Preview Extract
This Document Contains Chapters 7 to 8 Chapter 7: Security Overview This chapter is new to the 6th edition, and begins with a melodramatic opening case that depicts a security breach from a “Hollywood” perspective: a physical breach was engineered to gain access to the computers of the Office of Personnel Management, and the perpetrators only had minutes to commit it before they were discovered. Designed to capture the students’ attention, the case ends with a statement that the breach indeed occurred, but that the story was completely false. The perpetrators had month (or years) to commit the breach and it took months to discover it. The story was inspired by a study commissioned by Verizon and the Secret Service, as well as statistics about how long it takes for breaches to be committed (sometimes months and years) and how long it takes to detect them (often months and years). In 2014, the median was 205 days (almost 7 months) and the record was 2,982 months (11 years)! The chapter reviews several frameworks that should enable students to make some sense out of what is often considered difficult and highly technical material. The chapter emphasizes the need for managers to realize that there are many behavioral issues involved in IT security, and that they must participate in making decisions about security. Discussion Opener: The first slide of this chapter provides discussion questions that cover the opening case on the Office of Personnel Management. After asking the questions, I ask students to “vote” on the likely answer to the multiple choice question on the second slide that contains material. The chart on the fifth slide debunks the “Hollywood” version of reality. Alternate Discussion Opener: You could make the following statement and ask for responses: “So, managers should count on IT people to make all the security decisions, right?” Then, depending on how the discussion goes, ask some or all of the following: (1) Why does a manager need to participate in security decisions? Aren’t those decisions too technical for managers to understand? (2) What kinds of decisions do general managers need to make versus the kinds of decisions that IT managers need to make? (3) How much impact can a manager make in such a technical area as IT security? Key Points in Chapter The IT Security Decision Framework in Figure 7.1 identifies the various decisions that need to be made about IT security, who must make them, what is the rationale, and what occurs if decision rights are not allocated properly. Figure 7.2 identifies how several well-known breaches occurred so that managers can be aware of the behavioral source of each one. Most were preventable, resulting from revealing a password or opening an email attachment. The chapter also reviews the cost of breaches, so that management will know the cost of not participating in security decisions. However, no computer system can be 100% secure, so management must also know that vigilance is necessary to increasingly fortify the firm’s protection. The second half of the chapter focuses on what management should do to help with that fortification. There are five areas in which management should participate: security strategy, infrastructure, policies, training, and investments. The middle three are explored in depth in the rest of the chapter. Tools listed in Figures 7.3 (infrastructure) and 7.4 (storage and transmission), provide the most technical information in the chapter using non-technical language. Managers will need to make investment decisions and should be familiar with the overall concepts involved with infrastructure and storage/transmission. Security policy areas are listed in 7.5, and the chapter concludes by reviewing considerations for SETA (security education, training, and awareness), summarized in Figure 7.6. Illustrative Answers to Discussion Questions 1. Did you change your shopping habits after hearing of the widespread breaches at Target, Home Depot, and dozens of other stores during 2013–2015? Why or why not? Answer: The discussion will depend largely on the experiences of students, but you should make sure they touch on the following issues: (a) likelihood (is it silly to be concerned with security when shopping?) (b) futility (is it a waste of time because there is no way to protect yourself?) (c) availability (can you feasibly find firms that have not been hacked?), and (d) justice (do the companies deserve a boycott?). My shopping habits did change after hearing about the widespread breaches at Target, Home Depot, and other stores during 2013-2015. The breaches raised awareness about the vulnerability of personal and financial information stored by retailers, leading me to become more cautious about where and how I made purchases. I started paying closer attention to security measures implemented by retailers, such as encryption and two-factor authentication, and opted to shop at stores with strong reputations for cybersecurity. Additionally, I became more vigilant about monitoring my financial accounts for any suspicious activity and regularly updated passwords to enhance security. While convenience remained a factor in my shopping decisions, I prioritized the protection of my personal information and financial security, adjusting my behavior accordingly. Ultimately, the breaches underscored the importance of cybersecurity in today's digital age and prompted me to take proactive measures to safeguard my sensitive data. 2. Evaluate your password habits and describe a plan for new ones. Explain why you chose the new habits and how they reduce the risk of compromising your system’s security. Answer: This will also depend on the students’ ideas. Some students will be reluctant to reveal their password habits so you might focus the discussion on the previous password habits rather than their new ones. Upon evaluating my password habits, I realized the need for stronger and more secure practices to enhance my system's security. As a result, I have devised a plan for new password habits that prioritize complexity, uniqueness, and regular updates. Firstly, I will use longer passwords consisting of a combination of uppercase and lowercase letters, numbers, and special characters to increase complexity and thwart brute-force attacks. Secondly, I will adopt a passphrase approach, creating memorable yet unique phrases for each account to minimize the risk of password reuse. Thirdly, I will implement multi-factor authentication wherever possible, adding an extra layer of security beyond just passwords. Additionally, I will utilize a password manager to securely store and generate strong passwords, reducing the need to memorize multiple complex passwords. Moreover, I will regularly update passwords, setting reminders to change them every few months to mitigate the risk of compromise due to password staleness. By adhering to these new habits, I aim to significantly reduce the likelihood of unauthorized access to my accounts and enhance overall cybersecurity. 3. Across all access tools listed in Figure 7.3 which have the most compelling advantages? What are the most concerning weaknesses? Provide support for your choices. Answer: Students should probably recognize that multi-factor authentication has the best promise for the future, and that passwords have some of the most concerning weaknesses. Among the access tools listed in Figure 7.3, biometric authentication stands out for its compelling advantages, offering a high level of security and convenience. Biometric identifiers such as fingerprints, facial recognition, or iris scans are unique to individuals, making them difficult to replicate or spoof, thereby enhancing authentication accuracy and reducing the risk of unauthorized access. Additionally, biometric authentication eliminates the need to remember complex passwords or carry physical tokens, streamlining the authentication process and improving user experience. Moreover, biometric authentication provides a seamless and frictionless user experience, enhancing user adoption and satisfaction. However, biometric authentication also has concerning weaknesses that warrant consideration. Firstly, biometric data, once compromised, cannot be easily changed like passwords, posing long-term security risks if breached. Secondly, privacy concerns arise from the collection and storage of sensitive biometric information, necessitating robust security measures and regulatory compliance to safeguard user privacy. Thirdly, biometric authentication may encounter accuracy issues due to environmental factors, such as poor lighting or variations in facial features, potentially leading to false positives or negatives. Lastly, there are ethical considerations surrounding the use of biometric data, including consent, transparency, and potential discrimination, which require careful management to maintain trust and compliance with ethical standards. 4. What is the likely future of access tools? Will they continue to be useful security measures? In your discussion, predict what you believe is the future of passwords. Answer: The likely future is multi-factor authentication, as they provide stronger protection than single-factor authentication. Many have said that the future of passwords is bleak, although multi-factor authentication often uses a password as at least one of the factors. The future of access tools is likely to see continued evolution and innovation to address emerging security threats and enhance user experience. While traditional access tools such as passwords will remain relevant for the foreseeable future, there will be a shift towards more secure and convenient authentication methods, including biometrics, multi-factor authentication, and adaptive authentication. Biometric authentication, in particular, is expected to gain widespread adoption due to its unique identifiers and seamless user experience, though challenges related to privacy and accuracy will need to be addressed. Multi-factor authentication will become standard practice, combining multiple authentication factors to provide stronger security against unauthorized access. Additionally, adaptive authentication, leveraging machine learning and contextual factors, will play a crucial role in dynamically adjusting authentication requirements based on risk levels and user behavior. However, passwords will likely continue to be used in conjunction with other authentication methods, albeit in a diminished role, as they remain susceptible to vulnerabilities such as phishing and brute-force attacks. As technology advances, the future of access tools will prioritize a balance between security, usability, and privacy to meet the evolving needs and expectations of users and organizations. 5. What is an evil twin WiFi connection? What should you do to increase your security in a coffee shop the next time you want to connect? Answer: An evil twin WiFi connection is a fake access point that mimics the name of one that you expect to be present in a particular location. Two ways to protect yourself is to avoid using a coffee shop connection altogether, or to use a VPN. Avoiding a coffee shop connection might mean using your smartphone as a tether (using a program such as FoxFi) that provides your own secure connection. 6. Name three commonly used management security policy areas and describe an example policy for each area. Answer: The areas listed in Figure 7.5 should be the focus here. Refer to the table for possible topics to discuss. Three commonly used management security policy areas include data protection, access control, and incident response. An example policy for data protection may include guidelines on encryption protocols for sensitive information, specifying that all data must be encrypted both at rest and in transit using approved encryption algorithms and key management practices to prevent unauthorized access. For access control, an example policy could outline procedures for granting and revoking access privileges to systems and data based on role-based access control principles, specifying that access rights should be reviewed and updated regularly to ensure compliance with least privilege principles. Lastly, an example policy for incident response might detail procedures for detecting, reporting, and responding to security incidents, including steps for containment, investigation, remediation, and communication with relevant stakeholders to minimize the impact of breaches or incidents on organizational assets and operations. These policies provide clear guidelines and standards for employees to follow, helping to mitigate security risks and maintain the integrity, confidentiality, and availability of organizational data and resources. 7. Create an outline for a training session to help your team avoid phishing. What would you include in that training session? What are some typical signs that an e-mail might be fraudulent? Answer: A reasonable outline might include the following: (I) Potential damage from security breaches resulting from phishing; (II) What phishing messages can do (a) spoof an existing friend (b) use numeric addresses (c) lead to dangerous sites (d) request logging into a counterfeit site; (III) How to recognize a phishing message (a) examples of phishing messages, (b) common threads in those messages (see the bulleted list on pg. 161 for examples), (c) what to do about phishing messages. Cases Case Study 7-1: ACARS (Aircraft Communications Addressing and Reporting System) 6. Which of the two aircraft breaches is more serious: the breach described here or the breach created by the hacker (described earlier in the chapter) who took control of a plane’s throttle briefly through the entertainment system and then tweeted about it? Why? Answer: Much of this depends on the students’ opinions, as they are both quite serious. Taking control of a plane’s throttle can endanger the lives of passengers immediately, and changing the flight plan could switch the destination of a plane to a hostile territory or even to an area that could result in a crash as well. Fortunately, the hack described in the chapter can be prevented by passenger or flight attendant vigilance in the short term, and by redesigning the in-flight passenger entertainment systems so that (a) they would require a special tool to open and (b) the flight navigation systems would be separated from the entertainment system. That is, if the unit is somehow opened, a breach there would not have any access to flight navigation systems. 7. Which of the access controls and storage/transmission controls would be most helpful for the ACARS problem? The entertainment system problem? Why? Answer: Encryption would assist in the ACARS situation, and physical controls and separation of unrelated systems would help in the entertainment system situation. For the ACARS problem, access controls such as role-based access control (RBAC) and mandatory access control (MAC) would be most helpful. RBAC would ensure that only authorized personnel, such as pilots and air traffic controllers, have access to the ACARS system, reducing the risk of unauthorized manipulation or interference. MAC would enforce strict access restrictions based on predefined security policies, further enhancing control over who can access and modify critical aviation data. For the entertainment system problem, storage/transmission controls such as encryption and data loss prevention (DLP) would be most helpful. Encryption would protect sensitive content stored on the entertainment system, ensuring that it remains confidential and secure even if the device is compromised or accessed by unauthorized parties. DLP would prevent unauthorized transmission of sensitive data, such as passenger information or flight details, over insecure networks or channels, reducing the risk of data breaches or privacy violations. Overall, implementing these access controls and storage/transmission controls would enhance the security posture of both the ACARS and entertainment systems, mitigating risks and vulnerabilities associated with unauthorized access, data breaches, and cyber threats. 8. If password control is used to solve the ACARS weakness, what might hackers do next? Answer: Hackers could try to either guess the password or fool a pilot into revealing it. If password control is implemented to address the ACARS weakness, hackers may resort to various tactics to bypass or compromise the system. Firstly, they may employ brute force attacks or dictionary attacks to guess or crack passwords, exploiting weak or easily guessable credentials. Secondly, hackers could use social engineering techniques to trick authorized users into revealing their passwords or granting access to sensitive systems. Additionally, they may target password recovery mechanisms or exploit vulnerabilities in password management processes to gain unauthorized access. Furthermore, hackers might employ phishing attacks to trick users into disclosing their credentials through fake login pages or malicious emails. Moreover, they may exploit vulnerabilities in the authentication process or intercept login credentials through man-in-the-middle attacks. Furthermore, hackers might target password databases or credential stores to steal or compromise stored passwords, enabling unauthorized access to the system. Additionally, they may exploit weak or outdated password policies, such as lack of multi-factor authentication or insufficient password complexity requirements. Finally, hackers could leverage insider threats or compromised accounts to gain unauthorized access to the ACARS system, circumventing password controls altogether. Overall, while password control can enhance security, it is essential to implement additional layers of protection and employ best practices to mitigate the risk of unauthorized access and potential exploitation by hackers. Case Study 7-2: Sony Pictures: The Criminals Won 1. Setting aside the political issues between North Korea and the United States, is there a reasonable way to respond to an anonymous threat found on the Internet somewhere? What elements would you require before canceling the film if you were CEO of Sony? If you were CEO of a chain of theaters? Answer: This is a very difficult issue. While it is easy to state that some kind of proof is required to take a threat seriously, such proof might require someone’s loss of life or limb (as an example). Rather than proof, each should be investigated as to the credibility of the threat. Some tools that can be used include (a) tracing the communications to find the source, (b) identifying other corroborating messages referring to the threat, or (c) identifying information that only a true attacker would have. The difficulties faced by the CEO of Sony would center around policy issues (“do we respond to threats?”, while the theater chain would be most concerned with damage to people and/or property in their actual theaters (“do we endanger customers?). 2. What access and data protection controls would you recommend Sony use to provide better security for unreleased digital films and e-mails? Answer: Strengthen access controls or disconnect their intellectual property from Internet access until it is absolutely necessary to transmit it to theaters. Use multi-factor authentication and employ more than two factors for authenticating. Regarding email, many firms could employ screening to reject emails that are unconfirmed as to source. Some email packages and vendors allow a tool that requires the sender to confirm that he/she is not a robot before the email is accepted into the inbox. 3. If you were a hacker, what approach would you have used to break into Sony’s system? What do you think the most important SETA elements would be to prevent future hacker attacks against Sony or other media firms? Answer: I would have used phishing to break into Sony’s system, as it is one of the easiest forms of attack. It is likely that higher security objects would have rules as to password formats (no using “12345” or “must be at least 8 characters with one or more special characters”), so guessing the password would not be as likely. The most important SETA elements from Figure 7.6 would perhaps be vigilance, but access tools could arguably be as important. Supplemental Cases: The iPremiere Company (A): Denial of Service Attack (either the Graphic Novel Version: Harvard 609-092 from 2009 by Robert D. Austin and Alan Short; or the text version 601-114 from 2001 by Robert D. Austin, Larry Leibrock, and Alan Murray). This case is one of the “most popular” according to the Harvard Publishing site. The graphic novel version is a student favorite, and provides rich information even though there are many fewer words. I use only the A case, and tell students verbally what happens in the very short B and C cases. Alternatively, (and for greatest impact), the instructor can hand out the B case during class discussion and ask students what they think. Then the instructor can hand out the C case and reveal what really happened. Caregroup. F. Warren McFarlan; Robert D. Austin. January 2003. Harvard case 303097. This is another “most popular” case from Harvard. It follows the strategy and decisions taken by John Halamka, CIO, and other IT personnel at Caregroup, a major hospital group in Boston, MA, which led to a collapse in their information systems. Useful supplements not discussed by the Teaching Note include an interesting column written by Halamka that provides quite a bit of illumination about the “leading edge” CIO at http://www.computerworld.com.au/article/138814/opinion_my_wired_world/ as well as a video available from Harvard where Halamka describes the Board’s reaction to his advice for sophisticated and very expensive recovery protection: They say “We accept the risk.” This provides rich fodder for discussion and debate about who’s fault is the collapse. The SANS Reading Room offers several cases free of charge at https://www.sans.org/reading-room/whitepapers/casestudies. Notable cases include a case study devoted to the Home Depot, Sony, Target, and other breaches, as well as a more technical case entitled “Case Study in Information Security: Securing The Enterprise,” which describes protections that were applied to an unnamed, unprotected insurance company. Secom: Managing Information Security in a Risky World, F. Warren McFarlan; Robert D. Austin; Robert O. Austin; Harvard Case 308015, July 31, 2007. Covers security in an Internet company. Involves a 20-person Japanese e-commerce company making decisions about security products to buy. 21 p. Supplemental Readings/Articles Boss, S., Galletta, D.F., Lowry, P.B., Moody, G., and Polak, P. What Do Systems Users Have to Fear? Using Fear Appeals to Engender Threats and Fear that Motivate Protective Security Behaviors in Users, MIS Quarterly, December, 2015. Rebollo, O., Mellado, D., Fernández-Medina, E., & Mouratidis, H. (2015). Empirical evaluation of a cloud computing information security governance framework. Information and Software Technology, 58, 44-57. Garba, A. B., Armarego, J., Murray, D., & Kenworthy, W. (2015). Review of the information security and privacy challenges in Bring Your Own Device (BYOD) environments. Journal of Information Privacy and Security, 11(1), 38-54. Mishra, S., Snehlata, S., & Srivastava, A. (2014). Information Security Behavioral Model: Towards Employees’ Knowledge and Attitude. Journal of Telematics and Informatics, 2(1). Lin, Z., & Wei, Z. (2014). Research on computer network information security and protection strategy. Network Security Technology & Application, 3, 105. Yoo, J. (2014). Comparison of Information Security Controls by Leadership of Top Management. Journal of Society for e-Business Studies, 19(1). Siponen, M., Mahmood, M. A., & Pahnila, S. (2014). Employees’ adherence to information security policies: An exploratory field study. Information & Management, 51(2), 217-224. Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security (TISSEC), 5(4), 438-457. Anderson, R. (2001, December). Why information security is hard-an economic perspective. In Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual (pp. 358-365). IEEE. Baskerville, R. (1993). Information systems security design methods: implications for information systems development. ACM Computing Surveys (CSUR), 25(4), 375-414. Books: Rao, Umesh Hodeghatta, and Umesha Nayak. The InfoSec Handbook: An Introduction to Information Security. Apress, 2014. Smith, Richard E. Elementary information security. Jones & Bartlett Publishers, 2011. Whitman, Michael, and Herbert Mattord. Management of information security. Cengage Learning, 2013. Taylor, R. W., Fritsch, E. J., & Liederbach, J. (2014). Digital crime and digital terrorism. Prentice Hall Press. Andress, J. (2014). The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress. Merkow, M. S., & Breithaupt, J. (2014). Information security: Principles and practices. Pearson Education. Lopes, I., & Oliveira, P. (2014). Understanding information security culture: a survey in small and medium sized enterprises. In New Perspectives in Information Systems and Technologies, Volume 1 (pp. 277-286). Springer International Publishing. Websites: https://www.sans.org/information-security/ SANS provides a variety of information security resources. http://searchsecurity.techtarget.com/ TechTarget provides news and trending topics in security. https://www.securityforum.org/ is offered by the Security Forum, and provides links to security research, forums, tools, products/services, events, and news. News November 16, 2015: A recent article in Computerworld describes security weaknesses in thousands of mobile apps, according to a recent study. Have students read the article at http://www.computerworld.com/article/3005462/security/millions-of-sensitive-records-exposed-by-mobile-apps-leaking-back-end-credentials.html and ask the following: (1) State as best you can in plain language this "BaaS access key" issue. (2) What did the researchers find they could access by exploiting the access key problem? (3) What kind of information could be revealed? (4) What do more skilled developers do to avoid such problems? April 28, 2015: Malware is said to be morphing into new forms, according to an article by Computerworld at http://www.computerworld.com/article/2915958/security0/malware-remodeled-new-tricks-new-suits-slamming-enterprise-resources.html?phint=newt%3Dcomputerworld_security&phint=idg_eid%3De906f93e1376704f5965bd3462b84e93#tk.CTWNLE_nlt_security_2015-04-29. After students read the article, perhaps many of them will not understand many of the terms and will become more afraid. Ask them to answer the following in a discussion: (1) How many of you are very pessimistic about your on-line safety? Why? (2) How many of you are optimistic about your own on-line safety? Why? (3) How many of you don't use an anti-virus program? Why? (4) How does putting virus signatures in the cloud help users and anti-virus vendors? Chapter 8: The Business of IT Overview IT serves a variety of customers. This chapter introduces the business-IT maturity model and applies that framework to typical activities expected of the IT department. The purpose of this chapter is to introduce managerial students to using the language of business, financials, and metrics to manage IT. The chapter begins with a discussion about what the IT organization does and does not do and how the leadership within the IT organization ensures that the IT organization’s activities are conducted efficiently and effectively, both domestically and globally. The reader is introduced to the basic elements of a business case, IT portfolio management, and valuing and monitoring IT investments. The remainder of the chapter focuses on funding models and total cost of ownership. New to this edition is an opening case from an interview with Kevin Horner, former CIO of Alcoa, a Fortune 50 company, showing how he developed into a valuable and respected CIO. Discussion Opener: Questions from the Horner interview are provided on the first PowerPoint slide of the chapter, with answers in the notes to the slide. Alternative Discussion Opener: What is the relationship between business strategy and architecture design? How does a company move from architecture design to infrastructure design? Key Points in Chapter This chapter begins with a discussion of how Kevin Horner, former CIO of Alcoa, needed to transform from a technology-minded to a business-minded executive. His initial trouble yielded to great success in his career at the firm. The key point is that success in business requires IT managers to speak the language of business, and that is a language based in accounting and finance. The business-IT maturity model framework identifies characteristics that define the level of maturity for both demand (business needs) and supply of IT services. Ideally, business and IT are at the same level of maturity in order to be more effective. Managers need to know what to expect from the IS organization. This section was included to explicitly discuss how general managers and IT organizations might work together. The IT organization activities are grouped by their related levels of maturity. Activities related to cost reduction (level 1 – order taker view) are developing and maintaining systems, managing supplier relationships, managing data, information and knowledge, managing Internet and network systems, managing human resources, operating the data center, providing general support, and planning for business discontinuities. Business effectiveness (level 2 solutions provider view) is the focus of innovating current processes, establishing architecture platforms and standards, and promoting enterprise security. At the highest level of maturity, innovation (level 3 business partner view) is the goal of the following IT activities: anticipating new technologies, participating in setting and implementing strategic goals, and integrating the use of social IT. IT outsourcing is increasingly employed to meet these organizational needs. (See Chapter 10 for a detailed discussion on sourcing issues.) Global considerations include time zones, language, and cultural differences. Managers must learn to adjust to ever-changing environments. General managers must learn to work with IT professionals, but they must not abandon their responsibilities and control over the processes. The core business processes and strategies must be retained by the business units. As always, the IT strategy must be aligned with the business strategy. The CIO is the chief information officer of a business. This person is an executive, not a day-to-day manager. He or she has the responsibility to help set strategic direction for the business and to help execute the strategic plans from the information systems perspective. A new term used to describe this role is business technology strategist. The historic evolution of the CIO role is explored, emphasizing the importance of executive and strategic positions within the organizational structure. Gartner published an article describing the skills needed for a CIO, and these are included in this chapter. Not all organizations have a CIO. Someone is responsible for running the computers in the business, but no one in particular is charged with helping the business understand the strategic use of IT. There may be no one on the executive team charged with these responsibilities. There are a number of other roles in the IS organization. Some IT organizations have such extensive web organizations that new jobs and roles are creeping up everywhere. In today’s business environment, two new positions are emerging: Chief mobility officer (CMO) and chief social media officer (CSMO). The skills required for these new positions necessitate keeping up with innovative technologies (IT maturity level 3) and determining new ways to create value. Business managers need to develop the critical skill of building a business case. A business case is a structured document where all relevant information needed to make a decision is laid out. It also provides a way to establish IT priorities and to determine which projects to invest in. Figure 8.4 lists the primary elements of a business case. It is critical to identify both costs and benefits (financial and non-financial). The business case is needed to justify the proposed investment. Figures 8.5 and 8.6, as well as the examples surrounding them, are new to this edition. Next, IT portfolio management is discussed. Managing the IT investment is similar to managing the financial investments, with the goal of balancing risks, complexities, and costs. Peter Weill and his colleagues have published extensively on this topic, and we share his framework for the IT portfolio in this section. As every manager knows, the value of an investment is very different than either the cost or the funding approach. The next section of this chapter raises the issue of valuing IT investments. Justifying costs by calculating potential revenue, payback, or budget impacts of IS projects is now the norm for almost all IT investments. The challenge comes from the fact that most benefits of IT investments are intangibles. They are “soft numbers,” such as the increased efficiency of a process or the new business to be gained with the new IS system. This section outlines valuation methods such as Return on Investment (ROI), Net Present Value, Economic value added, and several others. General managers are encouraged to carefully balance the general need for calculating the “hard numbers” with the business objectives and strategic value of “infrastructure investments” such as those typified by many IS investments. Monitoring IT investments is necessary to ensure that benefits are obtained and that costs are controlled. Setting up appropriate metrics and understanding how those metrics affect the perception of the value of the IT investment are critical skills for managers. Communicating the metrics of IT’s performance should not be solely focused on financial metrics. The balanced scorecard and IT dashboards help to communicate information that incorporates a variety of sources. The balanced scorecard, based on the concept by Kaplan and Norton (HBR, 1992) suggests that four perspectives (customer, internal business, innovation, and financial) are necessary to get a realistic picture of the IT organization. While scorecards offer a balanced picture of IT’s performance over a period of time, IT dashboards provide snapshots of the state of the IT function at a given time. Dashboards tend to be summarized using the familiar red-yellow-green indicators and are often electronically available with real-time information. An important feature of dashboards is the ability to “drill down” to investigate the underlying data that creates the aggregated indicator. Four types of dashboards are common: portfolio, business-IT, service, and improvement. The type of dashboard should be selected based on the decision-making purpose. New references and descriptions of IT dashboards are provided in this edition. This chapter provides basic instruction on three funding methods: chargeback, allocation, and corporate budget. Chargeback is when IT costs are recovered by charging the users directly for their consumption of IT products and services. Costs are distributed based on a unit cost, making them the most equitable approach to funding IT. Business managers like this approach because it gives them the most control over their IT costs. If they want to lower IT costs, they clearly understand they must consume less, and likewise, if they plan to increase their consumption, they know they will pay more. But chargeback systems are highly complex and difficult to manage. The difficulty begins with questions such as “what is the correct unit?” and “what is the unit cost?” And issuing a bill to users can be fraught with stress and complexity, depending on the answers to the unit and unit-cost questions. Some organizations produce highly detailed bills for their users, which in turn require audit and time for the users to understand. An additional disadvantage is that the IT expense is difficult to budget since it varies based on actual usage. The other two methods, allocation and corporate budget, alleviate the complexity of a chargeback system, but at the same time, do not distribute costs as equitably. Allocation simply lumps together all of the IT costs into a single charge, and based on a single unit of measure such as number of people in the organization, divides up the costs among the departments. Units that are high-IT-users pay less for their services, and expenses are subsidized by the units that use less. Corporate budget, on the other hand, combines all IT costs into a single budget item, usually at a managerial level distinct from any specific user. The expenses are treated as corporate overhead. The tradeoffs of each method are summarized in Figure 8.12 of the text. While funding approaches dictate the cost recovery mechanism of IT, calculating the actual costs is a completely different story. Three common IT cost calculation approaches are summing up all the expenses (i.e. hardware, software, network, and human labor), activity-based costing (ABC), and total cost of ownership (TCO). Each of these approaches has its place in the business discussion, and often all three are used depending on the accounting question to be answered by the cost calculation. It is important to thoroughly discuss TCO as more companies not only use TCO to determine IT investments, but many software and hardware vendors tout their TCO numbers in marketing. Figure 8.13 (Soft cost considerations) forms the foundation for a new, briefer explanation of TCO. TCO can also help managers understand how infrastructure costs break down: it provides the fullest picture of where managers spend their IT dollars as TCO results can be evaluated over time against industry standards; even without comparison data, the numbers that emerge from TCO studies assist in decisions about budgeting, resource allocation, and organizational structure. Students need to understand Total Cost of Ownership of any IT resource. Illustrative Answers to Discussion Questions 1. Using an organization with which you are familiar, describe the role of the most senior IS professional. Is that person a strategist or an operational manager? Answer: Most students have some work experience on which to formulate an answer to this question. Some students will be familiar with very large Fortune 500 companies, consulting firms, or service organizations, which usually have a CIO in the organizational chart. In that case, they will most likely describe an executive-type individual who is a strategist for the company. In other cases, the student will have worked for a company where the most senior information systems person is either the person running the data center or someone who makes sure all the PCs are running. In that case, the description will be of an operational manager, someone concerned with operations but not involved with the business strategy on a regular basis. Encourage students to provide specific descriptions of the roles of the senior IS professional. In the organization with which I'm familiar, the most senior IS professional, often titled Chief Information Officer (CIO), plays a strategic role in shaping the organization's overall information systems strategy and direction. As a strategist, the CIO collaborates closely with executive leadership to align IS initiatives with business objectives, leveraging technology to drive innovation, competitive advantage, and growth. The CIO is responsible for developing and implementing IT policies, standards, and procedures to ensure the security, reliability, and efficiency of information systems and infrastructure. Additionally, the CIO oversees the development and execution of strategic IT initiatives, such as digital transformation, cloud migration, and data analytics, to enhance operational effectiveness and meet evolving business needs. While the CIO may delegate operational tasks to subordinate managers and teams, their primary focus is on long-term planning, risk management, stakeholder engagement, and fostering a culture of innovation and continuous improvement within the organization. 2. What advantages does a CIO bring to a business? What might be the disadvantages of having a CIO? Answer: The CIO brings both a business perspective and a technical perspective to a business. He or she typically has a technical background (although not always) and a general business background. The CIO helps the senior executive team make decisions with information systems impacts in mind. Not having a CIO might mean that a business decision is made which either costs too much to implement or is technically infeasible. A disadvantage of having a CIO might be that this person is often expensive. Finding someone who understands the business side of the equation as well as the technical side is difficult, and for some organizations it is too costly. Another disadvantage is that in some cases, having a CIO is seen by other managers as a signal that they, themselves, do not have to understand or worry about information systems impacts. Their thinking goes like this: “If there is a CIO, then he/she is going to worry about the IT side of things, and I don’t have to.” But in an increasingly web-based marketplace, every manager must be knowledgeable about IT and understand the impacts as they are wide-reaching and devastating if problems occur. 3. Under what conditions would you recommend using each of these funding methods to pay for information systems expenses: allocation, chargeback, and corporate budget? Answer: The most astute students will identify that the funding method should reflect the corporate culture and governance structures. If most costs are typically charged back to business units, then IS will be expected to charge back. If most expenses are funded through the corporate budget process, then IS will be expected to be funded this way. Another way to think about these methods might be to consider the type of IS investment. Infrastructure investments, which are typically made to provide a foundation upon which other business applications will be built, might be funded through allocation (since everyone uses it and gains some benefits) or budget (since it is a ‘capital investment’ like the buildings, plants, or overhead). Specific business applications might be funded by chargeback, since they benefit a specific group or department in the organization (for example, the sales force automation system is to increase productivity of the sales force). And investments in studying future technologies might be funded through corporate budget since they are experimental and not clearly of benefit to anyone yet. The choice of funding method for information systems expenses depends on various factors such as organizational structure, cost allocation objectives, and budgetary constraints. Allocation, where IS expenses are distributed across departments or cost centers based on predetermined formulas or percentages, is suitable for organizations seeking to promote transparency and accountability while ensuring equitable distribution of costs. Chargeback, where IS expenses are directly billed to the departments or business units consuming IT services, is recommended when there is a need to incentivize cost-conscious behavior and align IT expenditures with actual usage. Corporate budgeting, where IS expenses are funded through a centralized budget managed by the organization, is preferable for strategic initiatives and investments that benefit the entire organization, such as enterprise-wide systems implementations or infrastructure upgrades. Each funding method has its advantages and limitations, and the choice should be based on factors such as cost visibility, cost recovery objectives, organizational culture, and the strategic importance of IS investments in driving business outcomes. 4. In the following table are comparative typical IT portfolio profiles for different business strategies from Weill and Broadbent’s study. Explain why infrastructure investments are higher and transactional and informational investments are lower for a firm with an agility focus than a firm with a cost focus. Also, how would you explain the similar values for strategic investments among the three profiles?
Transactional Investments Infrastructure Investments Informational Investments Strategic Investments
Average firm 25% 46% 18% 11%
Cost focus 27% 44% 18% 11%
Agility focus 24% 51% 15% 10%
Answer: Infrastructure investments are higher for a firm with an agility focus than a cost focus because there are fewer direct cost-savings results from infrastructure investments. Firms with a cost focus require immediate payoff. Likewise, transactional and informational investments are lower for an agility-focused firm (higher for a cost-focused firm) for the same reason. There is no obvious reason that strategic investments are similar for the two types of firms. Perhaps infrastructure is a main source of advantage for an agility-focused firm, so strategic investments are spread among the two categories for such a firm. 5. Describe the conditions under which ROI, payback period, NPV, and EVA are most appropriately applied to information systems investments. Answer: ROI is appropriate when there is a clear investment, a clear recipient of the benefits of that investment, and a clear set of metrics to measure that benefit. For example, if an application in an airline to automate the ticketing process will benefit the operations group by increasing throughput and decreasing agent and process costs, then an ROI calculation is appropriate (calculating the cost of the system, and the financial benefits to be gained). A payback period is appropriate when there are competing investments, both of which seem to have similar benefits. Understanding which one will be ‘covered’ more quickly is a useful piece of information. NPV is appropriate when there is a stream of benefits, and sometimes costs, to be considered over a period of time. For example, an application may have an initial investment and an ongoing maintenance cost, while at the same time, benefits may not start to be seen for several years, but increase annually after that. Comparing investments with different costs and benefit streams is most easily done with an NPV analysis. EVA is particularly appropriate for capital-intensive investments. 6. A new inventory management system for the ABC Company could be developed at a cost of $260,000. The estimated net operating costs and estimated net benefits over six years of operation would be:
Year Estimated Net Operating Costs Estimated Net Benefits Cumulative Costs Cumulative Benefits Benefits-Costs PV Factor NPV
0 $260,000 $ 0 $260,000 $0 -$260,000 1.000 -$260,000
1 7,000 42,000 267,000 42,000 35,000 0.870 30,450
2 9,400 78,000 276,400 120,000 68,600 0.756 51,862
3 11,000 82,000 287,400 202,000 71,000 0.657 46,647
4 14,000 115,000 301,400 317,000 101,000 0.572 57,772
5 15,000 120,000 316,400 437,000 105,000 0.497 52,185
6 25,000 140,000 341,400 577,000 115,000 0.432 49,680
Total $341,400 $577,000 - - $235,600 - $28,596
a. What would the payback period be for this investment? Would it be a good or bad investment? Why? b. What is the ROI for this investment? c. Assuming a 15 percent discount rate, what is this investment’s NPV? Answer: Note: the formula to calculate the PV factor is 1/(1+discount rate)year . This is somewhat confusing in Figure 7.10 (in the text). You do not multiply (1 + discount rate) by year. Rather, the year is used as an exponent. a. The year in which benefits will equal or exceed costs is Year 4. To calculate the time of the year when the cumulative costs equal the cumulative benefits, use the formula: 287,400 +14,000x = 202,000 + 115,000x. This yields the equation 85.4 =101x, or x = .85. The payback period for this investment is 3.85 years, and it is a good investment from this perspective, if there is enough cash to fund it through this period. Of course, the desired payback period is normally set by the firm. If this firm had a payback period of 4 years or less, then this is a good investment. It is likewise a good investment because the future benefits are significant compared to the expenses. b. If the operating costs and net benefits both went to 0 after year 6, the ROI, before considering any discount rate, is $235,600 (i.e., benefits of $577,000 less costs of $341,400). c. If we assume a 15 percent discount rate, the NPV is $28,596. The value of the NPV would be to use this calculation in comparison with an alternative project. The project with the higher NPV would be preferred, all things being equal. 7. Compare and contrast the IT scorecard and dashboard approaches. Which, if any, would be most useful to you, as a general manager? Please explain. Answer: The scorecard is a method for summarizing a balanced view of 4 key types of metrics: customer, financial, innovation, and internal business. This is typically a ‘report’ created based on results over a period of time (quarter, year, etc). The dashboard, on the other hand, is a useful snapshot tool, something that can be used to monitor the changes in key metrics on a frequent basis. Most people think of the ‘dashboard’ like the dashboard of a car or airplane cockpit, which relays real time data such as speed and fuel level. For an IT organization, it might be system reliability, throughput, daily expenses and costs, etc. In comparison, a scorecard might have metrics such as budget, number of employees or projects, and customer profitability or satisfaction. Many metrics lend themselves to either type of reporting mechanism, but the span of time covered in the reported metric varies: dashboards typically report real-time changes, and scorecards report periodic results. 8. TCO is one way to account for costs associated with a specific infrastructure. This method does not include additional costs such as disposal costs—the cost to get rid of the system when it is no longer of use. What other additional costs might be of importance in making total cost calculations? Answer: This is a difficult question given that TCO includes so many of the costs of the system. The goal of this question is to get students thinking beyond the obvious costs of purchasing hardware and software, and maintaining the system. The text suggests that TCO costs include technical support, administrative overhead, and training. Other costs might include integration of new systems with legacy systems, the cost to integrate with vendor or customer systems, physical space, site preparation for the equipment (a new desk, new chair, or even a new room), disposal costs (as mentioned in the question itself) that might be incurred when getting rid of the system, storage costs which might be incurred to store and hold the system when it is no longer of use, and process redesign costs that might be incurred in redesigning processes to fit with the new system. 9. Check out the US Federal government IT dashboard site at http://www.itdashboard.gov/portfolios . Based upon the site: a. Describe the portfolio for the Department of Justice. b. Which investments, if any, appear to be in trouble in the Department of Justice? Based on the information that is provided, can you estimate the status of those projects? Is there any additional information that you think a manager would like to see about the status of the project? Answer: The details provided on this website are likely to change over time. Students should report the current number of investments and the number of major investments. It is helpful for visitors to watch the overview available on the homepage (5 minutes in length). Instructors might choose to show this video in class. This would help students to appreciate the interactive functionality of the site. Currently (as of Aug 31, 2015), of the 21 projects reported in the pie charts evaluated by the CIO, 3 are in a cautionary status (yellow) and none are of concern (red). Project cost issues (in the second pie chart) appear to be steady over time (except for a blip in April-May 2014). According to the cost estimates, sixty projects are in good shape as to budget, but five projects are in the red and eight in the yellow in the current snapshot view. The figures are similar with respect to schedule (third pie chart). After clicking on the red portion of the second bar chart, three agencies are listed at the bottom. Clicking one of these, FBI Top Secret/Sensitive Compartmented Information Operational Network (SCION), reveals that NGSCION Deployment (scrolling to the bottom) is noted as suffering from cost but not schedule variance (red indicator). Other projects (investments) appear to be in good shape. Students should be encouraged to drill down into the data to conduct a thorough analysis of the information presented. However, the results do not adequately explain “why” the goals are unmet. Additional information that would be helpful includes: turnover (particularly of top personnel), external events (e.g. inclement weather), and what steps have been taken to remedy the situation. In some instances, more frequent updates of the data would be helpful (some are monthly, others are quarterly). Further Discussion Questions: 1. What is the essential value of building a business case to justify IT investments? (In your own words, explain the usefulness of this exercise.) Answer: The essential value of building a business case to justify IT investments lies in its ability to align technology initiatives with overarching business objectives and demonstrate the potential return on investment (ROI) to stakeholders. By thoroughly evaluating the costs, benefits, risks, and strategic impact of proposed IT projects, organizations can make informed decisions about resource allocation and prioritize initiatives that offer the greatest value and alignment with business priorities. Additionally, a well-constructed business case provides a clear rationale and justification for IT investments, facilitating buy-in and support from key decision-makers, executives, and other stakeholders. Moreover, the process of building a business case encourages collaboration and communication between IT and business units, fostering a shared understanding of objectives, requirements, and expectations. Furthermore, a robust business case enables organizations to assess alternative solutions, evaluate trade-offs, and make evidence-based decisions to optimize resource allocation and maximize ROI. Ultimately, building a business case helps mitigate risks, enhance project success rates, and ensure that IT investments deliver tangible business outcomes and value to the organization. 2. Many companies today are multi-national corporations. Select a specific industry and summarize the basic considerations companies have about global IT organizations. Answer: In multinational corporations within the banking industry, several key considerations arise regarding global IT organizations. Firstly, there is a need to ensure regulatory compliance and data security across different jurisdictions, navigating complex legal and regulatory frameworks governing financial services and data protection. Secondly, standardization and interoperability of IT systems and applications are essential to enable seamless operations and data exchange across diverse geographic locations. Thirdly, cultural and linguistic diversity must be addressed to promote effective communication and collaboration among global IT teams and stakeholders. Additionally, geopolitical factors such as trade policies, tariffs, and geopolitical tensions can impact IT infrastructure planning, sourcing strategies, and vendor relationships. Furthermore, talent management and skill development are critical to build a globally competent IT workforce capable of addressing diverse business needs and technological challenges. Moreover, establishing robust disaster recovery and business continuity plans is crucial to mitigate risks and ensure uninterrupted IT services in the event of natural disasters, cyberattacks, or geopolitical disruptions. Furthermore, fostering innovation and knowledge sharing across global IT teams can drive continuous improvement and competitive advantage in a rapidly evolving digital landscape. Lastly, strategic partnerships and alliances with local technology providers, government agencies, and industry associations can facilitate market entry and expansion strategies while navigating regulatory complexities and cultural nuances. 3. Discuss the importance of creating a balanced IT portfolio. Explain what might happen if the IT portfolio contained too many high risk projects. Answer: Creating a balanced IT portfolio is crucial for organizations to effectively manage risk, optimize resource allocation, and align IT investments with business objectives. A balanced portfolio typically includes a mix of projects spanning various risk profiles, such as low-risk maintenance initiatives, moderate-risk enhancements, and high-risk innovation projects. If the IT portfolio contained too many high-risk projects, several negative consequences could arise. Firstly, it could lead to increased exposure to financial, operational, and reputational risks, as high-risk projects are more prone to failure or cost overruns. Secondly, it could strain resources and capacity, diverting attention and resources away from other critical initiatives and day-to-day operations. Thirdly, it could hinder strategic agility and flexibility, as organizations become overly committed to risky endeavors with uncertain outcomes. Additionally, a high concentration of high-risk projects may erode stakeholder confidence and trust, jeopardizing support for future IT investments and initiatives. Furthermore, it could result in missed opportunities for incremental improvements and steady progress towards strategic goals, as resources are disproportionately allocated to high-risk endeavors. Moreover, excessive focus on high-risk projects may stifle innovation and experimentation, as failure becomes less tolerable and risk-averse culture prevails. Furthermore, it could strain relationships with external stakeholders, such as customers, partners, and regulators, if high-risk projects fail to deliver expected outcomes or meet regulatory requirements. Ultimately, an imbalanced IT portfolio increases the likelihood of project failures, cost overruns, and missed deadlines, undermining organizational performance and competitiveness in the long run. Cases Case Study 8-1: KLM Airlines (New to 6th edition) This is a short case study (new to this edition) on the airline’s decisions to appoint a new CIO from outside of the IT area to (a) examine outsourcing IT, (b) create a board of business and IT representatives, and (c) to share governance between IT and business units. Discussion Questions 1. What is likely to have led to increased trust for the IT organization? Answer: It is likely that both the perspective and communication are oriented towards business, not towards the technology. Hence, other business representatives likely feel more comfortable that their interests are represented, and can understand any communications from the IT department. 2. What might explain an item that is seemingly unrelated to IT (costs per kilometer flown) decreased as a result of the new CIO structure? Answer: KLM did not know what the real costs were before the new structure. Also, business cases must be made for any new technologies, virtually guaranteeing that cost and revenue structures would improve. The managerially-oriented committees are less likely to acquire technology for technology’s sake. 3. What maturity level did KLM appear to exhibit (a) in 2000? (b) in 2011? Why? Answer: There is no definite information about 2000, but it is possible that IT was positioned as an order taker or solutions provider. In 2011, IT appears to be a business partner. The reason for the change is the governance that became heavily business-oriented later on. 4. Why do you think that KLM requires its employees to use a standard business case template when they want to make an investment? Answer: KLM required the business case template to ensure that new system project investments have business impact, rather than simply exercises in adopting new technology for technology’s sake. Case Study 8-2: Balanced Scorecards at BIOCO This is a short case study on the global automaker’s investment in a cost management system. It cost less than $1 million but has generated millions of dollars in ideas. Discussion Questions 1. What benefits has BIOCO realized from its use of balanced scorecards? Answer: The BIOCO Way has led to better communication between units, focusing on a long term corporate strategic plan. Each business unit is able to determine how best to meet the strategic goals of the organization. Measurement makes sense, and progress can be reported with more accuracy. 2. Do you think the BIOCO approach was useful in helping the IT department align its goals with that of the company? Why or why not? Answer: The BIOCO approach did prove useful for IT alignment. The CIO stated that communication was enhanced, providing a “focal point and common language around the key drivers of the organization.” The IT department was able to provide better service to the business units once required needs were clearly outlined, relative to Balanced Scorecard performance indicators. 3. Do you think that the BIOCO approach could be implemented successfully in large companies? Why or why not? If so, what, if any, adjustments need to be made? Answer: Although it would take more coordination, this approach could be implemented in large companies. The common language and focal points would be even more relevant for improving communication. Executives should first determine whether or not the benefits of the method outweigh the costs (resources, time, communication). It is possible that the effort is too great, and it should be abandoned for another technique. It would require executive support and dedication. 4. BIOCO recently was sold and now has a new CEO. Do you think the BIOCO Way will be as successful under the new CEO? Why or why not? Answer: It is difficult to answer this question with certainty. The BIOCO Way depends, to a great extent, on the CEO’s commitment to the approach. If the new CEO does not support the previous approach, the departments will likely experience rapid decline in participation. It would be as if the corporate direction had been lost. Supplemental Cases The San Diego City Schools: Enterprise Resource Planning Return on Investment by Jeffery, M., Kellogg School of Management. KEL174, 18 pages, 2006 (setting: California) This case study evaluates the ROI on a complex ERP implementation in a non-profit context. The ROI calculation is based on two components: cost savings from retired legacy applications and productivity improvements. Some measurements are hard to quantify. Enterprise Resource Planning Software – Ongoing Maintenance Cost Benefit Analysis by Canniff, M., Richard Ivey School of Business, 906E12, 16 pages, 2006 (setting: USA) The acquisition of PeopleSoft by Oracle is explained, focusing on the financial benefits of the customer base. Students will critically analyze the advantages and disadvantages of large ERP implementations. Information Systems at FirstCaribbean: Choosing a Standard Operating Environment by Beaubien, L. & Mahon, S. Ivey School of Business, 12 pages, 2005 The Canadian Imperial Bank of Commerce and Barclays Bank PLC were in advanced negotiations regarding the potential merger of their respective retail, corporate, and offshore banking operations in the Caribbean. Currently there are four systems in operation in the region; all are carry-overs from the pre-merger operation of the bank. Each of the systems has different pros and cons consisting of degree of fit with the organization strategy, likely impact on organizational culture, and functionality. An Experiential Case Study in IT Project Management Planning: The Petroleum Engineering Economics Evaluation Software Imperative by Davis, C. K.; Idea Group Publishing; 2005 The case covers key issues in information technology dealing with developing a full set of project plans, including milestones, tasks, schedules, staffing, deliverables, and projected costs, for a complex software development project. Volkswagen of America: Managing IT Priorities by Austin, R.D., Ritchie, W., Garrett, G., Harvard Business School Publishing 2005, 19 pages Describes the efforts of Volkswagen of America, the U.S. subsidiary of Volkswagen AG, to arrive at a process for setting IT funding priorities so that they align with business priorities and the company's overall strategy. Recognizing Runaway IS Projects When they Occur: The Bank Consortium Case by Mann, J.C., Idea Publishing Group, IT5616, 8 pages (setting: USA) The case study describes a runaway project that occurred when several savings and loans formed a consortium to create a data center that would develop and operate basic transaction processing software for its members. The case highlights practical issues related to how runaways develop. Supplemental Readings/Articles Gold, R.S. “Follow the Money: IT Finance and Strategic Alignment.” Balanced Scorecard Report, Harvard Business School Publishing, 2004. Gold offers a prescription for overcoming the widespread mismatch between IT's responsibilities and IT funding practices to achieve strategic alignment between IT and the enterprise. Rangan, V. K. “Lofty Missions, Down-to-Earth Plans.” Harvard Business Review; 82(1). Most nonprofits make program decisions based on a mission rather than a strategy. This article outlines a four-step process for nonprofits for developing strategy. Russell, R.H. “The State of IT and Business Alignment—2003.” Balanced Scorecard Report, Harvard Business School Publishing, 2004. Alignment between IT and business strategy is generally improving. However, initiative/budget mismatch persists. This article examines: "How Does IT Funding Affect Alignment?" Seeing the Forest and the Trees: ABC and BSC at Finnforest U.K.HBR Publishing: Balanced Scorecard Report Article, March 15, 2001, article B0103B. When Finnforest Ltd., Europe's largest manufacturer and supplier of timber products, acquired Stantons in 1995, the latter enjoyed a large customer base and strong wholesale and retail relationships. The firm's then finance and information technology director chronicles Finnforest U.K.'s woes and its path to sound management and profitability. The remedy: a combination of activity-based costing and the Balanced Scorecard. Together, the two systems provided much-needed measurability and accountability. Emigh, J. “Total Cost of Ownership,” Computerworld, December 20, 1999. Gartenberg, M. “Myths behind TCO,” Computerworld, October 30, 2000. Liebmann, L. “TCO is a bad measurement tool; use this instead,” Computerworld, February 08, 1999. Billington, J. “The ABCs of ABC: Activity-Based Costing and Management.” Harvard Management Update, 4 (5) 1999. Kaplan, R. “Introduction to Activity-Based-Costing.” HBS Technical Note 9-197-076, 2001. Ross, J., Michael Vitale, and Cynthia Beath. “The Untapped Potential of IT Chargeback.” MIS Quarterly, June 1999, Pg. 215-237. Beath, C. and J. Ross. “Beyond the Business Case: New Approaches to IT Investment.” Sloan Management Review, 43(2) 2002, Pg. 51-59. Books Weill, Peter and Broadbent, Marianne. Leveraging the New Infrastructure: How Market Leaders Capitalize on Information Technology, HBS Press, June 1998. This book has a great model for thinking about IT as an investment portfolio, with infrastructure, transactional, strategic, and informational types of IT investments. Harvard Business Review on the Business Value of IT. HBS Press, Feb. 1999. This book is a compilation of a number of HBR articles related to managing the costs of IT, including outsourcing, planning, and strategic potential. Websites www.infoweek.com, www.computerworld.com These magazines have frequent articles on MIS organizations, CIOs in the news, and strategic business decisions made by information systems executives. www.CIO.com This magazine is devoted to issues of interest to CIOs and senior IS managers. It is a good site for finding current case studies and in-depth interviews with CIOs. www.hbr.harvard.edu This is the website for all Harvard Business School publications, including articles and case studies. www.gartner.com This is the website for Gartner Research. They have an extensive library of TCO, measuring business value, and IT investment portfolio reports. News November 8, 2015, New York Times, pages 6 & 7, There is an interesting article about physical cables can serve as security threats. Fiber cuts (i.e., cutting clumps of fiber optic cables) can bring down parts of the Internet. The physical cables which often are in unprotected, old buildings are frequently overlooked as security risks. Security experts, however, are especially concerned about them, especially where major networks converge at Internet Exchange Points, or I.X.Ps. I.X.Ps should be better protected and redundancy should be built into the system August 16, 2015: The box "Business Process Continuity" on pp. 250-251 describes the need for minimizing disruptions due to threats that would bring down systems. The Associated Press article on Aug. 16 at http://customwire.ap.org/dynamic/stories/U/US_FLIGHT_CONTROL_DELAYS?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT describes another threat--that of software upgrades. Have students read it and answer the following: (1) How many of you have found your IT departments to be slow in upgrading software? Do you have any good examples to tell the class? [if nobody mentions the issue of waiting for the first maintenance update, please mention this and ask if it is a good strategy] (2) Does the AP article seem to explain why that occurs? [Answer: threats from upgrading are another important issue to consider] (3) How might the IT department step up its upgrade schedule yet provide assurances of continuity? [Partial answer: testing thoroughly and promptly) March 12, 2015: There is a new CxO position: The Chief Data Officer. Ask students to read the short article at http://www.computerworld.com/article/2895077/tech-hotshots-the-rise-of-the-chief-data-officer.html and ask them the following: (1) How does the CDO's role differ from the CIO's role? (2) How is the CDO's role different from the CAO's role? (3) How extensive is the use of a CDO in various types of firms? March 9, 2015: The white house has announced an investment of $100 million for fast-track, boot-camp style training because of a need for 545,000 IT personnel in jobs. See http://www.computerworld.com/article/2894417/the-white-house-s-100m-h-1b-funded-tech-job-plan-comes-under-fire.html for the story. Ask students to read the article and to answer the following: (1) Who will pay for the training? (2) Do a little research to find out what is an H-1b visa. (3) What are the arguments against the need for 545,000 workers in the article? Provide the situation at California Edison and arguments of Matloff. (4) What is Janulaitis' estimate of the number of workers? Foote's? Why do you think there is such a disparity from the Obama Administration's estimate? Solution Manual for Managing and Using Information Systems: A Strategic Approach Keri E. Pearlson, Carol S. Saunders, Dennis F. Galletta 9781119244288, 9781118281734
