Lecture notes for lecture 1, 2, 4 and 5. Notes for lecture 3 and 6 are missing.

Lecture 1: Key ICT’s

In this course the following subjects will be discussed:

• Key ICT’s

• Company strategy and information systems strategy

• Changing business processes

• IT Project Management

• IT Security and Ethics

• IT governance

• Management and Leadership

Successful firms have an overriding business strategy driving both their organizational strategy and their information strategy. The firms organizational strategy and decisions regarding the information strategy are all driven by the firm’s business objectives, strategies and tactics. Therefore, the strategy a frim adopts determines the information system strategy they use, which in turn leads to a certain choice in information systems.

An information system consists of four components:

• people,

• the organizational structure,

• processes and,

• technology

In this lecture the aim is to understand how IT has changed the nature of work and learn the key concepts involved.

Real world example: Best Buy

Best Buy is a leading U.S. retailer in electronics who completely transformed it’s view of the ordinary workday. Before employees made long hours, with a directive boss checking their every move. When one day two employees came up with an idea, using technology to let employees perform their work from a variety of places. The new approach is called ROWE and allows for limitless flexibility when it comes to work hours. Employees can choose where and when they want to do their work as long as project goals are satisfied. As a result productivity soared and their voluntary turnover decreased significantly. Other firms, such as IBM and AT&T, started to adopt similar strategies.

A way to evaluate the effect of IT on the work done in a firm is to use the framework for work design, which asks the following questions:

• What work will be performed? Including an assessment of specific desired outcomes, inputs and the transportation needed to turn inputs into outputs.

• Who is going to be doing the work? Is it possible to automate the tasks at hand, or if a person is involved, what skills are needed?

• Where will the work be performed? Does it need to happen locally at a company office?

• When will the work be performed? Is it possible to use flexible schedules?

Additionally, the company should think about how IT could possibly increase the effectiveness of the workers doing the work. How can IT support collaboration?

Chapter 11: Business Analytics and Knowledge Management

In the book a case example is mentioned about a hotel doubling its revenues by analysing customer data. Through data mining management discovered the preferences of customers, resulting in a competitive advantage. Data mining stimulates business intelligence and is a process of analysing data warehouses for possible “gems” that can be used in management decision making. Using algorithms to find patterns in the customer data you would normally not detect. When an unusual pattern is detected, this information can be used to improve sales.

What is knowledge?

There are two types of knowledge, namely tacit and explicit knowledge. Tacit knowledge is knowledge collected through for instance experience, while conceptual knowledge is factual. The idea behind information systems is turning tacit knowledge into explicit knowledge as much as possible, as explicit knowledge can be articulated, codified and transferred with relative ease. Tacit knowledge, on the other hand, is the type of knowledge that individuals possess but find difficult to articulate.

Business intelligence (BI) is a group of technologies and processes that use data to understand and analyse business performance. Questions asked in business intelligence are for instance:

• What products get sent back more often?

• Which phone calls take longer?

And of course, why does this happen?

Customer relationship management (CRM) is the management of activities performed to obtain, enhance, and retain customers. It’s a coordinated set of activities revolving around the customer. CRM consists of two components, an analytical component and an operational component.

The operational component entails gathering information through both inbound and outbound touchpoints, such as:

The information gathered is stored in an operational data store and the knowledge is transferred to a data warehouse, the analytical component. These warehouses are often split up in several smaller data warehouses. They then analyse the data through several channels, which can be divided into two categories. Analytical tools, such as ad hoc query, reports, OLAP and data mining, and analytical applications, such as campaign management, churn analysis, propensity scoring and customer profitability analysis.

Big data is data on a huge scale. Large datasets are desirable because of the potential trends and analytics that can be extracted. However, big data also requires specialized computers and tools in order to mine data. Techniques and technologies that make it economical to deal with very large datasets at the extreme end of the scale.Big data is more common because of the rich, unstructured data streams that are created by social IT.

Enterprise Systems are systems offering a complete suite of integrated applications, one systems doing everything. Nevertheless, in real life it is often not quite feasible to have everything a firm needs in one system. An enterprise system is a single integrated database a firm can use instead of different databases for e.g. finance, controlling accounting, customer service, sales, marketing, human resources, engineering

Systems applications and processes (SAP), a transactional system gathering really boring transactional data, such as; who bought what, when and how much etc… These system applications and processes are hard to implement as they add business intelligence. SAP in combination with business intelligence means being able to mine and analyse data. Analysing in order to have a comparative advantage over a rivalling firm.

Cloud computing Is the delivery of computing as a service rather than a product, whereby shared resources, software and information are provided to computers and other devices as a utility over a network, typically the internet. Typically provided as a subscription service. There are several different types of cloud:

• Infrastructure as a service (servers, storage, and bandwidth)

• Platform as a service (platform for developing custom apps and software that integrates with existing apps

• Software as a service

• Private cloud

Lecture 2: Company strategy and information systems strategy

IT decisions made within a firm are no longer technical decisions. They influence the entire business and their strategy and are therefore business decisions. When a company is determining where to build an IT centre, for instance the trading floor of ABN AMRO, there are several factors that need to be kept in mind. Some examples are, the distance to the targeted market, networking possibilities and access to a skilled workforce.

Nowadays, information technology is continuously changing. While in the early days making information technology work took some incredibly smart people, at present we have the technology, however, are now trying to integrate all these different technologies. The question is: how do we adjust the existing technology to make it more efficient? People in our present society need to have a lot of different skills. Having one is no longer enough as it makes you very vulnerable to change. On the other hand, we need to excel in order to get a good job. In conclusion, we need to have a lot of different skills, but be very good at them at the same time.

People are flexible, IT is as well, but only to a certain extend. As a result IT is often the bottleneck of an organisation, we cannot increase the capabilities of technology endlessly. Therefore, it is important to try and identify the strategic triggers within an organisation, what are the limitations we need to take into account?

Example: ZARA

ZARA sends Spanish employees abroad as expatriates to become shop managers in their stores, while still communicating with the headquarters in Spain. As a result the ZARA stores are always big, as their shop managers are very expensive. Additionally, they have an enormous distribution centre in Spain, why Spain? Ridiculous location for a distribution centre, yet it works. 1 million items per day are distributed.

They make up for the costs of efficiency by bringing more items to the shops. They change their collection every two weeks, not coming in to the shop for a couple of weeks means missing an entire collection. As a result it took them a while to create a functioning web shop, as by the time they had put everything on the site, the collection changed, or they had already sold out. They use their shops as advertisement, not having to spend any money on other advertising options. This makes up for their inefficiencies, as everything is standardised.

In the book Porters ideas about how to gain a competitive advantage are explained, his concept consists of several components:

• A different value proposition

• A differentiated value chain

• Trade-offs

• Ft of activities

• Continuity + sustainable strategy

When applying Porters model to ZARA we get the following:

In comparison to similar kind of shops, ZARA has a different value proposition, the items they sell are more fashionable. They have a differentiated value chain, producing their products in another way, namely in their own region. Additionally, their value chain is extremely fast. Their Spanish shop managers communicate with headquarters in order to get a good insight in the demand in the shops. They accept their higher costs for manufacturing as manufacturing in their own region makes them faster than anybody else (trade-offs). And last, but not least, they have fit of activities and offer continuity. In the end, only the company that has the biggest market share will have any returns on IT. So try to differentiate. The strength of ZARA is its distribution centre. So try to distribute even more, make it even faster.

H&M vs. Zara

In order to compete H&M needed to come up with a new (high-end) concept, however, in order to compete you need to do exactly the same as your competitor. H&M tried to come up with a high end product but did not succeed, so instead they came up with a low-cost/low-end product and lost their market share. (Quote: Their attempts looked like Volvo’s, not fashionable. Nowadays they have a fashionable corner but it took them 10 years…)

Commanding a premium price

• How can you make your banking customers more enthusiastic about your product? Add more services.

• Allowing the buyer to enhance non-price value with its customers

Non-price value; e.g. Lacoste -> crocodile.

Everybody can do business everywhere, IT makes competition a lot tougher. The rules of strategy do not change but IT does complicate it. So always try to come up with a way to increase user satisfaction. For instance through adding a crocodile to your brand.

KLM vs. EasyJet

KLM can only compete with EasyJet by doing the same thing they are doing. However, KLM cannot lower their costs. E.g. business class tickets, waiting for business class people before taking off, offering meals and therefore, having to wait for meal catering etc…

EasyJet just flies, they have a 15 min window, the plane arrives, passengers get off, new passengers get on and they take off again. Passengers do not get a seat number, this also saves time, and they do not depend on external parties.

Question: Should Zara invest in China?

• If they want to sell in China, they have the same disadvantage H&M has in Europe. H&M produces in China and has to distribute their products to Europe, while Zara would have to transport their products to China.

• Yes they should, China is simply too big a market not to.

Lecture 4: IT Project Management

Definitions

What is a project?

A project is a temporary endeavour undertaken to create a unique product or service. A practical example of a project is for instance planning a party. When you plan a party your project has a beginning and an end. You start by planning the party, you buy drinks and snacks, you invite the people you want to come to your party and afterwards you clean up. A project has to distinct aspects. First of all, it’s temporary and secondly, it has a unique purpose. Which can either be creating an unique product or service or the development of a unique process.

In order to manage these projects adequately project managers need the following skills:

1. 1. Identifying requirements of the systems to be delivered.

   2. Defining the team’s structure, providing organizational integration.

   3. Assigning team members to projects.

   4. Managing risks and leveraging opportunities, when talking about risk think of unforeseen problems arising when planning your party (see example of a project).

   5. Measuring the project’s status, outcomes, and exception to provide project control.

   6. Making the project visible to general management and other stakeholders. Stakeholders are the people who have interest in the project’s outcome. An example of stakeholders is, for instance, when the university is setting up a new master’s program. There are several groups of stakeholders involved, namely, faculty employees, the university itself, organizations and companies wanting to hire students from the program, sponsors and even the parents of the new students sponsoring their children’s education.

   7. Measuring project status against the plan, often using project management software.

   8. Taking corrective action when necessary to get the project back on track.

   9. Project leadership.

A projects has a project manager who is responsible for the performance of the project team. Additionally the project team, managed by the project managers has a responsibility towards the different stakeholders involved in the project and last but not least the sponsors need to be satisfied at the end of the project. If not, funding will stop and resource availability will decrease.

Selecting a project manager

When selecting a project manager there are several skills to focus on. First of all, communication skills. A project manager needs to understand the projects he or she is working on, and really believe it to be a good thing. Additionally, it is important for a project manager to project his own enthusiasm on to the project team, thereby motivating and encouraging them. Secondly, the person selected should be someone with influence, most often a higher management employee is chosen. However, sometimes a middle management employee is very influential, charismatic, and qualifies for the job as well.

A project manager is responsible for the success of the IT project. Surprisingly enough, 70-80% of projects fail. A project is called successful when it meets the expectations of its stakeholders. Deadlines are met, both beginning and end times, and the project is running on schedule. Lastly, the project needs to stay within budget. The main reason for projects to fail is resistance. In general, people do not like change, they are scared of new technologies and with the lack of proper training resistance increases. Additionally, it happens quite often that people are not involved in the project early enough.

Not many people intend on becoming a people manager in IT, however, many IB students will in the end become IT experts. For example, you work as a middle manager for a firm, but a systems change need to take place. The manager will be closely engaged in the project, and unknowingly become an IT expert.

When deciding on whether or not a project was successful the project triangle can be used, consisting of:

1. Time (planning or schedule)

2. Budget

3. Scope = what does it need to look like? (Think of writing a paper, how many pages does it need to be? How do the questions need to be answered?)

When starting on a project it makes sense to start with making a plan, after which you’ll execute it and in the end you will evaluate the outcome. However, the process of planning, executing and controlling takes place continuously. In real life it often happens that the plans you make turn out to be unrealistic, unexpected problems might occur or you fall behind on schedule due to illness or pregnancy of one of the project team members. Therefore, this process is more of a circular chain of activities.

How to deal with challenges while managing a project?

First of all, it is important to understand what the client needs. This is actually way more difficult than it sounds. Often the client doesn’t even know himself. You start with a brainstorm session with the client about what the project needs to entail. Afterwards you make a plan and show it to the client. However, it often happens that once you show your plan, containing all the features you discussed together during your brainstorm session, it turns out the client wants something completely different. Meaning you have to readjust the entire plan. In order to minimize this risk it is important to have a very detailed planning session and write down the discussed requirements. It can be useful to run unfinished pilots with the client, so you know early on what he or she want and what not.

Secondly, control. As a project manager you need to control and control again. Think of group study assignments, when you agree to put several pieces together the day before the deadline and someone turns out to be sick, or simply does not show up you have a problem. As the manager of the group this problem, will be your responsibility. So in order to successfully finish the project it is very important to control constantly.

Thirdly, always communicate with the client. Clear communication can save you a lot of trouble.

Lastly, document all results and get the client to sign-off on it. If you document the things you discuss and agree on, and get the client to sign-off on it you have something to fall back on. It becomes official and people feel more responsible once they have signed something. People will be more likely to stick to agreements when you have actual evidence. Additionally, sometimes, even though you included all the agreed upon requirements in the project, the client is not satisfied. When you have documented all communication you can show the client you did what was asked. Meaning you cannot be held responsible for the client not knowing what he or she wanted.

Multiple stakeholders

When there are multiple stakeholders involved in a project it can be difficult to get things done and decisions made. So what do you do? The first step is showing them the possible benefits of the project. When giving a presentation keep it interactive and try to involve as many stakeholders as possible. When you make the final decision depends upon the enthusiasm of the people involved. Important is to do your ground work, work individually with everybody. Not via email or some other mass media platform, but talk to them personally, individually. Make your decision before the actual meeting and make sure to get everybody’s consent before the meeting.

Why not make the decision without the agreement of all individual stakeholder, you are the project manager in the end? Because you’ll soon learn that you have less authority than you might originally think. For instance, when a company has a matrix structure, different divisions for different activities, you, as a project manager, might need employees from several divisions. Entailing that you initially might not even know all the people you’ll be working with. Even if you do have formal authority, when you do not communicate with and will the team, your project might fail as they refuse to put in the effort.

Project elements

A project is made up of four essential project elements, which are necessary to assure a high probability of project success:

1. Project management. Every project needs it’s project sponsor and a project manager.

2. A project team. In order to work on a project successfully a project needs a project team.

3. A project cycle plan. Including the methodology, a schedule and the sequential steps of tracking and organizing the work of the team.

4. A common project vocabulary. In order to create effective communication you will need a common ‘language’. Different departments might use different acronyms. In order to communicate effectively you’ll need to be on the same page.

Project planning

When making a project planning it is important to distinguish big tasks from small tasks. Therefore, a big part of making a planning is identifying tasks. Once you have determined the different tasks, you generally order them, what comes first, and what comes next? What depends on what? Then you schedule the tasks, often starting at the end and working your way back to the beginning. In order to do so effectively you need to estimate the time you’ll approximately spend on each individual task. These estimates are generally based on previous experience. If you really have no idea how long a specific task will take you can always ask the person that will be executing the task. It might be handy to ask your team member anyway whether they believe something is missing from the schedule or in need of adjustment. You can even time yourself doing certain tasks if you want to be precise. Once the timeframe is finished you start assigning the resources, people and machines.

Identifying different tasks and breaking down the work that needs to be done can be difficult. Therefore, the work breakdown structure (WSB) is used. When breaking down tasks and dividing them risk is being reduced. Additionally, it provides a way to illustrate the component parts of single task.

Example of building a house

1. Develop plans

2. Obtain permits

3. Arrange subcontractors

4. Build foundation

5. Build walls

6. Build roof

7. Finish interior

   • Break every single task down into sub-tasks

Make a figure

1. Name of the project

   1. 1.0 task A

      1. 1.1 sub-task 1

      2. 1.2 sub-task 1

You do not need to break everything down to the same level, break it down as far as it makes sense.

Risk management – key elements

1. Identify the risks

2. Assessment of the risks

   1. Potential outcomes

   2. Chance

   3. Priorities

   4. Mitigation plan

3. Response

4. Documentation

   1. The original plan should be continuously updated

   2. Raise issues and communicate clearly, if something changes, talk about it with your boss or manager.

Once the project is over there are two important things to do. First of all, throw a party to celebrate your success and show you appreciation for the project team. Secondly, ‘lessons learned’, get together with the team and talk about what you did, what went well and what didn’t. Document this conversation and save it. Maybe transfer it to someone else doing a similar kind of project. Evaluation does not only take place once implementation is finished but also in a few years. How did the project turn out, look at for instance financial savings as a result of the project or other intangible benefits resulting from it. What is the return on investment, have we gained enough. Sometimes you plan a new project in order to make your first project more efficient/better.

For example: sometimes a new project makes a process less efficient and more steps need to be taken in order to accomplish the same result. However, overall the project might still be more efficient.

Lecture 5: IT Governance

Contemporary Issues in IT security

When thinking about it, IT security if a pretty scary field as there are a lot of incidents. For instance, somebody hacked into Zuckerberg’s Facebook account. Or somebody was able to infect American Drones. All anti-virus companies have been hacked, they are of course an obvious target, but still. You can even find a clip on YouTube explaining step by step how to hack into any cell phone on the planet. Resulting in anybody being able to hack into for instance Merkel’s phone. However, with some ‘personal hygiene’ it is still possible to be relatively safe.

It is important in the IT field to always remain careful as IT people love hacking and will always continue to do so. There are three categories of hackers which you will need to keep in mind.

1. Proprietary staff, be careful with your own staff.

2. (young) hackers, they might not really know what they are doing but there are a lot of them.

3. Professional criminals (including governments).

In order to protect yourself make sure you have tested layers of defence. Think of old castles having a moat, resulting in the fact that only people who could swim could get through the first layer of defence.

There are three types of controls, namely:

• Preventive controls

• Detective controls

• Corrective controls

At the moment when a new computer program is made, 50% of the entire program is made up of controls.

Preventive controls

Examples of preventive controls are for instance user access controls (authentication and authorization) or physical access controls such as locks and guards. Additionally, we use network access controls such as firewalls that are able to differentiate between messages intended for the computer and messages not intended for the computer, or intrusion detection system preventing others from entering your PC. Device and software hardening controls (configuration options) are also preventive controls.

Not immediately updating your software I very risky and one of the ways young hackers succeed in hacking PC’s. Once a new software update is available lists of known problems with the old software version are put online. All a young hacker needs to do is find these lists stating how you can get in and take advantage of these known problems.

Another risk is the fact that we make a distinction between one person and the next when it comes to access to certain facilities. This is a very labour intensive way of providing limited access to individuals. For instance, and American doctor comes to Groningen to work at the UMCG. His task description is very broad and on Monday morning he decides to see some patients. However, he does not have access to the right wing of the hospital. Another doctor, therefore, offers him to use his ID card to get in and get access. This way the hospital can no trace which doctor saw what patients. How do we even know he is a doctor?

Passwords

The process of information storage consists of the following elements:

Input -> transport -> processing -> storage -> reporting

It is always possible to follow the system and find the problem, no matter in what stage of the process the problem is. However, some areas are more problem prone than others. For instance, input. An example is unlimited password trials, as it will only be a matter of seconds before a hacker gets into your account, depending on the number of digits of your password. Advise: have a password of at least 9 digits. Nowadays there are robots available just for cracking the passwords of mobile phones. Another risk, is when you have a website or a device remember your passwords and usernames. It might be convenient, but also very risky.

How to get a safe password you can still remember?

Example:

I want to graduate as soon as possible in 2017

Wnttgradtssnspssbln2017

Detective controls

How do you know you have been hacked? Detective controls detect hacks. One way to do so is by doing a log analysis. Which is the process of examining logs in order to identify evidence of possible hacks. Additionally, you can use intrusion detection. Sensors and a central monitoring unit that create logs of networking traffic that was permitted to pass the firewall. After which these logs are analysed for signs of attempted of successful intrusions. Lastly, managerial reports and security testing is used to detect possible hacks in time to control them.

Transport

Messages that are being transported can be detected and thereby, everything that is not encrypted can be read by others. The internet is a network, and all the messages send, pass by this network. These messages look like a real envelope, consisting of both a heading and a message. Sniffling is simple and encryption is still never a 100% secure but makes transport a lot safer. Additionally, it can be wise to add or remove data. Big companies have more to spend on protection, however, they need to spend more as they are a more logical target.

Corrective controls

Once you have evidence of the fact that you have been hacked you need to control the situation. Corrective controls can be seen as the army you hire in order to protect yourself when there is a problem. There are several corrective controls that can be used:

1. Computer Incident Response Team

2. Chief Information Security Officer (CISO), who is independently responsible for the information security of a certain employee at senior level

3. Patch Management ( a patch is another word for a fix)

4. Back-up facilities (cold or warm sites)

These days there is zero tolerance for computer failure. Imagine what would happen and how people would react is Google were to fail to operate for even 3 days. Top Performers at the moment are Google and Apple.

Suggestions for internet safety

• Refrain from password usage for financial services. As the only reason why some ING mobile banking users have not been hacked yet, is because they are not an interesting enough target.

• Try to apply two-way identification

• Use a pseudonym, abbreviations or multiple identities

• Try and take a look at your own risk exposure (what is on my PC that could be really problematic?)

• Make sure you have virus protection and update it when an update is available. This counts for system software updates as well, best is to assure automatic updating.

• Make sure you have a back-up, nowadays it is possible to have this done automatically (for instance on an Apple PC).

• Even though Apple is more secure than others, it is still not entirely safe. Always use virus protection.

Sarbanes-Oxley Act of 2002

The Sarbanes-Oxley Act of 2002, in the US, states that the CEO and CFO of a company are responsible to certify that the financial statements of the firm fairly represent the results of the company’s activities. As the accuracy of the organization’s financial statements depends heavily upon the reliability of the company’s information systems the CEO and CFO are indirectly held responsible for the information systems of the company.

However, the act only states that the information systems need to have ‘adequate controls’ (see the book for the Cobit framework). But not what adequate controls entail.

Privacy in Europe vs. US

The privacy laws differ per country, however, there are some generally accepted privacy principles (for a more detailed description see the book), namely:

1. Management

2. Notice

3. Choice and Consent

4. Collection

5. Use and Retention

6. Access

7. Disclosure to 3^rd parties

8. Security

Pay attention: it was mentioned in the lecture that is was very possible there would be a question about these principles in the exam. For instance, which one is not a general accepted privacy principle?

The main difference between the privacy laws in the US and the privacy laws in Europe is that, in the US they hold the believe that as long as customers by your products you are not crossing any lines. An example is Google. If rules were broken, customers would simply stop buying/using your products. In Europe, on the other hand it is more like (quote): “I see a car driving through my street taking pictures, I do not like this. Google is crossing a line.”

Summary

• Be aware of the fact that anybody can read you unencrypted messages online.

• Use Vasco Reader when using financial systems.

• Use unique passwords for every service, with a minimum of 9 characters.

• Acquaintances do not necessarily have to be acquaintances online, you can send messages to any recipient. However, the recipient will be the one receiving the response.

• Make sure you can read both the sender and recipient information before opening a message.

• Be aware of the fact that mobile networks these days are very insecure.