Information Systems Development and Ethics
IS Development
Information systems development (ISD) or application development is the process of developing an information system solution to business problems using a systems approach.
Customer-Driven Development (Intuit Case)
Intuit's new product ideas are driven by a psychologist.
Methods include "Playing nice" and free-association sessions.
The focus is always on the customer, aiming to:
Reduce "pain points".
Capture pencil-and-paper users.
Conduct "follow-me-homes" (observing users in their environment).
Simplify language.
The Systems Approach
A problem-solving technique using a systems orientation to define problems/opportunities and develop solutions.
Involves:
Recognizing and defining the problem using systems thinking.
Developing and evaluating alternative solutions.
Selecting the best solution.
Designing the selected system.
Implementing and evaluating the system's success.
What is Systems Thinking?
Seeing both the "forest and the trees" in a situation.
Understanding interrelationships among systems, not just linear cause-and-effect.
Recognizing change processes over time rather than static snapshots.
Identifying input, processing, output, feedback, and control components in any situation.
Systems Thinking Example
Control: Sales management.
Feedback: Sales information (potentially poor/incorrect).
Input: Inadequate selling effort & Out-of-date Sales Procedures.
Processing: Sales Performance.
Output: Sales.
Systems Analysis and Design (SA&D)
SA&D is the overall process for designing and implementing information systems.
Includes identifying business problems.
Two common approaches:
Object-oriented analysis and design.
Life cycle (SDLC).
Systems Development Life Cycle (SDLC)
Systems Investigation
Understand the Business Problem or Opportunity
Product: Feasibility Study
Determine how to address business opportunities and priorities.
Conduct a feasibility study to determine whether a new or improved business system is a feasible solution.
Develop a project management plan and obtain management approval.
Systems Analysis
Product: Functional Requirements
Analyze the information needs of employees, customers, and other business stakeholders.
Develop the functional requirements of a system that can meet business priorities and the needs of all stakeholders
Develop logical models of current system.
Systems Design
Product: System Specifications
Develop specifications for the hardware, software, people, network, and data resources, and the information products that will satisfy the functional requirements of the proposed business information system.
Develop logical models of new system.
Systems Implementation
Product: Operational System
Acquire (or develop) hardware and software.
Test the system, and train people to operate and use it.
Convert to the new business system.
Manage the effects of system changes on end users.
Systems Maintenance
Product: Improved System
Use a post-implementation review process to monitor, evaluate, and modify the business system as needed.
Systems Development Process
Systems Investigation
The first step in the systems development process.
May involve proposals from business/IT planning.
Includes a preliminary feasibility study of proposed information system solutions.
Feasibility Studies
A preliminary study to determine:
Information needs of prospective users.
Resource requirements.
Costs.
Benefits.
Feasibility.
In some cases, a feasibility study may be unnecessary.
Types of Feasibility
Operational Feasibility
How well the proposed system will:
Support the organization's business priorities.
Solve the identified problem.
Fit with the existing organizational structure.
Economic Feasibility
An assessment of:
Cost savings.
Increased revenue.
Decreased investment requirements.
Increased profits.
Cost/benefit analysis.
Technical Feasibility
Determines if the following can meet system needs and be acquired/developed in the required time:
Hardware.
Software.
Network.
Human Factors Feasibility
Assess the acceptance level of:
Employees.
Customers.
Suppliers.
Management support.
Determine the right people for new/revised roles.
Legal/Political Feasibility
Assess:
Possible patent or copyright violations.
Software licensing (developer side).
Governmental restrictions.
Changes to existing reporting structures.
Systems Analysis
An in-depth study of end-user information needs.
Produces the functional requirements for IS design.
Involves a detailed study of:
Information needs of the company and end-users.
Activities, resources, and products of current information systems.
Information system capabilities required to meet stakeholder needs.
Organizational Analysis
Study of the organization, including:
Management structure.
People.
Business activities.
Environmental systems.
Current information systems.
Input, processing, output, storage, and control.
Analysis of the Present System
Before designing a new system, study the system to be improved/replaced.
Consider:
Hardware and software.
Network.
People resources.
System activities (input, processing, output, storage, control).
Logical Analysis
A logical model is a blueprint of the current system.
Displays what the current system does, not how it does it.
Helps analysts understand processes, functions, and data without focusing on hardware/software.
Functional Requirements
Determining what type of information each business activity requires.
Identifying information processing capabilities for each system activity.
The goal is to identify what should be done, not how to do it.
Examples of Functional Requirements
User Interface: Automatic entry of product data, easy-to-use data entry screens for web customers.
Processing: Fast, automatic calculation of sales totals and shipping costs.
Storage: Fast retrieval and update of data from product, pricing, and customer databases.
Control: Signals for data entry errors and quick e-mail confirmation for customers.
Systems Design
Focuses on three areas:
User Interface Design
Screen, Form, Report, and Dialog Design
Data Design
Data Element Structure Design
Process Design
Program and Procedure Design
Prototyping
Rapid development and testing of working models.
An interactive, iterative process during the design phase.
Makes development faster/easier, especially when end-user requirements are hard to define.
Enlarges the role of business stakeholders.
Prototyping Life Cycle
Identify an End User's Business Requirements
Investigation/Analysis. End users identify their business needs and assess the feasibility of several alternative information system solutions.
Develop Business System Prototypes
Analysis/Design. End users and/or IS specialists use application development tools to interactively design and test prototypes of information system components that meet end user business needs.
Revise the Prototypes to Better Meet End User Requirements
Design/Implementation. The business system prototypes are tested, evaluated, and modified repeatedly until end users find them acceptable.
Use and Maintain the Accepted Business System
Implementation/Maintenance. The accepted business system can be modified easily since most system documentation is stored on disk.
User Interface Design
Supports interactions between end-users and computer-based applications.
Designers focus on attractive and efficient forms of user input/output.
Frequently a prototyping process.
Produces detailed design specifications for information products like display screens.
Checklist for Corporate Websites
Remember the customer.
Aesthetics.
Broadband content.
Easy to navigate.
Search ability.
Incompatibilities.
Registration forms.
Dead links.
System Specifications
Formalizing the design of:
User interface methods and products.
Database structures.
Processing procedures.
Control procedures.
Examples of System Specifications
User interface specifications: Use personalized screens for repeat web customers.
Database specifications: Use object/relational database management software.
Software specifications: Acquire an e-commerce software engine with fast response times, i.e., retrieve necessary product data and compute all sales amounts in less than one second.
Hardware and network specifications: Install redundant networked web servers.
Personnel specifications: Hire an e-commerce manager, specialists, webmaster, and web designer.
End User Development
IS professionals consult while users perform application development.
User consultants may help with analysis, design, and installation.
Other support:
Application package training.
Hardware/software advice.
Help gaining access to organization databases.
Focus on IS Activities (End User Development)
End-user development should focus on:
Input.
Processing.
Output.
Storage.
Control.
Focus of End User Development
Input
What data are available, in what form?
Processing
What operations on the inputs are needed to produce the desired output?
What software can most effectively support those operations?
Output
What information is needed by end users and in what form should the output be presented?
Storage
Does the application use previously stored data?
Does it create data that must be stored for future use by this or other applications?
Control
What controls are needed to protect against accidental loss or damage.
Is there a need to control access to data used by the application?
Doing End User Development
Application development capabilities built into software packages make it easier for end users to develop their own solutions.
Encouraging End User Web Development
Look for tools that make sense.
Spur creativity through competition.
Set limits on what parts of a webpage/site can be changed and by whom.
Give managers responsibility for content.
Make users comfortable with training.
Implementing New Systems
Involves:
Hardware and software acquisition.
Software development.
Testing of programs and procedures.
Conversion of data resources.
Conversion alternatives.
Education/training of end users and specialists.
Implementation Process
Implementation Activities
Acquisition of Hardware,
Software, and Services
Software Development or
Modification
Data Conversion
End User Training
Conversion
Parallel
Pilot
Phased
Plunge
Sample Implementation Process
Sample Intranet Implementation Activities include acquiring/installing server hardware and software and training administrators.
Phases of Project Management
Five phases:
Initiating/Defining.
Planning.
Executing.
Controlling.
Closing.
Project Management Phases Explained
Initiating/Defining Phase
State the problem(s) and/or goal(s).
Identify the objectives.
Secure resources.
Explore costs/benefits in the feasibility study.
Planning Phase
Identify and sequence activities.
Identify the "critical path."
Estimate time and resources needed for project completion.
Write a detailed project plan.
Execution Phase
Commit resources to specific tasks.
Add additional resources/personnel if necessary.
Initiate work on the project.
Controlling Phase
Establish reporting obligations.
Create reporting tools.
Compare actual progress with baseline.
Initiate control interventions, if necessary.
Closing Phase
Install all deliverables.
Finalize all obligations and commitments.
Meet with stakeholders.
Release project resources.
Document the project.
Issue a final report.
Evaluating Hardware, Software, Services
Establish minimum physical/performance characteristics.
Formalize requirements in an RFP/RFQ.
Send RFQ to appropriate vendors.
Evaluate bids received.
All claims must be demonstrated.
Obtain recommendations from other users.
Search independent sources for evaluations.
Benchmark test programs and test data.
Hardware Evaluation Factors
Performance.
Cost.
Reliability.
Compatibility.
Technology.
Ergonomics.
Connectivity.
Scalability.
Software.
Support.
Software Evaluation Factors
All hardware evaluation factors apply +:
Quality.
Efficiency.
Flexibility.
Security.
Connectivity.
Maintenance.
Documentation.
Slow, hard-to-use, buggy, or poorly documented software is a bad choice at any price.
Evaluating IS Services
Examples:
Developing a company website.
Installation/conversion of hardware/software.
Employee training.
Hardware maintenance.
System design/integration.
Contract programming.
Consulting services.
IS Service Evaluation Factors
Performance.
Systems development.
Maintenance.
Conversion.
Training.
Backup facilities and services.
Accessibility to sales and support.
Business position and financial strength.
Hardware selection and compatibility.
Software packages offered.
Other Implementation Activities
Keys to successful implementation:
Testing.
Data conversion.
Documentation.
Training.
System Testing
May involve:
Testing and debugging software.
Testing website performance.
Testing new hardware.
Review of prototypes.
Data Conversion
Includes:
Converting data elements from the old database to the new database.
Correcting data errors.
Filtering out unwanted data.
Consolidating data from several databases.
Organizing data into new data subsets.
Improperly organized/formatted data is a major cause of implementation failures.
Documentation
User Documentation
Sample data entry screens, forms, reports.
System operating instructions.
Systems Documentation
Communication among developers, implementers, and maintainers.
Detailed record of the system design.
Important when diagnosing problems and making system changes.
Training
End-users must be trained, or the implementation will fail.
May involve data entry or comprehensive system use.
Managers/end-users must understand how the new technology impacts business operations.
System training should be supplemented with training related to hardware devices and software packages.
Major System Conversion Strategies
Parallel Conversion
Pilot Conversion
Phased Conversion
Direct Conversion
Direct Conversion
Simplest.
Most disruptive.
"Slam dunk" or "cold-turkey" strategy.
May be the only viable solution in emergencies or when old and new systems can't coexist.
Highest risk of failure.
Involves simply turning off the old system and turning on the new one.
Parallel Conversion
Old and new systems run simultaneously until everyone is satisfied.
Conversion can be a single cutover or phased.
Lowest risk but highest cost (can cost 4 times more).
Best choice when replacing a manual system with an automated one.
Pilot Conversion
Suited for scenarios with multiple business locations.
Advantages:
Can select a location that best represents organizational conditions.
Less risky in terms of lost time or delays.
Can be evaluated and changed before further installations.
Phased Conversion
A gradual conversion that takes advantage of both direct and parallel approaches.
Minimizes risks.
Allows the new system to be brought online as logically ordered functional components.
Disadvantages: Takes the most time and creates the most disruption over time.
Post-Implementation Activities
The single most costly activity.
Includes:
Correcting errors in the system.
Improving system performance.
Adapting the system to changes in the operating or business environment.
Requires more programmers than application development.
May exist for years.
Systems Maintenance
Four basic categories:
Corrective: fix bugs and logical errors.
Adaptive: add new functionality.
Perfective: improve performance.
Preventive: reduce chances of failure.
Post-Implementation Review
Ensures that the newly implemented system meets business objectives.
Errors must be corrected by the maintenance process.
Includes a periodic review/audit of the system as well as continuous monitoring.
IT Security, Ethics, and Society
IT has both beneficial and detrimental effects on society and people.
Manage work activities to minimize detrimental effects and optimize beneficial effects.
Business Ethics
Ethics questions managers confront include:
Equity.
Rights.
Honesty.
Exercise of corporate power.
Categories of Ethical Business Issues
Equity: Executive Salaries, Comparable Worth, Product Pricing, Intellectual Property Rights Noncompetitive Agreements
Rights: Corporate Due Process Employee Health Screening, Customer Privacy, Employee Privacy, Sexual Harassment, Affirmative Action, Equal Employment Opportunity, Shareholder Interests Employment at Will, Whistle-Blowing
Honesty: Employee Conflicts, Security of Company Info, Advertising Content Gov Contract Issues, Financial/Cash Mgmt. Questionable Business Practices
Corporate Power: Product Safety Environmental Issues Disinvestment Corporate Contributions, Social Issues Raised by Religious Organizations Plant, Workplace Safety
Corporate Social Responsibility Theories
Stockholder Theory
Managers are agents of the stockholders.
Their only ethical responsibility is to increase profits without violating the law or engaging in fraud.
Social Contract Theory
Companies have ethical responsibilities to all members of society who allow them to exist.
Stakeholder Theory
Managers have an ethical responsibility to manage a firm for the benefit of all its stakeholders.
Stakeholders are individuals/groups with a stake in the company.
Principles of Technology Ethics
Proportionality
The good achieved by the technology must outweigh the harm/risk.
No alternative achieves comparable benefits with less harm/risk.
Informed Consent
Those affected should understand and accept the risks.
Justice
Benefits and burdens should be distributed fairly.
Those who benefit should bear their fair share of risks.
Those who do not benefit should not suffer a significant increase in risk.
Minimized Risk
Even if acceptable by other guidelines, the technology must be implemented to avoid all unnecessary risk.
Responsible Professional Guidelines
Acts with integrity.
Increases personal competence.
Sets high standards of personal performance.
Accepts responsibility for work.
Advances the health, privacy, and general welfare of the public.
Computer Crime
Includes:
Unauthorized use, access, modification, or destruction of hardware, software, data, or network resources.
Unauthorized release of information.
Unauthorized copying of software.
Denying end-user access to their own resources.
Using computer/network resources illegally to obtain information/property.
Cybercrime Protection Measures
Security Technologies Used
Antivirus 96%
Virtual private networks 86%
Intrusion-detection systems 85%
Content filtering/monitoring 77%
Public-key infrastructure 45%
Smart cards 43%
Biometrics 19%
Security Management
Security is about 6 to 8% of the IT budget in developed countries.
63% currently have or plan to establish in the next two years the position of chief security officer or chief information security officer.
40% have a chief privacy officer and another 6% intend to appoint one within the next two years.
39% acknowledged that their systems had been compromised in some way within the past year.
24% have cyber risk insurance, and another 5% intend to acquire such coverage.
Hacking
Hacking is the obsessive use of computers and the unauthorized access/use of networked computer systems.
Electronic Breaking and Entering: Hacking into a computer system and reading files without stealing or damaging anything.
Cracker: A malicious/criminal hacker who maintains knowledge of vulnerabilities for private advantage.
Common Hacking Tactics
Denial of Service: Overwhelming a website with too many requests.
Scans: Probes of the Internet to determine computer types, services, and connections.
Sniffer: Programs that search individual data packets to capture passwords/content.
Spoofing: Faking an email address or Web page to trick users into passing critical information.
Trojan House: A program that, unknown to the user, contains instructions that exploit a known vulnerability in some software
Back Doors: A hidden point of entry to be used in case the original entry point is detected or blocked
Malicious Applets: Tiny Java programs that misuse your computer’s resources modify files on the hard disk send fake email or steal passwords
War Dialing: Programs that automatically dial thousands of telephone numbers in search of a way in through a modem connection
Logic Bombs: An instruction in a computer program that triggers a malicious act.
Common Hacking Tactics (Cont.)
Buffer Overflow: Crashing or gaining control by sending too much data to buffer memory
Password Crackers: Software to guess passwords.
Social Engineering: Gaining access by talking unsuspecting employees out of information.
Dumpster Diving: Sifting through a company's garbage to find information.
Cyber Theft
Many computer crimes involve money theft.
The majority are "inside jobs."
Many attacks occur through the Internet.
Most companies don't reveal they've been targets/victims.
Unauthorized Use at Work
Time and resource theft:
Private consulting.
Personal finances.
Playing video games.
Unauthorized use of the Internet or company networks.
Sniffers are used to monitor network traffic/capacity and find evidence of improper use.
Internet Abuses in the Workplace
General email abuses
Unauthorized usage and access
Copyright infringement/plagiarism
Newsgroup postings
Transmission of confidential data
Pornography
Hacking
Non-work-related download/upload
Leisure use of the Internet
Use of external ISPs
Moonlighting
Software Piracy
Unauthorized copying of computer programs.
Purchasing software is really a payment for a license for fair use.
Site license allows a certain number of copies.
A third of the software industry’s revenues are lost to piracy.
Theft of Intellectual Property
Copyrighted material (music, videos, images, articles, books, software).
Copyright infringement is illegal.
Peer-to-peer networking has made it easy to trade pirated material.
Publishers offer inexpensive online music which leads to declining illegal downloads.
Viruses and Worms
A virus needs to be inserted into another program to work while a worm can run unaided.
They copy routines and spread the virus and are transmitted through:
The Internet and online services
Email and file attachments
Disks from contaminated computers
Shareware
Top Five Virus Families of all Time
My Doom, 2004 Spread via email and over Kazaa file-sharing network installs a back door on infected computers.
Netsky, 2004 mass-mailing worm that spreads by emailing itself to all email addresses found on infected computers.
*SoBig, 2004 Mass-mailing email worm that arrives as an attachmentKlez, 2002 mass-mailing email worm that arrives with a randomly named attachment
Sasser, 2004 Exploits a Microsoft vulnerability to spread from computer to computer with no user intervention
The Cost of Viruses, Trojans, Worms
Nearly 115 million computers in 200 countries were infected in 2004.
Up to 11 million computers are believed to be permanently infected.
In 2004, total economic damage from virus proliferation was 166 to 202 billion.
Average damage per computer is between 277 and 366. Security and Ethical Challenges
Adware and Spyware
Adware: Software that purports to serve a useful purpose and allows advertisers to display pop-up and banner ads without consent.
Spyware: Adware that uses an Internet connection in the background without the user’s permission or knowledge to capture information.
Spyware Problems
Spyware can:
Steal private information.
Add advertising links to web pages.
Redirect affiliate payments.
Change user's home page and search settings.
Make a modem randomly call premium-rate phone numbers.
Leave security holes.
Degrade system performance.
Removal programs are often not completely successful.
Privacy Issues
IT's power to store and retrieve information can negatively affect privacy.
Personal information is collected with every website visit.
Confidential information has been stolen or misused.
Opt-in Versus Opt-out
Opt-In: You explicitly consent to allow data to be compiled about you (default in Europe).
Opt-Out: Data can be compiled unless you specifically request it not be (default in the U.S.).
Privacy Issues (Cont.)
Violation of Privacy: Accessing private emails/records, collecting/sharing information from website visits.
Computer Monitoring: Always knowing a person's location.
Computer Matching: Using customer information from many sources to market additional services.
Unauthorized Access of Personal Files: Collecting information to build customer profiles.
Protecting Your Privacy on the Internet
Ways to protect your privacy:
Encrypt email.
Send newsgroup postings through anonymous remailers.
Ask your ISP not to sell your information.
Don't reveal personal data on online profiles.
Privacy Laws
Electronic Communications Privacy Act and Computer Fraud and Abuse Act: Prohibit intercepting data communications, stealing/destroying data, or trespassing in federal computer systems.
U.S. Computer Matching and Privacy Act: Regulates matching data in federal files.
Other laws impacting privacy:
Sarbanes-Oxley.
Health Insurance Portability and Accountability Act (HIPAA).
Gramm-Leach-Bliley.
USA Patriot Act.
California Security Breach Law.
Securities and Exchange Commission rule 17a-4.
Computer Libel and Censorship
The opposite side of the privacy debate: Freedom of information, speech, and press.
Battlegrounds: Bulletin boards, email boxes, online files.
Weapons: Spamming, flame mail, libel laws, and censorship.
Spamming is indiscriminate, unsolicited email.
Flaming is sending critical, derogatory email messages to other users on the Internet.
Cyberlaw
Laws regulating activities over the Internet or via electronic communication devices.
Encompasses a wide variety of legal and political issues
Cyberlaw only began to emerge in 1996 Debate continues regarding legal principles
Other Challenges
Employment: IT creates new jobs but can also reduce job opportunities.
Computer Monitoring: Criticized as unethical and an invasion of privacy.
Working Conditions: Some skilled jobs have been replaced by routine tasks.
Individuality: Activities are dehumanized
Health Issues
Cumulative Trauma Disorders (CTDs) are disorders suffered by people who sit at a PC or terminal and do fast-paced repetitive keystroke jobs
Carpal Tunnel Syndrome
Painful, crippling ailment of the hand and wrist Typically requires surgery to cure
Ergonomics
Designing healthy work environments that are safe, comfortable, and pleasant Increases employee morale and productivity
Societal Solutions
Using IT to solve human and social problems.
The detrimental effects often caused by individuals/organizations not accepting ethical responsibility.
Security Management of IT
Internet was developed for inter-operability, not impenetrability
Managers and professionals are responsible for security, quality, and performance.
Hardware, software, networks, and data must be protected.
Security Management
The goal is the accuracy, integrity, and safety of all information system processes and resources.
Internetworked Security Defenses
Encryption Data is transmitted in scrambled form It is unscrambled by computer systems for authorized users only
The most widely used method uses a pair of public and private keys unique to each individual
Public/Private Key Encryption
You write an e-mail message, then use the recipient's public key to encrypt it.
The encryption process puts a kind of digital lock on the message. Even if someone intercepts it en route, the message's contents are inaccessible.
When the message arrives, the software uses the private key to verify that the recipient's public key was used for encryption.
Using the private key, the software unlocks the unique encryption scheme, decoding the message.
Internetworked Security Defenses
Firewalls protect networks from intrusion and important for individuals who connect to the Internet with DSL or cable modems
Firewall
Internet and Intranet Firewalls
External firewall keeps out unauthorized Internet users.
Internal firewall prevents users from accessing sensitive human resources or financial data.
Passwords and browser security features control access to specific intranet resources.
Intranet server features provide authentication and encryption where applicable.
Network interface software is carefully crafted to avoid creating security holes to back-end resources.
Denial of Service Attacks
Denial of service attacks depend on three layers of networked computer systems
The victim’s website
The victim’s Internet service provider
Zombie or slave computers that have been commandeered by the cybercriminals
Defending Against Denial of Service
At Zombie Machines:
Set and enforce security policies.
Scan for vulnerabilities.
At the ISP:
Monitor and block traffic spikes.
At the Victim’s Website:
Create backup servers and network connections
Internetworked Security Defenses
Email Monitoring Use of content monitoring software that scans for troublesome words that might compromise corporate security
Virus Defenses
Centralize the updating and distribution of antivirus software Use a security suite that integrates virus protection with firewalls web security and content blocking features
Other Security Measures
Security Codes Multilevel password system Encrypted passwords Smart cards with microprocessors
Backup Files Duplicate files of data or programs Security Monitors
Monitor the use of computers and networks Protects them from unauthorized use fraud and destruction Biometrics
Computer devices measure physical traits that make each individual unique
Voice recognition fingerprints retina scan Computer Failure Controls Prevents computer failures or minimizes its effects Preventive maintenance Arrange backups with a disaster recovery organization
Other Security Measures
Fail-over Capability shifts to back up components Fail-safe
Capability the system continues to operate at the same level Fail-soft
A disaster recovery plan contains formalized procedures to follow in the event of a disaster
Which employees will participate What their duties will be What hardware software and facilities will be used Priority of applications that will be processed Use of alternative facilities
Offsite storage of databases
#