CHAPTER I - INTRODUCTION

MANAGEMENT INFORMATION SYSTEM

INTRODUCTION

Information is the basis for every decision taken in an organization.

The efficiency of management depends upon the availability of regular and relevant information. Thus it is essential that an effective and efficient reporting system be developed as part of the accounting system. The main object of management information is to obtain the required information about the operating results of an organization regularly in order to use them for future planning and control. The old techniques like intuition, rule of thumb, personal whim and prestige, etc. are now considered useless in the process of decision taking. Modern management is constantly on the lookout for quantitative and other such information that can help in analyzing the proposed alternative actions and choosing one as its decision. Thus, modern management functions are information-oriented, more popularly known as "management by information". The system through which information is communicated to the management is known as the "management information system (MIS)". The management needs full information before taking any decision. Good decisions can minimize costs and optimize results. A management information system can help the management take decisions smoothly and effectively.

Management information system can be analyzed thus:

1. Management: management covers the planning, control, and administration of the operations of a concern. The top management handles planning; the middle management concentrates on controlling; and the lower management is concerned with actual administration.
2. Information: information, in MIS, means the processed data that helps the management in planning, controlling and operations. Data means all the facts arising out of the operations of the concern. Data is processed, i.e. recorded, summarized, compared and finally presented to the management in the form of an MIS report.
3. System: data is processed into information with the help of a system. A system is made up of inputs, processing, output and feedback or control.

Thus MIS means a system for processing data in order to give proper information to the management for performing its functions.

CONCEPTUAL VIEW OF MIS

The concept is a blend of principles, theories and practices of management, information and system, giving rise to a single product called MANAGEMENT INFORMATION SYSTEM. The concept of management gives high regard to the individual and his ability to use the information. MIS gives information through data analysis. While analyzing the information, it relies on many academic disciplines like management science, OR, organization behavior, psychology, etc. The foundation of MIS is the principles of management and its practices. MIS uses the concept of management control in its design and relies heavily on the fact that the decision maker is a human being and is a human processor of information. An MIS can be evolved for a specific objective; it is evolved after systematic planning and design. It calls for an analysis of business, management views and policies, organization culture and the management style. The MIS, therefore, relies heavily on systems theory. The systems theory offers solutions to handle complex situations of the input and output flows. It uses the theory of communication, which helps to evolve a system design capable of handling data inputs, process and outputs with the least possible noise or distortion in transmitting the information from a source to a destination.

WHO ARE THE INFORMATION USERS?

• Managers: The idea of using the computer as a management information system was a breakthrough because it recognized managers' need for problem solving information. Embracing the MIS concept made several firms develop applications specifically aimed at management support.
• Non-managers: Non-managers and staff specialists also use the MIS output.
• Persons & organizations in the firm's environment

Users outside the company benefit from the MIS as well. They can be customers receiving invoices, stockholders getting dividend checks, and the federal government checking tax reports.

Management Levels

Strategic Planning Level
The strategic planning level involves managers at the top of the organizational hierarchy. The term strategic indicates the long-term impact of top managers' decisions on the entire organization. The term executive is often used to describe a manager on the strategic planning level.

Management Control Level
Middle-level managers include regional managers, product directors, and division heads. Their level is called the "management control level" due to their responsibility of putting plans into action and ensuring the accomplishment of goals.

Operational Control Level
Lower level managers are persons responsible for carrying out the plans specified by managers on upper levels. Their level is called the "operational control level" because this is where the firm's operations occur.

Influence of Management Level on Information Source and Form
When designing information systems, it is important to consider the manager's level. Such levels can influence both the source of information and how it is presented. Managers on the strategic level place greater emphasis on environmental information than do managers on the lower levels. Managers on the operational control level regard internal information as vital. The second figure shows that strategic planning-level managers prefer information in a summary format, whereas operational control-level managers prefer detail.

Business Areas

Managers are found in various business areas of the firm. The three traditional business areas are marketing, manufacturing, and finance, in addition to two other areas that have gained major importance: human resources and information services.

What managers do

According to the French management theorist Henri Fayol, managers perform five major functions.

• They plan what they are to do.
• They organize to meet the plan.
• They staff their organization with the necessary resources.
• They direct the available resources to execute the plan.
• Finally, they control the resources, keeping them on course.

All managers perform these functions, however with varying emphasis as shown below.

Management Knowledge

• Computer literacy: This knowledge includes an understanding of computer terminology, a recognition of its strengths and weaknesses, an ability to use the computer, etc.
• Information literacy: A manager should also have information literacy, which consists of understanding how to use information at each step of the problem solving process, where this information can be obtained from, and how to share information with others. Information literacy is not dependent on computer literacy. A manager can be information literate but computer illiterate.

THE MANAGER AND SYSTEMS

System Components

A system is a group of elements that are integrated with the common purpose of achieving an objective. Not all systems have the same combination of elements, but a basic configuration is illustrated in the figure below:

Input resources are transformed into output resources. The resources flow from the input element, through the transformation element, and to the output element. A control mechanism monitors the transformation process to ensure that the system meets its objectives. The control mechanism is connected to the resource flow by means of a feedback loop, which obtains information from the system output and makes it available to the control mechanism. The control mechanism compares the feedback signals to the objectives and directs signals to the input element when it is necessary to change the system operation.

Open Loop or Close Loop System

Open and Closed Systems

• Open system: Connected to its environment by means of resource flows (e.g., heating system).

• Closed system: Not connected to its environment. They usually exist in tightly controlled laboratory systems.

What is a subsystem?

A subsystem is simply a system within a system. This means that systems exist on more than one level and can be composed of subsystems or elemental parts.

Importance of MIS in Organizations

In today's scenario MIS plays a pivotal role in organizations. Organizations worldwide make extensive use of MIS. It is designed by the top management of an organization and is a tool for assembling & accumulating facts & figures of all the important business processes. MIS is a very vast topic; it is very difficult to cover the whole in one article. Thus here are some of the major advantages of MIS in organizations:

• The organization that uses MIS is able to record, process, route & tabulate all important business transactions. As & when need arises the organization is able to incorporate the needed changes & improvements in the area of concern.
• MIS facilitates informed DECISION MAKING. It usually represents a number of options from which one can choose the best.
• The top management ANALYSES whether its resources are being utilized optimally.
• A TWO WAY COMMUNICATION FLOW is greatly enhanced by the MIS. The management freely tells the job responsibilities to its employees. The employees in return discuss their doubts & grievances.
• MIS supports the planning & controlling function of managers in the organization. Managers use past/historical data as well as the current data to analyze the performance & hence apply controlling measures.
• MIS encourages DECENTRALISATION in the organisation. Decentralization is possible when there is a system to measure operations at the lower levels.

• It brings COORDINATION. It facilitates integration of specialized activities by keeping each department aware of the problems & requirements of other departments. In some way MIS keeps the organization bound together.

CHAPTER II - TYPES OF INFORMATION SYSTEM

Information systems differ in their business needs, and the information varies depending upon different levels in the organization. Hence, information systems can be broadly categorized into the following:

• Transaction processing system
• Management Information System
• Decision support system
• Executive support system

The information needs are different at different organizational levels. Accordingly the information can be categorized into the following:

• Strategic information
• Managerial information
• Operational information

Transaction Processing Systems

1. It processes the business transactions of the organization. A transaction can be any activity of the organization. For example, take a railway reservation system. Booking, canceling, etc. are all transactions. Any query made to it is a transaction.
2. This provides high speed and accurate processing of record keeping of basic operational processes and includes calculation, storage and retrieval.
3. Transaction processing systems provide speed and accuracy, and can be programmed to follow routine functions of the organization.

[Figure: Transaction Processing Systems: systems that perform and record daily routine transactions necessary for business. Operational-level systems by business area (Sales and Marketing, Manufacturing, Finance, Accounting, Human Resources): order tracking, order processing, machine control, plant scheduling, material movement and control, securities trading, cash management, payroll, accounts payable, accounts receivable, compensation, training and development, employee records.]

Management Information Systems

1. It assists lower management in problem solving and making decisions. They use the results of transaction processing and some other information also.

2. An important element of MIS is the database. A database is a non-redundant collection of interrelated data items that can be processed through application programs and is available to many users.

[Figure: Management Information Systems: systems that serve planning, control and decision-making through routine summary and reports. Management-level systems by business area (Sales and Marketing, Manufacturing, Finance, Accounting, Human Resources): sales management, inventory control, annual budgeting, capital investment, relocation analysis.]

Decision Support Systems

1. These systems assist higher management to make long term decisions.
2. These types of systems handle unstructured or semi-structured decisions. A decision is considered unstructured if there are no clear procedures for making the decision and if not all the factors to be considered in the decision can be readily identified in advance.
3. A decision support system must be very flexible. The user should be able to produce customized reports by giving particular data and format specific to particular situations.

[Figure: Decision-support Systems: systems that combine data, models and analysis tools for non-routine decision-making. Management-level systems by business area (Sales and Marketing, Manufacturing, Finance, Accounting, Human Resources): sales region analysis, production scheduling, cost analysis, pricing / profitability analysis, contract cost analysis.]

Executive Information System

Also known as an Executive Support System (ESS), it provides executives information in a readily accessible, interactive format. They are a form of MIS intended for top-level executive use. An EIS/ESS usually allows summary over the entire organisation and also allows drilling down to specific levels of detail. They also use data produced by the ground-level TPS so the executives can gain an overview of the entire organisation. Used by top level (strategic) management. They are designed to the individual. They let the CEO of an organisation tie in to all levels of the organisation. They are very expensive to run and require extensive staff support to operate.

[Figure: Executive Support Systems: systems that support non-routine decision-making through advanced graphics and communications. Strategic-level systems by business area (Sales and Marketing, Manufacturing, Finance, Accounting, Human Resources): 5-year sales trend forecasting, 5-year operating plan, 5-year budget forecasting, profit planning, personnel planning.]

CHAPTER III - DETERMINING INFORMATION NEEDS FOR AN ORGANISATION / INDIVIDUAL MANAGER

Organisations are increasingly aware of the potential of information in providing competitive advantage and sustaining their success, as evidenced in a number of commentaries and published case studies. The descriptions of information as an asset and a resource (Burk & Horton, 1988; Best, 1996) are no longer unusual. However, the origin of these descriptions in classical economics ignores the place of information in the fabric of a political system or culture of an organisation.

INFORMATION & INDIVIDUAL MANAGER

we res ee t si ilities w i f rmati ee s f ma a ers i strate f i i i als i r a isati s. Beca se f t e e el me t a im leme tati a i e a li

organisations to meet their goals it is appropriate to restrict ourselves to considering managers rather than all individuals in organisations.

The work of managers

The classic view of managerial functions as planning, organising, coordinating and controlling suggest a rational and ordered approach to management activities. Yet studies of managers in their workplaces present a picture of an approach to managerial activities that is quite different.

One study identified ten different roles for managers. The roles were categorised into three groups to form an integrated view of what senior managers do. The interpersonal roles of figurehead, leader and liaison stem from the manager's formal authority. The informational roles of monitor, disseminator, and spokesman derive from the manager's interpersonal contacts. In this role the manager emerges as the "nerve centre" of the organisational unit. The decisional roles of entrepreneur, disturbance handler, resource handler and negotiator arise from the manager as the formal authority of the organisational unit who can commit the unit to action. This approach to managing acknowledges the action-oriented, outward-looking and ritualistic aspects of managerial work as well as managers' strong preferences for verbal media in finding information.

Another study of managers at work identified three major processes in which they are engaged: agenda setting, network building and implementing their agendas through networks. The key challenges for general managers reflect the information and people oriented demands of these three processes: "figuring out what to do (making decisions) in an environment characterised by uncertainty, great diversity, and an enormous quantity of potentially relevant information" and "getting things done (implementation) through a large and diverse group of people despite having relatively little control over them".

Networking is a feature of another view of managerial work. This study distinguished between successful and effective managers, between those who are promoted and those who have "satisfied, committed subordinates and produce organisational results". Three other categories of activity developed from the research of managers and their subordinates were routine communication, traditional management and human resources management. Networking includes interaction with outsiders and socialising/politicking inside and outside the organisation; routine communication activities include exchanging information and handling paperwork; traditional management activities consist of planning, decision making and controlling; and human resource management includes motivating/reinforcing, disciplining/punishing, managing conflict, staffing and training/developing. Networking had the strongest relationship with success, whereas routine communication had the strongest with effectiveness. The type of activity with the weakest relationship with success is human resource management and with effectiveness the weakest is networking.

The final study considered here explores the work of middle managers. The study of middle managers focussed on strategy formation, a process that moves away from the overly rational, command and control model of strategy as a two stage process of formulation and implementation and has "more to do with learning than planning". It suggests that managing relationships, communicating, finding innovation, creating a mindset and facilitating learning are integral to creating competitive advantage. Four distinct roles for middle managers in strategy were identified: championing strategic alternatives, synthesising information, facilitating adaptability, and implementing deliberate strategy. By engaging in these roles, middle managers link strategic purpose and organisational action.

These studies of managerial work range across managers at different levels in organisations from senior management to middle management. They also span different kinds of organisational structures from the more traditional hierarchies to post-entrepreneurial organisations with leaner, flatter structures and participative, team-based work units.

DATA-FLOW DIAGRAMS

Specific elements included on data-flow diagrams (DFDs) include outside units such as customer needs, and inside units such as the employees who actually manipulate data. Data storage areas are also indicated on DFDs, and whether a data element inputs to an element or reads from an element. Each type of element is denoted within a prescribed symbol (e.g., rectangles signify outside units) so that a simple glance at the chart is enough to differentiate each element. Diagrams can also be annotated to show the volume and frequency with which these changes occur. DFDs are helpful in that they show exactly how data flow is initiated and by whom, who or which system receives the data, and what they do to the data. However, data-flow diagrams do not show specific processing details, nor are they a helpful representation of how the process fits onto a timeline. Data-flow diagrams can be designed to illustrate existing processes as well as to document better and even ideal situations.

[Figure: Data flow diagram - banking organization]

Data Flow Diagrams - The Rules

External Entities
It is normal for all the information represented within a system to have been obtained from, and/or to be passed onto, an external source or recipient. These external entities may be duplicated on a diagram, to avoid crossing data flow lines. Where they are duplicated a stripe is drawn across the left hand corner. The addition of a lowercase letter to each entity on the diagram is a good way to uniquely identify them.

Processes
When naming processes, avoid glossing over them, without really understanding their role. Indications that this has been done are the use of vague terms in the descriptive title area, like 'process' or 'update'. The most important thing to remember is that the description must be meaningful to whoever will be using the diagram.

Data Flows
Double headed arrows can be used (to show two-way flows) on all but bottom level diagrams. Furthermore, in common with most of the other symbols used, a data flow at a particular level of a diagram may be decomposed to multiple data flows at lower levels.

Data Stores
Each store should be given a reference letter, followed by an arbitrary number. These reference letters are allocated as follows:
'D' - indicates a permanent computer file
'M' - indicates a manual file
'T' - indicates a transient store, one that is deleted after processing.
In order to avoid complex flows, the same data store may be drawn several times on a diagram. Multiple instances of the same data store are indicated by a double vertical bar on their left hand edge.

ANALYSIS OF INFORMATION FOR DECISION PROCESSES ETC

DECISION MAKING

Decision making is usually defined as a mental process, which involves judging multiple options or alternatives, in order to select one, so as to best fulfill the aims or goals of the decision maker. The output of this process can be an action or an opinion of choice. Therefore, there are two main components involved in decision making: the set of alternatives, judged by the decision maker, and the goals to be satisfied with the choice of one alternative.

With the decision, we give precedence to the selected alternative, assuming (and hoping) that this alternative will provide the best (i.e., the easiest, cheapest, safest, most efficient, etc.) solution to our decision problem. The decision is considered a conscious and deliberate act, what makes the decision maker responsible for its consequences. The implementation of the decision often consumes resources, such as time, energy, money and willpower, and is therefore irrevocable. The consequences of a decision cannot be taken back, they can only be affected by new decisions.

When approaching a problem, we have to know what exactly we are deciding about, what are the goals and what are the possible consequences of the decision. In other words, we should at least partly know the alternatives and their properties, and we have to be aware of possible uncertainties.

Decision making is a process. This means that in general it takes some time and effort until the choice is made, involving several activities:
• identification of the decision problem,
• collecting and verifying relevant information,
• identifying decision alternatives,
• anticipating the consequences of decisions,
• making the decision,
• informing concerned people and public of the decision and rationale,
• implementing the selected alternative,
• evaluating the consequences of the decision.
The key step of this process is making the decision itself, that is, choosing the most preferred alternative using judgement based on available information.

CLASSIFICATION OF DECISION PROBLEMS

Decision problems are incredibly diverse. On the one hand, we are faced with everyday problems, which are usually simple and easy to solve: when to get up in the morning, what kind of bread to buy, whether to stop at the red light or not, etc. On the other hand, there are difficult problems which require large resources, affect many people and have important consequences: which strategy to take on European market, how to organise public transportation in a capital city, etc. Somewhere in between are important problems of individuals (what to study?), families (where to live?) and organisations (how to survive in the economic crisis?).

In decision support, we are typically interested only in "sufficiently difficult" decision problems, which are "worth" approaching in an organised and systematic manner and which have sufficiently "important" consequences. It should make sense to collect information about these problems, think and discuss about the possible solutions, and in general support the process with some method, computer program or information system, if necessary. It is also important to understand that it is possible to effectively support only decision problems and processes that are sufficiently well understood.

Decision problems can be classified along different dimension. One classification is into routine and non-routine problems, which often implies a considerable difference in difficulty. Routine decisions are taken frequently and repeatedly. The decision maker typically knows them well and feels familiar with the problem. All key factors, consequences and uncertainties are well understood and under control. Such decisions are usually easy. In contrary, non-routine decisions

tend to be more difficult, particularly because of the lack of knowledge and experience in taking such decisions. Often, non-routine decisions are risky and have important consequences.

With respect to frequency, decision can be one-time or recurring. From decision-support perspective, the frequency dimension is important because it largely determines the focus of the decision-making process. With one-time decisions, the emphasis is on the decision itself: the goal is to find and implement the best alternative. The process ends when the alternative has been chosen (or implemented in some cases). From decision-support perspective, this usually requires the use of methods for the evaluation and analysis of alternatives, and the use of general-purpose decision support software. With recurring decisions, the focus usually shifts to finding the most effective method or procedure for choosing alternatives. Although it is still important to find the best alternative each time, it is often more important to implement an effective decision-making process. This often requires designing and implementing dedicated decision support software.

Depending on the number and role of participants in the decision-making process, we distinguish between individual and group decisions. Individual decision problems typically involve a single decision maker. Alternatively, they can even involve more participants, provided that they have the same goals and decide "as one". In group decision-making processes, there are several individuals or groups that have different and often conflicting goals. In the latter case, decision support aims at resolving the conflict and finding the common solution, either by consensus or leverage.

Another classification considers the number of criteria, which are taken into account when assessing alternatives. Single-criterion (or single-attribute) methods take into account only one criterion, most often some monetary value, such as profit or income. Many well-known decision analysis tools, such as decision tables and decision trees in their basic forms, consider only one criterion. However, most real-life decisions depend on multiple criteria; for example, in addition to return of investment (a single criterion), we may also want to consider the increase of market share and employment generated by the investment. The corresponding decision analysis methods are called multi-criteria or multi-attribute.

With respect to uncertainty, decision problems are classified in decision theory into:
• Decisions under certainty: Here, the decision maker has all the necessary information about alternatives and the consequences of decisions are certain and accurate.
• Decisions with risk: The decision maker does not know the true value of external factors ("state of nature") for certain, but he can quantify his uncertainty through a probability distribution of possible outcomes.
• Decision under strict uncertainty: The decision maker feels that he can say nothing at all about the true "state of nature". In particular, he cannot quantify his uncertainty in any way.
Uncertainty refers to a state of limited knowledge or information so that something is unknown or is not perfectly known [6]. Uncertainty occurs whenever there are external factors that influence the decision, but are beyond the control of the decision maker and are unknown to the decision maker at the time of decision.

For decision support in organisations, there is a very important categorisation of decision problems based on the nature of the decision to be made and the scope of the decision itself, although there is some overlap with the previous classification. The nature of decision is represented with three categories referring to the level of structure of decision problems (Figure 2):
• Structured decisions: These are all decisions for which a well-defined decision-making

procedure exists. This means that all inputs, outputs and internal procedures are known and can be specified. Structured decisions can be left to a clerk or a computer.
• Semi-structured decisions: Here, the decision has some structured elements but cannot be completely structured. We do not know how to specify at least one of the components (inputs, outputs, internal procedures). Most organisational decisions are of this type. Computers can provide a great deal of specific help.
• Unstructured decisions: Here, all decision components are unstructured. This may be because the decision is so new, so complex or so rare that we have not studied them completely. Computers can still help the decision maker, but only indirectly and with a low level of support. Typical examples are related, for instance, to personnel management: recruiting new employees and making expert teams.

Another dimension, scope, refers to the levels of management in an organisation (Figure 2):
• Strategic decisions affect the entire organisation, or a major part of it, for a long period of time. In most cases, they are made at the upper level of organisational management. Examples of strategic decisions are decisions about introducing a new product or service, entering a new market, or reorganising the production.
• Tactical decisions affect a part of the organisation for a limited time into the future. Tactical decisions are generally made by middle managers and take place in the context of previous strategic decisions.
• Operational decisions affect only current activities in an organisation; they have no or very limited impact for a short period of time. They are generally structured or semi-structured. Operational decisions are usually made by lower level managers or non-managerial personnel. Examples of operational decisions are whether to approve a loan to a client, or how to repair a malfunctioned machine.

The scope of decisions importantly affects the characteristics of information required in the process (Table 1). The understanding of information characteristics is an important factor for a successful design and implementation of any decision support system.

Finally, let us mention single- and multi-stage decisions. In a single-stage decision process, there is only one key decision to be made. In contrast, a multi-stage decision processes consist of several related decisions, which can be taken sequentially or in parallel. Actually, the distinction between sequential and parallel decisions is sometimes difficult, because any decision process, even a single-stage one, consists of a series of other decisions. For example, when we encounter a decision process, we have first to "decide" how to approach it: intuitively, impulsively, ad-hoc, or in some organised way. We also have to "decide" which alternatives to take on board and which goals to consider. Who are the decision makers and with whom to collaborate? Where to get the relevant information? Which decision support method or computer program to use? And finally, after we have chosen the alternative, we have to "decide" for action.

DECISION SUPPORT METHODS

In this section we present three typical approaches to decision support and illustrate them through examples: decision analysis, operational research, and decision support systems.

DECISION ANALYSIS

Decision analysis is popularly known as "applied decision theory". It is the discipline comprising the philosophy, theory, methodology, and professional practice necessary to address important decisions in an organised and formal manner. Decision analysis approaches a decision problem systematically by structuring and breaking it down into smaller and possibly more manageable subproblems. In doing that, it explicitly considers the possible decision alternatives, available information, uncertainties involved, and relevant preferences of the decision maker. It also attempts to formally represent these components and combine them in a form of decision models, which are used to assess, evaluate and analyse alternatives. Essentially, this takes place as a decomposition of the decision process into a series of smaller and smaller decision subprocesses. We seek for a sequence of decision subproblems that are sufficiently easy to solve and can be combined together in order to solve the overall decision problem. In principle, rational decisions are proposed in this way. In the case of missing information and other difficulties, decision analysis tries to provide decisions which are not optimal but "satisfactory" or "sufficiently good".

Usually, the decision analysis process proceeds in stages, such as:
1. identification of the decision problem
2. identification of alternatives
3. problem decomposition and modelling
4. evaluation and analysis of alternatives

5. selection of the best alternative
6. implementation of the decision

If necessary, the stages can be intermixed or repeated. The most distinctive stages of decision analysis are the third stage, in which a decision model is developed, and the fourth stage, in which the model is used to evaluate and analyse alternatives. Usually, the model is developed by the decision maker using one of the many decision modelling methods or tools. If necessary, the decision maker can consult experts, who provide information and experience about the decision problem, and/or decision analysts, who give methodological advice and may even coordinate the whole process. Typical decision modelling techniques include decision trees, influence diagrams, and multi-attribute models.

Let us illustrate decision analysis concepts through a hypothetical decision problem. John is an economist who has just finished his MBA studies. He got four job offers from four companies, called A (a manufacturing company), B (banking), C (consulting), and D (information technology). John wants to take into account four important factors: location, salary, relation to management science (which he particularly likes), and long term prospects of the job. He wants to formalize these factors and use them to assess each job offer.

Preference relations are conveniently represented in a comparison matrix (Table 2). In order to avoid comparing each alternative with itself, and to compare each pair of alternatives only once, more than half of the table is greyed-out and should be left empty. In the remaining cells, we enter 1, 0, or -1. The number 1 indicates that we prefer the alternative written in the first column over the alternative in the first row. The number 0 indicates indifference. The number -1 also indicates the strict preference, but in the reverse order.

The next possible step is to look at job offers in more detail and consider their positive and negative aspects. Table 3 illustrates a simple qualitative comparison method called pros and cons analysis. In the table, good things ("pros") and bad things ("cons") are identified about each alternative. Lists of the pros and cons are compared one to another for each alternative. The alternative with the strongest pros and weakest cons is preferred. Pros and cons analysis is subjective and is usually suitable for simple decisions with few alternatives (2 to 4). It requires no mathematical skills and can be used without computers.

Assessment of job offer: on the basis of multi-criteria model

DECISION SUPPORT SYSTEMS
Decision support systems (DSS) are defined as interactive computer-based information systems intended to help decision makers utilize data and models in order to identify and solve problems, and make decisions. In contrast with decision analysis and operational research, where the emphasis is on making and using decision models, DSS focus on providing information technology for decision makers at various levels in organisations. The emphasis is on providing relevant information and presenting it in a suitable form so as to improve the decision making process and tasks. The main characteristics of DSS are:
• DSS incorporate both data and models.
• They are designed to assist managers in their decision processes in semi-structured or unstructured decision-making tasks.
• They support, rather than replace, managerial judgment.
• Their objective is to improve the quality and effectiveness (rather than efficiency) of decision making.

DSS can support decision makers in a number of different ways. They can store data and provide means to search for relevant data items. More advanced techniques include query languages and data warehouses. DSS can integrate data from different sources and of different types (relational data, documents, video, etc.). Data can be viewed and analysed using pivot tables and other methods of online analytical processing (OLAP). The results can be presented in reports and tables, as well as graphically using advanced visualisation techniques. With data mining algorithms, the decision maker can find interesting patterns in data. DSS can provide computational and statistical models, for instance for trend analysis. DSS can incorporate all types of decision analysis and operational research models presented above. Consequently, using these models, DSS can evaluate and assess decision alternatives or find optimal solutions of mathematically formulated problems. Also, DSS can contain rules that guide specific decision processes. Last but not least, DSS can provide communication and other means to support the collaboration of decision makers.

Taking into account all this variety and using the mode of assistance as the criterion, DSS are differentiated into the following types:
• communication-driven DSS: support more than one person working on a shared task.
• data-driven DSS or data-oriented DSS: emphasize access to and manipulation of a time series of internal company data and, sometimes, external data.

• document-driven DSS: manage, retrieve, and manipulate unstructured information in a variety of electronic formats.
• knowledge-driven DSS: provide specialized problem-solving expertise stored as facts, rules, procedures, or in similar structures.
• model-driven DSS: emphasize access to and manipulation of a statistical, financial, optimization, evaluation, or simulation model.

DECISION SYSTEMS
For the final section, let us step from human to computer decision making - that is, from decision sciences to decision systems (see Figure 1). Although we cannot really compare the mechanisms of human and computer decision making, we can still observe and compare the performance of the two. Computer decision making is fundamentally different from human decision making and has an advantage that we understand it very well. Computers make decisions according to programmed procedures, which can be easily analysed, modified and observed during their operation. The computer has to be programmed to carry out some given task. This means that the programmer has to define a sequence of instructions that are executed by the computer. When executing instructions (i.e., when the program is running), it is often necessary that the program reacts differently in different situations, depending on the current state of the program and data available to the program. For this reason, one of the fundamental characteristics of computer programs is their ability to branch: programs contain instructions that "switch" between branches composed of other sequential instructions.

For example, let us consider a very simple mathematical operation: division of two numbers, say x/y. This operation makes sense only if y≠0. Therefore, even in this very simple case, the computer must "decide" whether to carry out the division or not. Before each division, the computer must check the value of y. If y=0, it should not make the calculation, but rather issue some message to the user or perform some other corrective action. Otherwise, the division is possible and the program should calculate the result. In a computer programming language, these instructions may be formulated as follows:

Every computer program contains instructions like these. All instructions are (in principle) pre-defined by the programmer, however the branching occurs while the program is running. On the basis of data that is available to the program, it must "decide" which sequence of instructions to take for further execution. Even though instructions are explicitly specified by the programmer and their execution is deterministic (fully predictable), the program dynamically chooses between different courses of actions. Externally, this appears as an ability of the computer to adapt and make decisions. In this way, we can

gradually add more and more instructions and combine them into complex branching sequences. In this way, we can create computer programs that exhibit very complex behaviour, even to the point that is often referred to as "intelligent": intelligent control systems, game playing programs, intelligent agents, etc. For example, chess-playing programs are already capable of outperforming most human players, including the world chess champion.

Among "intelligent" computer programs, there is a particularly interesting class of programs which are able to "learn". These programs either observe their own performance or monitor some data generated through performance of other systems. Based on examples of successful or unsuccessful performances, machine learning programs can find patterns that explain the reasons for such behaviour, they can find rules that improve performance, or can even modify themselves (by modifying their own operating instructions) to achieve better performance in the future. The scientific discipline that is concerned with the design and development of algorithms that allow computers to change behaviour based on data is called machine learning.

Autonomous vehicles provide good examples of advanced decision systems. In order to explore the surface of Mars, two Mars Rover vehicles were sent by the USA to that planet. The distance between Earth and Mars is so large that it takes 12 minutes in average for a signal to travel that distance. This makes it almost impossible to steer the vehicle from Earth. Therefore, Mars Rovers were designed as highly autonomous vehicles, which were receiving basic commands from the Earth, but were also capable to navigate challenging and unknown terrain, investigate targets, and detect scientific events.

Another example, which is currently at the borderline of decision systems, is related to the DARPA Urban Challenge, a prize competition held in 2007. The requirements were to build a fully autonomous vehicle, which must be entirely autonomous, using only the information it detects with its sensors and public signals such as GPS, and which would be able to drive autonomously between two given points in an urban area, obeying the driving laws. The main event took place on November 3, 2007, on a course in California, which involved a 96 km urban area course, to be completed in less than 6 hours. Six of 11 vehicles accomplished the mission, which is considered a groundbreaking success.

CHAPTER IV. STRATEGIC USE OF INFORMATION & IS
The word "strategy" originates from the Greek word strategos, meaning "general." In war, a strategy is a plan to gain an advantage over the enemy. Other disciplines, especially business, have borrowed the term. As you know from media coverage, corporate executives often discuss actions in ways that make business competition sound like war. Businesspeople must devise decisive courses of action to win - just as generals do. In business, a strategy is a plan designed to help an organization outperform its competitors. Unlike battle plans, however, business strategy often takes the form of creating new opportunities rather than beating rivals.

Although many information systems are built to solve problems, many others are built to seize opportunities. And, as anyone in business can tell you, identifying a problem is easier than creating an opportunity. Why? Because a problem already exists; it is an obstacle to a desired mode of operation and, as such, calls attention to itself. An opportunity, on the other hand, is less tangible. It takes a certain amount of imagination, creativity, and vision to identify an opportunity, or to create one and seize it. Information systems that help seize opportunities are

often called strategic information systems (SISs). They can be developed from scratch, or they can evolve from an organization's existing ISs. A Strategic Information System (SIS) is a system that helps companies change or otherwise alter their business strategy and/or structure. It is typically utilized to streamline and quicken the reaction time to environmental changes and aid it in achieving a competitive advantage. Key features of the Strategic Information Systems are the following:
1) Decision support systems that enable to develop a strategic approach to align Information Systems (IS) or Information Technologies (IT) with an organization's business strategies
2) Primarily Enterprise resource planning solutions that integrate/link the business processes to meet the enterprise objectives for the optimization of the enterprise resources
3) Database systems with the "data mining" capabilities to make the best use of available corporate information for marketing, production, promotion and innovation. The SIS systems also facilitate identification of the data collection strategies to help optimize database marketing opportunities.
4) The real-time information Systems that intend to maintain a rapid-response and the quality indicators.

USE OF INFORMATION FOR CUSTOMER BONDING
Customer relationship management is a business concept as old as business itself. For a small business servicing less than a thousand or so customers, it is feasible to build and maintain customer relationships entirely through face-to-face interactions between the staff and the customers. But as a business grows in size and number of customers, building and maintaining customer relationships and managing customer information quickly become complicated tasks. Growth requires increasingly sophisticated technology to properly implement the best practices in customer relationship management.

Maintaining control of customer relationships is possible only through consistent implementation of classic, well-proven customer bonding techniques, such as individualized customer care and communications, rewards for customer value and loyalty, special consideration for high-value customers and customized products and services. But as a company's number of customers increases, these time-honored techniques become difficult to implement. Add such factors as increased competition, a smaller available share of the customer's financial resources, economic fluctuations, technological advances, employee turnover and limited resources to invest in customer relationship management and a company can easily find that it has lost the ability to positively influence customer relationships. The results are lost opportunities to improve customer loyalty and to promote customer growth through the purchase of additional products and services.

Corporate marketing departments, paired with information technology support, have made the greatest contributions in developing customer relationship strategies that successfully leverage

information, marketing communications and innovative customer acquisition, retention and growth strategies. In most cases, database marketing concepts and approaches form the foundation for a corporation's CRM strategy. Database marketing campaigns have effectively lowered customer attrition and bolstered acquisition and cross-sell response rates in many companies and industries. Database marketing drove the initial design and development of data marts, or marketing data warehouses, as one would expect, fully focused on customer-level data and marketing communications. Marketing data marts have enabled advanced analysis of customer data to provide not only valuable customer profiles and segmentation capabilities, but also the ability to predict critical patterns of customer behavior. Now, through integration of the marketing data mart with advanced analysis techniques, "best-of-class" database marketers have defined the basic requirements of campaign management.

Let's understand from the following figure how IT helps to build customer loyalty.

Finally, a successful business nurtures an online community of customers, employees, and business partners that builds great customer loyalty as it fosters cooperation to provide an outstanding customer experience.

FOR KNOWLEDGE MANAGEMENT
In an economy where the only certainty is uncertainty, the one sure source of lasting competitive advantage is knowledge. When markets shift, technologies proliferate, competitors multiply, and products become obsolete almost overnight, successful companies are those that consistently create new knowledge, disseminate it widely throughout the organization, and quickly embody it in new technologies and products. These activities define the "knowledge-creating" company, whose sole business is continuous innovation.

Many companies today can only realize lasting competitive advantage if they become knowledge-creating companies or learning organizations. That means consistently creating new business knowledge, disseminating it widely throughout the company, and quickly building the new knowledge into their products and services.

Knowledge-creating companies exploit two kinds of knowledge. One is explicit knowledge, which is the data, documents, and things written down or stored on computers. The other kind is tacit knowledge, or the "how-tos" of knowledge, which resides in workers. Tacit knowledge can often represent some of the most important information within an organization. Long-time employees of a company often "know" many things about how to manufacture a product, deliver the service, deal with a particular vendor, or operate an essential piece of equipment. This tacit knowledge is not recorded or codified anywhere because it has evolved in the employee's mind through years of experience. Furthermore, much of this tacit knowledge is never shared with anyone who might be in a position to record it in a more formal way because there is often little incentive to do so or simply, "Nobody ever asked."

As illustrated in the following figure, successful knowledge management creates techniques, technologies, systems, and rewards for getting employees to share what they know and make better use of accumulated workplace and enterprise knowledge. In that way, employees of a company are leveraging knowledge as they do their jobs.

Figure: Knowledge management can be viewed as three levels of techniques, technologies, and systems that promote the collection, organization, access, sharing, and use of workplace and enterprise knowledge.

Making personal knowledge available to others is the central activity of the knowledge-creating company. It takes place continuously and at all levels of the organization.

Knowledge management has thus become one of the major strategic uses of information technology. Many companies are building knowledge management systems (KMS) to manage organizational learning and business know-how. The goal of such systems is to help knowledge workers create, organize, and make available important business knowledge, wherever and whenever it's needed in an organization. This information includes processes, procedures, patents, reference works, formulas, "best practices," forecasts, and fixes. As you will see in Chapter 10, Internet and intranet Web sites, groupware, data mining, knowledge bases, and online discussion groups are some of the key technologies that may be used by a KMS.

Knowledge management systems also facilitate organizational learning and knowledge creation. They are designed to provide rapid feedback to knowledge workers, encourage behavior changes by employees, and significantly improve business performance. As the organizational learning process continues and its knowledge base expands, the knowledge-creating company works to integrate its knowledge into its business processes, products, and services. This integration helps the company become a more innovative and agile provider of high-quality products and customer services, as well as a formidable competitor in the marketplace. Now let's close this chapter with an example of knowledge management strategies from the real world.

It's hard to place a value on knowledge management systems. Their ability to generate income is often measured indirectly; their links to cost savings frequently seem tenuous. The return on investment is hard to quantify. Too often, the case for implementing a system to leverage intellectual capital and expertise rests mainly on intuition:

It seems like a good idea. But intuition wasn't nearly enough to sell executives at Intec Engineering Partnership Ltd., a company whose dedication to thrift is exceeded only by its passion for sharing knowledge. An engineering firm serving the oil and gas industry, Intec is headquartered in Houston with offices throughout the world. As Intec grew through expansion and international acquisitions, it became more difficult to keep track of and access information. In fact, according to KPMG International, 6 out of 10 employees say difficulty in accessing undocumented knowledge is a major problem.

A group of Intec engineers volunteered to work on the problem of how to better capture lessons learned and share knowledge among them. They diagrammed how they solved engineering problems and envisioned an ideal process: An engineer with a question would go to a knowledge database that would either provide an answer or refer him to an expert. All new knowledge would be automatically captured and stored in the database. Intec shopped around and selected software from AskMe Corp. as the product most likely to facilitate Intec's problem-solving model.

The pilot, called AskIntec, began in May 2002. Three months later, it had exceeded all of the performance and user metrics, and ROI calculations projected an annual return of 133 percent. After nearly a year, the system is paying off almost exactly as projected. "Our numbers were pretty spot-on, but they're going up," says CIO Fran Steele, noting that the company estimates payback of 50 percent more next year as nonengineering employees are added and the system becomes embedded in the culture.

In the end, customers profit from Intec's knowledge management investment. "If we can cut weeks off a project and help them get their facility ready earlier, they can get to market sooner and get that revenue earlier," says Steele. "Some of the return on information is not quantified just by how quickly you can do something, but by the fact that you can do it at all," she says. "That's the ultimate value."

Source: Adapted from Kathleen Melymuka, "Knowledge Management Helps Intec Get Smarter by the Hour."

FOR INNOVATION
Introduce new products and services, put new features in existing products and services, or develop new ways to produce them. Innovation is similar to differentiation except that the impact is much more dramatic. Differentiation "tweaks" existing products and services to offer the customer something special and different. Innovation implies something so new and different that it changes the nature of the industry. A classic example is the introduction of automated teller machines (ATM) by Citibank. The convenience and cost-cutting features of this innovation gave Citibank a huge advantage over its competitors. Like many innovative products, the ATM changed the nature of competition in the banking industry so that now an ATM network is a competitive necessity for any bank. Eight ways that IT can introduce technological innovation for competitive advantage are shown in the following table.

In the late 1990s innovation became almost synonymous with electronic commerce. The Internet, especially, enabled dot-com entrepreneurs to create innovative Web-based business models, such as Priceline's name-your-own-price model, Auto-by-Tel's infomediary model, and Amazon.com's affiliate program.

A key consideration in introducing innovation is the need to continually innovate. When one company introduces a successful innovation, other companies in the industry need to respond to the threat by attempting to duplicate or better that innovation. Especially in electronic commerce, the visibility of technologies on the Web makes keeping innovations secret more difficult.

FOR MANAGING BUSINESS RISKS

Out of many possible interpretations of a strategy an organization adopts in business, it is found that a majority is concerned with competition between corporations. Competition means cultivating unique strengths and capabilities, and defending them against imitation by other firms. Another alternative sees competition as a process linked to innovation in product, market, or technology. Strategic information systems theory is concerned with the use of information technology to support or sharpen an enterprise's competitive strategy. Competitive strategy is an enterprise's plan for achieving sustainable competitive advantage over, or reducing the edge of, its adversaries. The performance of individual corporations is determined by the extent to which they manage the following (as given by Porter):
a) the bargaining power of suppliers,
b) the bargaining power of buyer,
c) the threat of new entrants,
d) the threat of substitute products, and
e) rivalry among existing firms.
Porter's classic diagram representing these forces is indicated below.

Porter's Forces Driving Industry Competition (Porter 1980)

There are two basic factors which may be considered to be adopted by organization in their strategies:
a) low cost
b) product differentiation
Enterprise can succeed relative to their competitors if they possess sustainable competitive advantage in either of these two. Another important consideration in positioning is 'competitive scope', or the breadth of the enterprise's target markets within its industry, i.e. the range of product varieties it offers, the distribution channels it employs, the types of buyers it serves, the geographic areas in which it sells, and the array of related industries in which it competes. Under Porter's framework, enterprises have four generic strategies available to them whereby they can attain above average performance. They are:
a) cost leadership,
b) differentiation,
c) cost focus, and

d) focused differentiation.
Porter's representation of them is indicated below.

Porter's Four Generic Strategies (Porter 1980)

According to Porter, competitive advantage grows out of the way an enterprise organizes and performs discrete activities. The operations of any enterprise can be divided into a series of activities, such as salespeople making sales calls, service technicians performing repairs, scientists in the laboratory designing products or processes, and treasurers raising capital. By performing these activities, enterprises create value for their customers. The ultimate value an enterprise creates is measured by the amount customers are willing to pay for its product or services. A firm is profitable if this value exceeds the collective cost of performing all of the required activities. To gain competitive advantage over its rivals, a firm must either provide comparable value to the customer, but perform activities more efficiently than its competitors (lower cost), or perform activities in a unique way that creates greater buyer value and commands a premium price (differentiation).

Product differentiation and Value Chain
Product differentiation is the degree to which buyers perceive products from alternative suppliers to be different. It is expressed by economic theory as the degree to which buyers perceive imperfections in product substitutability. The buyers of differentiated products may have to pay a price when satisfying their preference for something special, in return for greater added-value. As per Borden 1964, quoted in Wiseman 1988, many differentiation bases can be classified as 4 P's as given below:
· product (quality, features, options, style, brand name, packaging, sizes, services, warranties, returns);
· price (list, discounts, allowances, payment period, credit terms);
· place (channels, coverage, locations, inventory, transport); and
· promotion (advertising, personal selling, sales promotion, publicity).
The various attributes listed above can be sharpened for the firm's product with the support of a suitable information technology.

The connection between the producer and buyers may be reinforced, at least to the level of customer loyalty, and perhaps to the point of establishing a partnership between them. Such a relationship imposes 'switching costs' on the buyer, because its internal processes become adapted to the beneficial peculiarities of the particular factor of production, and use of an

alternative would force internal changes. Hence product differentiation also serves as an entry barrier. In addition, a continuous process of product differentiation may produce an additional cost advantage over competitors and potential entrants, through intellectual property protections, such as patents, and the cost of imitation.

The activities performed by a particular enterprise can be analysed into primary activities, which directly add value to the enterprise's factors of production, which are together referred to as the 'value chain', and supporting activities. Primary activities are value addition activities like production, marketing delivery, and servicing of the product. These activities are connected in a chain. Support activities include those providing purchased inputs, technology, human resources, or overall infrastructure functions to support the primary activities.

Porter's Enterprise Value Chain (Porter 1980)

It is possible to reduce the transaction cost by proper coordination of all the activities. It should be possible to gather better information for various controls and also replace the same by less costly activities. It will also be possible to reduce the overall time required to complete an activity. Therefore coordination is very important to achieve competitive advantage. For this it is necessary to manage the value chain as a system rather than as separate parts.

An enterprise's value chain for competing in a particular industry is embedded in a larger stream of activities. What Porter termed as 'value system' may be referred to as the 'industry value-chain'. This chain consists of mainly the suppliers and distribution channels. Any activity of an organization is subjected to one or more of the following

• New technologies - Newer technologies change the direction of the value chain.
• Shifting buyer needs - The buyers have been increasing their demands to satisfy their needs in the form of convenience and better price and features. This demand influences a change in the related market segments.
• Variation in industry segmentation - The value system undergoes a change depending upon the existence of old and new systems and its components in the value chain. Organizations which fail to adjust will have to close down their business.
• Changes in the costs - It is possible to gain competitive advantage by optimizing the activities based on present conditions. Enterprises which continue to work on the older approaches in outdated modes of operation suffer.
• Changes in government regulations - If there is a change in the standards of the product of the enterprise, with respect to the environmental controls, restrictions on entry to the market, and trade barriers, then it affects the performance of the enterprise.

FOR CREATING NEW BUSINESS MODELS AND NEW BUSINESS REALITIES
A business model is a conceptual tool containing a set of objects, concepts and their relationships with the objective to express the business logic of a specific firm. Therefore we must consider which concepts and relationships allow a simplified description and representation of what value is provided to customers, how this is done and with which financial consequences. In the literature, the expression business models stands for various things, such as parts of a business model (e.g. auction model), types of business models (e.g. direct-to-customer model), concrete real world instances of business models (e.g. the Dell model) or concepts (elements and relationships of a model). The search included several variations of the original term like "e-business model", "new business model" or "Internet business model".

Part of the relationship between technology and business models stems from the business model concept's roots in transaction cost economics (TCE). The sharp rise in cheap information technology, bandwidth, and communication possibilities made it much easier for companies to work in so-called value webs because coordination and transaction costs fell substantially. This cost decrease led to industry boundaries becoming increasingly blurred. Companies, in some cases even competitors, jointly offer and commercialize value to their customers. Thus, the business design choices for managers increased substantially based on cheap and available information technology. The business model concept is a candidate to replace the industry as a unit of analysis.

Consider iTunes Software/Website of Apple Computer, a successful music downloading service. The main role of this service is not only to sell music online, but to enhance the company's sales of iPods, a portable digital music player. That is, in terms of industry sectors, this website includes the software, hardware, and music industries. In terms of business models this website forms a whole set of business design choices that reinforce one another.

The development of the digital economy and its contribution in development of e-business models, value-adding activities, consumer behavior and strategies for competitive advantage among others is vital in modern business. The development of e-business has forced a review of the value of traditional business models and focused attention on how ICTs, including the

internet, can be used as a basis for creating new types of business models and the strategies that are built around them. Many e-business model definitions feature an architecture for information flows that underpin value added product or service delivery and a source of revenue (subscription, advertising, etc.). Crucially, an e-business model differs from traditional models by emphasizing the technology driven interactivity of key actors along the supply chain as a means of adding value, increasing efficiency, and building new relationships with suppliers and customers and creating partnerships. Key components of e-business models typically comprise strategy, structure, business processes, value chain and core competencies. Technology is another key feature that should be included. However, the development of e-business models has not been without its critics. Porter (2001) noted that the empirical use of the e-business model concept was unclear and lacked theoretical rigour.

Another effect of the digital revolution has been the evident convergence of industries and technologies. Where once, industries such as telecommunications, broadcasting and computing were separate sectors, now they have converged to provide a range of products and services that rely on the overlap of activities and attributes that characterize each. For example, media content in the form of video, audio or text-based products can be distributed via the internet, satellite, cable, compact disc and accessed through different platforms such as television, home computer, mobile wireless phone or PDAs among others. The convergence has not only been evident in the technologies that support these industries, but also in the firms that supply the products and services. Collaboration and consolidation have been key features of the global multimedia industry with more and more market share being vested in fewer firms. Firms such as News Corporation and Google have become increasingly powerful as they acquire ever-greater influence in the supply of media products and services around the world.

Other industries have also been radically changed by the digital revolution such as financial services, travel, retailing and logistics and distribution. All have acquired the types of hardware and software that helps deliver better quality products and services faster, and often cheaper than ever before. Key to the success of competing firms in the digital world is the creation of effective strategies for competitive advantage.

A key technological development affecting e-business is the emergence of the mobile wireless internet. This technology provides another channel for communications and transactions – mobile commerce (m-commerce). There are many definitions of what constitutes m-commerce, but all feature the basic element of interactive communication for undertaking business using mobile devices. For it to be termed m-commerce, there has to be some economic or business element to the communication. There are numerous types of technologies that can be installed in devices to facilitate m-commerce including Short Message Service (SMS), Bluetooth, Wireless Application Protocol (WAP) and 3G services.

M-commerce business models

Watson et al. (2002) highlights how m-commerce has changed the business view of time and space. Key concepts underpinning the m-commerce environment include ubiquity, universality, uniqueness and unison.

for communications by facilitating the exchange of information between mobile devices, PCs and other devices.

Market penetration for mobile phones has been exponential in growth, fast paced and global in scale. As mobile telephony services reached saturation in leading markets such as the USA, Europe and Japan, so manufacturers sought competitive advantage by extending functionality and differentiating through design. Whilst US consumers continue to use mobile phones primarily for personal communication, Japanese and European customers have sought additional functionality such as internet access, video streaming and photographic capability. Firms have responded by developing new mobile technologies such as the i-mode (internet service) and FOMA (3G mobile service) produced by leading Japanese communications company DoCoMo.

CHAPTER – V. INFORMATION SECURITY

Information Security has three primary goals, known as the security triad:

Confidentiality – Making sure that those who should not see your information, can not see it.
Integrity – Making sure the information has not been changed from how it was intended to be.
Availability – Making sure that the information is available for use when you need it.

As you can see, the security triad can be remembered as the letters CIA. These principles are simplistic when broken down, but when you think about it more in depth, all steps taken within security are to help complete one or more of these three security goals.

When most people think about Information Security, they will generally only think of the first item, Confidentiality, and for good reason, since that's all the media seems to think security is about. Confidentiality is also, ironically, the one of the three goals you most often do not need. A public web-site does not want to be confidential; it would defeat the point of being public. In order to promote Confidentiality, you have several tools at your disposal, depending on the nature of the information. Encryption is the most commonly thought of method used to promote Confidentiality, but other methods include Access Control Lists (ACLs) that keep people from having access to information, using smart cards plus PIN numbers to prevent unauthorized people into your building and looking around, or even explaining to your employees what information about the company they can and cannot disclose over the phone.

When information is read or copied by someone not authorized to do so, the result is known as loss of confidentiality. For some types of information, confidentiality is a very important attribute. Examples include research data, medical and insurance records, new product specifications, and corporate investment strategies. In some locations, there may be a legal obligation to protect the privacy of individuals. This is particularly true for banks and loan companies; debt collectors; businesses that extend credit to their customers or issue credit cards; hospitals, doctors' offices, and medical testing laboratories; individuals or agencies that offer services such as psychological counseling or drug treatment; and agencies that collect taxes.

Information can be corrupted when it is available on an insecure network. When information is modified in unexpected ways, the result is known as loss of integrity. This means that unauthorized changes are made to information, whether by human error or intentional tampering. Integrity is particularly important for critical safety and financial data used for activities such as

electronic funds transfers, air traffic control, and financial accounting.

Integrity is the part of the triad that affects the most people in the IT world, but few seem to notice it, and fewer still think of it as a security issue. The files on your operating system must maintain a high level of integrity, but worms, viruses and trojans are a major issue in IT, and can also be a way that an attacker can get information out of your network, or inject his own information into it. And integrity is not just about malicious parties, it also covers items such as disk errors, or accidental changes made to files by unauthorized users. Access control lists (ACLs), physical security, and regular backups all fall under integrity (And sometimes confidentiality and availability. One fix can solve multiple problems).

Information can be erased or become inaccessible, resulting in loss of availability. This means that people who are authorized to get information cannot get what they need. Availability is often the most important attribute in service-oriented businesses that depend on information (for example, airline schedules and online inventory systems).

Availability is the part of the triad most administrators have to worry about at work, and with good reason. It's the most common, and most visible, part of the security triad, and it is part of the job duties of just about every administrator, even non-security based ones. It's mostly about system uptime for them, but it can also cover subjects such as accidentally denying a user access to a resource they should have, having a user locked out of the front door because the biometrics does not recognize his fingerprints (False negative), or even major issues such as natural disasters, and how the company should recover in case of one.

TYPES OF THREATS AND RISK

What Is Risk With Respect To Information Systems?

Risk is the potential harm that may arise from some current process or from some future event. Risk is present in every aspect of our lives and many different disciplines focus on risk as it applies to them. From the IT security perspective, risk management is the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity or availability of an information system. IT security risk is the harm to a process or the related information resulting from some purposeful or accidental event that negatively impacts the process or the related information. Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

Threats

The potential for a threat source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

The threat is merely the potential for the exercise of a particular vulnerability. Threats in themselves are not actions. Threats must be coupled with threat-sources to become dangerous. This is an important distinction when assessing and managing risks, since each threat-source may be associated with a different likelihood, which, as will be demonstrated, affects risk assessment and risk management. It is often expedient to incorporate threat sources into threats. The list

below shows some (but not all) of the possible threats to information systems.

Why Is It Important to Manage Risk?

The principal reason for managing risk in an organization is to protect the mission and assets of the organization. Therefore, risk management must be a management function rather than a technical function. It is vital to manage risks to systems. Understanding risk, and in particular, understanding the specific risks to a system allow the system owner to protect the information system commensurate with its value to the organization. The fact is that all organizations have limited resources and risk can never be reduced to zero. So, understanding risk, especially the magnitude of the risk, allows organizations to prioritize scarce resources.

CONTROL ANALYSIS

The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat's exercising a system vulnerability.

Control Methods

Security controls encompass the use of technical and nontechnical methods. Technical controls

are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access control mechanisms, identification and authentication mechanisms, encryption methods, intrusion detection software). Nontechnical controls are management and operational controls, such as security policies; operational procedures; and personnel, physical, and environmental security.

The control categories for both technical and nontechnical control methods can be further classified as either preventive or detective. These two subcategories are explained as follows:
• Preventive controls inhibit attempts to violate security policy and include such controls as access control enforcement, encryption, and authentication.
• Detective controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums.

Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of threats. These controls may range from simple to complex measures and usually involve system architectures; engineering disciplines; and security packages with a mix of hardware, software, and firmware. All of these measures should work together to secure critical and sensitive data, information, and IT system functions. Technical controls can be grouped into the following major categories, according to primary purpose:
• Support. Supporting controls are generic and underlie most IT security capabilities. These controls must be in place in order to implement other controls.
• Prevent. Preventive controls focus on preventing security breaches from occurring in the first place.
• Detect and Recover. These controls focus on detecting and recovering from a security breach.

Supporting Technical Controls

Supporting controls are, by their very nature, pervasive and interrelated with many other controls. The supporting controls are as follows:
• Identification. This control provides the ability to uniquely identify users, processes, and information resources. To implement other security controls (e.g., discretionary access control [DAC], mandatory access control [MAC], accountability), it is essential that both subjects and objects be identifiable.
• Cryptographic Key Management. Cryptographic keys must be securely managed when cryptographic functions are implemented in various other controls. Cryptographic key management includes key generation, distribution, storage, and maintenance.
• Security Administration. The security features of an IT system must be configured (e.g., enabled or disabled) to meet the needs of a specific installation and to account for changes in the operational environment. System security can be built into operating system security or the application. Commercial off-the-shelf add-on security products are available.
• System Protections. Underlying a system's various security functional capabilities is a base of confidence in the technical implementation. This represents the quality of the implementation from the perspective both of the design processes used and of the manner in which the implementation was accomplished. Some examples of system protections are residual information protection (also known as object reuse), least privilege (or "need to know"), process separation, modularity, layering, and minimization of what needs to be trusted.

Preventive Technical Controls

These controls, which can inhibit attempts to violate security policy, include the following:
• Authentication. The authentication control provides the means of verifying the identity of a subject to ensure that a claimed identity is valid. Authentication mechanisms include passwords, personal identification numbers, or PINs, and emerging authentication technology that provides strong authentication (e.g., token, smart card, digital certificate, Kerberos).
• Authorization. The authorization control enables specification and subsequent management of the allowed actions for a given system (e.g., the information owner or the database administrator determines who can update a shared file accessed by a group of online users).
• Access Control Enforcement. Data integrity and confidentiality are enforced by access controls. When the subject requesting access has been authorized to access particular processes, it is necessary to enforce the defined security policy (e.g., MAC or DAC). These policy-based controls are enforced via access control mechanisms distributed throughout the system (e.g., MAC sensitivity labels; DAC file permission sets, access control lists, roles, user profiles). The effectiveness and the strength of access control depend on the correctness of the access control decisions (e.g., how the security rules are configured) and the strength of access control enforcement (e.g., the design of software or hardware security).
• Nonrepudiation. System accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Nonrepudiation spans both prevention and detection. It has been placed in the prevention category in this guide because the mechanisms implemented prevent the successful repudiation of an action (e.g., the digital certificate that contains the owner's private key is known only to the owner). As a result, this control is typically applied at the point of transmission or reception.
• Protected Communications. In a distributed system, the ability to accomplish security objectives is highly dependent on trustworthy communications. The protected communications control ensures the integrity, availability, and confidentiality of sensitive and critical information while it is in transit. Protected communications use data encryption methods (e.g., virtual private network, Internet Protocol Security [IPSEC] Protocol), and deployment of cryptographic technologies (e.g., Data Encryption Standard [DES], Triple DES, RAS, MD4, MD5, secure hash standard, and escrowed encryption algorithms such as Clipper) to minimize network threats such as replay, interception, packet sniffing, wiretapping, or eavesdropping.
• Transaction Privacy. Both government and private sector systems are increasingly required to maintain the privacy of individuals. Transaction privacy controls (e.g., Secure Sockets Layer, secure shell) protect against loss of privacy with respect to transactions performed by an individual.

Detection and Recovery Technical Controls

Detection controls warn of violations or attempted violations of security policy and include such controls as audit trails, intrusion detection methods, and checksums. Recovery controls can be used to restore lost computing resources. They are needed as a complement to the supporting and preventive technical measures, because none of the measures in these other areas is perfect. Detection and recovery controls include:
• Audit. The auditing of security-relevant events and the monitoring and tracking of system abnormalities are key elements in the after-the-fact detection of, and recovery from, security breaches.
• Intrusion Detection and Containment. It is essential to detect security breaches (e.g., network break-ins, suspicious activities) so that a response can occur in a timely manner. It is also of little

use to detect a security breach if no effective response can be initiated. The intrusion detection and containment control provides these two capabilities.
• Proof of Wholeness. The proof-of-wholeness control (e.g., system integrity tool) analyzes system integrity and irregularities and identifies exposures and potential threats. This control does not prevent violations of security policy but detects violations and helps determine the type of corrective action needed.
• Restore Secure State. This service enables a system to return to a state that is known to be secure, after a security breach occurs.
• Virus Detection and Eradication. Virus detection and eradication software installed on servers and user workstations detects, identifies, and removes software viruses to ensure system and data integrity.

4.4.2 Management Security Controls

Management security controls, in conjunction with technical and operational controls, are implemented to manage and reduce the risk of loss and to protect an organization's mission. Management controls focus on the stipulation of information protection policy, guidelines, and standards, which are carried out through operational procedures to fulfill the organization's goals and missions.

Operational Security Controls

An organization's security standards should establish a set of controls and guidelines to ensure that security procedures governing the use of the organization's IT assets and resources are properly enforced and implemented in accordance with the organization's goals and mission. Management plays a vital role in overseeing policy implementation and in ensuring the establishment of appropriate operational controls.
