MIST Exam 3
Transaction Cost Economics (TCE)
- Markets have lower production costs (the costs of making goods and services)
  Ex. Jetha wants 100 widgets: he can go to the market, find the cheapest supplier and buy them, which is cheaper than investing in equipment to make widgets internally
- Hierarchies have lower coordination costs (the costs of setting up production and keeping it running)
As coordination costs go down, markets become more and more attractive; firms become less useful because you can go outside the firm to the market
Make or buy: you can go out of the firm to buy instead of staying inside the firm to make
Coordination costs are going down due to technology
What if we could write better (more complete) contracts? Ex. Smart contracts
How to lead in this age - concrete ideas
1. Egalitarianism, especially of ideas: any idea that comes to the table should be evaluated on its own merits, not on who is bringing it in; all ideas are worth the same amount
2. Transparency of information: if you want good ideas from your team, you must explain the situation and give them information; you will get ideas from a broad number of sources and may be more effective at finding the right solutions
conventional approaches to IT Security - Monitoring and Anomaly Detection
Intrusion detection (ex. an account flagged after numerous failed login attempts; ex. ELC flagging)
Intrusion prevention (ex. blocked access to critical systems from international IP addresses; asking the user to verify that it was actually them who logged in)
data model - relationships
Once we have entities, we need to identify how they are related (via relationships)
For now we have three choices for relationships between two entities (this becomes more complicated as you move into data management classes):
1. One to one
2. One to many
3. Many to many
AIC Triad - at the heart of information security, AKA "CIA Triad"
Three concepts that are commonly applied to all information systems: Availability, Integrity, Confidentiality
Often the basis of security policies, rules of corporate governance, etc.
MIS Median salary reported (and other employment statistics)
$65,000
92% employed full time at graduation, 2% seeking employment; the remainder includes self employed and graduate school (6%)
$5300 signing bonus
Compared to other Terry majors...
Management - $49000
Marketing - $49500
RMIN - $52700
Accounting - $53000
Finance - $60000
Jobs for hired graduates include: consulting, business analyst, database, project manager, information security (risk management / forensics), software developer, business process analyst
What is the corporation for? Organizing labor. What if we don't need this anymore?
1. DAO (Decentralized Autonomous Organization): an investment fund that would invest in projects to gain returns. Problems in the decentralized voting process: an anonymous hacker hacked the voting process and stole ⅓ of the total fund
2. Bitcoin / Blockchain: the goal is to be decentralized and free. In reality there are governance problems: the system is controlled by a handful of people, there are differences of opinion about how to handle growth, and power has consolidated in China. China owns such a big part of the blockchain that this consolidation of power has detracted from the original goal of keeping it a free system, free of the monetary policy of an individual nation state
How do we solve this problem - we have uncontrolled info and members behaving in hurtful ways?
1. Hierarchical structures
2. Non-hierarchical structures - markets, self organizing
Three reasons why providing social skills as managers is more relevant today:
1. The world is complex and fast-changing; coordination is more important today than ever before
2. Most of us don't find algorithms persuasive; we need a good story or anecdote
3. Humans are social creatures and want to work together
^Reminiscent of things from the first module
Equifax Breach
Attackers entered Equifax systems in mid-May 2017 using a vulnerability in a web-based app
A software patch that would have fixed this vulnerability was available in March 2017; it was a security update they didn't download - the security people missed the boat
Equifax reported the breach on Sept 7, 2017
The breach has cost Equifax almost $1.5 billion, including a settlement to consumers of at least $650 million
Over $5 billion in market value lost: share price on 9/6 = $141.39, share price on 9/15 = $92.98, i.e. about $50 / share lost in a week
Market value is not real money in the sense that you can spend it, but it is market cap
Jetha's Problem with BTC
Because it takes a lot of computational resources, it is very difficult to scale up. This tension will exist for a lot longer. Despite this, big companies are investing in blockchains
encryption of data
Encryption: a technical solution where whenever data is read, an encryption key is required
Ex. A hacker downloads someone's user files; if they try to open them while encrypted, the contents show up jumbled. With the encryption key, the files make sense
If data is grabbed, the key is separate from the data, rendering the data useless
conventional approaches to IT Security - Routine patching of newly discovered vulnerabilities
Ex. Software updates
Karim R Lakhani - Harvard Business School professor
Friends with Mac and B; an IS professor
Gave a talk about blockchains in 2017 (Harvard Business Review, Facebook)
Jetha was able to ask a question: the benefits of blockchain come from scaling it up to the stakeholders in an ecosystem, but if the way the blockchain works is by mining and completing hard computational problems, there is a tension - value comes from scaling up, but the problems become harder to solve. How do you resolve this tension?
Jetha doesn't think he had a good answer, and believes this is where the problem of Bitcoin is
How to take advantage of the crowd? (3)
Labor
Information
Other resources
Crows feet
Lines on an entity-relationship diagram that indicate relationships
Linux Example - self organizing
Linux: an operating system (similar to Windows and macOS)
Not commonly used on personal computers or consumer devices, but it runs the majority of the servers that form the backbone of the internet, and also forms the backbone of the Android operating system
Open source and essentially free
Developed by Linus Torvalds, who sent out an email to his buddies saying "hi, I'm developing an operating system, if you want to join me please do"
Example of organizing a crowd (all of the people who participated in the development of the operating system); took the example of the 6 characteristics of self organizing structures
Cost of Poor Organization Information Security - can be very high
On average a single corporate IT security breach costs firms about $4 million
It takes firms on average 5 months before they even realize they've been hacked
Security breaches can impact many customers:
- 2007 TJ Maxx breach: approx 94 million customer records
- 2013 Target breach: approx 40 million customer records
- 2017 Equifax breach: approx 145 million individual records; weren't able to give people money, forced people to take free credit monitoring; no one got compensated for the fact that their data was stolen
Firms widely underreport breaches because of liability, negative publicity, and the inability to prosecute criminals across national borders
When things go bad in info security, they go really bad and get very expensive
Best Practices - Employees
Rotation of duties and mandatory vacations (great for employees): the idea is that if there is one person in a firm with ALL knowledge about a system, then no one can check up on it; with vacations, other employees check on the system and there is no longer a monopoly over knowledge
Split knowledge (separation of duties concept)
Dual control: two or more people must perform the same action. Ex. Two people have to turn the key to launch the missile
Strict procedure for employee termination
Think of HR as managing security as well
Database Management System (DBMS)
A software application that lets you create and work with a database: build the database, organize its structure, etc.
Relational Data Model Example
Start with people, linked to courses: one person can be linked to many courses, and each course can link to many people - "many to many"
Each course is owned by one department; each department can have many courses
Each course has a course ID, title, and credits; each department has a name, budget, and administrator. These go into columns for each record
Record: one department
Attribute: department ID, name, budget, etc.
Entity: the department entity
Types of Security Controls
The following "controls" should be utilized to achieve security management directions:
1. Administrative controls: policies, standards, procedures, guidelines, personnel screening, training. Ex. UGA staff go through admin training, e.g. how to recognize a phishing email
2. Technical controls (logical controls): authentication, encryption, firewalls, biometrics. Ex. MFA
3. Physical controls: locks, monitoring, mantraps, environmental controls. Mantraps: an entryway with two doors where only one side opens at a time; they buzz you in, then you go in through the other side
The Relational Database Model (most common)
The most popular set of standard rules for database organization. In the relational database model...
- Data is stored in one or more tables corresponding to entities. Ex. Actors table, films table, production company table
- Entities are connected through relationships. Ex. A name is related through a foreign key - multiple foreign keys link to a single primary key; the database needs to know who the cars belong to, so one number must be unique on one side
- Tables consist of records which correspond to rows in the tables. Ex. Car record 1, car record 2
- Records store data on a single instance of an entity. Each record is for a single car, and the record consists of one or more fields
- Fields are often referred to as attributes and correspond to columns of the tables. Fields = attributes
Primary Key - Foreign Key Relationship
There's another special field (attribute) that we need to add to some tables: the foreign key
A foreign key in one table is always the primary key in another table
The use of primary keys from one table and foreign keys in another is the primary way to store relationships in the data
Ex. With cars and owners: primary key = customer ID in the customer table; foreign key = customer ID in the car table; multiple cars can be linked to the same customer ID
data model - entities
Things and concepts for which you wish to store data in the database
As we will see, once you have identified the entities, you can effectively list most of the tables that will be used to organize your data in the database
Ex. Backend database for IMDB: the entities are movies, actors, production company. Each entity has attributes
movie database - SQL Query example
Trying to get every movie released in 1996:
SELECT mov_title FROM Movie WHERE mov_year = 1996;
^^Will pull the data you want. This happens behind the scenes on the website: when you click a button it performs a query that does this (if dynamic)
Want Star Wars movies (LIKE with % wildcards matches any title containing the text):
SELECT mov_title FROM Movie WHERE mov_title LIKE '%Star Wars%';
*WHERE statements can have multiple conditions
*The first WHERE condition says primary key (movie ID in Movie) = foreign key (the movie ID stored in the Character table); setting the two movie IDs equal relates the tables
Select every movie title from Movie where there is a character named "Skywalker" (both tables must be listed in FROM so the condition can join them):
SELECT mov_title FROM Movie, Character WHERE Movie.movie_id = Character.movie_id AND char_name = 'Skywalker';
SQL is a useful tool for accessing data; not that difficult, but it can get complex. There is an upper limit to how tricky these get
In a database class you can learn everything in ⅔ of a semester, which would give you the skill set necessary to make a career of it or use it
Controls vs Convenience - Tradeoff
Underprotection makes your firm's IT assets vulnerable, and overprotection can inconvenience your employees and customers by forcing them to jump through too many hoops
If doing business with your firm is a constant inconvenience, customers may take their business to an industry rival; BUT if you lose your customers' trust, you're toast
The decision point lies in balancing the protection of sensitive data against the risk of irking users with excessive security
This is a business decision, not exclusively a technical one: IT managers and non-IT managers should work together to understand the level of risk and the impacts of the controls used
Think about balancing under- and overprotection. Ex. Not everyone uses MFA, but we have decided to use it because people are familiar with it; they may already have it for bank or school accounts, so it is easy to add
What is Big Data?
Volume
Variety (*remember that certain types of data need certain processing or pre-processing to fit into a database)
Velocity
What do good managers do in this world?
We know that the economics of the firm are shifting: fewer reasons to have large firms, which are unwieldy; the market is good for acquisitions
How to lead in this environment is important for us: we are business students, and we will hopefully be managing teams
relationships - one to one
When an instance of one entity can have a relationship with one and only one instance of the other entity
Ex. Relationship between Nation and Capital City: each nation has one capital city, each capital city has one nation
Relatively rare
relationships - many to many
When instances of each entity can be related to one or more instances of the other entity
Ex. Each course can have many students, and each student can be associated with many courses
More common
value of the crowd - massively marginal
The crowd contains a bunch of people who are smart, but also smart and lazy, or experienced and lazy
There may be others in the crowd who are less smart but more motivated and tenacious
Both types of people can contribute: the intelligent lazy person can say "go down this path", and the less intelligent motivated person can take the idea and run with it; when they run into problems, they go ask the experts to point them in the right direction
Everyone only contributes in the ways they want to: everyone has a little bit of intelligence, motivation, and tenacity, and contributes to the extent they want to or would like to
Organizational Security Framework
An organization's suite of security controls is made up of many entities, protection mechanisms, processes, and procedures that all work together and rely on each other to protect the company, with a number of different functions within them
Each organization will create its own security model, which will have many entities, protection mechanisms, logical, administrative and physical components, procedures, and business processes that all support the end goal
when to AVOID looking to crowd
Products for which safety and quality are paramount (medical devices)
Newest addition: you need to avoid the crowd for things where safety is paramount and there is legal liability, potentially medical devices
Ex. of a medical device where the crowd might work: the prosthetics example
AIC Triad - confidentiality
The property that information is not disclosed to or otherwise made available to unauthorized individuals, entities, or processes
THIS IS NOT PRIVACY: confidentiality is the component of privacy that is specific to unauthorized viewers of information
Ex. There is a privacy interest in grades, and federal law protects grades as private information; however, professors can see the grades for their class because they are authorized users
Confidentiality threats include...
- Shoulder surfing (low tech): looking over someone's shoulder to see what they're doing
- Social engineering: lots of ways to hack in and gain access to unauthorized information
Safety measures include...
- Access controls
- Encryption of data (at rest, in transit): a technical solution where whenever data is read, an encryption key is required. Ex. A hacker downloads someone's user files; opened while encrypted, they show up jumbled, but with the key the files make sense. If data is grabbed, the key is separate from the data, rendering the data useless
Information Economics - Illustration: Prediction markets
"Events with final share prices of about $0.70 tend to actually happen about 70% of the time, making these prices pretty accurate probability estimates."
Predictit.org: you can buy shares in events. Ex. An event that says candidate X will win an election has a share price of 40c, meaning that on average that event will happen 40% of the time
As a practical matter, you buy one share at 40c; if this candidate wins you get $1 at the end, if the candidate loses you get $0
Shares are liquid: you can buy and sell shares at any time. Ex. A candidate's shares are at 40%, then the candidate goes up in the polls after a debate in which they do well; people buy shares, raising the price, and then you could sell your shares and dump them
Idea: every person participating in the prediction market is bringing information about what they believe to be true, and the aggregation of this information is a net result that is quite accurate
Are Galton's four conditions met? You can organize the ideas of the crowd using a market
How we ensure BTC doesn't have properties of F,P,I
- Blockchain acts as a distributed/decentralized ledger system that logs transactions. Blockchain: a ledger system that keeps track of transactions so no one can spend BTC they don't have
- Blocks on the chain have to be "mined" by performing increasingly challenging computational problems (miners are rewarded with bitcoins)
Works like a database, but instead of being stored in a single location (like a database often is) it is completely decentralized: stored among many nodes, and this separation makes it secure
- In order to add to the blockchain you have to "mine the blocks" and are rewarded by receiving bitcoins. How to mine blocks: perform an increasingly computationally hard problem; the problems get harder over time and require lots of resources
Although BTC is one use for blockchain, it is interesting to think about other uses for the technology. BTC and cryptocurrencies by themselves we are familiar with; question: is there an organizational use for bitcoin?
Functions of Security Controls
1. Deterrent: intended to discourage a potential attacker. Ex. Seeing a mantrap may deter someone from running in
2. Preventative: intended to avoid an incident from occurring. Ex. Passwords and authentication
3. Corrective: fixes components or systems after an incident has occurred (reparative)
4. Recovery: intended to bring the environment back to regular operations
5. Detective: helps identify an incident's activities and potentially an intruder. Ex. Audit logs
6. Compensating: controls that provide an alternative measure of control
Want to think of building a layering of different security controls with different functions - this creates the security framework
MIS Areas of Emphasis
1. Data Analytics: doing the data analytics things we have been talking about; how to leverage data (big and small) to enable organizations to make more informed business decisions and derive business value. Skills: big data management, data visualization, predictive analytics and data science techniques. Excel and beyond, ex. Tableau, a data visualization tool that is easy to use; more challenging analytics too
2. Information Security: how information security preserves, protects, and creates business value for organizations. Skills: information security management, security infrastructure, technical threat intelligence analysis and techniques (cryptography, network traffic analytics, digital forensics). More technical sides and also information security strategy; the strategy class involves working with people in consulting firms and presenting projects and problems with cutting edge solutions
3. Fintech Certificate: regulatory, strategic, and technical perspective on the finance and securities industry. Less developed, fewer requirements (3 courses)
^ These are the core courses, but there are also other electives
Data Model Steps Example - Backend Database for a company that stores information about movies
1. Entities & Relationships
Entities: movies, actors, production company
Relationships - crow's feet: lines between entities that help us model relationship classifications
- Production company to movies: one to many. Each production company can produce many movies, each movie has only one production company
- Characters & actors: many to many. A character can be played by many actors, and each actor can play multiple characters. Ex. Spiderman as a character has been played by Tobey Maguire and Shia LaBeouf, and Maguire and LaBeouf have played many characters
- Movie & character: many to many. Each movie has many characters, and characters can appear in multiple movies
*Production company is not directly linked to actors; you can work through the other links to get this relationship, relating tables to tables
2. Putting it into the data model
We have entities with relationships (3 for ours), and we model attributes for each entity:
Movie: Movie ID* (a special number, avoids confusion between movies with the same name), Movie Title, Release Date ^^three columns worth of data
Actor: Actor ID*, Actor Name, Actor Hometown (* symbolizes the primary key)
Production Company: Name, Address, City ID
**ONE column must be a primary key; the database would break down if there were two of the same primary keys, and the database manager would have to fix these kinds of issues
Primary key / foreign key relationship: we need to model foreign keys as well (you don't need them at higher levels, you assume they are there)
Ex. Actor ID in the character table is a FK; Ex. Movie ID in the production company table is a FK; Ex. Character ID in the movie table is a FK, movie ID is the * - pull every character ID for the primary movie ID *
Conventional Technical Approaches to IT Security
1. Multifactor Authentication (MFA)
2. Monitoring and Anomaly Detection
3. Routine patching of newly discovered vulnerabilities
What makes databases more useful than spreadsheets...
1. Security: the administrator can grant each user a different level of access, ensuring that confidential information is not accessed by unauthorized parties. Ex. Someone can view and analyze data but cannot edit it. The scope of access controls is much less sophisticated in Excel
2. Elimination of redundant data via the relational model (*THE most important): the thing a database lets you capture that spreadsheets don't is the relationships between data and datasets. Ex. Target has your address, name, and purchases, all in a table about each customer; they need to link or relate information about customers to information about items, and once they link the information they can start to do interesting analytics
3. Data access: multiple types of users can query a single database simultaneously. You can copy and paste a spreadsheet, but when it comes to being usable by multiple users at once, a database is the far superior tool
4. Big Data: databases can handle much larger datasets, and queries on large datasets run much faster than on spreadsheets. Computers get bogged down by big datasets in spreadsheets; big data means something like 50 million rows, which cannot be done in Excel
Shortfalls of the Conventional Technical Approach
1. Skilled hackers prefer social engineering attacks over brute force attacks. Social engineering attacks target a human; it's easier to fool a human than a machine
2. Biometric authentication and MFA prevent attacks from outsiders but not from rogue insiders. "Insider threats" include both negligent and malicious insiders; motives for malicious attackers include financial gain and revenge. These are common
3. Conventional technical approaches to IT security overemphasize identifiable risks as opposed to non-identifiable risks
Redundant Data Internet Movie Database Example (IMDB)
Actors: personal info, photos, filmography, quotes
Films: cost, genre, release date, production company
Production companies: films produced, address, contracts / representation
In a spreadsheet... a column for actors (a cell for Brad Pitt, a new cell for each piece of his information), a column for films and their info, a column for production companies
When you try to combine these things, things get tricky. Ex. An actor can be associated with multiple films - a relational issue between actors and films; a messy table will be made. Ex. Production companies can produce multiple films
Spreadsheet illustration of what would happen if all the info is stored in a single spreadsheet: you have three categories of information. If you are interested in what films Brad Pitt has been in and they are on one table, you look along the row to see what films he's in; but if you want to ask what genres of films he has been in, the genre cell won't be on the actor's table. Genre falls into the film category: actors have films, BUT films won't have genres on a single table
The Magic of Markets
The authors look at a way to focus the information in the crowd: they look to the idea of the market
Market: people exchanging goods and services for things of value
Markets let people freely transact with each other without centralized control
Stop Behaving like Information - what is Bitcoin
Bitcoin is an information good. Information goods have the free, perfect and instant properties
The thing about bitcoin is that it is essential that it NOT follow the free, perfect and instant characteristics of the economics of information goods
Best Practices - Business Continuity Planning & Disaster Recovery - business continuity planning - hot vs cold sites
Business Continuity Planning: the tactical plan for quickly resuming your firm's business operations after a catastrophe (ex. an attack against availability); could be a disaster or something intentional like a DDoS
Continuity planning typically relies on backup sites...
- Hot site: a fully operational and instantaneously usable replica of the firm's mission-critical IT assets; very costly. Ex. Up and running in 5 - 10 minutes
- Cold site: the opposite extreme, inexpensive but very slow to start up and resume business operations. Ex. May take a few weeks to get back up and running
Non-IT managers should work with IT managers to determine which systems require which types of capabilities
"When things get really complex, don't look to the experts. Instead call in the outsiders" Ex. Genome sequencing of white blood cells
A competition with genetics experts trying to sequence a genome; they also had outside groups of non-experts try to complete the same task
They found a bunch of students with little to no bio background submitting work equal to or better than the experts
Results of outsiders doing better than experts are typical across the over 700 competitions they studied
Good Resume Items
Context, Action, Result
Some people say to put numbers on resumes; some people put too many numbers and miss the big picture. The big picture is that what you did had a result: great if it's quantifiable, OK if it's not
Good resume item: fewer bullet points, lots of detail in each item, 2-3 lines of text per bullet point, and each bullet point should have context, action, and result
Review - crowd in non hierarchical, unfocused hierarchical route v non hierarchical route
Could go the hierarchical route. Ex. Military: when someone above you in the hierarchy says to do something, you do it or face discipline; bosses with bosses above them must follow what their boss says or face consequences. Ex. The employment relationship inside the firm
Could go the non-hierarchical route:
A. Self organizing structures allow us to organize labor as long as the 6 characteristics are followed. Ex. Wikipedia, Linux
B. Can focus information flow using a market
A Sometimes Unruly Mob - problems
The crowd is 1) nonhierarchical and 2) messy. This presents 2 problems:
1. It can be hard to find what you're looking for in an ocean of uncontrolled information (the core can curate information, but there's just too much in the crowd): the information overload problem, too much to curate
2. Some of its members behave in hurtful ways (the core can evict bad actors, but that's hard to do on the web): all sorts of reasons why it is hard to evict bad actors
Effective solutions will probably leverage machine learning / AI technologies (see Module #1), BUT these are the two big problems of the crowd
Customer Info Example database v spreadsheet
Customer ID, with birthday and gender. We want to ask the question: what are the makes of the cars Sally owns?
In a single table, we would need car ID 1, owned by Sally, birthday this; car ID 2, owned by Sally, birthday this
INSTEAD have two separate tables, one for cars and one for customers. Each customer has an ID number; we can put that ID number into the other table, which creates a relationship between the two cars and the customer. We don't need to duplicate the information about Sally for those two rows
We can join the tables if needed and keep them separate if needed, which makes the process of using the database much faster, especially if you have a complex set of relationships between the tables in the database
*If we didn't have the relational tool with owner ID, we would have to duplicate information, creating redundancy; we really only need this information once
How do you manage data?
Database: an organized collection of data
Databases are at the heart of most useful IS: search engines, ATM / credit transactions, TPS (transaction processing systems), personal information management tools
Databases are an important (or essential) component in making tech work successfully
Jetha's thoughts - The Vanishing American Corporation - Gerald Davis
Former dean at the University of Michigan business school
Says that we are seeing American corporations vanish: holding onto the important things, shedding the things that aren't
Example: Nike is consolidating around design and marketing, and is less of a manufacturing company; it is outsourcing manufacturing. Market costs of finding manufacturers: Nike says they can do that now
Tension between Mac and B and other sources: Jetha thinks it's fair to say Mac and B didn't look hard enough when they said "we don't see companies vanishing now". B and Mac say we are making; Davis says we're buying a lot. Things are definitely changing
Economics of the Firm - where markets have lower costs - where markets have higher costs
Fundamental paper: The Nature of the Firm by R. H. Coase (1930s)
IDEA: If markets are so great, why does so much happen inside companies? Why don't we all work as freelancers and trade our labor on the open market?
Markets have lower costs: cheaper production costs (benefiting from economies of scale; you can go to the market and find a producer, and it will be cheaper than if a buyer tried to produce something on their own). Organization or market? Make or buy?
Markets have higher costs in certain areas:
- Costs of searching and discovering the correct prices (you have to find someone with low costs)
- Costs of negotiating and making decisions (how much products will cost)
- Costs of concluding a separate contract
- Costs of monitoring and enforcing each contract (ensuring quality, that it will serve the purpose)
Unleashing the Wisdom of the Crowds - four criteria to make crowd based estimation effective
Galton published his findings in a big academic journal; some conditions need to be true in order to unleash the wisdom of the crowds:
1. Independence: the various guesses must be independent of one another; each person must guess without knowledge of what other people have guessed. One person can't know what another person's guess is; you don't want to prime each other with high or low numbers
2. Diversity: it is important to have a diverse set of guesses (e.g., farmers, butchers, livestock experts, housewives, etc.). Ex. All farmers dealing with livestock will be biased in one way or another; you want all kinds of different expertise, completely non-expert people, etc.
3. Decentralization: the people making the guesses should be able to draw on their private, local knowledge, not communal knowledge. The idea is that if there is a bias, you don't want everyone in the sample to have the same bias; different biases will cancel out
4. Aggregation: there must be some way of aggregating the guesses into a single collective guess (e.g. by taking the average). Easy in this case: use the average
When these conditions are met, you can often get value out of the average of all the guesses ^This is what the wisdom of the crowd represents
The Core Wakes Up to the Crowd Examples
Get work done (Wikipedia, mturk, Topcoder) - labor; Topcoder is software development
Finding the right resource (Upwork, TaskRabbit)
Conducting market research (GE, Veronica Mars) - the GE icemaker, the Veronica Mars movie
Acquiring new customers (Lending Club, YouTube)
Acquiring innovation (Facebook: WhatsApp/Insta)
Trading (quantitative finance) - a company that was doing well trading stocks because of the way it opened up its platform to any kind of quant that wanted to join it
What Happens When You Dare Expert Hackers to Hack You?
Hackers are everywhere - they affect celebrities, corporations, and institutions
Inviting expert hackers to show where vulnerabilities are
Defcon: biggest hacker convention, in Las Vegas
Hacking using social engineering - no code, just using phone and internet connections; testing vulnerabilities in the people network
Phishing (voice solicitation): using the phone to extract data points used in a later attack
Ex. Calling the cell phone provider to get the email address
Ex. Woman calling, gets the email address (played baby noises) - cell phone company not protecting him; able to get a ton of stuff; able to set up her own account on someone else's account; got someone to change the password
What can someone with intense technical skills do? Started with a Squarespace log, created a bogus Squarespace link to click on - downloaded something onto his computer, got him to input his passwords. Once he got one password, he had access to all passwords. Could get social security number, take pictures through the webcam - could have messed up this man's life - "I could make you homeless." Has control of his digital life, financial, work, and personal information - could make him homeless. Only thing he couldn't doctor - fingerprints.
Ex. Nuclear power plant has a big malfunction - could actually be a hacker. Unskilled attacker could have large collateral damage.
Scariest is hacking the satellite. By hacking a satellite system, can lose oil tankers, get planes to crash into each other - could be the warfare of the future and global conflict.
Need to know where flaws are so we can be safer - get them to help us rather than scare them away.
Security Cost of Industry Varies by Industry
Healthcare (most expensive), Pharma, Financial, Retail, Industrials, Services
**Multiply these costs by numbers in the millions - it gets super expensive
This is why information security people make lots of money
Info Security - Conclusion
Heart of info security is the CIA Triad: Confidentiality, Availability, Integrity
Conventional technical approach underemphasized insider threats and social engineering attacks
Various administrative controls, technical controls, and physical controls are assembled into an organizational framework to deter and react to security risks
Both technical and non-technical roles exist within IT security management
Non-IT managers must contribute as well (tolerance of business risks, costs of protection, etc.)
Ensuring you are meeting the different threats that exist in information security
6 characteristics of self organizing structures
How can you organize a crowd?
1. Openness: Linus made the initial request for contributions as broad as possible
2. Non-credentialism: diplomas, job titles, recommendation letters, experience, grades don't matter as long as the work is good. Doesn't matter if you're a high school dropout.
3. Verifiable and reversible contribution: contributors can't irreversibly break or worsen the software. Each person can make a contribution to the code base; if the community decides it's a bad contribution, it can be rolled back. Can also be kept in place.
4. Clear outcomes: the people who worked on Linux knew what the end result of their work would be (directly and indirectly)
5. Self-organization: people decided for themselves which aspects of Linux to work on. No one assigning tasks.
6. Geeky leadership: Linus was engaged and informed about the work
Nupedia vs Wikipedia Example
Jimmy Wales - founder of Wikipedia
Before Wikipedia, tried to create Nupedia. It would compete with other encyclopedias on the market. Ex. World Book (30 volumes) - some people had an encyclopedia in their homes. Wales said that book encyclopedias aren't good quality. Wanted to create a high quality encyclopedia people would want to buy.
What they did... Recruited experts one by one - credentialism required, needed a PhD, etc. Wanted to ensure quality was present.
Interesting about Nupedia: 18 months of work, $250,000 spent generating articles. Only had 12 complete articles. Wales realized this is not working - too much to write about, not enough time or money, too many editors. Decided to open it up - let anyone write what they wanted.
What we know now... Systems with organization of the crowd - Wikipedia could work well
Scenario where markets have certain costs - but they are decreasing over time, why don't we see organizations relying on the market, no companies?
Mac and B say "we don't see it happening" While theory says we could see deconstruction of the firm, we don't see it happening yet Jetha thinks they are not looking hard enough
What to do as managers...
Managers provide "social skills"... - coordination - negotiation - persuasion - social perceptiveness
Data Management Target Example
Managing data is important, specifically the relationships between pieces of data or parts of a data set
Target - How Companies Learn Your Secrets
We know Target collects information about customers, items, and customer purchases. Linkage between customer and items that get purchased - need a database to make this happen.
Why does Target care about pregnancy? Old routines are in flux - buying habits fall apart. If Target can identify customers in the 2nd trimester, there's a good chance they could capture them for years, because that period of time is when habits change.
How does Target figure out when a customer is due (to advertise before the baby comes)? 25-item algorithm can predict the due date: prenatal vitamin purchases - 20 weeks; high quantities of unscented lotion - 2nd trimester; extra large bags of cotton balls
Algorithm can be supplemented with data from online cookies, purchased demographic data, home purchase data, car registration, etc. "Prediction Analytics Department"
Bureau of Labor Statistics: Information Security Analyst
Median pay = $98,350
Job outlook - shows the projected change in employment numbers through 2028. It's 32%, which is well above average - shows that it is a growing field. Jetha would feel comfortable going into info security knowing the job outlook is good, so much growth in the field.
Number of jobs is on the lower end. Other analyst and consulting positions have higher job numbers, but they have smaller job outlooks.
Data Modeling
Organizing the data in a database is not as easy as you might think - you can't just alphabetize it or put it into numerical order and call it organized. The organization scheme must follow standard, consistent rules so that all the various applications that are built to use it can access the data. Need the DBMS to understand the scheme so it can access data effectively.
The Wisdom of Crowds by James Surowiecki
Referenced in the Crowd module. Main "crowd" book, for a pop audience.
Main crowd example - Guess the Weight of the Ox. Classic example of wisdom of the crowd.
In 1906, Francis Galton came across a county fair competition where you had to guess the weight of an ox. People bought raffle tickets, guessed the weight, and the closest one kept the ox or kept the meat - won something.
Galton found that the average of the 787 guesses was 1,197 pounds. Real weight of the ox was 1,198 pounds - the average was only off by 1 pound from the actual weight of the ox.
conventional approaches to IT Security - MFA
Something you know (ex. password) - 1-factor authentication
Something you have (ex. ATM card, phone with Duo Mobile) - 2-factor authentication
Something you are (ex. your fingerprint) - 3-factor authentication
Ex. Duo Mobile
Something highly secure might have 3 factors - harder to get in. Ex. In heist movies, need to make a copy of the fingerprint, have the phone, and know the password.
Beginners Beat Benchmarks in Biology - are the experts bad?
Tasks: complex, multidisciplinary tasks with objective evaluations of the potential solutions
Are the experts truly bad? Not really, but a few things are happening: new knowledge is being created in other fields and it is slow to enter the core. Slow to enter the core because in order to become an expert in something, it takes time; while being insulated in that process, you are siloed into the disciplinary boundaries that exist around the topic. Many problems, opportunities, and projects benefit from different perspectives, people, and teams. New knowledge is being created.
MIST 2090 Part A Context v Skillset
The Context:
- Computational power growing exponentially, enabling automation of nonroutine tasks
- "Free, perfect, instant" properties of digital goods and platform economics transforming the nature of market power
- Ubiquitous communication devices create new models to organize a messy crowd
The Skillsets:
- What kinds of business models can take advantage of these changes?
- How can organizations take advantage of the data generated by these models? Predictive analytics! Transform business processes for efficiency
- How can organizations ensure that they don't stumble as they move into this future: IT Project Management, Data Management, Information Security
core vs crowd
The Core: dominant organizations, institutions, groups, and processes of the pre-Internet era (p. 231)
The Crowd: new participants and practices enabled by the net and its attendant technologies
"Groups do not have to be dominated by exceptionally intelligent people in order to be smart" - Surowiecki
From Here Comes Everybody - sets up the idea of core vs crowd
A group can be made of not-smart people, but if you can aggregate the intelligence of the group, then the group can be intelligent
^^Foundational definitions of this module
Can compare the best library in the world to the internet... So much more going on online because of the crowd
Problem with the internet - the crowd is non-hierarchical and messy
relationships - attributes
Thinking about the data that we are going to store in the database about each entity. For each entity, we list the attributes that we want to store values for.
One special property is called the primary key. Primary key: an attribute that must have a unique value for every instance (record) that you store in a table. Ex. Social security number, student ID. *MUST be unique.
Important because if we have a one to many relationship, we need unique properties. Ex. Could have two people named Sally - ensures that you have individual identifiers. Ex. Every customer must have a unique customer ID (primary key).
Foreign key
crowd aggregation
In this example of aggregating a number of different guesses (as long as there is an aggregation mechanism), the number comes out close. Ex. Competition to guess jelly beans in a jar. Averaging all the different guesses, the average is close to the actual number as long as there is a sufficiently large number of guesses. Seen on YouTube - averages are close to the actual number. Reason: some guesses will go high, some will go low - the lows and highs cancel each other out. With a large number of guesses, can get a pretty accurate number.
MIS Core Course Sequence
Two tracks...
1. Data Management 4610 - leads into the technical side: Computer Programming (intro to Java), Net App Development (weed-out class), Sys Analysis Design (capstone). SQL class; SQL: programming language used to query databases.
2. Business Process Management 5750 - entire semester on events, activities, flows, gateways. Learn about modeling, then do simulations to see where you can create more efficiency in business models. Then Project Management 5740 - methodologies of project management, strategic side.
Technical and non-technical stuff - every one of these courses could be a career. If you are not technical, there is lots of room for consulting. If you are technical, there's lots of room for technical skills. Diversity within the major and field.
Best Practices - Data Management
- Unlink sensitive data from other data to minimize the damage if it is stolen (ex. use an internal customer ID number rather than a SSN in your main database)
- Systems with sensitive data should be "walled off" from the other systems in the data environment
- Anonymize sensitive data if you only need aggregates for analytics initiatives
- Encrypt data both in transit and in storage so that it is unreadable if it does fall into the wrong hands. Encryption scrambles the raw data so that it reads as gobbledygook without an "encryption key" (which is only available to authorized parties)
relationships - one to many
When an instance of the first entity can have a relationship with one or more instances of the second entity, but instances of the second entity can be related to only one instance of the first. Ex. Parent and children - a mother can have many children, a child can only have one mother. *All models are flawed, good models are useful - abstractions of reality. More common.
Most interesting in the module to Jetha - why do companies exist in the first place
Will get into economics. We ask why companies should exist because we have the crowd that we want to do things. Can have a hierarchy, but the way to get people to participate is by paying money. Ex. UGA teachers teach classes that are assigned to them, incentivized with a paycheck; also will get fired if you don't teach. Companies might be passé if we can organize the crowd without using a hierarchy or monetary incentive.
Hayek: The data from which economic calculus starts are not given to a single mind
Wrote The Road to Serfdom - political economy book
We can't tell all of what we know (what we have, what we want, and what we value) to a centralized core (similar to Polanyi's paradox). A market knows everything; a single person doesn't necessarily know everything. Have to make exchanges in piecemeal format free of centralized control - as a result, what we do with transactions is building information.
Key: price is an information processing tool and information flow mechanism. In studying markets, prices are all considered in different ways - in this sense they are drawing from information economics. Using price as an information tool.
Database vs Spreadsheets
You can store datasets as spreadsheets. Can get quite large - thousands of rows. Use Excel to work with these. Really good for doing math stuff, ex. financial models.
*Databases can be more useful than spreadsheets. Underlying issue - they are different tools with different purposes. A spreadsheet doesn't let you get into relational model stuff whereas databases can. Entire careers based on databases - programming language used to query it.
AIC Triad - integrity
Maintaining and assuring the accuracy and reliability of the information and systems over their lifecycle. This means that accidental or intentional modifications to data cannot occur undetected.
Integrity threats include...
- Data entry error (ex. undercharging someone). Can solve by having the system ask "Is this the correct discount?" and prompt the user to fix it
- Incorrect modifications of data
Safety measures include...
- Access/change controls
- Audit trails: a list of every change that is made on a particular server or account. Ex. ELC audit trails - grade changes: a notation is made that shows the student's grade was changed by this person on this date, from this IP address - all logged. If there was an issue with ELC hacking, there will be a log showing when it happened and who did it - doesn't mean notification will be immediate, but you can look at the audit trail. Every enterprise or educational system has an audit trail.
crowd review
New participants and practices enabled by the net and attendant technologies
Example - GE - A Giant Reaches Out. Potential customers needed to put down a deposit to be on the list to get the icemaker. Why is a company with a $280 billion market cap and $90 billion in cash asking potential customers to commit to a preorder well in advance of availability? Don't need crowdfunding - don't really need money for product development. What they wanted - crowd information, enthusiasm.
Opal Ice Maker Reviews:
"So, so, so sad to review this ice maker with only one star. Don't get me wrong... in the beginning this little machine made all my dreams come true. Perfect pebble ice by the cupful. But after two weeks it crushed my dreams."
"At nearly $500 it should work longer than 6 weeks and we shouldn't have to jump through hoops when it breaks. Don't buy it! You will be held hostage by your love of nugget ice!"
"I now pack this guy up to take on vacations... So there is that..."
Reviews showing that the ice maker was prone to breaking after a few weeks.
What's interesting... GE correctly identified that this group was enthusiastic about pellet ice. Pretty intense reviews. Typically if you want market research you have to pay a market research firm, put together a focus group. In this case, GE was paid to do market research. Still had to produce the ice maker, but in this case they got people who were pellet ice experts to preorder the ice maker so that GE could take advantage of their enthusiasm and their information.
Logical Data Model (Data Model)
organizational scheme chosen for a database Coming up with a data model is the first step in creating a database
AIC Triad - availability
The ability for authorized parties to access data and systems when necessary. For any information system to serve its purpose, the information must be available when it is needed by organizational decision makers.
High availability systems remain available at virtually all times, preventing service disruptions from...
- Natural disasters or power grid failures
- Distributed denial of service attacks (DDoS): attacks where a malicious actor has access to a network of computers under their control. Can get the computers to ping a server and bring it down (may not be able to access the server, but can bring the availability down)
- Hardware failures or service upgrades
Safety measures include... (technical)
- Load balancing across systems - redundancy in balancing load
- Disk shadowing - redundancy in data