Summary

This document provides an overview of management information systems, including learning objectives, chapter outlines, and opening case studies. It details concepts such as business processes, cross-functional processes, and organizational strategy.

Full Transcript

ADM 2372 Management Information Systems
Mayur Joshi, PhD, Assistant Professor of Information Systems, [email protected]

© Copyright. Mayur Joshi. 2024. and © 2024 John Wiley & Sons Canada, Ltd. or the authors. All Rights Reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission from the professor. Sharing course materials without permission or uploading course materials to a content sharing website may be treated as an instance of academic fraud as well as copyright infringement.

Week 2: Organizational Strategy, Competitive Advantage, and Information Systems (Chapter 2)

Learning Objectives
1. Discuss ways in which information systems enable business processes for a single functional area and cross-functional processes.
2. Differentiate among business process reengineering, business process improvement, and business process management.
3. Identify effective IT responses to different kinds of business pressures.
4. Describe the strategies that organizations typically adopt to counter Porter’s five competitive forces.

Chapter Outline
1. Business Processes
2. Business Process Reengineering, Business Process Improvement, and Business Process Management
3. Business Pressures, Organizational Responses, and Information Technology Support
4. Competitive Advantage and Strategic Information Systems

Opening Case: IKEA Reshapes its Strategy With the Help of Digital Technologies
Questions:
1. Is IKEA’s use of information technology consistent with the company’s overall strategy? Why or why not?
2. Browse the web for IKEA’s most recent information technology innovations. Are they consistent with the company’s overall strategy? Why or why not?

2.1 Business Processes
- Cross-Functional Processes
- Information Systems and Business Processes
- Robotic Process Automation

Business Processes
- A business process is an ongoing collection of related activities that create a product or service of value to the organization, its business partners, and/or its customers
- Comprised of three elements:
  o Inputs
  o Resources
  o Outputs
- Efficiency vs. effectiveness

Cross-Functional Processes
- No single department or functional area is responsible
- Steps executed in a coordinated, collaborative way
- Procurement and fulfillment cross-functional processes

Table 2.1 Examples of Business Processes

Accounting Business Processes
- Managing accounts payable
- Managing invoice billings
- Managing accounts receivable
- Managing petty cash
- Reconciling bank accounts
- Producing month-end close
- Managing cash receipts
- Producing virtual close

Finance Business Processes
- Managing account collection
- Producing property tax assessments
- Managing bank loan applications
- Managing stock transactions
- Producing business forecasts
- Generating financial cash-flow reports
- Applying customer credit approval and credit terms

Marketing Business Processes
- Managing post-sale customer follow-up
- Handling customer complaints
- Collecting sales taxes
- Handling returned goods from customers
- Applying copyrights and trademarks
- Producing sales leads
- Using customer satisfaction surveys
- Entering sales orders
- Managing customer service
- Training sales personnel

Table 2.1 Examples of Business Processes (Continued)

Production/Operations Management Business Processes
- Processing bills of materials
- Managing quality control for finished goods
- Processing manufacturing change orders
- Auditing for quality assurance
- Managing master parts list and files
- Receiving, inspecting, and stocking parts and materials
- Managing packing, storage, and distribution
- Processing physical inventory
- Handling shipping and freight claims
- Handling vendor selection, files, and inspections

Human Resources Business Processes
- Applying disability policies
- Producing performance appraisals and salary adjustments
- Managing employee hiring
- Handling employee orientation
- Managing resignations and terminations
- Managing files and records
- Applying training and tuition reimbursement
- Applying health care benefits
- Managing travel and entertainment
- Managing pay and payroll
- Managing workplace rules and guidelines
- Overseeing workplace safety

Management Information Systems Business Processes
- Managing antivirus control
- Applying electronic mail policy
- Handling computer security issues incident reporting
- Generating internet use policy
- Training computer users and staff
- Managing service agreements and emergency services
- Applying disaster recovery procedures
- Applying user workstation standards
- Managing the use of personal software

FIGURE 2.1 Business process e-ticket ordering.

Information Systems and Business Processes
- IS play a vital role in three areas of business processes:
  o Executing the process
  o Capturing and storing process data
  o Monitoring process performance

Executing the Process
- IS help execute the process by:
  o Informing employees when it is time to complete a task
  o Providing required data
  o Providing a means to complete the task

Capturing and Storing Process Data
- Processes generate data
  o Dates, times, product numbers, quantities, prices, addresses, names, employee actions
- IS capture and store process data (aka transaction data)
- Capturing and storing data provides immediate, real-time feedback

Monitoring Process Performance
- IS evaluate information to determine how well a process is being executed
- Evaluations occur at two levels:
  o Process level
  o Instance level
- Monitoring identifies problems for process improvement

Robotic Process Automation
- Robotic process automation (RPA) is a system that enables enterprises to automate business processes and tasks that historically were carried out by employees.
- Companies that employ RPA develop software “robots”—known as bots—that automate the steps in a business process.

Example: IT’s About Business 2.1 Pizza Hut to Use Robots to Deliver Pizzas in Vancouver
Questions:
1. Describe the steps of a typical pizza delivery business process.
2. Describe the fundamental elements of Pizza Hut’s new delivery business process in terms of inputs, resources, and outputs.
3. Explain the use of robots, such as those used by Pizza Hut, in terms of the three roles of information systems: executing the process, capturing and storing data, and monitoring performance.

2.2 Business Process Reengineering, Business Process Improvement, and Business Process Management
- Reengineering
- Improvement
- Management

Measures of Excellence in Executing Business Processes
- Customer satisfaction
- Cost reduction
- Cycle and fulfillment time reduction
- Quality
- Differentiation
- Productivity

Business Process Reengineering (BPR)
- Michael Hammer & James Champy, 1993, Reengineering the Corporation
- Business process reengineering (BPR)
  o A radical redesign of an organization’s business processes to increase productivity and profitability
  o Examines business processes with a “clean slate” approach

Business Process Improvement (BPI)
- Business process improvement (BPI)
  o An incremental approach to move an organization toward business process centered operations
  o Focuses on reducing variation in process outputs by identifying the underlying cause of the variation
- Six Sigma is a popular methodology for BPI

Business Process Improvement (BPI) and DMAIC
- Five basic phases of successful BPI:
  o Define
  o Measure
  o Analyze
  o Improve
  o Control

BPI versus BPR
  BPI                           | BPR
  ------------------------------|------------------------------
  Low risk/low cost             | High risk/high cost
  Incremental change            | Radical redesign
  Bottom-up approach            | Top-down approach
  Takes less time               | Time consuming
  Quantifiable results          | Impacts can be overwhelming
  All employees trained in BPI  | High failure rate

Business Process Management (BPM) and Key Components
- A management system used to support continuous BPI initiatives for core business processes over time
- Important components of BPM:
  o Process modeling
  o Business activity monitoring (BAM)

BPMS and Social BPM
- Business process management suite (BPMS)
  o An integrated set of applications used for BPM
- Emerging trend of social BPM
  o Technologies enabling employees to collaborate across functions internally and externally using social media tools

2.3 Business Pressures, Organizational Responses, and Information Technology Support
- Business Pressures
- Organizational Responses

Business Pressures
- Market pressures
- Technology pressures
- Societal, political, and legal pressures

FIGURE 2.2 Business pressures, organizational performance and responses, and IT support.

Market Pressures
- Globalization
- Changing nature of the workforce
- Powerful customers

Globalization
- The integration and interdependence of economic, social, cultural, and ecological facets of life, made possible by rapid advances in IT.
- Globalization is markedly increasing competition.
- Many labour-intensive industries have moved their operations to countries with low labour costs. IT has made such moves much easier to implement.

Changing Nature of the Workforce
- The workforce is becoming more diversified:
  o Women
  o Single parents
  o Minorities
  o Persons with disabilities
- IT is enabling telecommuting employees

Powerful Customers
- Increasing consumer sophistication and expectations
- Consumers are more knowledgeable about
  o Products and services
  o Price comparisons
  o Electronic auctions
- Customer relationship management (CRM)

Technology Pressures
- Technological innovation and obsolescence
  o Rapid development of both new and substitute products and services
- Information overload
  o Vast stores of data, information, and knowledge
  o Difficulties in managing data for decision making

Societal, Political, and Legal Pressures
- Social responsibility
- Compliance with government regulations
- Protection against criminal activities
- Ethical issues

Social Responsibility
- Green IT
  o Facilities design and management
  o Carbon management
  o International and U.S. state environmental laws
- Digital Divide
  o Refers to the gap between those individuals who have access to information and communications technologies and those who do not
  o Exists both within and among countries

Social Responsibility and Philanthropy in Business
- PatientsLikeMe
- Kiva
- Canadian Red Cross

Compliance with Government Regulations
- Government regulations regarding health, safety, environmental protection, and equal opportunity
- Personal Information Protection and Electronic Documents Act (PIPEDA)

Protection against Criminal Activities
- Computer systems can be used to create fraudulent or fictitious transactions that are used to steal funds from banks or other organizations, or to engage in identity theft—the use of another person’s identity for financial gain.
- US Department of Homeland Security (DHS) and Canada Border Services Agency (CBSA)
  o Biometric screening systems

Ethical Issues
- General standards of right and wrong
  o Information-processing activities
  o Monitoring employee e-mail
  o Privacy of customer data

Group Assignment 1: IT’s About Business 2.2 Renting Electric Vehicles for Competitive Advantage
Questions:
1. Describe the political/social/legal pressures on Hertz.
2. Describe the technological pressures on Hertz.
3. Describe the economic pressures on Hertz.
4. How will EVs create a competitive advantage for Hertz?

End of Session

Next session: Competitive Advantage and Strategic IS

Organizational Responses
- Strategic systems
- Customer focus
- Make-to-order and mass customization
- E-business and e-commerce

2.4 Competitive Advantage and Strategic Information Systems
- Competitive Strategy
- Strategic Information Systems (SIS)
- Porter’s Competitive Forces Model
- Porter’s Value Chain Model
- Strategies for Competitive Advantage
- Business–Information Technology Alignment

Porter’s Competitive Forces Model
1. Threat of entry of new competitors
2. Bargaining power of suppliers
3. Bargaining power of customers/buyers
4. Threat of substitute products or services
5. Rivalry among existing firms within the industry

FIGURE 2.3 Porter’s Competitive Forces Model.

Porter’s Value Chain Model
- Value chain
  o A sequence of activities through which the organization’s inputs are transformed into valuable outputs
- Primary activities
  o Relate to production and distribution of products and services
- Support activities
  o Support primary activities, contributing to competitive advantage

FIGURE 2.4 Porter’s Value Chain Model.

Primary Activities
Five primary activities for manufacturing:
1. Inbound logistics (inputs)
2. Operations (manufacturing and testing)
3. Outbound logistics (storage and distribution)
4. Marketing and sales
5. Services

Support Activities
Four support activities:
1. Firm’s infrastructure (accounting, finance, management)
2. Human resources management
3. Product and technology development (R&D)
4. Procurement

Strategies for Competitive Advantage
- Cost leadership
- Differentiation
- Innovation
- Operational effectiveness
- Customer orientation

FIGURE 2.5 Strategies for Competitive Advantage.

Business–Information Technology Alignment
Six characteristics of excellent alignment:
1. Organizations view IT as an engine of innovation that continually transforms the business, often creating new revenue streams.
2. Organizations view their internal and external customers and their customer service function as supremely important.
3. Organizations rotate business and IT professionals across departments and job functions.
4. Organizations provide overarching goals that are completely clear to each IT and business employee.
5. Organizations ensure that IT employees understand how the company makes (or loses) money.
6. Organizations create a vibrant and inclusive company culture.

Example: IT’s About Business 2.3 Deploy Technology to Win Championships and Attract and Connect Fans
Questions:
1. Consider all the technologies discussed in this case. Taken together, are they strategically important to MLSE’s Toronto Raptors team? Why or why not? Provide specific examples to support your answer.
2. Are they strategically important to MLSE’s Scotiabank Arena? Why or why not? Provide specific examples to support your answer.
3. Have you experienced any of the technologies discussed in the case? Do you feel your experience was improved with the use of technology?

Closing Case: Pick n Pay Creates an Operational and Customer-Oriented Advantage with Cloud
Questions:
1. Why did Pick n Pay want to upgrade their enterprise solution to one that was hosted in the cloud?
2. Why did Pick n Pay make use of Lemongrass’s services for this project?
3. How do AWS and SAP provide a competitive advantage to Pick n Pay and other retailers who use their products?

Week 3: Data and Knowledge Management (Chapter 5)

Learning Objectives
1. Discuss ways that common challenges in managing data can be addressed using data governance.
2. Identify and assess the advantages and disadvantages of relational databases.
3. Define Big Data and explain its basic characteristics.
4. Explain the elements necessary to successfully implement and maintain data warehouses.
5. Describe the benefits and challenges of implementing knowledge management systems in organizations.
6. Understand the processes of querying a relational database, entity-relationship modelling, and normalization and joins.

Agenda
1. Quiz 1 Review
2. Recap on Data, Information, and Knowledge
3. Managing Data
4. The Database Approach
5. Data Warehouses and Data Marts
6. Big Data
7. Knowledge Management
NOT COVERING: Appendix: Fundamentals of Relational Database Operations

Quiz 1 Review

Recap
- Data
  o facts or observations representing events such as business transactions
- Information
  o data shaped into a form that is meaningful and useful to humans
- Knowledge
  o created by analyzing information; may lead to action

Recap: Data, Information, Knowledge, and Wisdom Hierarchy
[Source: Rowley, J. (2007). The wisdom hierarchy: representations of the DIKW hierarchy. Journal of Information Science, 33(2), 163-180.]

Recap
- This chapter, we will learn how organizations transform data first into information, and then into knowledge
  o This process is called “Business Intelligence”
- Knowledge Management
  o an organizational process that “captures and stores knowledge in forms that all organizational employees can access and apply”

Managing Data
- The Difficulties of Managing Data
- Data Governance

The Difficulties of Managing Data
- Data increases exponentially with time
- Data silos
- Multiple sources of data
- New sources of data
- Data degrade (less relevant over time)
- Data rot (imagine your hard drive crashing)
- Data security, quality, and integrity
- Government regulations
- Unstructured data
- Big data

Data Governance
- Is part of IT governance
- An approach to managing information across an entire organization
- Ensures that data is available, transparent, and useful
- Fosters “a single version of the truth”
- Provides a planned approach to data management for all types of data
- Includes a formal set of business processes and policies for data handling
- Requires well-defined, unambiguous rules (both manual and IT) to avoid functional inconsistency
  o Such rules address creating, collecting, handling, and protecting data

Data Governance
- Transactional data
  o represents activities or events, such as a customer invoice;
  o stored as tables in a database
- Master data
  o is core data, such as employee name, address, or customer credit limit, that is applied to multiple transactions;
  o stored as tables as part of a database

The Database Approach
- The Data Hierarchy
- The Relational Database Model
- Database Management Systems

The Data Hierarchy
- Bit – the smallest unit of data, 0s and 1s
- Byte – group of 8 bits that represent a character
- Field (column) – logical grouping of characters/words representing an attribute or characteristic
- Record (row) – group of related fields describing an entity (e.g., person, event)
- Data file or table – logical grouping of related records (several rows and columns)
- Database – logical grouping of related data files

Figure: Hierarchy of data for a computer-based file.

Figure: Example of a table (books), showing a key field, fields, and a record.

The Relational Database Model
- Key terms
  o Data model – a diagram representing entities and relationships.
  o Entity – a person, place, thing (e.g., employee, customer, city)
  o Attribute – characteristic of a particular entity
  o Primary key – unique identifier of each record
  o Secondary key – identifying information that is not unique
  o Foreign key – a field in one table that uniquely identifies a record in another table
- Examples – Oracle, MS Access

The Relational Database Model
- ORDER and PARTS share “Part_Number”; PARTS and SUPPLIER share “Supplier_Number” (the figure marks the primary key, secondary key, and foreign key in each table)
- To find the name and address of the supplier of part 137 we need data from 2 tables
- Data stored in one table relates to data stored in another table when both tables share a common element

Figure: Employee database as one big table.

Figure: Employee database split into three relational tables (Table 1; Tables 2 & 3).

Database Management Systems Minimize Three Main Problems
- Data redundancy
- Data isolation
- Data inconsistency

Database Management Systems Maximize Three Things
- Data security
- Data integrity
- Data independence

FIGURE 5.1 Database management system.
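The two-table lookup from the relational-model slide (the supplier of part 137), worked through in SQLite as an added example that is not part of the slides or the textbook. The table names and the shared columns Part_Number and Supplier_Number come from the slide; every row value, the remaining columns, and the constraints are assumptions made for the example. The block also shows the DBMS refusing writes that would break integrity, which is the "maximize data integrity" point from the DBMS slide.

```python
"""Added example, not from the course slides or the textbook: the ORDER, PARTS
and SUPPLIER tables from the relational-model slide built in SQLite, with the
primary/foreign keys the slide describes and the two-table lookup for the
supplier of part 137. Every row value (names, addresses, numbers other than
part 137) is constructed for this example."""
import sqlite3

# The slide's ORDER table is named "orders" here because ORDER is an SQL keyword.
SCHEMA = """
CREATE TABLE supplier (
    supplier_number INTEGER PRIMARY KEY,       -- primary key: unique per supplier
    supplier_name   TEXT NOT NULL,             -- secondary key: identifying, not unique
    address         TEXT NOT NULL
);
CREATE TABLE parts (
    part_number     INTEGER PRIMARY KEY,
    description     TEXT NOT NULL,
    supplier_number INTEGER NOT NULL
        REFERENCES supplier(supplier_number)   -- foreign key shared with SUPPLIER
);
CREATE TABLE orders (
    order_number INTEGER PRIMARY KEY,
    part_number  INTEGER NOT NULL
        REFERENCES parts(part_number),         -- foreign key shared with PARTS
    quantity     INTEGER NOT NULL CHECK (quantity > 0)
);
"""

# Constructed sample rows (hypothetical suppliers, parts and orders).
SUPPLIERS = [(15, "Acme Fasteners", "12 Mill Rd, Ottawa"),
             (22, "Northern Bearings", "9 Harbour St, Halifax")]
PARTS = [(137, "M8 hex bolt", 15), (138, "M8 nut", 15), (211, "Ball bearing", 22)]
ORDERS = [(1001, 137, 500), (1002, 211, 40)]


def build_db() -> sqlite3.Connection:
    """In-memory database with foreign-key enforcement switched on. SQLite
    leaves it off by default, in which case the REFERENCES clauses above would
    be parsed but never enforced."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript(SCHEMA)
    with con:
        con.executemany("INSERT INTO supplier VALUES (?, ?, ?)", SUPPLIERS)
        con.executemany("INSERT INTO parts VALUES (?, ?, ?)", PARTS)
        con.executemany("INSERT INTO orders VALUES (?, ?, ?)", ORDERS)
    return con


def supplier_of_part(con: sqlite3.Connection, part_number: int):
    """The slide's question: the name and address of the supplier of a part.
    PARTS holds only Supplier_Number, so the answer needs a join with SUPPLIER
    on that shared column. Returns (name, address), or None for an unknown part."""
    return con.execute(
        """SELECT s.supplier_name, s.address
             FROM parts AS p
             JOIN supplier AS s ON s.supplier_number = p.supplier_number
            WHERE p.part_number = ?""",
        (part_number,),   # bound parameter; the value is never pasted into the SQL text
    ).fetchone()


def try_exec(con: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """Run one statement; True if it was committed, False if the DBMS rejected
    it with an integrity violation (duplicate key, dangling foreign key, CHECK)."""
    try:
        with con:           # commits on success, rolls back on exception
            con.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def integrity_checks(con: sqlite3.Connection) -> dict:
    """The DBMS doing the 'maximize data integrity' job from the slides: one
    well-formed insert succeeds, four violating statements are refused."""
    return {
        "valid_order": try_exec(con, "INSERT INTO orders VALUES (?, ?, ?)", (1003, 138, 10)),
        # part 999 does not exist -> foreign-key violation
        "orphan_order": try_exec(con, "INSERT INTO orders VALUES (?, ?, ?)", (1004, 999, 1)),
        # supplier 15 already exists -> primary-key violation
        "duplicate_supplier": try_exec(con, "INSERT INTO supplier VALUES (?, ?, ?)",
                                       (15, "Duplicate Co", "nowhere")),
        # CHECK (quantity > 0) refuses a zero-quantity order
        "zero_quantity": try_exec(con, "INSERT INTO orders VALUES (?, ?, ?)", (1005, 137, 0)),
        # supplier 15 is still referenced by parts -> delete refused, no orphans left behind
        "delete_referenced_supplier": try_exec(
            con, "DELETE FROM supplier WHERE supplier_number = ?", (15,)),
    }


def order_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print("supplier of part 137:", supplier_of_part(db, 137))
    print(integrity_checks(db), "orders now:", order_count(db))
```

The join is what the slide means by "we need data from 2 tables": PARTS only carries the supplier's number, so the name and address have to be read from SUPPLIER through that shared key. The refused writes show why the slides list data integrity as something a DBMS maximizes and redundancy as something it minimizes: the one-big-table design from the employee-database figure would have to repeat the supplier's address on every part row, and nothing would stop the copies from drifting apart.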
25 Challenges with Databases A bookstore manager needs to know “the trend in the profit margins on used books over the past 10 years” o the database contains the information needed by the manager, but it is not organized in a way that it is easy to find (need to construct complicated queries) o the database is designed to process large numbers of transactions daily, hence complicated queries might degrade its performance o the database is designed to be updated, which requires extra processing o databases are designed to access a single record at a time 26 Challenges with Databases Solution o Data Warehouses o Data Marts Before o DSS or EIS = database (DB) + model + interface After: Introduction of the Data Warehouse (DW) o Reporting and analysis = DW o Transaction processing = DB 27 End of Session 28 Next Session Data Warehouses and Data Marts Big Data Knowledge Management 29 Describing Data Warehouses and Data Marts Data warehouse o A repository of historical data that are organized by subject to support decision makers in the organization o Primary purpose is to aggregate information throughout an organization into a single repository for decision-making purposes Data mart o A low-cost, scaled-down version of a data warehouse designed for end-user needs in a strategic business unit (SBU) or individual department 30 Describing Data Warehouses and Data Marts Databases store the information necessary for day-to- DW day transactions (operational level) Data Warehouses DW store information for analysis and decision- DB making (management and strategic levels) 31 Basic Characteristics of Data Warehouses and Data Marts Organized by business dimension or subject Use online analytical processing (OLAP) Integrated Time variant Nonvolatile Multidimensional 32 A Generic Data Warehouse Environment Source systems Data integration Storing the data Metadata Data quality Data governance Users 33 Data warehouse framework. 34 Relational databases. 35 FIGURE 5.6 Data cube. 
36 Equivalence between relational and multidimensional databases. 37 Big Data Defining Big Data Characteristics of Big Data Issues with Big Data Managing Big Data Putting Big Data to Use Big Data Used in the Functional Areas of the Organization 38 Defining Big Data Difficult to define Big Data Two descriptions 39 Big Data Description (From Gartner Research) Diverse, high-volume, high-velocity information assets that require new forms of processing to enable enhanced decision making, insight discovery, and process optimization (www.gartner.com) 40 Big Data Description (From the Big Data Institute - TBDI) Exhibit variety Includes structured, unstructured, and semi-structured data Are generated at high velocity with an uncertain pattern Do not fit neatly into traditional, structured, relational databases Can be captured, processed, transformed, and analyzed in a reasonable amount of time only by sophisticated information systems. (https://thebigdatainstitute.wordpress.com) 41 Big Data Makeup Big Data generally consists of: o Traditional enterprise data o Machine-generated/sensor data o Social data o Images captured by billions of devices located around the world Digital cameras, camera phones, medical scanners, and security cameras 42 Characteristics of Big Data Volume Velocity Variety 43 Issues with Big Data Big Data can come from untrusted data sources Big Data is dirty Big Data changes, especially in data streams 44 Managing Big Data When properly analyzed, big data can reveal valuable patterns and information Database environment Traditional relational databases versus NoSQL databases Open-source solutions 45 Putting Big Data to Use Making Big Data available Enabling organizations to conduct experiments Micro-segmentation of customers Creating new business models Organizations can analyze more data 46 Big Data Used in the Functional Areas of the Organization Human resources Product development Operations Marketing Government operations 47 Example: IT’s About 
Business 5.2 Data Lakes and Lakehouses Questions 1. Discuss the advantages and disadvantages of enterprise data warehouses. 2. Describe the advantages and disadvantages of data lakes. 3. Why don't organizations use enterprise data warehouses to manage Big Data? 4. Describe the advantages and disadvantages of data lakehouses. 48 Summarizing Data Management A database is used to capture and store data. o Databases are well-suited for applications that require transactional operations and structured data storage. o Databases are typically very cost-effective for transactional workloads. Data warehouses are databases used for analysis and reporting, rather than transactional processing. o Data warehouses are often best for complex querying, analytics, reporting, and OLAP (online analytical processing). o While they are typically more expensive than databases, especially for large-scale analytics, they excel with complex analytics queries on large datasets. 49 Summarizing Data Management A data mart is a subset of a data warehouse, containing data focused on a particular business function or team. o They are generally used for business unit-specific reporting and analytics. o Like data warehouses, data marts work best with structured data, and scale based on the underlying data warehouse technology. Data lake is a storage repository that can store vast amounts of raw data in its native format. o They are generally used to store large amounts of raw, unstructured, or semi-structured data for later analysis. o Data lakes are best for handling big data processing, data exploration, and machine learning, since they can handle large volumes of raw data. 50 Summarizing Data Management: Data Warehouses vs Lakes Data Sources: Data warehouses require a defined schema before data can be saved, so only structured data can be loaded into the system. However, data lakes have no such requirement. 
Preprocessing: Data warehouses generally require preprocessing, using ETL tools, before the data can be stored9. On the other hand, data lakes can store any data, giving you the option to preprocess or not. Data Quality: Data warehouses tend to be more reliable since the data can be processed beforehand. 51 Summarizing Data Management: Data Warehouses vs Lakes Performance: Data warehouses are designed for fast query performance. However, data lakes prioritize storage volume and cost over performance. Typical Users: Business users typically prefer to use data warehouses because they can generate reports more efficiently. Data lakes, however, are usually preferred by data scientists, data developers, data engineers, and data architects. 52 Summarizing Data Management 53 Knowledge Management Concepts and Definitions Knowledge Management Systems The KMS Cycle 54 Concepts and Definitions Knowledge management (KM) o A process that helps manipulate important knowledge that comprises part of the organization’s memory, usually in an unstructured format Knowledge Explicit and tacit knowledge 55 Explicit vs Tacit Knowledge Explicit Knowledge o …is information captured in documents such as manuals, reports, and guides. Organizations can easily share explicit knowledge across teams. Tacit Knowledge o …is gained through experience and is understood intuitively, making it difficult to explain to others. Examples of tacit knowledge include language, leadership skills, and facial recognition. 56 Knowledge Management Systems (KMS) Refer to the use of modern information technologies—the Internet, intranet, extranets, databases—to systematize, enhance, and expedite intrafirm and interfirm knowledge management o Best practices 57 The KMS Cycle 58 Common KM Tools Document management systems Intranet Data Warehouses 59 Key challenges in KM Many organizations lack a systematic routine for capturing knowledge. So, even the most valuable knowledge might not be recorded for others to use. 
Even when organizations successfully capture knowledge, they often have weak systems for locating and retrieving it. Knowledge is often tied to the context in which it is created, so storing knowledge without sufficient contextual detail might render it meaningless to people who were not present when it was originally shared. Employees may be reluctant to share knowledge if their organization has a history of rewarding individual achievement over collaboration. Even when employees are willing to share knowledge and organizations have systems for capturing and storing it, there is no guarantee that other employees will access it. Furthermore, even if employees access the knowledge, they may not trust it or use it to inform their decisions. It can be difficult to strike a balance between system flexibility and structure. Overly rigid systems can interfere with knowledge creation and adaptation, while unstructured systems can make it difficult to locate and apply information. 60 Summarizing KM 61 Group Assignment 2: IT’s About Business 5.1 Governance Key to Unlocking Dark Data Questions: o 1/ Define dark data and give examples. [10 points] o 2/ Why do organizations possess "dark data" and what is the potential value of such "dark data" to organizations? [10 points] 62 ADM 2372 Management Information Systems Mayur Joshi, PhD Assistant Professor of Information Systems [email protected] © Copyright. Mayur Joshi. 2024. and © 2024 John Wiley & Sons Canada, Ltd. or the authors All Rights Reserved. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or b y any means, electronic, mechanical, photocopying, recording or otherwise without prior written permission from the professor. Shar ing course materials without permission or uploading course materials to a content sharing website may be treated as an instance of acad emic fraud as well as copyright infringement. 1 Week 4 E-business and E-commerce (Chapter 7) 2 Agenda 1. 
Overview of E-Business and E-Commerce 2. Business-to-Consumer (B2C) Electronic Commerce 3. Business-to-Business (B2B) Electronic Commerce 4. Ethical and Legal Issues in E-Business 3 Opening Case TEMU arrives in Canada Questions: 1. Can TEMU success be sustainable over the long run? Why or why not? 2. Can you think of other industries where the same e-commerce business model could be applied? Provide an example. 3. Consider the discussion in Chapter 2 about Business Pressures. Identify and explain three business pressures that have an impact on TEMU. 4. Could TEMU replace Amazon.ca as the top e-commerce website in Canada? Why or why not? What different ways in which online retailers could respond to TEMU’s threat? 4 Overview of E-Business and E- Commerce Definitions and Concepts Types of E-Commerce Major E-Commerce Mechanisms Electronic Payment Mechanisms Benefits and Limitations of E-Commerce 5 Definitions and Concepts Electronic commerce (e-commerce) o The process of buying, selling, transferring, or exchanging products, services, or information via computer networks, including the Internet Electronic business (e-business) o A much broader concept than e-commerce o Servicing customers, collaborating with business partners, and performing electronic transactions within an organization Degree of digitization o Brick-and-mortar organizations (e.g., traditional companies) o Clicks-and-mortar organizations – partial e-commerce (e.g., all organizations today) o Virtual organizations (e.g., born digital start-ups) 6 E-commerce vs E-business 7 Types of E-Commerce Business-to-consumer (B2C) o E.g., Amazon.ca Business-to-business (B2B) o E.g., Mohawk Medbuy (group purchasing platform), Dell.ca Consumer-to-consumer (C2C) o E.g., Ebay auctions, P2P Lending, Kijiji.ca Business-to-employee (B2E) o E.g., Canada Life portal offered through uOttawa E-government o E.g., Service Ontario online facilities Mobile commerce (m-commerce) Social commerce o E.g., Ads on Instagram where you 
can click and buy
Conversational commerce
o E.g., Chatbots that can converse with customers

8 TABLE 7.1 E-Commerce Business Models
Online direct marketing: Manufacturers or retailers sell directly to customers. Very efficient for digital products and services. Can allow for product or service customization (www.dell.com).
Electronic tendering system: Businesses request quotes from suppliers. Uses B2B with a reverse auction mechanism.
Name-your-own-price: Customers decide how much they are willing to pay. An intermediary tries to match a provider (www.priceline.com).
Find-the-best-price: Customers specify a need; an intermediary compares providers and shows the lowest price. Customers must accept the offer in a short time, or they may lose the deal (www.hotwire.com).
Affiliate marketing: Vendors ask partners to place logos (or banners) on the partner's site. If customers click on a logo, go to the vendor's site, and make a purchase, then the vendor pays commissions to the partners.
Viral marketing: Recipients of your marketing notices send information about your product to their friends.
Group purchasing (e-coops): Small buyers aggregate demand to create a large volume; the group then conducts tendering or negotiates a low price.
Online auctions: Companies run auctions of various types on the Internet. Very popular in C2C, but gaining ground in other types of EC as well (www.ebay.com).
Product customization: Customers use the Internet to self-configure products or services. Sellers then price them and fulfill them quickly (build-to-order) (www.jaguar.com).
Electronic marketplaces and exchanges: Transactions are conducted efficiently (more information to buyers and sellers; lower transaction costs) in electronic marketplaces (private or public).
Bartering online: An intermediary administers an online exchange of surplus products, or a company receives "points" for its contribution, which it can use to purchase other needed items (www.bbubarter.com).
Deep discounters: Company offers deep price discounts.
Appeals to customers who consider only price in their purchasing decisions.
Membership: Only members can use the services provided, including access to certain information, conducting trades, and so on.

9 Major E-Commerce Mechanisms
Electronic catalogs
Electronic auctions
o Competitive buying and selling process based on bidding.
E-storefronts
o A website for a single store, e.g., AirCanada.ca.
E-malls
o A collection of individual shops consolidated under one Internet address.
E-marketplaces
o E.g., digital platforms like Amazon, Ebay

10 Electronic Payment Mechanisms
The key facilitating infrastructure for e-commerce
Electronic cheques (e-cheques)
o Encrypted, electronic version of cheques, used mainly in B2B
Electronic cards
o Electronic credit (or debit) cards
o Purchasing cards (e.g., B2B credit cards)
o Stored-value money cards (e.g., Presto Card)
o EMV smart cards (Europay, Mastercard, Visa: chip cards)
Digital, online payments
o Facilitated by payment gateway accounts (e.g., Paypal)
Bitcoin

11 How e-credit cards work.

12 How e-credit cards work.
1. Purchase intention: your credit card information and purchase amount are encrypted and sent to the vendor.
2. The vendor transfers it automatically (still in encrypted form) to a clearinghouse.
3. The clearinghouse decrypts it for verification and authorization, and asks the bank that issued your credit card (the card issuer bank) to verify the details.
4. The card issuer bank verifies the credit card information and reports this to the clearinghouse.
5. The clearinghouse reports back to the vendor.
6. The vendor reports a successful purchase and the amount to you.
7. The card issuer bank sends funds to the vendor's bank.
8. The card issuer bank notifies you (either electronically or in your monthly statement) of the debit on your credit card.
9. The vendor's bank notifies the vendor of the funds credited to its account.
Security point of the flow: the card details stay encrypted from you to the clearinghouse; the vendor only relays the ciphertext, so it never has to handle or store the raw card number.

13 Example of a purchasing card.

14 Presto Card for Ontario transport.

15 Smart cards are frequently multipurpose.
16 Benefits and Limitations of E-Commerce
Benefits:
o National and international markets are more accessible
o Lowers the cost of processing, distributing, and retrieving information
o Provides access to a vast number of products and services 24/7
o Delivers information, services, and products to people in cities, rural areas, and developing countries
o A key impetus behind how businesses kept operating during the COVID pandemic
Limitations:
o Lack of universally accepted security standards
o In less-developed countries telecommunications bandwidth is often insufficient, and Web access is expensive
o Perceptions that e-commerce is insecure
o Unresolved legal issues
o Lacks a critical mass of buyers and sellers in some markets

17 Business-to-Consumer (B2C) Electronic Commerce
Electronic Storefronts and Malls
Online Service Industry
Issues in E-Tailing

18 Electronic Storefronts and Malls
Electronic retailing (e-tailing)
o The direct sale of products and services through electronic storefronts or electronic malls, usually designed around an electronic catalog format and auctions.
Electronic storefront
o TimHortons.ca
Electronic mall (or digital platforms)
o Amazon.ca
o Apple App Store / Google Play Store

19 Online Services Industries
Fintech
o Cyberbanking
o Online securities trading
o Buying insurance
o P2P lending
Travel
o Booking flight tickets
Music
o Buying/renting/streaming music
News
o Subscriptions
Online advertising
Disintermediation
The online job market

20 Online Services Consequences
Online advertising
o The practice of using the Internet to disseminate information in an attempt to influence a buyer–seller transaction. Its direct-response approach personalizes advertising and marketing, making the advertising process media-rich, dynamic, and interactive.
Disintermediation
o E-commerce often eliminates intermediaries whose only role was to provide information, because that information is now available directly online

21 Advertising Methods
Banners
o Electronic billboards containing a short text, graphics, video clips, or sound to promote a product or a vendor.
Pop-up ad
o An Internet ad that appears in front of the current browser window.
Pop-under ad
o An Internet ad that appears underneath the active window; when users close the active window, they see the ad.
Spamming
o Indiscriminate distribution of electronic ads without the permission of the receiver.
Permission marketing
o Asks consumers to give their permission to voluntarily accept online advertising and e-mail.
Viral marketing
o "Check this out" messages, influencers

22 Issues in E-Tailing
Channel conflict
o A situation in which clicks-and-mortar companies face a conflict with their regular distributors when they begin selling directly to customers online.
Multichannel / showrooming
o Occurs when shoppers visit a brick-and-mortar store to examine a product in person and then research the product on their smartphones; customers often end up purchasing the product from the website of a competitor of the store they are visiting.
Order fulfillment
o If you sell directly, you have to do everything that your distributors used to do (packaging, shipping, handling returns)

23 Business-to-Business (B2B) Electronic Commerce
Sell-Side Marketplace
o Organizations attempt to sell their products or services to other organizations electronically from their own private e-marketplace website and/or from a third-party website. The buyers are organizations.
Buy-Side Marketplace
o Organizations attempt to procure needed products or services from other organizations electronically. Procurement is the overarching function that describes the activities and processes to acquire goods and services.
Electronic Exchanges

24 Sell-Side Marketplace
Key mechanisms for the sell-side marketplace:
o Forward auctions: sellers solicit bids from many potential buyers. Usually, sellers place items for auction on websites, and buyers bid continuously for them. The highest bidder wins the items.
o Electronic catalogs: the seller allows buyers to configure their products through catalogs.
o Third-party auction sites, e.g., Ebay

25 Buy-Side Marketplace
Buy-side marketplace model:
o Procurement involves the activities necessary to establish requirements, sourcing activities such as market research and vendor evaluation, and negotiation of contracts.
o Purchasing is the process of ordering and receiving goods and services; it is a subset of the procurement process.
o Reverse auction: one buyer, usually an organization, wants to purchase a product or a service. The buyer posts a request for quotation (RFQ) on its website or on a third-party site. The RFQ provides detailed information on the desired purchase. Interested suppliers study the RFQ and then submit bids electronically. Everything else being equal, the lowest-price bidder wins the auction.
o E-procurement: procurement done electronically; it typically uses reverse auctions.
o Group purchasing: multiple buyers combine their orders

26 Electronic Exchanges
Three basic types of public exchanges:
o Vertical exchanges connect buyers and sellers in a given industry. Typically owned and managed by a consortium, a group of major players in an industry. E.g., Marriott and Hyatt own a procurement consortium for the hotel industry, and Chevron owns an energy e-marketplace.
o Horizontal exchanges connect buyers and sellers across many industries, primarily for maintenance, repair, and operations (MRO) supplies, e.g., Distribution Now (dnow.com), Alibaba
o Functional exchanges: needed services such as temporary help/labor or extra office space are traded on an "as-needed" basis.
E.g., ZipRecruiter for jobs, LiquidSpace for finding temporary office space

27 Ethical Issues
Threats to privacy (encryption for security, cookies for tracking)
Potential job loss (automation, deskilling)
National governments (how much regulation is good)

28 Legal Issues Specific to E-Commerce
Fraud on the Internet
o Spreading deceptive information
Cybersquatting
o The practice of registering or using domain names for the purpose of profiting from the goodwill or the trademark that belongs to someone else.
Copyright
o Copying material from the Internet without permission
o Piracy

29 Legal Issues Specific to E-Commerce

30 IT's About Business 7.3 Online Fraud in Canada
o In the puppy scam, puppies are advertised for sale online, and when the shopper pays for a puppy and tries to pick it up, they realize that the address is fake.
o In the online product scam, shoppers buy an item from a website, but once payment is made, the product is never delivered, or if it is, it is something different from what was originally bought.
o Rental scams involve a property (house, apartment, commercial space) that is listed online as available for rent, but after making the first payment, the renter arrives to find a property that is already occupied by another person or business.
o Extortion scams: the Canada Revenue Agency (CRA) scam, where the recipient is told that they need to pay the CRA for taxes due; the Canada Border Services Agency (CBSA) email scam, where victims are asked to make a payment to the CBSA in order to remain in Canada; the grandparent scam, where perpetrators pose as a close family member in an emergency such as a car accident or a medical episode and ask for a payment transfer to be made to them urgently.
31 IT's About Business 7.3

32 Quiz 2
Closed book
Multiple choice / fill in the blanks questions
All questions carry equal marks, and all are mandatory

1 Week 5 Ethics and Privacy (Chapter 3)

2 Agenda
1. Ethical Issues
2. Privacy

3 Ethical Issues
Ethical Frameworks
Ethics in the Corporate Environment
Ethics and Information Technology

4 Ethics
The principles of right and wrong that individuals use to make choices that guide their behavior
o What is ethical to one person or group might be unethical to another person or group (e.g., attitudes to child labor)
o Ethics (from the Ancient Greek "ethikos", meaning "theory of living") attempts to understand the nature of morality; to distinguish "right" from "wrong"

5 Ethical Frameworks
Five widely used standards:
o Utilitarian approach
o Rights approach
o Fairness approach
o Common good approach
o Deontology approach
These five standards are used to develop a general framework for ethical decision making

6 Ethical Frameworks
Utilitarian approach
o "An ethical action is the one that provides the most good or does the least harm"
o E.g., a corporation uses and promotes environmentally sustainable computing (aka green computing)
Rights approach
o "An ethical action is the one that best protects and respects the moral rights of the affected parties"
o E.g., a corporation protects the
privacy of its customers
Fairness approach
o Treat all humans equally, or if unequally, then fairly

7 Ethical Frameworks
Common good approach
o Respect and compassion for all others is the basis for ethical actions
Deontology approach
o An action is right or wrong based on rules rather than the consequences of the action
o E.g., the belief that killing is wrong even in self-defence

8 Table 3.1 Traditional and GVV Approaches to Resolving Ethical Issues

Traditional Approach
1. Recognize an ethical issue
 o Could this decision or situation damage someone or some group?
 o Does this decision involve a choice between a good and a bad alternative?
 o Does this issue involve more than simply legal considerations? If so, then in what way?
2. Get the facts
 o What are the relevant facts of the situation?
 o Do I have sufficient information to make a decision?
 o Which individuals or groups have an important stake in the outcome?
 o Have I consulted all relevant persons and groups?
3. Evaluate alternative actions
 o Which option will produce the most good and do the least harm? (the utilitarian approach)
 o Which option best respects the rights of all stakeholders? (the rights approach)
 o Which option treats people equally or proportionately? (the fairness approach)
 o Which option best serves the community as a whole, and not just some members? (the common good approach)
4. Make a decision and test it
 o Considering all the approaches, which option best addresses the situation?
5. Act and reflect on the outcome of your decision
 o How can I implement my decision with the greatest care and attention to the concerns of all stakeholders?
 o How did my decision turn out, and what did I learn from this specific situation?

Giving Voice to Values (GVV) Approach
1. Identify an ethical issue
 o What are the different issues that give rise to this ethical issue?
 o What are the values of the individuals or organizations underlying this ethical issue?
 o Is there a possibility of action to resolve the ethical issue?
2. Purpose and choice
 o What personal choices do you have in reacting to this ethical issue?
 o What is your most appropriate professional choice, being guided by professional rules, and what would be a "good" choice?
3. Stakeholder analysis
 o Who is affected by the ethical issue?
 o How are they affected if I do give voice to resolving the issue?
 o How are they affected if I do not give voice to resolving the issue?
 o How can I connect with the stakeholders to best deal with the ethical issue?
4. Powerful response
 o Who is my audience?
 o What types of things could I say to provide a response to the ethical issue?
 o What are some inhibiting arguments that would prevent me from acting?
 o What could I say in response to the inhibiting arguments (called an enabling argument)?
 o What external arguments (called levers) support my enabling arguments?
 o What external research supports or refutes my arguments?
5. Scripting and coaching
 o What words (script) could I use when talking about the ethical issue? (consider both positive and negative responses)
 o Who can I practise with?
 o How would I approach my audience to provide the best opportunity for discussing the ethical issue?

9 Ethics in the Corporate Environment
Code of ethics
o Most organizations have their own code of what they consider ethical

10 Ethics in the Corporate Environment

11 Ethics in the Corporate Environment

12 Ethics in the Corporate Environment
Fundamental tenets of ethics
o Responsibility: you can recognize, interpret, and act upon multiple principles and values according to ethical standards.
o Accountability: acknowledgment of responsibility and the acceptance of being answerable for the results (or actions) of a system or behavior and its potential impacts.
o Liability: a legal concept that gives individuals the right to recover the damages done to them by other individuals, organizations, or systems.
What is unethical is not necessarily illegal

13 Unethical vs illegal (the four combinations of ethical/unethical and legal/illegal)
1. Ethical & Legal: A company that complies with data privacy regulations like GDPR and takes additional steps to protect user data, such as encrypting all communications. E.g., Apple's focus on user privacy and encryption beyond what is legally required.
2. Unethical & Legal: A social media company collecting extensive user data and selling it to third parties without user consent, though it's legal under certain terms and conditions. E.g., Facebook's data-sharing practices before stronger privacy laws like GDPR.
3. Ethical & Illegal: A software developer who bypasses a government-imposed internet censorship firewall to provide free access to information in repressive regimes. E.g., developers creating tools to access blocked websites in countries with strict internet censorship, like China.
4. Unethical & Illegal: A company engaging in cybercrime, such as hacking into competitor systems to steal trade secrets. E.g., corporate espionage involving hacking, like when companies steal intellectual property from competitors.

14 Ethics and Information Technology
Four general categories of ethical issues related to IT:
Privacy issues
o What kind of data is collected, stored, disseminated
Accuracy issues
o Authenticity, fidelity, and correctness of data
Property issues
o Who owns the data
Accessibility issues
o Who uses the data, and what are their rights and obligations

15 Ethics and Information Technology
Privacy Issues
What information about oneself should an individual be required to reveal to others?
What kinds of surveillance can an employer use on its employees?
What types of personal information can people keep to themselves and not be forced to reveal to others?
What information about individuals should be kept in databases, and how secure is the information there?
Accuracy Issues Who is responsible for the authenticity, fidelity, and accuracy of the information collected? How can we ensure that the information will be processed properly and presented accurately to users? How can we ensure that errors in databases, data transmissions, and data processing are accidental and not intentional? Who is to be held accountable for errors in information, and how should the injured parties be compensated? Property Issues Who owns the information? What are just and fair prices for its exchange? How should we handle software piracy (illegally copying copyrighted software)? Under what circumstances can one use proprietary databases? Can corporate computers be used for private purposes? How should experts who contribute their knowledge to create expert systems be compensated? How should access to information channels be allocated? Accessibility Issues Who is allowed to access information? How much should companies charge for permitting access to information? How can access to computers be provided for employees with disabilities? Who will be provided with the equipment needed for accessing information? What information does a person or an organization have a right to obtain, under what conditions, and with what safeguards? 16 Privacy Privacy o The right to be left alone and to be free of unreasonable personal intrusions Information privacy o The right to determine when, and to what extent, information about you can be gathered and/or communicated to others 17 Privacy Rules Court decisions in many countries have followed two rules: 1. The right of privacy is not absolute. Privacy must be balanced against the needs of society. 2. The public’s right to know supersedes the individual’s right of privacy. 
18 Privacy Concerns Electronic surveillance Personal information in databases Information on Internet bulletin boards, newsgroups, and social networking sites Privacy codes and policies 19 Electronic Surveillance Using technology to monitor individuals as they go about their daily routines Conducted by employers, governments, and other institutions Examples: o Surveillance cameras in airports, subways, banks, and other public venues Inexpensive digital sensors are found in laptop webcams, video game sensors, smartphone cameras, utility meters, passports, and ID cards Smartphones create geotags Google and Microsoft street view images Drones 20 Personal Information in Databases Personal data/record keepers: o Credit reporting agencies o Banks and financial institutions o Utility companies o Employers o Hospitals o Schools o Government agencies (CRA, province, municipality) 21 Personal Information and Major Concerns Major concerns about information you provide record keepers: o Do you know where the records are? o Are the records accurate? o Can you change inaccurate data? o How long will it take to make a change? o Under what circumstances will personal data be released? o How are the data used? o To whom are the data given or sold? o How secure are the data against access by unauthorized people? 
22 Privacy Codes and Policies
An organization's guidelines for protecting the privacy of its customers, clients, and employees
o Opt-out model: personal data is collected and shared unless the individual explicitly declines
o Opt-in model: personal data is collected and shared only after the individual explicitly agrees

23 Privacy Codes and Policy Standards
Europe:
o Has strong privacy laws, originally emanating from an EU Directive (the 1995 Data Protection Directive)
o Each country implemented its own legislation and supervisory authority to conform to the EU Directive
o General Data Protection Regulation (GDPR), in force since 2018, replaced the Directive and applies directly in every member state
o EU AI Act (2024)

24 Privacy Codes and Policy Standards
USA:
o Information privacy is not highly legislated or regulated at the federal level
o Some states have enacted legislation aimed at protecting citizens
o Children's Online Privacy Protection Act (COPPA) to protect children's online safety and privacy
o Health Insurance Portability and Accountability Act (HIPAA) to protect the exchange and sharing of healthcare information

25 Privacy Codes and Policy Standards
Canada:
o Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal act that applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activity (provinces with substantially similar legislation, such as Quebec, British Columbia, and Alberta, apply their own laws to activity within the province)
o Examples of personal information:
  pension and employment insurance files
  medical records
  tax records
  security clearances
  student loan applications
  military records

26 Canada's PIPEDA

27 Canada's PIPEDA

28 Canada's PIPEDA
To become PIPEDA compliant, companies need to develop a privacy policy statement

29 Benefits of Privacy Policy
To protect the organization's public image or brand image
To maintain or enhance trust and promote continued consumer confidence in the organization and promote goodwill
To achieve a competitive advantage in the marketplace by maintaining high-quality, accurate customer information
To meet legal requirements of industry associations or organizations
To efficiently manage personal information, reducing administration or data-handling costs and avoiding additional financial costs

1 Week 5 Session 2: Information Security (Chapter 4)

2 Agenda
1. Introduction to Information Security
2. Unintentional Threats to Information Systems
3. Deliberate Threats to Information Systems
4. What Organizations are Doing to Protect Information Resources
5. Information Security Controls
6. Personal Information Asset Protection

3 Introduction
Security
o The degree of protection against criminal activity, danger, damage, or loss.
Information security
o Processes and policies designed to protect an organization's information and IS from unauthorized access, use, disclosure, disruption, modification, or destruction.

4 Introduction
Threat
o Any danger to which a system may be exposed.
Exposure
o The harm, loss, or damage that can result if a threat compromises that resource.
Vulnerability
o The possibility that a threat will harm that resource.

5 Introduction
[Figure: physical security ("lock the vault") versus information security ("there are so many things to lock")]

6 Introduction
What makes IS vulnerable to threats?
o Today's interconnected, interdependent, wirelessly networked business environment: untrusted networks, unsecured wireless connections
o Smaller, faster, inexpensive computers and storage devices: easy to steal data using portable devices; more computers means more possible targets
o Decreasing skills necessary to be a computer hacker: scripts and tutorials available in plenty
o International organized crime taking over cybercrime: illegal activities conducted over computer networks, particularly the Internet
o Lack of management support

7 Information Security Threats

8 Unintentional Threats
Human Errors
Social Engineering

9 Human Errors
Higher-level employees + greater access privileges = greater threat
Two functional areas pose significant threats:
o Human resources department
o Information systems department
Other areas of threat:
o Contract labor, consultants, janitors, and guards

10 Common Human Error
Carelessness with computing devices

11 Common Human Error
Opening questionable e-mail

12 Common Human Error
Poor password selection and use

13 Common Human Error
Carelessness with one's office
o Leaving computer on / logged in unattended
Carelessness using unmanaged devices
o Using public computers (hotels, public libraries) to do confidential work
Carelessness with discarded equipment
o Discarding without wiping
Careless monitoring of environmental hazards
Careless Internet surfing
o Falling for lucrative offers

14 Common Human Error (summary)
Carelessness with computing devices
Opening questionable e-mail
Careless Internet surfing
Poor password selection and use
Carelessness with one's office
Carelessness using unmanaged devices
Carelessness with discarded equipment
Careless monitoring of environmental hazards

16 Social Engineering
A type of unintentional threat: the employee is not intending to commit a fraud, but instead falls for it
An attack in which the perpetrator uses social skills to trick or manipulate legitimate employees into providing confidential company information such as passwords

17 Deliberate Threats to Information Systems
Espionage or trespassing
o Titan Rain: A series of cyber espionage attacks conducted by Chinese hackers targeting U.S. government networks between 2003 and 2005.
o GhostNet: Discovered in 2009, this surveillance network infiltrated over 1,000 computers in 103 countries, including embassies and government offices.
Information extortion
o WannaCry Ransomware Attack: In 2017, this ransomware encrypted data on infected computers and demanded ransom payments in Bitcoin to decrypt the data.
o Baltimore Ransomware Attack: In 2019, the city of Baltimore's government systems were crippled by ransomware demanding a ransom to restore access.
Sabotage or vandalism
o Sony Pictures Hack (2014): Hackers infiltrated Sony Pictures' network, leaked confidential data, and deleted files, causing significant disruption.
o NotPetya Cyberattack (2017): This malware attack targeted Ukrainian companies and spread globally, causing widespread damage and financial losses.

18 Deliberate Threats to Information Systems
Theft of equipment or information
o TJX Companies Data Breach (2007): Hackers stole over 45 million credit and debit card numbers from the retailer.
o Equifax Data Breach (2017): Personal information of 147 million people was exposed due to a cyberattack on the credit reporting agency.
Identity theft
o ChoicePoint Incident (2004): A data breach at ChoicePoint compromised the personal information of about 163,000 individuals.
o Anthem Inc.
Breach (2015): This breach potentially exposed the personal information of 78.8 million people Compromises to intellectual property Operation Aurora (2009): A series of cyberattacks originating from China targeted intellectual property and source code repositories of major companies like Google. DuPont Trade Secrets Theft (2014): A former employee stole trade secrets related to DuPont’s Kevlar technology and sold them to a competitor 19 Deliberate Threats to Information Systems Software attacks Stuxnet (2010): A sophisticated worm that targeted Iran’s nuclear facilities, causing physical damage to centrifuges. SolarWinds Attack (2020): Hackers inserted malicious code into SolarWinds’ software updates, compromising numerous government and private sector networks. Alien software Pegasus Spyware: Used to target journalists, activists, and political figures by exploiting vulnerabilities in mobile devices. FinFisher: Spyware used by governments for surveillance, infiltrating systems across multiple countries. Supervisory control and data acquisition (SCADA) attacks Stuxnet (2010): Targeted SCADA systems controlling Iran’s nuclear centrifuges. Oldsmar Water Treatment Plant Attack (2021): Hackers gained access to the SCADA system and attempted to poison the water supply by increasing the amount of sodium hydroxide. Cyberterrorism and cyberwarfare Russian Cyberattacks on Ukraine (2015-2016): Included attacks on the power grid, causing blackouts. WannaCry and NotPetya Attacks (2017): Both attributed to state-sponsored actors, causing widespread disruption and damage. 20 Software Attacks 21 Software Attacks 22 Alien Software Adware o causes pop-up advertisements to appear on your screen. Spyware o collects personal information about users without their consent. Spamware o uses your computer as a launch pad for spammers. Cookies o small amounts of information that websites store on your computer, temporarily or more or less permanently. 
o Some are good (e.g., keeping you logged in, remembering your shopping cart)
o Others may be problematic: tracking cookies, typically third-party cookies used to follow you across many sites

23 What Organizations are Doing to Protect Information Resources
Risk
o The probability that a threat will impact an information resource.
Risk Analysis
o (1) Assess the value of each asset being protected, (2) estimate the probability that each asset will be compromised, and (3) compare the probable costs of the asset's being compromised with the costs of protecting that asset.

24 Risk Mitigation
How:
o (1) Implementing controls to prevent identified threats from occurring, and (2) developing a means of recovery if the threat becomes a reality.
Three strategies:
o Risk acceptance: accept the potential risk, continue operating with no controls, and absorb any damages that occur (do nothing)
o Risk limitation: limit the risk by implementing controls that minimize the impact of the threat
o Risk transference: transfer the risk to a third party, e.g., by purchasing insurance
The strategies can be combined: an organization may implement controls and also insure the residual risk.

25 Information Security Controls

26 Information Security Controls
General controls
o Physical Controls
o Access Controls
o Communication Controls
Application-specific controls
Business Continuity Planning

27 Physical Controls
Prevent unauthorized individuals from gaining access to a company's facilities.
o Walls
o Doors
o Fencing
o Gates
o Locks
o Badges
o Guards
o Alarm systems

28 Access Controls
Authorization
Authentication

29 Authentication
Something the user is (biometrics)
Something the user has (token, smart card)
Something the user does (voice, signature)
Something the user knows
o Passwords
o Passphrases

30 Basic Guidelines for Passwords
Difficult to guess
Long rather than short
Should have uppercase letters, lowercase letters, numbers, and special characters
Not recognizable words
Not the name of anything or anyone familiar, such as family names or names of pets
Not a recognizable string of numbers, such as a social insurance number or a birthday

31 Communication Controls
Firewalls
Anti-malware systems
Whitelisting and blacklisting
Encryption
Virtual private networking
Transport layer security (TLS)
Employee monitoring systems

32 Firewalls
(a) Basic firewall for home computer.
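The three-step risk analysis and the mitigation strategies above are easier to apply once written down as a procedure. The Python below is an added example, not material from the slides or the textbook: the asset values, probabilities, control costs and insurance premiums are constructed numbers, and the decision rule (implement controls when they cost less than the expected loss; otherwise insure if that is cheaper than the expected loss; otherwise accept) is an assumption made for illustration rather than a rule the slides state.

```python
"""Worked risk analysis: asset value x probability of compromise versus the
cost of protection, then a mitigation strategy per asset.

Added example; the assets, probabilities and costs are constructed, and the
decision rule is an assumption made for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # step 1: value of the asset (loss if fully compromised)
    p_compromise: float     # step 2: estimated annual probability of compromise
    control_cost: float     # annual cost of controls that would limit the risk
    premium: float          # annual insurance premium to transfer the risk


@dataclass(frozen=True)
class Decision:
    asset: str
    expected_loss: float
    strategy: str           # "limit", "transfer" or "accept"
    annual_cost: float      # what the chosen strategy costs per year


def expected_loss(asset: Asset) -> float:
    """Step 3, left-hand side: probable annual cost of the asset being compromised."""
    return asset.value * asset.p_compromise


def choose_strategy(asset: Asset) -> Decision:
    """Compare the probable cost of compromise with the cost of protection.

    Decision rule (an assumption, not from the slides): pay for controls only
    when they cost less than the loss they avert; otherwise insure if the
    premium is below the expected loss; otherwise accept the risk (do nothing).
    """
    loss = expected_loss(asset)
    if asset.control_cost < loss:
        return Decision(asset.name, loss, "limit", asset.control_cost)
    if asset.premium < loss:
        return Decision(asset.name, loss, "transfer", asset.premium)
    return Decision(asset.name, loss, "accept", 0.0)


def prioritise(assets: List[Asset]) -> List[Decision]:
    """Rank assets by expected loss so the budget goes to the biggest risks first."""
    return sorted((choose_strategy(a) for a in assets),
                  key=lambda d: d.expected_loss, reverse=True)


# Constructed sample assets (illustrative numbers only).
SAMPLE_ASSETS = [
    Asset("customer database", value=2_000_000, p_compromise=0.10,
          control_cost=120_000, premium=250_000),
    Asset("public web server", value=300_000, p_compromise=0.30,
          control_cost=40_000, premium=60_000),
    Asset("lunch-menu intranet page", value=5_000, p_compromise=0.50,
          control_cost=8_000, premium=3_000),
    Asset("legacy fax gateway", value=200_000, p_compromise=0.05,
          control_cost=15_000, premium=5_000),
]

if __name__ == "__main__":
    for d in prioritise(SAMPLE_ASSETS):
        print(f"{d.asset:26s} expected loss {d.expected_loss:>10,.0f}  "
              f"-> {d.strategy:8s} (cost {d.annual_cost:,.0f}/yr)")
```

Run as a script it prints the ranked list: the customer database and the web server get controls, the fax gateway is insured because the premium is below its expected loss while the controls are not, and the intranet page is accepted because both options cost more than the risk is worth.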
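The password guidelines above can be checked mechanically. The following Python is an added example, not code from the slides: the minimum length of 12, the tiny word list standing in for a dictionary, and the demo user's "familiar" names and numbers are all assumptions made for illustration; a real deployment would use a full dictionary and a breached-password list. It implements every guideline on the slide, including the two that most checkers skip (familiar names and recognizable digit strings).

```python
"""Check a candidate password against the guidelines on the slide.

Added example, not code from the slides. MIN_LENGTH, COMMON_WORDS and
DEMO_PERSONAL_INFO are constructed assumptions for illustration.
"""
import re
from typing import Iterable, List

MIN_LENGTH = 12  # assumption: the slide only says "long rather than short"

# Constructed stand-in for a dictionary / common-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer",
                "hockey", "canada", "ottawa", "admin", "monkey"}

CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def _is_sequential(digits: str) -> bool:
    """True for runs like 1234, 9876 or 7777 (constant step of +1, -1 or 0)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps <= {1} or steps <= {-1} or steps <= {0}


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of guideline violations (empty list means it passes)."""
    problems: List[str] = []
    lowered = password.lower()

    # Long rather than short.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Mix of upper, lower, digits and special characters.
    missing = [name for name, rx in CLASSES.items() if not rx.search(password)]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))

    # Not a recognizable word: strip digits/symbols and look the core up.
    core = re.sub(r"[^a-z]", "", lowered)
    if core in COMMON_WORDS:
        problems.append(f"'{core}' is a dictionary word")

    # Not the name of anything familiar (family, pets) or a familiar number.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains familiar name or number '{item}'")

    # Not a recognizable string of numbers (sequential or repeated runs).
    for run in re.findall(r"\d{4,}", password):
        if _is_sequential(run):
            problems.append(f"contains recognizable digit string '{run}'")

    return problems


# Constructed personal information for the demo user (pet, surname, birthday).
DEMO_PERSONAL_INFO = ["Fluffy", "Smith", "19990412", "1999"]

if __name__ == "__main__":
    for candidate in ["Password1!", "Fluffy-Smith1999", "Hockey12345$",
                      "purple!Tractor9Umbrella$"]:
        print(candidate, "->", check_password(candidate, DEMO_PERSONAL_INFO) or "OK")
```

One caveat worth stating next to "not recognizable words": the last slide of this deck recommends passwords "based on word phrases". The two are compatible: the check rejects a password whose whole core is a single dictionary word, but a long passphrase made of several unrelated words (the last sample above) passes, and its length is what makes it hard to guess.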
(b) Organization with two firewalls and demilitarized zone.

Figure: How public key encryption works.
Figure: How digital certificates work.
Figure: Virtual private network (VPN) and tunneling.

Application Controls
Input controls
o are programmed routines that edit input data for errors before they are processed.
Processing controls
o are programmed routines that perform actions that are part of the organization's record-keeping, reconcile and check transactions, or monitor the operation of applications.
Output controls
o are programmed routines that edit output data for errors or help to ensure that output is provided only to authorized individuals.

Personal Information Asset Protection
Importance of personal information asset protection
Different levels of protection for different types of information
Possible actions to protect personal information assets

Personal Information Asset Protection
Possible actions to protect personal information assets, and why the actions are important
Behavioural actions
o Action: Verify the identity of telephone callers or emails who ask for personal information by calling them using an independently obtained telephone number or seeking out primary websites.
  Why: Prevent potential social engineering attacks or phishing attacks.
o Action: Ask why service providers need your social insurance number (SIN) and withhold your SIN if it is not needed to obtain the service.
  Why: Prevent possible identity theft.
o Action: Carefully check your credit card bills and bank statements, querying unknown transactions.
  Why: Detect unauthorized use of your credit card or unauthorized access to your bank accounts promptly.
o Action: If you suspect identity theft, check the mailing address and status of your bills and follow the actions listed on the website of the Office of the Privacy Commissioner of Canada (www.priv.gc.ca/en/privacy-topics/identities/identity-theft/).
  Why: Protect your credit rating and help prevent further theft of your information and financial assets.
Computer-related actions
o Action: Use current software that is updated regularly for antivirus, antispam and anti-adware.
  Why: Help prevent your data or programs from being disrupted or copied; prevent your system from being hijacked as a bot.
o Action: Take regular backups of your data and system and store them off-site, away from your computer system.
  Why: Enable recovery of your data and system in case of disruption due to viruses, ransomware, or theft of your equipment.
o Action: Use passwords based on word phrases to make them difficult to guess, and use different passwords for leisure and financial systems.
  Why: Protect your confidential data and financial assets from unauthorized access.

Business Continuity Planning, Backup and Recovery
Disaster recovery plan
o It is the chain of events linking planning to protection and to recovery.
o Its purpose is to provide guidance to people who keep the business operating after a disaster occurs.
Backup sites:
o Hot (almost a replica)
o Warm (can be up and running in a short time)
o Cold (mainly physical space, but everything else will have to be set up)
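The Risk Analysis and Risk Mitigation slides above describe a decision: value each asset, estimate its probability of compromise, and compare the probable cost of compromise with the cost of protecting it under risk acceptance, transference or limitation. The following script is an added example (not from the slides or the textbook) that works that comparison through with constructed figures; the asset value, probabilities, premium, payout and control costs are all assumed.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    value: float          # step (1): value of the asset being protected
    p_compromise: float   # step (2): estimated annual probability of compromise

@dataclass
class Control:
    name: str
    annual_cost: float    # cost of implementing and running the control
    residual_p: float     # probability of compromise once the control is in place

def expected_loss(asset: Asset) -> float:
    """Probable annual cost of the asset being compromised (value x probability)."""
    return asset.value * asset.p_compromise

def compare_strategies(asset: Asset, premium: float, payout: float, controls: list) -> dict:
    """Step (3): expected annual cost of each mitigation strategy on the slide.
    Insurance (transference) refunds up to `payout`; risk limitation keeps the
    insurance and adds a control that lowers the probability of compromise."""
    uncovered = max(asset.value - payout, 0.0)   # loss the policy does not pay back
    costs = {
        "risk acceptance": expected_loss(asset),
        "risk transference": premium + uncovered * asset.p_compromise,
    }
    for c in controls:
        costs[f"risk limitation ({c.name})"] = c.annual_cost + premium + uncovered * c.residual_p
    return costs

def cheapest_strategy(costs: dict) -> str:
    """Pick the strategy whose total expected annual cost is lowest."""
    return min(costs, key=costs.get)

# Constructed figures for illustration only (assumed, not from the course material).
CUSTOMER_DB = Asset("customer database", value=2_000_000, p_compromise=0.05)
PREMIUM, PAYOUT = 30_000, 1_500_000
CONTROLS = [
    Control("MFA + disk encryption", annual_cost=15_000, residual_p=0.01),
    Control("badge access only", annual_cost=5_000, residual_p=0.045),
]

if __name__ == "__main__":
    costs = compare_strategies(CUSTOMER_DB, PREMIUM, PAYOUT, CONTROLS)
    for strategy, cost in costs.items():
        print(f"{strategy:40s} ${cost:>10,.0f}/year")
    print("choose:", cheapest_strategy(costs))
```

With these figures acceptance costs $100,000/year in expected loss, insurance alone $55,000, and insurance plus the MFA/encryption control $50,000, so risk limitation is chosen; change the control costs and the answer changes with them.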
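The Basic Guidelines for Passwords slide lists rules (length, character mix, no recognizable words, no familiar names, no SIN- or birthday-like digit strings). Here is an added example, not from the slides, of a checker that applies those guidelines; the 12-character minimum and the two word lists are assumptions, and a real deployment would load a full dictionary and the user's own familiar names.

```python
import re

MIN_LENGTH = 12  # "long rather than short": this example's assumed minimum

# Constructed word lists. A real checker would load a full dictionary and the
# user's own familiar names (family members, pets) from their profile.
RECOGNIZABLE_WORDS = {"password", "welcome", "summer", "hockey", "letmein", "dragon"}
FAMILIAR_NAMES = {"smith", "rover", "buddy", "emily"}

def looks_like_date(digits: str) -> bool:
    """True for an 8-digit run laid out as YYYYMMDD or DDMMYYYY/MMDDYYYY."""
    def plausible(year: int, a: int, b: int) -> bool:
        return 1900 <= year <= 2099 and (
            (1 <= a <= 12 and 1 <= b <= 31) or (1 <= b <= 12 and 1 <= a <= 31))
    return len(digits) == 8 and (
        plausible(int(digits[:4]), int(digits[4:6]), int(digits[6:]))
        or plausible(int(digits[4:]), int(digits[:2]), int(digits[2:4])))

def check_password(pw: str, names=FAMILIAR_NAMES) -> list[str]:
    """Return the guideline violations for pw (an empty list means it passes)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    # Strip digits and symbols so "Rover2015!" is still recognised as the name.
    letters = re.sub(r"[^a-z]", "", pw.lower())
    if letters in RECOGNIZABLE_WORDS:
        problems.append("is a recognizable word")
    if letters in names:
        problems.append("is a familiar name")
    # Digit strings that look like a SIN (9 digits) or a birthday (8-digit date).
    for run in re.findall(r"\d{8,9}", pw):
        if len(run) == 9:
            problems.append("contains a 9-digit number that could be a SIN")
        elif looks_like_date(run):
            problems.append(f"contains a date-like number ({run})")
    return problems

if __name__ == "__main__":
    for candidate in ["Password!", "Rover19900215!", "Aq!123456789xZ", "x7#Kq!pLm2$Wz9"]:
        print(f"{candidate!r}: {check_password(candidate) or 'passes all guidelines'}")
```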
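The Application Controls slide defines input, processing and output controls as programmed routines. The script below is an added example, not from the slides, that implements one of each over a constructed batch of sales transactions: edit checks on every record, a reconciliation of the posted total against a batch control total, and a report released only to an authorized role. The record layout, the control total and the "finance" role are assumptions.

```python
from datetime import date

# Constructed batch of sales transactions as keyed in by a data-entry clerk.
RAW_BATCH = [
    {"id": "T1", "customer": "C001", "amount": "125.50", "date": "2024-03-01"},
    {"id": "T2", "customer": "",     "amount": "abc",    "date": "2024-03-01"},
    {"id": "T3", "customer": "C002", "amount": "-40.00", "date": "2024-13-01"},
    {"id": "T4", "customer": "C003", "amount": "300.00", "date": "2024-03-02"},
]
BATCH_CONTROL_TOTAL = 425.50  # total the clerk computed for the records meant to post

def input_control(rec: dict) -> list[str]:
    """Input control: edit checks run on each record before it is processed."""
    errors = []
    if not rec.get("customer"):
        errors.append("customer is required")
    try:
        if float(rec.get("amount", "")) <= 0:
            errors.append("amount must be positive")
    except ValueError:
        errors.append("amount is not numeric")
    try:
        date.fromisoformat(rec.get("date", ""))
    except ValueError:
        errors.append("date is not a valid calendar date")
    return errors

def process_batch(batch: list, control_total: float) -> dict:
    """Processing control: post only clean records, then reconcile the posted
    total against the clerk's control total so lost or altered records show up."""
    posted = [r for r in batch if not input_control(r)]
    rejected = [r for r in batch if input_control(r)]
    posted_total = round(sum(float(r["amount"]) for r in posted), 2)
    return {"posted": posted, "rejected": rejected, "total": posted_total,
            "reconciled": abs(posted_total - control_total) < 0.005}

def output_control(result: dict, role: str) -> list:
    """Output control: the detailed report is released only to an authorized role."""
    if role != "finance":
        raise PermissionError(f"role {role!r} may not receive the posted-transaction report")
    return [(r["id"], r["customer"], r["amount"]) for r in result["posted"]]

if __name__ == "__main__":
    result = process_batch(RAW_BATCH, BATCH_CONTROL_TOTAL)
    print("rejected:", [(r["id"], input_control(r)) for r in result["rejected"]])
    print("reconciled:", result["reconciled"])
    print("report for finance:", output_control(result, "finance"))
```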
