
Department of MBA

Individual Assignment

Course title: Management Information System

Name Aster Asfaw

ID No 0286

I. Assignment Questions
1. Explain the difference between data, information and knowledge. Provide examples for
your answer.

Definition of Data:

Data is understood differently in various sectors. In its basic form, data is a set of different
symbols and characters whose meaning only becomes clear when they are connected with a context.
Collecting and measuring observations generates data. Usually machines send, receive and
process data. The confusion between data and information often arises because information is
made out of data. In addition, data often gets interpreted as facts in the colloquial sense
and is therefore regarded as information. It can be noted that computers are very good
at crunching data; they are only now learning how to make sense of it to derive information with
the help of Machine Learning.

Definition of Information:

Data reaches a more complex level and becomes information by integrating it into a context.
Information provides expertise about facts or persons. Example of information: the
information about a date of birth still has very little value when it is unknown to which person it
belongs. By adding more information, like the name, the inter-linked pieces of information and
context represent knowledge.

Definition of Knowledge:

Knowledge thus describes the collected information that is available about a particular fact or a
person. The knowledge of this situation makes it possible to make informed decisions and solve
problems. Thus, knowledge influences the thinking and actions of people. Machines can also
make decisions based on new knowledge generated by information. In order to gain knowledge,
it is necessary to apply such information.

Implicit Knowledge – Knowledge that isn’t written down or stored digitally. It is procedural or
part of the practice, and not dependent on an individual’s context. Most institutional knowledge
is implicit, usually just muscle memory of the people in the organization. It is tribal knowledge that
isn’t documented.

Explicit Knowledge – Knowledge that is written down and accessible. It may be in paper or
digital form. Examples include training manuals, return policies, or documented product
information.

Key Differences Between Data, Information and Knowledge

1. Data is fragmented pieces of symbols and characters strung together, information is
refined data, whereas knowledge is useful information. Additionally, data can lack context
when looked at singularly, whereas information gives context to data and knowledge
brings depth in understanding to such information.
2. It is noteworthy that data is incomprehensible independently, but the outcome of
information is comprehension while the outcome of knowledge is understanding. Data is
meaningless without being compiled into a sensible structure, while information
improves representation and knowledge amplifies consciousness.
3. Data and information alone are not sufficient to make any predictions, while with knowledge
prediction is possible if one possesses the required experience.
4. You can’t use data to make any statements, while information is data strung together,
forming statements. Knowledge brings the ability to reach a deduced conclusion by putting
pieces of information together.
5. Data cannot independently be a basis for question formation; information is a text that
answers the questions of who, when, what, or where, while knowledge is a text that
answers the questions of why and how. The final difference we can consider is that data
and information are easily transferable while transferring knowledge requires learning.

2. What is an information system? What are the major components of information?

Information System

An information system, therefore, can be defined as a coordinated network of components
which act together towards producing, distributing and/or processing information. An important
factor of a computer-based information system is precision, which may not apply to other types of
systems.

System

In a system, a network of components works towards a single objective; if there is a lack of
coordination among the components, it leads to counterproductive results. A system may have the
following features:

- Adaptability: some systems are adaptive to the exterior environment, while some systems
are non-adaptive to the external environment. For example, the anti-lock braking system in a
car reacts depending on the road conditions, whereas the music system in the car is
independent of other happenings with the car.
- Limitation: every system has pre-defined limits or boundaries within which it operates.
These limits or boundaries can be defined by law or by the current state of technology.

Information

A common definition of information is data. However, data is not true information: data gets its
meaning and significance only when it becomes information. Information is represented with data,
symbols and letters.

Information has the following properties:

- Objective: One of the key properties of information is its objectiveness. Objective
information is a key component of any modern scientific research.
- Subjective: A set of information which is useful to science may be abstract or irrelevant for
others. Therefore, information is also subjective.
- Temporary: Information is temporary, changing with every update in the database.

Components of information systems

An information system is essentially made up of five components: hardware, software, database,
network and people. These five components integrate to perform input, process, output, feedback
and control.

1. Hardware consists of input/output devices, processor, operating system and media devices.
2. Software consists of various programs and procedures.
3. Database consists of data organized in the required structure.
4. Network consists of hubs, communication media and network devices.
5. People consist of device operators, network administrators and system specialists.

Information processing consists of input, data processing, data storage, output and control.

During the input stage, data and instructions are fed to the system; during the process stage they are
worked upon by software programs and other queries.

During output stage, data is presented in structured format and reports.

3. Explain how information systems help organizations to achieve different business
strategic objectives such as operational excellence and cost leadership, etc.

Using Information Systems to Achieve Competitive Advantage

Firms with a competitive advantage over others typically have access to special resources that
others do not or are able to use resources more efficiently, resulting in higher revenue growth,
profitability, or productivity growth (efficiency), all of which ultimately in the long run translate
into higher stock market valuations than their competitors.

Michael Porter's competitive forces model describes five competitive forces that shape the fate of
the firm.

1. Traditional competitors: Existing firms that share a firm's market space

2. New market entrants: New companies have certain advantages, such as not being locked
into old equipment and high motivation, as well as disadvantages, such as less expertise
and little brand recognition. Some industries have lower barriers to entry, i.e., it costs less for
a new company to enter the field.

3. Substitute products and services: These are substitutes that your customers might use if
your prices become too high. For example, Internet telephone service can substitute for
traditional telephone service. The more substitute products and services in your industry,
the less you can control pricing and raise your profit margins.

4. Customers: The power of customers grows if they can easily switch to a competitor's
products and services, or if they can force a business and its competitors to compete on
price alone in a transparent marketplace where there is little product differentiation and
all prices are known instantly (such as on the Internet).

5. Suppliers: The more different suppliers a firm has, the greater control it can exercise over
suppliers in terms of price, quality, and delivery schedules.

There are four generic strategies used to manage competitive forces, each of which often is
enabled by using information technology and systems:

1. Low-cost leadership: Use information systems to achieve the lowest operational costs and
the lowest prices. For example, a supply chain management system can incorporate an
efficient customer response system to directly link consumer behavior to distribution and
production and supply chains, helping lower inventory and distribution costs.

2. Product differentiation: Use information systems to enable new products and services, or
greatly change the customer convenience in using your existing products and services.
For instance, Land's End uses mass customization, offering individually tailored products
or services using the same production resources as mass production, to custom-tailor
clothing to individual customer specifications.

3. Focus on market niche: Use information systems to enable a specific market focus and
serve this narrow target market better than competitors. Information systems support this

strategy by producing and analyzing data for finely tuned sales and marketing techniques.
Hilton Hotels uses a customer information system with detailed data about active guests
to provide tailored services and reward profitable customers with extra privileges and
attention.

4. Strengthen customer and supplier intimacy: Use information systems to tighten linkages with
suppliers and develop intimacy with customers. Chrysler Corporation uses information systems
to facilitate direct access from suppliers to production schedules, and even permits suppliers to
decide how and when to ship supplies to Chrysler factories. This allows suppliers more lead
time in producing goods. Strong linkages to customers and suppliers increase switching costs
(the cost of switching from one product to a competing product) and loyalty to your firm.

4. Explain the different layers of information systems by managerial hierarchies. What are
the main input data and output information?

Operational management level

The operational level is concerned with performing day to day business transactions of the
organization.

Examples of users at this level of management include cashiers at a point of sale, bank tellers,
nurses in a hospital, customer care staff, etc.

Users at this level make structured decisions. This means that they have defined rules that
guide them while making decisions.

For example, suppose a store sells items on credit and has a credit policy that sets a limit
on borrowing. All the salesperson needs in order to decide whether or not to give credit to a customer
is the current credit information from the system.

Tactical Management Level

This organization level is dominated by middle-level managers, heads of departments,
supervisors, etc. The users at this level usually oversee the activities of the users at the
operational management level.

Tactical users make semi-structured decisions. The decisions are partly based on set guidelines
and judgmental calls. As an example, a tactical manager can check the credit limit and payments
history of a customer and decide to make an exception to raise the credit limit for a particular
customer. The decision is partly structured in the sense that the tactical manager has to use
existing information to identify a payments history that benefits the organization and an allowed
increase percentage.

Strategic Management Level

This is the most senior level in an organization. The users at this level make unstructured
decisions. Senior level managers are concerned with the long-term planning of the organization.
They use information from tactical managers and external data to guide them when making
unstructured decisions.

5. Discuss one functional information system that is commonly found in organizations,
such as a financial information system, human resource information system,
geographic information system, etc. Describe each component of the system, the type of data
managed by the system and the main organizational activities supported by the system.

Three main categories of information systems serve different organizational levels: operational-
level systems, management-level systems, and strategic-level systems. Operational-level systems
support operational managers by keeping track of the elementary activities and transactions of
the organization, such as sales, receipts, cash deposits, payroll, credit decisions, and the flow of
materials in a factory. The principal purpose of systems at this level is to answer routine
questions and to track the flow of transactions through the organization. How many parts are in
inventory? What happened to Mr. Williams’s payment? To answer these kinds of questions,

information generally must be easily available, current, and accurate. Examples of operational-
level systems include a system to record bank deposits from automatic teller machines or one
that tracks the number of hours worked each day by employees on a factory floor.

Management-level systems serve the monitoring, controlling, decision-making, and
administrative activities of middle managers. The principal question addressed by such systems
is this: Are things working well? Management-level systems typically provide periodic reports
rather than instant information on operations. An example is a relocation control system that
reports on the total moving, house-hunting, and home financing costs for employees in all
company divisions, noting wherever actual costs exceed budgets.

Some management-level systems support nonroutine decision making. They tend to focus
on less-structured decisions for which information requirements are not always clear. These
systems often answer “what-if” questions: What would be the impact on production schedules if
we were to double sales in the month of December? What would happen to our return on
investment if a factory schedule were delayed for six months? Answers to these questions
frequently require new data from outside the organization, as well as data from inside that cannot
be easily drawn from existing operational-level systems.

Strategic-level systems help senior management tackle and address strategic issues and
long-term trends, both in the firm and in the external environment. Their principal concern is
matching changes in the external environment with existing organizational capability. What will
employment levels be in five years? What are the long-term industry cost trends, and where does
our firm fit in? What products should we be making in five years?

Information systems also serve the major business functions, such as sales and marketing,
manufacturing and production, finance and accounting, and human resources. A typical
organization has operational-, management-, and strategic-level systems for each functional area.
For example, the sales function generally has a sales system on the operational level to record
daily sales figures and to process orders. A management-level system tracks monthly sales
figures by sales territory and reports on territories where sales exceed or fall below anticipated
levels. A system to forecast sales trends over a five-year period serves the strategic level. We

first describe the specific categories of systems serving each organizational level and their value
to the organization. Then we show how organizations use these systems for each major business
function.

6. What is data mining? What are the major applications of data mining in the
organization?

What is Data Mining?

Typically, when someone talks about “mining,” it involves people wearing helmets with lamps
attached to them, digging underground for natural resources. And while it could be funny
picturing guys in tunnels mining for batches of zeroes and ones, that doesn't exactly answer
“what is data mining.”

Data mining is the process of analyzing enormous amounts of information and datasets,
extracting (or “mining”) useful intelligence to help organizations solve problems, predict trends,
mitigate risks, and find new opportunities. Data mining is like actual mining because, in both
cases, the miners are sifting through mountains of material to find valuable resources and
elements.

Data mining also includes establishing relationships and finding patterns, anomalies, and
correlations to tackle issues, creating actionable information in the process. Data mining is a
wide-ranging and varied process that includes many different components, some of which are
even confused for data mining itself. For instance, statistics is a portion of the overall data
mining process, as explained in this data mining vs. statistics article.

Additionally, both data mining and machine learning fall under the general heading of data
science, and though they have some similarities, each process works with data in a different way.
If you want to know more about their relationship, read up on data mining vs. machine learning.

Data mining is sometimes called Knowledge Discovery in Data, or KDD.

Data Mining History

For millennia, people have excavated places to find hidden mysteries. "Knowledge discovery in
databases" refers to the act of sifting through data to uncover hidden relationships and forecast
future trends. In the 1990s, the phrase "data mining" was invented. Data mining emerged from
the convergence of three scientific disciplines: artificial intelligence, machine learning, and
statistics.

Artificial intelligence is the human-like intelligence demonstrated by software and machines,
machine learning is the term used to describe algorithms that can learn from data to create
predictions, and statistics is the numerical study of data correlations.

Data mining takes advantage of big data's infinite possibilities and inexpensive processing
power. Processing power and speed have grown significantly in the recent decade, allowing the
globe to undertake rapid, easy, and automated data analysis.

Data Mining Steps

When asking “what is data mining,” let’s break it down into the steps data scientists and analysts
take when tackling a data mining project.

1. Understand Business

What is the company’s current situation, the project’s objectives, and what defines success?

2. Understand the Data

Figure out what kind of data is needed to solve the issue, and then collect it from the proper
sources.

3. Prepare the Data

Resolve data quality problems like duplicate, missing, or corrupted data, then prepare the data in
a format suitable to resolve the business problem.

4. Model the Data

Employ algorithms to ascertain data patterns. Data scientists create, test, and evaluate the model.

5. Evaluate the Data

Decide whether, and how effectively, the results delivered by a particular model will help meet the
business goal or remedy the problem. Sometimes there’s an iterative phase for finding the best
algorithm, especially if the data scientists don’t get it quite right the first time. There may be
some shopping around among data mining algorithms.

6. Deploy the Solution

Give the results of the project to the people in charge of making decisions.

Challenges of Implementation in Data Mining

Because data handling technology is always improving, leaders confront additional obstacles in
addition to scalability and automation, as mentioned below:

- Distributed Data

Real-world data saved on several platforms, such as databases, individual systems, or the
Internet, cannot be transferred to a centralized repository. Regional offices may have their own
servers to store data, but storing data from all offices centrally will be impossible. As a result,
tools and algorithms for mining dispersed data must be created for data mining.

- Complex Data

It takes a long time and money to process big amounts of complicated data. Data in the real
world comes in structured, unstructured, semi-structured, and heterogeneous forms, including
multimedia such as photos, music, video, natural language text, time series, and so on,
making it challenging to extract essential information from many sources in LANs and WANs.

- Domain Knowledge

It is simpler to dig out information with domain expertise, without which collecting useful
information from data might be tough.

7. What is an expert system? What is the purpose of an expert system? What are the main
components of an expert system? Give two examples of expert systems.

What is an expert system?

An expert system is a computer program that uses artificial intelligence (AI) technologies to
simulate the judgment and behavior of a human or an organization that has expertise and
experience in a particular field.

Expert systems are usually intended to complement, not replace, human experts.

The concept of expert systems was developed in the 1970s by computer scientist Edward
Feigenbaum, a computer science professor at Stanford University and founder of Stanford's
Knowledge Systems Laboratory. The world was moving from data processing to "knowledge
processing," Feigenbaum said in a 1988 manuscript. That meant computers had the potential to
do more than basic calculations and were capable of solving complex problems thanks to new
processor technology and computer architectures, he explained.

How does an expert system work?

Modern expert knowledge systems use machine learning and artificial intelligence to simulate
the behavior or judgment of domain experts. These systems can improve their performance over
time as they gain more experience, just as humans do.

Expert systems accumulate experience and facts in a knowledge base and integrate them with an
inference or rules engine -- a set of rules for applying the knowledge base to situations provided
to the program.

The inference engine uses one of two methods for acquiring information from the knowledge
base:

1. Forward chaining reads and processes a set of facts to make a logical prediction about
what will happen next. An example of forward chaining would be making predictions
about the movement of the stock market.
2. Backward chaining reads and processes a set of facts to reach a logical conclusion about
why something happened. An example of backward chaining would be examining a set
of symptoms to reach a medical diagnosis.

An expert system relies on having a good knowledge base. Experts add information to the
knowledge base, and nonexperts use the system to solve complex problems that would usually
require a human expert.

The process of building and maintaining an expert system is called knowledge engineering.
Knowledge engineers ensure that expert systems have all the necessary information to solve a
problem. They use various knowledge representation methodologies, such as symbolic patterns,
to do this. The system's capabilities can be enhanced by expanding the knowledge base or
creating new sets of rules.

What are the components of an expert system?

There are three main components of an expert system:

- The knowledge base. This is where the information the expert system draws upon is
stored. Human experts provide facts about the expert system's particular domain or
subject area, and these facts are organized in the knowledge base. The knowledge base
often contains a knowledge acquisition module that enables the system to gather
knowledge from external sources and store it in the knowledge base.
- The inference engine. This part of the system pulls relevant information from the
knowledge base to solve a user's problem. It is a rules-based system that maps known
information from the knowledge base to a set of rules and makes decisions based on
those inputs. Inference engines often include an explanation module that shows users
how the system came to its conclusion.

- The user interface. This is the part of the expert system that end users interact with to get an
answer to their question or problem.
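To make the three components concrete, here is a minimal rule-based inference engine with both chaining modes and an explanation trace, written as an added example for this page (it is not code from the assignment or from any expert-system product). The alert-triage rules and the observed facts are constructed for illustration; forward chaining derives every conclusion the facts support, while backward chaining proves one goal and records only the rules it needed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    """IF every antecedent fact holds THEN conclude the consequent fact."""
    name: str
    antecedents: frozenset
    consequent: str


@dataclass
class ExpertSystem:
    rules: list                                 # the rule part of the knowledge base
    facts: set = field(default_factory=set)     # the fact part of the knowledge base
    trace: list = field(default_factory=list)   # explanation module: why each fact was concluded

    def forward_chain(self):
        """Data-driven reasoning: fire any rule whose antecedents are all known,
        and repeat until no new fact can be derived."""
        changed = True
        while changed:
            changed = False
            for rule in self.rules:
                if rule.consequent not in self.facts and rule.antecedents <= self.facts:
                    self._conclude(rule)
                    changed = True
        return set(self.facts)

    def backward_chain(self, goal, _visited=None):
        """Goal-driven reasoning: a goal holds if it is a known fact, or if some
        rule concludes it and every antecedent of that rule can itself be proved."""
        visited = set() if _visited is None else _visited
        if goal in self.facts:
            return True
        if goal in visited:  # goal is already being proved higher up: avoid looping on cyclic rules
            return False
        visited.add(goal)
        for rule in self.rules:
            if rule.consequent == goal and all(
                self.backward_chain(a, visited) for a in rule.antecedents
            ):
                self._conclude(rule)
                return True
        return False

    def _conclude(self, rule):
        self.facts.add(rule.consequent)
        self.trace.append(
            f"{rule.name}: {' AND '.join(sorted(rule.antecedents))} => {rule.consequent}"
        )


def triage_rules():
    """Constructed alert-triage knowledge base (illustrative; not from any real product)."""
    return [
        Rule("R1", frozenset({"failed_logins_spike", "many_source_ips"}),
             "credential_stuffing_suspected"),
        Rule("R2", frozenset({"credential_stuffing_suspected", "success_after_failures"}),
             "account_compromise_likely"),
        Rule("R3", frozenset({"login_from_new_country", "mfa_not_completed"}),
             "account_compromise_likely"),
        Rule("R4", frozenset({"account_compromise_likely"}), "escalate_to_ir"),
    ]


def triage_forward(observed):
    """Forward chaining over observed facts: returns (all facts now known, explanation trace)."""
    es = ExpertSystem(triage_rules(), set(observed))
    return es.forward_chain(), list(es.trace)


def triage_backward(observed, goal):
    """Backward chaining towards one goal: returns (whether goal is provable, explanation trace)."""
    es = ExpertSystem(triage_rules(), set(observed))
    return es.backward_chain(goal), list(es.trace)


if __name__ == "__main__":
    observed = {"failed_logins_spike", "many_source_ips", "success_after_failures"}
    facts, why = triage_forward(observed)
    print("forward chaining derived:", sorted(facts - observed))
    print("\n".join(why))
    proved, why = triage_backward(observed, "escalate_to_ir")
    print("backward chaining proved escalate_to_ir:", proved)
    print("\n".join(why))
```

The trace is what the page calls the explanation module: an analyst can read back exactly which observed facts and which rules led to the "escalate" conclusion.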

8. What is knowledge management? Why is knowledge management critical for today’s
organization?

What is Knowledge Management, and what is it about?

Knowledge Management is a set of tools, procedures, methods, practices, and desired behaviors
that help an organization to be more productive. It is a discipline promoting an integrated
approach to identifying, capturing, evaluating, retrieving, and sharing all of an enterprise’s
information assets. The assets may include databases, procedures, documents, policies and
previously un-captured expertise and experience in individual workers.

For organizations, Knowledge Management is known as Knowledge Driven Business
Management, where Knowledge Management facilitates the use of knowledge sharing methods
to promote learning and innovation across the organization.

Knowledge Management is often focused on how to capture knowledge. It’s about how you can
take a nugget or an insight, then communicate it in a way that intrigues people and makes them
interested to learn more. How do you package it in a way that doesn’t destroy all of the emotion or
context? The best way is to increase the use of multimedia internally and to make much more
use of connections to social media, so that you’re only one click away from a
conversation.

Knowledge Management has a lot to do with the way that we behave and work, the culture
which we establish, support and nurture – or even come up against as organization leaders. In
some cases, you may need to confront or defy a “not invented here” culture, to support and make
it safe for people to share the experiences of their failures as well as their successes. Knowledge
management embraces all of this: processes, behaviors, learning, technologies, and networks.
This is what makes it an interesting and steadily evolving discipline.

The benefits of proper Knowledge Management for your business

Every organization can benefit greatly from its people sharing, innovating, reusing,
collaborating and learning. This makes it a good idea to boost knowledge
management by implementing proper knowledge management techniques in your business so
you can take full advantage of the benefits:

Improve the decision-making process

By obtaining access to the knowledge of the entire organization, employees can advance the
quality and speed of decision-making. When making decisions, enterprise collaboration tools
facilitate the access to opinions and experiences of different people with diverse viewpoints and
judgements, which may contribute new and fresh perspectives to the choices made.

Increase customer satisfaction

Knowledge sharing and cross-collaboration help to increase the value presented to customers.
The organization can give faster answers or shorten the time it takes to improve a product or
service.

Promote innovation and cultural change

Knowledge Management enables and encourages the sharing of ideas, collaboration and access
to the latest information. It also allows individuals to stimulate innovation and the cultural
changes needed to evolve the organization and meet changing business needs.

Speed up access to knowledge and information

Knowledge Management simplifies the operation of finding the information you need, or the
people who hold it. It increases effectiveness and productivity and allows you to work better,
reducing the tendency to reinvent the wheel.

Avoid redundant effort

No one likes spending their time doing something over and over again. However, people do so
all the time for many reasons. Avoiding effort duplication can save you a lot of time and money;
it keeps employees motivated, and streamlines work too. So, by not spending time reinventing
the wheel, you can have more time on your hands to invent something new.

9. Technology is the backbone of any management information system implementation.
Explain the different technologies that are used to implement a management information
system.

Now that we have explored the different components of information systems, we need to turn our
attention to the role that information systems play in an organization. So far we have looked at
what the components of an information system are, but what do these components actually do for
an organization? From our definitions above, we see that these components collect, store,
organize, and distribute data throughout the organization. In fact, we might say that one of the
roles of information systems is to take data and turn it into information, and then transform that
into organizational knowledge. As technology has developed, this role has evolved into the
backbone of the organization. To get a full appreciation of the role information systems play, we
will review how they have changed over the years.

10. What are information system development life cycles we follow to develop an
information system? What are the main activities in each phase of system development?

The system development life cycle (SDLC) is an iterative, structured, and multistep process that
is used by teams to create high-quality information systems. It involves the activities of planning,
analysis, designing, building, testing, deploying, and maintaining a system that meets or exceeds
client expectations.

SDLC has been around since the 1960s—a time when teams were more centralized. As the
information technology sphere continues to evolve, the SDLC has been changed to keep up with
the ever-changing demands in system development.

Importance of the SDLC

Having a system development life cycle is essential as it serves as a platform to transform an
idea into a functional and fully-operational system. In addition to covering the technical aspects
of an IT system’s development, the SDLC also encompasses certain activities such as user
experience, security regulation compliance, procedure development, policy development, and
change management.

Another key reason why teams need to leverage an SDLC is that it is important for them to plan ahead
of time and examine the structured goals and stages of a specific project.

It’s worth noting that goal-oriented processes do not adhere to a one-size-fits-all methodology.
Instead, they are highly responsive to user needs and continuously adapt—the main reason why
teams require a well-defined plan to improve the quality of the system at each phase of the life
cycle.

Software vs. System Development Life Cycle

Oftentimes, the system development life cycle is confused with the software development life
cycle. Although they share many similarities, the development of systems is more robust and
complex in terms of its overall framework.

Given the method’s complexity, there are various methodologies out there to help you manage
and control the entire process. These methodologies may be agile, waterfall, iterative, and so on.

Phases of the SDLC

1. Planning

In the first phase, the team determines whether or not there’s a need for a new system to reach
the strategic objectives of a business. This is a feasibility study or preliminary plan for the
company to acquire any resources necessary to improve a service or build on specific
infrastructure.

The main purpose of this step is to identify the scope of the problem and come up with different
solutions. Some of the things to consider here include costs, benefits, time, resources, and so on.
This is the most crucial step because it sets the tone for the project’s overall success. Thorough
research is required before moving forward to the next stage.

2. Analysis

The second SDLC phase is where teams will work on the root of their problem or need for a
change. In case there’s a problem to solve, possible solutions are submitted and analyzed to
figure out the best fit for the project’s ultimate goal or goals. It’s where teams consider the
functional requirements of the solution.

Systems analysis is key in figuring out what a business's needs are. It also helps point out how
those needs can be met, who will be responsible for certain parts of the project, and the timeline
that should be expected.

3. Design

Phase 3 defines the necessary specifications, operations, and features that will satisfy all
functional requirements of the proposed system. It’s where end users can discuss and identify
their specific business information needs for the application. During this phase, users will
consider the important components, networking capabilities, and procedures to accomplish the
project’s primary objectives.

4. Development

Real work officially begins in the fourth phase. This is the part when a network engineer,
software developer, and/or programmer are brought on to conduct major work on the system.
This includes ensuring the system process is organized properly through a flow chart. Many
consider this the most robust SDLC stage as all the labor-intensive tasks are accomplished here.
Phase 4 represents the real beginning of software production and hardware installation (if
necessary).

5. Testing & Integration

In the fifth phase, systems integration and testing are carried out by Quality Assurance (QA)
professionals. They will be responsible for determining if the proposed design reaches the initial
business goals set by the company. It’s possible for testing to be repeated, specifically to check
for bugs, interoperability, and errors.

Testing will be conducted until the end-user finds it acceptable according to standards. Another
part of this stage is validation and verification—and both are done to help ensure the successful
completion of the project.

6. Implementation

Phase 6 begins when a huge part of the program code is completed. This phase also involves the
actual installation of the newly-developed application. The project is put into production by
moving all components and data from the old system and putting them in a new one through a
direct cutover.

This move is considered complex and uncertain but the risk is minimized substantially as the
cutover often takes place during off-peak hours. Both end-users and system analysts should see a
refined project with all necessary changes implemented at this time.

7. Maintenance

In the seventh and final phase, end users can fine-tune the completed system as necessary if they
want to improve performance. Through maintenance efforts, the team can add new capabilities
and features and meet new requirements set by the client.

This stage ensures the system stays usable and relevant by regularly replacing outdated
hardware, inspecting performance, improving software, and implementing new updates so all
standards are met. This also equips the system with the latest technologies to face new and
stronger cyber security threats.

Following the system development life cycle is crucial each time a new project or phase of a
software project is released. Doing so gives teams a systematic approach that in turn enables
them to come up with new solutions to existing issues in a standardized and controlled manner.

How the SDLC will cover and satisfy overall requirements should be determined before
embarking on a new project so you can achieve the best results. Once that step is done, you can
select the right SDLC methodology or a hybrid of models that is perfectly suited to your main
project requirements and expected end result.

11. What is a database? Why do we need to maintain a database in an organization?

A database is an organized collection of data, stored and accessed electronically. Databases are
used to store and manage large amounts of structured and unstructured data, and they can be
used to support a wide range of activities, including data storage, data analysis, and data
management. There are many different types of databases, including relational databases, object-
oriented databases, and NoSQL databases, and they can be used in a variety of settings, including
business, scientific, and government organizations.

What Are Databases Used For?

Databases are used to store and manage large amounts of structured and unstructured data, and
they can be used to support a wide range of activities, including data storage, data analysis, and
data management. They are used in a variety of settings, including business, scientific, and
government organizations.

Some examples of how databases are used include storing customer information in a customer
relationship management (CRM) system, storing financial transactions in an accounting system,
storing inventory and orders in an e-commerce system, storing patient records in a healthcare
system, and storing student records in an educational institution.

In each of these cases, the database is used to store and organize data in a structured manner,
allowing multiple users to access and update the data simultaneously and ensuring the integrity
and security of the data. The database also provides tools for data analysis and decision-making
and allows for the creation of reports and other outputs based on the data.

What Is Structured Query Language (SQL)?

Structured Query Language (SQL) is a programming language designed for managing and
manipulating data stored in relational database management systems (RDBMS). It is used to
create, modify, and delete database objects such as tables, indices, and users; to manipulate data
in the database by inserting, updating, and deleting records; and to query the database to retrieve
specific data or generate reports. It is widely used in the development of web-based applications,
and it is supported by most RDBMSs, including MySQL, Oracle, and Microsoft SQL Server.

History and Evolution of Databases

The concept of a database can be traced back to the early 1960s, when computer scientists began
working on ways to store and organize large amounts of data in a structured manner. One of the
first examples of a database was created by IBM in the 1960s for the U.S. Census Bureau, and it
was used to store and process data from the 1960 U.S. Census.

In the 1970s, the relational database model was introduced, which organized data into tables that
could be related to one another through the use of keys. This model became the basis for many of
the database management systems (DBMS) that are in use today.

In the 1980s and 1990s, the rise of personal computers and the development of client-server
architectures led to the widespread use of databases in businesses and other organizations. In the
2000s, the growth of the internet and the proliferation of web-based applications led to the
development of new types of databases, such as NoSQL databases, which are designed to
support the storage and management of large amounts of unstructured data.

Today, databases are an integral part of many modern systems, and they play a vital role in a
wide range of applications, including financial systems, customer relationship management,
inventory management, and more.

What’s the Difference Between a Database and a Spreadsheet?

A database and a spreadsheet are both tools for storing and organizing data, but they have some
key differences. A database provides more powerful and sophisticated tools for manipulating
data than a spreadsheet, such as the ability to create complex queries and update and delete data
in a controlled manner. However, a spreadsheet is better suited for simple calculations and data
entry. While a database is generally better suited for storing and managing large amounts of data
that need to be accessed by multiple users simultaneously, a spreadsheet is more suitable for
storing small amounts of data that are used primarily by a single user.

Types of Databases

There are several different types of databases, including:

 Relational databases: These databases store data in the form of tables, with rows
representing records and columns representing fields. Relationships between data can be
established using keys.
 Object-oriented databases: These databases store data in the form of objects, which are
self-contained units of data and functionality. Object-oriented databases are designed to
support the storage and management of complex, interrelated data.
 NoSQL databases: These databases are designed to support the storage and management
of large amounts of unstructured data. They do not use the traditional table-based
structure of relational databases, and they often support horizontal scaling, which allows
them to handle very large amounts of data and high levels of concurrency.

Database Architecture

Database architecture refers to the overall design and structure of a database system, including
the hardware and software components that make up the system, the way the data is organized
and stored, and the ways in which the data can be accessed and manipulated. There are several
different types of database architectures, including:

 Centralized database architecture
 Distributed database architecture
 Client-server database architecture
 Cloud database architecture

The choice of database architecture depends on the needs of the organization, including the
amount and type of data being stored, the number of users who need to access the data, and the
performance and scalability requirements of the system.

12. What is information security? Why is information security a hot issue at present?

What is Information Security (InfoSec)?

Information security (sometimes referred to as InfoSec) covers the tools and processes that
organizations use to protect information. This includes policy settings that prevent unauthorized
people from accessing business or personal information. InfoSec is a growing and evolving field
that covers a wide range of areas, from network and infrastructure security to testing and
auditing.

Information security protects sensitive information from unauthorized activities, including
inspection, modification, recording, and any disruption or destruction. The goal is to ensure the
safety and privacy of critical data such as customer account details, financial data or intellectual
property.

The consequences of security incidents include theft of private information, data tampering, and
data deletion. Attacks can disrupt work processes and damage a company’s reputation, and also
have a tangible cost.

Organizations must allocate funds for security and ensure that they are ready to detect, respond
to, and proactively prevent, attacks such as phishing, malware, viruses, malicious insiders, and
ransomware.


What are the 3 Principles of Information Security?

The basic tenets of information security are confidentiality, integrity and availability. Every
element of the information security program must be designed to implement one or more of these
principles. Together they are called the CIA Triad.

Confidentiality

Confidentiality measures are designed to prevent unauthorized disclosure of information. The
purpose of the confidentiality principle is to keep personal information private and to ensure that
it is visible and accessible only to those individuals who own it or need it to perform their
organizational functions.

Integrity

Integrity includes protection against unauthorized changes (additions, deletions, alterations,
etc.) to data. The principle of integrity ensures that data is accurate and reliable and is not
modified incorrectly, whether accidentally or maliciously.

Availability

Availability is the protection of a system’s ability to make software systems and data fully
available when a user needs it (or at a specified time). The purpose of availability is to make the
technology infrastructure, the applications and the data available when they are needed for an
organizational process or for an organization’s customers.

13. Mention some common human-related security threats. Why are employees the main
source of information security threats?


14. Mention some common software-related security threats. What kind of consequences do
they bring to the organization?

What are Cyber Security Threats?

Cybersecurity threats are acts performed by individuals with harmful intent, whose goal is to
steal data, cause damage to or disrupt computing systems. Common categories of cyber threats
include malware, social engineering, man in the middle (MitM) attacks, denial of service (DoS),
and injection attacks—we describe each of these categories in more detail below.

Cyber threats can originate from a variety of sources, from hostile nation states and terrorist
groups, to individual hackers, to trusted individuals like employees or contractors, who abuse
their privileges to perform malicious acts.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:

 Nation states—hostile countries can launch cyber attacks against local companies and
institutions, aiming to interfere with communications, cause disorder, and inflict damage.
 Terrorist organizations—terrorists conduct cyber attacks aimed at destroying or abusing
critical infrastructure, threaten national security, disrupt economies, and cause bodily
harm to citizens.
 Criminal groups—organized groups of hackers aim to break into computing systems for
economic benefit. These groups use phishing, spam, spyware and malware for extortion,
theft of private information, and online scams.
 Hackers—individual hackers target organizations using a variety of attack techniques.
They are usually motivated by personal gain, revenge, financial gain, or political activity.
Hackers often develop new threats, to advance their criminal ability and improve their
personal standing in the hacker community.
 Malicious insiders—an employee who has legitimate access to company assets, and
abuses their privileges to steal information or damage computing systems for economic
or personal gain. Insiders may be employees, contractors, suppliers, or partners of the
target organization. They can also be outsiders who have compromised a privileged
account and are impersonating its owner.

Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses, worms, trojans,
spyware, and ransomware, and is the most common type of cyberattack. Malware infiltrates a
system, usually via a link on an untrusted website or email or an unwanted software download. It
deploys on the target system, collects sensitive data, manipulates and blocks access to network
components, and may destroy data or shut down the system altogether.

Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the application runs, the
malicious code executes.
 Worms—malware that exploits software vulnerabilities and backdoors to gain access to
an operating system. Once installed in the network, the worm can carry out attacks such
as distributed denial of service (DDoS).
 Trojans—malicious code or software that poses as an innocent program, hiding in apps,
games or email attachments. An unsuspecting user downloads the trojan, allowing it to
gain control of their device.
 Ransomware—a user or organization is denied access to their own systems or data via
encryption. The attacker typically demands a ransom be paid in exchange for a
decryption key to restore access, but there is no guarantee that paying the ransom will
actually restore full access or functionality.
 Cryptojacking—attackers deploy software on a victim’s device, and begin using their
computing resources to generate cryptocurrency, without their knowledge. Affected
systems can become slow and cryptojacking kits can affect system stability.
 Spyware—a malicious actor gains access to an unsuspecting user’s data, including
sensitive information such as passwords and payment details. Spyware can affect desktop
browsers, mobile phones and desktop applications.
 Adware—a user’s browsing activity is tracked to determine behavior patterns and
interests, allowing advertisers to send the user targeted advertising. Adware is related to
spyware but does not involve installing software on the user’s device and is not
necessarily used for malicious purposes, but it can be used without the user’s consent and
compromise their privacy.
 Fileless malware—no software is installed on the operating system. Native files like
WMI and PowerShell are edited to enable malicious functions. This stealthy form of
attack is difficult to detect (antivirus can’t identify it), because the compromised files are
recognized as legitimate.
 Rootkits—software is injected into applications, firmware, operating system kernels or
hypervisors, providing remote administrative access to a computer. The attacker can start
the operating system within a compromised environment, gain complete control of the
computer and deliver additional malware.

Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for malware. The victim
provides sensitive information or unwittingly installs malware on their device, because the
attacker poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually with a promise of
something attractive like a free gift card. The victim provides sensitive information such
as credentials to the attacker.
 Pretexting—similar to baiting, the attacker pressures the target into giving up information
under false pretenses. This typically involves impersonating someone with authority, for
example an IRS or police officer, whose position will compel the victim to comply.
 Phishing—the attacker sends emails pretending to come from a trusted source. Phishing
often involves sending fraudulent emails to as many users as possible, but can also be
more targeted. For example, “spear phishing” personalizes the email to target a specific
user, while “whaling” takes this a step further by targeting high-value individuals such as
CEOs.
 Vishing (voice phishing)—the imposter uses the phone to trick the target into disclosing
sensitive data or grant access to the target system. Vishing typically targets older
individuals but can be employed against anyone.
 Smishing (SMS phishing)—the attacker uses text messages as the means of deceiving the
victim.
 Piggybacking—an authorized user provides physical access to another individual who
“piggybacks” off the user’s credentials. For example, an employee may grant access to
someone posing as a new employee who misplaced their credential card.
 Tailgating—an unauthorized individual follows an authorized user into a location, for
example by quickly slipping in through a protected door after the authorized user has
opened it. This technique is similar to piggybacking except that the person being tailgated
is unaware that they are being used by another individual.

Supply Chain Attacks

Supply chain attacks are a newer type of threat to software developers and vendors. Their purpose
is to infect legitimate applications and distribute malware via source code, build processes or
software update mechanisms.

Attackers look for insecure network protocols, server infrastructure, and coding techniques, and
use them to compromise build and update processes, modify source code and hide malicious
content.

Supply chain attacks are especially severe because the applications being compromised by
attackers are signed and certified by trusted vendors. In a software supply chain attack, the
software vendor is not aware that its applications or updates are infected with malware.
Malicious code runs with the same trust and privileges as the compromised application.

Types of supply chain attacks include:

 Compromise of build tools or development pipelines
 Compromise of code signing procedures or developer accounts
 Malicious code sent as automated updates to hardware or firmware components
 Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication between two
endpoints, such as a user and an application. The attacker can eavesdrop on the communication,
steal sensitive data, and impersonate each party participating in the communication.

Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a legitimate
actor, such as a business, that users may connect to. The fraudulent Wi-Fi allows the
attacker to monitor the activity of connected users and intercept data such as payment
card details and login credentials.
 Email hijacking—an attacker spoofs the email address of a legitimate organization, such
as a bank, and uses it to trick users into giving up sensitive information or transferring
money to the attacker. The user follows instructions they think come from the bank but
are actually from the attacker.
 DNS spoofing—a Domain Name System (DNS) response is spoofed, directing a user to a
malicious website posing as a legitimate site. The attacker may divert traffic from the
legitimate site or steal the user’s credentials.
 IP spoofing—an internet protocol (IP) address connects users to a specific website. An
attacker can spoof an IP address to pose as a website and deceive users into thinking they
are interacting with that website.
 HTTPS spoofing—HTTPS is generally considered the more secure version of HTTP, but
can also be used to trick the browser into thinking that a malicious website is safe. The
attacker uses “HTTPS” in the URL to conceal the malicious nature of the website.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume of traffic,
hindering the ability of the system to function normally. An attack involving multiple devices is
known as a distributed denial-of-service (DDoS) attack.

DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear legitimate to
overwhelm an application or web server. This technique does not require high bandwidth
or malformed packets, and typically tries to force a target system to allocate as many
resources as possible for each request.
 SYN flood DDoS—initiating a Transmission Control Protocol (TCP) connection
sequence involves sending a SYN request that the host must respond to with a SYN-ACK
that acknowledges the request, and then the requester must respond with an ACK.
Attackers can exploit this sequence, tying up server resources, by sending SYN requests
but not responding to the SYN-ACKs from the host.
 UDP flood DDoS—a remote host is flooded with User Datagram Protocol (UDP) packets
sent to random ports. This technique forces the host to search for applications on the
affected ports and respond with “Destination Unreachable” packets, which uses up the
host resources.
 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the target,
consuming both inbound and outgoing bandwidth. The servers may try to respond to each
request with an ICMP Echo Reply packet, but cannot keep up with the rate of requests, so
the system slows down.
 NTP amplification—Network Time Protocol (NTP) servers are accessible to the public
and can be exploited by an attacker to send large volumes of UDP traffic to a targeted
server. This is considered an amplification attack due to the query-to-response ratio of
1:20 to 1:200, which allows an attacker to exploit open NTP servers to execute high-
volume, high-bandwidth DDoS attacks.

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious input into the
code of a web application. Successful attacks may expose sensitive information, execute a DoS
attack or compromise the entire system.

Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters an SQL query into an end user input channel, such as a
web form or comment field. A vulnerable application will send the attacker’s data to the
database, and will execute any SQL commands that have been injected into the query.
Most web applications use databases based on Structured Query Language (SQL),
making them vulnerable to SQL injection. A new variant on this attack is NoSQL attacks,
targeted against databases that do not use a relational data structure.
 Code injection—an attacker can inject code into an application if it is vulnerable. The
web server executes the malicious code as if it were part of the application.
 OS command injection—an attacker can exploit a command injection vulnerability to
input commands for the operating system to execute. This allows the attacker to exfiltrate
OS data or take over the system.
 LDAP injection—an attacker inputs characters to alter Lightweight Directory Access
Protocol (LDAP) queries. A system is vulnerable if it uses unsanitized LDAP queries.
These attacks are very severe because LDAP servers may store user accounts and
credentials for an entire organization.
 XML eXternal Entities (XXE) Injection—an attack is carried out using specially-
constructed XML documents. This differs from other attack vectors because it exploits
inherent vulnerabilities in legacy XML parsers rather than unvalidated user inputs. XML
documents can be used to traverse paths, execute code remotely and execute server-side
request forgery (SSRF).
 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing malicious
JavaScript. The target’s browser executes the code, enabling the attacker to redirect users
to a malicious website or steal session cookies to hijack a user’s session. An application
is vulnerable to XSS if it doesn’t sanitize user inputs to remove JavaScript code.
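As an added illustration of the SQL injection item above (not part of the original assignment text), the following Python script builds a throwaway in-memory SQLite table and runs the same user lookup two ways: the vulnerable string-built query and the parameterized form an application should use. The table, the user rows and the function names are constructed for this demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The injectable pattern: the untrusted value is pasted into the SQL text,
    so the database engine cannot tell data apart from code."""
    query = (
        "SELECT username, email FROM users "
        f"WHERE username = '{username}' ORDER BY username"
    )
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """The hardened pattern: the SQL text is fixed and the value travels as a
    bound parameter, so whatever it contains is compared as a literal string."""
    query = "SELECT username, email FROM users WHERE username = ? ORDER BY username"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both lookups against a fresh table and return their results."""
    conn = make_db()
    try:
        return {
            "vulnerable": find_user_vulnerable(conn, username),
            "safe": find_user_safe(conn, username),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed lookup behaves identically in both versions.
    print(compare("alice"))
    # A value that closes the quote and appends an always-true condition makes
    # the vulnerable query return every row; the safe query returns nothing,
    # because no user is literally named that.
    print(compare("nobody' OR '1'='1"))
```

A legitimate value containing a quote, such as the surname o'brien, also breaks the vulnerable query with a syntax error while the parameterized one simply returns no match.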

15. What are the common security prevention mechanisms? Explain how an information
security policy is used as a security prevention mechanism.

Types of security mechanisms are:

1. Encipherment :
This mechanism hides and covers data so that it becomes confidential. It is achieved by
applying mathematical calculations or algorithms that transform the information into an
unreadable form, using two well-known techniques, cryptography and encipherment. The
level of data protection depends on the algorithm used for encipherment.
2. Access Control :
This mechanism is used to stop unauthorized access to the data you are sending. It can
be achieved by various techniques such as applying passwords, using a firewall, or simply
adding a PIN to the data.
3. Notarization :
This mechanism involves a trusted third party in the communication. It acts as a
mediator between sender and receiver so that the chance of conflict is reduced. The
mediator keeps a record of the requests made by the sender to the receiver in case either
party later denies them.
4. Data Integrity :
This mechanism appends to the data a value that is computed from the data itself. It is
similar to sending a packet of information known to both the sending and receiving
parties, which is checked before sending and again after receipt. When the appended
value is the same on both sides, data integrity is maintained.
5. Authentication exchange :
This mechanism deals with making identities known in a communication. It is achieved
at the TCP/IP layer, where a two-way handshake is used to confirm whether the data was
sent.
6. Bit stuffing :
This mechanism adds some extra bits to the data being transmitted so that the data can
be checked at the receiving end. It is achieved with even parity or odd parity.
7. Digital Signature :
This mechanism adds digital data that is not visible to the eye. It is a form of electronic
signature that is added by the sender and checked electronically by the receiver. It is used
where the data itself is not especially confidential but the sender’s identity must be
verified.
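The following Python script is an added example (not from the assignment or its sources) contrasting two of the mechanisms listed above: the parity bit of item 6 and the appended integrity value of item 4, here computed as an HMAC-SHA256 tag over the message with a shared key. The message, the shared key and the flipped bit positions are constructed for the demonstration; a digital signature (item 7) would use an asymmetric key pair instead and is not shown.

```python
import hashlib
import hmac

# Constructed demo key; a real deployment loads it from a secrets store.
SHARED_KEY = b"demo-shared-key-not-for-production"


def parity_bit(data: bytes) -> int:
    """Even parity over the whole message: 1 if the number of set bits is odd,
    so that message plus parity bit always has an even count."""
    ones = sum(bin(b).count("1") for b in data)
    return ones & 1


def parity_ok(data: bytes, bit: int) -> bool:
    """Receiver-side parity check."""
    return parity_bit(data) == bit


def mac_tag(data: bytes, key: bytes = SHARED_KEY) -> bytes:
    """The appended integrity value: HMAC-SHA256 over the data with a key that
    only sender and receiver know, so a third party cannot recompute it."""
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(data: bytes, tag: bytes, key: bytes = SHARED_KEY) -> bool:
    """Receiver-side check; compare_digest avoids leaking the tag via timing."""
    return hmac.compare_digest(mac_tag(data, key), tag)


def flip_bits(data: bytes, positions) -> bytes:
    """Return a copy of data with the given bit positions inverted
    (simulates line noise or deliberate tampering)."""
    out = bytearray(data)
    for pos in positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def run_checks(message: bytes) -> dict:
    """Protect one message with both mechanisms, then verify the clean copy,
    a single-bit error, a two-bit error and a wholly forged message."""
    bit = parity_bit(message)
    tag = mac_tag(message)
    one_flip = flip_bits(message, [5])
    two_flips = flip_bits(message, [5, 13])
    forged = b"PAY 9000 TO MALLORY"  # constructed replacement message
    return {
        "clean_parity": parity_ok(message, bit),
        "clean_mac": mac_ok(message, tag),
        # A single flipped bit changes the parity, so parity catches it.
        "one_flip_parity": parity_ok(one_flip, bit),
        "one_flip_mac": mac_ok(one_flip, tag),
        # Two flipped bits leave the parity unchanged: parity misses it,
        # which is why parity detects accidents but not tampering.
        "two_flips_parity": parity_ok(two_flips, bit),
        "two_flips_mac": mac_ok(two_flips, tag),
        # Without the key, an attacker cannot produce a matching tag.
        "forged_mac": mac_ok(forged, tag),
    }


if __name__ == "__main__":
    for name, result in run_checks(b"PAY 100 TO ALICE").items():
        print(f"{name:18} {'accepted' if result else 'REJECTED'}")
```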
