Dr.D.S.RAO
Dr.dsrao@yahoo.in
HCL Info systems sdn bhd. Malaysia.
Co-Authors
Disha.Handa, Gaurav Bagga, Ajay Kumar Rangra,
Nandini Nayar, Karan Bajaj, Shweta Rajput,
K.V.Praveen, Vanita.Jaitely
Abstract
Vulnerability is discussed in the context of data processing and information management
applications. It is argued that a new class of information technology applications must now
be recognised, in which one or more organisations cooperate with small enterprises and
private individuals. The term 'extra-organisational systems' is coined for such applications.
Using illustrations arising from studies in the field of consumer EFTS, it is shown that the
public is generally regarded as 'usees', beyond the system and affected by it, rather than as
part of the system. It is argued that conventional systems life-cycle notions and techniques are
inappropriate to extra-organisational systems. Rather than the software engineering,
artefact-oriented philosophy inherent in existing techniques, such systems demand an
alternative organically-based paradigm.
1. Introduction
Parallel with the literature on vulnerability, a number of related areas have developed,
especially safety-critical systems and system- and software-safety (e.g. Neumann
1979-, 1986, 1989; Malasky 1982; Perrow 1984; Leveson 1984, 1986, 1990, 1991;
Parnas 1985; Smith 1985; Borning 1987). Systems engineering defines safety
management as the measures taken to reduce the risk of accidents and of hazards,
where the term 'hazard' means a set of conditions that can lead to an accident
(Leveson 1991). Other relevant areas include software quality assurance (AS3563
1991), trusted systems (DoD 1987), risk management (Shain & Anderson 1989),
International Journal of Advanced Science and Technology
Vol. 20, July, 2010
2. Intra-Organisational Systems
Apart from the job-displacement issues, which are briefly discussed later in this
paper, other vulnerabilities were created, but were seldom considered in a cohesive
and systematic fashion. For example:
The natural result of this increase in sophistication has been the emergence of 'multi-
organisational' systems. These can be distinguished from inter-organisational
applications in that they are designed to support multiple linkages with many
organisations, and, in principle, with any other organisation with which there is a need
to communicate. Particular forms include:
In each case, standards and interfaces have been established, and appropriate controls
and security features imposed.
The removal of inefficiencies is, of course, a cause for rejoicing, because it means that
society can produce more goods and services for the same amount of labour input.
There is, however, an inevitable negative impact on those employees who are
displaced, and on their dependants, at the very least during an interim period while the
person finds a new job.
To the extent that displaced people prove unable or unwilling to re-train and/or re-
locate, the impact can be severe. Under some conditions, moreover, the impact may
be long-term, when, for example:
Where long-term unemployment results, the consequences for the people affected can
be very severe, particularly if there is an inadequate 'safety net'. Given that the main
avenue for distributing national income to people is on the basis of their employment,
social vulnerability appears to be now arising from the more advanced forms of
applications of IT in commerce, industry and government.
Apart from the work-and-income issue, other vulnerabilities have emerged in greater
number, and of greater severity, during this era. For example:
• data has flowed across corporate boundaries, generally without the data
subject's knowledge or consent, and with reckless disregard for the
misunderstandings inevitable from its loss of context. Legislative activity
throughout the world has imposed fair information practices on some of these
flows, but has in the process legitimised the flows themselves; and
• the scope for bureaucratic procrastination and obstructionism has become even
greater, because the inadequacies of not only the organisation's own
computer(s), but also those of the computers of other organisations can be
blamed, or their authority invoked.
The following section distinguishes a related class of IT application which has not to
date received attention in the literature.
4. Extra-Organisational Systems
Implicit in the notions of inter- and multi-organisational systems are the assumptions
that each of the nodes of the network is professionally managed, and that the facilities
are used in an organisational context, with all of the discipline and cultural constraints
that entails. These assumptions are important, because business partners depend on
one another's professionalism in relation to such matters as:
In these cases, many of the organisation's 'business partners' are small, single-site (and
in many cases single-person) enterprises, such as retail outlets and service agents, or
are members of the public. These partners do not have professional IT managers with
an understanding of such arcane arts and technologies as systems analysis and
communications protocols. Despite this, some of them will reliably and consistently
perform the intended functions, and interpret their interaction with the facility in the
way the designer intended. It would be a highly idealistic designer, however, who
relied upon all, or even a large percentage of these partners to do so.
The following section draws on prior research relating to one particular form of extra-
organisational system, to identify some specific instances of vulnerabilities, and trace
the origins of those weaknesses to the philosophy and methods of contemporary
systems life-cycle thinking.
A variety of studies of electronic funds transfer systems have been undertaken (see, in
particular, Kling 1983). This section draws heavily on studies of consumer EFTS in
Australia (Walters 1989, Clarke and Walters 1989, Clarke 1990a and 1990b, Clarke
and Greenleaf 1990, APSC 1990); and in Switzerland (Clarke 1992).
Consumer EFTS may be defined narrowly, to include only ATM services and point of
sale systems in merchants' premises (EFT/POS), in which value is transferred
between accounts on the basis of data captured from a card inserted in a remote
terminal and an associated keyboard. A broader definition includes all transactions in
which the magnetic-stripe on a credit- or debit-card is used to effect payment, whether
with or without use of a personal identification number (PIN). Used in this less
restrictive manner, the term also covers remote banking services from home or office,
and card-facilitated tele-shopping, phone-calls, bill payments and reservations.
Automated Teller Machines were adopted very quickly when they were introduced in
Australia in the late 1970s and early 1980s. Consumers have enjoyed the benefits of
greater convenience, but unfortunately for the financial institutions, the anticipated
large net savings in transaction-handling costs were not realised. This was because the
average size of transactions is now much smaller than was the case before the
introduction of ATMs, and the number of transactions is much greater.
Australia has been among the world leaders in the rate of adoption of consumer
EFTS, but most forms, and especially EFT/POS, have achieved much slower growth
rates than was the case with ATMs. A number of factors were involved, some
peculiar to Australia, but many similar to those which have retarded growth in many
other countries. They included:
On the basis of successful EFT/POS implementations, it appears that there are several
important features of system architecture:
Once these corporate difficulties had been overcome, there remained the question as
to whether consumers would actually use the resulting system. Too little attention was
paid to the interests of the consumer, indicating a failure to appreciate the extra-
organisational dimension of consumer EFTS. In particular:
Debates about the security aspects of Australian consumer EFTS provide further
evidence of the extent to which the consumer was long regarded as being outside the
EFT/POS system, rather than an integral part of it. The Australian finance industry
has been a world leader in the establishment of security standards, and the level of
security is very high (AS2805 1988, Weber 1989). The banks have had, however, an
internally focussed and technically oriented view of security. Some of the deficiencies
during the late 1980s are documented in Appendix I.
During the period 1987-90, steps were taken by a variety of Australian Federal and
State Government agencies to ensure that the financial institutions addressed at least
the most pressing of consumers' concerns (although at no stage to date have privacy
considerations been addressed). One remarkable aspect of the procedure was that the
development and successive reviews of the EFTS Code of Conduct were undertaken
without the formal participation of consumer representatives or advocates.
Despite the litany of inadequacies, the adaptability of both the technology and the
major players has proven to be of a high order, and the confusion and mistrust which
reigned in Australia from 1984 until 1989 is now being overcome, and steady growth
is being experienced. Similarly, the openness and consumer-orientation of consumer
EFTS in Switzerland appears to be resulting in brisker growth rates in transaction
volumes.
The conclusions drawn from these studies of consumer EFTS are that the major
players made costly mistakes as a result of conceiving of the consumer and his actions
as being outside the system boundaries. They treated the system as (at best) a multi-
organisational system, when it was really an extra-organisational application. It was
only when external pressure was brought to bear that the financial institutions were
forced to reflect consumers' interests in their system designs.
requirements are not readily analysable, because they are subject to interpretation by a
wide variety of players, and are subject to ongoing change. The following section
proposes a shift in the framework within which extra-organisational systems are
developed, which will enable vulnerabilities to be reduced.
This paper is not concerned with the efficacy of that approach to intra-, inter- and
multi-organisational systems. It argues that the software engineering paradigm is
inapplicable to extra-organisational systems, and that an alternative, more open and
'organic paradigm' is needed, based on a less deterministic interpretation of general
systems theory and cybernetics than has been common in recent decades.
As far as I am aware, the term 'organic paradigm' is original. The concept, however, is
well-established. Precursors include 'sociotechnical systems' (Emery & Trist 1960,
Mumford 1983), Beer (1972, 1975), Miller's 'living systems' (1978), Checkland's 'soft
systems methodology' (Checkland 1981, Checkland & Scholes 1990), the Multiview
approach (Wood-Harper et al 1985), and the stream of thought emerging at the less
mechanistic end of the cognitive science community (Winograd & Flores 1986).
With them, I am arguing not for the rejection of rationalism and science in favour of
holism, vitalism or some other ascientific framework, but rather for the re-direction of
the rationalistic tradition.
There are increasing echoes of these kinds of thinking in the management and
management information systems literatures. For example, Ciborra's at first sight
revolutionary arguments about 'designing-in-action' and 'bricolage' (which holds that
systems are not products designed by a master-architect, but rather the result of
tinkering by the many people involved - Ciborra and Lanzara 1989, Ciborra 1991) are
not meeting rejection, but rather being absorbed and rationalised back into the
mainstream of information systems thinking.
7. Conclusions
Vulnerability has been discussed in the context of data processing and information
management applications. A great deal of attention has been paid in the literature to
inter-organisational and multi-organisational systems, and the opportunities, impacts
and management of such systems have become clearly distinguishable from those of
the long-standing class of intra-organisational applications. It has been argued that a
new class of system must now be recognised, which is referred to in this paper as
'extra-organisational'. By this is meant systems in which one or more organisations
cooperate with other entities which are not organisations, but rather are small
enterprises and private individuals. Reports from studies in the field of consumer
EFTS have illustrated ways in which the public is still generally regarded as 'usees',
beyond the system and affected by it, rather than part of the system. It has been
argued that conventional systems life-cycle notions and techniques are inappropriate.
References
APSC (1990) 'Report on EFT Security Survey' Australian Payments System Council,
Reserve Bank of Australia, Sydney (November 1990)
AS2805 (1988) 'PIN Management and Security' Standards Australia, Sydney (1988)
Borning A. (1987) 'Computer Systems Reliability and Nuclear War' Commun. ACM
30,2 (February 1987) Republished in Dunlop C. and Kling R. (Eds.) 'Computerization
and Controversy' Academic Press, 1991 560-592
Ciborra C.U. and Lanzara G.F. (1989) 'Designing Networks in Action: Formative
Contexts and Post-Modern Systems Development' in Clarke R. and Cameron J. (Eds.)
'Managing Information Technology's Organisational Impact' Elsevier / North Holland,
1991 pp. 265-279
Clarke R.A. (1990a) 'Consumer EFTS in Australia - Part II - Security Issues' Comp.
L. & Sec. Reporter (1989-90) 5 CLSR (Jan/Feb 1990)
______ (1990b) 'Consumer EFTS in Australia - Testing Times for Guided Self-
Regulation' Comp. L. & Sec. Reporter (1989-90) 6 CLSR (Mar/Apr 1990)
______ (1991) 'Towards a Framework for the Analysis of EDI's Impact on Industry
Sectors' Proc. 4th Int'l EDI Conf., Bled, Slovenia, Uni. of Maribor, June 1991
Clarke R.A. and Greenleaf G.W. (1990) 'Consumer EFTS in Australia - Privacy
Implications' Comp. L. & Sec. Reporter (1990-91) 1 CLSR (May/Jun 1990)
Clarke R.A. and Walters M. (1989) 'An Introduction to Consumer EFTS With
Particular Reference to Australia' Comp. L. & Sec. Reporter (1989-90) 4 CLSR
(Nov/Dec 1989)
Emery F.E. and Trist E.L. (1960) 'Socio-technical systems' in Churchman C.W. and
Verhulst M. (Eds.) 'Management Science Models and Techniques Vol. 2' Pergamon,
Oxford, 1960
Franke R.H. (1987) 'Technological Revolution and Productivity Decline: The Case of
U.S. Banks' Techno. Forecasting and Social Change 31 (1987) 143-154 Republished
in Forester T. (Ed.) 'Computers in the Human Context' Basil Blackwell, Oxford, 1989
Hoffman L.J. and Moran L.M. (1986) 'Social Vulnerability to Computer System
Failure' Computers & Security 5 (1986) 211-217
Johnson H.R. and Vitale M.R. (1988) 'Creating Competitive Advantage with
Interorganisational Systems' MIS Qtly 12,2 (June 1988) 153-165
Kaufman F. (1966) 'Data Systems That Cross Company Boundaries' Harv. Bus. Rev.
(Jan/Feb 1966)
Kling R. (1983) 'Value Conflicts in the Design and Organisation of EFT Systems'
Telecommunications Policy (March 1983) 12-34 Republished in Dunlop C. and Kling
R. (Eds.) 'Computerization and Controversy' Academic Press, 1991 421-435
Konsynski B.R. and McFarlan F.W. (1990) 'Information Partnership - Shared Data,
Shared Scale' Harv. Bus. Rev. (Sep/Oct 1990) 114-120
______ (1986) 'Software Safety: Why, What and How' Comput. Surv. 18,2 (June
1986) 25-69
Malasky S.W. (1982) 'System Safety Technology and Application' Garland STPM
Press, New York, 1982
Malone T.W. and Yates J. and Benjamin R.I. (1987) 'Electronic Markets, Electronic
Hierarchies' Commun. ACM 30,6 (June 1987) 484-497
Marx G.T. and Sherizen S. (1986) 'Monitoring on the Job' Technology Rev. (Nov-Dec
1986) Republished in Forester T. (Ed.) 'Computers in the Human Context' Basil
Blackwell, Oxford, 1989
_____ (1986) 'On Hierarchical Design of Computer Systems for Critical Applications'
IEEE Trans. on Software Eng. SE-12, 9 (September 1986) 905-920
OTA (1987) 'The Electronic Supervisor: New Technology, New Tensions' Office of
Technology Assessment, Washington DC, 1987
Parnas D.L. (1985) 'Software Aspects of Strategic Defense Systems' Commun. ACM
28,12 (December 1985) 1326-1335 Republished in Dunlop C. and Kling R. (Eds.)
'Computerization and Controversy' Academic Press, 1991 593-611
Rockart J.F. and Short J.F. (1989) 'IT in the 1990s: Managing Organisational
Interdependence' Sloan Mngt Rev. (Winter 1989)
Smith B.C. (1985) 'The Limits of Correctness' Computers & Society 14,4 (Winter
1985)
Toigo J.W. (1989) 'Disaster Recovery Planning - Managing Risk and Catastrophe in
Information Systems' Yourdon / Prentice-Hall, New York, 1989
Wiener N. (1949) 'The Human Use of Human Beings' Avon Books, New York, 1949,
1974