Jatiya Kabi Kazi Nazrul Islam University

Trishal, Mymensingh-2220

Course Name: Management Information System

Course Code: HRM-409
An assignment on
Securing Information System and
Contemporary Approaches to Information System

Submitted to
Rimon Sarker
Assistant Professor
Department of Human Resource Management
Jatiya Kabi Kazi Nazrul Islam University

Submitted By
Rakibul Islam
Roll: 17133042
Session: 2016-17
Department of Human Resource Management
Jatiya Kabi Kazi Nazrul Islam University

Date of Submission: 31-01-2022

Question: 1 Why are information systems vulnerable to destruction, error and
abuse?
Information system is vulnerable to destruction, error and abuse because it is one type of digital
data. Digital data are vulnerable to destruction, misuse, error, fraud, and hardware or software
failures. When large amounts of data are stored in electronic form, they are vulnerable to many
more kinds of threats than when they existed in manual form. The Internet is designed to be an
open system and makes internal corporate systems more vulnerable to actions from outsiders. It
also is more vulnerable because it virtually opens to anyone. Hackers can unleash denial-of-service
(DoS) attacks or penetrate corporate networks, causing serious system disruptions. Wi-Fi networks
also can easily be penetrated by intruders using sniffer programs to obtain an address to access the
resources of the network. Computer viruses and worms can disable systems and Web sites.
Software presents problems because software bugs may be impossible to eliminate and because
software vulnerabilities can be exploited by hackers and malicious software. Therefore, end users
often introduce errors.
Why systems are vulnerable
• Hardware problems
• Breakdowns, configuration errors, damage from improper
use or crime
• Software problems
• Programming errors, installation errors, unauthorized
changes)
• Disasters
• Power failures, flood, fires, etc.
• Use of networks and computers outside of
firm’s control
• E.g., with domestic or offshore outsourcing vendors
Internet vulnerabilities
• Network open to anyone
• Size of Internet means abuses can have wide impact
• Use of fixed Internet addresses with permanent connections to Internet eases identification by
hackers
• attachments
• used for transmitting trade secrets
• IM messages lack security, can be easily intercepted
Wireless security challenges
• Radio frequency bands easy to scan
• SSIDs (service set identifiers)
• Identify access points
• Broadcast multiple times
• War driving
• Eavesdroppers drive by buildings and try to intercept network traffic
• When hacker gains access to SSID, has access to network’s
resources
• WEP (Wired Equivalent Privacy)
• Security standard for
• Basic specification uses shared password for both users and access point
• Users often fail to use security features
Malicious software (malware)
• Viruses: Rogue software program that attaches itself to other software programs or data files in
order to be executed
• Worms: Independent computer programs that copy themselves from one computer to other
computers over a network
• Trojan horses: Software program that appears to be benign but then does something other than
expected
• Spyware: Small programs install themselves surreptitiously on computers to monitor user Web
surfing activity and serve up
advertising
• Key loggers: Record every keystroke on computer to steal serial numbers, passwords, launch
Internet attacks
Hackers and computer crime
• Activities include
• System intrusion
• Theft of goods and information
• System damage
• Cybervandals
• Intentional disruption, defacement, destruction of Web site or corporate information system
Spoofing
• Misrepresenting oneself by using fake addresses or masquerading as someone else
• Redirecting Web link to address different from intended one, with site masquerading as intended
destination
• Sniffer: Eavesdropping program that monitors information traveling over network
• Denial-of-service attacks (DoS): Flooding server with thousands of false requests to crash the
network
• Distributed denial-of-service attacks (DDoS): Use of numerous computers to launch a DoS
Computer crime
• Defined as “any violations of criminal law that involve a
knowledge of computer technology for their perpetration,
investigation, or prosecution”
• Computer may be target of crime, e.g.:
• Breaching confidentiality of protected computerized data
• Accessing a computer system without authority
• Computer may be instrument of crime, e.g.:
• Theft of trade secrets
• Using for threats or harassment
Identity theft
Theft of personal Information (social security id, driver’s license or credit card numbers) to
impersonate someone else.
• Phishing: Setting up fake Web sites or sending messages that look like legitimate businesses to
ask users for confidential personal data.
• Evil twins: Wireless networks that pretend to offer trustworthy Wi-Fi connections to the Internet
• Pharming: Redirects users to a bogus Web page, even when individual types correct Web page
address into his or her browser
Click fraud
• Individual or computer program clicks online ad without any intention of learning more or
making a Purchase.
• Global threats - Cyberterrorism and cyberwarfare
• Concern that Internet vulnerabilities and other networks make digital networks easy targets for
digital attacks by terrorists, foreign intelligence services, or other groups.
Internal threats – Employees
• Security threats often originate inside an organization
• Inside knowledge
• Sloppy security procedures
• User lack of knowledge
• Social engineering:
• Tricking employees into revealing their passwords by pretending to be legitimate members of
the company in need of information.
Software vulnerability
• Commercial software contains flaws that create security vulnerabilities
• Hidden bugs (program code defects)
• Zero defects cannot be achieved because complete testing is not possible with large programs
• Flaws can open networks to intruders
• Patches
• Vendors release small pieces of software to repair flaws
• However, amount of software in use can mean exploits
created faster than patches be released and implemented
Lack of security, control can lead to Loss of revenue
• Failed computer systems can lead to significant or total loss of business function
• Lowered market value:
• Information assets can have tremendous value
• A security breach may cut into firm’s market value almost immediately
• Legal liability
• Lowered employee productivity
• Higher operational costs

Question: 2 What is the business value of security and control?

Security and control provide a lot of business value for an organization. Without the two, a business
can crumble due to loss of information and data that is needed for the company’s operations.
Business value of security:
• Security pertains to the measurements that a company takes in order to help prevent intrusions
from hackers or other unauthorized individuals.
• These measurements can be certain policies and procedures that will ultimately aim to eliminate
the threats of identity theft or possible damage to a company’s system.
• Security makes sure that a business is running very smoothly and free of any possible external
threats.
• Information can be kept confidential which would ensure great customer service and reliability.
Lack of sound security and control can cause firms relying on computer systems for their core
business functions to lose sales and productivity. Information assets, such as confidential employee
records, trade secrets, or business plans, lose much of their value if they are revealed to outsiders
or if they expose the firm to legal liability. New laws, such as the Personal Information Protection
and Electronic Documents Act (PIPEDA), require companies to practise stringent electronic
records management and adhere to strict standards for security, privacy, and control. Legal actions
requiring electronic evidence and computer forensics also require firms to pay more attention to
security and electronic records management.
Security and control have become a critical, although perhaps unappreciated, area of information
system investment.
• When computer system fail to run or work as required, first that depends heavily on computer
experience serious loss.
• Longer computer systems down serious loss. • These days every organization depends on Internet
and Networked system.
Corporate networks and home computer systems were overwhelmed by attacks from the SoBig.F
worm. SoBig. SoBig caused an estimated $50 million in damage in the United States alone during
that period, temporarily disabling freight and computer traffic • Companies have very valuable
information assets to protect. Systems often house confidential information about individuals’
taxes, financial assets, medical records, and job performance reviews. • Businesses must protect
not only their own information assets but also those of customers, employees, and business
partners.

Question: 3 What are the components of an organizational framework for

security and control?
Firms need to establish a good set of both general and application controls for their information
systems. A risk assessment evaluates information assets, identifies control points and control
weaknesses, and determines the most cost-effective set of controls. Firms must also develop a
coherent corporate security policy and plans for continuing business operations in the event of
disaster or disruption. The security policy includes policies for acceptable use and identity
management. Comprehensive and systematic MIS auditing helps organizations determine the
effectiveness of security and controls for their information systems.
Even with the best security tools, your information systems won’t be reliable and secure unless
you know how and where to deploy them. You’ll need to know where your company is at risk and
what controls you must have in place to protect your information systems. You’ll also need to
develop a security policy and plans for keeping your business running if your information systems
aren’t operational.
1. Information Systems Controls
Information systems controls are both manual and automated and consist of general and
application controls. General controls govern the design, security, and use of computer programs
and the security of data files in general throughout the organization’s information technology
infrastructure. On the whole, general controls apply to all computerized applications and consist
of a combination of hardware, software, and manual procedures that create an overall control
environment.
General controls include software controls, physical hardware controls, computer operations
controls, data security controls, controls over the systems development process, and administrative
controls. Table 8.4 describes the functions of each of these controls. Application controls are
specific controls unique to each computerized application, such as payroll or order processing.
They include both automated and manual procedures that ensure that only authorized data are
completely and accurately processed by that application. Application controls can be classified as
(1) input controls, (2) processing controls, and (3) output controls.
Input controls check data for accuracy and completeness when they enter the system. There are
specific input controls for input authorization, data conversion, data editing, and error handling.
Processing controls establish that data are complete and accurate during updating. Output controls
ensure that the results of computer processing are accurate, complete, and properly distributed.
You can find more detail about application and general controls in our Learning Tracks.
Information systems controls should not be an afterthought. They need to be incorporated into the
design of a system and should consider not only how the system will perform under all possible
conditions but also the behavior of organizations and people using the system.
2. Risk Assessment
Before your company commits resources to security and information systems controls, it must
know which assets require protection and the extent to which these assets are vulnerable. A risk
assessment helps answer these questions and determine the most cost-effective set of controls for
protecting assets.
A risk assessment determines the level of risk to the firm if a specific activity or process is not
properly controlled. Not all risks can be anticipated and measured, but most businesses will be
able to acquire some understanding of the risks they face. Business managers working with
information systems specialists should try to determine the value of information assets, points of
vulnerability, the likely frequency of a problem, and the potential for damage. For example, if an
event is likely to occur no more than once a year, with a maximum of a $1000 loss to the
organization, it is not wise to spend $20,000 on the design and maintenance of a control to protect
against that event. However, if that same event could occur at least once a day, with a potential
loss of more than $300,000 a year, $100,000 spent on a control might be entirely appropriate.
Table 8.5 illustrates sample results of a risk assessment for an online order processing system that
processes 30,000 orders per day. The likelihood of each exposure occurring over a one-year period
is expressed as a percentage. The next column shows the highest and lowest possible loss that
could be expected each time the exposure occurred and an average loss calculated by adding the
highest and lowest figures and dividing by two. The expected annual loss for each exposure can
be determined by multiplying the average loss by its probability of occurrence.
This risk assessment shows that the probability of a power failure occurring in a one-year period
is 30 percent. Loss of order transactions while power is down could range from $5000 to $200,000
(averaging $102,500) for each occurrence, depending on how long processing is halted. The
probability of embezzlement occurring over a yearly period is about 5 percent, with potential losses
ranging from $1000 to $50,000 (and averaging $25,500) for each occurrence. User errors have a
98 percent chance of occurring over a yearly period, with losses ranging from $200 to $40,000
(and averaging $20,100) for each occurrence.
After the risks have been assessed, system builders will concentrate on the control points with the
greatest vulnerability and potential for loss. In this case, controls should focus on ways to minimize
the risk of power failures and user errors because anticipated annual losses are highest for these
areas.
3. Security Policy
After you’ve identified the main risks to your systems, your company will need to develop a
security policy for protecting the company’s assets. A security policy consists of statements
ranking information risks, identifying acceptable security goals, and identifying the mechanisms
for achieving these goals. What are the firm’s most important information assets? Who generates
and controls this information in the firm? What existing security policies are in place to protect the
information? What level of risk is management willing to accept for each of these assets? Is it
willing, for instance, to lose customer credit data once every 10 years? Or will it build a security
system for credit card data that can withstand the once-in-a-hundred-years disaster? Management
must estimate how much it will cost to achieve this level of acceptable risk.
The security policy drives other policies determining acceptable use of the firm’s information
resources and which members of the company have access to its information assets. An acceptable
use policy (AUP) defines acceptable uses of the firm’s information resources and computing
equipment, including desktop and laptop computers, mobile devices, telephones, and the Internet.
A good AUP defines unacceptable and acceptable actions for every user and specifies
consequences for noncompliance.
The access rules illustrated here are for two sets of users. One set of users consists of all employees
who perform clerical functions, such as inputting employee data into the system. All individuals
with this type of profile can update the system but can neither read nor update sensitive fields, such
as salary, medical history, or earnings data. Another profile applies to a divisional manager, who
cannot update the system but who can read all employee data fields for his or her division,
including medical history and salary. We provide more detail about the technologies for user
authentication later on in this chapter.
4. Disaster Recovery Planning and Business Continuity Planning
If you run a business, you need to plan for events, such as power outages, floods, earthquakes, or
terrorist attacks, that will prevent your information systems and your business from operating.
Disaster recovery planning devises plans for the restoration of disrupted computing and
communications services. Disaster recovery plans focus primarily on the technical issues involved
in keeping systems up and running, such as which files to back up and the maintenance of backup
computer systems or disaster recovery services.
For example, MasterCard maintains a duplicate computer center in Kansas City, Missouri, to serve
as an emergency backup to its primary computer center in St. Louis. Rather than build their own
backup facilities, many firms contract with cloud-based disaster recovery services or firms such as
SunGard Availability Services that provide sites with spare computers around the country where
subscribing firms can run their critical applications in an emergency.
Business continuity planning focuses on how the company can restore business operations after a
disaster strikes. The business continuity plan identifies critical business processes and determines
action plans for handling mission-critical functions if systems go down. For example, Health ways,
a well-being improvement company headquartered in Franklin, Tennessee, implemented a
business continuity plan that identified the business processes of nearly 70 departments across the
enterprise and the impact of system downtime on those processes. Health ways pinpointed its most
critical processes and worked with each department to devise an action plan.
Business managers and information technology specialists need to work together on both types of
plans to determine which systems and business processes are most critical to the company. They
must conduct a business impact analysis to identify the firm’s most critical systems and the impact
a systems outage would have on the business. Management must determine the maximum amount
of time the business can survive with its systems down and which parts of the business must be
restored first.
5. The Role of Auditing
How does management know that information systems security and controls are effective? To
answer this question, organizations must conduct comprehensive and systematic audits. An
information systems audit examines the firm’s overall security environment as well as controls
governing individual information systems. The auditor should trace the flow of sample transactions
through the system and perform tests, using, if appropriate, automated audit software. The
information systems audit may also examine data quality. Security audits review technologies,
procedures, documentation, training, and personnel. A thorough audit will even simulate an attack
or disaster to test the response of the technology, information systems staff, and business
employees.
The audit lists and ranks all control weaknesses and estimates the probability of their occurrence.
It then assesses the financial and organizational impact of each threat. Figure 8.4 is a sample
auditor’s listing of control weaknesses for a loan system. It includes a section for notifying
management of such weaknesses and for management’s response. Management is expected to
devise a plan for countering significant weaknesses in controls.

Question: 4 What are the Tools for Information Security?

In order to ensure the confidentiality, integrity, and availability of information, organizations can
choose from a variety of tools. Each of these tools can be utilized as part of an overall information-
security policy, which will be discussed in the next section.
Authentication
The most common way to identify someone is through their physical appearance, but how do we
identify someone sitting behind a computer screen or at the ATM? Tools for authentication are
used to ensure that the person accessing the information is, indeed, who they present themselves
to be. Authentication can be accomplished by identifying someone through one or more of three
factors: something they know, something they have, or something they are. For example, the most
common form of authentication today is the user ID and password. In this case, the authentication
is done by confirming something that the user knows (their ID and password). But this form of
authentication is easy to compromise (see sidebar) and stronger forms of authentication are
sometimes needed. Identifying someone only by something they have, such as a key or a card, can
also be problematic. When that identifying token is lost or stolen, the identity can be easily stolen.
The final factor, something you are, is much harder to compromise. This factor identifies a user
through the use of a physical characteristic, such as an eye-scan or fingerprint. Identifying someone
through their physical characteristics is called biometrics. A more secure way to authenticate a
user is to do multi-factor authentication. By combining two or more of the factors listed above, it
becomes much more difficult for someone to misrepresent themselves. An example of this would
be the use of an RSA SecurID token. The RSA device is something you have, and will generate a
new access code every sixty seconds. To log in to an information resource using the RSA device,
you combine something you know, a four-digit PIN, with the code generated by the device. The
only way to properly authenticate is by both knowing the code and having the RSA device.
Access Control
Once a user has been authenticated, the next step is to ensure that they can only access the
information resources that are appropriate. This is done through the use of access control. Access
control determines which users are authorized to read, modify, add, and/or delete information.
Several different access control models exist. Here we will discuss two: the access control list
(ACL) and role-based access control (RBAC). For each information resource that an organization
wishes to manage, a list of users who have the ability to take specific actions can be created. This
is an access control list, or ACL. For each user, specific capabilities are assigned, such as read,
write, delete, or add. Only users with those capabilities are allowed to perform those functions. If
a user is not on the list, they have no ability to even know that the information resource exists.
ACLs are simple to understand and maintain. However, they have several drawbacks. The primary
drawback is that each information resource is managed separately, so if a security administrator
wanted to add or remove a user to a large set of information resources, it would be quite difficult.
And as the number of users and resources increase, ACLs become harder to maintain. This has led
to an improved method of access control, called role-based access control, or RBAC. With RBAC,
instead of giving specific users access rights to an information resource, users are assigned to roles
and then those roles are assigned the access. This allows the administrators to manage users and
roles separately, simplifying administration and, by extension, improving security.
Encryption
Many times, an organization needs to transmit information over the Internet or transfer it on
external media such as a CD or flash drive. In these cases, even with proper authentication and
access control, it is possible for an unauthorized person to get access to the data. Encryption is a
process of encoding data upon its transmission or storage so that only authorized individuals can
read it. This encoding is accomplished by a computer program, which encodes the plain text that
needs to be transmitted; then the recipient receives the cipher text and decodes it (decryption). In
order for this to work, the sender and receiver need to agree on the method of encoding so that
both parties can communicate properly. Both parties share the encryption key, enabling them to
encode and decode each other’s messages. This is called symmetric key encryption. This type of
encryption is problematic because the key is available in two different places. An alternative to
symmetric key encryption is public key encryption. In public key encryption, two keys are used: a
public key and a private key. To send an encrypted message, you obtain the public key, encode the
message, and send it. The recipient then uses the private key to decode it. The public key can be
given to anyone who wishes to send the recipient a message. Each user simply needs one private
key and one public key in order to secure messages. The private key is necessary in order to decrypt
something sent with the public key.
Physical Security
An organization can implement the best authentication scheme in the world, develop the best
access control, and install firewalls and intrusion prevention, but its security cannot be complete
without implementation of physical security. Physical security is the protection of the actual
hardware and networking components that store and transmit information resources. To implement
physical security, an organization must identify all of the vulnerable resources and take measures
to ensure that these resources cannot be physically tampered with or stolen. These measures
include the following.
Locked doors: It may seem obvious, but all the security in the world is useless if an intruder can
simply walk in and physically remove a computing device. High-value information assets should
be secured in a location with limited access.
Physical intrusion detection: High-value information assets should be monitored through the use
of security cameras and other means to detect unauthorized access to the physical locations where
they exist.
Secured equipment: Devices should be locked down to prevent them from being stolen. One
employee’s hard drive could contain all of your customer information, so it is essential that it be
secured.
Environmental monitoring: An organization’s servers and other high-value equipment should
always be kept in a room that is monitored for temperature, humidity, and airflow. The risk of a
server failure rises when these factors go out of a specified range.
Employee training: One of the most common ways thieves steal corporate information is to steal
employee laptops while employees are traveling. Employees should be trained to secure their
equipment whenever they are away from the office.
Backups
Another essential tool for information security is a comprehensive backup plan for the entire
organization. Not only should the data on the corporate servers be backed up, but individual
computers used throughout the organization should also be backed up. A good backup plan should
consist of several components. A full understanding of the organizational information resources.
What information does the organization actually have? Where is it stored? Some data may be
stored on the organization’s servers, other data on users’ hard drives, some in the cloud, and some
on third-party sites. An organization should make a full inventory of all of the information that
needs to be backed up and determine the best way back it up.
Regular backups of all data. The frequency of backups should be based on how important the data
is to the company, combined with the ability of the company to replace any data that is lost. Critical
data should be backed up daily, while less critical data could be backed up weekly.
Offsite storage of backup data sets. If all of the backup data is being stored in the same facility as
the original copies of the data, then a single event, such as an earthquake, fire, or tornado, would
take out both the original data and the backup! It is essential that part of the backup plan is to store
the data in an offsite location.
Test of data restoration. On a regular basis, the backups should be put to the test by having some
of the data restored. This will ensure that the process is working and will give the organization
confidence in the backup plan.
Firewalls
Network configuration with firewalls, IDS, and a DMZ. Click to enlarge. Another method that an
organization should use to increase security on its network is a firewall. A firewall can exist as
hardware or software (or both). A hardware firewall is a device that is connected to the network
and filters the packets based on a set of rules. A software firewall runs on the operating system and
intercepts packets as they arrive to a computer. A firewall protects all company servers and
computers by stopping packets from outside the organization’s network that do not meet a strict
set of criteria. A firewall may also be configured to restrict the flow of packets leaving the
organization. This may be done to eliminate the possibility of employees watching YouTube
videos or using Facebook from a company computer.
Some organizations may choose to implement multiple firewalls as part of their network security
configuration, creating one or more sections of their network that are partially secured. This
segment of the network is referred to as a DMZ, borrowing the term demilitarized zone from the
military, and it is where an organization may place resources that need broader access but still need
to be secured.
As computing and networking resources have become more and more an integral part of business,
they have also become a target of criminals. Organizations must be vigilant with the way they
protect their resources. The same holds true for us personally: as digital devices become more and
more intertwined with our lives, it becomes crucial for us to understand how to protect ourselves.
 Contemporary approaches to information systems
The study of information systems is a multidisciplinary field. No single theory or perspective
dominates. It illustrates the major disciplines that contribute problems, issues, and solutions in the
study of information systems. In general, the field can be divided into technical and behavioral
approaches. Information systems are sociotechnical systems. Though they are composed of
machines, devices, and “hard” physical technology, they require substantial social, organizational,
and intellectual investments to make them work properly.
TECHNICAL APPROACH

The technical approach to information systems emphasizes mathematically based models to study
information systems, as well as the physical technology and formal capabilities of these systems.
The disciplines that contribute to the technical approach are computer science, management
science, and operations research. Computer science is concerned with establishing theories of
computability, methods of computation, and methods of efficient data storage and access.
Management science emphasizes the development of models for decision-making and
management practices. Operations research focuses on mathematical techniques for optimizing
selected parameters of organizations, such as transportation, inventory control, and transaction
costs.
BEHAVIORAL APPROACH

An important part of the information systems field is concerned with behavioral issues that arise
in the development and long-term maintenance of information systems. Issues such as strategic
business integration, design, implementation, utilization, and management cannot be explored
usefully with the models used. in the technical approach. Other behavioral disciplines contribute
important concepts and methods. For instance, sociologists study information systems with an eye
toward how groups and organizations shape the development of systems and also how systems
affect individuals, groups, and organizations. Psychologists study information systems with an
interest in how human decision makers perceive and use formal information. Economists study
information systems with an interest in understanding the production of digital goods, the
dynamics of digital markets, and how new information systems change the control and cost
structures within the firm. The behavioral approach does not ignore technology. Indeed,
information systems technology is often the stimulus for a behavioral problem or issue. But the
focus of this approach is generally not on technical solutions. Instead, it concentrates on changes
in attitudes, management and organizational policy, and behavior.
APPROACH OF THIS TEXT: SOCIOTECHNICAL SYSTEMS

The study of management information systems (MIS) arose to focus on the use of computer-based
information systems in business firms and government agencies. MIS combines the work of
computer science, management science, and operations research with a practical orientation
toward developing system solutions to real-world problems and managing information technology
resources. It is also concerned with behavioral issues surrounding the development, use, and
impact of information systems, which are typically discussed in the fields of sociology, economics,
and psychology. Our experience as academics and practitioners leads us to believe that no single
approach effectively captures the reality of information systems. The successes and failures of
information are rarely all technical or all behavioral. Our best advice to students is to understand
the perspectives of many disciplines. Indeed, the challenge and excitement of the information
systems field is that it requires an appreciation and tolerance of many different approaches. The
view we adopt in this book is best characterized as the sociotechnical view of systems. In this
view, optimal organizational performance is achieved by jointly optimizing both the social and
technical systems used in production
Adopting a sociotechnical systems perspective helps to avoid a purely technological approach to
information systems. For instance, the fact that information technology is rapidly declining in cost
and growing in power does not necessarily or easily translate into productivity enhancement or
bottom-line profits. The fact that a firm has recently installed an enterprise-wide financial reporting
system does not necessarily mean that it will be used, or used effectively. Likewise, the fact that a
firm has recently introduced new business procedures and processes does not necessarily mean
employees will be more productive in the absence of investments in new information systems to
enable those processes.
This means that technology must be changed and designed in such a way as to fit organizational
and individual needs. Sometimes, the technology may have to be “de-optimized” to accomplish
this fit. For instance, mobile phone users adapt this technology to their personal needs, and as a
result manufacturers quickly seek to adjust the technology to conform with user expectations.
Organizations and individuals must also be changed through training.