CHAPTER I- INTRODUCTION

MANAGEMENT INFORMATION SYSTEM

INTRODUCTION

Information is the basis for every decision taken in an organization. The efficiency of
management depends upon the availability of regular and relevant information. Thus it is
essential that an effective and efficient reporting system be developed as part of accounting
system. The main object of management information is to obtain the required about the operating
results of an organization regularly in order to use them for future planning and control.

The old techniques like intuition, rule of thumb, personal whim and prestige, etc. are now
considered useless in the process of decision taking. Modern management is constantly on look
out for such quantitative and such information, which can help in analyzing the proposed
alternative actions and choosing one as its decision. Thus, modern management functions are
information-oriented more popularly known as “management by information”. And the system
through which information is communicated to the management is known as “management
information system (MIS)”. The management needs full information before taking any decision.
good decisions can minimize costs and optimize results. Management information system can be
helpful to the management in undertaking management decisions smoothly and effectively.

Management information system can be analyzed thus:

1. Management: management covers the planning, control, and administration of the

operations of a concern. The top management handles planning; the middle management
concentrates on controlling; and the lower management is concerned with actual
administration.

2. Information: information, in MIS, means the processed data that helps the management
in planning, controlling and operations. Data means all the facts arising out of the
operations of the concern. Data is processed i.e. recorded, summarized, compared and
finally presented to the management in the form of MIS report.

3. System: data is processed into information with the help of a system. a system is made up
of inputs, processing, output and feedback or control.

Thus MIS means a system for processing data in order to give proper information to the
management for performing its functions.
CONCEPTUAL VIEW OF MIS

The concept is a blend of principles, theories and practices of management, information and
system giving rise to a single product called MANAGEMENT INFORMATION SYSTEM.

The concept of management gives high regard to the individual and his ability to use the
information. MIS gives information through data analysis. While analyzing the information, it
relies on many academic disciplines like management science, OR, organization behavior,
psychology, etc.

The foundation of MIS is the principles of management and its practices. MIS uses the concept
of management control in its design and relies heavily on the fact that the decision maker is a
human being and is a human processor of information.

A MIS can be evolved for a specific objective it is evolved after systematic planning and design.
It calls for an analysis of business, management views and policies, organization culture and the
management style.

The MIS, therefore relies heavily on systems theory. The systems theory offers solutions to
handle complex situations of the input and output flows. it uses theory of communication which
helps to evolve a system design capable of handling data inputs, process, the outputs with the
least possible noise or distortion in transmitting the information from a source to destination
WHO ARE THE INFORMATION USERS?
• Managers
The idea of using the computer as a management information system was a breakthrough
because it recognized managers’ need for problem solving information. Embracing the MIS
concept made several firms develop applications specifically aimed at management support.
• Non-managers
Non-manages and staff specialists also use the MIS output.
• Persons & organizations in the firm’s environment
Users outside the company benefit from the MIS as well. They can be customers receiving
invoices, stockholders getting dividend checks, and the federal government checking tax reports.
Management Levels
Strategic Planning Level
The strategic planning level involves mangers at the top of the organizational hierarchy. The
term strategic indicates the long-term impact of top managers’ decisions on the entire
organization. The term executive is often used to describe a manager on the strategic planning
level.
Management Control Level
Middle-level managers include regional managers, product directors, and division heads. Their
level is called “management control level” due to their responsibility of putting plans into action
and ensuring the accomplishment of goals.
Operational Control Level
Lower level managers are persons responsible for carrying out the plans specified by managers
on upper levels. Their level is called the “operational control level” because this is where the
firm’s operations occur.
Influence of Management Level on Information Source and Form
When designing information systems, it is important to consider the manager’s level. Such levels
can influence both the source of information and how it is presented. Managers on the strategic
level place greater emphasis on environmental information than do managers on the lower levels.
Managers on the operational control level regard internal information as vital. The second figure
shows that strategic planning-level managers prefer information in a summary format, whereas
operational control-level managers prefer detail.
Business Areas
Managers are found in various business areas of the firm. The three traditional business areas are
marketing, manufacturing, and finance in addition to other two areas that have gained major
importance-human resources and information services.

What managers do
According the French management theorist, Henri Fayol, managers perform five major
functions.
• They plan what they are to do
• They organize to meet the plan.
• They staff their organization with the necessary resources.
• They direct the available resources to execute the plan.

• Finally, they control the resources, keeping them on course.

All managers perform these functions, however with varying emphasis as shown below.

Management Knowledge
• Computer literacy
This knowledge includes an understanding of computer terminology, a recognition of its
strengths and weaknesses, an ability to use the computer ..etc
• Information literacy
A manager should also have information literacy which consists of understanding how to use
information at each step of the problem solving process, where this information can be obtained
from, and how to share information with others.
Information literacy is not dependent on computer literacy. A manager can be information
literate but computer illiterate.

THE MANAGER AND SYSTEMS

System Components
A system is a group of elements that are integrated with the common purpose of achieving an
objective. Not all systems have the same combination of elements, but a basic configuration is
Illustrated in the figure below:
Input resources are transformed into output resources. The resources flow from the input
element, through the transformation element, and to the output element. A control mechanism
monitors the transformation process to ensure that the system meets its objectives. The control
mechanism is connected to the resource flow by means of a feedback loop, which obtains
information from the system output and makes it available to the control mechanism. The control
mechanism compares the feedback signals to the objectives and directs signals to the input
element when it is necessary to change the system operation.
Open Loop or Close Loop System

Open and Closed Systems

• Open system: Connected to its environment by means of resource flows (e.g., heating system)
• Closed system: Not connected to its environment. They usually exist in tightly controlled
laboratory systems.
What is a subsystem?
A subsystem is simply a system within a system. This means that systems exist on more than one
level and can be composed of subsystems or elemental parts.

Importance of MIS in Organizations

In today's scenario MIS plays a pivotal role in Organizations. Organizations worldwide makes
extensive use of MIS. Its designed by the top management of an organization, is a tool to
assembling & accumulating facts & figures of all the important business processes.
MIS is a very vast topic, its very difficult to cover the whole in one article. Thus here are some of
the major importance / advantages of MIS in organizations:

 The organization that uses MIS is able to record ,process, route & tabulate all important
business transactions. As & when need arises the organization is able to incorporate the
needed changes & improvements in the area of concern.
 MIS facilitates informed DECISION MAKING. It usually represents a number of options
from which one can choose the best.
 The top management ANALYSES whether its resources are being utillized optimally.
 A TWO WAY COMMUNICATION FLOW is greatly enhanced by the MIS. The
management freely tells the job v responsibilities to its employees. The employees in
return discuss their doubts & grievances.
 MIS supports the planning & controlling function of managers in the organization.
Managers use past/historical data as well as the current data to analyze the performance
& hence apply controlling measures.
  MIS encourages DECENTRALISATION in the organisation. Decentralizations possible
when there's a system to measure operations at the lower levels.
 It brings COORDINATION. It facilitates integration of specialized activities by keeping
each department aware of the problems & requirements of other departments. Hence, in
some way MIS keeps the organization binded.

CHAPTER -II----TYPES OF INFORMATION SYSTEM

Information systems differ in their business needs and the information varies depending upon
different levels in organization. information system can be broadly categorized into following :

 Transaction processing system

 Management Information System
 Decision support system
 Executive support system

The information needs are different at different organizational levels. Accordingly the
information can be categorized into following:

 Strategic information
 Managerial information
 Operational information.
Transaction Processing Systems

1. It processes business transaction of the organization. Transaction can be any activity of

the organization. For example, take a railway reservation system. Booking, canceling, etc
are all transactions. Any query made to it is a transaction.
2. This provides high speed and accurate processing of record keeping of basic operational
processes and include calculation, storage and retrieval.
3. Transaction processing systems provide speed and accuracy, and can be programmed to
follow routines functions of the organization.

Transaction Processing Systems

Systems that perform and record daily routine
transactions necessary for business
Operational-level Systems
Order tracking Machine control Securities trading Payroll Compensation

Order Plant scheduling Cash management Accounts Training and

processing payable development

Material movement Accounts Employee

and control receivable records

Sales and Manufacturing Finance Accounting Human

Marketing Resources
9

Management Information Systems

1. It assist lower management in problem solving and making decisions. They use the
results of transaction processing and some other information also.
 2. An important element of MIS is database.A database is a non-redundant collection of
interrelated data items that can be processed through application programs and available
to many users.

Management Information Systems

Systems that serve planning, control and decision-
making through routine summary and reports
Management-level Systems
Sales Inventory control Annual budgeting Capital Relocation
management investment analysis

Sales and Manufacturing Finance Accounting Human

Marketing Resources

12

Decision Support Systems

1. These systems assist higher management to make long term decisions. These type of
systems handle unstructured or semi structured decisions. A decision is considered
unstructured if there are no clear procedures for making the decision and if not all the
factors to be considered in the decision can be readily identified in advance.
2. A decision support system must very flexible.
3. The user should be able to produce customized reports by giving particular data and
format specific to particular situations.
 Decision-support Systems
Systems that combine data, models and analysis
tools for non-routine decision-making
Management-level Systems
Sales region Production Cost analysis Pricing / Contract cost
analysis scheduling profitability analysis
analysis
Sales and Manufacturing Finance Accounting Human
Marketing Resources

13

Executive Information System

Also known as an Executive Support System (ESS), it provides executives information in a

readily accessible, interactive format. They are a form of MIS intended for top-level executive
use. An EIS/ESS usually allows summary over the entire organisation and also allows drilling
down to specific levels of detail. They also use data produced by the ground-level TPS so the
executives can gain an overview of the entire organisation.

Used by top level (strategic) management. They are designed to the individual. They let the CEO
of an organisation tie in to all levels of the organisation. They are very expensive to run and
require extensive staff support to operate.

 
 Executive Support Systems
Systems that support non-routine decision-making
through advanced graphics and communications
Strategic-level Systems
5-year sales 5-year operating 5-year budget Profit Personnel
trend plan forecasting planning planning
forecasting
Sales and Manufacturing Finance Accounting Human
Marketing Resources

14

CHAPTER III- DETERMINING INFORMATION NEEDS FOR AN ORGANISATION/

INDIVIDUAL MANAGER

Organisations are increasingly aware of the potential of information in providing competitive

advantage and sustaining their success as evidenced in a number of published case studies and
commentaries. The descriptions of information as an asset and a resource (Burk & Horton, 1988;
Best, 1996) are no longer unusual. However, the origin of these descriptions in classical
economics ignores the place of information in the fabric of a political system or culture of an
organisation.

INFORMATION & INDIVIDUAL MANAGER

we need to know information needs of individuals in organisations. Because of the

responsibilities of managers in strategy development and implementation and in enabling
organisations to meet their goals it is appropriate to restrict ourselves to considering managers
rather than all individuals in organisations.

The work of managers

The classic view of managerial functions as planning, organising, communicating, coordinating

and controlling suggest a rational and ordered approach to management activities. Yet studies of
managers in their workplaces present a picture of an approach to managerial activities that is
quite different.

One study identified ten different roles for managers. The roles were categorised into three
groups to form an integrated view of what senior managers do. The interpersonal roles of
figurehead, leader and liaison stem from the manager's formal authority. The informational roles
of monitor, disseminator, and spokesman derive from the manager's interpersonal contacts. In
this role the manager emerges as the "nerve centre" of the organisational unit . The decisional
roles of entrepreneur, disturbance handler, resource handler and negotiator arise from the
manager as the formal authority of the organisational unit who can commit the unit to
action. This approach to managing acknowledges the action-oriented, outward-looking and
ritualistic aspects of managerial work as well as managers' strong preferences for verbal media in
finding information.

Another study of managers at work identified three major processes in which they are engaged (:
agenda setting, network building and implementing their agendas through networks. The key
challenges for general managers reflect the information and people oriented demands of these
three processes: "figuring out what to do (making decisions) in an environment characterised by
uncertainty, great diversity, and an enormous quantity of potentially relevant information" and
"getting things done (implementation) through a large and diverse group of people despite
having relatively little control over them" .

Networking is a feature of another view of managerial work . Three other categories of activity
developed from the research of managers and their subordinates were routine communication,
traditional management and human resources management. Networking includes interaction with
outsiders and socialising/politicking inside and outside the organisation; routine communication
activities include exchanging information and handling paperwork; traditional management
activities consist of planning, decision making and controlling; and human resource management
includes motivating/reinforcing, disciplining/ punishing, managing conflict, staffing and
training/developing. This study distinguished between successful and effective managers,
between those who are promoted and those who have "satisfied, committed subordinates and
produce organisational results". Networking had the strongest relationship with success, whereas
routine communication had the strongest with effectiveness. The type of activity with the
weakest relationship with success is human resource management and with effectiveness the
weakest is networking.

The final study considered here explores the work of middle managers. It suggests that managing
relationships, finding innovation, creating a mindset and facilitating learning are integral to
creating competitive advantage. The study of middle managers focussed on strategy formation, a
process that moves away from the overly rational, command and control model of strategy as a
two stage process of formulation and implementation and has "more to do with learning than
planning" . Four distinct roles for middle managers in strategy were identified: championing
strategic alternatives; synthesising information; facilitating adaptability; and implementing
deliberate strategy. By engaging in these roles, middle managers link strategic purpose and
organisational action.

These studies of managerial work range across managers at different levels in organisations from
senior management to middle management. They also span different kinds of organisational
structures from the more traditional hierarchies to post-entrepreneurial organisations with leaner,
flatter structures and participative, team-based work units.

DATA-FLOW DIAGRAMS

Specific elements included on data-flow diagrams (DFDs) include outside units such as customer
needs, inside units such as the employees who actually manipulate data, and whether a data
element inputs to an element or reads from an element. Data storage areas are also indicated on
DFDs. Data-flow diagrams can be designed to illustrate existing processes as well as to
document better and even ideal situations. Each type of element is denoted within a prescribed
symbol (e.g., rectangles signify outside units) so that a simple glance at the chart is enough to
differentiate each element.

DFDs are helpful in that they show exactly how data flow is initiated and by whom, who or
which system receives the data, and what they do to the data. Diagrams can also be annotated to
show the volume and frequency with which these changes occur. However, data-flow diagrams
do not show specific processing details, nor are they a helpful representation of how the process
fits onto a timeline.

Data flow Diagram- Banking organization

Data Flow Diagrams – The Rules

External Entities
It is normal for all the information represented within a system to have been obtained from,
and/or to be passed onto, an external source or recipient. These external entities may be
duplicated on a diagram, to avoid crossing data flow lines. Where they are duplicated a stripe is
drawn across the left hand corner, like this.

The addition of a lowercase letter to each entity on the diagram is a good way to uniquely
identify them.

Processes
When naming processes, avoid glossing over them, without really understanding their role.
Indications that this has been done are the use of vague terms in the descriptive title area - like
'process' or 'update'.

The most important thing to remember is that the description must be meaningful to whoever
will be using the diagram.

Data Flows
Double headed arrows can be used (to show two-way flows) on all but bottom level diagrams.
Furthermore, in common with most of the other symbols used, a data flow at a particular level of
a diagram may be decomposed to multiple data flows at lower levels.

Data Stores
Each store should be given a reference letter, followed by an arbitrary number. These reference
letters are allocated as follows:

'D' - indicates a permanent computer file

'M' - indicates a manual file
'T' - indicates a transient store, one that is deleted after
processing.

In order to avoid complex flows, the same data store may be drawn several times on a diagram.
Multiple instances of the same data store are indicated by a double vertical bar on their left hand
edge.

ANALYSIS OF INFORMATION FOR DECISION PROCESSES ETC

DECISION MAKING
Decision making is usually defined as a mental process, which involves judging multiple options
or alternatives, in order to select one, so as to best fulfill the aims or goals of the decision maker
Therefore, there are two main components involved in decision making: the set of alternatives,
judged by the decision maker, and the goals to be satisfied with the choice of one alternative.
The output of this process can be an action or an opinion of choice.
Decision making is a process. This means that in general it takes some time and effort until the
choice is made, involving several activities:
• identification of the decision problem;
• collecting and verifying relevant information;
• identifying decision alternatives;
• anticipating the consequences of decisions;
• making the decision;
. Informing concerned people and public of the decision and rationale;
• implementing the selected alternative;
• evaluating the consequences of the decision.
The key step of this process is making the decision itself, that is, choosing the most preferred
alternative using judgement based on available information. With the decision, we give
precedence to the selected alternative, assuming (and hoping) that this alternative will provide
the best (i.e., the easiest, most efficient, cheapest, safest, etc.) solution to our decision problem.
The decision is considered a conscious and deliberate act, what makes the decision maker
responsible for its consequences. The implementation of the decision often consumes resources,
such as time, energy, money and willpower, and is therefore irrevocable . The consequences of a
decision cannot be taken back; if necessary, they can only be affected by new decisions.
CLASSIFICATION OF DECISION PROBLEMS
Decision problems are incredibly diverse. On the one hand, we are faced with everyday
problems, which are usually simple and easy to solve: when to get up in the morning, what kind
of bread to buy, whether to stop at the red light or not, etc. On the other hand, there are difficult
problems which require large resources, affect many people and have important consequences:
which strategy to take on European market, how to organise public transportation in a capital
city, etc. Somewhere in between are important problems of individuals (what to study?), families
(where to live?) and organisations (how to survive in the economic crisis?).

In decision support, we are typically interested only in “sufficiently difficult” decision problems,
which are “worth” approaching in an organised and systematic manner and which have
sufficiently “important” consequences. In other words, it should make sense to collect
information about these problems, think and discuss about the possible solutions, and in general
support the process with some method, computer program or information system. It is also
important to understand that it is possible to effectively support only decision problems and
processes that are sufficiently well understood. When approaching a problem, we have to know
what exactly we are deciding about, what are the goals and what are the possible consequences
of the decision, we should at least partly know the alternatives and their properties, we have to be
aware of possible uncertainties, etc.

Decision problems can be classified along different dimension. One classification is into routine
and non-routine problems, which often implies a considerable difference in difficulty. Routine
decisions are taken frequently and repeatedly. The decision maker typically knows them well and
feels familiar with the problem. All key factors, consequences and uncertainties are well
understood and under control. Such decisions are usually easy. In contrary, non-routine decisions
tend to be more difficult, particularly because of the lack of knowledge and experience in taking
such decisions. Often, non-routine decisions are risky and have important consequences.
With respect to frequency, decision can be one-time or recurring. Although there is some overlap
with the previous classification, the frequency dimension is important because it largely
determines the focus of the decision-making process. With one-time decisions, the emphasis is
on the decision itself: the goal is to find and implement the best alternative. The process ends
when the alternative has been chosen (or implemented in some cases). From decision-support
perspective, this usually requires the use of methods for the evaluation and analysis of
alternatives, and the use of general-purpose decision support software. With recurring decisions,
the focus usually shifts to finding the most effective method or procedure for choosing
alternatives. Although it is still important to find the best alternative each time, it is often more
important to implement an effective decision-making process.

From decision-support perspective, this often requires to design and implement dedicated
decision support software. Another classification considers the number of criteria, which are
taken into account when assessing alternatives. Single-criterion (or single-attribute) methods
take into account only one criterion, most often some monetary value, such as profit or income.
Many well-known decision analysis tools, such as decision tables and decision trees in their
basic forms, consider only one criterion. However, most real-life decisions depend on multiple
criteria; for example, in addition to return of investment (a single criterion), we may also want to
consider the increase of market share and employment generated by the investment. The
corresponding decision analysis methods are called multi-criteria or multi-attribute. Uncertainty
refers to a state of limited knowledge or information so that something is unknown or is not
perfectly known [6]. Uncertainty occurs whenever there are external factors that influence the
decision, but are beyond the control of the decision maker and are unknown to the decision
maker at the time of decision. With respect to uncertainty, decision problems are classified in
decision theory into :
• Decisions under certainty: Here, the decision maker has all the necessary information about
alternatives and the consequences of decisions are certain and accurate.
• Decisions with risk: The decision maker does not know the true value of external factors
(“state of nature”) for certain, but he can quantify his uncertainty through a probability
distribution of possible outcomes.
• Decision under strict uncertainty: The decision maker feels that he can say nothing at all
about the true “state of nature”. In particular, he cannot quantify his uncertainty in any way.
Depending on the number and role of participants in the decision-making process, we distinguish
between individual and group decisions. Individual decision problems typically involve a single
decision maker. Alternatively, they can even involve more participants, provided that they have
the same goals and decide “as one”. In group decision-making processes, there are several
individuals or groups that have different and often conflicting goals. In the latter case, decision
support aims at resolving the conflict and finding the common solution, either by consensus or
leverage.
For decision support in organisations, there is a very important categorisation of decision
problems based on the nature of the decision to be made and the scope of the decision itself .
The nature of decision is represented with three categories referring to the level of structure
of decision problems (Figure 2):
• Structured decisions: These are all decisions for which a well-defined decision-making
procedure exists. This means that all inputs, outputs and internal procedures are known
and can be specified. Structured decisions can be left to a clerk or a computer.
• Semi-structured decisions: Here, the decision has some structured elements but cannot be
completely structured. We do not know how to specify at least one of the components (inputs,
outputs, internal procedures). Computers can provide a great deal of specific help. Most
organisational decisions are of this type.
• Unstructured decisions: Here, all decision components are unstructured. This may be because
the decision is so new, so complex or so rare that we have not studied them completely.
Computers can still help the decision maker, but only indirectly and with a low level of support.

Another dimension, scope, refers to the levels of management in an organisation (Figure 2):
• Strategic decisions affect the entire organisation, or a major part of it, for a long period of time.
In most cases, they are made at the upper level of organisational management.
Examples of strategic decisions are decisions about introducing a new product or service,
entering a new market, or reorganising the production.
• Tactical decisions affect a part of the organisation for a limited time into the future. Tactical
decisions are generally made by middle managers and take place in the context of previous
strategic decisions. Typical examples are related, for instance, to personnel management:
recruiting new employees and making expert teams.
• Operational decisions affects only current activities in an organisation; they have no or very
limited impact for a short period of time. Operational decisions are usually made by lower level
managers or non-managerial personnel. They are generally structured or semistructured.
Examples of operational decisions are whether to approve a loan to a client, or how to repair a
malfunctioned machine.
The scope of decisions importantly affects the characteristics of information required in the
process (Table 1). The understanding of information characteristics is an important factor for a
successful design and implementation of any decision support system.

Finally, let us mention single- and multi-stage decisions. In a single-stage decision process, there
is only one key decision to be made. In contrast, a multi-stage decision processes consist of
several related decisions, which can be taken sequentially or in parallel. Actually, the distinction
between sequential and parallel decisions is sometimes difficult, because any decision process,
even a single-stage one, consists of a series of other decisions. For example, when we encounter
a decision process, we have first to “decide” how to approach it: intuitively, impulsively, ad-hoc,
or in some organised way. We also have to “decide” which alternatives to take on board and
which goals to consider. Who are the decision makers and with whom to collaborate? Where to
get the relevant information? Which decision support method or computer program to use? And
finally, after we have chosen the alternative, we have to “decide” for action. Essentially, this
takes place as a decomposition of the decision process into a series of smaller and smaller
decision subprocesses. We seek for a sequence of decision subproblems that are sufficiently easy
to solve and can be combined together in order to solve the overall decision problem.
DECISION SUPPORT METHODS
In this section we present three typical approaches to decision support and illustrate them
through examples: decision analysis, operational research, and decision support systems.
DECISION ANALYSIS
Decision analysis is popularly known as “applied decision theory” It is the discipline comprising
the philosophy, theory, methodology, and professional practice necessary to address important
decisions in an organised and formal manner. Decision analysis approaches a decision problem
systematically by structuring and breaking it down into smaller and possibly more manageable
subproblems. In doing that, it explicitly considers the possible decision alternatives, available
information, uncertainties involved, and relevant preferences of the decision maker. It also
attempts to formally represent these components and combine them in a form of decision
models, which are used to assess, evaluate and analyse alternatives. In principle, rational
decisions are proposed in this way. In the case of missing information and other difficulties,
decision analysis tries to provide decisions which are not optimal but “satisfactory” or
“sufficiently good”.
Usually, the decision analysis process proceeds in stages, such as:
1. identification of the decision problem
2. identification of alternatives
3. problem decomposition and modelling
4. evaluation and analysis of alternatives
5. selection of the best alternative
6. implementation of the decision
If necessary, the stages can be intermixed or repeated. The most distinctive stages of decision
analysis are the third stage, in which a decision model is developed, and the fourth stage, in
which the model is used to evaluate and analyse alternatives. Usually, the model is developed by
the decision maker using one of the many decision modelling methods or tools. If necessary, the
decision maker can consult experts, who provide information and experience about the decision
problem, and/or decision analysts, who give methodological advice and may even coordinate the
whole process. Typical decision modelling techniques include decision trees, influence diagrams,
and multi-attribute models
Let us illustrate decision analysis concepts through a hypothetical decision problem. John is an
economist who has just finished his MBA studies. He got four job offers from four companies,
called A (a manufacturing company), B (banking), C (consulting), and D (information
technology). John wants to take into account four important factors: location, salary, relation to
management science (which he particularly likes), and long term prospects of the job. He wants
to formalize these factors and use them to assess each job offer.

Preference relations are conveniently represented in a comparison matrix (Table 2). In order
to avoid comparing each alternative with itself, and to compare each pair of alternatives only
once, more than half of the table is greyed-out and should be left empty. In the remaining
cells, we enter 1, 0, or –1. The number 1 indicates that we prefer the alternative written in the
first column over the alternative in the first row. The number –1 also indicates the strict
preference, but in the reverse order. The number 0 indicates indifference.
The next possible step is to look at job offers in more detail and consider their positive and
negative aspects. Table 3 illustrates a simple qualitative comparison method called pros and
cons analysis . In the table, good things (“pros”) and bad things (“cons”) are identified
about each alternative. Lists of the pros and cons are compared one to another for each
alternative. The alternative with the strongest pros and weakest cons is preferred. Pros and
cons analysis is subjective and is usually suitable for simple decisions with few alternatives
(2 to 4). It requires no mathematical skills and can be used without computers.

Assessment of job offer: on the basis of multi-criteria model

DECISION SUPPORT SYSTEMS
Decision support systems (DSS) are defined as interactive computer-based information systems
intended to help decision makers utilize data and models in order to identify and solve problems,
and make decisions. In contrast with decision analysis and operational research, where the
emphasis is on making and using decision models, DSS focus on providing information
technology for decision makers at various levels in organisations. The emphasis is on providing
relevant information and presenting it in a suitable form so as to improve the decision making
process and tasks.
The main characteristics of DSS are:
• DSS incorporate both data and models,
• They are designed to assist managers in their decision processes in semi-structured or
unstructured decision-making tasks,
• They support, rather than replace, managerial judgment,
• Their objective is to improve the quality and effectiveness (rather than efficiency) of decision
making.
DSS can support decision makers in a number of different ways. They can store data and provide
means to search for relevant data items. More advanced techniques include query languages and
data warehouses. Data can be viewed and analysed using pivot tables and other methods of on-
line analytical processing (OLAP). DSS can provide computational and statistical models, for
instance for trend analysis. With data mining algorithms, the decision maker can find interesting
patterns in data. The results can be presented in reports and tables, as well as graphically using
advanced visualisation techniques. DSS can incorporate all types of decision analysis and
operational research models presented above. Consequently, using these models, DSS can
evaluate and assess decision alternatives or find optimal solutions of mathematically formulated
problems. DSS can integrate data from different sources and of different types (relational data,
documents, video, etc.). Also, DSS can contain rules that guide specific decision processes. Last
but not least, DSS can provide communication and other means to support the collaboration of
decision makers. Taking into account all this variety and using the mode of assistance as the
criterion, DSS are differentiated into the following types :
• communication-driven DSS: support more than one person working on a shared task,
• data-driven DSS or data-oriented DSS: emphasize access to and manipulation of a time series
of internal company data and, sometimes, external data,
• document-driven DSS: manage, retrieve, and manipulate unstructured information in a variety
of electronic formats, knowledge-driven DSS: provide specialized problem-solving expertise
stored as facts, rules, procedures, or in similar structures,
• model-driven DSS: emphasize access to and manipulation of a statistical, financial, evaluation,
optimization, or simulation model.
DECISION SYSTEMS
For the final section, let us step from human to computer decision making – that is, from
decision sciences to decision systems (see Figure 1). Computer decision making is fundamentally
different from human decision making and has an advantage that we understand it very well.
Computers make decisions according to programmed procedures, which can be easily analysed,
modified and observed during their operation. Although we cannot really compare the
mechanisms of human and computer decision making, we can still observe and compare the
performance of the two.
The computer has to be programmed to carry out some given task. This means that the
programmer has to define a sequence of instructions that are executed by the computer. When
executing instructions (i.e., when the program is running), it is often necessary that the program
reacts differently in different situations. On the basis of data, this is available to the program, it
must “decide” which sequence of instructions to take for further execution.

For this reason, one of the fundamental characteristics of computer programs is their ability to
branch: programs contain instructions that “switch” between branches composed of other
sequential instructions. All instructions are (in principle) pre-defined by the programmer,
however the branching occurs while the program is running, depending on the current state
ofcthe program and data available to the program. In this way, the program dynamically chooses
between different courses of actions. Externally, this appears as an ability of the computer
tocadapt and makes decisions.
For example, let us consider a very simple mathematical operation: division of two numbers say
x/y. This operation makes sense only if y≠0. Therefore, even in this very simple case, the
computer must “decide” whether to carry out the division or not. Before each division, the
computer must check the value of y. If y=0, it should not make the calculation, but rather issue
some message to the user or perform some other corrective action. Otherwise, the division is
possible and the program should calculate the result. In a computer programming language, these
instructions may be formulated as follows:

Every computer program contains instructions like these. Even though instructions are explicitly
specified by the programmer and their execution is deterministic (fully predictable), we can
gradually add more and more instructions and combine them into complex branching sequences.
In this way, we can create computer programs that exhibit very complex behaviour, even to the
point that is often referred to as “intelligent”: intelligent control systems, intelligent agents, game
playing programs, etc. For example, chess-playing programs are already capable of
outperforming most human players, including the world chess champion Among “intelligent”
computer programs, there is a particularly interesting class of programs which are able to
“learn”. These programs either observe their own performance or monitor some data generated
through performance of other systems. Based on examples of successful or unsuccessful
performances, machine learning programs can find patterns that explain there a sons for such
behaviour, they can find rules that improve performance, or can even modify themselves (by
modifying their own operating instructions) to achieve better performance in the future. The
scientific discipline that is concerned with the design and development of algorithms that allow
computers to change behaviour based on data is called machine learning .

Autonomous vehicles provide good examples of advanced decision systems. In order to explore
the surface of Mars, two Mars Rover vehicles were sent by the USA to that planet. The distance
between Earth and Mars is so large that it takes 12 minutes in average for a signal to travel that
distance. This makes it almost impossible to steer the vehicle from Earth. Therefore, Mars
Rovers were designed as highly autonomous vehicles, which were receiving basic commands
from the Earth, but were also capable to navigate challenging and unknown terrain, investigate
targets, and detect scientific events.

Another example, which is currently at the borderline of decision systems, is related to the
DARPA Urban Challenge, a prize competition held in 2007. The requirements were to build a
fully autonomous vehicle, which must be entirely autonomous, using only the information it
detects with its sensors and public signals such as GPS, and which would be able to drive
autonomously between two given points in an urban area, obeying the driving laws. The main
event took place on November 3, 2007, on a course in California, which involved a 96 km urban
area course, to be completed in less than 6 hours. Six of 11 vehicles accomplished the mission,
what is considered a groundbreaking success.

CHAPTER IV- STRATEGIC USE OF INFORMATION & IS

The word “strategy” originates from the Greek word strategos, meaning “general.” In war, a
strategy is a plan to gain an advantage over the enemy. Other disciplines, especially business,
have borrowed the term. As you know from media coverage, corporate executives often discuss
actions in ways that make business competition sound like war. Businesspeople must devise
decisive courses of action to win—just as generals do. In business, a strategy is a plan designed
to help an organization outperform its competitors. Unlike battle plans, however, business
strategy often takes the form of creating new opportunities rather than beating rivals.
Although many information systems are built to solve problems, many others are built to
seize opportunities. And, as anyone in business can tell you, identifying a problem is easier than
creating an opportunity. Why? Because a problem already exists; it is an obstacle to a desired
mode of operation and, as such, calls attention to itself. An opportunity, on the other hand, is
less tangible. It takes a certain amount of imagination, creativity, and vision to identify an
opportunity, or to create one and seize it. Information systems that help seize opportunities are
often called strategic information systems (SISs). They can be developed from scratch, or
they can evolve from an organization’s existing ISs.

A Strategic Information System (SIS) is a system that helps companies change or otherwise alter
their business strategy and/or structure. It is typically utilized to streamline and quicken the
reaction time to environmental changes and aid it in achieving a competitive advantage.

Key features of the Strategic Information Systems are the following:

1) Decision support systems that enable to develop a strategic approach to align Information
Systems (IS) or Information Technologies (IT) with an organization's business strategies

2) Primarily Enterprise resource planning solutions that integrate/link the business processes to
meet the enterprise objectives for the optimization of the enterprise resources

3) Database systems with the "data mining" capabilities to make the best use of available
corporate information for marketing, production, promotion and innovation. The SIS systems
also facilitate identification of the data collection strategies to help optimize database marketing
opportunities.

4) The real-time information Systems that intend to maintain a rapid-response and the quality
indicators.

USE OF INFORMATION FOR CUSTOMER BONDING

Customer relationship management is a business concept as old as business itself. For a small
business servicing less than a thousand or so customers, it is feasible to build and maintain
customer relationships entirely through face-to-face interactions between the staff and the
customers. But as a business grows in size and number of customers, building and maintaining
customer relationships and managing customer information quickly become complicated tasks.
Add such factors as increased competition, a smaller available share of the customer's financial
resources, economic fluctuations, technological advances, employee turnover and limited
resources to invest in customer relationship management and a company can easily find that it
has lost the ability to positively influence customer relationships. The results are lost
opportunities to improve customer loyalty and to promote customer growth through the purchase
of additional products and services.

Maintaining control of customer relationships is possible only through consistent implementation

of classic, well-proven customer bonding techniques, such as individualized customer care
and communications, rewards for customer value and loyalty, special consideration for
high-value customers and customized products and services.

But as a company's number of customers increases, these time-honored techniques become

difficult to implement. Growth requires increasingly sophisticated technology to properly
implement the best practices in customer relationship management.
Corporate marketing departments, paired with information technology support, have made the
greatest contributions in developing customer relationship strategies that successfully leverage
information. In most cases, as one would expect, database marketing concepts and approaches
form the foundation for a corporation's CRM strategy. Database marketing drove the initial
design and development of data marts, or marketing data warehouses, fully focused on customer-
level data and marketing communications. Marketing data marts have enabled advanced analysis
of customer data to provide not only valuable customer profiles and segmentation capabilities,
but also the ability to predict critical patterns of customer behavior. Now, through integration of
the marketing data mart with advanced analysis techniques, marketing communications and
innovative customer acquisition, retention and growth strategies, "best-of-class" database
marketers have defined the basic requirements of campaign management. Database marketing
campaigns have effectively lowered customer attrition and bolstered acquisition and cross-sell
response rates in many companies and industries. Let’s understand from foll.giure how IT helps
to build customer loyalty.
Finally, a successful business nurtures an online community of customers, employees, and
business partners that builds great customer loyalty as it fosters cooperation to provide an
outstanding customer experience.

FOR KNOWLEDGE MANAGEMENT

In an economy where the only certainty is uncertainty, the one sure source of lasting competitive
advantage is knowledge. When markets shift, technologies proliferate, competitors multiply, and
products become obsolete almost overnight, successful companies are those that consistently
create new knowledge, disseminate it widely throughout the organization, and quickly embody it
in new technologies and products. These activities define the“knowledge-creating” company,
whose sole business is continuous innovation .
Many companies today can only realize lasting competitive advantage if they become
knowledge-creating companies or learning organizations. That means consistently creating new
business knowledge, disseminating it widely throughout the company, and quickly building the
new knowledge into their products and services.

Knowledge-creating companies exploit two kinds of knowledge. One is explicit knowledge ,

which is the data, documents, and things written down or stored on computers. The other kind is
tacit knowledge , or the “how-tos” of knowledge, which resides in workers. Tacit knowledge can
often represent some of the most important information within an organization. Long-time
employees of a company often “know” many things about how to manufacture a product, deliver
the service, deal with a particular vendor, or operate an essential piece of equipment. This tacit
knowledge is not recorded or codified anywhere because it has evolved in the employee’s mind
through years of experience. Furthermore, much of this tacit knowledge is never shared with
anyone who might be in a position to record it in a more formal way because there is often little
incentive to do so or simply, “Nobody ever asked.”

As illustrated in FOLL. Figure , successful knowledge management creates techniques,

technologies, systems, and rewards for getting employees to share what they know and make
better use of accumulated workplace and enterprise knowledge. In that way, employees of a
company are leveraging knowledge as they do their jobs.

Knowledge management can be viewed as three levels of techniques, technologies, and

systems that promote the collection, organization, access, sharing, and use of workplace
and enterprise knowledge.
Making personal knowledge available to others is the central activity of the knowledgecreating
company. It takes place continuously and at all levels of the organization . Knowledge
management has thus become one of the major strategic uses of information technology. Many
companies are building knowledge management systems (KMS) to manage organizational
learning and business know-how. The goal of such systems is to help knowledge workers create,
organize, and make available important business knowledge, wherever and whenever it’s needed
in an organization. This information includes processes, procedures, patents, reference works,
formulas, “best practices,” forecasts, and fixes. As you will see in Chapter 10, Internet and
intranet Web sites, groupware, data mining, knowledge bases, and online discussion groups are
some of the key technologies that may be used by a KMS.

Knowledge management systems also facilitate organizational learning and knowledge creation.
They are designed to provide rapid feedback to knowledge workers, encourage behavior changes
by employees, and significantly improve business performance. As the organizational learning
process continues and its knowledge base expands, the knowledge-creating company works to
integrate its knowledge into its business processes, products, and services. This integration helps
the company become a more innovative and agile provider of high-quality products and
customer services, as well as a formidable competitor in the marketplace. Now let’s close this
chapter with an example of knowledge management strategies from the real world.
It’s hard to place a value on knowledge management systems. Their ability to generate income is
often measured indirectly; their links to cost savings frequently seem tenuous. The return on
investment is hard to quantify. Too often, the case for implementing a system to leverage
intellectual capital and expertise rests mainly on intuition:
It seems like a good idea. But intuition wasn’t nearly enough to sell executives
at Intec Engineering Partnership Ltd., a company whose dedication to thrift is exceeded only by
its passion for sharing knowledge.

An engineering firm serving the oil and gas industry, Intec is headquartered in Houston with
offices throughout the world. As Intec grew through expansion and international acquisitions, it
became more difficult to keep track of and access information. In fact, according to KPMG
International, 6 out of 10 employees say difficulty in accessing undocumented knowledge is a
major problem. A group of Intec engineers volunteered to work on the problem of how to better
capture lessons learned and share knowledge among them. They diagrammed how they solved
engineering problems and envisioned an ideal process: An engineer with a question would go to
a knowledge database that would either provide an answer or refer him to an expert. All new
knowledge would be automatically captured and stored in the database. Intec shopped around
and selected software from AskMe Corp. as the product most likely to facilitate Intec’s problem-
solving model.

The pilot, called AskIntec, began in May 2002. Three months later, it had exceeded
all of the performance and user metrics, and ROI calculations projected an annual return
of 133 percent. After nearly a year, the system is paying off almost exactly as projected.
“Our numbers were pretty spot-on, but they’re going up,” says CIO Fran Steele, noting that the
company estimates payback of 50 percent more next year as nonengineering employees are
added and the system becomes embedded in the culture.
“Some of the return on information is not quantified just by how quickly you can do something,
but by the fact that you can do it at all,” says Steele. In the end, customers profit from Intec’s
knowledge management investment. “If we can cut weeks off a project and help them get their
facility ready earlier, they can get to market sooner and get that revenue earlier,” she says. That’s
the ultimate value. Source: Adapted from Kathleen Melymuka, “Knowledge Management Helps
Intec Get Smarter by the Hour,”

FOR INNOVATION
Introduce new products and services, put new features in existing products and services, or
develop new ways to produce them. Innovation is similar to differentiation except that the impact
is much more dramatic. Differentiation “tweaks” existing products and services to offer the
customer something special and different. Innovation implies something so new and different
that it changes the nature of the industry. A classic example is the introduction of automated
teller machines (ATM) by Citibank. The convenience and cost-cutting features of this innovation
gave Citibank a huge advantage over its competitors. Like many innovative products, the ATM
changed the nature of competition in the banking industry so that now an ATM network is a
competitive necessity for any bank. Eight ways that IT can introduce technological innovation
for competitive advantage are shown in foll. Table.

In the late 1990s innovation became almost synonymous with electronic commerce. The Internet,
especially, enabled dot-com entrepreneurs to create innovative Web-based business models, such
as Priceline’s name-your-ownprice model, Auto-by-Tel’s informediary model, and
Amazon.com’s affiliate program.
A key consideration in introducing innovation is the need to continually innovate. When one
company introduces a successful innovation, other companies in the industry need to respond to
the threat by attempting to duplicate or better that innovation. Especially in electronic commerce,
the visibility of technologies on the Web makes keeping innovations secret more difficult.

FOR MANAGING BUSINESS RISKS

Out of many possible interpretations of a strategy an organization adopts in business, it is found
that a majority is concerned with competition between corporations. Competition means
cultivating unique strengths and capabilities, and defending them against imitation by other
firms. Another alternative sees competition as a process linked to innovation in product, market,
or technology. Strategic information systems theory is concerned with the use of
information technology to supportor sharpen an enterprise's competitive strategy.
Competitive strategy is an enterprise's plan for achieving sustainable competitive
advantage over, or reducing the edge of, its adversaries. The performance of individual
corporations is determined by the extent to which they manage the following (as given by Porter)
–

a) the bargaining power of suppliers;

b) the bargaining power of buyer;
c) the threat of new entrants;
d) the threat of substitute products; and
e) rivalry among existing firms.
Porter's classic diagram representing these forces is indicated below.
Porter's Forces Driving Industry Competition (Porter 1980)
There are two basic factors which may be considered to be adopted by organization in their
strategies:
a) low cost
b) product differentiation
Enterprise can succeed relative to their competitors if they possess sustainable competitive
advantage in either of these two. Another important consideration in positioning is 'competitive
scope', or the breadth of the enterprise's target markets within its industry, i.e. the range of
product varieties it offers, the distribution channels it employs, the types of buyers it serves, the
geographic areas in which it sells, and the array of related industries in which it competes.
Under Porter's framework, enterprises have four generic strategies available to them whereby
they can attain above average performance.
They are:
a) cost leadership;
b) differentiation;
c) cost focus; and
d) focused differentiation.
Porter's representation of them is indicated below

Porter's
Four Generic Strategies (Porter 1980)
According to Porter, competitive advantage grows out of the way an enterprise organizes and
performs discrete activities. The operations of any enterprise can be divided into a series of
activities The ultimate value an enterprise creates is measured by the amount customers are
willing to pay for its product or services. A firm is profitable if this value exceeds the collective
cost of performing all of the required activities. To gain competitive advantage over its rivals, a
firm must either provide comparable value to the customer, but perform activities more
efficiently than its competitors (lower cost), or perform activities in a unique way that creates
greater buyer value and commands a premium price (differentiation).

As per Borden 1964, quoted in Wiseman 1988many differentiation bases can be classified as 4
P’s as given below:
· product (quality, features, options, style, brand name, packaging, sizes, services,
warranties,returns);
· price (list, discounts, allowances, payment period, credit terms);
· place (channels, coverage, locations, inventory, transport); and
· promotion (advertising, personal selling, sales promotion, publicity).
The various attributes listed above can be sharpened the firms product by the support of a
suitable information technology. such as salespeople making sales calls, service technicians
performing repairs, scientists in the laboratory designing products or processes, and treasurers
raising capital. By performing these activities, enterprises create value for their customers.
Product differentiation and Value Chain
Product differentiation is the degree to which buyers perceive products from alternative suppliers
to be different. It is expressed by economic theory, the degree to which buyers perceive
imperfections in product substitutability. The buyers of differentiated products may have to pay a
price when satisfying their preference for something special, in return for greater addedvalue.
The connection between the producer and buyers may be reinforced, at least to the level of
customer loyalty, and perhaps to the point of establishing a partnership between them. Such a
relationship imposes 'switching costs' on the buyer, because its internal processes become
adapted to the beneficial peculiarities of the particular factor of production, and use of an
alternative would force internal changes. Hence product differentiation also serves as an entry
barrier. In addition, a continuous process of product differentiation may produce an additional
cost advantage over competitors and potential entrants, through intellectual property protections,
such as patents, and the cost of imitation.

The activities performed by a particular enterprise can be analysed into primary activities, which
directly add value to the enterprise's factors of production, which are together referred to as the
'value chain', and supporting activities.

Porter's Enterprise ValueChain( Porter 1980)

Value addition activities like production, marketing delivery, and servicing of the product. These
activities are connected in a chain. Support activities include those providing purchased inputs,
technology, human resources, or overall infrastructure functions to support the primary activities.
It is possible to reduce the transaction cost by proper coordination of all the activities. It should
be possible to gather better information for various controls and also replace the same by less
costlier activities. It will also be possible to reduce the overall time required to complete an
activity. Therefore
coordination is very important to achieve competitive advantage. For this it is necessary to
manage the value chain as a system rather than as separate parts. An enterprise's value chain for
competing in a particular industry is embedded in a larger stream of activities. What Porter
termed as 'value system', may be referred to as the 'industry valuechain'.
This chain consists of mainly the suppliers and distribution channels. Any activity of an
organization is subjected to one or more of the following
  New technologies – Newer technologies changes the direction of the value chain.
 Shifting buyer needs
 The buyers have been increasing their demands to satisfy their needs in the form
convenience and better price and features. This demand influences a change in the related
market segments;
 Variation in industry segmentation – The value system undergoes a change depending
upon the existence of old and new systems and its components in the value chain.
Organizations, which fail to adjust will have to close down their business.
 Changes in the costs It is possible to gain competitive advantage by optimizing the
activities based on present conditions. Enterprises which continue to work on the older
approaches in outdated modes of operation suffer.
 changes in government regulations If there is a change in the standards of the product
of the enterprise, with respect to the environmental controls, restrictions on entry to the
market, and trade barriers then it affect the performance of the enterprise.
FOR CREATING NEW BUSINESS MODELS AND NEW BUSINESS REALITIES
A business model is a conceptual tool containing a set of objects, concepts and their relationships
with the objective to express the business logic of a specific firm. Therefore we must consider
which concepts and relationships allow a simplified description and representation of what value
is provided to customers, how this is done and with which financial consequences.The search
included several variations of the original term like "e-business model", "new business model" or
"Internet business model".

Part of the relationship between technology and business models stems from the business model
concept’s roots in transaction cost economics (TCE). The sharp rise in cheap information
technology, bandwidth, and communication possibilities made it much easier for companies to
work in so-called value webs because coordination and transaction costs fell substantially.
Companies, in some cases even competitors, jointly offer and commercialize value to their
customers. That is, the business design choices for managers increased substantially based on
cheap and available information technology. This cost decrese led to industry boundaries
becoming increasingly blurred. The business model concept is a candidate to replace the industry
as a unit of analysis.
Consider iTunes Software/Website of Apple Computer a successful music downloading service.
The main role of this service is not only to sell music, but to enhance the company's sales of
iPods, a portable digital music player. Thus, in terms of industry sectors, this website includes
the software, online, hardware, and music industriesIn terms of business models this website
forms a whole set of business design choices that reinforce one another.
In the literature, the expression business models stands for various things, such as parts of a
business model (e.g. auction model), types of business models (e.g. direct-to-customer model),
concrete real world instances of business models (e.g. the Dell model) or concepts (elements and
relationships of a model).
The development of the digital economy and its contribution in development of e-business
models ; value-adding activities; consumer behavior and strategies for competitive advantage
among others is vital in modern business. The development of e-business has forced a review of
the value of traditional business models and focused attention on how ICTs, including the
internet, can be used as a basis for creating new types of business models and the strategies that
are built around them.

Many e-business model definitions feature an architecture for information flows that underpin
value added product or service delivery and a source of revenue (subscription, advertising, etc.).
Key components of e-business models typically comprise strategy, structure, business processes,
value chain and core competencies. Technology is another key feature that should be included.
Crucially, an e-business model differs from traditional models by emphasizing the technology
driven interactivity of key actors along the supply chain as a means of adding value, increasing
efficiency, and building new relationships with suppliers and customers and creating
partnerships. However, the development of e-business models has not been without its critics.
Porter (2001) noted that the empirical use of the e-business model concept was unclear and
lacked theoretical rigour.

Another effect of the digital revolution has been the evident convergence of industries and
technologies. Where once, industries such as telecommunications, broadcasting and computing
were separate sectors, now they have converged to provide a range of products and services that
rely on the overlap of activities and attributes that characterize each. For example, media content
in the form of video, audio or text-based products can be distributed via the internet, satellite,
cable, compact disc and accessed through different platforms such as television, home computer,
mobile wireless phone or PDAs among others. The convergence has not only been evident in the
technologies that support these industries, but also in the firms that supply the products and
services. Collaboration and consolidation have been key features of the global multimedia
industry with more and more market share being vested in fewer firms. Firms such as News
Corporation and Google have become increasingly powerful as they acquire ever-greater
influence in the supply of media products and services around the world. Other industries have
also been radically changed by the digital revolution such as financial services, travel, retailing
and logistics and distribution. All have acquired the types of hardware and software that helps
deliver better quality products and services faster, and often cheaper than ever before. Key to the
success of competing firms in the digital world is the creation of effective strategies for
competitive advantage.

M-commerce business models- A key technological development affecting e-business is the

emergence of the mobile wireless internet. This technology provides another channel for
communications and transactions – mobile commerce (m-commerce). There are many
definitions of what constitutes m-commerce, but all feature the basic element of interactive
communication for undertaking business using mobile devices. For it to be termed m-commerce,
there has to be some economic or business element to the communication. Watson et al. (2002)
highlights how m-commerce has changed the business view of time and space. Key concepts
underpinning the m-commerce environment include ubiquity, universality, uniqueness and
unison. There are numerous types of technologies that can be installed in devices to facilitate m-
commerce including Short Message Service (SMS), Bluetooth, Wireless Application Protocol
(WAP) and 3G services.
Market penetration for mobile phones has been exponential in growth, fast paced and global in
scale. As mobile telephony services reached saturation in leading markets such as the USA,
Europe and Japan, so manufacturers sought competitive advantage by extending functionality
and differentiating through design. Whilst US consumers continue to use mobile phones
primarily for personal communication, Japanese and European customers have sought additional
functionality such as internet access, video streaming and photographic capability. Firms have
responded by developing new mobile technologies such as the i-mode (internet service) and
FOMA (3G mobile service) produced by leading Japanese communications company DoCoMo.
for communications by facilitating the exchange of information between mobile devices, PCs
and other devices.

CHAPTER – V- INFORMATION SECURITY

Information Security has three primary goals, known as the security triad:
● Confidentiality – Making sure that those who should not see your information, can not see it.
● Integrity – Making sure the information has not been changed from how it was intended to be.
● Availability – Making sure that the information is available for use when you need it.
As you can see, the security triad can be remembered as the letters CIA. These principals are
simplistic when broken down, but when you think about it more in depth, all steps taken within
security are to help complete one or more of these three security goals. When most people think
about Information Security, they will generally only think of the first item, Confidentiality,
and for good reason, since that's all the media seems to think security is about. Confidentiality is
also, ironically, the one of the three goals you most often do not need. A public web-site does not
want to be confidential, it would defeat the point of being public.

In order to promote Confidentiality, you have several tools at your disposal, depending on the
nature of the information. Encryption is the most commonly thought of method used to promote
Confidentiality, but other methods include Access Control Lists (ACLs) that keep people from
having access to information, using smart cards plus pin numbers to prevent unauthorized people
into your building and looking around, or even explaining to your employees what information
about the company they can and cannot disclose over the phone. When information is read or
copied by someone not authorized to do so, the result is known as loss of confidentiality. For
some types of information, confidentiality is a very important attribute. Examples include
research data, medical and insurance records, new product specifications, and corporate
investment strategies. In some locations, there may be a legal obligation to protect the privacy of
individuals. This is particularly true for banks and loan companies; debt collectors; businesses
that extend credit to their customers or issue credit cards; hospitals, doctors’ offices, and medical
testing laboratories; individuals or agencies that offer services such as psychological counseling
or drug treatment; and agencies that collect taxes.

Information can be corrupted when it is available on an insecure network. When information is

modified in unexpected ways, the result is known as loss of integrity. This means that
unauthorized changes are made to information, whether by human error or intentional tampering.
Integrity is particularly important for critical safety and financial data used for activities such as
electronic funds transfers, air traffic control, and financial accounting. Integrity is the part of the
triad that affects the most people in the IT world, but few seem to notice it, and fewer still think
of it as a security issue. The files on your operating system must maintain a high level of
integrity, but worms, viruses and trojans are a major issue in IT, and can also be a way that an
attacker can get information out of your network, or inject his own information into it. And
integrity is not just about malicious parties, it also covers items such as disk errors, or accidental
changes made to files by unauthorized users. Access control lists (ACLs), physical security, and
regular backups all fall under integrity (And sometimes confidentiality and availability. One fix
can solve multiple problems).

Information can be erased or become inaccessible, resulting in loss of availability. This means
that people who are authorized to get information cannot get what they need. Availability is often
the most important attribute in service-oriented businesses that depend on information (for
example, airline schedules and online inventory systems). Availability is the part of the triad
most administrators have to worry about at work, and with good reason. It's the most common,
and most visible, part of the security triad, and it is part of the job duties of just about every
administrator, even non-security based ones. It's mostly about system uptime for them, but it can
also cover subjects such as accidentally denying a user access to a resource they should have,
having a user locked out of the front door because the biometrics does not recognize his
fingerprints (False negative), or even major issues such as natural disasters, and how the
company should recover in case of one.

TYPES OF THREATS AND RISK

What Is Risk With Respect To Information Systems?

Risk is the potential harm that may arise from some current process or from some future event.
Risk is present in every aspect of our lives and many different disciplines focus on risk as it
applies to them. From the IT security perspective, risk management is the process of
understanding and responding to factors that may lead to a failure in the confidentiality, integrity
or availability of an information system. IT security risk is the harm to a process or the related
information resulting from some purposeful or accidental event that negatively impacts the
process or the related information.
Risk is a function of the likelihood of a given threat-source’s exercising a particular potential
vulnerability, and the resulting impact of that adverse event on the organization.

Threats
The potential for a threat source to exercise (accidentally trigger or intentionally exploit)
a specific vulnerability.
Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a
vulnerability or (2) a situation and method that may accidentally trigger a vulnerability The
threat is merely the potential for the exercise of a particular vulnerability. Threats in
themselves are not actions. Threats must be coupled with threat-sources to become dangerous.
This is an important distinction when assessing and managing risks, since each threat-source may
be associated with a different likelihood, which, as will be demonstrated, affects risk assessment
and risk management. It is often expedient to incorporate threat sources into threats. The list
below shows some (but not all) of the possible threats to information systems.

Why Is It Important to Manage Risk?

The principle reason for managing risk in an organization is to protect the mission and assets of
the organization. Therefore, risk management must be a management function rather than a
technical function.
It is vital to manage risks to systems. Understanding risk, and in particular, understanding the
specific risks to a system allow the system owner to protect the information system
commensurate with its value to the organization. The fact is that all organizations have limited
resources and risk can never be reduced to zero. So, understanding risk, especially the magnitude
of the risk, allows organizations to prioritize scarce resources.
CONTROL ANALYSIS
The goal of this step is to analyze the controls that have been implemented, or are planned for
implementation, by the organization to minimize or eliminate the likelihood (or probability) of a
threat’s exercising a system vulnerability.
Control Methods
Security controls encompass the use of technical and nontechnical methods. Technical controls
are safeguards that are incorporated into computer hardware, software, or firmware (e.g., access
control mechanisms, identification and authentication mechanisms, encryption methods,
intrusion detection software). Nontechnical controls are management and operational controls,
such as security policies; operational procedures; and personnel, physical, and environmental
security.
The control categories for both technical and nontechnical control methods can be further
classified as either preventive or detective. These two subcategories are explained as follows:
• Preventive controls inhibit attempts to violate security policy and include such controls as
access control enforcement, encryption, and authentication.
• Detective controls warn of violations or attempted violations of security policy and include
such controls as audit trails, intrusion detection methods, and checksums.

Technical Security Controls

Technical security controls for risk mitigation can be configured to protect against given types of
threats. These controls may range from simple to complex measures and usually involve system
architectures; engineering disciplines; and security packages with a mix of hardware, software,
and firmware. All of these measures should work together to secure critical and sensitive data,
information, and IT system functions. Technical controls can be grouped into the following
major categories, according to primary purpose:
• Support - Supporting controls are generic and underlie most IT security capabilities. These
controls must be in place in order to implement other controls.
• Prevent - Preventive controls focus on preventing security breaches from occurring in the first
place.
• Detect and Recover - These controls focus on detecting and recovering from a security breach.

Supporting Technical Controls

Supporting controls are, by their very nature, pervasive and interrelated with many other
controls. The supporting controls are as follows:
• Identification. This control provides the ability to uniquely identify users, processes, and
information resources. To implement other security controls (e.g., discretionary access control
[DAC], mandatory access control [MAC], accountability), it is essential that both subjects and
objects be identifiable.
• Cryptographic Key Management. Cryptographic keys must be securely managed when
cryptographic functions are implemented in various other controls. Cryptographic key
management includes key generation, distribution, storage, and maintenance.
• Security Administration. The security features of an IT system must be configured
(e.g., enabled or disabled) to meet the needs of a specific installation and to account for changes
in the operational environment. System security can be built into operating system security or the
application. Commercial off-the-shelf add-on security products are available.
System Protections. Underlying a system’s various security functional capabilities is a base of
confidence in the technical implementation. This represents the quality of the implementation
from the perspective both of the design processes used and of the manner in which the
implementation was accomplished. Some examples of system protections are residual
information protection (also known as object reuse), least privilege (or “need to know”), process
separation, modularity, layering, and minimization of what needs to be trusted.
Preventive Technical Controls
These controls, which can inhibit attempts to violate security policy, include the following:
• Authentication. The authentication control provides the means of verifying the identity of a
subject to ensure that a claimed identity is valid. Authentication mechanisms include passwords,
personal identification numbers, or PINs, and emerging authentication technology that provides
strong authentication (e.g., token, smart card, digital certificate, Kerberos).
• Authorization. The authorization control enables specification and subsequent management of
the allowed actions for a given system (e.g., the information owner or the database administrator
determines who can update a shared file accessed by a group of online users).
• Access Control Enforcement. Data integrity and confidentiality are enforced by access
controls. When the subject requesting access has been authorized to access particular processes,
it is necessary to enforce the defined security policy (e.g., MAC or DAC). These policy-based
controls are enforced via access control mechanisms distributed throughout the system (e.g.,
MAC sensitivity labels; DAC file permission sets, access control lists, roles, user profiles). The
effectiveness and the strength of access control depend on the correctness of the access control
decisions (e.g., how the security rules are configured) and the strength of access control
enforcement (e.g., the design of software or hardware security).
• Nonrepudiation. System accountability depends on the ability to ensure that senders cannot
deny sending information and that receivers cannot deny receiving it. Nonrepudiation spans both
prevention and detection. It has been placed in the prevention category in this guide because the
mechanisms implemented prevent the successful repudiation of an action (e.g., the digital
certificate that contains the owner’s private key is known only to the owner). As a result, this
control is typically applied at the point of transmission or reception.
• Protected Communications. In a distributed system, the ability to accomplish security
objectives is highly dependent on trustworthy communications. The protected communications
control ensures the integrity, availability, and confidentiality of sensitive and critical information
while it is in transit. Protected communications use data encryption methods (e.g., virtual private
network, Internet Protocol Security [IPSEC] Protocol), and deployment of cryptographic
technologies (e.g., Data Encryption Standard [DES], Triple DES, RAS, MD4, MD5, secure hash
standard, and escrowed encryption algorithms such as Clipper) to minimize network threats such
as replay, interception, packet sniffing, wiretapping, or eavesdropping.
Transaction Privacy. Both government and private sector systems are increasingly required to
maintain the privacy of individuals. Transaction privacy controls (e.g., Secure Sockets Layer,
secure shell) protect against loss of privacy with respect to transactions performed by an
individual.
Detection and Recovery Technical Controls
Detection controls warn of violations or attempted violations of security policy and include such
controls as audit trails, intrusion detection methods, and checksums. Recovery controls can be
used to restore lost computing resources. They are needed as a complement to the supporting
and preventive technical measures, because none of the measures in these other areas is perfect.
Detection and recovery controls include—
• Audit. The auditing of security-relevant events and the monitoring and tracking of system
abnormalities are key elements in the after-the-fact detection of, and recovery from, security
breaches.
• Intrusion Detection and Containment. It is essential to detect security breaches (e.g., network
break-ins, suspicious activities) so that a response can occur in a timely manner. It is also of little
use to detect a security breach if no effective response can be initiated. The intrusion detection
and containment control provides these two capabilities.
• Proof of Wholeness. The proof-of-wholeness control (e.g., system integrity tool) analyzes
system integrity and irregularities and identifies exposures and potential threats. This control
does not prevent violations of security policy but detects violations and helps determine the type
of corrective action needed.
• Restore Secure State. This service enables a system to return to a state that is known to be
secure, after a security breach occurs.
• Virus Detection and Eradication. Virus detection and eradication software installed on
servers and user workstations detects, identifies, and removes software viruses to ensure system
and data integrity.
4.4.2 Management Security Controls
Management security controls, in conjunction with technical and operational controls, are
implemented to manage and reduce the risk of loss and to protect an organization’s mission.
Management controls focus on the stipulation of information protection policy, guidelines, and
standards, which are carried out through operational procedures to fulfill the organization’s goals
and missions.

Operational Security Controls

An organization’s security standards should establish a set of controls and guidelines to ensure
that security procedures governing the use of the organization’s IT assets and resources are
properly enforced and implemented in accordance with the organization’s goals and mission.
Management plays a vital role in overseeing policy implementation and in ensuring the
establishment of appropriate operational controls.