Introduction Information System


INTRODUCTION INFORMATION SYSTEM

Basically, an Information System handles the flow and maintenance of information that supports a business or some other operation. It contains information about significant people, places and things within the organization or in the environment surrounding it. Information is derived from meaningful interpretation of data. Data consists of the raw facts representing events occurring in the organization before they are organized into an understandable and useful form for humans.

An Information System can be defined technically as a set of interrelated components that collect (or retrieve), process, store and distribute information to support decision making and control in an organization. Another definition of an information system (by Buckingham et al., 1987b) is:

A system which assembles, stores, processes, and delivers information relevant to an organization (or to a society), in such a way that the information is accessible and useful to those who wish to use it, including managers, staff, clients and citizens.

An information system is a human activity (social) system, which may or may not involve the use of computer systems. Also, in addition to supporting decision-making, information systems help workers and managers to analyze complex problems, to develop new products and to integrate the various modules and departments. Moreover, the 'transmission losses' in inter-departmental communication are reduced considerably, leading to better coordination and improved transparency (information sharing) within the organization as a whole.

Three activities provide the information that organizations need. These activities are Input, Processing and Output. 'Input' consists of acquisition of the 'raw data', which is transformed into more meaningful packets of 'Information' by means of 'Processing'. The processed information now flows to the users or activities, also called 'Output'. The shortcomings are analyzed and the information is sent back to the appropriate members of the organization to help them evaluate and refine the input. This is termed 'feedback'.

Examples of 'Information Inputs' would be transactions and events, which would undergo 'processing' in the form of sorting, listing, merging and updating, resulting in 'outputs' such as detailed reports, lists and summaries. Another example would be in the manufacturing environment, with 'information inputs' such as design specs, material requirements and the SOPs (standard operating procedures). These would be 'processed' by the information system by modeling and simulation techniques and would result in standard production models along with the overall cost of the production process, which is calculated by the information system from the knowledge base containing material costs, hourly labor costs and other indirect costs, hence almost totally eliminating a distinct costing function in the scheme of things.

 


However, an information system cannot just be broadly described as an Input-Process-Output mechanism in a vacuum. It is required to provide major organizational solutions to challenges and problems posed in the business environment. Hence a manager needs to be not just computer-literate but also have a good idea of the organizational structure and functions as a whole. This concept is illustrated in the figure on the opening page.

Also, at the heart of the issue, information systems should not be confused with information technology. They exist independent of each other and irrespective of whether they are implemented well. Information systems use computers (or Information Technology) as tools for the storing and rapid processing of information leading to analysis, decision-making and better coordination and control. Hence information technology forms the basis of modern information systems.

Different Kinds of Systems

Information systems support different types of decisions at different levels of the organizational hierarchy. While operational managers mostly make structured decisions, senior managers deal with unstructured decisions; middle managers are often faced with semistructured decisions. For each functional area in the organization, four levels of organizational hierarchy can be identified, depending on the author: the operational level, knowledge level, management level and strategic level. Each of these levels is served by different types of information systems.

FOUR GENERAL KINDS OF IS

Operational-level systems
Support operational managers by monitoring the day-to-day elementary activities and transactions of the organization, e.g. TPS.

Knowledge-level systems
Support knowledge and data workers in designing products, distributing information, and coping with paperwork in an organization, e.g. KWS, OAS.

Management-level systems
Support the monitoring, controlling, decision-making, and administrative activities of middle managers, e.g. MIS, DSS.

Strategic-level systems
Support long-range planning activities of senior management, e.g. ESS.

[Figure: Kinds of Information Systems. Kind of system and groups served: strategic level (senior managers), management level (middle managers), knowledge level (knowledge & …). Functional areas: sales & marketing, manufacturing & engineering, finance, accounting, human resources.]

MAJOR TYPES OF SYSTEMS

• Executive Support Systems (ESS)
• Management Information Systems (MIS)
• Decision Support Systems (DSS)
• Knowledge Work Systems (KWS)
• Office Automation Systems (OAS)
• Transaction Processing Systems (TPS)

Transaction Processing Systems (TPS) record daily routine transactions such as sales orders from customers, or bank deposits and withdrawals. TPS are vital for the organization, as they gather all the input necessary for other types of systems. Think about how one could generate a monthly sales report for middle management or critical marketing information to senior managers without TPS. TPS provide the basic input to the company's database. A failure in the TPS often means disaster for the organization. Imagine what happens when the reservation system at Turkish Airlines fails: all operations stop, no transactions can be carried out until the system is up again. Long queues form in front of ATMs and tellers when a bank's TPS crashes.

• TYPE: Operational-level
• INPUTS: transactions, events
• PROCESSING: updating
• OUTPUTS: detailed reports

A Symbolic Representation for a payroll TPS

Knowledge Work Systems (KWS) support highly skilled knowledge workers in the creation and integration of new knowledge into the company. Computer Aided Design (CAD) systems used by product designers not only allow them to easily make modifications without having to redraw the entire object (just like word processors for documents), but also enable them to test the product without having to build physical prototypes. Three dimensional graphical simulation systems like GRASP (Graphical Robotics Applications Simulation Package) are used by British Aerospace and Rolls Royce for evaluating and programming industrial robots. Architects use CAD software to create, modify, evaluate and test their designs; such systems can generate photo realistic pictures, simulating the lighting in rooms at different times of the day, and perform calculations, for instance on the amount of paint required. Surgeons use sophisticated CAD systems to design operations. Financial institutions are using knowledge work systems to support trading and portfolio management with powerful high-end PCs. These allow managers to get instantaneous analysed results on huge amounts of financial data and provide access to external databases.

• TYPE: Knowledge-level
• INPUTS: design specifications
• PROCESSING: modelling
• OUTPUTS: designs, graphics
• USERS: technical staff; professionals

EXAMPLE: Engineering workstations

Office Automation Systems (OAS) support general office work for handling and managing documents and facilitating communication. Text and image processing systems evolved from word processors to desktop publishing, enabling the creation of professional documents with graphics and special layout features. Spreadsheets, presentation packages like PowerPoint, personal database systems and note-taking systems (appointment book, notepad, cardfile) are part of OAS. In addition, OAS includes communication systems for transmitting messages and documents (e-mail) and teleconferencing capabilities.

• TYPE: Knowledge-level
• INPUTS: documents, schedules
• PROCESSING: document management, scheduling, communication
• OUTPUTS: documents; schedules
• USERS: clerical workers

EXAMPLE: document imaging system

Management Information Systems (MIS) generate information for monitoring performance (e.g. productivity information) and maintaining coordination (e.g. between purchasing and accounts payable). MIS extract, process and summarize data from the TPS and provide periodic (weekly, monthly, quarterly) reports to managers.

Today MIS are becoming more flexible by providing access to information whenever needed (rather than pre-specified reports on a periodic basis). Users can often generate more customised reports by selecting subsets of data (such as listing the products with 2% increase in sales over the past month), using different sorting options (by sales region, by salesperson, by highest volume of sales) and different display choices (graphical, tabular).

Characteristics of Management Information Systems

• MIS support structured decisions at the operational and management control levels. However, they are also useful for planning purposes of senior management staff.
• MIS are generally reporting and control oriented. They are designed to report on existing operations and therefore to help provide day-to-day control of operations.
• MIS rely on existing corporate data and data flows.
• MIS have little analytical capability.
• MIS generally aid in decision making using past and present data.
• MIS are relatively inflexible.
• MIS have an internal rather than an external orientation.

Decision Support Systems (DSS) support analytical work in semistructured or unstructured situations. They enable managers to answer "What if?" questions by providing powerful models and tools (simulation, optimisation) to evaluate alternatives (e.g. evaluating alternative marketing plans). DSS are user-friendly and highly interactive. Although they use data from the TPS and MIS, they also allow the inclusion of new data, often from external sources, such as current share prices or prices of competitors.

• TYPE: Management-level
• INPUTS: low volume data
• PROCESSING: simulations, analysis
• OUTPUTS: decision analysis
• USERS: professionals, staff managers
• DECISION-MAKING: semi-structured

EXAMPLE: sales region analysis

Characteristics of Decision-Support Systems

• DSS offer users flexibility, adaptability, and a quick response.
• DSS operate with little or no assistance from professional programmers.
• DSS provide support for decisions and problems whose solutions cannot be specified in advance.
• DSS use sophisticated data analysis and modelling tools.

Executive Support Systems (ESS) or Executive Information Systems (EIS) provide a generalized computing and communication environment to senior managers to support strategic decisions. They draw data from the MIS and allow communication with external sources of information. But unlike DSS, they are not designed to use analytical models for specific problem solving. ESS is designed to facilitate senior managers' access to information quickly and effectively. ESS have menu driven user friendly interfaces, interactive graphics to help visualization of the situation, and communication capabilities that link the senior executive to the external databases he requires.

• TYPE: Strategic level
• INPUTS: aggregate data; internal and external
• PROCESSING: interactive
• OUTPUTS: projections
• USERS: senior managers
• DECISION-MAKING: highly unstructured

EXAMPLE: 5 year operating plan

Model of a Typical Executive Support System

Major Types of Information Systems


Classification of IS by Organizational Structure

• Departmental Information Systems
• Enterprise Information System
• Inter-organizational Systems

Classification of IS by Functional Area

• The accounting information system
• The finance information system
• The manufacturing (operations, production) information system
• The marketing information system
• The human resources information system

Sales & Marketing Systems
Systems that help the firm identify customers for the firm’s products or services, develop products and services to meet customers’ needs, promote products and services, sell the products and services, and provide ongoing customer support.

Manufacturing and Production Systems
Systems that deal with the planning, development, and production of products and services and with controlling the flow of production.

Finance and Accounting Systems
Systems that keep track of the firm’s financial assets and fund flows.

Human Resources Systems
Systems that maintain employee records; track employee skills, job performance, and training; and support planning for employee compensation and career development.

Examples of Business Processes


Customer Relationship Management

Customer relationship management: Business and technology discipline to coordinate all of the business processes for dealing with customers.

Supply chain management: Integration of supplier, distributor, and customer logistics requirements into one cohesive process.

Supply chain: Network of facilities for procuring materials, transforming raw materials into finished products, and distributing finished products to customers.

HOW INFORMATION SYSTEMS CAN FACILITATE SUPPLY CHAIN MANAGEMENT

Information systems can help participants in the supply chain:

• Decide when and what to produce, store, and move
• Rapidly communicate orders
• Track the status of orders
• Check inventory availability and monitor inventory levels
• Track shipments
• Plan production based on actual customer demand
• Rapidly communicate changes in product design
• Provide product specifications
• Share information about defect rates and returns

Enterprise Systems
Firm wide information systems that integrate key business processes so that information can flow freely between different parts of the firm.

Traditional View of Systems

Enterprise Systems

Benefits and Challenges of Enterprise Systems

Benefits
• Firm structure and organization: One Organization
• Management: Firm wide Knowledge-based Management Processes
• Technology: Unified Platform
• Business: More Efficient Operations and Customer-driven Business Processes

Challenges
• Daunting Implementation
• High Up-front Costs and Future Benefits
• Inflexibility

Positive and Negative Impacts of Information Systems

Benefit: Information systems can perform calculations or process paperwork much faster than people.
Negative impact: By automating activities that were previously performed by people, information systems may eliminate jobs.

Benefit: Information systems can help companies learn more about the purchase patterns and the preferences of the customers.
Negative impact: Information systems may allow organizations to collect personal details about people that violate their privacy.

Benefit: Information systems provide new efficiencies through services such as automated teller machines (ATMs), telephone systems, or computer controlled airplanes and air terminals.
Negative impact: Information systems are used in so many aspects of everyday life that system outages can cause shutdowns of businesses or transportation services, paralyzing communities.

Benefit: Information systems have made possible new medical advances in surgery, radiology, and patient monitoring.
Negative impact: Heavy users of information systems may suffer repetitive stress injury, techno stress, and other health problems.

Benefit: The internet distributes information instantly to millions of people across the world.
Negative impact: The internet can be used to distribute illegal copies of software, books, articles, and other intellectual property.

Management's focus must continually change to take advantage of new opportunities. Changes should take place throughout the organization. They require lots of attention and planning for smooth execution.

Ecommerce definition and types of ecommerce


Ecommerce (e-commerce) or electronic commerce, a subset of e-business, is the purchasing, selling, and exchanging of goods and services over computer networks (such as the Internet) through which transactions or terms of sale are performed electronically. Contrary to popular belief, ecommerce is not just on the Web. In fact, ecommerce was alive and well in business to business transactions before the Web back in the 70s via EDI (Electronic Data Interchange) through VANs (Value-Added Networks). Ecommerce can be broken into three main categories: B2B, B2C and C2C.

B2B (Business-to-Business)
Companies doing business with each other, such as manufacturers selling to distributors and wholesalers selling to retailers. Pricing is based on quantity of order and is often negotiable.

Example B2B
- Intel selling microprocessors to Dell
- Heinz selling ketchup to McDonald’s

B2C (Business-to-Consumer)
Businesses selling to the general public, typically through catalogs utilizing shopping cart software. By dollar volume, B2B takes the prize; however, B2C is really what the average Joe has in mind with regard to ecommerce as a whole.

Example B2C
- Dell selling me a laptop
- McDonald’s selling me a Big Mac

Having a hard time finding a book? Need to purchase a custom, high-end computer system? How about a first class, all-inclusive trip to a tropical island? With the advent of ecommerce, all three things can be purchased literally in minutes without human interaction. Oh how far we've come!

C2C (Consumer-to-Consumer)
There are many sites offering free classifieds, auctions, and forums where individuals can buy and sell thanks to online payment systems like PayPal, where people can send and receive money online with ease. eBay's auction service is a great example of where person-to-person transactions have taken place every day since 1995. Companies using internal networks to offer their employees products and services online--not necessarily online on the Web--are engaging in B2E (Business-to-Employee) ecommerce.

Example C2C
- Mary buying an iPod from Tom on eBay
- Me selling a car to my neighbor

Advantages / Benefits of E-Commerce

• 24*7 operations.
• Reduced costs to buyers from increased competition in procurement, as more suppliers are able to compete in an E-market.
• Reduced costs to suppliers by electronically accessing online databases of bid opportunities.
• Reduced errors, time and overhead costs.
• Global reach.
• Reduced time to complete business transactions.
• Better quality of goods for specification with standards.
• Creation of new markets.
• Easier entry into new markets.
• New business opportunities.
• Disintermediation.
• Knowledge of customer behavior.
• Optimization of resource selection.
• Increased access to client base.
• Improved product analysis.
• Network economics.
• Customer controls the interaction.
• Improved market analysis.
• Wider access to assistance and to advice from experts and peers.
• Rapid interpersonal communication.
• Cost effective document transfer.

Why e-commerce is so effective in marketing

The use of e-commerce in setting up an online business provides a wide range of marketing benefits and opportunities. Starting an online business can be as simple as setting up a basic shop on eBay to sell a few wholesale items, to coming up with a completely new online concept with a novel way of monetising it.

The beauty of the online business is that it’s suited to just about anyone. You don’t need to be an MBA graduate based in London to succeed. You can start your operation from anywhere, as long as you’ve got access to an internet connection and a bit of business acumen. E-commerce is ideal for start-up and small businesses!

There are three basic marketing models for an online business:

E-commerce - the most closely aligned to the traditional business model of marketing. With an e-commerce site you sell a product or service. Customers buy directly from the site, and the products are then either delivered to them or downloaded.

Advertising – with this type of site, the aim is to get as many visitors as possible, increasing the number of customers the advertisers reach. Content on this kind of site is usually completely free for the site user, providing them either with information or entertainment.

Subscription – similar to the advertising model, subscription sites generally provide information or entertainment, but the difference is the user pays to access all or part of that content. Of course, some online businesses combine two or three of the above.

Customer-centric retailing (CCR) is the key to mastering the retail challenge.

CCR is a new retail approach that aims to help retailers understand their customers better, identify the right target segments for their business and address these segments more effectively. It improves their customer focus and offers new insights into customer behavior. Essentially, it puts the customer back at the heart of organizational strategy, underpinning all market-related activities. This requires a new dimension in customer understanding.


CCR offers this new dimension. Specifically, it capitalizes on the potential of loyalty card transaction data, using this data to derive customer segments based on actual purchase behavior rather than just socio-demographic characteristics. It is the key to achieving a comprehensive understanding of customers' purchase behavior and needs.

CCR is more than just a tool for category optimization, however: it is a holistic management approach. To fully leverage its potential, retailers must apply CCR on all levels of the organization and in all functions, backing it up with a systematic change process. A number of major retailers such as Metro, Tesco and Carrefour have already done this and achieved a successful transition to a truly customer-centered organization.

Disintermediation - The removal of intermediaries such as distributors or brokers that formerly linked a company to its customers.

Disintermediation of a Consumer Distribution Channel (CDC), showing (a) the original situation, (b) disintermediation omitting the wholesaler, and (c) disintermediation omitting both wholesaler and retailer.

The CDC and its ability to generate profit for any manufacturer of goods is at the core of its business model and is therefore absolutely vital in determining the success or failure of that manufacturer’s operations. Changes in the CDC such as ‘cutting out the middle-man’ (disintermediation) or the introduction of new ‘middle-men’ (reintermediation) can have significant effects on a firm’s competitive advantage and ultimately, its future. Therefore it is of high importance to manufacturers that they understand the critical issues involved so that they can utilise the opportunities created by e-business to their advantage.

The concept of doing away with the ‘middle-men’ in the CDC certainly has its incentives. King (1999) suggests that higher profit margins and access to valuable customer information are the main drivers for disintermediation. It has also been suggested that pressures to reduce costs in highly competitive industries are forcing companies to find ways to reduce payments to intermediaries (McCubbrey & Taylor, 2005) whereas complete disintermediation would cause payments to intermediaries to disappear altogether. Also, manufacturers could benefit greatly from direct access to customer information, potentially enabling them to better meet customer requirements and improve customer satisfaction. These two factors alone (cost saving and access to customer information) have the potential to significantly improve a firm’s competitive advantage. Furthermore, success stories such as Dell’s (Kraemer, 2000) build confidence that such a business model can bring high levels of success.

Dell has discovered that it can better meet customer needs through direct contact with customers and even offers customers the option of customising their products during the order process (Kraemer et al, 2000). This is a step further than simply obtaining customer information. In fact, Dell’s customers are able to actually dictate a product’s specifications prior to its assembly. This would be a very expensive and complicated service to offer if intermediaries were involved. Using this model, Dell has differentiated itself from the competition and become a clear market leader in the PC industry.

Reintermediation: E-business has created many opportunities for new intermediaries, as well as enabling existing intermediaries to become better-managed and more efficient (Rosenbloom, 2007). Services such as supplier search, product evaluation (Chaffey, 2009) and price comparison websites are proving very attractive to customers; therefore, firms whose products are not included on these sites or on the sites of leading online retailers such as Amazon are at a disadvantage.

Amazon (originally an online book retailer) has used e-business to quickly develop a customer base which far exceeds that of any book publisher. This is because consumers were (and still are) drawn by the value-adding services provided by Amazon. Nowadays, Amazon sells a huge variety of products and any manufacturer who opts not to sell its products through intermediaries such as Amazon will considerably limit their sales opportunities. Using such intermediaries enables manufacturers to reach a much wider audience with their products and offer customers a ‘value-added’ experience.

Manufacturers can also take advantage of the marketing opportunities created by e-business. For example, they can set up ‘affiliate marketing’ programs online which enable their products to be promoted and sold by almost anyone for a commission. This way products can be widely marketed, only costing the manufacturer when a sale is made. This model of inviting an unlimited number of intermediaries to sell a product is attractive because it means that money is not wasted on marketing that does not bring sales.

If the use of intermediaries is the most cost-effective and efficient way to take advantage of all that e-business has to offer, it could be argued that now is the time to introduce more intermediaries than ever before. Any intermediary that adds more value to a product than it charges for the service is worth considering and so too are those intermediaries that will enable a product to be more widely marketed or efficiently distributed than it is currently being. Rosenbloom (2007), Agrawal (2006), Gigalis et al. (2002) and King (1999) all suggest that reintermediation has just as much, if not more, potential to create competitive advantage, which may explain Palvia et al.’s (1999) findings that it is the more popular model in reality.

A successful e-business Web site gives special treatment to its repeat visitors who buy. Does yours? If it doesn't, you know it needs to. If it already does, you know it can do better. And even if it's pretty good, it could be faster. Providing special treatment in the form of information and applications matched to a visitor's interests, roles, and needs is known as personalization. A personalized e-business site is more likely to attract and retain visitors and to build sales. Personalized sites for employees improve their productivity by simplifying access to information and applications. Overall customer satisfaction is increased when less time is required to locate account information, and service is personalized to the customer's needs. Two common reasons for personalizing a site are to make the site easier to use and to increase sales.

Personalization is a process of gathering and storing information about site visitors, analyzing the information, and, based on the analysis, delivering the right information to each visitor at the right time. A number of personalization techniques, with more on the way, can enable your site to target advertising, promote products, personalize news feeds, recommend documents, give appropriate advice, and target e-mail.

Providing personalization for real-time applications affects the system performance. How personalization is deployed is thus important and needs to be integrated into the overall system design. This is especially true for high-volume Web sites. As described in "Design for scalability" (see Resource 1), your selection of personalization techniques should be directed by your Web site type. In our work with high-volume Web sites, IBM determined there are generally five types of sites, distinguished by workload pattern: publish/subscribe, online shopping, customer self-service, trading, and business-to-business. Regardless of type, Web sites look increasingly to the use of personalization to increase repeat business.

This paper introduces personalization and describes some current techniques. It also explains how personalization affects the system performance and introduces techniques such as content caching, also called intelligent content distribution, for implementing appropriate, effective personalization while still meeting the performance requirements of high-volume e-business sites. Finally, the paper suggests what we believe to be the most effective personalization techniques for each type of Web site.

The information contained in this document has not been submitted to any formal IBM test and is distributed as is. The use of this information or the implementation of any of these techniques is a customer responsibility and depends on the customer's ability to evaluate and integrate the techniques into the customer's operational environment. While each item may have been reviewed by IBM for accuracy in a specific situation, there is no guarantee that the same or similar results will be obtained elsewhere. Customers attempting to adapt these techniques to their own environments do so at their own risk.

Web site personalization is a process of gathering and storing information about site visitors, analyzing the information, and, based on the analysis, delivering the right information to each visitor at the right time. It is a key technology needed in various e-business applications, such as:

• Managing customer relationships
• Targeting advertisements and promoting products
• Managing marketing campaigns
• Managing Web site content
• Managing knowledge
• Managing personalized portals and channels

Although each application area may need tailoring, especially in the areas of user interface and data collection, the core techniques for personalization, depicted in Figure 1, are quite similar.

Figure 1. Elements of a personalization system

Hardware and Software

Hardware

A business information system (BIS) can be defined as a system whose purpose is to convert data into information.

Computer system: Interrelated components, including hardware and software, that work together with the aim of converting data into information.

Hardware: The physical components of a computer system: input devices, memory, central processing unit, output devices and storage devices. For example, data are input, then processed according to software instructions, then output to the screen as information.

The main components of hardware can be divided as follows:

Input device: Hardware used to enter data, information or instructions into a computer-based information system, for example a mouse or keyboard.

Central processing unit (CPU): The processor found in a computer system that controls all of the computer’s main functions and enables users to execute programs or process data.

Memory: A temporary means of storing data awaiting processing, instructions used to process data or control the computer system, and data or information that has been processed. Memory is used to store:

1. Data awaiting processing
2. Instructions loaded from software which are used to process data or control the computer system
3. Data or information that has been processed

Storage devices: A permanent means of storing data and programs until they are required. For instance, a program can be stored on a hard disk drive until it is needed. When the program is activated, it is transferred from the storage device into the computer’s memory.

Output devices: Translate the results of processing (the output) into a human-readable form. As an example, the results of a calculation or other information might be displayed on a screen or sent to a printer.

Input devices

Modern computers make use of a wide variety of input devices because of the data flowing into organizations. The choice of input device depends upon the quantity of data to be entered. For example, small-scale data entry is normally carried out with a mouse or keyboard, while large-scale data input may require the use of more specialized input devices. When selecting input devices, an organization must consider some key issues:

• Volume
• Speed
• Accuracy
• Cost
• Data complexity
• Frequency of data entry

Organizations use a wide variety of input devices:

Keyboard: The keyboard remains the most common input device and its basic design has remained largely unchanged for more than a century. Natural keyboards have keys arranged so that users can locate them more quickly and easily, in a way that makes prolonged use more comfortable. For example, in organizations and businesses such as airlines, libraries and supermarkets, the keyboard is the key input device for entering data clearly.

Pointing device: An input device that allows the user to control the movement of a small pointer displayed on the screen that is used to select options. Pointing devices require a graphical user interface (GUI), which allows the user to control the operation of a computer program using a pointing device such as a mouse.

Mouse: A pointing device found on most modern personal computers. For instance, the mouse is very helpful for selecting items or menus and is commonly used in small organizations and businesses.

Lightpen: A pointing device used to control applications by pointing to items on the screen. Today, lightpens are also used for applications involving graphics, such as drawing packages, since images can be drawn directly onto the screen.

Trackball: A pointing device that is controlled by rotating a small ball with the fingertips or palm of the hand. Buttons are used to select items, as with a mouse.

Optical scanner: An input device used to capture graphics and text from printed documents. An optical scanner can also be used to perform data entry by converting printed documents into text files that can be used by word processing packages and other programs. Examples of optical scanning technologies are OCR and OMR.

Optical character recognition (OCR): Software that attempts to recognize individual characters. Because OCR is not 100% accurate, the resulting file can be changed or edited in a word processor. For example, today OCR is used in processing checks, archiving library material, and letter sorting by the postal office.

Optical mark recognition (OMR): Detection and recognition of simple marks made on a document. Many of today's OMR applications involve people filling in specialized forms. These forms are optimized for computer scanning, with careful registration in the printing, and careful design so that ambiguity is reduced to the minimum possible. Due to its extremely low error rate, low cost and ease of use, OMR is a popular method of tallying votes. There are many other applications for OMR, for example institutional research, community surveys, consumer surveys, tests/assessments, evaluations/feedback, data compilation, product evaluation, time sheets/inventory counts, membership subscription forms, lotteries/voting, geocoding (e.g. postal codes), mortgage loans, and banking and insurance applications.

Bar code reader: Measures the intensity of a light beam reflected from a printed bar code to identify the digits making up a unique identification number. The most common example of this device in industry is the supermarket checkout. Bar code readers are also used in inventory control systems, in the identification of patients in hospital, and in sales in order to monitor trends and plan possible promotions.

Biometric scanner: One of the most useful input devices, with high accuracy, used in the following areas:

1. Small and big offices make use of a fingerprint biometric scanner to keep a record of employee attendance.
2. Government offices, where access control is required to avoid information leakage and other criminal activities, also employ fingerprint readers.
3. These devices are also used for accessing computers, especially when it becomes difficult to remember a number of passwords. Moreover, a biometric fingerprint reader can keep unauthorized users from accessing your computers and laptops.
4. E-passports are relatively new applications of fingerprint scanners and readers. The fingerprints of passport holders are stored on the documents in the form of chips, which later help in verifying the authorized passport holders.
5. Fingerprint reader door locks are also becoming popular to provide security to houses and garages.

The advantages of a biometric scanner are speed, low cost compared to other security devices, and accuracy.

Magnetic Ink Character Recognition (MICR): Involves capturing data that have been printed using a special magnetic ink. This technology is normally associated with the banking industry, especially cheque processing. The advantage of a MICR scanner is that it can read the magnetic characters through ink and other things that can normally obscure reading the data visually, and it can do so quickly with high accuracy.

Smart card reader: A card reader is a data input device that reads data from a card-shaped storage medium. More modern card readers are electronic devices that use plastic cards imprinted with barcodes, magnetic strips, computer chips or other storage media. Today, this device is used mostly for payments with credit or debit cards, and it is affordable for restaurants, supermarkets, shops and banks that want to offer more payment options.

Touch screen: A transparent, pressure-sensitive covering that is attached to the screen of the monitor. Users make selections and control programs by pressing onto the screen. Common applications for touch screens are interactive kiosks and booking systems. An interactive kiosk allows a user to purchase items or browse through a given list. For example, many banks, music stores, supermarkets and large catalogue stores are using touch screens today. Many booking systems, such as those of airlines, theatres and travel agents, also make use of touch screens.

Graphics tablet: Used in the same way as a writing pad; a stylus is used to draw images on a rigid pad located near to the computer. Although this input device can be used to control programs and select items shown on the screen, it is most often used for professional graphics applications.

Video capture card: The video capture card records and stores video sequences (motion video). Video capture is the process of converting an analog video signal, such as that produced by a video camera or DVD player, to digital video. A playback device, for example a video cassette recorder, is connected to the video capture card and special software is used to capture, edit and manipulate video sequences. Once a motion video sequence has been processed, it can then be output to a television, video cassette recorder or other device.

Microphone/sound card: A sound card allows a personal computer to play speech, music and other sounds. A sound card can also be used to capture sound, music and speech from a variety of sources. The benefits of a microphone may be seen in many businesses, supermarkets, airports, immigration and so on, for announcing special events.

Voice recognition: The facility to control a computer program or carry out data entry through spoken commands via a microphone connected to a sound card. A business application is the use of voice recognition software to dictate text directly into a word processing document. Other applications include automatic translation, automotive speech recognition, court reporting (realtime voice writing), home automation, interactive voice response, mobile telephony (including mobile email), multimodal interaction, pronunciation evaluation in computer-aided language learning applications, and robotics.

Digital camera: Captures and stores still images. Images are held in the camera’s memory or stored on memory cards until they can be transferred to a personal computer. Digital video cameras capture high-quality motion video and are used in many areas. For example, over the past decade this technology has become popular in the film industry.

Output devices

An output device is any piece of computer hardware equipment used to communicate the results of data processing carried out by an information processing system (such as a computer) to the outside world. Output devices translate the results of processing (the output) into a human-readable form. As an example, the results of a calculation or other information might be displayed on a screen or sent to a printer.

The output produced by some devices is temporary in nature. A display shown on a monitor, for example, is lost when a new image is shown or the computer system is switched off. On the other hand, a report produced on a printer is more permanent and may last for many years. Some forms of output may be used as the input for another process. Photographs, sounds and video sequences, for example, might be combined during the production of a training package or demonstration programme.

Business organizations have a wide range of requirements in terms of the form of the information they produce. These requirements mean that there is a large variety of special output devices available. A computer-based information system will seldom make use of only a single output device. Even a typical personal computer will often feature several different output devices, such as a monitor, sound card and printer.

Display Devices Monitor

The most common output device is almost certainly the monitor, sometimes referred to as the visual display unit (VDU). A VDU is a monitor connected to a computer system; the term is traditionally used to describe character-based terminals. The monitor has several advantages over other forms of output device.

First, in terms of speed, the monitor is one of only a small number of devices that allow users to view the progress of an activity as it occurs.

Secondly, in terms of purchasing, as standard components of a computer system, monitors are relatively inexpensive to purchase, repair or replace.

Thirdly, the cost of using the monitor as an output device is very low. Unlike a printer, for example, a monitor does not require consumables such as paper.

Today, monitors are used in almost every business organization, such as restaurants and supermarkets.

Sound Output

Computers also produce sound output, ranging from simple beeps alerting the user, to impressive game sound effects, to concert-quality music. The circuitry to produce sound may be included on the motherboard, but high-quality audio output from a PC usually requires a sound card in one of the expansion slots, connected to a set of good-quality external speakers or headphones.

The speaker is the most useful sound output device; it is used in immigration, airports, supermarkets and similar places to announce something important to people.

Printers

Laser printer: A laser is used to charge sections of a rotating drum which is then used to print using toner powder, achieving a combination of speed with high print quality. Some advantages of laser printers are:

• Print quality. Laser printers are capable of producing output at a quality appropriate for business correspondence.
• Speed. A typical laser printer will be able to print at a rate of 12 pages per minute or more. This compares well against other printing methods; for example, a typical inkjet printer may only be capable of printing 4-6 pages per minute.
• Volume. Laser printers are normally capable of dealing with large volumes of work. For example, a dot-matrix printer may be suitable for a workload of 500 pages per month, whereas a laser printer is capable of a workload of 5000 pages.

Inkjet printer: An inkjet printer uses a print-head containing 50 or more small nozzles that squirt ink onto paper by varying electrostatic charges produced by the printer. Some advantages of inkjet printers include:

• Cost. Inkjet printers can be purchased at low cost and are relatively inexpensive to operate.
• Reliability. Since inkjet printers have very few moving parts, they are considered reliable and robust.
• Colour printing. Inkjet printers provide a relatively inexpensive means of printing in colour at an acceptable quality.
• Versatility. Inkjet printers are able to produce a variety of different documents, including overhead transparencies, cards, labels and envelopes.
• Noise. Inkjet printers are almost completely silent in operation.

Dot-matrix printer: A character is transferred to the paper by striking pins against an ink ribbon. This form of printing is known as impact printing. Dot-matrix printing is now only commonly used when carbon copies of a document need to be created.

Selecting output devices – key issues

Some of the factors that should be considered when selecting an output device include appropriateness, permanence, speed, response time and cost.

• Appropriateness. An output device should be appropriate to the type of information produced as the result of a business process. A plotter, for example, provides an efficient means of producing large technical diagrams, but would not be an appropriate way of printing a business letter.
• Permanence. It is often necessary to make a permanent record of the results of a given activity, for example an organization will normally retain a copy of a business letter sent to a client.
• Response time
• Speed
• Cost

Software

Software: A series of detailed instructions that control the operation of a computer system. Software exists as programs that are developed by computer programmers. Software can be divided into two main categories:

• Systems software
• Applications software

Systems software

This form of software manages and controls the operation of the computer system as it performs tasks on behalf of the user. Systems software consists of three basic categories:

1. Operating systems
2. Development programs
3. Utility programs

Operating system (OS)

This form of software interacts with the hardware of the computer in order to manage and direct the computer’s resources. The operating system functions as an intermediary between the functions the user needs to perform, for example a spreadsheet calculation, and how these translate to and from the hardware in the form of responding to mouse clicks and displaying information on the screen.

The basic functions of the operating system include allocating and managing system resources, scheduling the use of resources and monitoring the activities of the computer system. An OS can be controlled by either a text-based or a graphical interface.

• Command line interpreter (CLI): Passes instructions from a user to a computer program in the form of brief statements entered via the keyboard.
• Graphical user interface (GUI): Provides a means for a user to control a computer program using a mouse to issue instructions using menus and icons.
• WIMP: WIMP (windows, icons, mouse and pull-down menus) is often used to describe a GUI environment.

Network operating system (NOS)

Network operating system (NOS) describes the software needed to operate and manage a network system. In general, the NOS used by an organization will provide the majority of facilities required to support workgroup computing. For example, the NOS will allow a network manager to define a group of users as belonging to a particular workgroup.

Utility programs

Utility programs provide a range of tools that support the operation and management of a computer system, for example programs that monitor system performance or provide security controls.

Development programs

Development programs allow users to develop their own software in order to carry out processing tasks using programming languages.

Applications software

Applications software: A set of programs that enable users to perform specific information-processing activities. Application software can be divided into two broad categories: general-purpose and application-specific.

General-purpose application

General-purpose applications are programs that can be used to carry out a wide range of common tasks. A word processor, for example, is capable of producing a variety of documents that are suitable for many purposes.

• Document production and graphics software. This involves the creation of various internal and external documents, including letters.
• Spreadsheet: software for processing numerical information.
• Database: software for storage and retrieval of information.
• Multimedia software. Multimedia involves the user interacting with a computer using media such as text, sound, animation and video.
• Software for using the Internet.
• Management applications of productivity software.
• Software for personal information management and team working.

Application-specific software

Application-specific software comprises programs intended to serve a specific purpose or carry out a clearly defined information processing task. Software designed to carry out payroll processing or manage accounts is an example of an application-specific program.

OPERATING SYSTEM (OS): CONTROLS AND COORDINATES THE USE OF THE HARDWARE AMONG THE VARIOUS APPLICATION PROGRAMS FOR THE VARIOUS USERS

The operating system is the most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.

For large systems, the operating system has even greater responsibilities and powers. It is like a traffic cop -- it makes sure that different programs and users running at the same time do not interfere with each other. The operating system is also responsible for security, ensuring that unauthorized users do not access the system.

COMPUTER SYSTEM COMPONENTS: HARDWARE, OPERATING SYSTEM, APPLICATIONS PROGRAMS, USERS

Types

GUI - Short for Graphical User Interface, a GUI operating system contains graphics and icons and is commonly navigated by using a computer mouse. Below are some examples of GUI operating systems.

• System 7.x
• Windows 98
• Windows CE

Multi-user - A multi-user operating system allows for multiple users to use the same computer at the same time and different times. Below are some examples of multi-user operating systems.

• Linux
• Unix
• Windows 2000

Multiprocessing - An operating system capable of supporting and utilizing more than one computer processor. Below are some examples of multiprocessing operating systems.

• Linux
• Unix
• Windows 2000

Multitasking - An operating system that is capable of allowing multiple software processes to run at the same time. Below are some examples of multitasking operating systems.

• Unix
• Windows 2000

Multithreading - Operating systems that allow different parts of a software program to run concurrently. Operating systems that would fall into this category are:

• Linux
• Unix
• Windows 2000

Characteristics of Information

Information comes in all shapes and sizes. Knowing some of its characteristics will help you better identify your information need and evaluate what you are receiving.

Good information is that which is used and which creates value. Experience and research show that good information has numerous qualities. Good information is relevant for its purpose, sufficiently accurate for its purpose, complete enough for the problem, reliable and targeted to the right person. It is also communicated in time for its purpose, contains the right level of detail and is communicated by an appropriate channel, i.e. one that is understandable to the user.

Further details of these characteristics related to organizational information for decision-making follow.

Availability/accessibility

Information should be easy to obtain or access. Information kept in a book of some kind is only available and easy to access if you have the book to hand. A good example of availability is a telephone directory, as every home has one for its local area. It is probably the first place you look for a local number. But nobody keeps the whole country’s telephone books, so for numbers further afield you probably phone a directory enquiry number. For business premises, say for a hotel in London, you would probably use the Internet.

Reliability or objectivity

Reliability deals with the truth of information or the objectivity with which it is presented. You can only really use information confidently if you are sure of its reliability and objectivity. When researching for an essay in any subject, we might make straight for the library to find a suitable book. We are reasonably confident that the information found in a book, especially one that the library has purchased, is reliable and (in the case of factual information) objective. The book has been written and the author’s name is usually printed for all to see. The publisher should have employed an editor and an expert in the field to edit the book and question any factual doubts they may have. In short, much time and energy goes into publishing a book and for that reason we can be reasonably confident that the information is reliable and objective.

Relevance/appropriateness

Information should be relevant to the purpose for which it is required. It must be suitable. What is relevant for one manager may not be relevant for another.

Completeness

Information should contain all the details required by the user. Otherwise, it may not be useful as the basis for making a decision. For example, if an organisation is supplied with information regarding the costs of supplying a fleet of cars for the sales force, and servicing and maintenance costs are not included, then a costing based on the information supplied will be considerably underestimated.

Timing

Information must be on time for the purpose for which it is required. Information received too late will be irrelevant. For example, if you receive a brochure from a theatre and notice there was a concert by your favourite band yesterday, then the information is too late to be of use.

E – threats & security measures

Managing information security:

1. Introduction
2. Common threats to information
3. Control strategies
4. Types of controls
5. Control approaches
6. Malware
7. Internet related threats
8. Conclusion

1. Introduction

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Governments, military, corporations, financial institutions, hospitals, and private businesses amass a great deal of confidential information about their employees, customers, products, research, and financial status. Most of this information is now collected, processed and stored on electronic computers and transmitted across networks to other computers. The field of information security has grown and evolved significantly in recent years. There are many ways of gaining entry into the field as a career. It offers many areas for specialization including: securing network(s) and allied infrastructure, securing applications and databases, security testing, information systems auditing, business continuity planning and digital forensics science.

2. Common threats to information

There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure:

1. Accidents
2. Natural disaster
3. Sabotage
4. Theft
5. Unauthorized use
6. Computer viruses

1. Accidents

A number of estimates suggest that 40-65 per cent of all damage caused to information systems or corporate data arises as a result of human error. The DTI’s Information Breaches Survey 2004, for example, states that: “Human error rather than flawed technology is the root cause of most security breaches”. Some examples of ways in which human errors occur include:

• Inaccurate data entry. As an example, consider a typical relational database management system, where update queries are used to change records, tables and reports. If the contents of the query are incorrect, errors might be produced within all of the data manipulated by the query. Although extreme, significant problems might be caused by adding or removing even a single character in a query.
• Attempts to carry out tasks beyond the ability of the employee. In smaller computer-based information systems, a common cause of accidental damage involves users attempting to install new hardware items or software applications. In the case of software applications, existing data may be lost when the program is installed or the program may fail to operate as expected.
• Failure to comply with procedures for the use of organizational information systems. Where organizational procedures are unclear or fail to anticipate potential problems, users may often ignore established methods, act on their own initiative or perform tasks incorrectly.
• Failure to carry out backup procedures or verify data backups. In addition to carrying out regular backups of important business data, it is necessary to verify that any backup copies made are accurate and free from errors.
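One way to carry out the backup verification described in the last item, shown as an added example that is not part of the original notes: a SHA-256 manifest is recorded when the backup is taken and the backup copy is later checked against it. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def verify_backup(manifest, backup_root):
    """Compare a backup tree with the manifest recorded at backup time."""
    found = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(found))
    corrupt = sorted(
        name for name in set(manifest) & set(found)
        if manifest[name] != found[name]
    )
    unexpected = sorted(set(found) - set(manifest))
    return {
        "ok": not (missing or corrupt),
        "missing": missing,        # in the manifest, absent from the backup
        "corrupt": corrupt,        # present, but contents differ
        "unexpected": unexpected,  # in the backup, never recorded
    }


def run_backup_demo():
    """Back up constructed sample files, then damage the copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        backup = Path(tmp, "backup")
        (source / "ledger").mkdir(parents=True)
        # Constructed sample business data.
        (source / "ledger" / "2004-q1.csv").write_text("invoice,amount\n1001,250.00\n")
        (source / "ledger" / "2004-q2.csv").write_text("invoice,amount\n1002,410.50\n")
        (source / "customers.txt").write_text("Acme Ltd\nBirch & Co\n")

        manifest = build_manifest(source)   # recorded at backup time
        shutil.copytree(source, backup)     # the backup itself
        clean = verify_backup(manifest, backup)

        # Simulate a faulty backup: one flipped bit and one lost file.
        damaged_file = backup / "ledger" / "2004-q1.csv"
        data = bytearray(damaged_file.read_bytes())
        data[-2] ^= 0x01
        damaged_file.write_bytes(bytes(data))
        (backup / "customers.txt").unlink()
        damaged = verify_backup(manifest, backup)
    return clean, damaged


if __name__ == "__main__":
    for report in run_backup_demo():
        print(report)
```

A single flipped bit leaves the file size and timestamp plausible, which is why the check compares content digests and not file listings.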

A survey from the Computing Technology Industry Association found that human error played a role in more than 63 per cent of IT security breaches. Technological failures accounted for only 8 per cent of security problems.
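The update-query mistake described under "Inaccurate data entry" above, as an added example that is not from the original notes: a single extra character turns a one-row UPDATE into one that rewrites every record, and a guard that compares the affected row count with what the operator expected rolls the change back. The table, column names and data are constructed, and SQLite stands in for whatever database the organization uses.

```python
import sqlite3


class UnexpectedRowCount(Exception):
    """An UPDATE touched a different number of rows than the operator planned."""


def build_sample_db():
    """Create an in-memory database with constructed customer records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Acme Ltd", 5000), (10, "Birch & Co", 7000),
         (11, "Cedar plc", 9000), (100, "Dale Bros", 3000)],
    )
    conn.commit()
    return conn


def credit_limits(conn):
    """Return {id: credit_limit} for every customer."""
    return dict(conn.execute("SELECT id, credit_limit FROM customers ORDER BY id"))


def guarded_update(conn, sql, params, expected_rows):
    """Run one UPDATE inside a transaction; commit only if the row count matches."""
    try:
        cursor = conn.execute(sql, params)  # sqlite3 opens a transaction implicitly
        if cursor.rowcount != expected_rows:
            raise UnexpectedRowCount(
                f"expected {expected_rows} row(s), statement touched {cursor.rowcount}; rolled back"
            )
        conn.commit()
        return cursor.rowcount
    except Exception:
        conn.rollback()
        raise


def run_update_demo():
    """Show the mistyped query being rejected and the intended one applied."""
    conn = build_sample_db()
    intended = "UPDATE customers SET credit_limit = ? WHERE id = ?"
    mistyped = "UPDATE customers SET credit_limit = ? WHERE id >= ?"  # one extra '>'
    result = {}
    try:
        guarded_update(conn, mistyped, (0, 1), expected_rows=1)
    except UnexpectedRowCount as exc:
        result["rejected"] = str(exc)
    result["after_mistyped"] = credit_limits(conn)
    result["changed"] = guarded_update(conn, intended, (0, 1), expected_rows=1)
    result["after_intended"] = credit_limits(conn)
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in run_update_demo().items():
        print(key, value)
```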

2. Natural disaster

When human lives rely on the proper operation of an information system, this is usually known as a safety-critical system. Perhaps a better way of describing a critical system is to suggest that it is an information system that must not fail. A good example of a critical system is an air traffic control system. All information systems are susceptible to damage caused by natural phenomena, such as storms, lightning strikes, floods and earthquakes. In Japan and the United States, for example, great care is taken to protect critical information systems from the effects of earthquakes. Although such hazards are of less concern in much of Europe, properly designed systems will make allowance for unexpected natural disaster.

3. Sabotage

With regard to information systems, sabotage may be deliberate or unintentional and carried out on an individual basis or as an act of industrial sabotage.

Individual sabotage

Individual sabotage is typically carried out by a disgruntled employee who wishes to exact some form of revenge upon their employer. The logic bomb (sometimes known as a “time bomb”) is a well-known example of how an employee may cause deliberate damage to the organization’s information systems. A logic bomb is a destructive program that activates at a certain time or in reaction to a specific event.

Another well-known example is the back door. The back door is a section of program code that allows a user to circumvent security procedures in order to gain full access to an information system. Although back doors have legitimate uses, such as for program testing, they can also be used as an instrument of sabotage. It should be noted, however, that individual sabotage is becoming more infrequent due to legislation such as the Computer Misuse Act.

Industrial sabotage

Industrial sabotage is considered rare, although there have been a number of well-publicized cases over the past few years. Industrial sabotage tends to be carried out for some kind of competitive or financial gain. Industrial sabotage is considered more serious than individual sabotage since, although occurrences are relatively few, the losses suffered tend to be extremely high. A well-known example concerns the legal battle between British Airways and Richard Branson’s Virgin during the 1990s, where it was alleged that BA gained access to Virgin’s customer databases and used this information to “poach” Virgin’s customers.

Unintentional sabotage

An intent to cause loss or damage need not be present for sabotage to occur. Imagine the case of an organization introducing a new information system at short notice and without proper consultation with staff. Employees may feel threatened by the new system and may wish to avoid making use of it. A typical reaction might be to enter data incorrectly in an attempt to discredit the new system. Alternatively, the employee might continue to carry out tasks manually (or with the older system), claiming that this is a more efficient way of working. In such cases, the employee’s primary motivation is to safeguard their position – the damage or loss caused to the organization’s information systems is incidental to this goal.

Vandalism

Deliberate damage caused to hardware, software and data is considered a serious threat to information system security. The threat from vandalism lies in the fact that the organization is temporarily denied access to some of its resources. Even relatively minor damage to parts of a system can have a significant effect on the organization as a whole. In a small network system, for example, damage to a server or shared storage device might effectively stop the work of all those connected to the network. In larger systems, a reduced flow of work through one part of the organization can create bottlenecks, reducing the overall productivity of the entire organization. In recent years, vandalism has been extended to the Internet. A number of incidents have occurred where company web sites have been defaced.

4. Theft

As with vandalism, the loss of important hardware, software or data can have significant effects on an organization’s effectiveness. Theft can be divided into two basic categories: physical theft and data theft. Physical theft, as the term implies, involves the theft of hardware and software. It is worth noting that physical theft is not restricted to computer systems alone; components are often targeted by criminals because of their small size and relatively high value. For instance, between 1999 and 2003 there were 25 reported thefts in the UK involving large quantities of computer processors. Data theft normally involves making copies of important files without causing any harm to the originals. However, if the original files are destroyed or damaged, then the value of copied data is automatically increased. Both data theft and physical theft can take a number of different forms. As an example, there has been growing concern over the theft of customer information, such as credit card details, from company web sites.

5. Unauthorized use

One of the most common security risks in relation to computerized information systems is the danger of unauthorized access to confidential data. Most security breaches involving confidential data can be attributed to the employees of the organization. In many cases, breaches are accidental in that employees are unaware that particular sets of information are restricted. Deliberate breaches are typically the result of an employee wishing to gain some personal benefit from using the information obtained. A good example concerns the common myth of the police officer using the Police National Computer to check up on a car they wish to buy. In reality strict guidelines cover the use of the Police National Computer and a log is kept of every enquiry made. It should be considered that the threat posed by hackers is starting to increase as more organizations make use of the Internet for business purposes. In addition, it should be considered that even a relatively small number of hacking incidents can account for significant losses to industry. As an example, Datamonitor estimates that security breaches related to web sites cost more than £10 billion per year in repair costs and lost revenue.

6. Computer viruses

While some methods, such as logic bombs, are beginning to decline, others are becoming more common. The release of “virus construction kits” and “virus mutation engines” places the construction of a new computer virus within the hands of most users. Additionally, whilst methods such as virus scanning provide a degree of protection against virus infection, no completely secure prevention technique has yet been found.

3. Control strategies

In general, there are four major approaches that can be taken to ensure the integrity of an information system. These are:

1. Containment
2. Deterrence
3. Obfuscation
4. Recovery

Although each strategy is discussed separately, it is important to note that an effective security policy will draw upon a variety of concepts and techniques.

1. Containment

The strategy of containment attempts to control access to an information system. One approach involves making potential targets as unattractive as possible. This can be achieved in several ways but a common method involves creating the impression that the target information system contains data of little or no value. It would be pointless, for example, attempting to steal data that had been encrypted – the data would effectively be useless to anyone except the owner. A second technique involves creating an effective series of defences against potential threats. If the expense, time and effort required to gain access to the information system is greater than any benefits derived from gaining access, then intrusion becomes less likely. However, defences must be continually improved and upgraded in order to keep up with advances in technology and the increasing sophistication of hackers.

A third approach involves removing the target information system from potential threats. Typical ways in which this might be achieved include distributing assets across a large geographical area, distributing important data across the entire organization or isolating important systems.

2. Deterrence

A strategy based upon deterrence uses the threat of punishment to discourage potential intruders. The overall approach is one of anticipating and countering the motives of those most likely to threaten the security of the system. A common method involves constantly advertising and reinforcing the penalties for unauthorized access. It is not uncommon, for example, to dismiss an employee for gaining access to confidential data. Similarly, it is not uncommon for organizations to bring private prosecutions against those who have caused damage or loss to important information systems. Attempts to breach the security of the information system are discouraged by publicizing successful actions against employees or other parties. A second approach involves attempting to detect potential threats as clearly as possible, for example by monitoring patterns of information system usage and investigating all anomalies. However, although such a technique can prevent some attacks and reduce the damage caused by others, it can be expensive in terms of organizational resources. The third commonly used technique involves predicting likely areas of attack and then implementing appropriate defences or countermeasures. If an organization feels, for example, that it is particularly vulnerable to computer viruses, it might install virus-scanning software across the entire organization.

3. Obfuscation

Obfuscation concerns itself with hiding or distributing assets so that any damage caused can be limited. One means by which such a strategy can be implemented is by monitoring all of the organization’s activities, not just those related to the use of its information systems. This provides a more comprehensive approach to security than containment or deterrence since it also provides a measure of protection against theft and other threats. A second method involves carrying out regular audits of data, hardware, software and security measures. In this way, the organization has a more complete overview of its information systems and can assess threats more accurately. A regular software audit, for example, might result in a reduction in the use of illegal software.

4. Recovery

Such a strategy is largely concerned with ensuring that the normal operation of the information system is restored as quickly as possible, with as little disruption to the organization as possible. The most important aspect of a strategy based upon recovery involves careful organizational planning. The development of emergency procedures that deal with a number of contingencies is essential if a successful recovery is to take place. The process of developing and maintaining these procedures is often called business continuity planning. In anticipating damage or loss, a great deal of emphasis is placed upon backup procedures and recovery measures. In large organizations, a backup site might be created, so that data processing can be switched to a secondary site immediately in the event of an emergency. Smaller organizations might make use of other measures, such as RAID facilities or data warehousing services.

4. Types of controls

There are five major categories of controls that can be applied to information systems. These are:

1. Physical protection
2. Biometric controls
3. Telecommunications controls
4. Failure controls
5. Auditing

1. Physical protection

Physical protection involves the use of physical barriers intended to protect against theft and unauthorized access. The reasoning behind such an approach is extremely simple: if access to rooms and equipment is restricted, risks of theft and vandalism are reduced. Furthermore, by preventing access to equipment, it is less likely that an unauthorized user can gain access to confidential information. Locks, barriers and security chains are examples of this form of control.

2. Biometric controls

These controls make use of the unique characteristics of individuals in order to restrict access to sensitive information or equipment. Scanners that check fingerprints, voice prints or even retinal patterns are examples of biometric controls. Until relatively recently, the expense associated with biometric control systems placed them out of reach of all but the largest organizations. In addition, many organizations held reservations concerning the accuracy of the recognition methods used to identify specific individuals. However, with the introduction of more sophisticated hardware and software, both of these problems have been largely resolved. Many organizations have now begun to look at ways in which biometric control systems can be used to reduce instances of fraud. Within five years, for example, banks are expected to introduce automated teller machines (ATMs) that use fingerprints and retinal patterns to identify customers.

3. Telecommunications controls

These controls help to verify the identity of a particular user. Common types of communications controls include passwords and user validation routines. As an example, when a new network account is created for a given user, they may be asked to supply several pieces of personal information, such as the name of their spouse or their date of birth. When the user attempts to connect to the network system from outside of the organization, they are asked to confirm their identity by providing some of the information given when the account was created.

4. Failure controls

Failure controls attempt to limit or avoid damage caused by the failure of an information system. Typical examples include recovery procedures and regular backups of data. Backups are explained in more detail later on.

5. Auditing

Auditing involves taking stock of procedures, hardware, software and data at regular intervals.

With regard to software and data, audits can be carried out automatically with an appropriate program. Auditing software works by scanning the hard disk drives of any computers, terminals and servers attached to a network system. As each hard disk drive is scanned, the names of any programs found are added to a log. This log can then be compared to a list of the programs that are legitimately owned by the organization. Since the log contains information concerning the whereabouts of each program found, it is relatively simple to determine the location of any unauthorized programs. In many organizations, auditing programs are also used to keep track of software licences and allow companies to ensure that they are operating within the terms of their licence agreements.
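The audit described above, sketched as an added example (not code from the original text): each drive is scanned, every program found is logged with its location, and the log is compared with a register of owned software and licence counts. The register, host names and file names are constructed sample data.

```python
import os
import tempfile

# Assumed register of software the organization legitimately owns,
# with the number of licences held (constructed sample data).
LICENCES = {"wordproc.exe": 2, "spreadsheet.exe": 5, "mailclient.exe": 1}
PROGRAM_EXTENSIONS = {".exe", ".msi", ".bat", ".com"}


def scan_drive(host, root):
    """Walk one drive and log every program found, with its location."""
    log = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in PROGRAM_EXTENSIONS:
                log.append({"host": host,
                            "program": name.lower(),
                            "path": os.path.join(dirpath, name)})
    return log


def audit(log, licences):
    """Compare the scan log with the register of owned software."""
    unauthorized = sorted((e for e in log if e["program"] not in licences),
                          key=lambda e: (e["host"], e["path"]))
    hosts_per_program = {}
    for entry in log:
        if entry["program"] in licences:
            hosts_per_program.setdefault(entry["program"], set()).add(entry["host"])
    # A program installed on more hosts than licences held breaches the agreement.
    over_licensed = {prog: len(hosts)
                     for prog, hosts in hosts_per_program.items()
                     if len(hosts) > licences[prog]}
    return unauthorized, over_licensed


def build_sample_network(base):
    """Create three constructed 'drives' populated with empty program files."""
    layout = {
        "pc01": ["Program Files/wordproc.exe", "Program Files/spreadsheet.exe",
                 "Users/alice/Downloads/game.exe"],
        "pc02": ["Program Files/WordProc.EXE", "Users/bob/p2pshare.exe",
                 "Users/bob/notes.txt"],
        "srv01": ["Apps/mailclient.exe", "Apps/wordproc.exe"],
    }
    drives = {}
    for host, files in layout.items():
        drives[host] = os.path.join(base, host)
        for rel in files:
            path = os.path.join(drives[host], *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
    return drives


def run_demo():
    """Scan the sample network and return (unauthorized entries, over-licensed)."""
    with tempfile.TemporaryDirectory() as base:
        log = []
        for host, root in build_sample_network(base).items():
            log.extend(scan_drive(host, root))
        return audit(log, LICENCES)


if __name__ == "__main__":
    unauthorized, over_licensed = run_demo()
    for entry in unauthorized:
        print(f"unauthorized: {entry['program']} on {entry['host']} at {entry['path']}")
    for program, count in over_licensed.items():
        print(f"over-licensed: {program} on {count} hosts, {LICENCES[program]} held")
```

Matching on file name alone mirrors the description in the text; a renamed program would pass this check, which is why real inventories also record a file hash or publisher signature.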

5. Control approaches

Some of the most common techniques used to control computer-based information systems are:

1. Formal security policies
2. Passwords
3. File encryption
4. Organizational procedures governing the use of computer-based information systems
5. User validation techniques
6. Backup procedures

1. Formal security policies

Perhaps the simplest and most effective control is the formulation of a comprehensive policy on security. Amongst a wide variety of items, such a policy will outline:

1. what is considered to be acceptable use of the information system
2. what is considered unacceptable use of the information system
3. the sanctions available in the event that an employee does not comply with the security policy
4. details of the controls in place, including their form and function and plans for developing these further

Once a policy has been formulated, it must be published in order for it to become effective. In addition, the support of management is essential in order to ensure that employees adhere to the guidelines contained within the policy.

2. Passwords

The password represents one of the most common forms of protection for computer-based information systems. In addition to providing a simple, inexpensive means of restricting access to equipment and sensitive data, passwords also provide a number of other benefits. Amongst these are the following:

Access to the system can be divided into levels by issuing different passwords to employees based on their positions and the work they carry out.

The actions of an employee can be regulated and supervised by monitoring the use of their password.

If a password is discovered or stolen by an external party, it should be possible to limit any damage arising as a result.

The use of passwords can encourage employees to take some of the responsibility for the overall security of the system.

3. Encryption

An additional layer of protection for sensitive data can be provided by making use of encryption techniques. Modern encryption methods rely upon the use of one or more keys. Without the correct key, any encrypted data is meaningless – and therefore of no value – to a potential thief.

4. Procedures

Under normal circumstances, a set of procedures for the use of an information system will arise from the creation of a formal security policy. Such procedures should describe in detail the correct operation of the system and the responsibilities of users. Additionally, the procedures should highlight issues related to security, should explain some of the reasoning behind them and should also describe the penalties for failing to comply with instructions.

5. User validation

Of relevance to communications is the use of user validation techniques. It is necessary to verify the identity of users attempting to access the system from outside of the organization. A password is insufficient to identify the user since it might have been stolen or accidentally revealed to others. However, by asking for a date of birth, National Insurance number or other personal information, the identity of the user can be confirmed. Alternatively, if the location of the user is known, the system can attempt to call the user back at their current location. If the user is genuine, the call will be connected correctly and the user can then access the system. Although such methods do not offer total security, the risk of unauthorized access can be reduced dramatically.

6. Backup procedures

In information technology, a backup, or the process of backing up, is the making of copies of data which may be used to restore the original after a data loss event. Backups have two distinct purposes. The primary purpose is to recover data after its loss, be it by data deletion or corruption. Data loss is a very common experience of computer users. 67% of internet users have suffered serious data loss. The secondary purpose of backups is to recover data from an earlier time, according to a user-defined data retention policy, typically configured within a backup application for how long copies of data are required. In order to reduce the time taken to create backup copies, many organizations make use of software that allows the production of incremental backups. Initially, a backup copy of all data files is made and care is taken to ensure the accuracy of the copy. This initial, complete backup is normally referred to as a full backup.
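An added example, not from the original text, of a verified full backup followed by an incremental backup that copies only new or changed files. It goes beyond the passage by also recording deletions and by showing verification catching a damaged copy; the file names and contents are constructed sample data.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Digest of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(source):
    """Map every file under source (relative path) to its digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(source):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, source).replace(os.sep, "/")
            state[rel] = sha256_of(full)
    return state


def backup(source, dest, previous=None):
    """Full backup if previous is None, else copy only new or changed files."""
    os.makedirs(dest, exist_ok=True)
    current = snapshot(source)
    previous = previous or {}
    copied = sorted(rel for rel, d in current.items() if previous.get(rel) != d)
    for rel in copied:
        target = os.path.join(dest, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(source, rel), target)
    return {"state": current, "copied": copied,
            "deleted": sorted(set(previous) - set(current))}


def verify(dest, manifest):
    """Re-read each copied file from the backup; return those missing or altered."""
    bad = []
    for rel in manifest["copied"]:
        path = os.path.join(dest, rel)
        if not os.path.isfile(path) or sha256_of(path) != manifest["state"][rel]:
            bad.append(rel)
    return bad


def write_file(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as handle:
        handle.write(text)


def run_demo():
    """Constructed scenario: full backup, a day's changes, incremental backup."""
    with tempfile.TemporaryDirectory() as base:
        src = os.path.join(base, "data")
        write_file(os.path.join(src, "ledger.csv"), "id,amount\n1,100\n")
        write_file(os.path.join(src, "customers.csv"), "id,name\n1,Acme\n")
        write_file(os.path.join(src, "reports", "q1.txt"), "Q1 summary\n")
        full = backup(src, os.path.join(base, "full"))
        full_errors = verify(os.path.join(base, "full"), full)
        # A day's work: one file changed, one added, one deleted.
        write_file(os.path.join(src, "ledger.csv"), "id,amount\n1,100\n2,250\n")
        write_file(os.path.join(src, "reports", "q2.txt"), "Q2 summary\n")
        os.remove(os.path.join(src, "customers.csv"))
        inc_dir = os.path.join(base, "inc1")
        inc = backup(src, inc_dir, previous=full["state"])
        inc_errors = verify(inc_dir, inc)
        # Simulate a bad copy on the backup media; verification must catch it.
        write_file(os.path.join(inc_dir, "ledger.csv"), "id,amount\n1,100\n2,25\n")
        corrupted = verify(inc_dir, inc)
    return full, full_errors, inc, inc_errors, corrupted


if __name__ == "__main__":
    full, full_errors, inc, inc_errors, corrupted = run_demo()
    print(inc["copied"], inc["deleted"], corrupted)
```

Restoring from this scheme means restoring the full backup, applying each incremental in order and removing the files each one lists as deleted.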

6. Malware

The term “malware” (malicious software) is a generic term for software intended to gather confidential information from a computer system, or cause harm to valuable data. In general, malware can be broken down into a number of categories:

1. computer viruses
2. trojans and key loggers
3. spyware

1. Computer viruses

There are several different types of computer viruses. For example, parasitic viruses (sometimes known as “file infectors”) insert copies of themselves into legitimate programs, such as operating system files, often making little effort to disguise their presence. In this way, each time the program file is run, so too is the virus. In recent years, a great deal of attention has been paid to the emergence of macro viruses (sometimes called “script viruses”). These programs are created using the high-level programming languages found in e-mail packages, web browsers and applications software, such as word processors. Technically, such viruses are extremely crude but are capable of causing a great deal of damage. The term computer virus is used for a program that has infected some executable software and, when run, causes the virus to spread to other executables. Viruses may also contain a payload that performs other actions, often malicious.

2. Trojans

A Trojan Horse is full of as much trickery as the mythological Trojan Horse it was named after. The Trojan Horse, at first glance, will appear to be useful software but will actually do damage once installed or run on your computer. Those on the receiving end of a Trojan Horse are usually tricked into opening them because they appear to be receiving legitimate software or files from a legitimate source. When a Trojan is activated on your computer, the results can vary. Some Trojans are designed to be more annoying than malicious (like changing your desktop, adding silly active desktop icons) or they can cause serious damage by deleting files and destroying information on your system. Trojans are also known to create a backdoor on your computer that gives malicious users access to your system, possibly allowing confidential or personal information to be compromised. Unlike viruses and worms, Trojans do not reproduce by infecting other files nor do they self-replicate. Most of the Trojans encountered by business organizations are designed to gather information and transmit regular reports back to the owner. Typically a Trojan will incorporate a key logging facility to capture all keyboard input from a given computer. Capturing keyboard data allows the owner of the Trojan to gather a great deal of information, such as passwords and the contents of all outgoing e-mail messages.

Computer worm

A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, even if only by consuming bandwidth, whereas viruses almost always corrupt or modify files on a targeted computer.

Many worms that have been created are only designed to spread, and don't attempt to alter the systems they pass through. However, as the Morris worm and Mydoom showed, even these "payload free" worms can cause major disruption by increasing network traffic and other unintended effects. A "payload" is code in the worm designed to do more than spread the worm: it might delete files on a host system (e.g., the ExploreZip worm), encrypt files in a cryptoviral extortion attack, or send documents via e-mail. A very common payload for worms is to install a backdoor in the infected computer to allow the creation of a "zombie" computer under control of the worm author. Networks of such machines are often referred to as botnets and are very commonly used by spam senders for sending junk email or to cloak their website's address.[1] Spammers are therefore thought to be a source of funding for the creation of such worms,[2][3] and the worm writers have been caught selling lists of IP addresses of infected machines.[4] Others try to blackmail companies with threatened DoS attacks.[5]

Backdoors can be exploited by other malware, including worms.

3. Spyware

Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user's personal computer. Sometimes, however, spyware such as key loggers is installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users. While the term spyware suggests software that secretly monitors the user's computing, the functions of spyware extend well beyond simple monitoring. Spyware programs can collect various types of personal information, such as Internet surfing habits and sites that have been visited, but can also interfere with user control of the computer in other ways, such as installing additional software and redirecting Web browser activity. Spyware is known to change computer settings, resulting in slow connection speeds, different home pages, and/or loss of Internet connection or functionality of other programs. In an attempt to increase the understanding of spyware, a more formal classification of its included software types is provided by the term privacy-invasive software. In response to the emergence of spyware, a small industry has sprung up dealing in anti-spyware software. Running anti-spyware software has become a widely recognized element of computer security practices for computers, especially those running Microsoft Windows. A number of jurisdictions have passed anti-spyware laws, which usually target any software that is surreptitiously installed to control a user's computer.

Unlike viruses and worms, spyware does not usually self-replicate. Like many recent viruses, however, spyware, by design, exploits infected computers for commercial gain. Typical tactics include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of Web-browsing activity for marketing purposes, and routing of HTTP requests to advertising sites. However, spyware can be dropped as a payload by a worm.