumed were included in the fixed price, because of poor analysis beforehand of services provided by the in-house group leading to a limited fixed-price contract;
■ subsidising the vendor’s learning curve;
■ changes in technology: vendors offer services on existing platforms and subsequent moves into new technology often cost more than anticipated.
To avoid some of the problems outlined above, the design of the contract is critical to ensure that the supplier provides a full service. For network management this can be achieved through service-level agreements (SLAs) that specify minimum acceptable values for availability of the network, such as 99.8 per cent access, or give the maximum number of failures per month. It is more difficult to specify in a contract services to be provided for developing software. As a result of this, the costs of outsourced software development can spiral. Further details on defining contracts for information systems development are given later in this chapter.
Human factors and outsourcing
Outsourcing IS developments will have a direct impact on information systems staff and this needs to be managed. In the worst case staff may be made redundant, but in the majority of cases the outsourcing company will agree to employ existing IS staff while a core of IS staff remain with the company to manage the contract or functions that have not been outsourced. Redundancies tend not to occur, because this is part of the agreement between the company and the outsourcer to avoid resistance to change. Additionally, due to shortages of IS staff it is usually possible for the outsourcing company to redeploy staff if necessary.
Even if staff are not made redundant, transfer of staff will cause major disruption and often resentment. One main cause of this is that staff will be forced to sign a new contract when they transfer. While remuneration may be better, terms and conditions will change. For example, there may be no paid overtime, or staff may be asked to work elsewhere in the country on other outsourcing contracts. Positive aspects of outsourcing for staff may include:
■ improved rates of pay;
■ better training;
■ greater career opportunities for improving knowledge and promotion through working in a range of companies.
Making outsourcing work
The critical role of the contract in ensuring that an outsourcing initiative will work has already been mentioned. In addition to this, other factors must be incorporated. These include:
■ Outsourcing strategy must be consistent with the business and information management strategy.
■ Level of outsourcing should be appropriate to the business: selective outsourcing for most businesses or total outsourcing where information systems play a mainly supporting role.
■ A method of retaining control and leverage over the suppliers is necessary. This could include a shorter-term contract, a risk and reward contract, and not including strategic planning in the services to be outsourced.
■ Human factors involved in outsourcing must be considered in conjunction with the human resources department, particularly where staff may be displaced or made redundant.
■ If a company does not have previous experience of outsourcing, it may be valuable to get an independent specialist to assist in drawing up the outsourcing agreement.
■ Allocating time and using measurement systems to manage the outsourcing contract.
Feeny et al. (1995) have identified alternative scenarios to help an organisation decide whether to stay in-house or to outsource. These are summarised in Table 14.2.
The same authors cite the following statistics from the organisations they surveyed:
■ 80 per cent had considered outsourcing;
■ 47 per cent outsourced some or all of their information systems;
■ 70 per cent did not have a formal outsourcing policy in place;
■ only 43 per cent of organisations that had outsourced actually have an outsourcing policy;
■ few organisations approach outsourcing in a strategic manner.
These rather alarming statistics clearly show that more than half of those organisations that outsource some of their information systems provision do not have a formal outsourcing policy in place. Perhaps it is not surprising then, that Paul Strassmann (2002) has described outsourcing as a ‘game for losers’.
Table 14.2 Decision matrix for deciding which IS services stay in-house
Business characteristics Outsource Don’t outsource
Business positioning impact Low High
Links to business strategy Low High
Future business uncertainty Low High
Technological maturity High Low
Level of IT integration Low High
In-house v. market expertise Low High
In a review of outsourcing success factors, Gonzalez et al. (2005) summarise a number of success factors in the literature. The key success factors include:
■ Provider’s understanding of clients’ objectives – the client–provider relationship management should focus on the achievement of the clients’ aims; suppliers that have a good understanding and an interest in the outsourcing firm’s business will be better positioned to help define those goals essential for the middle- and long-term continuity of the outsourcing relationship.
■ Choosing the right provider – this can be key to the success or failure of the outsourcing agreement; therefore, prior to contract signature, a detailed evaluation and selection of potential vendors must be carried out and the provider must be chosen from a wide range of IT vendors in order to locate a potential outsourcing provider; an organisation should also investigate current outsourcing partnerships in the same sector as well as in related industries; factors such as the stability, quality and reputation of the provider should also be considered.
■ A clear idea of what is sought through outsourcing – an accurate definition of the project’s scope and specifications is a clear prerequisite for outsourcing success; if firms resort to outsourcing with only a vague idea of what they want to obtain from the vendor, unavoidable uncertainty relating both to technological aspects of the IS service and to the volume of needs that must be met will result; the solution, therefore, is to outsource only those activities that are clearly understood and for which a solid contract can be drawn up. It is also recommended to sign the contract for a length of time that allows the firm to monitor its business requirements, whilst the client firm must also make an effort to clarify the business objectives that will be reached through outsourcing.
■ Provider’s attention to clients’ specific problems – since each organisation is different, firms are advised against standard contracts and clients want to feel that the provider will take into account their special technological and business characteristics.
■ Frequent client–provider contacts – the literature suggests that these contacts make it possible to build working relationships, confidence, comfort and trust; ensure the provider’s extensive acclimatisation so that it understands the customer’s style, standards and culture; establish the good communication between client and vendor that is needed to make the outsourcing deal successful for everybody; and enable continuity by designing relationships that anticipate change as business conditions and technology evolve, thus requiring relationship structures and management mechanisms that ensure successful work with the outsourcing vendor over time.
■ A good-value-for-money relationship – since financial justification is seen as one of the top ten outsourcing success factors, outsourcing is likely to be successful when financial expectations such as the achievement of a cash infusion, cost reduction, production and transaction cost economies, financial slack or even tax advantages are covered.
■ Top management’s support and involvement – given that the involvement of the top management in IT-related decisions is largely the key determining factor for the good or bad performance of IS departments within organisations, senior management support is also crucial in the IT outsourcing process where both senior management and IT management involvement is required to conduct a rational outsourcing evaluation; by involving both in the outsourcing decision, financial, business and technical objectives can be defined, thus establishing the scope of the outsourcing evaluation, developing bid analysis criteria, and verification of the bid analysis, whilst the IT management ‘assumes the critical role of creating the detailed request for proposal, evaluating the legitimacy of vendor economies of scale, estimating the effects of price/performance improvements, and providing insights on emerging technologies that might affect the business’.
■ Proper contract structuring – if an organisation outsources its information systems, a written outsourcing contract is the only certain way to ensure that expectations will be realised – it is therefore essential to outsourcing success. Good outsourcing contracts must be as comprehensive as possible, defining all pertinent issues; they must discuss the obligations of each party, cost, duration, terms and conditions and must include clauses that refer to its evolution, reversibility, termination and penalisation. The contract can, therefore, ‘be viewed as a set of master terms and conditions, with details about the specific work required and the compensation for that work treated as additional components’.
CASE STUDY 14.1
Outsourcing: beware false economies
By Jane Bird
Letting a contractor deal with ‘your mess for less’ is the conventional attraction of outsourcing – customers save money by handing over their hardware, software, networking and even information technology staff to a third party.
Clients often say they want to outsource to focus on their core business, to improve flexibility or to access skilled staff, says Neville Howard, a partner in the technology integration team at Deloitte, the business advisers. ‘But I haven’t seen one yet that doesn’t want to save money on operating costs.’
Traditional IT outsourcing contracts last five, seven or even 10 years, and offer annual savings of about 20 per cent. Suppliers tend to lose money in the first year or two because of the investment required in taking over legacy systems.
Over the long term, they save by shedding staff, streamlining systems and achieving economies of scale. In recent years, this pricing model has become harder to achieve because of a shortage of capital to borrow.
Clients’ discomfort with the idea of their IT being handled at long distances has also made it more difficult for suppliers to cut costs by offshoring. The advent of cloud computing and software as a service, with their pay-as-you-go pricing, has also increased the financial pressure on outsourcing suppliers.
Many have made unrealistic promises to win contracts and then underinvested. ‘Service levels dip and customers become frustrated. We hear that again and again,’ says Mr Howard. Customers should be careful about driving a hard bargain, he says, because what looks like a lower price might end up costing more.
Martin Burvill, group vice-president of global solutions at Verizon Business, the US IT services provider, says that customers who just want to save money by outsourcing and ruthlessly drive down suppliers on price are making a big mistake. ‘Suppliers try to recover their losses by charging for all the extras or cutting back resources, so there is a huge gulf between expectation and execution.’
Customers can’t expect to get a cheaper service unless they are prepared to let suppliers change the operating model and methodology, Mr Burvill says. ‘Without transformation, the supplier won’t make money. This is pure logic, but it gets forgotten,’ he says.
Customers have to be prepared to adapt, he adds, and the more they can move to the outsourcing provider’s systems, the greater the potential savings.
Customers can often get better value for money by focusing on how the outsourcing provider can make them more competitive or help to bring out products faster, says Jonathan Cooper-Bagnall, head of outsourcing at PA Consulting.
‘That might mean switching some services off or scaling them back, or shifting the speed of transition from legacy infrastructure to new customer-focused applications.’ They could also request fewer estimates for new applications, which are expensive, he says.
For outsourcing providers, moving away from guaranteed returns and minimum commitments is a big step, says Mr Cooper-Bagnall. ‘It fundamentally changes the way they can sell, because it’s not about length of contract. They have to change the incentive structure for sales staff, and think about whether it cannibalises a service they already provide.’
Nick Grossman, group business development director of 2e2, an IT services provider, suggests that customers should set challenges for outsourcing suppliers, such as reducing the time and cost of processing documents. ‘With measurable targets, suppliers can be offered a share in the risks and rewards of improving business efficiency,’ he says.
Keeping outsourcing providers to a minimum also helps to reduce costs, says Don Herring, the New Jersey-based senior vice-president of network sourcing at AT&T, the communications company. AT&T encourages clients to engage a maximum of three suppliers to handle computing, applications and networking respectively, and to expect them to collaborate. This can result in savings of up to 35 per cent, says Mr Herring.
Having multiple suppliers can also help to keep prices low by introducing competition. It is smart to have a couple of providers for activities such as maintenance and application development, says Deloitte’s Mr Howard. Then you can have a mini contest between the two.
‘Otherwise,’ he says, ‘it’s very hard to know how long they need; you might get a low hourly rate that ends up costing more than another provider that charges more but does the job quicker.’
Minimising the use of consultants also saves money, says Mr Burvill at Verizon. ‘Being paid by the day motivates consultants to prolong their contracts by continuously changing the specification.’
There is a lot of emotion in outsourcing, especially as it often involves transferring staff, which is upsetting and causes upheaval. This disruption is one reason why about 40 per cent of clients for which Deloitte looks at outsourcing end up keeping the service in-house. They decide there are not enough cost savings, or the risks outweigh the benefits, particularly for small and medium-sized businesses.
A number of Deloitte’s clients that have tried outsourcing are bringing it back in house, Mr Howard says. ‘It is a bit like marriage – there can be lots of suffering and violence, and occasionally a messy divorce.’
To avoid breakdown, customers should be prepared to share the financial rewards of improved efficiency. A level of mild dissatisfaction is not unusual in customers, Mr Howard says. ‘But responsibility for making it work rests as much with them as with suppliers.’
QUESTION
Discuss the economics of outsourcing.
Source: Bird, J. (2011) Outsourcing: beware false economies. Financial Times. 6 December. © The Financial Times Limited 2011. All Rights Reserved.
BEYOND STRATEGIC INFORMATION SYSTEMS – THE IMPORTANCE OF IS CAPABILITY
Until relatively recently, the management of information systems within organisations could largely be described as belonging to the ‘strategic information systems (SIS) era’: that is, management typically seeks out opportunities for competitive advantage through investment in IS/IT where those investments are aligned with corporate strategy and also where those investments can be used to shape business strategy. Peppard and Ward (2004), however, propose an alternative perspective whereby management of IS/IT in organisations can ‘continuously derive and leverage value through IT’. In a summary of antecedent literature, they point out that only IS management skills are likely to be a source of sustained competitive advantage and that ‘these skills are the ability of IS managers to understand and appreciate business needs; their ability to work with functional managers; the ability to co-ordinate IS activities in ways that support other functional managers; and the ability to anticipate future needs’.
In promoting a resource-based view of competitive advantage, Peppard and Ward identify three main elements of resource-based theory (RBT) to help establish a context for developing a model of IS/IT capability. These elements are:
■ Resources – resources in this context are available factors of production that are owned or controlled by the firm, including the information, systems and technology owned by or available to the firm, and ‘in the context of IS management the critical resources are the knowledge and skills residing in employees or the employees of third-party vendors’.
■ Competencies – the RBT perspective indicates that resources of themselves do not create value, but that value is created by an organisation’s ability to utilise and mobilise those resources. From an IS management perspective, competencies can be portrayed as the ability to deploy combinations of firm-specific resources to accomplish a given task, and they represent the collective knowledge of the firm in initiating or responding to change.
■ Capability – this refers to the strategic application of competencies and their use and deployment to accomplish given organisational goals; an organisation’s current capability is based on its existing competencies, and will be either an enabler or an inhibitor in terms of the goals it can actually achieve.
Peppard and Ward go on to suggest that one way to apply RBT to the management of IS is to focus on competencies within the IS function and that research has identified six domains of IS competence: strategy, defining the IS contribution, defining the IT capability, exploitation, delivering solutions and supply. They are defined as follows:
Strategy – ability to identify and evaluate the implications of IT based opportunities as an integral part of business strategy formulation and define the role of IS/IT in the organization
Define the IS contribution – the ability to translate the business strategy into processes, information and systems investments and change plans that match the business priorities (i.e. the IS strategy)
Define the IT capability – the ability to translate the business strategy into long term information architectures, technology infrastructure and resourcing plans that enable the implementation of the strategy (i.e. the IT strategy)
Exploitation – the ability to maximize the benefits realized from the implementation of IS/IT investments through effective use of information, applications and IT services
Deliver solutions – the ability to deploy resources to develop, implement and operate IS/IT business solutions, which exploit the capabilities of the technology
Supply – the ability to create and maintain an appropriate and adaptable information, technology and application supply chain and resource capacity.
Peppard and Ward propose a model that can be constructed to represent the components of the IS capability, as illustrated in Figure 14.1.
In order to arrive at an understanding of IS capability, they suggest that first one needs to understand the relationship between resources and IS competencies and then between IS competencies and IS capability. Competencies, it is suggested, are embedded in organisational processes which in turn are bounded by the structure of the organisation. By performing roles in organisational structures, people apply and integrate their knowledge by interacting with others and coordinating their actions. A competency is, therefore, an emergent property of organisational processes. From an information systems perspective, processes include ‘formulating strategies, management decision making processes for investments in IS/IT, managing the organisational and business changes required to deliver value, and the responsibilities and accountabilities for realizing specific benefits’. The roles that need to be performed to deliver these processes require individuals to have certain abilities including their skills (e.g. the ability to draw data flow diagrams), knowledge (e.g. what might be involved in constructing a workable outsourcing contract) and behaviours and attitudes that make knowledge useful and enable skills to be acquired (e.g. having IS staff who empathise with the user in delivering IS services). Finally, structures need to be put in place that enable processes to be performed effectively and which allow skills to be harnessed (e.g. structures that easily facilitate cross-functional communication and delivery).
When examining the relationship between IS competency and IS capability, it is suggested that an organisation’s strategy and its investment decisions are the two key contributing factors. These two factors can determine whether an organisation’s IS capability is a source of competitive advantage, competitive parity or competitive disadvantage. IS capability, according to Peppard and Ward, has three interrelated attributes.
1. Fusing IS knowledge and business knowledge – this is essential to ensure that strategies involving technological innovation can be formulated, and appropriate IS choices made and implemented quickly and effectively. In addition, knowledge will need to be integrated and coordinated from many individuals from different disciplines and backgrounds, with varied experiences and expectations, located in different parts of the organisation. In order to achieve this, a close partnership between IS staff and business staff at all levels is needed.
[Figure 14.1 A model of the IS capability. Levels: Enterprise level, Organising level, Resource level. Elements: Processes, Structure, Roles, IS Competencies, IS Capability, Strategy, Investment allocation; Business skills, knowledge and experience; Behaviour and attitude; Technical skills, knowledge and experience. Source: Peppard and Ward (2004)]
2. A flexible and re-usable IT infrastructure – this is the supply-side component of the IS capability that provides the technical platform, services and specialist resources needed to respond quickly to required business changes together with the capacity to develop innovative IS applications. Since an organisation’s IT infrastructure provides the shared foundation of the organisation’s ability for building and using business applications, it is one of the main elements that will determine an organisation’s level of agility as it seeks to respond to changing business needs and opportunities. Therefore, IT infrastructure and services need to be adequately planned for, rather than simply grow in an ad-hoc manner over time. Indeed, the whole issue of IT infrastructure flexibility has been well explored by Byrd and Turner (2000) who conclude that ‘a flexible IT infrastructure is positively related to an increase in costs and competitive advantage for adopting organisations’.
3. An effective use process – since technology by itself has no inherent value, its value must be unlocked through people applying the technology and creating an environment conducive to collecting, organising and maintaining information, together with embracing the right behaviours for working with information. Therefore, business and management processes need to deploy technology to deliver business benefits, which in turn requires knowledge and skills from within the organisation. Of benefit here is the suggestion that organisations should place more emphasis on ‘human-centred information management’ in order to improve the ways in which people use and share information.
This section has emphasised the importance of management processes in providing organisations with an IS capability that is a source of competitive advantage through the harnessing of human and technical resources. Peppard and Ward rather wistfully conclude in their 2004 paper that ‘the recent re-labelling of IS/IT as “e” seemed to re-ignite that inherently flawed notion (that merely possessing a technology will deliver untold benefits). The stock market boom in technology stocks and unsubstantiated claims for the “new economy” increased that misplaced confidence for a short time – but long enough for vast sums to be wasted on failed IT investments! This suggests a significant level of incompetence exists.’
FOCUS ON… IT INFRASTRUCTURE FLEXIBILITY
Byrd and Turner (2000) have noted that, on average, IT infrastructure expenditures account for over 58 per cent of an organisation’s IT budget and this is growing annually at a rate of 11 per cent. Given that an organisation’s IT infrastructure is a key factor in its ability to respond to changing information system needs, it is useful to consider what is meant by infrastructure flexibility.
Byrd and Turner also highlight a Society for Information Management (SIM) Delphi study where IT managers indicated that the building and development of a flexible and responsive IT infrastructure was the most important issue of IT management. In a review of relevant literature they also note that there are two main components of IT infrastructure: a technical IT infrastructure relating to applications, data and technology configurations and a human IT infrastructure relating to the knowledge and capabilities required to manage effectively the IT resources within the organisation. They also point to relevant management literature where flexibility is defined as ‘the degree to which an organisation possesses a variety of actual and potential procedures, and the rapidity with which it can implement these procedures to increase the control capability of the management and improve the controllability of the organisation over its environment’.
M14_BOCI6455_05_SE_C14.indd 526 30/09/14 7:26 AM
527 Chapter 14 INFORMATION SYSTEMS MANAGEMENT
They go on to suggest that ‘IT infrastructure is the shared IT resources consisting of a technical physical base of hardware, software, communications technologies, data, and core applications and a human component of skills, expertise, competencies, commitments, values, norms, and knowledge that combine to create IT services that are typically unique to an organisation. These IT services provide a foundation for communications interchange across the entire organisation and for the development and implementation of present and future business applications.’ And when combining the above definition with the concept of flexibility, IT infrastructure flexibility can be defined as ‘the ability to easily and readily diffuse or support a wide variety of hardware, software, communications technologies, data, core applications, skills and competencies, commitments, and values within the technical physical base and the human component of the existing IT infrastructure’.
As Duncan (1995) points out, infrastructure flexibility is perceived as critical to information-intensive firms because of the amount of unplanned systems requirements faced by IT departments. Inflexibility exists when developers have difficulties with users’ demands that require systems to do things they were not designed to do. In this situation, the historic solution has been either to update the systems to do those things, or to build a new system to reflect the new requirements. The alternative approach is to develop an infrastructure that allows flexible manufacturing of systems so that the systems developers’ ability to design and build systems is improved.
The links here with agile approaches to software development, reusable code, open hardware and communications technologies are clear. From a systems management perspective, it suggests that if an organisation is to be agile in its response to a changing internal and external business environment, then it needs a flexible IS/IT infrastructure, embracing both technical and human infrastructures.
PULLING IT TOGETHER: IT GOVERNANCE AND COBIT
Very few models and texts embrace an overall methodology for determining the relationship between IS/IT processes, IS/IT resources and information to organisational strategies and objectives. The Control Objectives for Information and related Technology (COBIT) approach aims to address these relationships and, according to the IT Governance Institute, ‘integrates and institutionalises good (or best) practices of planning and organising, acquiring and implementing, delivering and supporting, and monitoring IT performance to ensure that the enterprise’s information and related technology support its business objectives’ (COBIT, 3rd edition, Executive Summary, July 2000).
Business objectives and the organisational activities that stem from them both provide an input to the COBIT IT processes and are themselves informed by the capabilities afforded by IS/IT. Effective governance of an organisation requires that individual and group expertise be applied where it can be most productive. IT governance provides the structure that enables IT resources and information to be incorporated as an integral part of organisational strategies and objectives. COBIT in its Control Objectives document summarises the relationship thus:
Enterprise activities require information from IT activities in order to meet business objectives. Successful organisations ensure interdependence between their strategic planning and their IT activities. IT must be aligned with and enable the enterprise to take full advantage of its information, thereby maximising benefits, capitalising on opportunities and gaining a competitive advantage.
The COBIT framework adopts seven requirements to which an organisation’s systems should comply, together with five principal categories of IT resource that are used to deliver business information. The business inputs to the COBIT framework stem from business events including business objectives, business opportunities, external requirements, regulations and risks, and it is through the application of the five categories of IT resource that the seven information requirements can be controlled. These requirements are:
■ Effectiveness: delivery of relevant information that is pertinent to the business process in a timely, correct and consistent manner.
■ Efficiency: the provision of information through the optimal use of resources.
■ Confidentiality: the protection of sensitive information from unauthorised disclosure.
■ Integrity: the accuracy, validity and completeness of information.
■ Availability: information being available as and when required by the business process; it also refers to the safeguarding of necessary resources and associated capabilities.
■ Compliance: the externally imposed business criteria that apply, such as laws, regulations and contractual arrangements.
■ Reliability of information: the provision of appropriate information such that the organisation can continue to operate and for the management to exercise its fiscal and compliance reporting responsibilities.
The resources used to achieve these information objectives are:
■ Data: both internal and external, structured and non-structured, that need to be captured and stored.
■ Application systems: the sum of all manual and programmed procedures (i.e. paper-based as well as computer-based applications).
■ Technology: the hardware, operating systems, DBMS, networks etc. within the organisation.
■ Facilities: the resources needed to house and support information systems.
■ People: this includes staff skills needed to plan, organise, acquire, deliver, support and monitor information systems and services.
Management guidelines
The complete COBIT framework identifies four domains with a total of 34 high-level control objectives. These high-level control objectives are broken down into 318 detailed control objectives. In addition to the framework is a set of Management Guidelines which provides management direction for getting the enterprise’s information and related processes under control, for monitoring achievement of organisational goals, for monitoring performance within each IT process and for benchmarking organisational achievement.
These comprise four elements and we will deal with each in turn.
Maturity models
The thinking here is not unlike Nolan’s stage model discussed earlier (in Chapter 13). An organisation can analyse its own position with respect to the model and in so doing can identify the steps needed to improve its IT governance. The six stages are as follows:
0. Non-existent: There is a complete lack of any recognisable IT governance process and the organisation may not even realise that there is an issue to be addressed.
1. Initial/ad hoc: IT governance is recognised as an issue, but management’s approach is chaotic; no standardised processes exist, but one-off approaches may be taken on a case-by-case basis.
2. Repeatable but intuitive: There is awareness of IT governance issues and IT governance activities are under development; basic measurement and assessment methods and techniques are in use, but they have not been adopted across the organisation.
3. Defined process: The need to act with respect to IT governance is understood and accepted; procedures have been standardised, documented and implemented; balanced business scorecard ideas are being adopted by the organisation; individuals are left to get training, follow standards and apply them; root cause analysis is rarely applied.
4. Managed and measurable: There is full understanding of IT governance issues at all levels, supported by formal training; responsibilities are clear and process ownership is established; all process stakeholders are aware of risks, the importance of IT and the opportunities it can offer; continuous improvement is beginning to be addressed; IT governance activities are becoming integrated with the enterprise governance process.
5. Optimised: There is advanced and forward-looking understanding of IT governance issues and solutions; processes have been refined to a level of external best practice; the organisation, people and processes are quick to adapt and fully support IT governance requirements; all problems and deviations are root-cause-analysed and efficient action taken; risks and returns of IT processes are defined, balanced and communicated across the organisation; enterprise and IT governance are strategically linked so that technology, human and financial resources can be leveraged to increase the competitive advantage of the enterprise.
The maturity model would suggest that the adoption of a framework such as COBIT will result in a seamless interface and integration between business and IS/IT strategies. The following three tools can be used to help with the alignment process.
Critical success factors
These are discussed in more detail earlier (in Chapter 13). Within the context of the COBIT model, CSFs define the most important management-oriented implementation guidelines to achieve control over and within an organisation’s IT processes. Example CSFs include:
■ integration and smooth interoperability of the more complex IS/IT processes such as problem, change and configuration management;
■ the implementation of management practices that increase the efficient and optimal use of resources and increase the effectiveness of IS/IT processes;
■ the integration of IS/IT governance activities into the enterprise governance process and leadership behaviours;
■ focusing IS/IT governance on the organisational goals, strategic initiatives, the use of technology to enhance the business and on the availability of sufficient resources and capabilities to keep up with the business demands.
Key goal indicators
These define the measures that tell management whether an IT process has achieved its business requirement. An example might be an organisation that is seeking to be the most profitable company in the industry, and that to help achieve this, investment in procurement software to help reduce materials costs has been undertaken. Therefore, the measures used might include a ‘before and after’ analysis of materials purchase costs. Needless to say, this is an ‘after the fact’ approach! Further indicators might include the following:
■ improved time-to-market;
■ reaching new and satisfying existing customers;
■ creation of new service delivery channels;
■ appropriately integrated and standardised business processes;
■ improved return on major IS/IT investments.
Key performance indicators (KPIs)
KPIs are the lead indicators that define measures of how well the IT process is performing in enabling a key goal to be reached. For example, suppose that a hospital has a required systems availability of 99.99 per cent up-time in order to ensure that patient care is fully supported. A KPI would be the reported systems up-time when compared with the target value. Further examples include:
■ improved performance as measured by balanced scorecards;
■ improved staff productivity and morale;
■ increased satisfaction of stakeholders;
■ increased availability of knowledge and information for managing the enterprise;
■ increased linkage between IS/IT and enterprise governance.
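The hospital up-time KPI just described can be checked mechanically against its target. The following Python is an added example written for this edit, not from the textbook or from COBIT; the outage records, the June 2014 reporting window and the error-budget arithmetic are constructed assumptions.

```python
"""Systems up-time KPI versus a target (added illustration; not from the textbook).

The hospital example in the text sets a required availability of 99.99 per cent.
This script takes a constructed outage log for one reporting month, derives the
achieved up-time, the error budget the target allows and whether the KPI was met.
Overlapping outages are merged and outages that straddle the window are clipped,
so downtime is neither double-counted nor attributed to the wrong month.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Interval = Tuple[datetime, datetime]

# Constructed sample data: one reporting window and three outage records.
WINDOW_START = datetime(2014, 6, 1)
WINDOW_END = datetime(2014, 7, 1)  # 30 days = 43,200 minutes
SAMPLE_OUTAGES: List[Interval] = [
    (datetime(2014, 5, 31, 23, 58), datetime(2014, 6, 1, 0, 1)),  # straddles month start
    (datetime(2014, 6, 10, 2, 0), datetime(2014, 6, 10, 2, 3)),   # 3 minutes
    (datetime(2014, 6, 10, 2, 2), datetime(2014, 6, 10, 2, 5)),   # overlaps previous record
]


def merge_intervals(outages: List[Interval]) -> List[Interval]:
    """Merge overlapping or touching outage intervals; drop empty or inverted ones."""
    merged: List[Interval] = []
    for start, end in sorted(outages):
        if end <= start:
            continue
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_in_window(outages: List[Interval], window_start: datetime,
                       window_end: datetime) -> timedelta:
    """Total downtime inside the window, clipping intervals that extend beyond it."""
    total = timedelta(0)
    for start, end in merge_intervals(outages):
        clipped_start = max(start, window_start)
        clipped_end = min(end, window_end)
        if clipped_end > clipped_start:
            total += clipped_end - clipped_start
    return total


def availability_kpi(outages: List[Interval], window_start: datetime,
                     window_end: datetime, target_pct: float = 99.99) -> Dict[str, object]:
    """Compare achieved up-time with the target and report the error-budget position."""
    window = window_end - window_start
    down = downtime_in_window(outages, window_start, window_end)
    achieved_pct = 100.0 * (1.0 - down / window)
    # The error budget is the downtime the target tolerates over this window.
    budget = window * (1.0 - target_pct / 100.0)
    return {
        "downtime_minutes": down.total_seconds() / 60,
        "achieved_pct": round(achieved_pct, 4),
        "target_pct": target_pct,
        "error_budget_minutes": budget.total_seconds() / 60,
        "budget_remaining_minutes": (budget - down).total_seconds() / 60,
        "target_met": down <= budget,
    }


if __name__ == "__main__":
    for key, value in availability_kpi(SAMPLE_OUTAGES, WINDOW_START, WINDOW_END).items():
        print(f"{key}: {value}")
```

With the sample data the six minutes of downtime exceed the 4.32-minute budget that 99.99 per cent allows over a 30-day month, so the KPI is reported as missed even though the achieved figure (99.9861 per cent) looks close to target.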
COBIT IT processes – the four domains
It is easiest to consider these if COBIT is considered as a ‘lifecycle’ model. Figure 14.2 illustrates the approach and also shows how information and IS/IT resources are embedded in the process. The diagram illustrates that the information both drives and enables business objectives and that business objectives generate the need for information as enabled through the utilisation and application of IS/IT resources. We will now consider each of the four domains.
Figure 14.2 COBIT’s four domains (diagram showing business objectives and information at the centre, with IS/IT resources and the four domains: planning and organisation, acquisition and implementation, delivery and support, and monitoring)
Planning and organisation
This domain is principally concerned with the way IS/IT can best contribute to the achievement of the business objectives. This means that an IS/IT strategy needs to be clearly articulated, particularly with respect to linkages with the overarching business strategy. The strategic vision needs to be planned, communicated and managed for different perspectives within the organisation (for example, those perspectives identified as part of the balanced scorecard method). Finally, a proper organisation as well as technological infrastructure must be put in place. This will include hardware, operating environment and communications technologies (in other words the delivery platforms that enable the right information to be delivered to decision makers). As with each of the following domains, there are a number of specific processes involved with implementing the control objectives:
■ define a strategic IT plan;
■ define the information architecture;
■ determine technological direction;
■ define the IT organisation and relationships;
■ manage the IT investment;
■ communicate management aims and direction;
■ manage human resources;
■ ensure compliance with external requirements;
■ assess risks;
■ manage projects;
■ manage quality.
Acquisition and implementation
Earlier chapters have dealt with issues relating to information systems acquisition and implementation. Therefore, in order to bring about the IS/IT strategy, solutions need to be identified, developed or acquired, as well as implemented and integrated into business processes. In addition, ongoing systems evolution and maintenance are included in this domain to make sure that the lifecycle is continued for these systems (which naturally become legacy systems once implemented). The processes involved in this domain include:
■ identify automated solutions;
■ acquire and maintain application software;
■ acquire and maintain technology infrastructure;
■ develop and maintain procedures;
■ install and accredit systems;
■ manage changes.
Delivery and support
This domain is concerned with the actual delivery of required services, which range from traditional operations over security and continuity aspects to training. In order to deliver services, the necessary support processes must be set up. One thing that perhaps sets this apart from more traditional strategy models is the fact that the actual processing of data by application systems is included, even though this would typically be regarded as more the operational domain of the functional business area concerned. The specific processes involved within this domain are:
■ define and manage service levels;
■ manage third-party services;
■ manage performance and capacity;
■ ensure continuous service;
■ ensure systems security;
■ identify and allocate costs;
■ educate and train users;
■ assist and advise customers;
■ manage the configuration;
■ manage problems and incidents;
■ manage data;
■ manage facilities;
■ manage operations.
Monitoring
It is necessary to assess regularly all IS/IT processes to ensure that they meet the required quality standards and that they comply with control requirements. This domain, therefore, helps to address management’s oversight of the organisation’s control process through internal and external auditing and/or benchmarking against best practice. Specific activities include the following processes:
■ monitor the processes;
■ assess internal control adequacy;
■ obtain independent assurance;
■ provide for independent audit.
In conclusion, COBIT would appear to provide a control framework whereby IS/IT strategy can be more readily aligned with an organisation’s business strategy. In particular, it articulates a number of processes that organisations need to perform in order to deliver appropriate and cost-effective IS/IT strategies.
CASE STUDY 14.2
IT trends shape future corporate strategies
By Paul Taylor
As the impact of technology change on business grows, McKinsey has identified 10 IT-enabled business trends that it says will help shape corporate strategies over the next decade.
In the article, published in the McKinsey Quarterly, authors Jacques Bughin, Michael Chui and James Manyika argue that since they last reviewed the IT landscape in 2010, ‘the implications of those trends for companies’ strategies, business models, organisational approaches and relationships with customers and employees have only grown.’
Since then, they say, the pace of technology change, innovation and business adoption has been stunning. ‘Consider that the world’s stock of data are now doubling every 20 months; the number of Internet-connected devices has reached 12bn; and payments by mobile phone are hurtling toward the $1,000bn mark.’
In particular, the authors argue that the dramatic pace at which two trends in particular have been advancing is transforming them into 21st-century business ‘antes’: competitive necessities for most if not all companies.
‘Big data and advanced analytics have swiftly moved from the frontier of our trends to a set of capabilities that need to be deeply embedded across functions and operations, enabling managers to have a better basis for understanding markets and making business decisions,’ they write. ‘Meanwhile, social technologies are becoming a powerful social matrix – a key piece of organisational infrastructure that links and engages employees, customers and suppliers as never before.’
They note that the ‘Internet of All Things,’ the linking of physical objects with embedded sensors, is being exploited at breakneck pace, simultaneously creating massive network effects and opportunities.
Meanwhile ‘the cloud,’ with its ability to deliver digital power at low cost and in small increments, is not only changing the profile of corporate IT departments but also helping to spawn a range of new business models by shifting the economics of ‘rent versus buy’ trade-offs for companies and consumers.
‘The result is an acceleration of a trend we identified in 2010: the delivery of anything as a service,’ they say. ‘The creeping automation of knowledge work, which affects the fastest-growing employee segment worldwide, promises a new phase of corporate productivity.
‘Finally, up to 3bn new consumers, mostly in emerging markets, could soon become fully digital players, thanks chiefly to mobile technologies. Our research suggests that the collective economic impact (in the applications that we examined) of information technologies underlying these four trends could range from $10,000bn to $20,000bn annually in 2025.’
The next three trends identified in the article, ‘will be most familiar to digital marketers, but their relevance is expanding across the enterprise, starting with customer-experience, product and channel management,’ say the authors.
‘The integration of digital and physical experiences is creating new ways for businesses to interact with customers, by using digital information to augment individual experiences with products and services. Consumer demand is rising for products that are free, intuitive and radically user oriented. And the rapid evolution of IT-enabled commerce is reducing entry barriers and opening new revenue streams to a range of individuals and companies.’
Finally, McKinsey highlights the extent to which government, education and healthcare – which often seem outside the purview of business leaders – could benefit from adopting digital technologies at the same level as many industries have.
‘Productivity gains could help address the imperative (created by ageing populations) to do more with less, while technological innovation could improve the quality and reach of many services. The embrace of digital technologies by these sectors is thus a trend of immense importance to business, which indirectly finances many services and would benefit greatly from the rising skills and improved health of citizens everywhere.’
The trends identified in the report are:
1. Joining the social matrix – Social technologies are much more than a consumer phenomenon: they connect many organisations internally and increasingly reach outside their borders. Now it has become the environment in which more and more business is conducted.
2. Competing with ‘big data’ and advanced analytics – Three years ago, McKinsey described new opportunities to experiment with and segment consumer markets using big data. As with the social matrix, the firm now sees data and analytics as part of a new foundation for competitiveness.
3. Deploying the Internet of All Things – Tiny sensors and actuators, proliferating at astounding rates, are expected to explode in number over the next decade, potentially linking over 50bn physical entities as costs plummet and networks become more pervasive. What McKinsey described as nascent three years ago is fast becoming ubiquitous, which gives managers unimagined possibilities to fine-tune processes and manage operations.
4. Offering anything as a service – The buying and selling of services derived from physical products is a business-model shift that’s gaining steam. An attraction for buyers is the opportunity to replace big blocks of capital investment with more flexible and granular operating expenditures. A prominent example of this shift is the embrace of cloud-based IT services.
5. Automating knowledge work – Physical labour and transactional tasks have been widely automated over the last three decades. Now advances in data analytics, low-cost computer power, machine learning and interfaces that ‘understand’ humans are moving the automation frontier rapidly toward the world’s more than 200m knowledge workers.
6. Engaging the next 3bn digital citizens – As incomes rise in developing nations, their citizens are becoming wired, connected by mobile computing devices, particularly smartphones that will only increase in power and versatility. Although several emerging markets have experienced double-digit growth in internet adoption, enormous growth potential remains. Rising levels of connectivity will stimulate financial inclusion, local entrepreneurship and enormous opportunities for business.
7. Charting experiences where digital meets physical – The borders of the digital and physical world have been blurring for many years as consumers learnt to shop in virtual stores and to meet in virtual spaces. In those cases, the online world mirrors experiences of the physical world. Increasingly, we’re seeing an inversion as real-life activities, from shopping to factory work, become rich with digital information and as the mobile internet and advances in natural user interfaces give the physical world digital characteristics.
8. ‘Freeing’ your business model through Internet-inspired personalisation and simplification – After nearly two decades of shopping, reading, watching, seeking information and interacting on the internet, customers expect services to be free, personalised and easy to use without instructions. This ethos presents a challenge for business, since customers expect instant results, as well as superb and transparent customer service, for all interactions – from web sites to brick-and-mortar stores. Fail to deliver, and competitors’ offerings are only an app download away.
9. Buying and selling as digital commerce leaps ahead – The rise of the mobile Internet and the evolution of core technologies that cut costs and vastly simplify the process of completing transactions online are reducing barriers to entry across a wide swath of economic activity. Amped-up technology platforms are enabling peer-to-peer commerce to replace activities traditionally carried out by companies and giving birth to new kinds of payment systems and monetisation models.
10. Transforming government, healthcare, and education – The private sector has a big stake in the successful transformation of government, healthcare, and education, which together account for a third of global GDP. They have lagged behind in productivity growth at least in part because they have been slow to adopt Web-based platforms, big-data analytics, and other IT innovations. Technology-enabled productivity growth could help reduce the cost burden while improving the quality of services and outcomes, as well as boosting long-term global-growth prospects.
What does all this mean for busy senior executives? The McKinsey authors suggest that the era of pervasive connectedness underlying these trends also implies a need for more focused attention on issues such as transparent and innovative business models, talent, organisation, privacy and security.
‘In short, as these trends take hold, leaders must prepare for the disruption of longstanding commercial and social relationships, as well as the emergence of unforeseen business priorities,’ the authors say. ‘The difficulty of embracing those realities while addressing related risks and concerns may give some leaders pause. But it’s worth keeping in mind that if the future traces past experience, these technology-enabled business trends will not only be a boon for consumers but also stimulate growth, innovation and a new wave of pacesetting companies.’
QUESTION
Write a short essay on any of the 10 IT trends described in the case study.
Source: Taylor, P. (2013) IT trends shape future corporate strategies. Financial Times. 23 May. © The Financial Times Limited 2013. All Rights Reserved.
SUMMARY
1. The relationship between IS/IT investments and productivity can be problematic. The intangible nature of many benefits means that it can be difficult to put a money value on them.
2. Appropriately targeted IS/IT investments need to be rooted in a coherent IS/IT strategy so that the IS/IT applications portfolio is distributed as needed between support, key operational, high potential and strategic information systems.
3. The alternatives for structuring or locating IS within an organisation range from centralised to decentralised. A hybrid approach is often used with some aspects of IS management, such as IS strategy and security centralised and others such as user support decentralised.
4. Outsourcing is a significant trend in IS management. It involves a third party undertaking some or all of the following IS activities:
■ hardware outsourcing;
■ network management or facilities management (FM);
■ systems development;
■ IS support;
■ management of IS strategy.
When all activities are performed by the external company, this is known as ‘total outsourcing’. When some activities are performed by the external company, this is known as ‘selective outsourcing’. Outsourcing is driven by a desire to reduce costs while improving the quality of IS and user services. The debate on whether this is frequently achieved is still raging!
EXERCISES
Self-assessment exercises
1. When information systems costs are being considered, what kinds of costs would be considered development costs and what would be considered operations/maintenance costs?
2. How do strategic systems differ from high-potential projects?
3. Why do information systems projects fail?
4. Explain the difference between project size and project complexity when evaluating information systems risk.
5. What are the main different types of outsourcing?
Discussion questions
1. ‘The millennium bug has demonstrated that organisations, more often than not, take a short-term view in their approach to information systems rather than a strategic one.’ Discuss.
2. ‘Public-sector organisations such as the police and health service are incapable of delivering good-quality information systems because they are dominated by the need to demonstrate tangible benefits before any investment decisions are made.’ Discuss.
3. Would you outsource the HRM or accounting functions of a company? If not, what is so different about IS/IT?
Essay questions
1. Why do many new information systems seem to deliver poor value for money?
2. It has been said that when making IS investment decisions, organisations are dominated by organisational politics. Is this really true or are there other, more important issues at stake?
3. What do you see as the main problems with outsourcing, and how can they be overcome?
4. ‘The IS capability model proposed by Peppard and Ward reaffirms the old adage that “technology is easy, people are difficult”.’ Discuss.
Examination questions
1. What are the two main alternatives for a company’s location of its information systems? Summarise the benefits and disadvantages in terms of cost and control.
2. What information systems management activities would occur with a total outsourcing contract?
References
Byrd, T. and Turner, D.E. (2000) ‘Measuring the flexibility of information technology infrastructure: exploratory analysis of a construct’, Journal of Management Information Systems, 17, 1, 167–208.
Collins, J.S. and Millen, R.A. (1995) ‘Information systems outsourcing by large American firms: choices and impacts’, Information Resources Management Journal, 8, 1, 9–14.
Duncan, N.B. (1995) ‘Capturing flexibility of information technology infrastructure: a study of resource characteristics and their measure’, Journal of Management Information Systems, 12, 2, 37–57.
Feeny, D., Fitzgerald, G. and Willcocks, L. (1995) ‘Outsourcing IT: the strategic implications’, Long Range Planning, 28, 5, 59–71.
Gonzalez, R., Gasco, J. and Llopis, J. (2005) ‘Information systems outsourcing success factors: a review and some results’, Information Management and Computer Security, 13, 5, 399–418.
Hochstrasser, B. and Griffiths, C. (1990) Regaining Control of IS Investments: A Handbook for Senior UK Management, Kobler Unit, Berlin.
Lacity, M.C. and Hirschheim, R. (1995) Beyond the Information Systems Outsourcing Bandwagon – the Insourcing Response, John Wiley, Chichester.
Lubbe, S. and Remenyi, D. (1999) ‘Management of information technology evaluation – the development of a managerial thesis’, Logistics Information Management, 12, 1/2, 145–56.
Peppard, J. and Ward, J. (2004) ‘Beyond strategic information systems: towards an IS capability’, Journal of Strategic Information Systems, 13, 167–94.
Robson, W. (1997) Strategic Management and Information Systems: An Integrated Approach, Financial Times Pitman Publishing, London.
Strassmann, P. (2002) ‘Still a loser’s game’, Computerworld, 4 February.
Sullivan, C.H. (1985) ‘Systems planning in the information age’, Sloan Management Review, Winter, 3–12.
Ward, J. and Peppard, J. (2002) Strategic Planning for Information Systems, 3rd edition, John Wiley, Chichester.
Further reading
Curtis, G. and Cobham, D. (2008) Business Information Systems: Analysis, Design and Practice, 6th edition, Addison-Wesley, Harlow.
Johnson, G., Whittington, R., Scholes, K., Angwin, D. and Regnér, P. (2014) Exploring Strategy, 10th edition, Prentice Hall Europe, Hemel Hempstead.
Kendall, K.E. and Kendall, J.E. (2013) Systems Analysis and Design, 9th edition, Prentice-Hall, Englewood Cliffs, NJ.
Ward, J. and Peppard, J. (2012) Strategic Planning for Information Systems, 4th edition, John Wiley, Chichester.
Web links
www.outsourcing.com Outsourcing Institute web site.
www.strassmann.com The web site of Paul Strassmann includes many of his articles on the value of information and issues such as outsourcing and IS investment.
www.isaca.org/cobit.htm This website provides further information about the COBIT methodology for IT security and governance. COBIT is issued by the IT Governance Institute.
M14_BOCI6455_05_SE_C14.indd 536 30/09/14 7:26 AM
LEARNING OUTCOMES
After reading this chapter, you will be able to:
■ understand and assess potential threats to a computer-based information system;
■ propose an overall strategy for ensuring the security of a computer-based information system;
■ identify specific techniques that might be used to protect a computer-based information system against damage or unauthorised access.
MANAGEMENT ISSUES
The concept that information is an important and valuable business asset has been stressed throughout this text. The responsibility for ensuring the security of organisational information systems is one that cannot be taken too lightly. In addition to ensuring that the organisation has uninterrupted access to its information resources, managers must also deal with the threat of outsiders attempting to gain access to those same resources. From a managerial perspective, this chapter addresses the following areas:
■ An understanding of approaches towards information systems security will help managers to develop and implement an overall strategy for security.
■ An understanding of the threats to information systems will help in predicting and anticipating acts such as denial-of-service attacks.
■ Knowledge of specific techniques for protecting information systems will help in the development of effective counter measures.
■ As organisations turn to the Internet for business purposes, it becomes important to understand some of the new threats that must be faced.
CHAPTER AT A GLANCE
MAIN TOPICS
■ The need for controls 540
■ Control strategies 548
■ Types of controls 551
■ Some techniques for controlling information systems 552
■ Threats related to Internet services 562
FOCUS ON . . .
■ Malware 556
CASE STUDIES
15.1 Online cybercrime rings forced to home in on smaller prey 547
15.2 Cybercrime costs US $100bn a year, report says 561
CHAPTER 15
Managing information security
M15_BOCI6455_05_SE_C15.indd 539 10/13/14 4:53 PM
Part 3 BUSINESS INFORMATION SYSTEMS MANAGEMENT 540
INTRODUCTION
The first section of this chapter discusses the need for controls on information systems, paying particular attention to unauthorised access. Having established some of the threats facing modern computer-based systems, several strategies are introduced for ensuring the integrity of an information system. A brief description of some of the controls that can be placed on information systems is followed by a more detailed examination of two areas of contemporary interest: malicious software and threats to Internet services.
THE NEED FOR CONTROLS
Controls upon information systems are based upon two underlying principles:
■ the need to ensure the accuracy of the data held by the organisation;
■ the need to protect against loss or damage.
Although this chapter is largely concerned with unauthorised access and the physical security of information systems, it should be noted that many of the issues raised are also relevant to the discussion of accuracy and privacy that is provided later (in Chapter 17).
The most common threats faced by organisational information systems can be placed into the following categories:
■ accidents
■ natural disasters
■ sabotage (industrial and individual)
■ vandalism
■ theft
■ unauthorised use (hacking)
■ computer viruses and malware.
The following box charts a number of major incidents that made national or international headlines between 2007 and 2011. As can be seen, there has been a marked increase in threats related to the Internet and organisational intranets.
Accidents
A number of estimates suggest that 40–65 per cent of all damage caused to information systems or corporate data arises as a result of human error. The DTI’s Information Security Breaches Survey 2006, for example, states that: ‘Human error rather than flawed technology is the root cause of most security breaches.’ Some examples of the ways in which human errors can occur include:
Why do we need controls? Some computer-related security incidents reported in the media 2007–12
February 2007 Two Dutch hackers received prison sentences and fines for creating a botnet of up to 1.5 million computers. As well as using the network of hijacked computers to steal confidential information from computer users, they also blackmailed companies by threatening to launch denial-of-service attacks.
541 Chapter 15 MANAGING INFORMATION SECURITY
September 2007 The New Zealand secret service suggested the Chinese government had launched cyberattacks against the country’s networks and information systems. Other reports alleged that additional cyberattacks had been launched by China against the UK, France, Germany and the United States.
September 2007 Estimates of the size of the botnet created by the Storm Worm launched in January 2007 range from 10 to 50 million computers.
January 2008 A French bank, Société Générale, lost £3.6 billion as a result of the unauthorised activity of a rogue trader. Jerome Kerviel used his knowledge of anti-fraud procedures to circumvent the bank’s security systems.
August 2008 A senior financial analyst at Countrywide Financial Corp. was arrested for stealing and selling confidential information. The man was said to have downloaded 20,000 customer profiles each week which he sold for around $500. The information was sold to people in the mortgage industry so that they could make approaches to potential customers. Up to 17 million records were compromised.
October 2008 The FBI and other agencies around the world concluded an undercover operation that resulted in 56 arrests worldwide and saved up to $70 million in potential losses. The case involved an electronic forum called ‘Dark Market’ where criminals bought and sold stolen financial information, such as credit card details. At its peak, Dark Market had more than 2,500 members.
April 2009 The Conficker worm infected up to 15 million computers and resulted in estimated losses of $9.1 billion worldwide. The worm continues to infect computers today (see June 2011). Some specific incidents involving Conficker include:
■ In February 2009, an infection at Manchester City Council resulted in losses of approximately £1.5 million. Removing the worm cost an estimated £1.2 million. Other costs involved £169,000 for hiring extra staff to handle backlogs of work and compensation payments because of delays in issuing benefit payments.
■ In May 2009 computer systems at Ealing Council became infected by the worm from a memory stick used by an employee. The incident cost the Council more than £500,000 in repairs and lost revenues.
December 2009 A hacker gained access to 32 million records owned by social game developer, RockYou. The information compromised included log-in information from social networking sites such as Facebook and MySpace.
March 2010 Albert Gonzalez was sentenced to 20 years in prison for stealing more than 90 million credit and debit card numbers from TJX and other retailers.
September 2010 A mobile phone virus, Zombie, began to infect phones in China. By November 2011, the virus was reported to have infected more than 1 million phones and to be costing phone owners $300,000 a day. The problem was made more difficult by the fact that antivirus software was unable to detect Zombie.
September 2010 HSBC received fines of £3 million from the Financial Services Authority related to incidents involving confidential customer records, such as losing unencrypted data in the post.
November 2010 Five British teenagers, including two girls, went on trial for selling stolen identities and credit card details from a site called Gh0stMarket.net. Losses were estimated at between £12 million and £16 million from the credit card details found on the site. Four members of the group eventually received prison sentences of between 18 months and five years.
May 2011 Lulz Security (LulzSec), a group of hackers, began a ‘50 day cruise’ of incidents, attacking web sites or releasing confidential information taken from a variety of organisations. Victims reportedly included Sony, Nintendo, The Sun newspaper, the US version of the X Factor, the Arizona police department, the Serious Organised Crime Agency (SOCA), AT&T, Fox.com, US broadcaster PBS, the CIA and the United States Senate.
June 2011 A joint operation between the FBI and the Security Service of Ukraine (SBU) closed down a ‘scareware’ ring operating across a number of countries including the US, the Ukraine, the Netherlands, Latvia, Germany, France, Lithuania, Sweden and the United Kingdom. The ring used the Conficker worm to infect computers then frighten the owners into paying for worthless security software. The worm was also used to collect confidential information from infected machines. Estimates suggest that the ring managed to collect at least $72 million before being closed down.
September 2011 Kweku Adoboli, a 31-year-old trader at UBS, was arrested by London police in relation to rogue trading that was estimated to have cost the Swiss bank £1.3 billion.
June 2012 The New York Times published an in-depth article stating that Stuxnet, a computer virus aimed at hindering the Iranian nuclear research programme, was created as a cyberweapon by the United States and Israel. It was later alleged that other cyberweapons were created and used by both countries, including programs called Flame and Gauss.
■ Inaccurate data entry. As an example, consider a typical relational database management system, where update queries are used to change records, tables and reports. If the contents of the query are incorrect, errors might be produced within all of the data manipulated by the query. Although extreme, significant problems might be caused by adding or removing even a single character in a query.
■ Attempts to carry out tasks beyond the ability of the employee. In smaller computer-based information systems, a common cause of accidental damage involves users attempting to install new hardware items or software applications. In the case of software applications, existing data may be lost when the program is installed or the program may fail to operate as expected.
■ Failure to comply with procedures for the use of organisational information systems. Where organisational procedures are unclear or fail to anticipate potential problems, users may often ignore established methods, act on their own initiative or perform tasks incorrectly.
■ Failure to carry out backup procedures or verify data backups. In addition to carrying out regular backups of important business data, it is also necessary to verify that any backup copies made are accurate and free from errors.
Cyberweapon
computer code intended to cause harm to structures, systems or people.
Update query
Used to change records, tables and reports held in a database management system.
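The accidents list above singles out an update query that goes wrong by a single character and corrupts every record it touches. The following Python example, added here and not taken from the textbook, shows one control against that risk: the update is run inside a transaction and committed only when the number of rows it actually changes matches what the operator expected; otherwise it is rolled back and the data is left untouched. The accounts table, its sample rows and the function names are constructed for the example; the intended query closes one account, while the mistyped version differs by one added character and would close every other account instead.

```python
"""Guarded update: commit a data-changing query only when it touches the
expected number of rows.  Added example; not code from the textbook.
The accounts table, sample rows and function names are constructed here."""
import sqlite3

# Constructed sample data: four customer accounts, one already closed.
SAMPLE_ACCOUNTS = [
    (1, "Alice", 120.00, "active"),
    (2, "Bob", 0.00, "closed"),
    (3, "Carol", 75.50, "active"),
    (4, "Dave", 10.00, "active"),
]

# The operator intends to close account 4.  The second query differs by a
# single added character ('!') and would close every *other* account instead.
INTENDED_UPDATE = "UPDATE accounts SET status = 'closed' WHERE id = ?"
MISTYPED_UPDATE = "UPDATE accounts SET status = 'closed' WHERE id != ?"


class UpdateScopeError(Exception):
    """Raised when an update would change more or fewer rows than expected."""


def make_db():
    """Build an in-memory database in autocommit mode so that the guarded
    update can manage its own BEGIN / COMMIT / ROLLBACK explicitly."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, name TEXT, balance REAL, status TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def guarded_update(conn, sql, params, expected_rows):
    """Execute an UPDATE inside a transaction and commit it only if the
    number of rows actually changed equals expected_rows; otherwise roll
    back and raise, leaving the data exactly as it was."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.execute(sql, params)
        changed = cur.rowcount  # rows the statement modified
        if changed != expected_rows:
            raise UpdateScopeError(
                f"expected {expected_rows} row(s) to change, "
                f"query would change {changed}"
            )
    except Exception:
        conn.rollback()  # discard the partial change before re-raising
        raise
    conn.commit()
    return changed


def count_closed(conn):
    """Number of accounts currently marked closed (used to check outcomes)."""
    return conn.execute(
        "SELECT COUNT(*) FROM accounts WHERE status = 'closed'"
    ).fetchone()[0]


def run_unguarded(sql, account_id=4):
    """Apply the query directly, as a careless script would; return the
    number of closed accounts afterwards."""
    conn = make_db()
    conn.execute(sql, (account_id,))  # autocommit: applied immediately
    return count_closed(conn)


def run_guarded(sql, account_id=4, expected_rows=1):
    """Apply the query through guarded_update; return (blocked, closed_count)."""
    conn = make_db()
    try:
        guarded_update(conn, sql, (account_id,), expected_rows)
        blocked = False
    except UpdateScopeError:
        blocked = True
    return blocked, count_closed(conn)


if __name__ == "__main__":
    print("unguarded, intended query -> closed accounts:", run_unguarded(INTENDED_UPDATE))
    print("unguarded, mistyped query -> closed accounts:", run_unguarded(MISTYPED_UPDATE))
    print("guarded,   intended query -> (blocked, closed):", run_guarded(INTENDED_UPDATE))
    print("guarded,   mistyped query -> (blocked, closed):", run_guarded(MISTYPED_UPDATE))
```

The unguarded path closes three accounts instead of one when the mistyped query runs; the guarded path rolls the change back and the table still shows only the one account that was closed to begin with. The same row-count check can be applied to DELETE statements, and for batch jobs the expected count can come from a preceding SELECT against the same WHERE clause.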
A survey from the Computing Technology Industry Association found that in more than 63 per cent of IT security breaches human error played a role. Technological failures accounted for only 8 per cent of security problems (source: Jupitermedia Corporation).
Mini case study
Complacent staff weak link in combating cyber criminals
By Kate Burgess
If your password is ‘password’ or ‘123456’, change it this minute. For even as the civil liberties brigade rails against state snooping and mythologises cyber leakers such as Edward Snowden, cyber crime is bringing down small companies and destroying livelihoods.
At the business end, the victims of cyber crime are piling up. About 90 per cent of all British companies suffered some kind of attack last year, according to the government’s department of business.
It comes in all forms – staff siphoning off cash, competitors filching customer data, contract details or product designs, or gangs (some possibly sponsored by foreign states) infecting software with viruses and worms for financial gain. Web-based crime has cost the UK as much as £27bn this year, according to the National Audit Office. The government reckons that the costs to business have tripled in a year.
The average price paid for the worst breaches by companies with fewer than 250 staff is £35,000–£65,000.
For bigger companies, the average cost is £850,000. But the grief caused to the UK’s smallest and most vulnerable enterprises is more than just financial. The combination of clean-up costs, the threat of fines for failing to protect customer data, the damage to reputation and client losses can prove fatal.
Worryingly, the unscrupulous are now targeting these small enterprises. For the first time, almost as many small companies say they were attacked last year as bigger ones.
It will only get worse, too, given the reach of the internet and the fact that almost everything we do is recorded and stored somewhere on the web. The full extent of the damage may never be known.
Many companies – like the world’s superpowers – are loath to admit explicitly just how much data they have collected and would be embarrassed to own up to a cyber attack. Governments are working to encourage more disclosure to help to form a united defence. Police forces are wising up, too, setting up specific cyber crime units such as the Europol Cybercrime (yes, really) centre.
Prevention, though, must be the best cure. Nearly all breaches are because hackers have been able to exploit the vulnerability of staff and systems through weak passwords, out-of-date security software and the misuse of social networking sites.
The problem is that few of us, executives of small companies included, think we have much worth stealing. But even corporate minnows should not underestimate their usefulness as a route into the databases of bigger companies with which they are linked, or the importance of innovative small caps as repositories of big, groundbreaking ideas.
The lesson is that the top brass of big and small companies have to spend more on web security. We must also stop moaning about the number of times we are asked to change our passwords and guard against how we pass on corporate tittle tattle. Careless talk may not cost lives, but it certainly costs.
Source: Burgess, K. (2013) Complacent staff weak link in combating cyber criminals. Financial Times. 30 June. © The Financial Times Limited 2012. All Rights Reserved.
Where human lives rely on the proper operation of an information system, this is usually known as a safety-critical system. Perhaps a better way of describing a critical system is to suggest that it is an information system that must not fail. A good example of a critical system is an air traffic control system.
Safety-critical system
Where human lives rely on the correct operation of a computer-based information system.
Natural disasters
All information systems are susceptible to damage caused by natural phenomena, such as storms, lightning strikes, floods and earthquakes. In Japan and the United States, for example, great care is taken to protect critical information systems from the effects of earthquakes. Although such hazards are of less concern in much of Europe, properly designed systems will make allowances for unexpected natural disasters.
Sabotage
With regard to information systems, sabotage may be deliberate or unintentional and carried out on an individual basis or as an act of industrial sabotage.
Individual sabotage
Individual sabotage is typically carried out by a disgruntled employee who wishes to exact some form of revenge upon their employer. The logic bomb (sometimes known as a ‘time bomb’) is a well-known example of how an employee may cause deliberate damage to the organisation’s information systems. A logic bomb is a destructive program that activates at a certain time or in reaction to a specific event. In most cases, the logic bomb is activated some months after the employee has left the organisation. This tends to have the effect of drawing suspicion away from the employee. Another well-known example is known as a back door. The back door is a section of program code that allows a user to circumvent security procedures in order to gain full access to an information system. Although back doors have legitimate uses, such as for program testing, they can also be used as an instrument of sabotage. It should be noted, however, that individual sabotage is becoming more infrequent due to legislation such as the Computer Misuse Act.
Logic bomb
Sometimes also known as a time bomb, a logic bomb is a destructive computer program that activates at a certain time or in reaction to a specific event.
Back door
A section of program code that allows a user to circumvent security procedures in order to gain full access to an information system.
Industrial sabotage
Industrial sabotage is considered rare, although there have been a number of well-publicised cases over the past few years. Industrial sabotage tends to be carried out for some kind of competitive or financial gain. The actions of those involved tend to be highly organised, targeted at specific areas of a rival organisation’s activities, and supported by access to a substantial resource base. Industrial sabotage is considered more serious than individual sabotage since, although occurrences are relatively few, the losses suffered tend to be extremely high. A well-known example concerns the legal battle between British Airways and Richard Branson’s Virgin during the 1990s, where it was alleged that BA gained access to Virgin’s customer databases and used this information to ‘poach’ Virgin’s customers. More recently, it has been claimed that governments have used their resources to give some companies an advantage in the marketplace. At the turn of the century, for example, it was alleged that both the United States and the United Kingdom were passing commercially sensitive information gathered via the Echelon surveillance network to certain companies.
Unintentional sabotage
An intent to cause loss or damage need not be present for sabotage to occur. Imagine the case of an organisation introducing a new information system at short notice and without proper consultation with staff. Employees may feel threatened by the new system and may wish to avoid making use of it. A typical reaction might be to enter data incorrectly in an attempt to discredit the new system. Alternatively, the employee might continue to carry out tasks manually (or with the older system), claiming that this is a more efficient way of working. In such cases, the employee’s primary motivation is to safeguard their position – the damage or loss caused to the organisation’s information systems is incidental to this goal.
Vandalism
Deliberate damage caused to hardware, software and data is considered a serious threat to information systems security. The threat from vandalism lies in the fact that the organisation is temporarily denied access to some of its resources. Even relatively minor damage to parts of a system can have a significant effect on the organisation as a whole. In a small network system, for example, damage to a server or shared storage device might effectively halt the work of all those connected to the network. In larger systems, a reduced flow of work through one part of the organisation can create bottlenecks, reducing the overall productivity of the entire organisation. Damage or loss of data can have more severe effects since the organisation cannot make use of the data until they have been replaced. The expense involved in replacing damaged or lost data can far exceed any losses arising from damage to hardware or software. As an example, the delays caused by the need to replace hardware or data might result in an organisation’s being unable to compete for new business, harming the overall profitability of the company.
In recent years, vandalism has been extended to the Internet. A number of incidents have occurred where company web sites have been defaced.
Theft
As with vandalism, the loss of important hardware, software or data can have significant effects on an organisation’s effectiveness. Theft can be divided into two basic categories: physical theft and data theft.
Independent insurance broker Bland Bankart plc estimates that the cost of computer and electronic office equipment theft exceeds £50 million each year (Bland Bankart plc). Even the theft of a single piece of hardware can result in significant loss. A survey by Kensington, producers of notebook security equipment, found that the theft of a single notebook computer cost £11,500 when factors such as lost productivity were taken into account.
Physical theft, as the term implies, involves the theft of hardware and software. The DTI’s 2012 ‘Information Security Breaches Survey’ reported that 7 per cent of the worst security incidents suffered by large organisations and 5 per cent of the worst incidents suffered by small organisations involved the physical theft of equipment. It is worth noting that physical theft is not restricted to computer systems alone; components are often targeted by criminals because of their small size and relatively high value.
Data theft normally involves making copies of important files without causing any harm to the originals. However, if the original files are destroyed or damaged, then the value of the copied data is automatically increased. The Ponemon Institute (www.ponemon.org) estimates that the average cost of a ‘compromised’ record is $214.
Data theft
This can involve stealing sensitive information or making unauthorised changes to computer records.
Service organisations are particularly vulnerable to data theft since their activities tend to rely heavily upon access to corporate databases. Imagine a competitor gaining access to a customer list belonging to a sales organisation. The immediate effect of such an event would be to place both organisations on an essentially even footing. However, in the long term, the first organisation would no longer enjoy a competitive edge and might, ultimately, cease to exist. In the United States alone, lost sales due to the theft of technology and business ideas are valued at $100 billion to $250 billion a year.
Both data theft and physical theft can take a number of different forms. As an example, there has been growing concern over the theft of customer information, such as credit card details, from company web sites.
Unauthorised use
One of the most common security risks in relation to computerised information systems is the danger of unauthorised access to confidential data. Contrary to the popular belief encouraged by the media, the risk of hackers gaining access to a corporate information system is relatively small. Most security breaches involving confidential data can be attributed to the employees of the organisation. In many cases, breaches are accidental in that employees are unaware that particular sets of information are restricted. Deliberate breaches are typically the result of an employee wanting to gain some personal benefit from using the information obtained. A good example concerns the common myth of the police officer using the Police National Computer to check up on a car they wish to buy. In reality, strict guidelines cover the use of the Police National Computer and a log is kept of every enquiry made.
However, we must consider that the threat posed by hackers is starting to increase as more organisations make use of the Internet for business purposes. In addition, it should be noted that even a relatively small number of hacking incidents can account for significant losses to industry. As an example, a survey commissioned by the UK National High Tech Crime Unit (now part of SOCA – Serious Organised Crime Agency) found that 167 companies had lost £195 million to high-tech crime, such as hacking, over a period of twelve months. Furthermore, even a small number of hackers can cause a significant amount of damage. For instance, a single hacker arrested in 2006 was accused of compromising over 150 US government systems, resulting in $1.36 million in losses to NASA and nearly $100,000 in losses for the Energy Department and the Navy.
The term hacker is used for a person who attempts to gain unauthorised access to a computer-based information system, usually via a telecommunications link. However, this is the popular use of this term and is considered incorrect by many IT professionals. Traditionally, ‘hacking’ referred to the process of writing program code, so hackers were nothing more than skilled computer programmers. Even today, many people consider themselves to be ‘hackers’ of the traditional kind and dislike being associated with the stereotype of a computer criminal. Furthermore, many people draw distinctions between those who attempt to gain unauthorised access to computer-based information systems for malicious reasons and those with other motivations. A person who gains access to an information system for malicious reasons is often termed a cracker rather than a hacker. Similarly, many people claim to use hacking for ethical purposes, such as helping companies to identify security flaws or assisting law enforcement agencies in apprehending criminals. These people tend to be referred to as ‘white-hat hackers’ and their counterparts are termed ‘black-hat hackers’. However, for the purposes of this chapter, we will continue to use the term ‘hacker’ in its popular sense.
Hacker
Hackers are often described as individuals who seek to break into systems as a test of their abilities. Few hackers attempt to cause damage to systems they access and few are interested in gaining any sort of financial profit.
Cracker
A person who gains access to an information system for malicious reasons is often termed a cracker rather than a hacker. This is because some people draw a distinction between ‘ethical’ hackers and malicious hackers.
In general, most people consider hackers to fall into one of four categories:
■ those who wish to demonstrate their computer skills by outwitting the designers of a particular system;
■ those who wish to gain some form of benefit (usually financial) by stealing, altering or deleting confidential information;
■ those who wish to cause malicious damage to an information system, perhaps as an act of revenge against a former employer;
■ those who wish to make a political statement of some kind.
Understandably, the most common crime committed by hackers involves telecommunications fraud. Clearly, the first task carried out by most hackers is to obtain free access to telecommunications, so that the time-consuming task of breaking into a given system can be carried out without incurring a great deal of expense. However, the growth of digital communications technology means that it is possible to implement countermeasures against hacking.
An excellent example concerns a well-known 1989 case, where a hacker managed to access information systems in more than 35 military bases across the United States. The hacker’s intention was to steal information on the Strategic Defense Initiative (SDI) – the so-called Star Wars project. The hacker was traced on the basis of an anomaly found by Clifford Stoll in telephone records. The unauthorised use of 75 cents of telephone time led to an investigation that lasted more than 18 months. Finally, following a number of failed attempts to trace the hacker via the telecommunications system, he was caught and sentenced to imprisonment.
A fairly recent development in relation to hacking concerns the emergence of hacktivists. Hacktivists are those who deface web sites, carry out denial-of-service attacks or publish confidential information in order to make a political statement. Although hacktivism has existed for several decades, several recent high-profile cases have brought it to the attention of the public. The wars in Iraq and Afghanistan, for instance, saw various groups attempting to promote their views by attacking web sites belonging to the government or other organisations connected to the conflicts in some way. More recently, a great deal of public controversy began when Wikileaks (http://wikileaks.org) began to publish a body of confidential documents considered embarrassing to the United States and other countries.
Hacktivist
Describes a person who uses hacking as a means of making a political statement, usually as a form of protest.
CASE STUDY 15.1
Online cybercrime rings forced to home in on smaller prey
By Vanessa Kortekaas
Wall Street’s banks and brokerages came under a sustained cyber attack last Thursday as hackers attempted to bring down online banking and trading operations at 50 top institutions.
Websites were subjected to distributed denial of service (DDoS) attacks to put them out of action, and a ‘malware’ infection was aimed at trading platforms, in a digital offensive dubbed ‘Quantum Dawn 2’.
If this sounds more like a film than reality, that may be because the cyber warfare was part of a simulated exercise to test financial institutions’ ability to withstand global threats.
It came two months after eight members of an international cybercrime ring were indicted for allegedly hacking into the systems of global banks, stealing customer data, and inflicting $45m of losses on the global banking system.
But, as the multinational banks have increased their efforts to thwart such security breaches, the cyber criminals have been forced to target smaller prey – and these include London’s wealth managers and stockbrokers.
‘We are seeing a trend [for cyber criminals] to target smaller institutions who have higher value customers,’ explains Stephen Bonner, a partner within KPMG’s information protection and businesses resilience team in the UK.
‘Very effective work by large retail banks to protect online retail banking is moving the attacker away to easier targets,’ he warns. ‘We’re seeing them attack smaller institutions that historically didn’t have enough customers to make it worthwhile.’
Mr Bonner says that this ‘displacement’ phenomenon in the cyber security landscape has also pushed the online security to the top of the agenda for UK wealth managers and stockbrokers.
Rathbone Brothers, a wealth manager with about £20bn of funds under management, says it is aware of attempts to hack into its client data.
‘We’ve got 40,000 clients, and the fraudsters are just becoming more sophisticated,’ says Andy Pomfret, chief executive of Rathbones. ‘You constantly have a few people trying to [hack] in.’
Rathbones has emulated the big banks in putting its systems to the test, by having so-called ‘ethical hackers’ attempt to access its data.
Mr Pomfret says he also encourages his investment managers to talk to their clients as much as possible, to reduce the risk of identity theft. ‘It’s much harder for someone to impersonate a client when you’re actually talking to them,’ he says.
Rathbones is not alone. According to the Association of Private Client Investment Managers and Stockbrokers (Apcims), cyber criminals are targeting the clients of UK brokerages.
In recent months, one Apcims member firm found that online fraudsters had set up a website identical to its own, and urged clients to buy certain shares – in an online version of a ‘boiler-room’ scam.
‘It turned out [the firm’s clients] were buying into a Ponzi type fund, which means you don’t get your money back,’ explains John Barrass, Apcims’ deputy chief executive.
Although the scam was caught quickly, Mr Barrass says the attack has served as a ‘very big warning sign’ to financial companies about the need to protect themselves against cyber crime.
Many UK companies have increased their spending on methods to combat cyber attacks.
KPMG says the number of wealth managers and brokers that have approached the firm for advice on online security has roughly doubled in the past 18 months.
Charles Stanley, the stockbroker and wealth manager, sends its IT staff for cyber security training at the Chartered Institute of Securities and Investment (CISI). It is one of many seeking to make its staff more aware of the risk.
‘Over the past year or so, I’ve seen much greater attendance from middle ranking firms, from the wealth management side and from the wealth management [business] of the big global banks,’ says George Littlejohn, a senior adviser at the CISI.
KPMG says that wealth managers have one advantage over the large banks in tackling cybercrime: they are ‘closer to their clients’ behaviour’, and therefore more able to detect unusual activity in their accounts.
However, they also bring one disadvantage. ‘With the very high-net-worth individuals, they expect a much more personal touch,’ says Mr Bonner. ‘[They] are less willing to accept some of the inconveniences of higher security.’
Source: Kortekaas, V. (2013) Online cybercrime rings forced to home in on smaller prey. Financial Times. 19 July. © The Financial Times Limited 2012. All Rights Reserved.
QUESTION
What is the key approach to combating cybercrime discussed in the case study?
Computer viruses
Whilst some methods, such as logic bombs, are beginning to decline, others are becoming more common. The release of the ‘virus construction kits’ and ‘virus mutation engines’ places the construction of a new computer virus within the hands of most users. Additionally, whilst methods such as virus scanning provide a degree of protection against virus infection, no completely secure prevention technique has yet been found.
Computer viruses are considered in more detail later on.
CONTROL STRATEGIES
In the previous section it was shown that there is a need to:
■ control access to information systems;
■ maintain the integrity of the information held within a computer-based information system;
■ implement procedures to ensure the physical security of equipment;
■ safeguard the overall security of an information system.
549 Chapter 15 MANAGING INFORMATION SECURITY
In this section, strategies for reducing threats to information systems are discussed. In general, there are four major approaches that can be taken to ensure the integrity of an information system. These are containment, deterrence, obfuscation and recovery. Although each strategy is discussed separately, it is important to note that an effective security policy will draw upon a variety of concepts and techniques.
Containment
The strategy of containment attempts to control access to an information system. One approach involves making potential targets as unattractive as possible. This can be achieved in several ways but a common method involves creating the impression that the target information system contains data of little or no value. It would be pointless, for example, attempting to steal data that had been encrypted – the data would effectively be useless to anyone except the owner.
A second technique involves creating an effective series of defences against potential threats. If the expense, time and effort required to gain access to the information system is greater than any benefits derived from gaining access, then intrusion becomes less likely. However, defences must be continually improved and upgraded in order to keep up with advances in technology and the increasing sophistication of hackers. Thus, such an approach tends to be expensive in terms of organisational resources.
A third approach involves removing the target information system from potential threats. Typical ways in which this might be achieved include distributing assets across a large geographical area, distributing important data across the entire organisation or isolating important systems.
Deterrence
A strategy based upon deterrence uses the threat of punishment to discourage potential intruders. The overall approach is one of anticipating and countering the motives of those most likely to threaten the security of the system.
A common method involves constantly advertising and reinforcing the penalties for unauthorised access. It is not uncommon, for example, to dismiss an employee for gaining access to confidential data. Similarly, it is not uncommon for organisations to bring private prosecutions against those who have caused damage or loss to important information systems. Attempts to breach the security of the information system are discouraged by publicising successful actions against employees or other parties.
A second approach involves attempting to detect potential threats as early as possible, for example by monitoring patterns of information system usage and investigating all anomalies. However, although such a technique can prevent some attacks and reduce the damage caused by others, it can be expensive in terms of organisational resources.
The third technique used commonly involves predicting likely areas of attack and then implementing appropriate defences or countermeasures. If an organisation feels, for example, that it is particularly vulnerable to computer viruses, it might install virus-scanning software across the entire organisation.
Obfuscation
Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited.
One means by which such a strategy can be implemented is by monitoring all of the organisation’s activities, not just those related to the use of its information systems. This provides a more comprehensive approach to security than containment or deterrence since it also provides a measure of protection against theft and other threats.
A second method involves carrying out regular audits of data, hardware, software and security measures. In this way, the organisation has a more complete overview of its information systems and can assess threats more accurately. A regular software audit, for example, might result in a reduction in the use of illegal software. In turn, this might reduce the number of virus infections suffered by the organisation, avoid potential litigation with software companies and detect illegal or unauthorised use of programs and data.
The dispersal of assets across several locations can be used to discourage potential intruders and can also limit the damage caused by a successful attack. The use of other techniques, such as backup procedures, can be used to reduce any threats further.
Audit
The process of monitoring an organisation’s hardware and software resources. In general, audits are used as a deterrent against theft and the use of illegal software.
Recovery
A strategy based upon recovery recognises that, no matter how well defended, a breach in the security of an information system will eventually occur. Such a strategy is largely concerned with ensuring that the normal operation of the information system is restored as quickly as possible, with as little disruption to the organisation as possible.
The most important aspect of a strategy based upon recovery involves careful organisational planning. The development of emergency procedures that deal with a number of contingencies is essential if a successful recovery is to take place. The process of developing and maintaining these procedures is often called business continuity planning (sometimes also called disaster recovery).
In anticipating damage or loss, a great deal of emphasis is placed upon backup procedures and recovery measures. In large organisations, a backup site might be created, so that data processing can be switched to a secondary site immediately in the event of an emergency. Smaller organisations might make use of other measures, such as RAID facilities or data warehousing services (Chapter 4).
As cloud computing becomes more popular, many individuals and organisations have seen this as an ideal way of ensuring business continuity. Several copies of important data may be distributed across the cloud and even software applications can be accessed anywhere there is an Internet connection. However, it can be argued that cloud computing simply replaces one set of problems with another. As an example, how could a company maintain normal operations if Internet access was lost or if a service provider suffered a major breakdown? In April 2011, Amazon’s EC2 cloud computer network crashed, taking thousands of company websites offline. Some sites took two days to restore and Amazon later announced that some customer data had been permanently lost. In October 2011, Blackberry phone users in Europe, India, South America and other regions suffered disruptions to e-mail, Internet and instant messaging services for a number of days. Services were disrupted again in September 2012.
Planning for emergencies involves more than merely restoring hardware, software and data. Since the 11 September 2001 terrorist attacks in the United States and the 7 July 2005 attack in the UK, a great deal of emphasis has been placed on protecting employees from danger and making sure that competent staff are available in an emergency. This is sometimes known as ‘skills continuity’.
Recovery
The process which is used to restore backup data.
Business continuity planning
The process of developing procedures aimed at restoring the normal operation of an information system in the event of an emergency or disaster.
Backup site
This houses a copy of the organisation’s main data processing facilities, including hardware, software and up-to-date data files. In the event of an emergency, processing can be switched to the backup site almost immediately so that the organisation’s work can continue.
RAID
This stands for ‘redundant array of inexpensive disks’. Essentially, identical copies of important data files are kept upon a number of different storage devices. If one or more of the storage devices fails, additional devices are activated automatically, allowing uninterrupted access to the data and reducing the possibility of losing transactions or updates.
TYPES OF CONTROLS
There are five major categories of controls that can be applied to information systems. These are:
■ physical protection;
■ biometric controls;
■ telecommunications controls;
■ failure controls;
■ auditing.
Physical protection
Physical protection involves the use of physical barriers intended to protect against theft and unauthorised access. The reasoning behind such an approach is extremely simple: if access to rooms and equipment is restricted, risks of theft and vandalism are reduced. Furthermore, by preventing access to equipment, it is less likely that an unauthorised user can gain access to confidential information. Locks, barriers and security chains are examples of this form of control.
Biometric controls
These controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment. Scanners that check fingerprints, voice prints or even retinal patterns are examples of biometric controls.
Until relatively recently, the expense associated with biometric control systems placed them out of reach of all but the largest organisations. In addition, many organisations held reservations concerning the accuracy of the recognition methods used to identify specific individuals. However, with the introduction of more sophisticated hardware and software, both of these problems have been largely resolved. As a result, laptop computers, PDAs and USB flash drives are all now available with built-in fingerprint scanners.
Many organisations have now begun to look at ways in which biometric control systems can be used to reduce instances of fraud. Within five years, for example, banks are expected to introduce automated teller machines (ATMs) that use fingerprints and retinal patterns to identify customers.
Activity 15.1 Biometric security
Devices employing biometric security measures are now within the reach of a typical computer user. Using the Internet, magazines, product catalogues and other sources, locate at least two examples of low-cost products that employ biometrics.
Telecommunications controls
These controls help to verify the identity of a particular user. Common types of communications controls include passwords and user validation routines.
As an example, when a new network account is created for a given user, they may be asked to supply several pieces of personal information, such as the name of their spouse or their date of birth. When the user attempts to connect to the network system from outside of the organisation, they are asked to confirm their identity by providing some of the information given when the account was created.
Failure controls
Failure controls attempt to limit or avoid damage caused by the failure of an information system. Typical examples include recovery procedures and regular backups of data. Backups are explained in more detail later on.
Auditing
Auditing involves taking stock of procedures, hardware, software and data at regular intervals.
With regard to software and data, audits can be carried out automatically with an appropriate program. Auditing software works by scanning the hard disk drives of any computers, terminals and servers attached to a network system. As each hard disk drive is scanned, the names of any programs found are added to a log. This log can then be compared to a list of the programs that are legitimately owned by the organisation. Since the log contains information concerning the whereabouts of each program found, it is relatively simple to determine the location of any unauthorised programs. In many organisations, auditing programs are also used to keep track of software licences and allow companies to ensure that they are operating within the terms of their licence agreements.
A software licence enables a company to make several copies of a program, allowing it to acquire important programs at reduced cost. Typically, a company will purchase a single copy of the program and install this on as many computers as required. Since only one copy of the program and any accompanying documentation is required, costs are reduced for both the company and the supplier. The terms of the software licence will determine how many copies of the program can be made. A ten-user licence, for example, allows a company to make up to ten copies of a program for use by its employees.
Software licence
This sets out the terms under which a piece of software can be used. In general, licences are required for every piece of software owned and used by a company. A company using ten copies of a word processor, for instance, must own ten individual licences or a single licence giving the right to use ten copies of the program.
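The log comparison described above, as an added example that is not the book's code: a scan log (one line per program found, giving the machine, the path and the program name) is parsed and compared against a licence register. The log lines, program names and licence counts are constructed sample data; the report lists unauthorised programs with their locations, programs installed more times than the licence permits, and spare licences.

```python
"""Software audit: compare a scan log against the licences the company owns."""
from collections import defaultdict

# Constructed scan log produced by an auditing program: machine;path;program
SCAN_LOG = """\
ws-01;C:\\Programs\\WordPro\\wordpro.exe;WordPro
ws-02;C:\\Programs\\WordPro\\wordpro.exe;WordPro
ws-03;C:\\Programs\\WordPro\\wordpro.exe;WordPro
ws-04;C:\\Programs\\WordPro\\wordpro.exe;WordPro
ws-01;C:\\Programs\\SheetCalc\\calc.exe;SheetCalc
srv-01;C:\\Programs\\SheetCalc\\calc.exe;SheetCalc
ws-02;C:\\Users\\jsmith\\Downloads\\screensaverpack.exe;ScreenSaverPack
ws-03;D:\\Temp\\screensaverpack.exe;ScreenSaverPack
"""

# Constructed licence register: program -> number of copies the licence permits
LICENCES = {"WordPro": 3, "SheetCalc": 5, "DiagramTool": 1}


def parse_scan_log(text):
    """Turn the raw log into (machine, path, program) tuples; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected machine;path;program")
        entries.append(tuple(parts))
    return entries


def audit(entries, licences):
    """Compare what was found on the network with what the company is licensed for."""
    found = defaultdict(list)            # program -> [(machine, path), ...]
    for machine, path, program in entries:
        found[program].append((machine, path))

    # programs the company does not own at all, with every location they were found in
    unauthorised = {p: locs for p, locs in found.items() if p not in licences}
    # licensed programs installed on more machines than the licence allows
    over_licensed = {p: (len(locs), licences[p]) for p, locs in found.items()
                     if p in licences and len(locs) > licences[p]}
    # licences bought but not fully used (a cost point rather than a security point)
    spare = {p: n - len(found.get(p, [])) for p, n in licences.items()
             if n > len(found.get(p, []))}
    return {"unauthorised": unauthorised, "over_licensed": over_licensed,
            "spare_licences": spare}


if __name__ == "__main__":
    report = audit(parse_scan_log(SCAN_LOG), LICENCES)
    for program, locations in report["unauthorised"].items():
        for machine, path in locations:
            print(f"UNAUTHORISED {program} on {machine} at {path}")
    for program, (installed, allowed) in report["over_licensed"].items():
        print(f"OVER LICENCE {program}: {installed} installed, {allowed} licensed")
```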
SOME TECHNIQUES FOR CONTROLLING INFORMATION SYSTEMS
Some of the most common techniques used to control computer-based information systems are:
■ formal security policies;
■ passwords;
■ file encryption;
■ organisational procedures governing the use of computer-based information systems;
■ user validation techniques;
■ backup procedures.
The following describes each of these techniques in more detail.
Formal security policy
Perhaps the simplest and most effective control is the formulation of a comprehensive policy on security. Amongst a wide variety of items, such a policy will outline:
■ what is considered to be acceptable use of the information system;
■ what is considered unacceptable use of the information system;
■ the sanctions available in the event that an employee does not comply with the security policy;
■ details of the controls in place, including their form and function and plans for developing these further.
Once a policy has been formulated, it must be publicised in order for it to become effective. In addition, the support of management is essential in order to ensure that employees adhere to the guidelines contained within the policy.
It is worth noting that many European countries have national standards that can be used to develop and assess organisational security policies. In the UK, for example, compliance with BS 7799 demonstrates that a company has established an effective information security management infrastructure. Standards such as ISO/IEC 27001, ISO 17799 and BS 7799 are extremely useful in that they provide a framework that can be used to develop a series of policies and procedures in order to maintain the security of computer-based information systems.
In 2010, only 67 per cent of small UK organisations had a formal information management security policy in place compared to 90 per cent of large organisations.
Source: DTI, 2010
Passwords
The password represents one of the most common forms of protection for computer-based information systems. In addition to providing a simple, inexpensive means of restricting access to equipment and sensitive data, passwords also provide a number of other benefits. Amongst these are the following:
■ Access to the system can be divided into levels by issuing different passwords to employees based on their positions and the work they carry out.
■ The actions of an employee can be regulated and supervised by monitoring the use of their password.
■ If a password is discovered or stolen by an external party, it should be possible to limit any damage arising as a result.
■ The use of passwords can encourage employees to take some of the responsibility for the overall security of the system.
The InfoSecurity Europe 2007 survey found that 64 per cent of workers questioned were prepared to reveal their computer password in exchange for a small gift, such as a chocolate bar. Although this fell to 21 per cent in 2008, 60 per cent of workers were still willing to reveal personal information, such as contact details, many without needing any reward at all.
Source: PC Pro, 16 April 2008
Encryption
An additional layer of protection for sensitive data can be provided by making use of encryption techniques. Modern encryption methods rely upon the use of one or more keys. Without the correct key, any encrypted data are meaningless – and therefore of no value – to a potential thief.
Activity 15.2 Pretty Good Privacy (PGP)
Using the Internet as a resource, locate information related to a well-known product called GNU Privacy Guard (GPG, sometimes also called GnuPG). Describe how GPG works and explain why you think the system is so popular.
Procedures
Under normal circumstances, a set of procedures for the use of an information system will arise from the creation of a formal security policy. Such procedures should describe in detail the correct operation of the system and the responsibilities of users. Additionally, the procedures should highlight issues related to security, should explain some of the reasoning behind them and should also describe the penalties for failing to comply with instructions.
User validation
Of relevance to telecommunications is the use of user validation techniques. It is necessary to verify the identity of users attempting to access the system from outside of the organisation. A password is insufficient to identify the user since it might have been stolen or accidentally revealed to others. However, by asking for a date of birth, National Insurance number or other personal information, the identity of the user can be confirmed. Alternatively, if the location of the user is known, the system can attempt to call the user back at their current location. If the user is genuine, the call will be connected correctly and the user can then access the system. Although such methods do not offer total security, the risk of unauthorised access can be reduced dramatically.
User validation
Checks made to ensure the user is permitted access to a system. Also known as access control systems, they often involve user names and passwords, but can also include biometric techniques.
Backup procedures
Grandfather, father, son
A common procedure used for creating backup copies of important data files.
The effects of a sudden loss of data can affect a company’s activities in a variety of ways. The disruption caused to a company’s normal activities can result in significant financial losses due to factors such as lost opportunities, additional trading expenses and customer dissatisfaction.
The cumulative effects of data loss can prove detrimental to areas as diverse as corporate image and staff morale. Perhaps the single most compelling reason for introducing effective backup procedures is simply the expense involved in reconstructing lost data. A 2008 study of UK data breaches by the Ponemon Institute in collaboration with Symantec and PGP Corporation found that the cost of a lost record ranges from £47 to £59.
One of the most common methods of protecting valuable data is to use the ‘grandfather, father, son’ technique. Here, a rotating set of backup disks or tapes are used so that three different versions of the same data are held at any one time.
To illustrate this method, imagine a single user working with a personal computer and using three flash drives to store their data on. Each day, all of the data being worked on are copied onto the flash drive containing the oldest version (‘grandfather’) of that data. This creates a continuous cycle that ensures that the oldest backup copy is never more than three days old.
Table 15.1 illustrates the operation of the ‘grandfather, father, son’ method. As can be seen, each flash drive or other storage device moves through three generations. Since three copies of the data are maintained, the risk of data loss is reduced considerably. In the event of the original data becoming corrupted or damaged in some way, only the changes made since the last backup copy was made would be lost. In most cases, this would amount to new or altered data produced during the previous day. In addition, since only three sets of reusable media are required in order to make backups, the costs involved can be considered low.
Table 15.1 The ‘grandfather, father, son’ backup method

                 Day 1       Day 2       Day 3
Grandfather      Device 1    Device 2    Device 3
Father           Device 2    Device 3    Device 1
Son              Device 3    Device 1    Device 2
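The rotation in Table 15.1, as an added example that is not the book's code: three media are rotated so that each day's copy overwrites the oldest one, and a restore after the live data are lost takes the newest copy and reports how many days of work are gone. Device names and the daily working set are constructed; once all three media are in use, the three columns of Table 15.1 correspond to days 3, 4 and 5 of the simulation.

```python
"""Simulation of the 'grandfather, father, son' backup rotation."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    backup_day: Optional[int] = None     # day on which this medium was last written
    data: dict = field(default_factory=dict)


class GfsRotation:
    """Three-media rotation; the medium holding the oldest copy is the 'grandfather'."""

    def __init__(self, names=("Device 1", "Device 2", "Device 3")):
        self.devices = [Device(n) for n in names]

    def _oldest_first(self):
        # media never written count as oldest; among those, list order is kept (stable sort)
        return sorted(self.devices,
                      key=lambda d: -1 if d.backup_day is None else d.backup_day)

    def generations(self):
        """Current label of each medium: grandfather = oldest copy, son = newest."""
        oldest, middle, newest = self._oldest_first()
        return {"Grandfather": oldest.name, "Father": middle.name, "Son": newest.name}

    def backup(self, day, working_data):
        """Copy the whole working set onto the grandfather medium, which becomes the son."""
        target = self._oldest_first()[0]
        target.data = dict(working_data)
        target.backup_day = day
        return target.name

    def restore(self, today):
        """After the live data are lost: newest copy's name, its data and days of work lost."""
        newest = self._oldest_first()[-1]
        if newest.backup_day is None:
            raise RuntimeError("no backup has ever been made")
        return newest.name, dict(newest.data), today - newest.backup_day

    def oldest_copy_age(self, today):
        """Age in days of the grandfather copy; at most three once all media are in use."""
        oldest = self._oldest_first()[0]
        return None if oldest.backup_day is None else today - oldest.backup_day


if __name__ == "__main__":
    rotation = GfsRotation()
    work = {}                                    # constructed daily working set
    for day in range(1, 6):
        work[f"day{day}.txt"] = f"work done on day {day}"
        target = rotation.backup(day, work)
        print(f"Day {day}: wrote to {target}; {rotation.generations()}")
    name, data, lost = rotation.restore(today=6)
    print(f"Restored {len(data)} files from {name}; {lost} day(s) of work lost")
```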
It is worth noting several general points concerning backups of data:
■ The time, effort and expense involved in producing backup copies will be wasted unless they are made at regular intervals. How often backups are made depends largely upon the amount of work processed over a given period of time. In general, backups will be made more frequently as the number of transactions carried out each day increases.
■ Backup copies of data should be checked each time they are produced. Faulty storage devices and media may sometimes result in incomplete or garbled copies of data. In addition, precautions should be taken against computer viruses, in order to prevent damage to the data stored.
■ The security of backup copies should be ensured by storing them in a safe location. Typically, an organisation will produce two sets of backup copies: one to be stored at the company premises, the other to be taken off the premises and stored at a separate location. In this way, a major accident, such as a fire at the company premises, will not result in the total destruction of the organisation’s data. Many companies take additional precautions, such as storing important data online, using cloud storage as an extra safeguard.
■ Not all data need be backed up at regular intervals. Software applications, for example, can normally be restored quickly and easily from the original media. In a similar way, if a backup has already been made of a given item of data, the production of additional copies may not be necessary.
In order to reduce the time taken to create backup copies, many organisations make use of software that allows the production of incremental backups. Initially, a backup copy of all data files is made and care is taken to ensure the accuracy of the copy. This initial, complete backup is normally referred to as a full backup (sometimes also known as an ‘archival backup’). From this point on, specialised backup software is used to detect and copy only those files that have changed in some way since the last backup was made. In the event of data loss, damaged files can be replaced by restoring the full backup first, followed by the incremental backups. One of the chief advantages of creating incremental backups is that it is possible to trace the changes made to data files over time. In this way, any version of a given file can be located and restored. However, incremental backups can also have a significant disadvantage: should the full backup made initially become lost or corrupted, it may not be possible to restore any data at all. For this reason, it is essential that all backups be checked carefully as soon as they are made.
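The full-plus-incremental scheme described above, as an added example that is not the book's code: the first run captures every file, each later run records only files whose contents changed, a restore replays the full backup and then the incrementals in order (so any earlier version of a file can be recovered), and a full backup that fails its checksum stops the restore entirely. File names and contents are constructed; deleted files are not tracked, which keeps the example short.

```python
"""Full and incremental backups with checksum verification and ordered restore."""
import hashlib
from dataclasses import dataclass, field


def _fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class BackupSet:
    kind: str                                       # "full" or "incremental"
    files: dict                                     # name -> content captured in this run
    checksums: dict = field(default_factory=dict)   # name -> sha256 taken when written

    def verify(self) -> bool:
        """Re-check the stored copy against the checksums recorded when it was made."""
        return (set(self.files) == set(self.checksums) and
                all(_fingerprint(c) == self.checksums[n] for n, c in self.files.items()))


class IncrementalBackup:
    def __init__(self):
        self.sets = []            # the full backup first, then incrementals in order
        self._last_seen = {}      # name -> fingerprint at the previous run

    def run(self, live_files):
        """Back up the live files: everything on the first run, only changes afterwards."""
        if not self.sets:
            kind, captured = "full", dict(live_files)
        else:
            kind = "incremental"
            captured = {n: c for n, c in live_files.items()
                        if self._last_seen.get(n) != _fingerprint(c)}
        bset = BackupSet(kind, captured, {n: _fingerprint(c) for n, c in captured.items()})
        self.sets.append(bset)
        self._last_seen = {n: _fingerprint(c) for n, c in live_files.items()}
        return bset

    def restore(self, up_to=None):
        """Rebuild the files by replaying the full backup and then each incremental."""
        if not self.sets or self.sets[0].kind != "full" or not self.sets[0].verify():
            raise RuntimeError("full backup missing or corrupted: nothing can be restored")
        chain = self.sets if up_to is None else self.sets[:up_to + 1]
        restored = {}
        for bset in chain:
            if not bset.verify():
                raise RuntimeError("corrupted incremental backup in the chain")
            restored.update(bset.files)     # later copies overwrite earlier ones
        return restored

    def history(self, name):
        """Every captured version of one file, oldest first."""
        return [bset.files[name] for bset in self.sets if name in bset.files]


if __name__ == "__main__":
    backup = IncrementalBackup()
    live = {"ledger.csv": b"v1", "notes.txt": b"v1"}     # constructed working files
    backup.run(live)
    live["ledger.csv"] = b"v2"
    backup.run(live)
    live["notes.txt"] = b"v2"
    live["memo.txt"] = b"new"
    backup.run(live)
    print([(s.kind, sorted(s.files)) for s in backup.sets])
    print(backup.history("ledger.csv"))
```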
Many companies have started to adopt disk-imaging software as a way of producing backups of important programs and data. The latest and most sophisticated packages allow users to create incremental backups of an entire hard disk drive. This helps to avoid redundancy and makes the overall process faster and easier to manage. Disk images are discussed in more detail a little later on.
Incremental backup
Includes only those files that have changed in some way since the last backup was made.
Full backup
A method of producing copies of important data files by including all data files considered to be important.
FOCUS ON… MALWARE
What is malware?
The term ‘malware’ (malicious software) is a generic term for software intended to gather confidential information from a computer system, or cause harm to valuable data. In general, malware can be broken down into a number of categories, each of which is discussed in more detail in the following sections:
■ computer viruses;
■ Trojans and key loggers;
■ spyware.
The computer virus
The origin of the term computer virus is credited to Fred Cohen, author of the 1987 paper ‘Computer viruses – theories and experiments’. However, ‘natural’ computer viruses were reported as early as 1974 and papers describing mathematical models of the theory of epidemics were published in the early 1950s.
There are several different types of computer virus, for example parasitic viruses (sometimes known as ‘file infectors’) insert copies of themselves into legitimate programs, such as operating system files, often making little effort to disguise their presence. In this way, each time the program file is run, so too is the virus.
In recent years, a great deal of attention has been paid to the emergence of macro viruses (sometimes called ‘script viruses’). These programs are created using the high-level programming languages found in e-mail packages, web browsers and applications software, such as word processors. Technically, such viruses are extremely crude but are capable of causing a great deal of damage. Table 15.2 provides some examples of estimated losses caused by computer viruses over the years 1999–2008. As the table shows, some of the largest losses experienced were the result of relatively unsophisticated viruses distributed via e-mail.
All viruses should be considered to be harmful. Even if a virus program does nothing more than reproduce itself, it may still cause system crashes and data loss. In many cases, the damage caused by a computer virus might be accidental, arising merely as the result of poor programming.
Until quite recently, it was thought that computer viruses could not be attached to data files, such as word processing documents or e-mail messages. However, the built-in programming languages featured within many modern applications mean that data files may now be used to transmit viruses. A typical example is the Word for Windows macro viruses, which attach themselves to a document template and duplicate each time a new document is created. Using an infected document on another machine automatically infects the user’s copy of Word for Windows. However, it remains true that viruses cannot be transmitted by a conventional e-mail message. A virus can only be transmitted as an attachment to a message, or if the e-mail package being used allows active content.
Computer virus
This is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another.
The transmission of computer viruses and malware
A number of reports suggest that consultants, maintenance engineers and employees are responsible for approximately 40 to 60 per cent of all virus infections. Often, a virus infection occurs as a result of employees’ transferring files to and from their machines at home. Other ways in which viruses and other malware may be transmitted include through the use of illegal software, software downloaded via the Internet and, occasionally, through commercial software and magazine cover-mounted discs.
It can be argued that computer users themselves are often responsible for damage arising as a result of malware, such as viruses and worms. Few users take adequate security measures, such as backing up data. It is estimated that fewer than 5 per cent of computer users are capable of carrying out backup procedures. Furthermore, inadequate training and incorrect responses to security breaches often exacerbate the problem, since anxious users may cause more damage than the malware itself.
There are few accurate estimates of the financial loss caused by computer viruses, Trojans and other forms of malware each year. This is undoubtedly due to the reluctance of major companies to disclose the fact that their systems have been compromised. Despite this, surveys have suggested that over 60 per cent of major corporates come into contact with computer viruses each year. However, the real rate of infection may be substantially higher since companies are unlikely to admit any major losses arising as a result of computer virus infections. In the UK, the Department for Trade and Industry’s Information Security Breaches Survey 2012 found that 40 per cent of large organisations had experienced virus infections, as had 43 per cent of smaller organisations. Worldwide, Fox News reported that total losses from malware infections amounted to $86 billion in 2009.
Detecting and preventing virus infection
The risk of virus infection can be reduced to a minimum by implementing a relatively simple set of security measures:
■ unauthorised access to machines and software should be restricted as far as possible;
■ machines and software should be checked regularly with a virus detection program;
■ all new disks and any software originating from an outside source should be checked with a virus detection program before use;
■ the use of flash drives on company systems should be monitored and controlled, especially if employees take data files to/from their homes;
■ regular backups of data and program files must be made in order to minimise the damage caused if a virus infects the system.
Table 15.2 Examples of estimated losses due to computer viruses from 1999 to 2008

Year   Virus         Estimated loss ($ billions)
1999   Melissa       1.10
2000   LoveLetter    8.80
2001   Code Red      2.60
2001   SirCam        1.15
2002   Klez          9.00
2003   Slammer       1.20
2004   MyDoom        4.75
2004   Sasser        3.50
2004   NetSky        2.70
2004   Bagle         1.50
2007   Conficker     9.80
2008   Storm Worm    8.50
Sources: Bocij, 2006; www.howstuffworks.com
Virus scanners are intended to detect and then safely remove virus programs from a computer system. The most common method of detection used by these programs involves scanning for the signatures of particular viruses. It is often possible to locate a virus by simply searching every file on an infected disk for these identifying characteristics. However, since new viruses are discovered quite frequently, the list of signatures contained within a detection program quickly becomes dated. For this reason, most software developers insist that regular program updates are essential. In fact, some programs are updated every few hours, rather than once a day or less frequently.
The introduction of new kinds of viruses, such as polymorphic and stealth viruses, means that signature checking alone can no longer be regarded as a completely secure method of detection. For this reason, most virus scanners use a combination of techniques to enhance their efficiency. Amongst the methods used are checksums, virus shields, anti-viruses, heuristics and inoculation. The use of heuristics, for example, involves monitoring the computer system to detect common behaviours associated with computer viruses, such as attempts to access certain areas of the hard disk drive.
Once a virus has been detected there are three methods of removing it. The first, disinfection, attempts to restore damaged files and directory structures to their original condition. However, disinfection is not possible in all cases. The second technique involves overwriting the virus program so that it is permanently and irrevocably deleted from the disk. The third and final method of removing a virus is by restoring a backup of the infected disk to the system. The process of writing files to the disk effectively overwrites the virus and restores the system to its original state.
A distinction is made between erasing and deleting a file. Erasing a file merely removes its entry in the disk’s directory structure: the file remains intact until another file overwrites it. For this reason, virus killers delete the virus completely by overwriting it with new data.
Despite the sophistication of scanning programs, none is capable of offering complete protection against infection. Many tests have been carried out to determine the efficiency of specific virus-scanning programs. In some cases, the detection rate of some programs was found to be as low as 50 per cent.
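As an added example that is not part of the textbook, the following Python sketch runs a toy signature scan beside a checksum baseline over constructed in-memory files; the signature names, file names and contents are all made up for the demo. It shows the point made above: a variant whose bytes differ from the recorded signature slips past the signature scan, while the checksum comparison still flags that the file changed.

```python
import hashlib
from typing import Dict, List

# Constructed signature database: name -> byte pattern found in the sample.
# Real scanners hold huge databases and update them every few hours.
SIGNATURES: Dict[str, bytes] = {
    "demo-marker-A": b"DEMO-VIRUS-MARKER-A",
    "demo-marker-B": b"DEMO-VIRUS-MARKER-B",
}


def signature_scan(files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Return {filename: [matched signature names]} for each file that
    contains at least one known signature byte pattern."""
    hits: Dict[str, List[str]] = {}
    for name, data in files.items():
        matched = [sig for sig, pattern in SIGNATURES.items() if pattern in data]
        if matched:
            hits[name] = matched
    return hits


def checksum_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest per file while the system is known to be clean."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def checksum_scan(files: Dict[str, bytes], baseline: Dict[str, str]) -> List[str]:
    """Return the names of files whose digest differs from the baseline or that
    did not exist when the baseline was taken. Note the trade-off: a legitimate
    software update also changes a digest, so every hit needs a human look."""
    return sorted(name for name, data in files.items()
                  if baseline.get(name) != hashlib.sha256(data).hexdigest())


def demo():
    """Baseline two constructed files, then 'infect' one with a known marker
    and another with a variant marker the signature database does not hold."""
    clean = {
        "payroll.exe": b"MZ\x90\x00 constructed clean program bytes",
        "report.doc": b"Quarterly report: nothing unusual here.",
    }
    baseline = checksum_baseline(clean)
    later = dict(clean)
    later["payroll.exe"] = clean["payroll.exe"] + b" DEMO-VIRUS-MARKER-A"
    # One byte differs from every stored signature: a stand-in for a
    # polymorphic form that keeps its behaviour but not its bytes.
    later["report.doc"] = clean["report.doc"] + b" DEMO-VIRUS-MARKER-X"
    return signature_scan(later), checksum_scan(later, baseline)


if __name__ == "__main__":
    sig_hits, changed = demo()
    print("signature hits:", sig_hits)   # {'payroll.exe': ['demo-marker-A']}
    print("changed files:", changed)     # ['payroll.exe', 'report.doc']
```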
The action that a virus carries out when activated is normally referred to as the payload. An example of a payload might be issuing the command to delete all of the files from the user’s hard disk drive when a certain condition is met, such as when a particular date or time is reached.
In recent years many companies have come to recognise that virus scanners and other software, such as firewalls, are no longer enough to provide high levels of protection in the face of sophisticated viruses and malware. For instance, computer viruses and Trojans now exist that can disable or delete security software whilst maintaining the appearance that they are working properly. Many companies have started to adopt other methods of protecting their systems, for example by investing in disk-imaging software.
Using appropriate software, it is possible to take a ‘snapshot’ of a hard disk drive at a given date and time. The entire contents of the drive can be copied into a special disk image file while the user carries on working. In the event of a disaster, the image file can be written back to the hard disk, restoring the system to the same state as when the image was created. Disk images can even be copied onto other hard disk drives, allowing users to transfer programs and data onto a new system. One of the reasons companies have started to use disk images is because the disk drive is completely erased when the image is restored. At present, no known malware can survive this process, so restoring an image to a hard disk can be taken to guarantee the destruction of a virus or Trojan. Of course, this process can only be successful if no virus or other malware was present when the disk image was created.
Virus scanner
Intended to detect and safely remove virus programs from a computer system.
Signature
Unique features of a virus, such as the unique series of values in its program file, a message displayed on screen or hidden text.
Polymorphic virus
A virus capable of altering its form, so that the ‘standard’ signature of the virus is not present. This means that a virus scanner may not always identify the virus correctly.
Stealth virus
Specifically designed to avoid detection. Such programs are normally written with the intention of defeating common or well-known virus-scanning programs.
Heuristics
Involves monitoring a system to detect common behaviours associated with computer viruses, such as attempts to access certain areas of the hard disk drive.
Erasing
Erasing a file removes its details from the disk’s directory structure. This leaves the file essentially intact and can allow it to be recovered.
Deleting
Deleting a file removes its details from the disk’s directory structure and overwrites it with new data. This makes it virtually impossible to recover the file.
Payload
This refers to the action that will be carried out once a computer virus becomes active. This can range from displaying a message on the screen, to deleting valuable data.
The use of disk images has become so popular that many companies use them as the basis for their backup routines. Although disk images can be somewhat wasteful in terms of storage, they have the advantage of being very quick and easy to make. A good example of disk-imaging software is Acronis TrueImage (www.acronis.com), which can be used on individual systems or across a network. This package also allows users to restore individual files if they wish, removing the need to overwrite the entire hard disk.
Trends
There are many different estimates concerning the growth in numbers of viruses, Trojans and worms. In 1989, it was believed that there were fewer than 50 viruses in circulation. However, by the end of 2004 it was estimated that the number of viruses had grown to more than 100,000 (Bocij, 2006) and to more than one million by 2008 (Sunday Times, 10 April 2008). There has been a similar growth in the number of new viruses and similar malware that is being discovered each month. As an example, at the end of 2002, Sophos – a leading developer of anti-virus products – reported that it had detected more than 7000 new viruses, worms and Trojans during the whole of the year. By 2004, some antivirus companies were reporting the discovery of up to 1700 new viruses every month and by 2008 a leading antivirus company, Symantec, reported that it had discovered 711,000 new viruses in a single year. In 2012, McAfee reported that it was receiving 100,000 malware samples each day and attributed much of the growth to a surge in malware aimed at mobile applications and devices.
Improved access to technology, an increase in the use of networks and new communications technology have all increased the vulnerability of many users to virus infections. At most risk are universities and other large sites, such as public services.
Disk image
A perfect copy of the entire contents of a hard disk drive. Disk images are used to back up whole systems since they provide a snapshot of the system at a specific date and time.
Activity 15.3 Computer viruses
Using the Internet as a resource, find details of at least three major virus incidents over the past three years. For each incident, describe:
1. where the virus originated and how it spread;
2. how many machines were infected around the world;
3. estimated losses resulting from the infection.
Trojans and key loggers
Two other kinds of programs are related to computer viruses: worms and Trojans. A worm is a small program that moves through a computer system randomly changing or overwriting pieces of data as it moves.
A Trojan appears as a legitimate program in order to gain access to a computer system. In the past few years, the use of Trojans to disrupt company activities or gain access to confidential information has grown sharply. Most of the Trojans encountered by business organisations are designed to gather information and transmit regular reports back to the owner. Typically, a Trojan will incorporate a key logging facility (sometimes called a ‘keystroke recorder’) to capture all keyboard input from a given computer. Capturing keyboard data allows the owner of the Trojan to gather a great deal of information, such as passwords and the contents of all outgoing e-mail messages.
Although Trojans are often used as delivery systems for spyware and other forms of malware, some are designed to give owners control over the target computer system. Effectively, the Trojan acts as a remote control application, allowing the owner to carry out actions on the target computer as if they were sitting in front of it. Sometimes, the owner of the Trojan will make no effort to conceal their activities: the victim sees actions being carried out but is unable to intervene, short of switching off the computer. More often, however, the Trojan operates silently and the victim is unaware that their computer is running programs, deleting files, sending e-mail, and so on. Back Orifice is an example of a Trojan that can be used in both of these ways. This program was designed to target Microsoft’s operating systems and is arguably the most famous program of its kind.
Worm
A small program that moves through a computer system randomly changing or overwriting pieces of data as it moves.
Trojan
A Trojan presents itself as a legitimate program in order to gain access to a computer system. Trojans are often used as delivery systems for computer viruses.
Some programs are designed to disrupt company activities by initiating denial-of-service attacks or by attacking company servers. In recent years, hackers have started to use specialised programs to create networks of zombie computers that can be used to send commercial spam or launch distributed denial-of-service attacks. Some Trojans are designed to take full or partial control of a computer when they receive instructions from the author. The Trojan remains inactive most of the time, only connecting to the Internet every now and then to check for new instructions. When activated by the author, the Trojan begins to generate e-mail or fake web traffic directed towards one or more specific targets. A computer infected by this type of Trojan is often called a bot or a zombie. Hackers use these networks – called botnets – to generate an income by renting them out to spammers, extortionists and other criminals, or by extorting money from companies themselves.
Bot
A computer that has been infected by a zombie program is sometimes referred to as a bot. See botnet and zombie.
Zombie
A type of Trojan capable of taking full or partial control of a computer when activated by the author. Zombie computers are usually organised into large networks (called botnets) so that their combined resources can be used to send spam or launch distributed denial-of-service attacks.
Botnet
A group of zombie computers capable of being directed towards various tasks, such as launching denial of service attacks. See zombie.
Spyware
Describes a category of software intended to collect and transmit confidential information without the knowledge or consent of a computer user.
Adware
Describes a type of software that contains spyware intended to monitor a user’s online activities, usually so that advertising can be targeted more accurately.
Spyware
Spyware represents a new type of threat for business and home users. In general, spyware describes a category of software designed to capture and record confidential information without a user’s knowledge or consent. As an example, an earlier section described how key loggers record every key pressed by a user. Such programs are often used to collect passwords and other information – such as the contents of documents and e-mail messages – over a period of time. At regular intervals, the program will attempt to connect to the Internet and transmit a report to its owner by e-mail. Often, key loggers will attempt to avoid detection by waiting until the computer user is working on the Internet before attempting to transmit any data.
Applications for spyware range from monitoring the actions of a spouse to industrial espionage. Although early spyware programs were relatively crude, modern applications have a number of sophisticated features that make them difficult to detect and remove. As an example, some programs can be installed at a distance, without needing direct access to the target computer.
Spyware is also produced and disseminated as adware (advertising-supported software). Many companies produce useful software tools that are distributed free of charge or at low cost. In order to generate revenues, the software displays advertisements on behalf of other companies. However, some companies attempt to target their advertising more effectively by monitoring how people use their computers and the Internet. The software collects information, such as details of any web sites visited, and reports back to a central server. Although most companies claim that they do not collect any data that can identify a specific individual, many people frown upon the idea that their activities are being constantly monitored and reported on.
Detecting Trojans and spyware
Many modern virus scanners are also capable of detecting Trojans and spyware; however, it is also possible to detect this software in two other ways. First, it is possible to purchase specialised software that functions in much the same way as a virus scanner. The Cleaner, for instance, is a specialised Trojan scanner capable of detecting thousands of common Trojans, as well as continuously monitoring a computer for behaviour indicative of a Trojan infection. Similar applications exist to deal with spyware, such as Ad-Aware, a package claimed to be capable of removing all known adware products.
Second, since many spyware programs need to communicate via the Internet, it is often possible to detect them by looking for unusual activity, such as attempts to send e-mail by unfamiliar programs or components. A firewall often provides a good defence against Trojans since it will detect and prevent any unauthorised Internet access.
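Added example (not from the textbook) of the second approach: two checks over constructed outbound-connection log lines, one for programs outside an allow-list that open mail connections, and one for a process contacting the same host at near-constant intervals, the pattern the text describes for Trojans that connect every now and then to check for instructions. The log format, process names, allow-list and addresses are all assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed log lines: "<ISO timestamp> <process> -> <destination host>:<port>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 outlook.exe -> mail.example.internal:587
2024-01-10T09:00:12 chrome.exe -> www.example.com:443
2024-01-10T09:00:30 updhelper.exe -> 203.0.113.25:25
2024-01-10T09:05:00 chrome.exe -> cdn.example.com:443
2024-01-10T09:10:35 updhelper.exe -> 203.0.113.25:25
2024-01-10T09:20:28 updhelper.exe -> 203.0.113.25:25
2024-01-10T09:30:33 updhelper.exe -> 203.0.113.25:25
2024-01-10T09:31:07 outlook.exe -> mail.example.internal:587
"""

MAIL_PORTS = {25, 465, 587}
# Programs the organisation expects to send e-mail (constructed allow-list).
KNOWN_MAILERS = {"outlook.exe", "thunderbird.exe"}

Event = Tuple[datetime, str, str, int]


def parse_log(text: str) -> List[Event]:
    """Turn the constructed log format into (time, process, host, port) tuples."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, _arrow, dest = line.split()
        host, port = dest.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), proc, host, int(port)))
    return events


def unfamiliar_mail_senders(events: List[Event]) -> List[str]:
    """Processes outside the allow-list that open connections to mail ports."""
    return sorted({proc for _, proc, _, port in events
                   if port in MAIL_PORTS and proc not in KNOWN_MAILERS})


def periodic_beacons(events: List[Event], min_hits: int = 4,
                     max_jitter: float = 0.1) -> List[Tuple[str, str, float]]:
    """(process, host, mean interval in seconds) for process/host pairs seen at
    least min_hits times at near-constant intervals: the spread of the gaps is
    at most max_jitter of the mean gap. A program checking in for instructions
    tends to look like this; a person browsing does not."""
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, proc, host, _ in events:
        per_pair[(proc, host)].append(ts)
    beacons = []
    for (proc, host), times in per_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons.append((proc, host, avg))
    return beacons


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unfamiliar mail senders:", unfamiliar_mail_senders(evs))
    print("periodic beacons:", periodic_beacons(evs))
```

With four hits and a 10 per cent jitter tolerance, the updhelper.exe connections at roughly ten-minute gaps are reported as a beacon; both thresholds need tuning against real traffic before being relied on.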
CASE STUDY 15.2
Cybercrime costs US $100bn a year, report says
By Paul Taylor in New York
Cybercrime and cyberspying are costing the US economy $100bn a year and the global economy perhaps $300bn annually, according to a first-of-its-kind report published on Tuesday.
The report, ‘Estimating the Cost of Cybercrime and Cyber Espionage’, prepared by the Washington-based Center for Strategic and International Studies (CSIS) and sponsored by McAfee, the security firm now owned by Intel, also estimates that malicious cyber activity costs as many as 508,000 jobs in the US alone.
‘It begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace,’ the report said.
‘We believe the CSIS report is the first to use actual economic modelling to build out the figures for the losses attributable to malicious cyber activity,’ said Mike Fey, chief technology officer at McAfee.
‘Other estimates have been bandied about for years, but no one has put any rigour behind the effort. As policy makers, business leaders and others struggle to get their arms around why cyber security matters, they need solid information on which to base their actions.’
The figures confirm that malicious cyberactivities do indeed represent what some have termed ‘the greatest transfer of wealth in human history’.
‘Losses to the US [the country where data are most accessible] may reach $100bn annually,’ the report says. ‘The cost of cybercrime and cyberespionage to the global economy is some multiple of this, likely measured in hundreds of billions of dollars.’
To put this in perspective, the World Bank suggests that global GDP was about $70,000bn in 2011. ‘A $300bn loss – and losses are probably in this range – would be four tenths of 1 per cent of global income.’
‘This seemingly trivial amount begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of continuous losses in cyberspace,’ the report authors say.
The report’s authors note that the cost of malicious cyberactivity involves more than the loss of financial assets or intellectual property. There are opportunity costs, damage to brand and reputation, consumer losses from fraud, the opportunity costs of service disruptions, ‘cleaning up’ after cyber incidents and the cost of increased spending on cybersecurity.
To help measure the real loss from cyberattacks, CSIS enlisted economists, intellectual property experts and security researchers to develop the report. The generally accepted range for cybercrime launch was between $100bn and $500bn to the global economy. Researchers used real-world analogies like figures for car crashes, piracy, pilferage and drugs to build the model.
They noted the difficulty of relying on methods such as surveys because companies that reveal their cyber losses often cannot estimate what has been taken, intellectual property losses are difficult to quantify and the self-selection process of surveys can distort the results.
‘This report is also the first to connect malicious cyberactivity with job loss,’ said James Lewis, director and senior fellow of the Technology and Public Policy Program at CSIS and a co-author of the report. ‘Using figures from the Commerce Department on the ratio of exports to US jobs, we arrived at a high-end estimate of 508,000 US jobs potentially lost from cyberespionage. As with other estimates in the report, however, the raw numbers might tell just part of the story. If a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effects could be more wide ranging.’
A second report from the CSIS, which is under way, will look at the ramifications of cybersecurity losses on the pace of innovation, the flow of trade and the social costs associated with crime and job loss.
Mr Lewis and co-author Stewart Baker of Steptoe & Johnson point out that as thoroughly as they plan to develop their estimates, the dollar amount might not fully reflect all the damaging effects that cyber espionage and cybercrime have on the global economy.
Both activities slow the pace of innovation, distort trade and bring the spate of social costs associated with crime and job loss, according to the report.
The authors say the larger effect may be more important than any actual number, and it will be the focus of the next report.
QUESTION
What are the indirect costs of cybercrime described in the report?
Source: Taylor, P. (2013) Cybercrime costs US $100bn a year, report says. Financial Times. 23 July. © The Financial Times Limited 2013. All Rights Reserved.
THREATS RELATED TO INTERNET SERVICES
Since 1999, a number of significant new threats to organisational information systems have emerged. Many of these threats reflect an increasing reliance on intranets and the Internet as basic tools for conducting transactions with partners, suppliers and customers. Although the following material focuses on the Internet, much of it is also relevant to company intranets.
Denial of service (DoS)
As companies begin to rely on network technology to reduce costs, they become more vulnerable to certain risks. For example, more harm can be caused if an individual gains access to a network server than if they merely gain access to a single PC. Similarly, companies relying on the Internet for business communications may find themselves subject to denial-of-service (DoS) attacks. Typically, these attacks involve blocking the communications channels used by a company. For example, an e-mail system might be attacked by sending millions of lengthy messages to the company. Other techniques involve altering company web pages or attacking the systems used to process online transactions. In these cases, companies are usually forced to shut down services themselves until the problem can be dealt with. Such attacks were almost unheard of before 1999 but have recently started to become more common. The DTI’s ‘Information Security Breaches Survey 2012’ found that 30 per cent of companies had experienced DoS attacks in the previous year, a figure that has grown significantly from 2004 when only 5 per cent of companies reported such incidents.
The impact of a denial-of-service attack can be extremely severe, especially for organisations that rely heavily on the Internet for e-commerce. As an example, an attack on Yahoo in 2000 involved servers being flooded with 1 billion hits per minute. The attack was estimated as costing £300,000 in lost advertising revenue alone (Financial Times, 17 November 2000).
In the past few years, denial-of-service attacks have started to be used to extort money from companies that rely heavily on the Internet. Often, an initial DoS attack is accompanied by a demand for money and the threat of a more serious and prolonged attack. A well-known case took place in 2004, when Russian extortionists launched a number of DoS attacks against UK bookmakers before demanding between £10,000 and £30,000 to stop the attacks. Bookmakers who refused to pay suffered losses of approximately £40 million through lost business caused by repeated attacks. Recent studies by the FBI, Ponemon Institute and others have suggested that DoS and other attacks on a single organisation can result in losses of up to $36.5 million.
Denial of service (DoS)
This is a form of attack on company information systems that involves flooding the company’s Internet servers with huge amounts of traffic. Such attacks effectively halt all of the company’s Internet activities.
Activity 15.4 Denial-of-service attacks
Using the Internet as a resource, locate three examples of recent denial-of-service attacks. For each example, describe how the attack occurred and the losses suffered by the victim.
Identity theft and brand abuse
Identity theft involves using another person’s identity to carry out acts that range from sending libellous e-mail to making fraudulent purchases. It is considered relatively easy to impersonate another person in this way, but far harder to prove that communications did not originate from the victim.
For business organisations, there is a threat that employees may be impersonated in order to place fraudulent orders. Alternatively, a company may be embarrassed if rumours or bogus press releases are transmitted via the Internet.
The term brand abuse is used to cover a wide range of activities, ranging from the sale of counterfeit goods, for example software applications, to exploiting a well-known brand name for commercial gain. As an example, the name of a well-known company might be embedded into a special web page so that the page receives a high ranking in a search engine. Users searching for the name of the company are then likely to be diverted to the special web page where they are offered a competitor’s goods instead. Some estimates suggest that the total cost of brand abuse, including counterfeiting, costs UK companies between £4 billion and £6.6 billion per year. This figure rises to between £28 and £40 billion across the EU and between $200 to $400 billion per year worldwide.
With regard to identity theft, CIFAS (www.cifas.org), a UK-based fraud prevention service, reports that there were 80,000 cases of identity theft in the UK in 2006. According to figures published on the organisation’s web site, identity fraud cost the UK economy £1.5 billion in 2005 and generates an income of £10 million per day for criminals. More recent figures suggest that identity theft costs the UK around £2.7 billion per year, affecting 1.8 million people (SkyNews, 18 October 2010).
Brand abuse
This describes a wide range of activities, ranging from the sale of counterfeit goods (e.g. software applications) to exploiting a well-known brand name for commercial gain.
Extortion
Various approaches can be used to extort money from companies. Two examples include ‘cybersquatting’ and the threat of divulging customer information.
Cybersquatting involves registering an Internet domain that a company or celebrity is likely to want to own. Although merely registering a domain is not illegal in itself, some individuals attempt to extort money from companies or celebrities in various ways. Typically, the owner of the domain will ask for a large sum in order to transfer the domain to the interested party. Sometimes, however, demands for money may be accompanied by threats, such as the threat the domain will be used in a way that will harm the victim’s reputation unless payment is forthcoming. Although there is an established mechanism for dealing with disputes over domain names, many victims of cybersquatting choose not to use these procedures since they do not wish to attract negative publicity.
A more common form of extortion usually occurs after a security breach in which sensitive company information has been obtained. Often, the threat involves making the information available to competitors or the public unless payment is made. One of the best-known cases involved an incident when an online music retailer’s e-commerce systems were compromised and the details of some 300,000 credit cards were obtained. When a demand for a payment of $100,000 was not met, 25,000 credit card numbers were published on the Internet (Financial Times, 17 November 2000). A 2011 report from Detica and the Cabinet Office suggested that annual losses to UK business resulting from extortion linked to cybercrime are between £0.56 billion and £2.7 billion annually.
Cybersquatting
The act of registering an Internet domain with the intention of selling it for profit to an interested party. As an example, the name of a celebrity might be registered and then offered for sale at an extremely high price.
Abuse of resources
Organisations have always needed to ensure that employees do not take advantage of company resources for personal reasons. Whilst certain acts, such as sending the occasional personal e-mail, are tolerated by most companies, the increased availability of Internet access and e-mail facilities increases the risk that such facilities may be abused. Two examples of the risks associated with increased access to the Internet involve libel and cyberstalking.
Cyberstalking is a relatively new form of crime that involves the harassment of individuals via e-mail and the Internet. Of interest to business organisations is the fact that many cyberstalkers make use of company facilities in order to carry out their activities. There have also been cases of ‘corporate stalking’ where an organisation has used its resources to harass individuals or business competitors. Individuals can also harass companies and government departments. Although this kind of behaviour often has a financial motive, it can also result from a desire for revenge against the organisation, or even from political beliefs. For an organisation, the consequences of cyberstalking can include a loss of reputation and the threat of criminal and civil legal action.
A number of cases where employees have abused company e-mail facilities have received a great deal of publicity. Well-known cases include an incident where Norwich Union was forced to pay £450,000 in damages after staff libelled a competitor in internal e-mails and a case where Royal & Sun Alliance dismissed ten members of staff after an internal investigation uncovered a series of lewd e-mails circulating. These cases demonstrate that allowing Internet resources to be used inappropriately can have serious repercussions for organisations. In addition to the legal and financial consequences of libel and harassment, a great deal of harm can be caused to a company’s public image and its relationships with customers and suppliers.
Cyberstalking
This refers to the use of the Internet as a means of harassing another individual. A related activity is known as corporate stalking, where an organisation uses its resources to harass individuals or business competitors.
A thorough discussion of the risks to organisations that arise from increased reliance on the Internet is beyond the scope of this chapter. However, in closing this section we provide two additional examples of emerging threats: cyberterrorism and stock fraud.
Cyberterrorism describes attacks made on information systems that are motivated by political or religious beliefs. Organisations involved in the defence industries are often the victims of such attacks. As an example, it is estimated that 20,000 UK and US web sites were attacked during the first week of the Iraq conflict in 2003. However, many other companies are also at risk from politically motivated attacks. For example, companies trading in countries that are in political turmoil or companies with business partners in these countries also face the risk of such attacks.
A number of recent cases have highlighted the danger of allowing inaccurate or misleading information to propagate across the Internet. Online stock fraud involves artificially increasing or decreasing the values of stocks by spreading carefully designed rumours across bulletin boards and chat-rooms. Whilst such activities may seem relatively harmless, companies can suffer significant losses. One of the best-known examples was reported on by the Financial Times some years ago (7 February 2001): ‘In separate incidents, Lucent Technologies, the telecoms network equipment giant, and Emulex, a computer network hardware vendor, saw $7.1bn and $2.6bn wiped off their respective stock market values within hours of bogus press releases appearing on the web.’
Incidences of online stock fraud highlight an extremely important issue: organisations are at risk from the distribution of false information across the Internet. It is important to note that the effects of online stock fraud are not limited to influencing stock prices. Imagine, for example, what might happen if bogus press releases began to appear when a company was in the process of negotiating a merger or strategic alliance. Preventing inaccurate or misleading information from appearing on the Internet is fraught with difficulty. The sheer size of the Internet means that monitoring web sites, chat-rooms and news services places an unacceptable burden on the resources of even the largest organisations. However, the use of intelligent agents, offline readers and meta-search tools, as described in Chapter 4, can go some way towards helping an organisation monitor how it is being portrayed on the Internet.
Other risks
Cyberterrorism: attacks made on information systems that are motivated by political or religious beliefs.
Online stock fraud: posting false information to the Internet in order to increase or decrease the values of stocks.
M15_BOCI6455_05_SE_C15.indd 564 10/13/14 4:53 PM
Chapter 15 MANAGING INFORMATION SECURITY
Social engineering: tricking people into providing information that can be used to gain access to a computer system.
Phishing: a relatively new development in which confidential information is gathered through fake e-mail messages and web sites.
Although social engineering has existed for several decades, it has become of more concern in recent years because of developments such as phishing. Social engineering involves tricking people into providing confidential information that will allow access to a computer system. As an example, someone might pose as a technician during a telephone call and ask for information, such as passwords or user names.
A relatively new development related to social engineering is phishing, which involves attempting to obtain information through bogus e-mails and web sites. As an example, computer users might receive an official-looking e-mail message purporting to come from their bank and asking them to confirm the details of a transaction via a web site. When users access the web site, they are asked for security information, such as an account number and password. Using this method, criminals have been able to gain access to thousands of bank accounts and credit card accounts. As well as leading to financial losses, phishing also causes secondary damage by harming a company’s reputation and damaging public confidence in services such as online shopping and online banking.
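Part of the bogus e-mail described above can be recognised mechanically. As an added example that is not from the textbook, the following Python script parses the links in an HTML e-mail body and flags the usual phishing tells: visible link text that names the real bank while the href goes elsewhere, a trusted host name buried as a sub-label inside an attacker-controlled domain, and links that point at a raw IP address instead of a host name. The trusted host `bank.example.com`, the attacker domain and the sample e-mail are all constructed for the example.

```python
"""Flag phishing-style links in an HTML e-mail body.

Added example (not from the textbook). TRUSTED_HOSTS and SAMPLE_EMAIL
are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Assumed: the host names the bank genuinely uses for customer logins.
TRUSTED_HOSTS = {"bank.example.com"}

# Constructed sample message: one lookalike domain, one raw-IP link and
# one genuine link on a real subdomain of the bank.
SAMPLE_EMAIL = """
<p>Dear customer, please confirm your recent transaction:</p>
<a href="http://bank.example.com.attacker.test/confirm">bank.example.com</a>
<a href="http://203.0.113.7/login">Log in to online banking</a>
<a href="https://secure.bank.example.com/help">Help centre</a>
"""


def _host(url):
    """Lower-cased host of a URL, or '' if it cannot be parsed."""
    try:
        return (urlparse(url.strip()).hostname or "").lower()
    except ValueError:
        return ""


def _is_trusted(host):
    """True only for a trusted host or a proper subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html_body):
    """Return a list of (href, reason) for every suspicious link."""
    parser = _LinkCollector()
    parser.feed(html_body)
    parser.close()
    findings = []
    for href, text in parser.links:
        host = _host(href)
        reasons = []
        if _is_ip(host):
            reasons.append("href uses a raw IP address")
        # Link text that itself looks like a URL or host name of the bank
        # while the href resolves somewhere else.
        shown_host = ""
        if text and " " not in text:
            shown_host = _host(text if "://" in text else "http://" + text)
        if shown_host and _is_trusted(shown_host) and not _is_trusted(host):
            reasons.append("link text shows %s but href goes to %s" % (shown_host, host))
        # The bank's name embedded in a host the bank does not control,
        # e.g. bank.example.com.attacker.test or secure.bank.attacker.test.
        labels = host.split(".")
        if host and not _is_trusted(host) and any(
                t in host or t.split(".")[0] in labels for t in TRUSTED_HOSTS):
            reasons.append("trusted host name embedded in untrusted host %s" % host)
        if reasons:
            findings.append((href, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, reason in check_links(SAMPLE_EMAIL):
        print(href, "->", reason)
```

The check is deliberately conservative: a link whose text is ordinary prose ("Help centre") is judged only by where its href points, so a genuine subdomain of the bank passes while the lookalike domain and the raw-IP link are both reported.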
In the United States, a Consumer Reports 2007 survey found that American consumers had lost $7 billion over the preceding two years to viruses, spyware and phishing schemes (Information Week, 6 August 2007). Approximately 8 per cent of respondents had been taken in by phishing schemes at a median cost of $200 per incident. Similar figures have been reported for the UK and the rest of Europe, though the UK remains the most popular target for such attacks. In the UK, ZDNet (11 March 2011) found that while phishing attacks rose significantly, actual losses fell to £46.7 million in 2009–10.
In terms of companies, the DTI’s 2012 ‘Information Security Breaches Survey’ looked at how often UK companies were impersonated or subjected to phishing attacks: 36 per cent of respondents said they experienced ‘a few’ attacks over the period of a year and a further 4 per cent said they experienced hundreds of attacks a day.
Infosecurity (1 June 2011) reports:
Online fraud continues to grow. The UK Fraud Barometer, for example, suggests that the average loss from online fraud currently stands at £697/$1120 per person, against £352/$566 in March 2010. One in 10 people report that they have been victims of online fraud or theft.
Managing threats to Internet services
In general terms, threats to information systems that originate from the Internet can be managed using the basic approaches and techniques outlined in this chapter.
Of the four basic strategies outlined earlier, an emphasis is likely to be placed on containment, obfuscation and recovery. Whilst an approach based on deterrence is likely to reduce problems associated with staff abuse of facilities, it is unlikely to discourage threats originating from outside the organisation. For example, it would be extremely difficult to take legal action against an attacker based in another country.
In terms of the specific techniques used to control access to information systems, whilst a great deal of emphasis will usually be placed on telecommunications controls, other methods are also of value. Encryption, for example, is used in a variety of circumstances to ensure that information transmitted via the Internet is unreadable to anyone other than its intended recipient.
It is also important to remember that a formal security policy will play a key role in ensuring that an organisation is prepared to deal with Internet-based threats. Unfortunately, as evidenced by the DTI’s ‘Information Security Breaches Survey 2010’, around 10 per cent of large organisations have no formal security policy in place.
Part 3 BUSINESS INFORMATION SYSTEMS MANAGEMENT
Recently, a range of specialised software applications have appeared that help individuals and companies maintain the security of their systems. Examples include:
■ Firewalls. A firewall (software on a host, or a dedicated network appliance) acts as a barrier between an information system and the Internet. It monitors and controls all incoming and outgoing traffic against a set of rules in an attempt to prevent outsiders gaining access to the information system.
■ Intrusion detection software. This type of software monitors activity on a network in order to identify intruders. Typically, the software will look for characteristic patterns of behaviour that indicate someone has gained unauthorised access to the network.
■ AI software. Many organisations have begun to develop applications that use artificial intelligence in order to detect intrusion attempts or unusual activity that might indicate a breach in security. As an example, Searchspace has developed a system that flags unusual trading activity on the London Stock Exchange in order to detect attempts at insider trading.
Firewalls: a specialised software application (or dedicated appliance) placed at the point where the company is connected to the Internet to prevent unauthorised access into the company from outsiders.
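As an added example (not from the textbook, and not any product's detection logic), the following Python script shows the kind of pattern-based check intrusion detection software runs over its event stream: a sliding-window count of failed log-ins per source address, with a second alert when a source that has already been flagged then logs in successfully, which is the pattern of a password-guessing attack that worked. The log line format, the threshold, the window and the sample lines are assumptions constructed for the example.

```python
"""Detect brute-force log-in attempts from authentication log lines.

Added example (not from the textbook). The line format below and the
sample log are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: ISO timestamp, FAIL/OK, user name, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one address guesses five passwords in five seconds
# and then gets in; another address fails twice, minutes apart.
SAMPLE_LOG = """\
2014-10-13T09:00:01 FAIL user=admin src=198.51.100.23
2014-10-13T09:00:02 FAIL user=admin src=198.51.100.23
2014-10-13T09:00:03 FAIL user=root src=198.51.100.23
2014-10-13T09:00:04 FAIL user=admin src=198.51.100.23
2014-10-13T09:00:05 FAIL user=admin src=198.51.100.23
2014-10-13T09:00:09 OK user=admin src=198.51.100.23
2014-10-13T09:00:10 FAIL user=jsmith src=192.0.2.44
2014-10-13T09:05:30 FAIL user=jsmith src=192.0.2.44
2014-10-13T09:05:31 OK user=jsmith src=192.0.2.44
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect(log_text, threshold=5, window_seconds=60):
    """Return alerts as (timestamp, src, message) tuples.

    Fires 'brute force' the first time a source reaches `threshold`
    failures inside a sliding window of `window_seconds`, and 'success
    after failures' when a flagged source subsequently logs in.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue              # unparseable lines are skipped, not fatal
        src, ts = event["src"], event["ts"]
        failures = recent[src]
        if event["result"] == "FAIL":
            failures.append(ts)
            while failures and ts - failures[0] > window:
                failures.popleft()   # drop failures older than the window
            if len(failures) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((ts, src, "brute force: %d failures in %ds"
                               % (len(failures), window_seconds)))
        elif src in flagged:
            alerts.append((ts, src, "success after failures for user %s"
                           % event["user"]))
    return alerts


if __name__ == "__main__":
    for ts, src, msg in detect(SAMPLE_LOG):
        print(ts.isoformat(), src, msg)
```

The second address never trips the rule because its two failures fall outside one window of each other; raising the threshold to six makes the first address disappear as well, which is the usual tuning trade-off between missed attacks and noise.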
SUMMARY
1. Controls upon computer-based information systems are needed to ensure the accuracy of data held by an organisation and to prevent loss or damage.
2. The most common threats to computer-based information systems include accidents, natural disasters, sabotage, vandalism, theft, unauthorised use and computer viruses.
3. Accidental damage to computer-based information systems can arise from a number of sources including: inaccurate data entry, attempts to carry out tasks beyond the ability of the employee, failure to comply with procedures for the use of organisational information systems and failure to carry out backup procedures or verify data backups.
4. In some cases, a computer-based information system may be vulnerable to damage caused by natural disasters, such as flooding.
5. Computer-based information systems should be protected against deliberate or unintentional sabotage. The damage or loss caused by unintentional sabotage is often incidental to the actions taken by an employee in pursuit of a different goal.
6. Vandalism can result in an organisation’s being deprived of critical hardware, software and data resources.
7. Theft can involve the physical theft of equipment or data theft. Whilst problems caused by physical theft can normally be overcome quickly and easily, data theft can result in significant long-term losses to an organisation.
8. The threat of unauthorised access to confidential data can arise from internal or external sources. Most security breaches involving confidential data can be attributed to the employees of the organisation.
9. There are four basic control strategies that can be applied to the security of computer-based information systems: containment, deterrence, obfuscation and recovery. Containment attempts to control access to an information system and often involves making potential targets as unattractive as possible. A strategy based upon deterrence uses the threat of punishment to discourage potential intruders. Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited. A strategy based upon recovery recognises that, no matter how well defended, a breach in the security of an information system will eventually occur. Such a strategy is largely concerned with ensuring that the normal operation of the information system is restored as quickly as possible.
10. Types of control for computer-based information systems include: physical protection, biometric controls, telecommunications controls, failure controls and auditing. Physical protection involves the use of physical barriers intended to protect against theft and unauthorised access. Biometric controls make use of the unique characteristics of individuals, such as fingerprints, in order to restrict access to sensitive information or equipment. Telecommunications controls, such as user validation routines, help to verify the identity of a particular user. Failure controls attempt to limit or avoid damage caused by the failure of an information system. Auditing involves taking stock of procedures, hardware, software and data at regular intervals.
11. Techniques used to control computer-based information systems include: formal security policies, passwords, file encryption, organisational procedures governing the use of computer- based information systems and user validation techniques.
12. A formal security policy should be supported by management and widely publicised. The policy will outline what is considered to be acceptable use of the information system and the sanctions available in the event that an employee does not comply with the policy.
13. Encryption involves encoding data so that they are meaningless to anyone who does not hold the key needed to decrypt them.
14. Backup procedures enable an organisation to protect sensitive files by making copies that can be stored at a safe location. The ‘grandfather, father, son’ technique is one of the most popular methods of rotating backups. An incremental backup copies only those files that have changed in some way since the last backup was made. This reduces the time and storage needed for each backup and leaves a trail of the changes that a given file has undergone over time, but a restore must replay the last full backup and every subsequent incremental backup in order, so each copy in the chain must be retained and verified.
15. Computer viruses, worms, Trojans and logic bombs represent a growing threat to information systems security. A computer virus is a computer program that is capable of self-replication, allowing it to spread from one ‘infected’ machine to another. All computer viruses are considered harmful and steps should be taken to protect valuable data from infection.
16. As organisations begin to rely on the Internet as a means of conducting business transactions, new threats to the security of information systems have begun to emerge. Some of these threats include denial-of-service attacks, brand abuse, identity theft, extortion and online stock fraud.
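To make item 14 concrete, here is an added example (not from the textbook) of full and incremental backups modelled as hash manifests over in-memory file contents, with a chained restore. It shows the two points a summary glosses over: a restore has to replay the full backup and every later incremental in order, handling deletions as well as changes, and a manifest lets the restored data be verified rather than assumed correct. File names, contents and the three daily snapshots are constructed for the example.

```python
"""Full and incremental backups as SHA-256 manifests, with chained restore.

Added example (not from the textbook). Each backup is a dict holding the
file contents it stores, the paths deleted since the previous backup and
a manifest (path -> digest) describing the complete state at that time.
The snapshots below are constructed for illustration.
"""
import hashlib

# Constructed daily snapshots of a small file tree: day 1 changes the
# ledger, day 2 deletes the notes and adds a report.
SAMPLE_DAYS = [
    {"ledger.db": b"v1", "notes.txt": b"hello"},
    {"ledger.db": b"v2", "notes.txt": b"hello"},
    {"ledger.db": b"v2", "report.doc": b"q3"},
]


def digest(data):
    """SHA-256 hex digest of file content."""
    return hashlib.sha256(data).hexdigest()


def full_backup(files):
    """Store every file; this is the base the incrementals depend on."""
    return {"kind": "full", "files": dict(files), "deleted": set(),
            "manifest": {p: digest(d) for p, d in files.items()}}


def incremental_backup(files, previous):
    """Store only files added or changed since `previous`; record deletions."""
    prev = previous["manifest"]
    changed = {p: d for p, d in files.items() if prev.get(p) != digest(d)}
    deleted = set(prev) - set(files)
    return {"kind": "incremental", "files": changed, "deleted": deleted,
            "manifest": {p: digest(d) for p, d in files.items()}}


def build_chain(snapshots):
    """Full backup of the first snapshot, then one incremental per later one."""
    chain = [full_backup(snapshots[0])]
    for snap in snapshots[1:]:
        chain.append(incremental_backup(snap, chain[-1]))
    return chain


def restore(chain):
    """Replay a full backup and its incrementals, in order, to rebuild the tree.

    Passing a chain that does not start with a full backup is refused:
    the incrementals alone cannot reconstruct unchanged files.
    """
    if not chain or chain[0]["kind"] != "full":
        raise ValueError("restore chain must start with a full backup")
    state = {}
    for backup in chain:
        state.update(backup["files"])
        for path in backup["deleted"]:
            state.pop(path, None)
    return state


def verify(restored, backup):
    """Paths whose restored content disagrees with the backup's manifest."""
    expected = backup["manifest"]
    bad = {p for p in expected
           if p not in restored or digest(restored[p]) != expected[p]}
    return bad | (set(restored) - set(expected))


def history(path, chain):
    """The change trail of one file: (backup index, digest or None if deleted)."""
    trail = []
    for i, backup in enumerate(chain):
        if path in backup["files"]:
            trail.append((i, backup["manifest"][path]))
        elif path in backup["deleted"]:
            trail.append((i, None))
    return trail


if __name__ == "__main__":
    chain = build_chain(SAMPLE_DAYS)
    print("day 2 restored:", sorted(restore(chain)))
    print("mismatches:", verify(restore(chain), chain[-1]))
    print("ledger history:", history("ledger.db", chain))
```

Restoring `chain[:2]` yields the day-1 tree and the whole chain yields the day-2 tree; dropping the full backup from the front raises an error, which is the failure mode of an incremental scheme whose oldest copy has been rotated out.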
EXERCISES
Self-assessment exercises
1. What are the two basic reasons for the need to control computer-based information systems?
2. List some of the advantages and disadvantages of using passwords to protect equipment and sensitive data from unauthorised users.
3. What types of controls can be used to protect a computer-based information system against vandalism, theft and unauthorised access?
4. What are the advantages and disadvantages of an approach to controlling computer-based information systems that is based on containment?
5. Describe some of the ways in which accidental damage can occur to a computer-based information system.
6. Explain why virus-scanning software and anti-virus programs are often of only limited value in detecting and removing computer viruses.
7. What is malware?
8. What is the difference between spyware and adware?
9. Why do some security specialists recommend the use of disk imaging software?
10. What is phishing?
Discussion questions
1. What motivates an individual or organisation to create a computer virus?
2. ‘No computer-based information system can be considered completely secure – all organisations should base their control strategies on recovery.’ Make a case in favour of or against this argument.
3. ‘An increased reliance on the Internet exposes organisations to increased risk in terms of threats to information systems security.’ Make a case in favour of or against this argument.
4. How can companies reduce their vulnerability to social engineering attacks?
Essay questions
1. Conduct any research necessary and produce a formal security policy governing student access to the computer systems at the institution that you attend. In addition to providing details of any controls already in place, your work must also address the areas listed below. For each of these areas, you should also justify any decisions or choices made:
(a) what activities are considered acceptable;
(b) what activities are considered unacceptable;
(c) the sanctions that may be used against those failing to comply with the policy.
2. Select an organisation that you are familiar with, such as a university or bank. Conduct any research necessary to address the following tasks:
(a) Describe the potential impact of infection by computer viruses and other malware on the organisation’s computer-based information systems.
(b) Consider the effectiveness of tools, methods and procedures designed to protect computer-based information systems from computer viruses and other malware.
(c) Evaluate the level of risk posed to the organisation by computer viruses and other malware. Produce a set of recommendations that may assist the organisation in reducing this risk.
3. Outline some of the threats to information systems that arise as a result of doing business via the Internet. Illustrate your response with appropriate examples and indicate how the risks you identify can be mitigated.
Examination questions
1. Computer viruses represent a significant threat to the security of organisational computer-based information systems. Some sources have estimated that as many as 1700 new computer viruses may appear each month. You are required to:
(a) Provide a definition of the term ‘computer virus’.
(b) Using relevant examples, describe the ways in which computer viruses can be transmitted.
(c) Discuss some of the ways in which organisations can protect against computer viruses. Highlight some of the advantages and disadvantages of each method described.
2. With regard to the control of computer-based information systems, answer the following:
(a) Describe some of the common security threats facing organisational computer-based information systems.
(b) Explain the four basic approaches to controlling computer-based information systems. Highlight the advantages and disadvantages of each approach.
(c) ‘More effective protection for a computer-based information system can be achieved by employing a combination of the four basic approaches to control.’ Using relevant examples, discuss this statement.
3. A formal security policy can provide an effective means of protecting an organisation’s computer-based information systems against theft, damage and other hazards.
(a) Provide an overview of the areas that will be outlined by a typical formal security policy document.
(b) Describe the ways in which a formal security policy can help to protect an organisation’s computer-based information systems.
(c) A number of factors will determine whether or not a security policy works effectively. Using relevant examples, provide a brief discussion of some of these factors.
References
Bocij, P. (2006) The Dark Side of the Internet and How to Protect Your Family, Praeger Press, Westport, CT.
Cohen, F. (1987) ‘Computer viruses – theory and experiments’, Computers and Security, 6, 1, 22–35.
Department of Trade and Industry (2010) ‘Information Security Breaches Survey 2010’, Department of Trade and Industry. Available online at: http://www.infosec.co.uk/files/isbs_2010_technical_report_single_pages.pdf
Further reading
Andress, J. (2011) The Basics of Information Security: Understanding the Fundamentals of InfoSec in Theory and Practice, Syngress, Waltham, MA
Bocij, P. (2004) Cyberstalking: Harassment in the Internet Age and How to Protect Your Family, Praeger Press, Westport, CT.
Bocij, P. (2006) The Dark Side of the Internet, Praeger Press, Westport, CT.
Laudon, K. and Laudon, J. (2013) Management Information Systems: Managing the Digital Firm, 13th edition, Prentice-Hall, Upper Saddle River, NJ. Although some might find this book a little dense and difficult to read, it is detailed and comprehensive in its coverage. Chapter 8 looks at security.
O’Brien, J. and Marakas, G. (2011) Management Information Systems, 10th edition, McGraw-Hill, Boston. Chapter 13 deals with issues such as security and ethics.
Web links
http://csrc.nist.gov The NIST (National Institute of Standards and Technology) site hosts a Computer Security Resource Center containing numerous articles, bulletins and other information.
http://www.sans.org/security-resources/ The SANS Institute publishes a huge number of articles dealing with computer security. This site is considered one of the most authoritative sources of information on computer security by IS professionals worldwide.
www.security-resources.com Security-resources.com offers a selection of introductory articles dealing with topics like how firewalls work.
www.lockdown.co.uk LockDown is a site aimed at home computer users. It provides information on security threats rated by severity. This site gives an excellent overview of the very large and diverse range of security problems that computer users face. Note that many of the problems listed in the site’s database also apply to business computer users.
www.cert.org The Computer Emergency Response Team (CERT) provides up-to-date information on security issues related to the Internet. The site publishes some interesting statistics concerning the number of incidents investigated.
www.infosyssec.org Information Systems Security Alert. This is a highly respected site that contains links to literally hundreds of resources. Of particular interest is a sophisticated search facility that allows information to be located on all aspects of security.
www.boran.com/security The IT Security Cookbook. A set of documents that provide detailed information on security management. There is a particularly good section on firewalls.
www.mcafee.com McAfee publishes VirusScan, a widely used virus detection package. The site contains a great deal of information on individual computer viruses.
www.vmyths.com This site sheds light on common myths related to viruses and computer security.
