
Management Information System: .Santhiya.,M.Sc Assistant Professor

The document provides an overview of Management Information Systems (MIS), detailing their role in business, the components involved, and the various types of information systems such as Transaction Processing Systems (TPS), Decision Support Systems (DSS), and Executive Support Systems (ESS). It explains the processes of input, processing, output, and feedback within information systems, emphasizing their importance in decision-making and operational efficiency. Additionally, it discusses the relationship between different systems and the significance of hardware, software, and database management systems in supporting organizational goals.

Uploaded by

prabaka0007
Copyright
© All Rights Reserved

MANAGEMENT INFORMATION SYSTEM

S.Santhiya.,M.Sc

Assistant professor

DEPARTMENT OF BUSINESS ADMINISTRATION

MEENAAKSHI RAMASAMY ARTS AND SCIENCE COLLEGE

M.R.KALVI NAGAR, THATHANUR,

UDAYARPALAYAM (TK), ARIYALUR (DT),

PIN CODE:621 804.

Part-1

Management Information system

● Study of how people use technology and manage information


● Include both hardware and software used to store, process and retrieve
information.
● Role of information and decision support system in business.
● To introduce fundamental principles of computer-based information system
analysis.

IT Trends:
Information technology (IT) consists of all the hardware and software that a
firm needs to use in order to achieve its business objectives. This includes not only
computer machines, storage devices, and handheld mobile devices, but also
software, such as the Windows or Linux operating systems, the Microsoft Office
desktop productivity suite, and the many thousands of computer programs that can
be found in a typical large firm. “Information systems” are more complex and can
best be understood by looking at them from both a technology and a business
perspective.
Information system:
An information system can be defined technically as a set of interrelated
components that collect (or retrieve), process, store, and distribute information to
support decision making and control in an organization. In addition to supporting
decision making, coordination, and control, information systems may also help
managers and workers analyze problems, visualize complex subjects, and create
new products.
Information systems contain information about significant people, places,
and things within the organization or in the environment surrounding it. By
information we mean data that have been shaped into a form that is meaningful and
useful to human beings. Data, in contrast, are streams of raw facts representing
events occurring in organizations or the physical environment before they have been
organized and arranged into a form that people can understand and use.
A brief example contrasting information and data may prove useful. Supermarket
checkout counters scan millions of pieces of data from bar codes, which describe
each product. Such pieces of data can be totaled and analyzed to provide meaningful
information, such as the total number of bottles of dish detergent sold at a particular
store, which brands of dish detergent were selling the most rapidly at that store or
sales territory, or the total amount spent on that brand of dish detergent at that store
or sales region (see Figure 1).
Three activities in an information system produce the information that
organizations need to make decisions, control operations, analyze problems, and
create new products or services.
These activities are input, processing, and output (see Figure 2). Input captures or
collects raw data from within the organization or from its external environment.

FIGURE-1 Information system

Processing converts this raw input into a meaningful form. Output transfers the
processed information to the people who will use it or to the activities for which it
will be used. Information systems also require feedback, which is output that is
returned to appropriate members of the organization to help them evaluate or correct
the input stage.
For example, in Disney World’s systems for controlling crowds, the raw input
consists of data from airline bookings and hotel reservations, satellite weather data,
historic attendance data for the date being analyzed, and images of crowds from
video cameras stationed at key locations throughout the park. Computers store these
data and process them to calculate projected total attendance for a specific date as
well as attendance figures and wait times for each ride and restaurant at various times
during the day.

FIGURE-2 Information system

The systems indicate which rides or attractions are too overcrowded, which have
spare capacity, and which can add capacity. The system provides meaningful
information such as the number of raw data from a supermarket checkout counter
can be processed and organized to produce meaningful information, such as the total
unit sales of dish detergent or the total sales revenue from dish detergent for a
specific store or sales territory. An information system contains information about
an organization and its surrounding environment.
Three basic activities—input, processing, and output—produce the information
organizations need. Feedback is output returned to appropriate people or activities
in the organization to evaluate and refine the input. Environmental actors like
customers, suppliers, competitors, stockholders, and regulatory agencies interact
with the organization and its information systems.

Information system-concepts:
An IS is a powerful tool that can bring many different functions together. By
connecting system components, it enables IT departments to collect, store and
process information in an efficient way and distribute it for a variety of purposes.
The system can also produce reporting in different formats and to a variety of
devices. Reports can include text files, spreadsheets, graphics and complex data
visualizations. This comprehensive platform streamlines internal operations and
allows businesses to access data quickly and accurately.

The basic process an IS follows includes the following steps:


● Input: The system collects data and information from various sources,
such as sensors, keyboards, scanners or databases.
● Processing: The system transforms the raw data into meaningful
information by applying various operations, such as sorting,
classifying, calculating, analyzing or synthesizing.
● Storage: The system stores the processed information in a structured
and secure way, such as in a database, a file system or in cloud storage.
● Output: The system presents the information to the users in a usable
format, such as reports, graphs, charts or dashboards.
● Feedback: The system collects feedback from users and other
stakeholders to evaluate its performance and improve its design and
functionality.

The effectiveness of an IS depends on its alignment with the organization's
goals, reliability, security and usability.

Characteristics of IS:

Classification of IS:
• Transaction Processing System (TPS)
• Decision-Support System (DSS)
• Management Information System (MIS)
• Executive Support System (ESS).

FIGURE-3 The four major types of information systems

Transaction processing systems (TPS):


Transaction processing systems (TPS) are the basic business systems that serve the
operational level of the organization.
A transaction processing system is a computerized system that performs and records
the daily routine transactions necessary to conduct business.

Examples are sales order entry, hotel reservation systems, payroll, employee record
keeping, and shipping.
At the operational level, tasks, resources, and goals are predefined and highly
structured.
The decision to grant credit to a customer, for instance, is made by a lower-level
supervisor according to predefined criteria.
All that must be determined is whether the customer meets the criteria.

Figure-4 depicts a payroll TPS, which is a typical accounting transaction
processing system found in most firms. A payroll system keeps track of the money
paid to employees.
The master file is composed of discrete pieces of information (such as a
name, address, or employee number) called data elements.
Data are keyed into the system, updating the data elements. The elements on the
master file are combined in different ways to make up reports of interest to
management and government agencies and to send paychecks to employees.
These TPS can generate other report combinations of existing data
elements.
FIGURE- 4 A symbolic representation for a payroll TPS

Other typical TPS applications are identified in Figure 5. The figure shows
that there are five functional categories of TPS: sales/marketing,
manufacturing/production, finance/accounting, human resources, and other types of
TPS that are unique to a particular industry. The United Parcel Service (UPS)
package tracking system described in Chapter 1 is an example of a manufacturing
TPS. UPS sells package delivery services; the TPS system keeps track of all of its
package shipment transactions.
FIGURE-5 Typical applications of TPS

Management information system (MIS):


We define management information systems as the study of information
systems in business and management. The term management information systems
(MIS) also designates a specific category of information systems serving
management-level functions.
Management information systems (MIS) serve the management level of the
organization, providing managers with reports and often online access to the
organization’s current performance and historical records.

Typically, MIS are oriented almost exclusively to internal, not environmental
or external, events. MIS primarily serve the functions of planning, controlling, and
decision making at the management level.
Generally, they depend on underlying transaction processing systems for
their data. MIS summarizes and reports on the company’s basic operations.
The basic transaction data from TPS are compressed and are usually presented
in long reports that are produced on a regular schedule.
Figure-6 shows how a typical MIS transforms transaction level data from
inventory, production, and accounting into MIS files that are used to provide
managers with reports.
FIGURE-6 How management information systems obtain their data from
the organization’s TPS

FIGURE-7 A sample MIS report

This report showing summarized annual sales data was produced by the MIS in
Figure -7. MIS usually serve managers primarily interested in weekly, monthly, and
yearly results, although some MIS enable managers to drill down to see daily or
hourly data if required. MIS generally provides answers to routine questions that
have been specified in advance and have a predefined procedure for answering them.
For instance, MIS reports might list the total pounds of lettuce used this quarter by
a fast-food chain or, as illustrated in Figure-7, compare total annual sales figures for
specific products to planned targets. These systems are generally not flexible and
have little analytical capability. Most MIS use simple routines such as summaries
and comparisons, as opposed to sophisticated mathematical models or statistical
techniques.

Decision support system (DSS):


Decision-support systems (DSS) also serve the management level of the
organization. DSS help managers make decisions that are unique, rapidly changing,
and not easily specified in advance. They address problems where the procedure for
arriving at a solution may not be fully predefined in advance. Although DSS use
internal information from TPS and MIS, they often bring in information from
external sources, such as current stock prices or product prices of competitors.

Clearly, by design, DSS has more analytical power than other systems. They
use a variety of models to analyze data, or they condense large amounts of data into
a form in which they can be analyzed by decision makers. DSS are designed so that
users can work with them directly; these systems explicitly include user-friendly
software. DSS are interactive; the user can change assumptions, ask new questions,
and include new data.

An interesting, small, but powerful DSS is the voyage-estimating system of a
subsidiary of a large American metals company that exists primarily to carry bulk
cargoes of coal, oil, ores, and finished products for its parent company. The firm
owns some vessels, charters others, and bids for shipping contracts in the open
market to carry general cargo. A voyage-estimating system calculates financial and
technical voyage details. Financial calculations include ship/time costs (fuel, labor,
capital), freight rates for various types of cargo, and port expenses. Technical details
include a myriad of factors, such as ship cargo capacity, speed, port distances, fuel
and water consumption, and loading patterns (location of cargo for different ports).

The system can answer questions such as the following: Given a customer
delivery schedule and an offered freight rate, which vessel should be assigned at
what rate to maximize profits? What is the optimal speed at which a particular vessel
can optimize its profit and still meet its delivery schedule? What is the optimal
loading pattern for a ship bound for the U.S. West Coast from Malaysia? Figure-6
illustrates the DSS built for this company. The system operates on a powerful
desktop personal computer, providing a system of menus that makes it easy for users
to enter data or obtain information.

FIGURE-8 Voyage-estimating decision-support system
This voyage-estimating DSS draws heavily on analytical models.
Other types of DSS are less model-driven, focusing instead on extracting useful
information to support decision making from massive quantities of data.
For example, Intrawest—the largest ski operator in North America—collects
and stores vast amounts of customer data from its Web site, call center, lodging
reservations, ski schools, and ski equipment rental stores.
It uses special software to analyze these data to determine the value, revenue
potential, and loyalty of each customer so managers can make better decisions on
how to target their marketing programs.
The system segments customers into seven categories based on needs, attitudes,
and behaviors, ranging from “passionate experts” to “value-minded family
vacationers.”
The company then e-mails video clips that would appeal to each segment to
encourage more visits to its resorts.

Executive support system:
Senior managers use executive support systems (ESS) to help them make
decisions. ESS serves the strategic level of the organization. They address nonroutine
decisions requiring judgment, evaluation, and insight because there is no agreed-on
procedure for arriving at a solution.

ESS are designed to incorporate data about external events, such as new tax laws
or competitors, but they also draw summarized information from internal MIS and
DSS. They filter, compress, and track critical data, displaying the data of greatest
importance to senior managers. For example, the CEO of Liner Health Products, the
largest manufacturer of private-label vitamins and supplements in the United States,
has an ESS that provides on his desktop a minute-to-minute view of the firm’s
financial performance as measured by working capital, accounts receivable,
accounts payable, cash flow, and inventory.

ESS employs the most advanced graphics software and can present graphs and data
from many sources. Often the information is delivered to senior executives through
a portal, which uses a Web interface to present integrated personalized business
content from a variety of sources.

Unlike the other types of information systems, ESS are not designed primarily to
solve specific problems. Instead, ESS provides a generalized computing and
communications capacity that can be applied to a changing array of problems.
Although many DSS are designed to be highly analytical, ESS tend to make less use
of analytical models.

It consists of workstations with menus, interactive graphics, and communications
capabilities that can be used to access historical and competitive data from internal
corporate systems and external databases such as Dow Jones News/Retrieval or
Standard & Poor’s. Because ESS are designed to be used by senior managers who
often have little, if any, direct contact or experience with computer-based
information systems, they incorporate easy-to-use graphic interfaces.

FIGURE-9 Model of a typical executive support system

This system pools data from diverse internal and external sources and makes them
available to executives in an easy-to-use form.

Relationship of Systems to One Another:

Figure-10 illustrates how the systems serving different levels in the organization
are related to one another.
TPS are typically a major source of data for other systems, whereas ESS are
primarily a recipient of data from lower-level systems.
The other types of systems may exchange data with each other as well.
Data may also be exchanged among systems serving different functional areas.

For example, an order captured by a sales system may be transmitted to a
manufacturing system as a transaction for producing or delivering the product
specified in the order or to a MIS for financial reporting.

FIGURE-10 Interrelationships among systems

The various types of systems in the organization have interdependencies. TPS are
major producers of information that is required by the other systems, which, in turn,
produce information for other systems. These different types of systems have been
loosely coupled in most organizations.

Components of IS:
Computer hardware:
Users interact with hardware and command it to perform specific tasks.
Physical equipment used for input, processing and output activities in
an information system.
Computer hardware includes the physical parts of a computer, such as
the case, central processing unit (CPU), random access memory (RAM),
monitor, mouse, keyboard, computer data storage, graphics card, sound
card, speakers and motherboard.

Computer software:
● Computer instructions or data, anything that can be stored
electronically is called software
● Programmed instructions that control and coordinate the computer
hardware components in an information system.
● Software depends upon hardware and hardware also depends upon
software.
➢ System software example: MS Windows, Android, Linux,
Interpreter, Compiler, Assembler, Antivirus, etc.
➢ Software example: MS Word, MySQL, VLC, Adobe Photoshop,
Google Chrome, Microsoft Edge, etc.

Database management system:


A database management system (abbreviated as DBMS) is defined as a
computerized solution that helps store information in a manner that is
easy to read, edit, delete, and scale, with the primary objective of
drawing correlations, powering analysis, and supporting data-driven
workflows.

Interface between end-user
Provides high level of security
Large database maintenance
storage space and cost Duplication
and redundancy.

DBMS Types:
Relational database management system:
Stores data in separate tables consisting of rows and columns. All tables are linked
using data relationships.
Object-oriented database management system:
Stores data in the form of objects and offers high data control when
connecting the DBMS with other business applications.
Hierarchical database management system:
Organizes data into a hierarchical structure, with each level representing a
different category of information.
Network database management system:
Stores, retrieves and manages data within a networked environment. It ensures data
is consistent across network-connected devices.

DBMS Example: MySQL, MariaDB, PostgreSQL, Microsoft SQL Server, Oracle
Database and Microsoft Access.

Advantages:
● Minimum data redundancy
● Improved data security
● Lower updating errors
● Improved data access using host and query language.

Disadvantages:
● Many individuals using the same application simultaneously lead to
data loss.
● Software and hardware are expensive.

Internet technologies:

● Internet: an interconnected network of millions of computers connected
around the world via telephone lines or wireless medium of
communication.
● 1960s: creation of ARPANET (Advanced Research Projects Agency
Network) by the U.S. Department of Defense.
● ARPANET used packet switching to allow multiple computers to
communicate in a single network.
● Transmission Control Protocol/Internet Protocol (TCP/IP) is the international
internet protocol suite.
● Communicate with each other across distance
● Fastest type of internet currently available with gigabit speeds.
Figure -11 Optical fibers

● Fiber is truly the fastest, most reliable and high-tech internet around.
● The invention of fiber optic cables made a revolutionary impact on
internet technology worldwide. Instant messaging,
communication via electronic mail, voice over internet protocol
(VoIP), telephone calls, and video calls were made possible at the
beginning of the 21st century.
● Fiber optic: up to 10 Gbps (a data transfer rate of up to 10 billion bits
per second).
● Copper cable: 25-300 Mbps (a data transfer rate of up to
300 million bits per second).

Advantages of internet:
● Online banking and transactions
● Education, online jobs, freelancing
● Entertainment
● New job roles
● Best communication medium
● Comfort to humans
● GPS tracking and Google Maps
● E-commerce
● Abundant information
● Communication forums.
Disadvantages of internet:
● Time wastage
● Bad impact on health
● Cyber crimes
● Effects on children
● Internet addiction disorder
● Social alienation
● Spam
● Virus/malware.

Trends in network computing:
5G and Wi-Fi 6 technology
5G is the fifth generation of mobile network technology that promises
faster speeds, lower latency, higher capacity, and more reliability than
previous generations.
It also enables new applications and services such as cloud computing,
edge computing, Internet of Things (IoT), and augmented reality.
However, 5G is not the end of the road. Researchers and developers are
already working on 6G and beyond, which aim to achieve terabit-level
data rates, sub-millisecond latency, massive connectivity, and intelligent
network management.
Artificial Intelligence (AI) and Machine Learning (ML)
AI and ML may solve complex network and business issues in real time.
A wide range of application cases is covered, including anything from
tiny towns to industrial plants to government agencies. ML and AI can
produce predictions based on network data, and these predictions may
be used to execute intelligent actions.
Self-operating networks will be a possible wonder to advanced analytics
in automation systems.
Cloud computing
Cloud allows a faster transition to remote work and helps to organize the
remote workplace more efficiently, which contributes to business
continuity during any crisis. Multi-cloud policy management maintains
consistent network and security policies across multiple clouds.
Internet of things
IoT is all about connecting the unconnected. The majority of objects are
unconnected; however, with IoT, devices are acquiring capabilities to
communicate and connect with other devices and people, changing the
way we work.

Data security
Usability and integrity of the network is crucial to security. Effective
network security manages network access effectively and stops a
variety of threats entering or spreading within the network.
DevOps
DevOps is tied to software development and IT. DevOps improves the
relationship between network service designers and engineers to make
operational changes to the services.
Intent-based networking
This approach bridges the gap between business and IT. Business intent
is captured and continuously aligned to end-to-end networks related to
application service levels, security policies, compliance, operational
and business processes.
Virtual segmentation of IoT devices from the remaining network will be
one of the major tasks for networking teams.
The creation of secure zones called microsegments will allow IoT
devices to operate on the same corporate network and reduce the risks to
other parts of the network.

Messaging and collaboration:


• Instant messaging is real-time mutual communication between persons via
the internet. This is a private chat.
• Once the recipient is online, you can start sending messages to him/her.
• Unlike emails, where you have to wait for the reply from the recipient,
collaboration uses instant messaging techniques.
• This also supports the usage of add-on features like smileys or emoticons
with the text message.
• Examples of instant messaging applications include Facebook, WeChat,
Twitter, LinkedIn, etc.
• Collaboration occurs when two or more people work together to achieve
common goals and results.
Types of collaboration:
○ Team collaboration
○ Community collaboration
○ Network collaboration
○ Cloud collaboration
○ Video collaboration
○ Internal collaboration
○ External collaboration
○ Strategic collaboration.

SMAC (Social, Mobile, Analytics and Cloud)


This concept covers four technologies currently driving business innovation.
● Social: Twitter, Facebook, Instagram, YouTube and Snapchat provide
businesses with new ways to reach, interact with, target and acquire
customers.
● Mobile: iPhone and iPad are changing the way people communicate, shop
and work; new models and new services are offered to customers.
● Analytics: processing power and storage decreased, analytics became
the priority of top companies. The open source project Apache Hadoop
ushered in a new era of analytics called big data.
● Cloud: Cloud computing gives businesses a quick and flexible way to access
important data. Infrastructure, platform and services, e.g. Amazon Web
Services.

UNIT - 2
Organizational Application
MIS software is used to track sales, inventory, equipment and related business
information. In the past, these applications ran on mainframe computers. However, as
computing systems evolved, organizations began to run MIS software on client-server
systems.

Functional information system:


The information systems that perform or support the completion of these tasks are often
referred to as Functional management information systems, or transaction processing
systems. In fact financial transactions typically come to mind when you think of
Functional management information systems because many Functional management
information systems focus on the routine, repetitive financial transactions that are an
important part of the basic activities of most business enterprises.
However, Functional management information systems include more than the financial
transactions of an organization. Functional management information systems record,
process, and report all routine and repetitive activities of organizations. These activities
occur not only in accounting and finance but also in human resources, production, and
marketing. Just go through the following table.
Functional information system
1. Accounting and Financial Information Systems
2. Marketing Information Systems
3. Production information systems
4. Human resource management information systems.
The Nature of Functional management Information Systems:
Functional management information systems primarily produce routine, repetitive,
descriptive, expected, and objective data that describe past activities. The information
they produce is usually detailed, highly structured, accurate, derived from internal
sources, and produced regularly. To some, these systems may appear to represent pure
drudgery for employees who must complete them. However, the application of
information system technology to Functional management information systems has
reduced this drudgery to a great extent and provided managers with a number of major
advantages.
Management Advantages
Automating Functional management information systems usually increases the
efficiency of these systems; they typically run faster and require fewer personnel and
other business resources than manual systems. Organizations that automate
Functional management information systems usually receive several benefits for their
efforts:
· Reduced Cost
· Increased Speed
· Increased Accuracy
· Increased Customer Service
· Increased Data for Decision Making

I. Accounting and Financial Information Systems:

Typically, the first applications that organizations computerize are Functional
management-level financial accounting systems. Functional management financial
accounting information systems are typically task oriented. They focus on processing
financial transactions to produce the routine, repetitive information outputs that every
organization finds necessary. These outputs include paychecks, checks to vendors,
customer invoices, purchase orders, stock reports, and other regular forms and reports.
Financial Accounting Systems
The heart of an organization’s Functional management financial information system is
its financial accounting system. A computerized financial accounting system is
composed of a series of software modules or subsystems that may be used separately
or in an integrated fashion. The system modules typically include
· General ledger
· Fixed assets
· Sales order processing
· Accounts receivable
· Accounts payable
· Inventory control
· Purchase order processing
· Payroll
When these computerized financial accounting systems are integrated, each system
receives data as input from some systems and provides information as output to other
systems.
Components of Finance and Accounting Systems :
General Ledger System provides managers with periodic accounting reports and
statements such as the income statement and balance sheet.
Fixed Assets System maintains records of equipment, property, and other long-term
assets that an organization owns. The records include the original cost of the assets,
their depreciation rates, the accumulated depreciation to date, and the book value of the
assets, or the original cost less accumulated depreciation.
Sales Order Processing System or order-entry system, routinely records sales orders
and also provides data to other systems that fill those orders, maintain inventory levels,
and bill the customer. This system provides sales tax data to the general ledger system for
posting to taxing agency accounts, stock data to the inventory system for updating
inventory balances, and sales data to the accounts receivable system for posting to
customer accounts.
Accounts Receivables System allows you to enter, update, and delete customer
information such as sales made on account, credit terms, cash payments received,
credit memorandums, and account balances. Inputs to the accounts receivable system
include sales invoices, credit memorandums, and cash received from customers.
Typical outputs of this system are monthly customer statements of account and a
schedule of accounts receivable listing each account and its balance.
Accounts Payable System processes much the same routine, repetitive information as
the accounts receivable system, except that in this case the information is about the
organization’s creditors rather than about its customers.
Inventory Control System provides input to the general ledger system and receives
input from the purchase order and the sales order systems. The basic purpose of the
system is to
keep track of inventory levels and inventory costs. The system maintains information
about each stock item, such as stock numbers and stock descriptions, receipts and
issues of stock,
stock damage, and stock balances.
Purchase Order Processing System processes purchase orders and tracks which
purchase orders have been filled, which stock items ordered are on backorder, which
stock items have been damaged or do not meet the specifications of the original order,
and which orders are still on order and when those orders are expected to arrive. The
purchase order system provides information to the accounts payable and inventory
systems. The system produces a variety of reports, including a list of all stock on
backorder and an open-order report that lists
all purchase orders not yet received and their expected arrival dates.
Payroll System processes wage and salary information such as payments to
employees; deductions from employee paychecks; and payments to federal, state, and
other taxing agencies for taxes used. The payroll system produces such reports as the
weekly payroll summary report, overtime reports, forms for taxing agencies such as
wage and tax statements (Forms W-2), payroll checks, and checks for payroll taxes
owed to taxing agencies.

II. Marketing Information Systems:


The marketing function occurs in all organizations, including profit and not-for-profit,
manufacturing, agricultural, financial, educational, and service organizations. The basic
goal of the marketing function in any organization is to satisfy the needs and wants of its
customers. To achieve that goal, marketing personnel engage in activities such as
planning and developing new products; advertising, promoting, selling, storing, and
distributing goods and services; providing financing and credit to customers; and
conducting market research.
Functional marketing information systems include systems such as sales systems,
advertising systems, sales promotion systems, warehousing systems, and pricing
systems. The systems collect data that describe marketing operations, process those
data, and make marketing information available to marketing managers to help them
make decisions.
Computer information systems have been widely applied to Functional
management-level marketing tasks. Information technology has increased the
productivity of sales people; helped firms manage customers better, locate prospective
customers, customize marketing efforts to specific groups and individuals, and reduce
costs; and vastly widened the reach of many organizations in terms of the geographic
territory they serve.
Computer technology applied to Functional management-level marketing systems also
captures data useful for tactical and strategic decisions.

Components of marketing information Systems

Sales Force Automation Systems are designed to increase the productivity of
salespeople. Bread-and-butter sales activities usually include identifying potential or
prospective customers, contacting customers, calling on customers, making sales
pitches, closing the sale, and following up on sales. Typically, automating a sales force
involves equipping salespeople with notebook computers and software to support their
activities.
Prospect information systems: Locating potential customers is often a time-consuming
and frustrating part of the salesperson’s work. The sources of information used to
obtain sales leads are diverse and may include other customers, other vendors who sell
supporting or ancillary products, newspaper notices, telephone directories, and
customer inquiries. Searching directories and other customer lists may take a lot of
time and yield few actual customers.
Contact management systems: Provide information to the sales force pertaining to
customers, their product or service preferences, sales history data, and a historical
record of sales calls and/or visits. One output of these systems may be a call report
showing the number of sales calls made by a salesperson categorized by size of
organization, previous sales, or some other characteristic, and the number or amount of
sales made per customer, per visit, and/or per category.

Other sales force automation systems: May also provide support for many other routine,
repetitive salesperson activities, for example, travel expense reports, appointment
calendars,
telephone and address rolodexes, sales letter creation and distribution, e-mail, and fax.
Internet access may also be provided so that salespeople can keep current on business
news
at any hour, especially news about the industry, competitors, and customers.
Micromarketing and Data Warehouse Systems: Pitching sales or advertising
campaigns to very narrowly defined customer targets is called micromarketing.
Computer systems have made micromarketing possible. They can be used to identify
and target specific customers or prospects from large databases.
Telemarketing systems: Usually include support for the automatic dialing of parties
and/or delivering voice messages to the answering party under the control of a
computer system.
Some systems allow you to make notes about the calls, to generate follow-up letters,
and to view a customer file while a call to that customer is in progress.
Direct Mail Advertising Systems: Many organizations generate sales by mailing sales
brochures and catalogs directly to customers using direct mail advertising systems. To
distribute sales documents rapidly to large numbers of potential customers, most
marketing departments maintain customer mailing lists that are used for mass mailings.
The lists may be drawn from customer files; accounts receivable records; prospect files;
commercial databases of households, businesses, and organizations; or they can be
purchased from other firms.
Point of Sale System: These systems provide immediate updates to sales and inventory
systems and allow firms to monitor sales trends minute by minute. They also allow firms
to capture customer data and preferences and add the information to their data
warehouses.
Delivery Tracking and Routing Systems: Customers like to receive their merchandise
on time. In a manual system, customers called in to a customer representative to check
on the delivery of their merchandise. The customer rep would then have to call the
delivery vehicle driver who uses a cell phone to tell the rep where he or she is and how
soon the merchandise might be delivered. That process took time, frequently frustrated
the customer, and cost the firm money to support.
Electronic Shopping and Advertising: Firms have been able to advertise and
customers to shop via TV, radio, and the telephone for many years. The computer age,
however, has made other avenues for shopping and advertising available, the most
dramatic of which is clearly the Internet.

Virtual shopping: When people view, select, and purchase products and services from
a store in another location using electronic means, they are virtually shopping at that
store.
Virtual shopping, or electronic shopping, allows organizations to present information
about goods and services to potential customers who are connected to their electronic
“store.” Selecting and buying goods using an electronic kiosk (described in the next
section), from an organization’s Internet site, and from a “virtual mall” of Internet Web
“stores” are all examples of virtual or electronic shopping.

III. Production Information Systems:

Production information systems are diverse; they include continuous flow
production, mass production, job order production, and project production. In addition,
Functional management production systems include the production of services as well
as hard goods. The purpose of the production system is to acquire the raw materials
and purchased parts; test the materials for quality; acquire the appropriate human
resources, work space, and equipment; schedule the materials, human resources,
space, and equipment; fabricate the products or services; test the product or service
outputs; and monitor and control the use and costs of the resources involved.
Numerous Functional management information systems support the production
function. Some are part of the financial accounting system of an organization.

Components of Production information Systems


Purchasing Systems: To produce goods and services, you must have the right
quantity of raw materials and production supplies on hand. Furthermore, you will want to
procure these
materials and supplies at the lowest cost and have them delivered at the right time. To
assist in this function, the purchasing system has to maintain data on all phases of the
acquisition
of raw materials and purchased parts used in production.
Receiving Systems: When shipments of purchased goods and supplies are received,
they must usually be opened, inspected, and verified against purchase orders, and the
information about their status passed to the accounts payable, inventory, and production
departments. Delivery dates should also be noted for several reasons, including
collecting data on the delivery-time reliability of suppliers. This type of information is
supplied by receiving systems.
Quality Control Systems provide information about the status of production goods as
they move from the raw materials state, through goods in process, to finished goods.
Quality control systems ensure that raw materials or parts purchased for use in the
production processes meet the standards set for those materials. The systems also
monitor quality during the production cycle.
Shipping Systems: At the other end of the production process, finished goods are
placed in inventory and/or shipped to customers. Many records and documents are
used to assist in and monitor the inventorying and shipping processes, for example,
shipping reports and packing slips. The information from the shipping system affects
the inventory and accounts receivable systems.
Cost Accounting Systems: Many Functional management-level financial accounting
systems collect and report information about the resources that are used in the
production processes so that managers can obtain accurate costs of production on
products and services. Cost accounting systems monitor the three major resources
used in production: human resources, materials, and equipment and facilities.
Materials management systems provide information on current inventory levels of
production materials, use of these materials in the production processes and their
locations, and specifications of how these materials are employed in products. The
latter system is usually called a bill-of-materials (BOM) system. A bill-of-materials
system produces a list of the raw materials, subassemblies, and component parts
needed to complete each product. It provides, in essence, a list of ingredients for the
end product.
Inventory Control System: Maintaining inventories at their proper levels eliminates
production shutdowns from lack of raw materials and lost sales from lack of finished
goods.
However, maintaining inventories also represents a number of costs to the organization,
including the costs of procuring and carrying the inventory, and stock out costs, or those
costs that result when the right amount of the right item is not on hand at the right time.
Automated Material Handling Systems track, control, and otherwise support the
movement of raw materials, work in process and finished goods from the receiving
docks to the shipping docks.
Computer Aided Design and Manufacturing Systems help product engineers
design new products and improve old products.
Image Management Systems are designed to manage the storage and retrieval of
engineering and architectural drawings using optical disk storage media.
Material Selection Systems aid in choosing the materials for the product under design.
Shop-Floor Scheduling Systems help in scheduling production jobs. The tasks include
scheduling the time, building and rooms, tools and equipment, inventory, and personnel
to
complete factory orders.
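The bill-of-materials and inventory descriptions above can be made concrete with a short added example (not part of the original notes). It explodes a multi-level BOM into raw-material requirements and compares them with stock on hand; the product structure, quantities, and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: each assembly maps to its direct components
# as (component, quantity needed per one unit of the assembly).
BOM = {
    "bicycle": [("frame", 1), ("wheel", 2), ("bolt", 8)],
    "wheel": [("rim", 1), ("spoke", 32), ("tire", 1)],
    "frame": [("steel_tube", 4), ("bolt", 6)],
}

# Constructed sample data: current inventory levels of raw materials.
ON_HAND = {"bolt": 100, "rim": 10, "spoke": 500, "tire": 25, "steel_tube": 30}


def explode(item, quantity, bom=BOM, _path=()):
    """Return total raw-material needs for `quantity` units of `item`.

    Subassemblies are expanded recursively; items with no BOM entry are
    treated as raw materials or purchased parts. A circular product
    structure is rejected instead of recursing forever.
    """
    if item in _path:
        raise ValueError("circular BOM: " + " -> ".join(_path + (item,)))
    if item not in bom:
        return {item: quantity}
    totals = defaultdict(int)
    for component, per_unit in bom[item]:
        needs = explode(component, quantity * per_unit, bom, _path + (item,))
        for leaf, qty in needs.items():
            totals[leaf] += qty
    return dict(totals)


def shortages(requirements, on_hand=ON_HAND):
    """Return the quantity still to be purchased for each short item."""
    return {
        item: need - on_hand.get(item, 0)
        for item, need in requirements.items()
        if need > on_hand.get(item, 0)
    }


if __name__ == "__main__":
    needs = explode("bicycle", 10)
    for item in sorted(needs):
        print(f"{item:12} need {needs[item]:4}  on hand {ON_HAND.get(item, 0):4}")
    print("to purchase:", shortages(needs))
```

The shortage list is the kind of output a materials management system would hand to the purchasing system.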

IV. Human Resource Information Systems:
Human resource departments are responsible for many facets of human resource
management, including recruiting, assessment, selection, placement, training,
performance appraisal, compensation and benefit management, promotion, termination,
occupational health and safety, employee services, compliance with legal constraints,
helping managers with human resource problems, and providing top management with
information for strategic planning.
Human Resource Information Systems provide managers with data to support the
routine, repetitive human resource decisions that occur regularly in the management of
organization’s human resources. There are many Functional management level human
resource information systems including systems that help managers keep track of the
organization’s positions and employees, conduct performance evaluation, provide
alternative or flexible scheduling, recruit new employees, place employees, train
employees, relocate employees, terminate employees, provide employment benefits
and provide reports
to governmental agencies.

Components of human resource information

Position Control Systems identify each position in the organisation, the job title in
which the position is classified, and the employee currently assigned to the position.
Reference to the position control systems allows a human resource manager to identify
the details about unfilled positions.
Employee Information Systems is a set of employee profile records, or employee
inventory. An employee profile usually contains personal and organization-related
information, such as name, address, sex, minority status, marital status, citizenship,
years of service or seniority data, education and training, previous experience,
employment history within the organization, salary rate, salary or wage grade, and
recruitment and health plan choices.
Employee Skills Inventory contains information about every employee’s work
experience, work preferences, test scores, interests, and special skills or proficiencies.
Performance Management Systems: Many organizations review the work of
employees on a regular basis to make decisions regarding merit pay, pay increases,
transfer or promotion.
Typically, a new employee is evaluated at the end of the first six months of employment,
and other employees are evaluated annually. These reviews are often called
performance appraisals. The data for performance appraisals are frequently collected
by asking each employee’s immediate superior to complete an employee appraisal
form. The form may also be given to peers, the employees themselves, and even
customers or clients.
Government Reporting Systems: Data secured from the payroll, position control,
employee profiles, performance management, and other human resource information
systems can be used to produce reports required by myriad governmental laws and
regulations, including affirmative action and equal employment opportunity laws and
regulations.
Applicant Selection and Placement Systems: After jobs and the employee
requirements for those jobs have been identified and after a pool of suitable job
candidates has been recruited, candidates must be screened, evaluated, selected, and
placed in the positions that are open. The primary purpose of the applicant selection
and placement system is to assist the human resources staff in these tasks.
Training Systems: A great deal of software is available today that provides on-line
training for employees, including management training software, sales training
software, microcomputer training software, and word processing software.

Decision support systems (DSS):


Decision support systems (DSS) are interactive software-based systems intended to
help managers in decision-making by accessing large volumes of information generated
from various related information systems involved in organizational business processes,
such as office automation systems, transaction processing systems, etc.
A DSS uses summary information, exceptions, patterns, and trends, applying
analytical models. A decision support system helps in decision-making but does not
necessarily give a decision itself. The decision makers compile useful information from
raw data, documents, personal knowledge, and/or business models to identify and solve
problems and make decisions.
Characteristics of a DSS
● Support for decision-makers in semi-structured and unstructured problems.
● Support for managers at various managerial levels, ranging from top executive to line managers.
● Support for individuals and groups. Less structured problems often require the
involvement of several individuals from different departments and organization levels.
● Support for interdependent or sequential decisions.
● Support for intelligence, design, choice, and implementation.
● Support for a variety of decision processes and styles.
● DSSs are adaptive over time.

Classification of DSS
There are several ways to classify DSS. Holsapple and Whinston classify DSS as
follows:
Text Oriented DSS: It contains textually represented information that could have a
bearing on a decision. It allows documents to be electronically created, revised and
viewed as needed.
Database Oriented DSS: Database plays a major role here; it contains organized and
highly structured data.
Spreadsheet Oriented DSS: It contains information in spreadsheets that allow the user
to create, view, and modify procedural knowledge and also to instruct the system to
execute self-contained instructions. The most popular tools are Excel and Lotus 1-2-3.
Solver Oriented DSS: It is based on a solver, which is an algorithm or procedure
written for performing certain calculations and particular program types.
Rules Oriented DSS: It follows certain procedures adopted as rules. An expert system
is an example.
Compound DSS: It is built by using two or more of the five structures explained above.
Types of DSS
Following are some typical DSS:
Status Inquiry System: It helps in taking operational, management level, or
middle level management decisions, for example daily schedules of jobs to machines or
machines to operators.
Data Analysis System: It needs comparative analysis and makes use of formula
or an algorithm, for example cash flow analysis, inventory analysis etc.
Information Analysis System: In this system data is analyzed and an
information report is generated. For example, sales analysis, accounts receivable
systems, market analysis etc.
Accounting System: It keeps track of accounting and finance related information, for
example, final account, accounts receivables, accounts payables, etc. that keep track of
the major aspects of the business.
Model Based System: Simulation models or optimization models used for
decision-making are used infrequently and create general guidelines for
operation or management.
Model of Decision Support System:-

Knowledge Management System:
A knowledge management system comprises a range of practices used in an organization to
identify, create, represent, distribute, and enable adoption of insights and experience. Such
insights and experience comprise knowledge, either embodied in individuals or
embedded in organizational processes and practices.
Purpose of KMS
● Improved performance
● Competitive advantage
● Innovation
● Sharing of knowledge
● Integration
Continuous improvement by:
● Driving strategy
● Starting new lines of business
● Solving problems faster
● Developing professional skills
● Recruiting and retaining talent
Activities in Knowledge Management:
● Start with the business problem and the business value to be delivered first.
● Identify what kind of strategy to pursue to deliver this value and address the KM
problem.
● Think about the system required from a people and process point of view.
● Finally, think about what kind of technical infrastructure is required to support the
people and processes.
● Implement system and processes with appropriate change management and iterative
staged release.

Enterprise systems:
Enterprise systems, also known as enterprise resource planning
(ERP) systems, provide integrated software modules and a unified database that
personnel use to plan, manage, and control core business processes across multiple
locations. Modules of ERP systems may include finance, accounting, marketing, human
resources, production, inventory management, and distribution.
ERP is an integrated, real-time, cross-functional enterprise application, an
enterprise-wide transaction framework that supports all the internal business processes
of a company.
It supports all core business processes such as sales order processing, inventory
management and control, production and distribution planning, and finance.

ERP is very helpful in the following areas:


● Business integration and automated data update
● Linkage between all core business processes and easy flow of integration
● Flexibility in business operations and more agility to the company
● Better analysis and planning capabilities
● Critical decision-making
● Competitive advantage
● Use of latest technologies

Scope of ERP
● Finance − Financial accounting, managerial accounting, treasury management, asset
management, budget control, costing, and enterprise control.
● Logistics − Production planning, material management, plant maintenance, project
management, events management, etc.
● Human resource − Personnel management, training and development, etc.
● Supply Chain − Inventory control, purchase and order control, supplier scheduling,
planning, etc.
● Workflow − Integrate the entire organization with the flexible assignment of tasks and
responsibility to locations, position, jobs, etc.

Features of ERP
The following diagram illustrates the features of ERP
● Accommodating variety
● Seamless integration
● Resource management
● Integrated management information
● Supply chain management
● Integrated data model.

Advantages of ERP
● Reduction of lead time
● Reduction of cycle time
● Better customer satisfaction
● Increased flexibility, quality, and efficiency
● Improved information accuracy and decision-making capability
● On-time shipment
● Improved resource utilization
● Improved supplier performance
● Reduced quality costs
● Quick decision-making
● Forecasting and optimization
● Better transparency.

Disadvantages of ERP
● Expense and time in implementation
● Difficulty in integration with other systems
● Risk of implementation failure
● Difficulty in implementation change
● Risk in using one vendor.

Expert System:
An expert system is the highest form of automation of the management computing office
which allows document communication and manipulation. Decision support systems
help with problem-solving by allowing data and model manipulation. Expert systems go
beyond conventional manipulation of this kind, as they allow experts to 'teach'
computers about their fields so that the system can support more of the
decision-making process with fewer expert decision-makers.
Expert systems are one of the most cutting-edge facets of information technology. That is,
they help people in some of the most complex and least-understood human information
handling tasks, i.e. decision-making, problem-solving, diagnosis and learning. They do
this by holding a large amount of factual information on a subject area, along with lines
of reasoning employed in that field by human experts.

Expert System Components
The key components of an Expert System are as follows:
User Interface:
It contains a computerized system between the user and the machine for friendly
communication. This system provides an interface to the user in a graphical way.
Inference Engine:
It retrieves the data and determines how it is processed. It performs this task to deduce new facts
which are subsequently used to draw further conclusions. This component is regarded
as the brain of the expert system.
Knowledge Base:
This is the most important element of an expert system because it holds the expert's
knowledge of problem-solving. It is here that the expert's elicited knowledge is stored. It
contains the rules, facts and object descriptions, etc. The knowledge base is always
stored in the data with the newest expert system products. The knowledge base
information is all that is needed to understand & formulate the problem, and then solve
it.
Data Acquisition Subsystem:
The specialist has to learn the information reflected in the knowledge base. Information
acquisition software is used by a person who has problem experience to build,
incorporate or modify the base of knowledge. Potential knowledge sources include
human experts, research reports, textbooks, databases and the experience of the user
himself.
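The interplay of knowledge base and inference engine described above, as an added example that is not part of the original notes: a small forward-chaining engine that deduces new facts from rules until nothing more can be concluded, and records which rule produced each conclusion so the rationale can be explained. The rule names, facts, and purchasing scenario are constructed for illustration.

```python
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    conditions: frozenset  # facts that must all be known for the rule to fire
    conclusion: str        # fact that becomes known when it fires


# Constructed knowledge base: purchasing rules elicited from a (hypothetical) expert.
RULES = [
    Rule("R1", frozenset({"stock_below_reorder_point", "no_open_purchase_order"}),
         "raise_purchase_order"),
    Rule("R2", frozenset({"raise_purchase_order", "supplier_unreliable"}),
         "expedite_delivery"),
    Rule("R3", frozenset({"raise_purchase_order", "item_critical_to_production"}),
         "notify_production_manager"),
    Rule("R4", frozenset({"expedite_delivery", "notify_production_manager"}),
         "escalate_to_purchasing_head"),
]


def infer(facts, rules=RULES):
    """Forward chaining: fire rules until no new fact can be deduced.

    Returns (known, trace): the full set of facts, and the ordered list of
    (rule name, conclusion) pairs showing how each new fact was derived.
    """
    known = set(facts)
    trace = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.conclusion not in known and rule.conditions <= known:
                known.add(rule.conclusion)
                trace.append((rule.name, rule.conclusion))
                changed = True  # a new fact may enable rules checked earlier
    return known, trace


def explain(goal, known, trace, rules=RULES, depth=0):
    """Return indented lines stating why `goal` holds (or that it does not)."""
    by_name = {rule.name: rule for rule in rules}
    derived = {conclusion: by_name[name] for name, conclusion in trace}
    indent = "  " * depth
    if goal not in known:
        return [f"{indent}{goal}: not established"]
    if goal not in derived:
        return [f"{indent}{goal}: given fact"]
    rule = derived[goal]
    lines = [f"{indent}{goal}: concluded by {rule.name}"]
    for condition in sorted(rule.conditions):
        lines.extend(explain(condition, known, trace, rules, depth + 1))
    return lines


if __name__ == "__main__":
    # Constructed input facts for one stock item.
    start = {"stock_below_reorder_point", "no_open_purchase_order",
             "supplier_unreliable"}
    known, trace = infer(start)
    print("\n".join(explain("expedite_delivery", known, trace)))
```

Because the loop repeats until a pass adds nothing, the order in which the rules are listed does not change the final set of facts, only the order of the trace.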
Advantages of Expert System
● Expert System (ES) gives clear responses for routine actions, procedures and
activities.
● Expert System (ES) retains significant levels of the knowledge base.
● Expert System (ES) supports organizations to explain the rationale of their
decision-making.
Disadvantages of Expert System
● Expert System (ES) does not respond creatively in unusual situations as a human
expert would.
● Expert System (ES) has more technical aspects, which makes it difficult to use.
● It is a highly costly system.

RFID:
Radio frequency identification (RFID) provides a way to locate and track individual
items and collect data about them. It is the technology at the heart of the internet of
things (IoT), and has made it possible to design systems that link automatically to the
world around them and create new ways of working.

Features of RFID:
● RFID has a number of unique features that set it apart from other technologies.
Uses:
RFID systems use radio waves at several different frequencies to transfer data. In
health care and hospital settings, RFID technologies include the following applications:

● Inventory control
● Equipment tracking
● Out-of-bed detection and fall detection
● Personnel tracking
● Ensuring that patients receive the correct medications and medical devices
● Preventing the distribution of counterfeit drugs and medical devices
● Monitoring patients
● Providing data for electronic medical records systems.
Classification and types:
RFID systems can be broken down by the frequency band within which they
operate:
● low frequency
● high frequency
● ultra-high frequency

There are also two broad categories of systems:
● passive RFID
● active RFID
In the sections below we will explore the frequencies and types of RFID systems.

Low Frequency (LF) RFID


The LF band covers frequencies from 30 kHz to 300 kHz. Typically LF RFID
systems operate at 125 kHz, although there are some that operate at 134 kHz.
This frequency band provides a short read range of 10 cm, and has slower read
speed than the higher frequencies, but is not very sensitive to radio wave
interference.
LF RFID applications include access control and livestock tracking.
Standards for LF animal-tracking systems are defined in ISO 14223, and
ISO/IEC 18000-2.
The LF spectrum is not considered a truly global application because of slight
differences in frequency and power levels throughout the world.

High-Frequency (HF) RFID


The HF band ranges from 3 to 30 MHz.
Most HF RFID systems operate at 13.56 MHz with read ranges between 10 cm
and 1 cm.
HF systems experience moderate sensitivity to interference.
HF RFID is commonly used for ticketing, payment, and data transfer applications.
There are several HF RFID standards in place, such as the ISO 15693 standard
for tracking items, and the ECMA-340 and ISO/IEC 18092 standards for Near
Field Communication (NFC), a short range technology that is commonly used for
data exchange between devices.
Other HF standards include the ISO/IEC 14443 A and ISO/IEC 14443 standards
for MIFARE technology, which is used in smart cards and proximity cards, and the
JIS X 6319-4 for FeliCa, which is a smart card system commonly used in
electronic money cards.

Ultra-high frequency (UHF) RFID


The UHF frequency band covers the range from 300 MHz to 3 GHz. RAIN RFID
systems comply with the UHF Gen2 standard and use the 860 to 960 MHz band.
While there is some variance in frequency from region to region, RAIN RFID
systems in most countries operate between 900 and 915 MHz.

The read range of passive UHF systems can be as long as 12 m, and UHF RFID
has a faster data transfer rate than LF or HF.
UHF RFID is the most sensitive to interference, but many UHF product
manufacturers have found ways of designing tags, antennas, and readers to
keep performance high even in difficult environments.
Passive UHF tags are easier and cheaper to manufacture than LF and HF tags.

Active RFID Systems


In active RFID systems, tags have their own transmitter and power source. Usually, the
power source is a battery. Active tags broadcast their own signal to transmit the
information stored on their microchips.

Active RFID systems typically operate in the ultra-high frequency (UHF) band and offer
a range of up to 100 m. In general, active tags are used on large objects, such as rail
cars, big reusable containers, and other assets that need to be tracked over long
distances.

There are two main types of active tags:


● Transponders
● Beacons.

Transponders are “woken up” when they receive a radio signal from a reader, and then
power on and respond by transmitting a signal back. Because transponders do not
actively radiate radio waves until they receive a reader signal, they conserve battery life.
Beacons are often used in real-time locating systems (RTLS), in order to track the
precise location of an asset continuously. Unlike transponders, beacons are not
powered on by the reader’s signal. Instead, they emit signals at preset intervals.
Depending on the level of locating accuracy required, beacons can be set to emit
signals every few seconds, or once a day. Each beacon’s signal is received by reader
antennas that are positioned around the perimeter of the area being monitored, and
communicates the tag’s ID information and position. The wireless ecosystem for
customers is very large and growing daily, and there are use cases where Active RFID and
Passive RFID are deployed simultaneously for an additive approach to asset or sensor
management.

Passive RFID Systems


In passive RFID systems the reader and reader antenna send a radio signal to the tag.
The RFID tag then uses the transmitted signal to power on, and reflect energy back to
the reader.

Passive RFID systems can operate in the low frequency (LF), high frequency (HF) or
ultra-high frequency (UHF) radio bands. As passive system ranges are limited by the
power of the tag’s backscatter (the radio signal reflected from the tag back to the
reader), they are typically less than 10 m. Because passive tags do not require a power
source or transmitter, and only require a tag chip and antenna, they are cheaper,
smaller, and easier to manufacture than active tags.

Passive tags can be packaged in many different ways, depending on the specific RFID
application requirements. For instance, they may be mounted on a substrate, or
sandwiched between an adhesive layer and a paper label to create smart RFID labels.
Passive tags may also be embedded in a variety of devices or packages to make the
tag resistant to extreme temperatures or harsh chemicals.

UNIT- 3

SYSTEM ANALYSIS AND DESIGN


OVERVIEW OF SYSTEMS DEVELOPMENT

Whatever their scope and objectives, new information systems are an outgrowth
of a process of organizational problem solving. A new information system is built
as a solution to some type of problem or set of problems the organization perceives
it is facing. The problem may be one in which managers and employees realize
that the organization is not performing as well as expected, or it may come from
the realization that the organization should take advantage of new opportunities
to perform more successfully.

The activities that go into producing an information system solution to an
organizational problem or opportunity are called systems development. Systems
development is a structured kind of problem solving with distinct activities. These
activities consist of systems analysis, systems design, programming, testing,
conversion, and production and maintenance.

Figure 14-5 illustrates the systems development process. The systems
development activities depicted here usually take place in sequential order. But
some of the activities may need to be repeated or some may take place
simultaneously, depending on the approach to system building that is being
employed (see section 14.4).

FIGURE 14-5 The systems development process


Building a system can be broken down into six core activities.


Systems Analysis:

Systems analysis is the analysis of the problem that the organization will try to
solve with an information system. It consists of defining the problem, identifying
its causes, specifying the solution, and identifying the information requirements
that must be met by a system solution.

The systems analyst creates a road map of the existing organization and
systems, identifying the primary owners and users of data along with existing
hardware and software. The systems analyst then details the problems of existing
systems. By examining documents, work papers, and procedures; observing
system operations; and interviewing key users of the systems, the analyst can
identify the problem areas and objectives a solution would achieve. Often the
solution requires building a new information system or improving an existing one.

The systems analysis would include a feasibility study to determine
whether that solution was feasible, or achievable, from a financial, technical, and
organizational standpoint. The feasibility study would determine whether the
proposed system was a good investment, whether the technology needed for the
system was available and could be handled by the firm’s information systems
specialists, and whether the organization could handle the changes introduced by
the system.

Normally, the systems analysis process identifies several alternative
solutions that the organization can pursue. The process then assesses the
feasibility of each. A written systems proposal report describes the costs and
benefits, advantages and disadvantages of each alternative. It is up to management
to determine which mix of costs, benefits, technical features, and organizational
impacts represents the most desirable alternative.

Systems Design:

Systems analysis describes what a system should do to meet information
requirements, and systems design shows how the system will fulfill this objective.
The design of an information system is the overall plan or model for that system.
Like the blueprint of a building or house, it consists of all the specifications that
give the system its form and structure.

The systems designer details the system specifications that will deliver the
functions identified during systems analysis. These specifications should address
all of the managerial, organizational, and technological components of the system
solution. Table 14-3 lists the types of specifications that would be produced during
systems design.

TABLE DESIGN SPECIFICATION

Like houses or buildings, information systems may have many possible
designs. Each design represents a unique blend of all technical and organizational
components. What makes one design superior to others is the ease and efficiency
with which it fulfills user requirements within a specific set of technical,
organizational, financial, and time constraints.

DEVELOPMENT OF LONG RANGE PLANS OF MIS:

We need an MIS flexible enough to deal with the changing information needs of the
organisation. It should be conceived as an open system that interacts with the
business environment, with a built-in mechanism to provide the desired information
as per new requirements. Designing such an open information system is
complex; therefore planning of the MIS is necessary. The MIS plan is
concurrent with the business plan of the organisation. The development plan of the MIS
is linked with the steps of implementation in the business development plan, in the
form of a short range plan and a long range plan.
No. | Business Plan | MIS Plan
1 | Business goals and objectives. | Consistent with the business.
2 | Business plan & strategy. | Business supports to strategy in MIS.
3 | Strategic planning & decisions. | MIS itself is responsible for decision making.
4 | Management plan for the execution & development. | MIS provides system development schedule & plan execution.
5 | Operational plan for execution. | Hardware & software plan for the procurement & the implementation.

CONTENTS OF MIS PLAN OR LONG RANGE PLAN:-
The MIS plan is linked to the business plan, so it is necessary to develop the goals
and objectives for the MIS which will support the business goals. This will
consider the management philosophy, policy, constraints, business risks, and the
internal and external environment of the organisation and the business.
The MIS follows the following steps in the long range plan.

Strategy for plan achievements:


The designer has to take a number of decisions for the achievement of the goals &
objectives, such as the development approach (online, batch, real time).
a] System development: it can be operational v/s functional, accounting v/s db v/s
conventional, distributed v/s centralised, SSAD v/s OOT.
b] Resources for system development: internal v/s external, customized development.
c] Manpower composition: it considers the quality of manpower for analyst,
programmer etc.
Architecture of MIS:
It provides the sub-system structure and their I/O with links. It can also provide
the relationship and functionality.

System development schedule:


While preparing the schedule, some consideration is given to the
implementation of the system in the overall information requirement. The schedule
sets out the development steps against the timescale of execution of the system
development.

Hardware and software plan:


Hardware investment is considered from lower configuration to higher level.
The process is to match the technical decisions with the final decisions. The
selection of h/w & s/w architecture is a strategic decision. It is important to
consider the following issues:
1. The organisation's strategic plan should be the basis for the MIS strategic plan.
2. The system development should match the implementation schedule of the
business plan.
3. The choice of I.T. is a strategic decision, not a financial decision.

General model of MIS plan

i] The corporate information focuses on the current operations and the
environment position.
ii] Corporate philosophy defines the policy and guidelines which form the work
culture in the organisation.
iii] Corporate mission, goals, objectives define the long term aspects of the
system.
iv] Business risk and rewards define the trade-off between these factors to
give the clear quantitative factors.
v] Business strategy and policy focus on the key areas of the information
system.
vi] Information needs focus on the critical information as well as how we
achieve the goals and the objectives in the system.
vii] Architecture of plan focuses on the tools for the achievement.
viii] System development schedule focuses on the details of the system and
sub-systems with their linkages charted against the timescale.
ix] Organisation and execution of the plan focuses on the individual role in
the system.
x] Budget focuses on its cost investment schedule.

ASCERTAINING THE CLASS OF INFORMATION:

Organisational information:

Information Entity | Personnel Manager | Production Manager | Administration Manager | A/C Manager
Employee Attendance | n | n | n | y
Salary, Wages/Overtime | n | n | y | y
Human Resource Information | n | n | n | y

Organisational information focuses on the user at all levels in the organisation
structure. It defines the information required by a number of departments,
divisions, functions etc. It can be determined in matrix form. It can be observed
from the table that the information entity is one but its usage is different. Since
the usage of the organisational information is different at different levels for
different purposes, it is advisable to store the data in the form of a database which
will be used by the users for generating their respective information needs.

Functional information:
Functional information is defined as a set of information required by the
functional head in conducting the administration and management function. It
is purely local to that functional organisation and, by definition, it does not
have any use elsewhere except for the manager. Functional information is largely
factual, statistical and detailed in multiple dimensions. Functional information is
normally generated at equal time intervals for understanding the trends and
making comparisons against a time scale.
The functional information can be assessed on the following 3
parameters:
Work design
Responsibility
Functional objective

Work design specifies procedure, work culture etc. The functional
responsibility of individuals is used for accounting and decision making for
achieving the target and to identify the performance. Each function has its own
objective, which is derived from the corporate goals.

The functional goals and objectives must be achieved for the overall corporate
achievement. Such information can be collected from the
managers and their functional heads, who together execute the business
activities.

Knowledge information:
It shows the trend of the activity or the result against the time scale. It creates
an awareness of those aspects of the business where the manager is forced to
think, decide and act. It highlights deviations from norms or standards and also
abnormal levels. The knowledge information supports the function of middle
and top management. It is recorded in graphical format for quick grasp. For example, if
sales are declining, the trend is likely to continue; if a product is
continuously failing, the reason may be the process of manufacture.

Decision-support information:
The information doesn’t act as a direct input to decision making.
It is used in decision-support systems for model building & problem
solving, and it supports decisions in two ways: it justifies the need for a decision,
and it aids in decision making.
E.g.: the information on non-moving inventory justifies the decision on disposal
of items.
The demand forecast information aids in the decision on determining the order
quantity for orders & sales. The source of this information may be internal or
external.

Operational information:
This information is required by the operator and the lower level of
management. The main purpose of this information is fact finding and taking
such actions and decisions as will affect this operator at macro level.
The source of such information is largely internal, through transaction
processing, and the information relates to a small time span, which is mostly
the current status.

DETERMINING INFORMATION REQUIREMENT


Based on the uncertainty level, the following methods are used to handle the
uncertainty.

Low knowledge (near certainty)
It is handled by operation management by determining the needs for the
system.

Precise probabilistic knowledge (risk situation)
It is handled by middle level management, which determines the existing
system, methods of decision making & problem solving.

Not able to determine probabilistic term (very risky)
It is handled by the middle and the top level management, which is determined
through critical functions & decision making system.

High risk (Total uncertainty)
It is handled by top management, which is determined by experimentation,
modeling and sensitivity analysis.

Asking & interviewing determine the information requirement when the user
has to select one answer from a finite set of answers. A closed question should
be asked instead of an open question. "Which are the raw materials used for making
a product?" indicates a closed question; "Which are the raw materials used for a
product?" indicates an open question. The experts or the expert users are supposed
to give their best answers. This approach is called the Delphi method, where the
system designer has to check the validity separately.

The additional information required can be collected, as a minimum percentage, by
decision making and problem solving, whereas the other percentage of information is
common to the existing system.

For example: payroll, accounting system etc.


Every business organisation performs successfully on the basis of certain
critical factors which are important, while the others play a supportive role in
the functioning of the organisation. Many times a function is singularly critical to the
successful functioning of the business organisation. Experimentation would define
the methodology for handling the complex situation. Once the method is finalized,
information needs can be determined. Models are used for determining initial
needs, and they are modified and determined during the implementation stage.

DEVELOPMENT OF MIS:
When the system is complex, the development strategy is prototyping the
system. It is the process of progressively working out the information needs and the
development methodology, trying it out on a smaller scale with respect to the data
and complexity, ensuring that it specifies the needs of the user, and assessing the
problems in development. This process identifies the problem areas and inadequacies
in the prototype; the designer then takes steps to remove the inadequacies. The
prototype approach brings multiple users onto the same platform, and changing their
attitude towards a corporate goal is the managerial task of the system designer.

LIFE CYCLE:
There are many systems which have a life cycle, that is, a starting and an ending step,
which indicates that the system is very much structured and rule based. They
have 100% clarity of inputs & their resources, and a definite set of outputs in terms of
contents and formats. Such a system can be developed in a systematic manner, e.g.
accounting, payroll etc.

No. | Prototype Approach | Life Cycle Approach
1 | It refers to open system with high degree of uncertainty of information. | It refers to open system with high degree of certainty of information.
2 | The system design is unstable due to uncertainty. | The system design is stable.
3 | It is necessary to try for fixed ideas and complete information. | Here it is not necessary because it is already structured.
4 | It is necessary to find the cost, scope and application of the system. Experimentation is necessary. | Scope, cost of the system is fully determined in clear terms. Experimentation is not necessary.
5 | Information needs are not fixed. | Information needs are fixed.
6 | It is custom oriented system. | Life cycle system is universal and governed by principles & practices.

IMPLEMENTATION OF MIS:
For the successful implementation of the system, the system designer should:
i] Satisfy all the information needs of the user.
ii] Offer the services to the user.
iii] Respect the demands of the user.
iv] Not recommend the modification of the needs unless technically feasible.
v] Explain the nature of the system to the user to realise the information
requirement of the current system.
vi] Have a better decision making capability.
vii] Not expect perfect understanding from the user, as he may be the user of a
non-computerized system.
viii] Conduct a periodical user meeting on the system, where it is easier to get
the opportunity to know the ongoing difficulties of the user.
ix] Lewin’s model suggests 3 aspects in the implementation of MIS:
Unfreezing: unfreezing the organisation to make people more receptive and
interested in change.
Choosing: a course of action where the process begins & reaches the
desired level.
Refreezing: where the changes are consolidated and equilibrium is
reinforced.
PARAMETERS OF MANAGEMENT OF QUALITY IN MIS
i] Complete data of all the transactions achieves the integrity of data with respect
to the period.
ii] Valid transaction input data ensures the validity of data and in
turn assures valid information.
iii] Accuracy & precision assure that results are accurate & precisely correct
based on rules.
iv] Relevance to the user is appropriate in the quality of decision making.
v] If the information is received late, it becomes useless from the view of
decision making.
vi] Information should be complete & meaningful. It should be represented in
proper format with references.

ORGANISATION FOR DEVELOPMENT OF MIS:


Organisation development consists of the following issues:
i] Whether the function should be handled as a centralised or decentralised
activity. This can be resolved by assessing the information resources in the
organisation, i.e. information system management in a centralised manner and
information resource management in a decentralised manner.
ii] The allocation of h/w & s/w resources is made available depending upon the
functional resources. In a decentralised setup the allocation of h/w is a
centralised decision but the data processing is the user’s responsibility.
iii] The maintenance of service at an appropriate level is needed.
iv] Fitting the organisation of MIS into the corporate organisation, its culture &
management philosophy is an important issue in the organisation.

MIS- THE FACTORS CONTRIBUTING TO SUCCESS:

MIS should have adequate development resources for the organisation.

i] An appropriate information processing technology is required to meet the
data processing & analysis needs of the users.
ii] MIS should be defined & designed in terms of the user’s requirements, and
the operational feasibility should be ensured.
iv] MIS should be an open system in nature, so that it can be modified as per
the information needs.
v] MIS should focus on the results and the goals and highlight the factors &
reasons for non-achievement.
vi] MIS should collect the complete information to avoid noise in the
information.
vii] MIS must consider the factors in the management process according to
human behaviour.
viii] MIS should be easy to operate & user friendly.
ix] MIS should concentrate on all the levels of information needs.

MIS-FACTORS CONTRIBUTING TO THE FAILURE:

i] MIS is conceived as data processing, not as information processing.
ii] MIS doesn’t provide the managerial information.
iii] Underestimating the complexity in the business system and not recognising it.
iv] Adequate attention is not given to the quality control aspects of inputs,
process and output.
v] MIS is developed without streamlining the transaction processing in the
organisation.
vi] MIS does not meet certain critical factors for data processing.
vii] Administrative indiscipline, wrong coding & deviation in system
specification also cause failure.
viii] MIS does not give perfect information.
STRUCTURE SYSTEM PROCESS REQUIREMENTS:
NORMALIZATIONS DATABASE:
Database Normalization is a process and it should be carried out for
every database you design. It takes a database design and applies a
set of formal criteria and rules, which are called Normal Forms.

The database normalization process is further categorized into the following
types:

• First Normal Form (1 NF)
• Second Normal Form (2 NF)
• Third Normal Form (3 NF)
• Boyce Codd Normal Form or Fourth Normal Form (BCNF or 4 NF)
• Fifth Normal Form (5 NF)
• Sixth Normal Form (6 NF)

One of the driving forces behind database normalization is to streamline data by
reducing redundant data. Redundancy of data means there are multiple copies of
the same information spread over multiple locations in the same database.

Normal Forms
This article is an effort to provide fundamental details of database
normalization.
The concept of normalization is a vast subject and the scope of this article is to
provide enough information to be able to understand the first three forms of
database normalization.

1. First Normal Form (1 NF)
2. Second Normal Form (2 NF)
3. Third Normal Form (3 NF)
A database is considered to be in third normal form if it meets the requirements of the
first 3 normal forms.

First Normal Form (1NF):


The first normal form requires that a table satisfies the following conditions:

Rows are not ordered
Columns are not ordered
There is duplicated data
Row-and-column intersections always have a unique value
All columns are “regular” with no hidden values

In the following example, the first table clearly violates the 1 NF. It contains
more than one value for the Dept column. What we might do then is go back
to the original way and instead start adding new columns: Dept1, Dept2, and
so on. This is what’s called a repeating group, and there should be no repeating
groups. In order to bring this to First Normal Form, split the table into two
tables. Let’s take the department data out of the table and put it in the dept table.
This has a one-to-many relationship to the employee table.

Let’s take a look at the employee table:


Now, after normalization, the normalized tables Dept and Employee look like
below:

Second Normal Form and Third Normal Form are all about the relationship
between the columns that are the keys and the other columns that aren’t the key
columns.

Second Normal Form (2NF):


An entity is in a second normal form if all of its attributes depend on the whole
primary key. So this means that the values in the different columns have a
dependency on the other columns.

The table must already be in 1 NF, and all non-key columns of the table must
depend on the PRIMARY KEY.
The partial dependencies are removed and placed in a separate table.
Note: Second Normal Form (2 NF) is only ever a problem when we’re using a
composite primary key, that is, a primary key made of two or more columns.

In the following example, the relationship is established between the Employee and
Department tables.

In this example, the Title column is functionally dependent on the Name and Date
columns. These two keys form a composite key. In this case, it only depends on
Name and is partially dependent on the Date column. Let’s remove the course
details and form a separate table. Now, the course details are based on the entire
key. We are not going to use a composite key.

Third Normal Form (3NF):


The third normal form states that you should eliminate fields in a table that do not
depend on the key.
1. A Table is already in 2 NF
2. Non-Primary key columns shouldn’t depend on the other non-Primary key
columns
3. There is no transitive functional dependency
Consider the following example: in the table employee, empID determines the
department ID of an employee, and department ID determines the department name.
Therefore, the department name column is indirectly dependent on the empID
column. So, it has a transitive dependency, and the table cannot be in third
normal form.

In order to bring the table to 3 NF, we split the employee table into two.

Now, we can see that all non-key columns are fully functionally dependent on the
Primary key.

Although fourth and fifth forms do exist, most databases do not aspire to use
those levels because they take extra work and they don’t truly impact the
database functionality and improve performance.
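
The third normal form split described above can be checked in a few lines. The following is an added example, not part of the original notes: it uses Python's built-in sqlite3 module, and the table names, the deptID/deptName column names and the sample rows are assumptions constructed for illustration. It shows the update anomaly that the transitive dependency empID -> department ID -> department name allows, and how the two-table design removes it.

```python
import sqlite3

# Constructed sample rows: empID -> deptID -> deptName is the transitive
# dependency described above. Column and employee names are assumptions.
FLAT_ROWS = [
    (1, "Asha", 10, "Sales"),
    (2, "Ravi", 10, "Sales"),
    (3, "Meena", 20, "Accounts"),
]


def build(conn):
    """Create the un-normalized table, then decompose it into 3NF tables."""
    # Foreign keys are off by default in SQLite; enable before any transaction opens.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.execute(
        "CREATE TABLE employee_flat ("
        " empID INTEGER PRIMARY KEY, name TEXT, deptID INTEGER, deptName TEXT)"
    )
    conn.executemany("INSERT INTO employee_flat VALUES (?, ?, ?, ?)", FLAT_ROWS)
    conn.execute(
        "CREATE TABLE dept (deptID INTEGER PRIMARY KEY, deptName TEXT NOT NULL)"
    )
    conn.execute(
        "CREATE TABLE employee ("
        " empID INTEGER PRIMARY KEY, name TEXT NOT NULL,"
        " deptID INTEGER NOT NULL REFERENCES dept(deptID))"
    )
    # deptName moves to the table whose key (deptID) actually determines it.
    conn.execute("INSERT INTO dept SELECT DISTINCT deptID, deptName FROM employee_flat")
    conn.execute("INSERT INTO employee SELECT empID, name, deptID FROM employee_flat")


def conflicting_depts(conn):
    """deptIDs that carry more than one deptName in the flat table,
    i.e. places where deptID -> deptName no longer holds."""
    cur = conn.execute(
        "SELECT deptID FROM employee_flat GROUP BY deptID"
        " HAVING COUNT(DISTINCT deptName) > 1 ORDER BY deptID"
    )
    return [row[0] for row in cur]


def demo():
    conn = sqlite3.connect(":memory:")
    build(conn)

    # Update anomaly: renaming the department through one employee's row
    # leaves the other copy of the name stale.
    conn.execute("UPDATE employee_flat SET deptName = 'Retail Sales' WHERE empID = 1")
    flat_conflicts = conflicting_depts(conn)

    # In 3NF the name is stored once, so one UPDATE reaches every employee.
    conn.execute("UPDATE dept SET deptName = 'Retail Sales' WHERE deptID = 10")
    joined = conn.execute(
        "SELECT e.name, d.deptName FROM employee e"
        " JOIN dept d ON d.deptID = e.deptID ORDER BY e.empID"
    ).fetchall()

    # The foreign key also rejects an employee pointing at a missing department.
    try:
        conn.execute("INSERT INTO employee VALUES (4, 'Kiran', 99)")
        orphan_rejected = False
    except sqlite3.IntegrityError:
        orphan_rejected = True

    conn.close()
    return flat_conflicts, joined, orphan_rejected


if __name__ == "__main__":
    print(demo())
```
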

UNIT – 4

BUSINESS INTELLIGENCE(BI):
The term ‘Business Intelligence’ has evolved from
the decision support systems and gained strength with the
technology and applications like data warehouses, Executive
Information Systems and Online Analytical Processing
(OLAP).
Business Intelligence System is basically a system used for
finding patterns from existing data from operations.

Characteristics of BI:
• It is created by procuring data and information for use
in decision-making.
• It is a combination of skills, processes, technologies,
applications and practices.
• It contains background data along with the reporting
tools.
• It is a combination of a set of concepts and methods
strengthened by fact-based support systems.
• It is an extension of Executive Support System or
Executive Information System.
• It collects, integrates, stores, analyzes, and provides
access to business information
• It is an environment in which business users get
reliable, secure, consistent, comprehensible, easily
manipulated and timely information.
• It provides business insights that lead to better, faster,
more relevant decisions.
Benefits of BI:
• Improved Management Processes.
• Planning, controlling, measuring and/or applying
changes that results in increased revenues and reduced
costs.
• Improved business operations.
• Fraud detection, order processing, purchasing that
results in increased revenues and reduced costs.
• Intelligent prediction of future.

Approaches to BI:
• Improving reporting and analytical capabilities
• Using scorecards and dashboards
• Enterprise Reporting
• On-line Analytical Processing (OLAP) Analysis
• Advanced and Predictive Analysis
• Alerts and Proactive Notification
• Automated generation of reports with user
subscriptions and “alerts” to problems and/or
opportunities.

Capabilities of BIS:
• Data Storage and Management
• Data warehouse
• Ad hoc analysis
• Data quality
• Data mining
• Information Delivery
• Dashboard
• Collaboration /search
• Managed reporting
• Visualization
• Scorecard
• Query, Reporting and Analysis
• Production reporting
• OLAP analysis

Data warehousing:
A data warehouse is a central repository of
information that can be analyzed to make more informed
decisions. Data flows into a data warehouse from
transactional systems, relational databases, and other
sources, typically on a regular cadence. Business analysts,
data engineers, data scientists, and decision makers access
the data through business intelligence (BI) tools, SQL
clients, and other analytics applications.

Data and analytics have become indispensable to businesses
to stay competitive. Business users rely on reports,
dashboards, and analytics tools to extract insights from their
data, monitor business performance, and support decision
making. Data warehouses power these reports, dashboards,
and analytics tools by storing data efficiently to minimize
the input and output (I/O) of data and deliver query results
quickly to hundreds and thousands of users concurrently.

Benefits of a data warehouse include the following:


• Informed decision making
• Consolidated data from many sources
• Historical data analysis
• Data quality, consistency, and accuracy
• Separation of analytics processing from transactional
databases, which improves performance of both
systems.

Business Intelligence framework:


✓ The Business Intelligence Framework is the foundation
where you build a set of reports.
✓ The Business Intelligence Framework contains a Data
Model (see Business Intelligence Framework: Data
Model).
✓ Complete the following tasks to utilize Business
Intelligence for analysis and reporting:
✓ Build reports (see Business Intelligence Framework:
Designing reports).
✓ Deploy, refresh, and optionally extend reports (see
Deploying reports ).
✓ Business Intelligence Framework: Data Model
✓ You can review the metadata model for Business
Intelligence Framework.
✓ Data Model objects
✓ The Data Model provides a simplified, English-
oriented, nontechnical view of the metadata.

Business Analytics:
✓ Business analytics is the process of transforming data
into insights to improve business decisions. Data
management, data visualization, predictive modeling,
data mining, forecasting simulation, and optimization
are some of the tools used to create insights from data.
Yet, while business analytics leans heavily on
statistical, quantitative, and operational analysis,
developing data visualizations to present your findings
and shape business decisions is the end result. For this
reason, balancing your technical background with
strong communication skills is imperative to do well in
this field.
✓ At its core, business analytics involves a combination
of the following:
✓ Identifying new patterns and relationships with data
mining;
✓ Using quantitative and statistical analysis to design
business models;
✓ Conducting A/B and multi-variable testing based on
findings;
✓ Forecasting future business needs, performance, and
industry trends with predictive modeling; and
✓ Communicating your findings in easy-to-digest reports
to colleagues, management, and customers.

OLAP:
✓ Online analytical processing (OLAP) is software
technology you can use to analyze business data from
different points of view.
✓ Organizations collect and store data from multiple data
sources, such as websites, applications, smart meters,
and internal systems.
✓ OLAP combines and groups this data into categories to
provide actionable insights for strategic planning.
✓ For example, a retailer stores data about all the
products it sells, such as color, size, cost, and location.
✓ The retailer also collects customer purchase data, such
as the name of the items ordered and total sales value,
in a different system.
✓ OLAP combines the datasets to answer questions such
as which color products are more popular or how
product placement impacts sales.

Importance of OLAP:
❖ Faster decision making:
Businesses use OLAP to make quick and accurate decisions
to remain competitive in a fast-paced economy. Performing
analytical queries on multiple relational databases is time
consuming because the computer system searches through
multiple data tables. On the other hand, OLAP systems
precalculate and integrate data so business analysts can
generate reports faster when needed.

❖ Non-technical user support:
OLAP systems make complex data analysis easier for non-
technical business users. Business users can create complex
analytical calculations and generate reports instead of
learning how to operate databases.

❖ Integrated data view:
OLAP provides a unified platform for marketing, finance,
production, and other business units. Managers and decision
makers can see the bigger picture and effectively solve
problems. They can perform what-if analysis, which shows
the impact of decisions taken by one department on other
areas of the business.

OLAP operations:
To facilitate this kind of analysis, data is collected from
multiple sources and stored in data warehouses, then
cleansed and organized into data cubes. Each OLAP cube
contains data categorized by dimensions (such as customers,
geographic sales region and time period) derived by
dimensional tables in the data warehouses. Dimensions are
then populated by members (such as customer names,
countries and months) that are organized hierarchically.
OLAP cubes are often pre-summarized across dimensions to
drastically improve query time over relational databases.

Analysts can then perform five types of OLAP analytical
operations against these multidimensional databases:

❖ Roll-up. Also known as consolidation, or drill-up, this
operation summarizes the data along the dimension.
❖ Drill-down. This allows analysts to navigate deeper
among the dimensions of data. For example, drilling
down from “time period” to “years” and “months” to
chart sales growth for a product.
❖ Slice. This enables an analyst to take one level of
information for display, such as “sales in 2017.”
❖ Dice. This allows an analyst to select data from
multiple dimensions to analyze, such as “sales of blue
beach balls in Iowa in 2017.”
❖ Pivot. Analysts can gain a new view of data by
rotating the data axes of the cube.
OLAP software locates the intersection of dimensions, such
as all products sold in the Eastern region above a certain
price during a certain time period, and displays them. The
result is the measure; each OLAP cube has at least one to
perhaps hundreds of measures, which derive from
information stored in fact tables in the data warehouse.
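
The five operations above, worked through on a small fact table. This is an added example, not code from the original notes; the sample rows, column names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed fact table (assumption, not from the notes).
# Dimensions: product, color, geography (state -> region), time (month -> year).
# Measure: amount (sales value).
COLUMNS = ("product", "color", "state", "region", "year", "month", "amount")
FACTS = [dict(zip(COLUMNS, row)) for row in [
    ("beach ball", "blue", "Iowa",  "Midwest", 2017, 6, 120.0),
    ("beach ball", "blue", "Iowa",  "Midwest", 2017, 7, 180.0),
    ("beach ball", "red",  "Iowa",  "Midwest", 2017, 7,  90.0),
    ("beach ball", "blue", "Ohio",  "Midwest", 2017, 7,  60.0),
    ("umbrella",   "blue", "Iowa",  "Midwest", 2016, 7,  75.0),
    ("umbrella",   "red",  "Maine", "Eastern", 2017, 6, 200.0),
    ("beach ball", "blue", "Maine", "Eastern", 2016, 8,  40.0),
]]


def aggregate(rows, dims):
    """Sum the measure for every combination of the given dimension levels."""
    totals = defaultdict(float)
    for row in rows:
        totals[tuple(row[d] for d in dims)] += row["amount"]
    return dict(totals)


def roll_up(rows, dims, drop):
    """Consolidate: summarize at a coarser grain by removing one level."""
    return aggregate(rows, [d for d in dims if d != drop])


def drill_down(rows, dims, add):
    """Navigate deeper: add a finer level, e.g. month underneath year."""
    return aggregate(rows, list(dims) + [add])


def slice_cube(rows, dim, member):
    """Fix one dimension to a single member, e.g. year == 2017."""
    return [r for r in rows if r[dim] == member]


def dice_cube(rows, **criteria):
    """Select a sub-cube by constraining several dimensions at once.

    Each keyword maps a dimension name to the set of members to keep.
    """
    return [r for r in rows
            if all(r[dim] in members for dim, members in criteria.items())]


def pivot(rows, row_dim, col_dim):
    """Rotate the axes: return {row_member: {col_member: total}}."""
    table = defaultdict(lambda: defaultdict(float))
    for r in rows:
        table[r[row_dim]][r[col_dim]] += r["amount"]
    return {k: dict(v) for k, v in table.items()}


def total(rows):
    """The measure for a set of selected cells."""
    return sum(r["amount"] for r in rows)


if __name__ == "__main__":
    print("by region/year :", aggregate(FACTS, ["region", "year"]))
    print("roll-up to region:", roll_up(FACTS, ["region", "year"], "year"))
    print("drill-down year->month:", drill_down(FACTS, ["year"], "month"))
    print("slice, sales in 2017:", total(slice_cube(FACTS, "year", 2017)))
    blue_balls = dice_cube(FACTS, product={"beach ball"}, color={"blue"},
                           state={"Iowa"}, year={2017})
    print("dice, blue beach balls in Iowa in 2017:", total(blue_balls))
    print("pivot region x year:", pivot(FACTS, "region", "year"))
    print("pivot year x region:", pivot(FACTS, "year", "region"))
```

A production cube would store the results of `aggregate` for the common dimension combinations ahead of time, which is the pre-summarization the text credits for fast query times.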

Data Mining in Business:


The importance of data mining in business is that it is
used to turn raw data into meaningful, consumable,
actionable insights. Data engineers employ software to look
for patterns that aid in analyzing consumers. Data sets are
compared to unearth relevant metrics that have an impact on
revenue lines, which are then followed up with strategies,
sales improvement measures, and optimized marketing
campaigns.

Because data operations overlap, data mining is often
confused with, and used interchangeably with, data analysis
and business intelligence. But each term is different from
the others.

Data mining refers to the process of extracting
information from large data sets, whereas data analysis is the
process used to find patterns from the extracted information.
Data analysis involves stages such as inspecting, cleaning,
transforming, and modeling data. The objective is to find
information, draw inferences, and act on them. Moving on,
let us look at the differences between data mining and
business intelligence.

| Feature | Data Mining | BI |
|---------|-------------|----|
| Purpose | Extract data to solve business problems | Visualizing & presenting data to stakeholders |
| Volume | Work on smaller data sets for focused insights | Work on relational databases for organizational-level insights |
| Results | Unique data sets in a usable format | Dashboards, pie charts, graphs, histograms, etc. |
| Focus | Highlight key performance indicators | Indicate progress on KPIs |
| Tools | Data mining techniques use tools like DataMelt, Orange Data Mining, R, Python, and Rattle GUI | Business Intelligence techniques use tools like Sisense, SAP for BI, Dundas BI, and Tableau |

Processes like data mining and data analysis converge into
business intelligence helping organizations generate usable
and demonstrable information on products and services.

Data Mining Used in Business Intelligence


The way we use data mining for business analytics and
intelligence varies from one business to another. But there is
a structure to this business process management that remains
pretty much iron clad. Here’s a look at it.

Data mining for business analytics


• Business Understanding
If you are undertaking data mining for business
analytics and want it to be successful, begin by
identifying the purpose of data mining. Subsequent steps in
the plan could tackle how to use the newfound data bits.
Designing your data mining algorithm would be a far-fetched
task unless you state the purpose of data mining concisely.

• Data Understanding
After getting to know the purpose of data mining,
it is time to get a touch and feel for your data. There could be
just as many ways to store and monetize data as there are
businesses. How you create, curate, categorize, and
commercialize your data is up to your enterprise IT strategy
and practices.

• Data Preparation
Considered one of the most important stages in the
course of nurturing data mining for business intelligence,
company data needs expert handling. Data engineers convert
data into a readable format that non-IT professionals can
interpret in addition to cleansing and modeling it as per
specific attributes.

• Data Modeling
Statistical algorithms are deployed to decipher
hidden patterns in data. A lot of trial and error goes into
finding relevant trends that can enhance revenue metrics.

• Data Evaluation
The steps involved in data modeling should be
evaluated microscopically for inconsistencies. Remember, all
roads (must) lead to streamlining operations and augmenting
profits.

• Implementation
The final step is to act on the findings in an
observable way. Field trials of the recommendations should
be piloted at a smaller scale and then expanded onto branch
outlets upon validation.

Classification:

Classification
This is a complex procedure that uses data attributes to
compartmentalize information to draw understandable
conclusions. As a reference to this, an example of data mining
in business could be using supermarket data to group
information into categories such as groceries, dairy products,
etc. Tagging and studying this data can help users understand
customer preferences for each line item.

Clustering
Although it may sound similar to the previous technique, there
are differences. Cluster groups are not as defined in structure
as Classification groups. An example could be edible items,
non-edible items, perishable products, etc. instead of the
specific groceries and dairy products of the earlier case.

Association Rules
Here, we use link variables to track patterns. Continuing on
our supermarket example, this could mean customers who
purchase a grocery item (edible), are more likely to purchase
fruits (perishable) as well. Upon validating this fact, store
owners can itemize the shelves in accordance with customer
choices.

Regression Analysis
Regression helps miners determine the relationship between
different variables in a set. It is used to foresee the
probability of a future event. In the case of a supermarket
store, business owners can set price points based on seasonal
demand, competition, and supply chain issues.

Anomaly Detection
The last of the data mining techniques includes identifying
outliers. There will always be anomalies in the data which
have to be accounted for. For instance, the majority of buyers
in the supermarket happen to be females but for a week in
(say) January they are displaced by men. Why? Such outliers
have to be studied for a balanced approach.

The aforementioned techniques make clear how data mining
is used in business operations.
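
The association-rule idea from the supermarket example, as an added sketch that is not part of the original notes. The baskets are constructed, and the support, confidence and lift measures are the standard ones for this technique rather than terms the notes define.

```python
from itertools import combinations
from typing import NamedTuple

# Constructed shopping baskets (assumption), tagged with product categories.
BASKETS = [
    {"groceries", "fruits", "dairy"},
    {"groceries", "fruits"},
    {"groceries", "dairy"},
    {"groceries", "fruits", "cleaning"},
    {"cleaning"},
    {"fruits", "dairy"},
    {"groceries", "fruits"},
    {"cleaning", "dairy"},
]


class Rule(NamedTuple):
    lhs: str           # "customers who buy this ..."
    rhs: str           # "... also buy this"
    support: float     # share of all baskets containing both items
    confidence: float  # share of lhs baskets that also contain rhs
    lift: float        # confidence relative to how common rhs is overall


def support(baskets, itemset):
    """Fraction of baskets that contain every item in itemset."""
    itemset = set(itemset)
    return sum(itemset <= basket for basket in baskets) / len(baskets)


def mine_rules(baskets, min_support=0.25, min_confidence=0.6):
    """Return single-item rules lhs -> rhs that pass both thresholds.

    Rules are sorted by lift, strongest association first. A lift above 1
    means the two items occur together more often than chance would give;
    a lift below 1 means buying lhs makes rhs less likely than average.
    """
    items = sorted(set().union(*baskets))
    found = []
    for a, b in combinations(items, 2):
        both = support(baskets, {a, b})
        if both < min_support:
            continue  # too rare to act on, whichever direction
        for lhs, rhs in ((a, b), (b, a)):
            confidence = both / support(baskets, {lhs})
            if confidence >= min_confidence:
                lift = confidence / support(baskets, {rhs})
                found.append(Rule(lhs, rhs, both, confidence, lift))
    return sorted(found, key=lambda r: r.lift, reverse=True)


if __name__ == "__main__":
    for rule in mine_rules(BASKETS, min_confidence=0.5):
        print(f"{rule.lhs:>9} -> {rule.rhs:<9} "
              f"support={rule.support:.3f} "
              f"confidence={rule.confidence:.2f} lift={rule.lift:.2f}")
```

With the default thresholds only the groceries and fruits pairing survives; lowering the confidence threshold also surfaces dairy rules whose lift is below 1, which a store owner should not read as a reason to shelve those items together.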

BPM:
Business performance management is a continuous cycle
of planning, tracking, analyzing performance, and making
adjustments. The cycle begins with defining strategic
business goals, which are then translated into operational
plans and goals for individual departments within the
organization. These departmental plans may include detailed
descriptions of targets, timelines and budgets. By defining
and monitoring KPIs and metrics, each department — from
finance and production to marketing and human resources —
continuously assesses whether its performance is on track to
meet those goals. Analyzing the business data underlying the
KPIs helps the organization determine whether it needs to
adjust its strategy or tactics.

A variety of methodologies have been devised for business
performance management. These processes are designed to
help companies set strategic goals, execute detailed
operational plans, track progress and make improvements.
Some of the best-known frameworks include the balanced
scorecard, objectives and key results (OKRs), total quality
management (TQM) and Six Sigma. (More on these later.)

Importance of Business Performance Management:


BPM aims to provide organizations with a set of tools for
measuring and increasing business success. It helps
companies link business goals to specific financial and
operating metrics. Tracking these metrics enables businesses
to compare their forecasts with their actual performance.
BPM helps to align everyone in the company toward
common goals, and it also provides early warning signs of
potential problems that require adjustments to enable the
company to stay on track. Here are some of the most
significant benefits:

Better alignment:
The company’s goals are translated into specific objectives
and metrics for each group within the organization. This
helps ensure that all employees are working toward the same
goals. Each department, by managing performance based on
these business metrics, contributes to the organization’s
success.

Track business health:


By tracking KPIs, the company can monitor performance
across every aspect of the business. Software that supports
real-time KPI dashboards and status reports can help
departments keep tabs on progress and spot warning signs.

Better planning and responsiveness:


BPM provides companies with tools for more informed
decision-making and planning. It helps businesses quickly
detect problems and trends and adjust plans accordingly.

Improved process efficiency:


Tracking KPIs can highlight process inefficiencies that the
company can target for improvement. For example, an
excessively long sales cycle can indicate that the company
needs to identify bottlenecks and determine how to
streamline its processes.

Automation:
Software that automates the steps of gathering KPIs and
presenting them in dashboards and reports reduces the effort
and time required to manage the business — and makes it
feasible for all employees to continuously track their
progress.

Business Performance Management Processes:


The BPM cycle consists of four primary processes, with each
stage feeding into the next.

• Develop strategy:
This initial stage consists of identifying the
organization’s overall goals and developing strategies to
reach those goals. This stage may include defining the
company’s vision, values and strategic objectives in addition
to identifying revenue and profitability targets. Strategy
development is typically carried out by the organization’s
CEO and other top managers, based on input from experts
across the company.

• Create operational plans:


Create specific operational plans for achieving
the goals laid out in the previous stage. This includes
defining specific tactics, initiatives and anticipated results for
each department in the business, from production and
finance to marketing and HR. The plans also detail the
budget and other resources required to reach these goals.

• Define, monitor and analyze KPIs:


Determine the most important metrics for
tracking progress toward each objective. Some KPIs, such as
revenue growth, may apply across the entire business, while
others are specific to each department. This step also
involves determining

• Review and respond:


Based on reviewing the analysis of KPIs and
underlying data, the company takes action to respond to
changing business conditions. This stage may include
reviewing how much progress the company has made toward
its goals and determining whether strategic or operational
changes are needed to achieve success. The results of this
stage feed back into the first and second stages of the cycle,
enabling the organization to continuously make course
corrections by adjusting its goals and plans.

Dashboard:
Dashboards are one of the most frequently used business
analysis tools in modern companies. They are used for
visualizing large sets of data through graphs, charts, maps,
and other visual features, all in one place.

You can incorporate dashboards to monitor various
operational activities within the company and track the most
important key performance indicators in a project or process.
Furthermore, dashboards provide an instant overview of key
metrics that the highest-ranking members of the company
need to make everyday decisions, and are constantly updated
when real-time changes occur.

They can also help you better comprehend certain aspects of
the business and understand how the company is performing
on a certain issue.

The best dashboards are informative, simple, concise,
quickly accessible, and include tons of valuable insights.
Depending on the purpose behind it, there are four types of
data dashboards you can create:

❖ Strategic dashboards – Used for monitoring long-term
company strategies by analyzing trend-based metrics and
KPIs.
❖ Operational dashboards – Tracking the operations that
have a shorter time frame.
❖ Analytical dashboards – Used by analysts to extract
valuable information from larger data sets.
❖ Tactical dashboards – Best suited for mid-level
management. They can help you make better strategies based
on the latest trends.

Scorecard:
A scorecard is a performance management reporting
tool that is used for comparing the current activities in your
company with the planned objectives and results.

In essence, companies use scorecards to align their
strategies with the objectives by tracking important metrics
related to customer information, projected growth, financial
data, and business activities.

Scorecards are also the perfect solution in case you
need to fine-tune the points of control, sharpen the
organization’s processes, or optimize any current strategies.

This tool focuses more on providing a static overview
of the organization at a specific moment, which means it
isn’t really suitable for automatic analyses, real-time updates,
or showcasing more granular details.

To better understand just how beneficial scorecards
can be, here is a brief list of some of the main reasons why
companies incorporate them:

❖ They can help you understand whether you are
producing the right products, see how profitable they are,
and check if they are in line with the current trends.
❖ They showcase which call center scripts are functioning
properly and whether there is any room for improvement in
customer experience.
❖ They analyze the current safety standards and help
you figure out ways to make the manufacturing environment
more profitable.

In summary, scorecards track KPIs and analyze both
the current metric status and the overall target value. Once
you understand the gap between the two, you will have an
easier time managing performance and coming up with
better strategies to reach your company goals.

For best results, scorecards should be updated each
week or month, depending on the amount of data you are
dealing with.

Unit – 5
ECONOMICS OF IT AND MANAGING IT SECURITY:

Evaluating IT-investments:
IT-investments are more complex than other types of
investments due to their demand for great technical skills,
the problem of comprehending the expenditures in advance,
and the fast technology development, to name only a few
(Bannister, 2004). Nor can IT be seen as an isolated
phenomenon within the organisation. Leavitt (1965) claims
that there are interdependencies between the actors
(employees), technology, structure and the tasks to be
performed. From this, we can see that the organisational
processes need to be adjusted along with the changes in IT,
in order to realise all the benefits of an investment. This
implies that IT raises different demands in terms of
evaluation models, compared to other types of investments.
A model for IT-evaluation has to be able to capture this
complexity and transform it into an understandable and
measurable result. How well PENG manages to deal with the
inherent complexity of IT is discussed below.

The PENG-model offers a specialised framework for
evaluations of IT-investments. According to Danielsson et
al. (2007), the PENG-model can be used for several purposes,
such as prioritising between different IT-investments, pricing
a system and evaluating an organisation’s IT from a total
perspective. It is also possible to use it both before and after
an IT-investment is made. Our case study verifies this
information; Kalmar county council has used PENG to
motivate investments, to identify possible outcomes of an
IT-investment and for following up different projects. They
also intend to evaluate the effects of the total IT in the
organisation.

PENG can be, and certainly has been, used in all the
above-mentioned situations. However, our first impression of
PENG was that it offered a specialised framework for
valuing and transforming all the aspects of IT into monetary
terms. This is true in the sense that all ratios of the model
are expressed in actual amounts. However, the process of
getting the results lacks a clear approach to how it shall be
performed. The model leaves much of the valuation work
in the hands of the evaluation team. Based on the
descriptions of PENG in our empirical chapter, PENG offers
a framework for evaluating IT-investments, but it does not
give sufficient instruction for how the evaluations should be
performed.

The framework
In order to perform a PENG-evaluation, ten steps have to be
covered. The steps serve as guidance to help the evaluator
through the evaluation process. Our impression is that the
steps are relevant and useful in terms of the outline.
However, when going deeper into the different steps, no
clear guidelines for the procedures can be found. In addition
to this, we have found in the case study that PENG lacks a
final step, which gives propositions for how the work shall
go on after the evaluation is done. Because of this, a project
might fail to incorporate the results of the evaluation into the
continuing work. The extra step may therefore be a valuable
complement to the model. Whether this step should belong to
the evaluation model or not can be discussed; nevertheless,
this is a vital issue for the organisation. Our opinion, though,
is that a follow-up meeting after any type of evaluation is
essential, so that an organisation can introduce the gathered
information into the project(s).

Another characteristic of using PENG is that it demands the
use of a certified PENG-consultant to perform the
evaluation. This can be considered both a strength and a
weakness. The strength is that the consultant comes to the
evaluation with an open mindset, which is not restricted to
some special way of thinking, i.e. “how we do things around
here”. The weakness, however, is the cost of using a
consultant. It is possible to certify a person within the own
organisation to lead the evaluations, but this is only an
alternative if you use PENG frequently, and in that case you
also lose the “outside” perspective of a consultant.

The case study at Kalmar county council shows that the
PENG-model is especially suited for illustrating the effects
and costs of IT-investments. The implementation of the model
and its results are also easy for everyone to grasp and to
draw conclusions from. This appears to be extra important
when it comes to organisations, like Kalmar county council,
which are governed by political forces. In this case, the
politicians need to be convinced by concrete and easily
available information, in order to motivate the
IT-investments and put them on the agenda. However, the
evaluations are, as mentioned earlier, very dependent on the
knowledge and experience of the evaluators. The result of
the evaluations is easy to grasp, but how can you know that
they are correct when there are no concrete rules for the
valuation process? To us, this decreases the credibility of
PENG. Depending on which persons perform the evaluation,
you can end up with conclusions that are poles apart.

A broader basis for evaluation


Lundberg (2004) has identified four important aspects that
need to be reviewed in order to grasp the total effect of an
IT-investment: reduction of costs (the cost of running an
organisation before an IT-investment, reduced by the costs
after the installation is set), increased income (the income
after an IT-investment reduced by the income before),
qualitative benefits (improvements in the qualitative
business ratios that are used within the enterprise, e.g.
customer satisfaction, staff turnover, comfort and so on), and
IT-benefits (the costs of IT before the change, reduced by
the cost after). All these aspects are in one way or another
accounted for within the PENG-framework. Reduced costs are
measured by mapping all the local hidden costs, local visible
costs and central costs. The increased income and the
qualitative benefits are calculated by identifying all the
potential and attained benefits. The benefits can further be
separated, based on the reliability of their estimation, into
the following groups: hardly evaluated benefits, benefits with
indirect influence on the result and benefits with direct
influence on the result. This is seen as a great
advantage within the case study. The IT-benefits are taken
into consideration within the final step of PENG, which is
when you calculate the net benefits (attained benefits +
potential benefits – IT-costs).

This comparison makes it obvious that PENG has the
intention to cover all the important aspects of an
IT-investment identified by Lundberg (2004). However, since
many of the important aspects are hard to value, the results
become to a large extent based on estimations. An
example from the case study is how to calculate the number
of lives a system will save. This is of course impossible to
predict and will only be an assumption. PENG’s intention
to value all aspects in monetary terms is good, but how shall
the model be able to value things that cannot be bought?

Involving all levels of the organisation


A good aspect of PENG is that it makes managers from
different departments come together to discuss their
problems and how they can be solved. This makes it possible
to involve all the managers and to make them gather around
the same objectives. These aspects can be recognised as two
of the foundations for successful IT-investments by
Lundberg (2004), i.e. IT in line with the strategies and IT in
line with the organisation. The PENG-model also, besides
engaging the managers, involves other members of the staff,
which helps the changes to be spread and positively
received within the different levels of the organisation.

There can, though, be difficulties in the involvement of all
levels of the organisation, e.g. the concerned people can be
present when savings in the business are discussed. This can
be exemplified by a discussion of personnel reduction among
the secretaries when a secretary is present. This can lead to
the concerned person getting frustrated and trying to
emphasise their own importance within the organisation,
instead of thinking about what is best for the
organisation. In the case of Kalmar county council, these
kinds of personnel reductions are handled through natural
causes (retirements) and changes in working tasks.
Nevertheless, we still believe that this can be a problem; on
the other hand, the organisation will lose the broader
perspective in the evaluation if not every level is represented.

The results of a PENG-evaluation become to a large extent
dependent on the personnel’s attitude towards change work
in general and the current project in particular. Haverblad
(2006) argues that how the organisation reacts to the change
plays a decisive part in the difference between a successful
and an unsuccessful initiative. How does the PENG-model
deal with this? Well, it involves personnel from all divisions
and levels of the organisation, which makes the employees
feel involved in the change work, and it also helps to spread
information throughout the organisation. However, as
mentioned earlier, sensitive subjects such as savings can be
discussed, which can also lead to a dismal atmosphere within
the organisation. This is, though, a natural part of all
evaluations, due to their purpose of making the processes
and the organisation as a whole more efficient.

IT-investments are often thought of, as in the example above,
as being radical improvements (BPR) in terms of
organisational development. We imagined that this could lead
to much resistance among the employees, and that a
successive implementation (TQM) could thereby be more
beneficial. However, PENG partly overcomes this problem by
involving all levels of the organisation in the evaluation
process and in that way increases the understanding of the
effects of IT. PENG is described as suitable for
BPR-projects, but we do not see any restrictions on it also
being used for evaluating the results of TQM change work.

Evaluating IT from different perspectives


An important aspect when evaluating an investment is to
look at it from different perspectives (Svavarsson, 2005).
The model by Walsham (1993) shows that an information
system has great influence on the employees, the
organisation, and its structure. These perspectives can further
be used to understand the organisational implementation,
which is multidimensional. Kalmar county council always
evaluates its IT-investments from three different
perspectives: society, organisation and their customers
(patients). The main perspective here is the patients, because
this is where the major change shall take place, at least
in the projects of “Vård–IT”. In the organisational
perspective, there may be possibilities of streamlining
processes in order to increase the efficiency in the use of
human and monetary resources. The societal perspective might
benefit from a more effective health care, which can lead to
tax reductions or increased service for the citizens. The
PENG-model has no limitation on which perspectives to use
for evaluating an investment. The only requirement is that the
perspective can be counted as belonging to either the
benefit or the cost side of the balance sheet, or both. PENG
does not give any instructions for which perspective to
use. It seems to us that this depends on the people
performing the evaluation and probably also on the branch
in which the evaluation is being done.

Hardly evaluated benefits and costs


The conventional models for evaluating IT mostly focus on
the hard parts of IT-investments, that is to say monetary
savings and increased incomes. PENG adds a “softer” aspect
of IT, as a complement to the traditional measurement. This
is a major advantage, since an IT-investment implies a
lot more than monetary effects. The IT-benefits are often
greater within the business activities compared to the
reduced costs (Lundberg, 2004). In the case study, we found
benefits such as increased customer service, improved
working situation of the employees, enhanced quality in
service et cetera. Lundberg (2004) further argues that you
need to evaluate all the aspects of IT in order to grasp the
total effects of it. By this, it is quite clear that PENG
provides a broader basis for evaluation compared to
traditional evaluation methods, which are more restricted.
The model also offers the possibility to measure the “softer”
values by putting a price tag on each of them, in order to
make them comparable.

It can be difficult to decide the value of a benefit when
performing an evaluation. The framework of PENG adds
another arbitrary decision, i.e. to value the “softer” aspects of
an investment in monetary terms. As mentioned before, most
of the effects of IT are accounted for within softer
values, so this part surely belongs to the evaluation in order
to grasp the total picture of the investment. Nevertheless, this
is a very complex moment of the model where different
persons can come to dissimilar conclusions. If you compare
this to research methodology, this phenomenon would be
counted as reliability. Saunders et al. (2007, p. 149)
explain reliability as “the extent to which your data
collection techniques or analysis procedures will yield
consistent findings”. If you think about PENG in terms of
reliability, the result would most probably not be consistent
if different persons performed the evaluation, due to
arbitrariness, i.e. occurrences have different values to
various persons.

According to our empirical investigation of PENG, the
model does not offer much guidance in the different steps of
the evaluation process. This is to us the major dissatisfaction
with the model. PENG tells you which steps to perform, but it
does not provide further information on how the actual
work shall be done. PENG has the intention to cover much
of the complexity inherent in IT through its ten steps, and at
a superficial glance it does. But when you analyse each step
more deeply, the model seems to be lacking a concrete
framework. It may be possible that the PENG-consultant can
further structure the steps of the model. However, according
to our case study the PENG-consultant was merely providing
an outside perspective instead of a structured framework to
approach the evaluation. It is thereby rather up to the persons
performing the evaluation to make their own judgements. The
only guidance you have is that the benefits can be
separated into three sub-groups depending on the certainty of
their valuation, i.e. direct, indirect and hardly valuated
benefits. The case study at Kalmar county council added
that the result of the evaluation is better the more time is
spent, and that those who have performed PENG-evaluations
before are better at valuing different aspects of IT. We
believe that this is a consequence of the model’s ambiguity
when it comes to the working procedures of the evaluation
phases.

The above discussion might as well be applied to the
phase of PENG where costs shall be monitored and valued.
According to Bannister (2004), all costs and benefits of IT are
not always fully realised, which means that they are not fully
known. A solid evaluation can, however, only be done if the
costs and benefits are totally understood. In PENG, most
of the costs can be categorised as central or local visible
costs. The major problem here is the hidden costs, which,
like the “soft” benefits, are hard to evaluate and
would probably be valued differently by different persons.
The hidden costs can, though, be a large part of the costs and
are thereby a necessary part of the evaluation. Here too the
model lacks a structured approach for how the work shall be
done. There is a step for defining and evaluating IT-costs,
but there is not much substance behind the step. You can split
the costs, as mentioned above, into three different categories.
The rest of the work is up to the evaluator, and this seems to
us like a very treacherous game.

Timeframe
It is evident that a PENG-evaluation demands a great effort
from the persons involved and, according to the case study, it
often takes 5-6 meetings during a period of at least six
weeks. In this respect, PENG is very time-consuming
compared to other methods that are merely focused on
“measurable” aspects such as Return On Investment (ROI) et
cetera. On the other hand, the result of PENG is much wider
and is probably better at mirroring all the aspects of an
IT-investment, by not just focusing on costs and incomes. This
might, according to the case study, make the model
especially suited for evaluations within the public sector and
primarily within health care, where “softer” aspects of IT are
the main reason behind most of the investments. In
organisations outside the health care area, the “softer” values
are important but merely in terms of attracting customers and
generating savings or increased returns. Nevertheless,
this does not mean that other types of organisation cannot
find the PENG-model to be suitable for evaluating their
businesses.

The results of a PENG-evaluation


Kalmar county council has performed several
PENG-evaluations and the results of them have turned out to
be very exact compared to the outcomes. In terms of the
project “Vård-IT”, the result came out to be as precise as
corresponding to the second decimal of the result in the
evaluation. The other evaluations that have been performed
also turned out to be very exact compared to reality.
Based on this information, the PENG-framework seems to be
quite precise in valuing the hard aspects of IT, i.e. reduced
costs. However, many of the benefits of IT are, as mentioned
before, counted in terms of “soft” benefits. The “soft”
benefits are hard to estimate in the evaluation process, and
they do not often result in monetary savings. It is thereby
hard to know if they are realised or not. Kalmar county
council were satisfied with the result of their evaluations, and
the respondent mentioned that they saved x number of
employments. However, the “soft” aspects cannot be counted
in terms of reduced personnel, and the result of the “soft”
aspects was thereby not followed up after the projects. Our
opinion is further that “soft” aspects of IT cannot be more
accurately measured afterwards than they were before. And
how shall you then know if the result of the evaluation
agreed with reality or not?

Method
A method is a tool, a way to solve a problem and find new
knowledge (Holme & Solvang, 1997). Saunders, Lewis &
Thornhill (2007, p. 602) give another definition of a method
and state that a method is “the techniques and procedures
used to obtain and analyse research data, including for
example questionnaires, observation, interviews, and
statistical and non statistical techniques”. The use of a
method will not in itself lead to new knowledge; it is
therefore important to bear in mind that the method is just a
tool to facilitate the work that needs to be done in order to
find new knowledge (Goldkuhl, 1998). This chapter will
describe the different methods and techniques used in this
thesis, but first we will talk about the research process.

Research process
Research is often illustrated as a process (Ghauri &
Grønhaug, 2005). This can be explained by the fact that all
research requires a lot of time and reflection. As a researcher,
it is useful to look at it as a process consisting of different
stages with different tasks (Ghauri & Grønhaug, 2005). For
example, as researchers we first have to decide in what area
we want to do our research. Then we have to formulate
our research problem, before we can decide what data to
collect and how to collect the information. In the figure
below, you can see an example of how the research process
can be illustrated.

We have chosen to use this figure to illustrate that the thesis
work is not a linear process, but rather a progression
performed in cycles. During the research process we will gain
new knowledge that later on will be added to the parts already
written. This will primarily occur after the different seminars
where we will get feedback on what we have performed so
far. Another reason for adding new information is that we
will become more versed in the subject of IT-evaluations as
the work progresses. In the following section our research
methods will be described.

Qualitative versus Quantitative methods


Authors often draw a distinction between qualitative and
quantitative research (Saunders et al., 2007). Even though
distinctions are made, attempts to define the distinctiveness
of qualitative research, and therefore the way in which it can
be distinguished from quantitative research, can be
problematic. However, when looking at the data produced by
qualitative research it is possible to draw some significant
distinctions from the results based on quantitative work
(Saunders et al., 2007). These distinctions can be seen in the
figure below.

Case Study
According to Saunders et al. (2007, p. 139) a case study is “a
strategy for doing research which involves an empirical
investigation of a particular contemporary phenomenon
within its real life context using multiple sources of
evidence”. The case study can be useful when the concepts
and variables under the study are difficult to quantify
(Ghauri & Grønhaug, 2005). So why have we chosen to use
the case study strategy?

The power lies in that the strategy gives us a rich
understanding of the context of the research and the process
being enacted (Saunders et al., 2007). Since we are going to
investigate the PENG-model and, as stated above, want to get
a rich understanding, this method will suit our purpose. The
case study will make it possible for us to see how
IT-investments are performed in organisations. This will
further create a natural environment where we can study
IT-evaluations, and in this case the PENG-model. Our
assumption about why to choose the case study method is
also strengthened by Ghauri & Grønhaug (2005), who claim
that the case method is useful for theory testing, which is
what we will do in this thesis.

We have also found support for choosing this method in a
statement from Ghauri & Grønhaug (2005, p. 116), where
they say that a case study is preferred “if we want to follow a
theory that specifies a particular set of outcomes in some
particular situation, and if we find a firm which finds itself in
that particular situation, we can use the case study method
for a critical test of theory and its applicability to the
organisation”. In this case we will test the usability of PENG
in an organisation to see how the model contributes to
evaluations of IT.

The techniques for collecting data in a case study can be, for
example, interviews, observations, and exploratory research.
In this thesis, we will use interview and literature review as
our techniques to gather data; these will be described below.

Literature review
According to Ghauri & Grønhaug (2005), a literature study
helps the researcher to discover relevant variables and
relationships between them and to put together these
variables in a new way. A critical review of the literature is
also necessary to help us develop a thorough understanding
of, and insight into, previous research that relates to our
research questions and objectives (Saunders et al., 2007).

Primary information can be of different quality and character
(Holme & Solvang, 1997). However, if we are aware of the
limitations and if we ask the right questions of the material,
we can get good quality information. One limitation that we
have to consider is, for example, the origin of the source
(Holme & Solvang, 1997).

In this thesis, we will use the literature study to examine
relevant theories. The theories will help us understand how
IT-investments affect an organisation in terms of qualitative
and quantitative aspects. The theoretical framework will also
cover the most important parts of IT-evaluations and
investments. In the empirical part of the thesis, we will
perform a further literature study of the PENG-model based
on a book written by the originators of the model. This will
then serve as the foundation for the analysis when
interpreting the primary data (interview).

The sources for the literature review will mainly come from
scientific articles and books, collected both from libraries
and from the internet, namely different databases. We have
reviewed all literature according to Holme & Solvang's
(1997) four phases (source observation, source origin, source
interpretation and source usability) to increase the
trustworthiness of the theoretical framework. See the
reference for more information about this review.

Interview
We will use interviews to collect the main part of the data
used in this thesis. The reason for this choice is that it will
help us to get a deeper understanding about our case. The
first thing we have to consider is to decide what sort of
interview we are going to perform. There exist many types of
interviews, for example semi-structured, in-depth, and group
interviews.

In this thesis, we will use semi-structured interviews, which
often are referred to as qualitative research interviews
(Saunders et al., 2007). When using a semi-structured
interview the researcher has a list of themes and questions to
be covered, although these may vary from interview to
interview. “This means that you may omit some of the
questions in particular interviews, given a specific
organisational context that is encountered in relation to the
research topic. The order of the questions may also be
varied depending on the flow of the conversation” (Saunders
et al., 2007, p. 312). During our interview, it is possible that
new aspects of the studied phenomenon might arise and
thereby we need to shape additional questions. The
semi-structured interview also gives us the possibility to
structure the themes that we want to discuss with the
respondent, so that none of the important areas are left out or
forgotten.

Throughout the interview, we will take notes from the
respondents’ answers. These notes will then directly after the
interview session be reviewed and compared. This will result
in an interview document that further on will be sent back to
the respondent for confirmation. By doing this we will
eliminate the possibility of misunderstanding parts of the
interview.

Sample
The sample is often a critical task of a thesis, since much of
the research credibility (see chapter 2.5 Research credibility)
is linked to this. When using a qualitative method the
selection of respondent will be decisive. If we get the wrong
person from our sample, the whole interview may be
worthless (Holme & Solvang, 1997). The
purpose with qualitative interviews is to increase the value of
the information and to create a base for deeper and more
complete understanding. This means that the sample will not
be random or temporary, but done in a more systematic way
based on predefined criteria (Holme & Solvang, 1997). This
means that we will search for an “extreme” case, and not
the average, to get as large a width in the material as possible
(Holme & Solvang, 1997).

However, how large a sample do we need? In the book by
Ghauri & Grønhaug (2005, p. 119) they state that “Students
often ask how many cases they should include in their study.
The answer to this question is very difficult, as there is no
upper or lower limit to the number. Often one case is
enough”. To be able to find a case that would be useful in
this thesis we contacted the persons who developed the
PENG-model. We asked them if they could provide us with
contact information to persons who had used the model
several times and recently and that they thought would be
suited for our thesis. We are fully aware that this selection
might be biased, since the developers of the model most
certainly will not give us a case where the use of the
PENG-model has shown itself to be unhelpful. However, this
is the only chance to access cases. We will deal with this
problem by questioning the use of the model both according
to the real life use and further on in the analysis, where we
will assess the model in terms of our theoretical framework.
More about how we will treat the risk of bias is described in
the next chapter.

Research credibility
All researchers endeavor to produce data or material that is
as close to the truth as possible. However, how can a
researcher be sure that what he/she writes is the truth? The
answer is of course that he/she cannot. All he/she can do is to
reduce the possibility of getting the answers wrong. This
means that we as researchers have to pay attention to two
particular emphases on research design: reliability and
validity (Saunders et al., 2007).

Reliability
The term reliability refers to the stability of the measurement
(Ghauri & Grønhaug, 2005) or it “refers to the extent to which
your data collection techniques or analysis procedures will
yield consistent findings” (Saunders et al., 2007, p. 149).
Robson (2002) asserts that there may be four general threats
to reliability.

The first one is subject or participant error. One example of
this may be that you will find that your questionnaires will
reveal different results if they are done at different times of
the week. By choosing a more “neutral” day this problem
should be solved (Saunders et al., 2007). In our case, we
chose a Wednesday, which we thought of as a neutral day
since it is in the middle of the week, i.e. not linked to
something positive (near a holiday) or negative (in the
beginning of the week).

The next threat may be subject or participant bias. This can
be explained by the interviewees saying what they
think their bosses want them to say. It is important to be
aware of this when designing the research (Saunders et al.,
2007). To minimize this problem we will interview a CIO
(IT-manager), which makes it less probable that he/she will
be restricted in his/her answers.

The third threat to reliability is observer error. One example
of this might be that three persons conduct three different
interviews, but with the same questions. However, these
three persons might ask these questions in three different
ways and in that way end up with a biased result. In our case
we are two persons at the interview and both will take notes
in order to get as much and as correct information as possible.
The questions will be asked by one person so that the other
one can listen and take notes even more carefully.

The last threat is observer bias. This threat deals with the
fact that there might be many ways of interpreting the
answers. As mentioned above, we were two persons taking
notes from the interview. These notes are then, directly after
the meeting, written down in a document, where we will
discuss all the answers so that all the received information is
covered. This document will then be sent to the respondent so
that he/she can confirm, add or remove parts which he/she
believes are incorrect. However, since the interview will be
performed in Swedish and then later on translated into
English, there is a possibility that some parts can be
mistranslated. This is a problem that we will take into
consideration when performing the translation and which
will lead to us being extra careful in this process to avoid
errors.

Validity
“Validity is concerned with whether the findings are really
about what they appear to be about” (Saunders et al., 2007,
p. 149). It is here common to separate between inner and
outer validity; the latter is often referred to as
generalisability, see the next section. As mentioned before,
our intention is to interview the most “extreme” case, and not
the average. This means that we have to find a person that has
“the right” knowledge about PENG. We will then, based on
our purpose, create a number of interview questions that
further on are used to collect accurate data. Our intention is
that these measures will result in a high validity.

Generalisability
This part of the research credibility is concerned with
whether the findings may be equally applicable to other
research settings (Ghauri & Grønhaug, 2005). In this thesis,
we will not be able to achieve a high generalisability. This
is because we have performed a case study, and from that we
are not able to draw general conclusions that will be the
same for all other settings where the PENG-model is used.
On the other hand, we think that our conclusions can be
applicable to settings similar to the one we will use in this
case.

Benefits and costs of IT-investments
Lundberg (2004) argues that in order to see the total effect of
an investment you need to evaluate all the aspects of IT. He
further defines two kinds of IT-benefits; the ones that IT
creates within the business activities and the benefits that are
visible in terms of reduced costs. Both of these benefits are
important, especially within large corporations with a great
IT-dependency. The cost reduction is however often not as
great as the benefits within the business (Lundberg, 2004).

When considering IT-investments, the literature makes a
distinction between “hard” and “soft” benefits. Hard benefits
are usually associated with efficiency gains as a direct result
of the implementation and are in most cases relatively
easy to calculate. The soft benefits, on the other hand, are
more difficult to measure (Svavarsson, 2005). “Many of the
companies do not formally evaluate their IT-investments
because they maintain that many of the important benefits
cannot be quantified in monetary terms and are hence left out
of the evaluation” (Svavarsson, 2005, p. 116). However, the
soft benefits are often the most important, because IT is often
used as a support to realise the business concept, and is not
the business concept itself. Therefore it is vital that these
hard-to-evaluate benefits are also taken into consideration
in the evaluation model.

IT-investments can be evaluated from many different points
of view. Lundberg (2004, p. 68) has identified four ways to
view the effects of an IT-investment:

Reduction of costs: The cost of running an organisation
before an IT-investment, reduced by the costs after the
installation is set.

Increased income: The income after an IT-investment,
reduced by the income before.

Qualitative benefits: Improvements in the qualitative
business ratios that are used within the enterprise, e.g.
customer satisfaction, staff turnover, comfort and so on.

IT-benefits: The costs of IT before the change, reduced by
the cost after.

The different items in the table above are used to
compare the costs, revenues and ratios before and after an
investment is accomplished. This results in an estimate of
the net benefits of IT. From this, it becomes quite evident
that IT-investments can be reviewed from many different
standpoints and that persons from different divisions of the
organisation can come to widely differing conclusions when
evaluating the result of the investment. However, in order
to get the total picture of an IT-investment, you need to
evaluate all the different aspects of an investment
(Lundberg, 2004).

Bannister (2004) claims that long-term control of costs and
benefits requires investments in management, which in turn
involves suitable evaluation and monitoring procedures. He
has particularly identified the following aspects as
important: clear identification of all costs and benefits, ways
of measuring costs and benefits, methods of evaluating
proposed expenditure, and appropriate evaluation measures
and techniques (Bannister, 2004). This makes it evident that
an evaluation model must offer ways to identify, measure,
and value costs and benefits of IT.

Many studies show that organisations often do not understand
costs and benefits when it comes to IT. All costs and benefits
of IT are not always fully realised, which means that they are
not fully known. A solid evaluation can however only be
done if the costs and benefits are totally understood.
Bannister (2004) names some examples of potential
benefits (decreased costs) when investing in IT:

Competitive advantage – Provide a service that the
competitors cannot match. Depending on how an
organisation combines its unique competence with
information technology, it may be able to gain an
advantage that its competitors cannot match.

New products or services – IT can facilitate the
creation of new products or services. One example of this
can be to provide video rentals through the internet,
which is an example of how IT can offer an old product
through a new medium. This results in increased service
for the customers, and lower costs for the lessor.

Increased productivity – Removing steps in the
production by automating procedures. Many tasks can be
automated, which leads to decreased costs in terms of
reduction in staff, inventory or working capital.

Improved product delivery – For certain products
electronic delivery can be effective. An example of this
is the possibility to upload digital photos, get them
developed and sent to your mailbox.

Better decision making – Decision support systems.
Services like business intelligence systems can provide
real-time data and customised reports in order to support
strategic decisions.

Improved communication – The use of email, intranet
and Internet for internal and external communication.
This facilitates the spreading of information inside the
organisation and to external customers.

Reduction of errors – Computers make no errors.
Working tasks performed by routine can be automated,
which leads to fewer errors caused by the human factor.

Haverblad (2006) also states that measuring the performance
regarding IT is essential to be able to follow up, verify and
evaluate what has been achieved in relation to set up goals.
These measurements shall be linked to the IT-strategy and be
integrated with planning and budgeting. “What is not
measured can neither be improved” (Haverblad, 2006, p. 96).

Many of the above mentioned benefits are quite easy to
identify and comprehend. It is much harder to assess the
expenditures of IT. The cost-evaluation is often made before
the investment or in retrospect. Hidden costs are a major
problem within IT-investments. In this case, hidden costs are
the ones that are not perceived at the time when the
investment is planned. Examples here can be costs for
training, maintenance, support, testing, installation and
different adjustments. These are costs that might be visible,
but which are not always recognised as IT-costs and may
thereby be overlooked when evaluating a project (Bannister,
2004).

Conventional methods to use here are return on investment,
payback period, net present value, internal rate of return,
cost-benefit analysis et cetera. A problem with these
evaluation methods is however that their result can be
misleading. The figures do not create any measure of the
effectiveness of the investment. Is the money effectively
spent or could the investment have been done in a better
way? It can also be useful to benchmark IT-investments
against peer organisations in order to compare the
effectiveness of different IT-solutions (Bannister, 2004).
Based on this, we can see that a model used for
IT-evaluations must be able to measure the effectiveness for
each aspect of an investment and provide ratios for these.

Strategies:
To be in line with the market is usually not enough; the
organisation’s ambitions are also of great importance when
doing IT-investments. The organisation needs to be aware of
what it expects of the investment in relation to its
strategies. This can be exemplified with an organisation that
works on a market with a decreasing price level. The strategy
of the organisation is then to consolidate, save and reduce the
personnel. To start with large IT-investments to realise new
sophisticated services would be directly wrong and not in
line with the organisational strategies (Lundberg, 2004).

The mentioned example contained a radical deviation from
the organisation’s strategies. In other cases, it can be harder
to differentiate between what is an accurate investment and
what is not. The important lesson from this is to at least
always consider the strategy when discussing new
IT-investments. One way to find investments that are in line
with the strategy and with great potential of improving the
business is to search for the parts of the organisation that
contribute the most to its revenues. Many studies show that
the productivity and usefulness of IT mostly depend on in
what parts of the organisation you invest (Lundberg, 2004).

Securing the enterprise:


Understanding Enterprise Security Management
Enterprise security management (ESM) pertains to all risks
that may affect the core
business of an organization. It includes failed software
processes, inadvertent or deliberate mistakes
committed by staff members, internal security threats,
and external security threats. The concept also takes
into account the following factors related to the
security architecture framework.

• Enterprise-Wide Compliance
The number of regulatory requirements can affect the
end product/service delivery. The ESM framework
aims to resolve conflicting business objectives, as
well as fulfill regulatory and internal compliance
requirements.

• Business-Focused Outcome
In a standard ESM framework, security risks and
company objectives drive the selection of security
implementations. As it is a top-down architecture, it
ensures the identification and control of all policies.

• Clarity at Data-Infrastructure Level


The key challenge for the enterprise is to gain clarity
and resolve conflicts pertaining to data privacy
requirements, vulnerability vectors, and company
objectives. The ESM approach to clarity enables the
enterprise to gain transparency around the
aforementioned, both at the infrastructure and data
security level.

• Transformation of Security at All Levels


ESM adopts the approach called “architecting a
security framework at all levels” of an organization. It
defines security capabilities from the governance level
all the way through architecture, and involves
planning to build, monitor, and deliver security within
all organizational units, processes, and business
functions.

Information system vulnerabilities and threats:


This area provides advice, guidance and other resources
aimed specifically at those with an interest in vulnerability.
All systems contain vulnerabilities. They may take the form
of a configuration issue for system administrators to resolve,
software defects requiring a vendor update, or even a
vulnerability which the vendor doesn’t yet know exists, for
which a mitigation isn’t available.

This makes vulnerability management a critical control for
organisations.

An effective vulnerability management process allows your
organisation to understand, and validate on a regular basis,
which vulnerabilities are present in your technical estate,
where updates are failing, and to actively reduce the impact
of both. It also allows you to react quickly when a critical
vulnerability is disclosed, by helping you understand your
organisation’s exposure to it.

A vulnerability is a weakness in an IT system that can be
exploited by an attacker to deliver a successful attack. They
can occur through flaws, features or user error, and attackers
will look to exploit any of them, often combining one or
more, to achieve their end goal.
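
The vulnerability management process described above, as an added example that is not part of the original document: given an asset inventory and a newly disclosed advisory, it reports which hosts are exposed and which are failing to update. All host names, package names, versions, dates and the advisory identifier are constructed placeholders, and a 30-day update window is an assumption.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class Host:
    name: str
    packages: dict        # package name -> installed version string
    last_patch_ok: date   # last date an update run completed successfully


@dataclass
class Advisory:
    ident: str            # placeholder identifier, not a real CVE number
    package: str
    fixed_in: str         # first version that contains the fix


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.

    Comparing the raw strings would rank '2.4.9' above '2.4.10' and
    silently hide an exposed host.
    """
    return tuple(int(part) for part in text.split("."))


def exposed_hosts(hosts, advisory):
    """Hosts running the affected package below the fixed version."""
    fixed = parse_version(advisory.fixed_in)
    return sorted(
        h.name for h in hosts
        if advisory.package in h.packages
        and parse_version(h.packages[advisory.package]) < fixed
    )


def stale_hosts(hosts, today, max_age_days=30):
    """Hosts whose last successful update is older than the allowed window."""
    return sorted(
        h.name for h in hosts
        if (today - h.last_patch_ok).days > max_age_days
    )


def triage(hosts, advisory, today, max_age_days=30):
    """Split the estate by what has to happen next.

    Exposed hosts whose updates are also failing will not fix themselves
    on the next patch cycle, so they are listed separately.
    """
    exposed = set(exposed_hosts(hosts, advisory))
    stale = set(stale_hosts(hosts, today, max_age_days))
    return {
        "fix_manually": sorted(exposed & stale),
        "await_next_update": sorted(exposed - stale),
        "updates_failing_only": sorted(stale - exposed),
    }


# Constructed sample inventory and advisory.
INVENTORY = [
    Host("web-01", {"examplehttpd": "2.4.9"}, date(2024, 5, 28)),
    Host("web-02", {"examplehttpd": "2.4.10"}, date(2024, 5, 30)),
    Host("db-01", {"exampledb": "11.2.0"}, date(2024, 2, 1)),
    Host("legacy-01", {"examplehttpd": "2.4.2", "exampledb": "10.0.1"},
         date(2023, 11, 15)),
]
ADVISORY = Advisory("EXAMPLE-0001", "examplehttpd", "2.4.10")
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for bucket, names in triage(INVENTORY, ADVISORY, TODAY).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```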

Flaws
A flaw is unintended functionality. This may either be a
result of poor design or through mistakes made during
implementation. Flaws may go undetected for a significant
period of time. The majority of common attacks we see
today exploit these types of vulnerabilities. Between 2014
and 2015, nearly 8,000 unique and verified software
vulnerabilities were disclosed in the US National
Vulnerability Database (NVD).

Vulnerabilities are actively pursued and exploited by the full
range of attackers. Consequently, a market has grown in
software flaws, with ‘zero-day’ vulnerabilities (that is,
recently discovered vulnerabilities that are not yet publicly
known) fetching hundreds of thousands of pounds.

Zero-day vulnerabilities
Zero-days are frequently used in bespoke attacks by the more
capable and resourced attackers. Once the zero-days become
publicly known, reusable attacks are developed and they
quickly become a commodity capability. This poses a risk to
any computer or system that has not had the relevant patch
applied, or updated its antivirus software. The ability for an
attacker to find and attack software flaws or subvert features
depends on the nature of the software and their technical
capabilities. Some target platforms are relatively simple to
access, for example web applications could, by design, be
capable of interacting with the Internet and may provide an
opportunity for an attacker.

Features
• A feature is intended functionality which can be
misused by an attacker to breach a system. Features
may improve the user’s experience, help diagnose
problems or improve management, but they can also be
exploited by an attacker.
• When Microsoft introduced macros into their Office
suite in the late 1990s, macros soon became the
vulnerability of choice with the Melissa worm in 1999
being a prime example. Macros are still exploited
today; the Dridex banking Trojan that was spreading in
late 2014 relies on spam to deliver Microsoft Word
documents containing malicious macro code, which
then downloads Dridex onto the affected system.
• JavaScript, widely used in dynamic web content,
continues to be used by attackers. This includes
diverting the user’s browser to a malicious website and
silently downloading malware, and hiding malicious
code to pass through basic web filtering.

Threats:
Information System Threats
A threat is anything (man-made or act of nature) that has the
potential to cause harm. A threat is also defined as “A
potential for violation of security, which exists when there is
a circumstance, capability, action, or event that could breach
security and cause harm. That is, a threat is a possible danger
that might exploit a vulnerability”.

Threat modeling is a procedure for optimizing network
security by identifying objectives and vulnerabilities, and
then defining countermeasures to prevent, or mitigate the
effects of, threats to the system.

In this context, a threat is a potential or actual adverse event
that may be malicious (such as a denial-of-service attack) or
incidental (such as the failure of a storage device), and that
can compromise the assets of an enterprise.

CLASSIFICATION OF SECURITY THREATS:


In order for one to produce a secure system, it is important to
classify threats. The classification of threats could be:

1. Physical threats
2. Accidental error
3. Unauthorized access
4. Malicious misuse

1. PHYSICAL THREAT:
A physical threat to a computer system could be the result of:

• Loss of the whole computer system.

• Damage to hardware.

• Damage to the computer software.

• Theft of the computer system, or vandalism.

• Natural disaster such as flood, fire, war, earthquakes
etc.

• Acts of terrorism, such as the attack on the World Trade
Centre, which is also one of the major threats to computers
that can be classified as a physical threat.

• Another good example of a physical threat to a computer
system is the flooding of the city of New Orleans
(Hurricane Katrina), during which valuable information
was lost and billions of computer data were destroyed.

2. ACCIDENTAL ERROR:
This is also an important security issue which computer
security experts should always take into consideration when
designing security measures for a system. Accidental errors
could occur at any time in a computer system, but having
proper checks in place should be the major concern of the
designer. Accidental error includes corruption of data caused
by programming error, and user or operator errors.

3. UNAUTHORIZED ACCESS:
Data stored on the computer system has to be accessed for it
to be translated into useful information. This also poses a
great security threat to the computer system, due to
unauthorized persons having access to the system. Not only
this, information can be accessed via a remote system in the
process of being transmitted from one point to the other via
network media, which includes wired and wireless media.
Consider an example of an organization in which a
member of staff at a particular level of hierarchy within the
establishment is only allowed access to specific areas
according to the policy of the organization. If these
employees, by other means not set in the organization policy,
gain access to the restricted data area on the computer, this
can be termed an unauthorized access.

4. MALICIOUS MISUSE:
Any form of tampering with the computer system, which
includes penetration, Trojan horses, viruses and any form of
illegal alteration of the computer system, which also includes
the generation of illegal codes to alter the standard codes
within the system, can be termed malicious misuse. This
could also lead to a great financial loss and should be
prevented in all cases.

Network security:
• Network security is any activity designed to protect
the usability and integrity of your network and
data.
• It includes both hardware and software
technologies.
• It targets a variety of threats.
• It stops them from entering or spreading on your
network.
• Effective network security manages access to the
network.

How network security works


Network security combines multiple layers of defenses at the
edge and in the network. Each network security layer
implements policies and controls. Authorized users gain
access to network resources, but malicious actors are blocked
from carrying out exploits and threats.

Benefits of network security


Digitization has transformed our world. How we live, work,
play, and learn have all changed. Every organization that
wants to deliver the services that customers and employees
demand must protect its network. Network security also
helps you protect proprietary information from attack.
Ultimately it protects your reputation.

Types of network security:


Firewalls:
Firewalls put up a barrier between your trusted internal
network and untrusted outside networks, such as the Internet.
They use a set of defined rules to allow or block traffic. A
firewall can be hardware, software, or both. Cisco offers
unified threat management (UTM) devices and
threat-focused next-generation firewalls.

Email security
Email gateways are the number one threat vector for a
security breach. Attackers use personal information and
social engineering tactics to build sophisticated phishing
campaigns to deceive recipients and send them to sites
serving up malware. An email security application blocks
incoming attacks and controls outbound messages to prevent
the loss of sensitive data.

Anti-virus and anti-malware software


“Malware,” short for “malicious software,” includes viruses,
worms, Trojans, ransomware, and spyware. Sometimes
malware will infect a network but lie dormant for days or
even weeks. The best antimalware programs not only scan
for malware upon entry, but also continuously track files
afterward to find anomalies, remove malware, and fix
damage.

Network segmentation
Software-defined segmentation puts network traffic into
different classifications and makes enforcing security
policies easier. Ideally, the classifications are based on
endpoint identity, not mere IP addresses. You can assign
access rights based on role, location, and more so that the
right level of access is given to the right people and
suspicious devices are contained and remediated.

Access control
Not every user should have access to your network. To keep
out potential attackers, you need to recognize each user and
each device. Then you can enforce your security policies.
You can block noncompliant endpoint devices or give them
only limited access. This process is network access control
(NAC).

Application security
Any software you use to run your business needs to be
protected, whether your IT staff builds it or whether you buy
it. Unfortunately, any application may contain holes, or
vulnerabilities, that attackers can use to infiltrate your
network. Application security encompasses the hardware,
software, and processes you use to close those holes.

Behavioral analytics
To detect abnormal network behavior, you must know what
normal behavior looks like. Behavioral analytics tools
automatically discern activities that deviate from the norm.
Your security team can then better identify indicators of
compromise that pose a potential problem and quickly
remediate threats.

Information security is implemented through two approaches:
bottom-up and top-down.

These approaches help protect data from theft, loss,
modification, and unauthorized access, which ensures integrity.
Sensitive information is also encrypted to safeguard the data.

Definition
Information security is the set of procedures to protect
information from disruption, misuse, destruction, disclosure,
modification, or unauthorized access.

There are two approaches discussed as follows –


Bottom-Up Approach
In this approach, responsibility lies with the system
administrator, cyber engineer, or network security professional
and does not include top-level management positions. The main
duty of such individuals is to secure the information system by
using their expertise, knowledge, education, and training to
build a highly secure model.

Advantages of the Bottom-up Approach


• The individual or team addresses the intricate security
of the information system using their expertise. Threats
to the company are identified so that potential threats
can be mitigated.
• An existing team or individual is assigned instead of a
new hire, which saves time and money in a complex plan.
It is a good way to use valuable resources that are
already available.
• The strategies are not assisted by top-level
management or expert and also incorporation would
have thoroughness or longevity.
• The top-level management collaboration gives a wide
vantage point using company standards, concerns,
resources, etc.

Top-Down Approach
This approach is created, initiated, or implemented by
top-level management. It implements data security by issuing
instructions, creating an information security policy, and
following procedures. Top-level management takes on the
priority and liability of project activities, and the top-level
managers take help from other professionals in the infosec
system.

Advantages of the Top-down Approach

• The top-down approach is more efficient than the
bottom-up approach.
• The company's management level is more powerful for
protecting data than an individual or team, considering
company-wide priority.
• Each problem is unique and vulnerabilities exist in
every department or office. To resolve the problem, a
top-down approach is important.

Steps for an information security program
• The security team builds a framework according to
the current situation.
• Understand the source of the threat.
• Risk assessment.
• Manage and remediate the threat.
• Develop an action plan to evaluate any damage.
• Acknowledge third parties.
• Security controls to mitigate risk.
• Awareness regarding security and training.
• Audit and monitor to assess the vulnerability.

Layers in Information Security Approach


Implementing InfoSec protection covers cybersecurity and
security at the web, application, device, network, physical, and
software levels. Data recovery and backup during a disaster
are also included.

The approach separates the concerns into smaller parts to
assure protection for each layer and to manage it easily. Let's
discuss each layer:

Device security
Security for smartphones and app systems is as follows:
• The software or device is kept up to date.
• The user credentials are secured with a
password that is changed at regular intervals.
• Maintenance of the system is important.
• Intrusion detection is also required to detect
possible threats.
• Patch management is also essential to ensure
the security of the system.

Network and Web security

InfoSec policies for networks and browsers cover the
following:
• Authentication for each person, such as a manager,
third parties, or employees.
• Antivirus, firewalls, intrusion detection, and
antimalware systems.
• Protection from phishing attacks using mail,
attachments in the mail, etc.
• Lock the pop-up messages.
• Access for the legitimate user.
• VPN and traffic analysis, IP network security.
• Security of devices such as smartphones, tablets, etc.
• Data loss of messages and files.
• Segmentation of the network.

Disadvantages of InfoSec
• The system is complex and time-consuming for a large
organization.
• It is costly to maintain and implement the
requirements.
• InfoSec system is difficult to change the usual system.
• It is rigid and does not adapt to new, changing systems.
• Security may give false alerts causing them to
overlook control access.

Implementing security:
A solid information security program is an essential
component of running a business in the digital age—a time
when the number of data breaches and security incidents is
increasing exponentially. Without a security program, you
leave your company, customers, and data at risk. Let’s
explore the components of an information security program,
and walk through a step-by-step guide on how you can
implement one at your organization.

What is an Information Security Program?


Think about your organization’s information security
culture, policies, procedures, standards, and guidelines.
Together, these elements create a security program by
outlining how your organization plans for and acts when it
comes to security management.

The purpose of the program is to make certain the data and
information you’re responsible for is safe. By safe, we mean
your organization ensures three vital principles:
confidentiality (secured from unauthorized access), integrity
(accurate and free from tampering), and availability
(accessible in a timely manner) of its data.

Information security programs need to:


• Establish a benchmark for security;
• Measure against that benchmark;
• Enable informed decision making; and,
• Support the execution of decisions.

9 Steps on Implementing an Information Security Program

Step 1: Build an Information Security Team
Before you begin this journey, the first step in information
security is to decide who needs a seat at the table. One side
of the table holds the executive team, made up of senior-
level associates responsible for crafting the mission and
goals of the security program, setting security policies, risk
limitations, and more. On the other side of the table sits the
group of individuals responsible for daily security
operations. As a whole, this group designs and builds the
framework of the security program.

Step 2: Inventory and Manage Assets


The security team’s first job is to understand which assets
exist, where those assets are located, ensure the assets are
tracked, and secure them properly. In other words, it’s time
to conduct an inventory of everything that could contain
sensitive data, from hardware and devices to applications
(both internally and third party developed) to databases,
shared folders, and more. Once you have your list, assign
each asset an owner, then categorize them by importance
and value to your organization should a breach occur.

Step 3: Assess Risk


To assess risk, you need to think about threats and
vulnerabilities. Start by making a list of any potential threats
to your organization’s assets, then score these threats based
on their likelihood and impact. From there, think about what
vulnerabilities exist within your organization, categorize
and rank them based on potential impact. These
vulnerabilities can consist of people (employees, clients,
third parties), processes or lack thereof, and technologies in
place.

Look at the two lists you’ve created and find where threats
and vulnerabilities may intersect, showing you where your
greatest levels of risk exist. A high-impact threat with high
vulnerability becomes a high risk, for example.

Step 4: Manage Risk


Now that you have your risks ranked, decide whether you
want to reduce, transfer, accept, or ignore each risk.
• Reduce the risk: Identify and apply fixes to counter
the risk (e.g., setting up a firewall, establishing local
and backup locations, purchasing water leak detection
systems for a data center).
• Transfer the risk: Purchase insurance for assets or
bring on a third party to take on that risk.
• Accept the risk: If the cost to apply a countermeasure
outweighs the value of the loss, you can choose to do
nothing to mitigate that risk.
• Avoid the risk: This happens when you deny the
existence or potential impact of a risk, which is not
recommended as it can lead to irreversible
consequences.
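
The scoring and treatment decisions of Steps 3 and 4, worked through as an added example (not part of the original notes). The threats, vulnerabilities, 1-3 scales, rating thresholds and cost figures are constructed assumptions; the accept rule is the one stated in Step 4.

```python
from dataclasses import dataclass

# Constructed sample data; scales, thresholds and costs are assumptions.

@dataclass(frozen=True)
class Threat:
    name: str
    exploits: frozenset  # kinds of weakness this threat takes advantage of
    likelihood: int      # 1 = rare, 3 = likely
    impact: int          # 1 = minor, 3 = severe

@dataclass(frozen=True)
class Vulnerability:
    asset: str
    kind: str            # weakness in people, process or technology
    severity: int        # 1 = low, 3 = high
    fix_cost: int        # cost of the countermeasure
    loss_value: int      # value of the loss if the risk is realised

THREATS = [
    Threat("Phishing campaign", frozenset({"untrained staff"}), 3, 3),
    Threat("Ransomware",
           frozenset({"unpatched software", "no offline backup"}), 2, 3),
    Threat("Water leak in data center", frozenset({"no leak detection"}), 1, 2),
]
VULNS = [
    Vulnerability("HR mailboxes", "untrained staff", 3, 5_000, 80_000),
    Vulnerability("File server", "unpatched software", 2, 2_000, 60_000),
    Vulnerability("Test lab rack", "no leak detection", 1, 15_000, 4_000),
    Vulnerability("Lobby kiosk", "default password", 2, 500, 3_000),
]

def rate(score):
    """Map a 1..27 score to a rating (assumed thresholds)."""
    return "High" if score >= 18 else "Medium" if score >= 8 else "Low"

def treatment(vuln):
    """Step 4: accept when the countermeasure costs more than the loss."""
    return "accept" if vuln.fix_cost > vuln.loss_value else "reduce"

def risk_register(threats, vulns):
    """Step 3: a risk exists where a threat meets a vulnerability it exploits."""
    rows = []
    for t in threats:
        for v in vulns:
            if v.kind in t.exploits:
                score = t.likelihood * t.impact * v.severity
                rows.append((score, rate(score), t.name, v.asset, treatment(v)))
    return sorted(rows, reverse=True)  # highest risk first

def unmatched(threats, vulns):
    """Vulnerabilities no listed threat exploits: a gap in the threat list."""
    covered = set().union(*(t.exploits for t in threats))
    return [v.asset for v in vulns if v.kind not in covered]

if __name__ == "__main__":
    for row in risk_register(THREATS, VULNS):
        print(row)
    print("No matching threat listed for:", unmatched(THREATS, VULNS))
```
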

Step 5: Develop an Incident Management and Disaster Recovery Plan

Without an Incident Management and Disaster Recovery
Plan, you put your organization at risk should any security
incident or natural disaster occur. This includes things like
power outages, IT system crashes, hacking, supply chain
problems, and even pandemics like COVID-19. A good plan
identifies common incidents and outlines what needs to be
done—and by whom—in order to recover data and IT
systems.

Step 6: Inventory and Manage Third Parties


Make a list of vendors, suppliers, and other third parties
who have access to your organization’s data or systems,
then prioritize your list based on the sensitivity of the data.
Once identified, find out what security measures high-risk
third parties have in place or mandate necessary controls. Be
sure to consistently monitor and maintain an updated list of
all third-party vendors.

Step 7: Apply Security Controls


You’ve been busy identifying risks and deciding on how
you’ll handle each one. For the risks you want to act on, it’s
time to implement controls. These controls will mitigate or
eliminate risks. They can be technical (e.g., encryption,
intrusion detection software, antivirus, firewalls), or non-
technical (e.g., policies, procedures, physical security, and
personnel). One non-technical control you’ll implement is a
Security Policy, which serves as the umbrella over a number
of other policies such as a Backup Policy, Password Policy,
Access Control Policy, and more.

Step 8: Establish Security Awareness Training


Conduct frequent security awareness trainings to share your
information security plan and how each employee plays a
role in it. After all, new security measures and policies do
nothing if employees working with the data are not educated
on how to minimize risk. Any time an element of your
security program changes, your employees need to be
aware. And be sure to document and retain evidence of
trainings for future auditing purposes.

Auditing:
Step 9: Audit
The best way to determine the effectiveness of your
information security program is to hire a third-party auditor
to offer an unbiased assessment on security gaps. In some
cases, this is mandatory to confirm compliance. Third-party
assessors can also perform vulnerability assessments, which
include penetration tests to identify weaknesses in your
organization’s networks, systems, and applications, along
with audits against criteria such as ISO 27001, PCI DSS,
FedRAMP, and HITRUST; as well as SOC 2® reports using
the AICPA Trust Service Principles. Your company can also
conduct internal audits to assess controls, policies,
procedures, risk management, and more.

RISK MANAGEMENT APPROACH


Firms use a variety of approaches to manage risks associated
with IT security. Secure Business Quarterly, a trade
publication, highlighted these approaches [SBQ 2001]:
1. The fear, uncertainty, and doubt (FUD). For years, it
was used to sell investments in security.
2. The cost of deploying security. For example, the
approach based on cost effectiveness of investments
asks, “What is the most I can get for $X, given that I
am going to spend $X?” This analysis is tractable
because it does not seek to quantify the benefits of
security investment and assumes security investment
simply as an overhead cost.
3. The traditional risk or decision analysis framework.
The idea is to identify the potential risks, possible
losses, and their likelihoods and compute the expected
loss.
4. Several proposed variations of the decision analysis
approach that manage IT security risks using non-
technical controls, such as insurance.
While these approaches can provide a useful starting point
for managing security risk, they are incomplete because of
the security problem’s strategic nature. The limitation of
these approaches can be stated as one simple proposition:
They do not allow a firm’s investment level to influence the
behavior of hackers.

The behavioral influences of security technology on hackers
have long been recognized by researchers and practitioners
in the security community. Many pointed out that security
should be viewed as a “cat-and-mouse” game played by
firms and hackers. Tighter security technology employed by
firms requires higher investment but also makes hacking
more difficult. Hackers do not select their targets randomly.
They rationally make their choice based on how much effort
will be required to succeed in hacking and the reward as a
result. The strategic interaction between a firm’s investment
and hacking activity must be captured in the model used to
determine investment levels. Because decision theory is
designed to analyze decision making under uncertainty
where “nature” is the only “opponent”, it is fundamentally
inadequate to deal with security investment decision making
where these behavioral effects occur. Modeling the
interaction between firm and hacker decisions requires game
theory.
The game-theoretic aspect of IT security was first noted by
Jajodia and Miller [1993, p. 85]:
“Computer security is a kind of game between two parties,
the designer of a secure system, and a potential attacker.”
A video illustration of the strategic game played by the
security experts in a firm and the hackers is provided by
cable channel MSNBC at its website
http://www.msnbc.com/modules/hack_attack/hach.swf. The
interactive site shows, step by step, how an attack against a
honeypot computer is launched. The intruder is referred to
as the black-hat, while the security expert is called the
white-hat. Since an intrusion detection system (IDS) is
installed in the system, all the actions committed by the
black-hat are captured. One can see how the expert takes
action based on what (s)he learned from the IDS logs.

We use a simple example to illustrate how the game theory
and the decision analysis approaches can lead to different
decisions. Suppose that the game between the hacker and the
firm yields the payoff matrix given in Table 2. Each player
can take two actions.

The firm can invest to have high or low security, and the
hacker can choose to hack less or more. If the firm invests
low in security and the hacker chooses to intrude less, the
payoff for the firm is -5, which includes the cost of
investment and the cost of undetected intrusions while the
hacker gets a payoff of 6, which is the utility from hacking
minus cost if the hack is detected by security controls. We
can interpret other payoffs in other cells in a similar fashion.
That is, the first element in a cell is the firm’s payoff and the
second element in the same cell is the hacker’s payoff
corresponding to an action pair.

The dominant strategy equilibrium of the game is (high
investment, high hack), because the firm is always better
off if it invests high in security, as the payoff is higher when
it invests high than when it invests low. At the same time,
the hacker is better off if he hacks high whatever action the
firm takes.

Suppose the firm does not act strategically, and assume that
the firm thinks the hacker will hack low. Then it will choose
to invest less because the cost of additional investment does
not justify the savings associated with prevention or
detection of possible security breaches (i.e. -5>-8).

Because the hacker always prefers high hack to low hack, the
game ends up in (low investment, high hack). Note that not
incorporating the strategic nature of the game makes the firm
actually worse off since it gets a payoff of -10, the worst case
among all cases.

Table 2. Game Theory Matrix for Firm and Hackers

             | HACKERS: Low | HACKERS: High
FIRM: Low    | -5, 6        | -10, 8
FIRM: High   | -8, 4        | -7, 5

The example shows how a firm can make a wrong choice
about its security investment by ignoring the tactical
battle with the hacker.
We conclude that the strategic nature of the problem is a
significant dimension that needs to be considered when
dealing with security. To be able to compete, organizations
should also act strategically when choosing controls and
their capabilities. Several papers recognize the
game-theoretic aspect of the IT security problem and report
on how to use game theory to evaluate security investments
[Cavusoglu et al. 2004b, Cavusoglu et al. 2002].
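
The comparison between decision analysis and game theory on the Table 2 payoffs, computed as an added example (not part of the original notes or the cited papers). It goes slightly beyond the text by letting the non-strategic firm hold any fixed belief `p_high` about high hacking; that parameter and all function names are assumptions of this sketch.

```python
# Table 2 payoffs: (firm action, hacker action) -> (firm payoff, hacker payoff)
PAYOFFS = {
    ("Low", "Low"): (-5, 6),
    ("Low", "High"): (-10, 8),
    ("High", "Low"): (-8, 4),
    ("High", "High"): (-7, 5),
}
ACTIONS = ("Low", "High")
FIRM, HACKER = 0, 1


def payoff(player, own, other):
    """Payoff to `player` for playing `own` while the opponent plays `other`."""
    cell = (own, other) if player == FIRM else (other, own)
    return PAYOFFS[cell][player]


def best_response(player, other):
    """Action that maximises `player`'s payoff against a fixed opponent action."""
    return max(ACTIONS, key=lambda a: payoff(player, a, other))


def dominant_strategy(player):
    """Action that is a best response to every opponent action, else None."""
    replies = {best_response(player, o) for o in ACTIONS}
    return replies.pop() if len(replies) == 1 else None


def equilibria():
    """Cells in which each player's action is a best response to the other's."""
    return [(f, h) for f in ACTIONS for h in ACTIONS
            if best_response(FIRM, h) == f and best_response(HACKER, f) == h]


def decision_analysis_choice(p_high):
    """Firm's pick when it treats hacking as 'nature': High with fixed
    probability p_high, regardless of what the firm invests."""
    def expected(f):
        return ((1 - p_high) * payoff(FIRM, f, "Low")
                + p_high * payoff(FIRM, f, "High"))
    return max(ACTIONS, key=expected)


def realized_outcome(firm_action):
    """Cell actually reached once the hacker best-responds to the firm."""
    hack = best_response(HACKER, firm_action)
    return (firm_action, hack), PAYOFFS[(firm_action, hack)]


if __name__ == "__main__":
    # Against a Low hacker the firm's best reply is Low (-5 > -8), the
    # comparison the text uses for the firm that does not act strategically.
    print("firm best replies:", {h: best_response(FIRM, h) for h in ACTIONS})
    print("hacker dominant action:", dominant_strategy(HACKER))
    print("equilibria:", equilibria())
    naive = decision_analysis_choice(p_high=0.0)   # firm assumes low hacking
    print("decision analysis ->", naive, realized_outcome(naive))
    print("game theory       ->", realized_outcome(equilibria()[0][0]))
```

With these payoffs, (High, High) is the only cell in which both players best-respond, giving the firm -7. A firm whose fixed belief in high hacking is below 0.5 chooses Low and ends in the (Low, High) cell at -10.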
