BADM 350 Exam 2 Study Guide
3.13 Recognize data mining functions and key areas where businesses are leveraging them
*A* *Mining Frequent Patterns, Associations, and Correlations* (ex: Amazon; which products customers buy together)
*C* *Classification and Regression for Predictive Analysis* (ex: determining which customers are likely to leave, and what tactics can help the firm avoid unwanted defections)
*C* *Cluster Analysis* (ex: customer segmentation, i.e. figuring out which customers are alike and then identifying the clusters (or segments) that are the most valuable to a firm)
*O* *Outlier Analysis* (ex: fraud detection)
3.3 Understand the difference between data and information a) Data b) Information c) Knowledge
*Data*: Raw facts and figures
*Information*: Data presented in a context so that it can answer a question or support decision making
*Knowledge*: Insight derived from experience and expertise
5.13 Recognize technology threats for security compromise (malware)
*Malware* = seeks to compromise a computing system without permission. Malware threatens nearly any connected system running software, including mobile phones, embedded devices, ATMs, point-of-sale equipment, and a firm's networking equipment.
Methods of malware infection:
i. *Viruses*: Programs that infect other software or files and require an executable to spread.
ii. *Worms*: Programs that take advantage of a security vulnerability to automatically spread.
iii. *Trojans*: Exploits that try to sneak in masquerading as something they are not.
Examples of malware include:
iv. *Botnets or zombie networks*: Botnets are used in crimes where controlling many difficult-to-identify PCs is useful, such as registering accounts that use CAPTCHAs (those scrambled character images meant to thwart things like automated account setup or ticket buying).
v. *Malicious adware*: Programs installed without full user consent or knowledge.
vi. *Spyware*: Software that surreptitiously monitors user actions, network traffic, or scans for files.
vii. *Keylogger*: Type of spyware that records user keystrokes.
viii. *Screen capture*: Variant of the keylogger approach.
ix. *Card Skimmer*: Software that secretly captures data from a swipe-card's magnetic strip.
x. *RAM Scraping or Storage Scanning Software*: Malicious code that scans computing memory for data, looking for patterns like credit card or social security numbers.
xi. *Ransomware*: Malware that encrypts a user's files (perhaps threatening to delete them), with demands that a user pay to regain control of their data and/or device.
xii. *Blended threats*: Attacks combining multiple malware or hacking exploits.
xiii. *SQL injection*: zeroes in on a sloppy programming practice where software developers don't validate user input. Web sites that don't verify user entries and instead just blindly pass along entered data are vulnerable to attack.
SQL injection and other application weaknesses are problematic because there's not a commercial software patch or easily deployed piece of security software that can protect a firm.
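Added example (not from the study guide or the textbook it summarizes): the "blindly pass along entered data" flaw behind SQL injection, shown beside the two developer-side fixes the text implies (validating the input and using a parameterized query). The customer table and the inputs are constructed for the demonstration.

```python
"""Vulnerable string-built query vs. validated, parameterized query (added example)."""
import re
import sqlite3

# Constructed sample data: a tiny customer table held in memory.
_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", _ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The sloppy practice the text describes: user input is pasted straight into
    # the SQL text, so the input can change the meaning of the query.
    sql = "SELECT id, name FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def is_valid_name(name: str) -> bool:
    # Input validation (allowlist): a customer name here is 1-32 letters,
    # digits, dots or underscores. Anything else is rejected before it is used.
    return re.fullmatch(r"[A-Za-z0-9._]{1,32}", name) is not None


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    # Defence in depth: validate first, then use a parameterized query so the
    # driver passes the value as data and it is never parsed as SQL.
    if not is_valid_name(name):
        return []
    sql = "SELECT id, name FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo() -> dict:
    conn = make_db()
    normal = "bob"
    # Constructed hostile input: closes the string literal and appends a
    # condition that is always true, so the unvalidated query matches every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
```

The vulnerable lookup returns all three customers for the hostile input; the validated, parameterized lookup returns nothing for it and still finds "bob" normally.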
3.10 Understand what Hadoop is and its advantages
- Roughly 80 percent of corporate data is messy and unstructured, and it is not stored in conventional, relational formats. Hadoop was created to analyze massive amounts of raw information better than traditional, highly-structured databases
- Hadoop is an open source project overseen by the Apache Software Foundation. Hadoop is made up of some half-dozen separate software pieces and requires the integration of these pieces to work. *Hadoop is basically a distributed file system (HDFS): it lets you store large amounts of file data on a cloud of machines*
- There are four primary advantages to Hadoop: flexibility, scalability, cost effectiveness, and fault tolerance
4.11 Understand the implications of ethical issues in social media such as "sock puppetry" and "astroturfing" and provide examples and outcomes of firms and managers who used social media as a vehicle for dishonesty
- The practice of lining comment and feedback forums with positive feedback is known as *astroturfing*
- Fake personas set up to sing one's own praises are known as *sock puppets* among the digerati
- Sharp-tongued comments can shred a firm's reputation, and staff might be tempted to make anonymous posts defending or promoting the firm
4.10 List and describe key components that should be included in any firm's social media policy
-- The employees who don't understand the impact of social media on the firm can do serious damage to their employers and their careers
-- Many experts suggest that a good social media policy needs to be three things: *"short, simple, and clear"*
-- 3 Rs:
1) Representation: Employees need clear and explicit guidelines on expectations for social media engagement
2) Responsibility: Employees need to take responsibility for their online actions
3) Respect: Sure, customer service is a tough task and every rep has a story about an unreasonable client
4) Reputation
-- Micromanaging employees is not the answer
4.7 List the criteria necessary for a crowd to be smart
Diversity
Independent (each person focuses on what they know)
Decentralized (nobody has overarching authority)
Offer collective verdict (summarizes participant opinions)
5.1 What is IT governance?
It's putting structure around how organizations align IT strategy with business strategy, ensuring that companies stay on track to achieve their strategies and goals, and implementing good ways to measure IT's performance. It makes sure that all stakeholders' interests are taken into account and that processes provide measurable results. An IT governance framework should answer some key questions, such as how the IT department is functioning overall, what key metrics management needs, and what return IT is giving back to the business from the investment it's making.
5.10 Recognize that information security breaches are on the rise and can have a potentially damaging impact on organizations
Target Case
3.1 Firms and how they are leveraging data: Uber, Netflix, Spotify, Walmart, Amazon, and Zara
Uber:
Netflix:
Spotify: Clustering...testing similarity with other songs. Recommendations of songs you may like.
Walmart: Basket analysis (one of the first companies), predicting inventory, integrating sources of data with their own, using Hadoop
Amazon:
Zara:
4.14 Explain the weaknesses of display ads as an online marketing strategy
a. Internet users are conditioned to ignore display ads
b. The ongoing costs are not directly linked to their impact
c. Management of display advertising campaigns is complicated
d. Designing display ads entails substantial fixed costs
4.13 Understand issues involved in establishing a social media presence
a. Firms hoping to get in on the online conversation should make it easy for their customers to find them.
b. Many firms take an *embassy approach* to social media, establishing presence at various services with a consistent name. Firms should try to ensure that all embassies carry consistent design elements, so users see familiar visual cues that underscore they are now at a destination associated with the organization.
c. Firms engaging online should be prepared to deal with feedback that's not all positive.
i. Firms are entirely within their right to screen out offensive and inappropriate comments. However, firms engaged in curating their forums to present only positive messages should be prepared for the community to rebel and for embarrassing cries of censorship to be disclosed.
ii. By contrast, if one's firm isn't prepared to be open, or if one's products and services are notoriously sub-par and the firm is inattentive to customer feedback, then establishing a brand-tarring social media beachhead might not make sense.
d. It is considered bad practice to outsource the management of a social media presence to a third-party agency. The voice of the firm should come from the firm.
e. Having an effective social media presence offers the 'four Ms' of engagement:
i. It's a *megaphone* allowing for outbound communication
ii. It's a *magnet* drawing communities inward for conversation
iii. It allows for *monitoring* and *mediation* of existing conversations
f. Escalation procedures should also include methods to flag noteworthy posts, good ideas, and opportunities that the social media team should be paying attention to.
g. A firm's social media policy should also make it clear how employees who spot a crisis might "pull the alarm" and mobilize the crisis response team.
h. In the event of an incident, silence can be deadly. Consumers expect a response to major events, even if it's just "we're listening, we're aware, and we intend to fix things."
5.16 Identify critical steps to improve your organizational information security
a. Frameworks, Standards, and Compliance
i. The *best known security frameworks come from the International Organization for Standards (ISO), and are broadly referred to as ISO27k or the ISO 27000 series*. This set of ISO standards provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System.
ii. Firms may face compliance requirements. However, compliance does not equal security.
iii. The goal of security frameworks is taking all appropriate measures to ensure that a firm is secure for its customers, employees, shareholders, and others.
b. Education, Audit, and Enforcement
i. The security function requires multiple levels of expertise: operations, R&D, and governance.
ii. These efforts should include representatives from specialized security and broader technology and infrastructure functions.
iii. Employees need to know a firm's policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations.
iv. A firm's technology development and deployment processes must integrate with the security team to ensure that systems are implemented with security in mind.
c. Technology's Role
i. *Patch*: Firms must pay attention to security bulletins and install software updates that plug existing holes, often referred to as patches. Some organizations have legitimate concerns about testing whether a patch will break their system, and whether the new technology contains a change that will cause problems down the road.
ii. *Lock down hardware*: Firms range widely in the security regimes used to govern system use, from purchase through disposal. Some firms allow employees to select their own hardware while others issue standard systems. Hardware lock-down methods might include reimaging the hard drive of end-user PCs, disabling the boot capability of removable media, preventing Wi-Fi use, and requiring VPN encryption for network transmissions.
iii. *Lock down the network*: Network monitoring is a critical part of security, and a host of technical tools can help: firewalls, intrusion detection systems, honeypots, blacklists, and whitelists. Network monitoring technologies can be applied to specific applications, screening for certain kinds of apps, malware signatures, and hunting for anomalous patterns.
iv. *Lock down partners*: Firms should insist that partner firms are compliant with security guidelines and audit them to ensure this is the case.
v. *Lock down systems*: A firm's security team must constantly scan for exploits such as SQL injection and then probe its systems to see if it's susceptible, advising and enforcing action if problems are uncovered. Access controls can compartmentalize data access on a need-to-know basis. Audit trails are used for deterring, identifying, and investigating exploits. Recording, monitoring, and auditing access allows firms to hunt for patterns of abuse.
vi. *Have failure and recovery plans*: While firms work to prevent infiltration attempts, they should also have provisions in place that plan for the worst. Failure and recovery plans should employ recovery mechanisms to regain control if key administrators are incapacitated or uncooperative; broad awareness of infiltration reduces the organizational stigma of coming forward; and firms should share knowledge of the techniques used by cybercrooks with technology partners.
5.2 Explain the benefits of implementing IT governance frameworks
a. They are a way to ensure that the IT function sustains the organization's strategies and objectives
b. Organizations today are subject to many regulations governing data retention, confidential information, financial accountability and recovery from disasters. While none of these regulations requires an IT governance framework, many have found it to be an excellent way to ensure regulatory compliance.
c. Greater efficiency
d. Accountability
e. Reduced risk
4.3 Know what wikis are; suggest opportunities where wikis would be useful and when they would pose risks
~ A wiki is a Website anyone can edit directly within a Web browser. Several key features are common to most wikis: all changes are attributed, a complete revision history is maintained, there is automatic notification and monitoring of updates, all pages are searchable, and specific pages can be classified under an organized tagging scheme
~ Jump-starting a wiki can be a challenge, and an underused wiki can be a ghost town of orphan, out-of-date, and inaccurate content
~ Some organizations employ wikimasters to "garden" community content: "prune" excessive posts, "transplant" commentary to the best location, and "weed" as necessary
~ The larger and more active a wiki community, the more likely it is that content will be up to date and that errors or vandalism will be quickly corrected. At Wikipedia, for example, griefers (trolls) and partisans regularly alter pages
~ Several studies have shown that large community wiki entries are as or more accurate than their professional publication counterparts
~ Wikis can make workers more productive and informed, and kill corporate time-wasters
~ At Disney's Pixar, wikis are used to improve meeting efficiency, with agendas and key materials distributed in advance. Posting corrections, comments, goals, deadlines, and completion keeps everyone involved and aware of expectations and progress
4.8 Understand the value of crowdsourcing
*Crowdsourcing*: the act of taking a job traditionally performed by a designated agent (usually an employee) and outsourcing it to an undefined, generally large group of people in the form of an open call (Dalmaso and his Github account)
There are several public markets for leveraging crowdsourcing for innovation, or as an alternative to standard means of production
Not all crowdsourcers are financially motivated. Some benefit by helping to create a better service
Several firms run third-party crowdsourcing forums
*Examples of organizations that are taking advantage of crowdsourcing*
3.12 Understand the different steps in the data mining process
*Exploring, Cleaning, and Integration*: Comprises verifying that the data are in good condition for analysis. Includes handling missing data, ensuring consistency in data formats, units, etc., and data visualization
*Selection and Transformation*: Includes tasks such as transforming variables, reducing data, and eliminating variables
*Selecting the Data Mining Function*: Involves selecting the function and the specific model to be used
*Evaluation and Presentation*: Includes assessing model performance, comparing with other models, and fitting the final model
*Knowledge Discovery*: Involves finding and presenting insights about the problem undertaken
3.8 List the benefits of a data warehouse
*I* Improved knowledge of relationships among products and services and their performances
*C* Competitive advantage
*I* Increases productivity, decreases computing costs
*T* Trend reports keep upper management fully informed
*E* Enhances users' access to data
5.13 Recognize technology threats for security compromise (others)
*Push-Button hacking*: Hackers have created tools to make it easy for the criminally inclined to automate attacks. There are tools available on the Internet that probe systems for the latest vulnerabilities, and then launch appropriate attacks. The barrier to entry is becoming so low that literally anyone can carry out these attacks.
*Network threats*: If a firm doesn't regularly monitor its premises, its network, and its network traffic, it may fall victim to a hacker. DNS cache poisoning exploits can redirect the mapping of Internet addresses to IP addresses, and the consequences are huge.
4.9 Recognize the skills and issues involved in creating and staffing an effective social media awareness and response team (SMART)
+ Firms need to treat social media engagement as a key corporate function with clear and recognizable leadership within the organization
+ Organizations with a clearly established leadership role for social media can help create consistency in firm dialog; develop and communicate policy; create and share institutional knowledge; provide training, guidance and suggestions; offer a place to escalate issues in the event of a crisis or opportunity; and catch conflicts that might arise if different divisions engage without coordination
+ The social media team needs support from public relations, marketing, customer support, HR, legal, IT, and other groups, all while acknowledging that what's happening in the social media space is distinct from traditional roles in these disciplines
+ Many firms find that the social media team is key for coordination and supervision, but the dynamics of specific engagement still belong with the folks who know products, services and customers best
3.1 Understand how increasingly standardized data, access to third-party data sets, cheap, fast computing and easier-to-use software are collectively enabling a new age of decision making
- Amount of data created by users + organizations doubling every two years; data on corporate hard drives doubling every six months *(i.e. data is increasing in volume exponentially)*
- Companies ranked in the top third of their industry in the use of data-driven decision making were on average five percent more productive and six percent more profitable than competitors *(i.e. companies using data most effectively proved to be more profitable)*
- Increasingly standardized corporate data, and access to rich, third-party datasets—all leveraged by cheap, fast computing and easier-to-use software (e.g. cash registers, web browsers, fitness trackers, smartphone apps, radio frequency identification (RFID))—are collectively enabling a new age of data-driven, fact-based decision making *(i.e. technology is allowing companies to make decisions based on fact rather than hunches about consumer behavior)*
3.6 Know and be able to list the reasons why many organizations have data that can't be converted to actionable information
- Incompatible systems: can be a big problem for firms that have legacy systems, i.e. outdated information systems that were not designed to share data, aren't compatible with newer technologies, and aren't aligned with the firm's current business needs; this can be worsened by mergers and acquisitions
- Operational data can't always be queried: most transactional databases aren't set up to be simultaneously accessed for reporting and analysis. If a manager asks a database to analyze historic sales trends showing the most and least profitable products over time, they may be asking a computer to look at thousands of transaction records, comparing results, and neatly ordering findings. That's not a quick in-and-out task, and it may very well require significant processing to fulfill the request
4.2 Know what blogs are, and understand the benefits and risks for corporations that blog
1) Blogs (web logs): online journal entries made in reverse chronological order
2) Key features of blogs are: immediate and unfiltered publication, ease of use, comment threads, reverse chronology, persistence, searchability, tags, (citation links back to the original blog post), and blog rolls (a list of a blogger's favorite sites, i.e. a sort of shout-out to blogging peers)
3) As of early 2015, Tumblr reported hosting nearly 228 million sites. WordPress is said to power nearly a quarter of Internet sites. This is clearly a long tail phenomenon, loaded with niche content that remains "discoverable" through search engines and that is often shared via other social media like Facebook and Twitter
4) Corporate blogs can be published directly to the public, skipping what bloggers call the mainstream media (MSM) and presenting their words without a journalist filtering their comments or an editor cutting out key points they'd hoped to make
5) Senior executives use blogs for business purposes, including marketing, sharing ideas, gathering feedback, press response, image shaping, and reaching consumers directly without press filtering
6) Blogging has certain downsides: blog comments can be a hothouse for spam and the disgruntled, employee blogging can be difficult to control, public postings can "live" forever in the bowels of an Internet search engine, and ham-handed corporate efforts (such as poor response to public criticism or bogus "praise posts") have been ridiculed
3.7 Understand what data warehouses and data marts are and the purpose they serve
1) Firms cannot query their transactional databases directly, because running analytics against transactional data can bog down a system, and since firms need to combine data from multiple sources and reformat it, firms typically need to create separate data repositories (data marts and data warehouses) specifically for reporting and analytics
2) A data warehouse is a set of databases designed to support decision making; data warehouses may aggregate enormous amounts of data from many different operational systems
3) A data warehouse is subject-oriented: it is organized around major subjects, such as customer, product, and sales, providing a simple and concise view (i.e. filtering out what isn't important)
4) A data warehouse is integrated: it is constructed by integrating multiple, heterogeneous data sources: relational databases, flat files, on-line transaction records. Therefore, data cleaning and data integration techniques are applied to ensure consistency in naming conventions, encoding structures, attribute measures, etc. among different data sources
5) A data warehouse is time variant: the time horizon for the data warehouse is significantly longer than that of operational systems
6) A data warehouse is nonvolatile: operational update of data does not occur in the data warehouse environment; therefore, it does not require transaction processing, recovery, and concurrency control mechanisms
7) A *data mart* is a database focused on addressing the concerns of a specific problem (e.g., increasing customer retention, improving product quality) or business unit (e.g., marketing, engineering)
8) They contain huge volumes of data: a firm may not need to keep large amounts of historical point-of-sale or transaction data in its operational systems, but it might want past data in its data mart so that managers can hunt for patterns and trends that occur over time
4.5 Understand how organizations use Twitter for organic as well as paid promotion
1) Organizations have found Twitter useful for real-time promotions, time-sensitive information, scheduling and yield management, customer engagement and support, promotion, intelligence gathering, idea sourcing, and as a sales channel
2) Organizations are well advised to monitor Twitter activity related to the firm, as it can act as a sort of canary-in-a-coal-mine uncovering emerging events
3) Users are using the service as a way to form flash protest crowds
3.11 Understand the differences between Hadoop and relational databases
1) Traditional relational databases require you to define a schema when you want to load the data; with Hadoop you can have schema on read, i.e. structure will only be applied when you read the data
2) Relational databases store information in tables defined by a schema, whereas Hadoop uses key-value pairs as its fundamental unit
3) With relational databases, users obtain the data they want by SQL queries. Hadoop uses MapReduce, a distributed computing algorithm
4) Relational databases typically scale by adding lots of horsepower (RAM and CPU) to a single or small set of database-class servers. Hadoop databases scale by adding far more (often hundreds), but lower power, machines that work in parallel
3.9 Know the issues that need to be addressed in order to design, develop, deploy, and maintain data warehouses and data marts
DG: Data governance (What rules and processes are needed to manage data from its creation through its retirement? Are there operational issues (backup, disaster recovery)? Legal issues? Privacy issues? How should the firm handle security and access?)
DH: Data hosting (Where will the systems be housed? What are the hardware and networking requirements for the effort?)
DQ: Data quantity
DQ: Data quality (Can our data be trusted as accurate? Is it clean, complete, and reasonably free of errors? How can the data be made more accurate and valuable for analysis? Will we need to "scrub," calculate, and consolidate data so that it can be used?)
DR: Data relevance
DS: Data sourcing (Can we even get the data we'll need? Where can this data be obtained from? Is it available via our internal systems? Via third-party data aggregators? Via suppliers or sales partners? Do we need to set up new systems, surveys, and other collection efforts to acquire the data we need?)
5.17 Understand what a Denial of Service (DoS) attack is and recognize the differences between a DoS attack and an intrusion
Imagine stopping for fast food along a highway only to find that a full tour bus has unloaded there just prior to your arrival. For a period of time, the fast food restaurant is overwhelmed with people from the tour bus. What happens to a web site in a DoS attack is like what happened to the restaurant, only worse. If the restaurant example were like a DoS attack, then none of the people from the tour bus would ever purchase any food from the restaurant. They would stand in line, interact with the cashier upon reaching the front of the line, and then decide not to buy anything, while customers really intending to buy food would be stuck back in the line. (iPremier Case example)
3.2 Provide examples of why data is oftentimes considered a defensible source of competitive advantage (Know examples)
a) Anyone can acquire technology—but data is oftentimes considered a defensible source of competitive advantage
b) The data a firm can leverage is a true strategic asset when it's rare, valuable, imperfectly imitable, and lacking in substitutes (RV II LIS)
c) If more data brings more accurate modeling, moving early to capture this rare asset can be the difference between a dominating firm and an also-ran
d) Advantages based on capabilities and data that others can acquire will be short-lived
e) Differentiation will be the key in distinguishing operationally effective data use from those efforts that can yield true strategic positioning
4.1 Recognize the unexpected rise and impact of social media and peer production systems, and understand how these services differ from prior generation tools (Web 1.0 vs Web 2.0)
a) Originally grouped under the umbrella term "Web 2.0," these new services are targeted at harnessing the power of the Internet to empower users to collaborate, create resources, and share information in a distinctly different way than the static Web sites and transaction-focused storefronts that characterized so many failures in the dot-com bubble.
b) Peer production and social media fall under the Web 2.0 umbrella. Social media efforts refer to technologies that support the creation of user-generated content, as well as content editing, commenting, curation, and sharing. Social media efforts include blogs, wikis, social networks, Twitter, and photo and video sharing sites.
c) The rise of mobile computing has also coincided with the rise of mobile phones—meaning the worldwide Internet conversation is always in your pocket. Mobile and social also work together to fuel local discovery for everything from potential dates to regional gossip to a good place to get a bite to eat.
d) The peer production leveraged by collaborating users isn't only used to create social media; it can be used to create services, too, and these are also considered to be part of Web 2.0.
e) Web 2.0 efforts enable firms to build brand on the cheap with little conventional advertising, and each owes its hyper-growth and high valuation to its ability to harness the network effect.
4.4 Know what social networks are and recognize benefits and downsides
a) Social networks allow you to set up a profile, share content, comment on what others have shared, and follow the updates of particular users, groups, firms, and brands that may also be part of those networks
b) Typical features of a social network include support for the following: detailed personal profiles, affiliations (with groups, individuals, products, firms, and other organizations), private messaging and public discussions, media sharing, discovery-fueling feeds of recent activity among members, and the ability to install and use third-party applications tailored to the service
c) Many firms are choosing to implement their own, internal social network platforms that they hope are more secure and tailored to firm needs. These networks can be useful in maintaining contacts for future business leads, rehiring former employees, or recruiting retired staff to serve as contractors when labor is tight
d) Maintaining such networks will be critical in industries like IT and health care that are likely to be plagued by worker shortages for years to come. Social networking can also be important for organizations like IBM, where some 42 percent of employees regularly work from home or client locations
3.4 Understand various internal and external sources for enterprise data a) Transaction Processing Systems (TPS) b) Loyalty Cards c) Enterprise Systems d) Surveys e) External Sources
a) Transaction Processing Systems (TPS): For most organizations that sell directly to their customers, transaction processing systems (TPS) represent a fountain of potentially insightful data. Every time a consumer uses a point-of-sale system, an ATM, or a service desk, there's a transaction (some kind of business exchange) occurring, representing an event that's likely worth tracking.
b) Loyalty Cards: Grocers and retailers can tie a customer to cash transactions if they can convince him to use a loyalty card. The explosion in retailer cards is directly related to each firm's desire to learn more about customers, and to turn him into a more loyal and satisfied customer.
c) Enterprise Systems: CRM or customer relationship management systems are often used to empower employees to track and record data at nearly every point of customer contact. Enterprise software includes not just CRM systems but also categories that touch every aspect of the value chain, including Supply Chain Management (SCM) and Enterprise Resource Planning (ERP) systems.
d) Surveys: Sometimes firms can supplement operational data with additional input from surveys and focus groups. Many CRM products also have survey capabilities that allow for additional data gathering at all points of customer contact.
e) External Sources: Sometimes it makes sense to combine a firm's data with bits brought in from the outside. Many firms, for example, don't sell directly to consumers (this includes most drug companies and packaged goods firms). If your firm has partners that sell products for you, then you'll likely rely heavily on data collected by others. Data obtained from outside sources, when combined with a firm's internal data assets, can give the firm a competitive edge.
4.15. Explain the weaknesses of interactive content as an online marketing strategy
a. "Every click kills" b. Developing interactive guides could be costly c. Interactive content might only be viewed by users who have already found the website
5.12 Recognize the user and administrator threats for security
a. *Bad Apples*: Rogue employees can steal secrets, install malware, or hold a firm hostage. b. *Social Engineering*: Con games that trick employees into revealing information or performing other tasks can be used to compromise a firm's security. c. *Phishing attacks*: Cons executed through technology. The goal of phishing is to leverage the reputation of a trusted firm or friend to trick the victim into performing an action (such as resetting a password or downloading dangerous software, i.e., malware) or revealing information. Spear phishing attacks specifically target a given organization or group of users. d. *Spoofed*: Email transmissions and packets that have been altered to forge or disguise their origin or identity. e. *Zero-day exploits*: New attacks that haven't been clearly identified and haven't made it into security screening systems because users are not aware of them yet. f. *Passwords*: Most users employ inefficient and insecure password systems.
5.4 Recognize the major IT governance frameworks: CoBIT, ITIL, and CMMi
a. *CoBIT*: This framework, from the Information Systems Audit and Control Association (ISACA), is probably the most popular. Basically, it's a set of guidelines and supporting toolset for IT governance that is accepted worldwide. It's used by auditors and companies as a way to integrate technology to implement controls and meet specific business objectives. The latest version, released in May 2007, is CoBIT 4.1. CoBIT is well- suited to organizations focused on risk management and mitigation. b. *ITIL*: The Information Technology Infrastructure Library (ITIL) from the government of the United Kingdom runs a close second to CoBIT. It offers eight sets of management procedures in eight books: service delivery, service support, service management, ICT infrastructure management, software asset management, business perspective, security management and application management. ITIL is a good fit for organizations concerned about operations. c. *CMMi*: The Capability Maturity Model Integration method, created by a group from government, industry and Carnegie-Mellon's Software Engineering Institute, is a process improvement approach that contains 22 process areas. It is divided into appraisal, evaluation and structure. CMMI is particularly well-suited to organizations that need help with application development, lifecycle issues and improving the delivery of products throughout the lifecycle.
5.8 Know the factors that contribute to the rent, buy, or make decision
a. *Competitive advantage*—do we rely on unique processes, procedures, or technologies that create vital, differentiating competitive advantage? b. *Security*—are there unacceptable risks associated with using the packaged software, OSS, cloud solution, or an outsourcing vendor? c. *Legal and compliance*—is our firm prohibited outright from using technologies? Are there specific legal and compliance requirements related to deploying our products or services? d. *Skill, Expertise, and Available Labor*—can we build it? The firm may have skilled technologists, but they may not be sufficiently experienced with a new technology. e. *Cost*—is this a cost-effective choice for our firm? The costs to build, host, maintain, and support an ongoing effort involve labor (software development, quality assurance, ongoing support, training, and maintenance), consulting, security, operations, licensing, energy, and real estate. f. *Time*—do we have the time to build, test, and deploy the system? g. *Vendor issues*—is the vendor reputable and in a sound financial position? Can the vendor guarantee the service levels and reliability we need? What provisions are in place in case the vendor fails or is acquired? Is the vendor certified via the Carnegie Mellon Software Institute or other standards organizations in a way that conveys quality, trust, and reliability?
5.14 Recognize the physical threats for security compromise.
a. *Dumpster diving*: Sifting through trash in an effort to uncover valuable data or insights that can be stolen or used to launch a security attack. b. *Shoulder surfing*: Looking over someone's shoulder to glean a password or see other proprietary information that might be displayed on a worker's screen. c. *Eavesdropping*: Efforts to listen in on or record conversations, transmissions, or keystrokes. d. *Brute-force attacks*: Exhaust all possible password combinations to break into an account.
5.3 List the major focus areas that make up IT governance
a. *Strategic alignment*: Linking business and IT so they work well together. Typically, the lightning rod is the planning process, and true alignment can occur only when the corporate side of the business communicates effectively with line-of-business leaders and IT leaders about costs, reporting and impacts. b. *Value delivery*: Making sure that the IT department does what's necessary to deliver the benefits promised at the beginning of a project or investment. The best way to get a handle on everything is by developing a process to ensure that certain functions are accelerated when the value proposition is growing, and eliminating functions when the value decreases. c. *Resource management*: One way to manage resources more effectively is to organize your staff more efficiently—for example, by skills instead of by line of business. This allows organizations to deploy employees to various lines of business on a demand basis. d. *Risk management*: Instituting a formal risk framework that puts some rigor around how IT measures, accepts and manages risk, as well as reporting on what IT is managing in terms of risk. e. *Performance measures*: Putting structure around measuring business performance. One popular method involves instituting an IT Balanced Scorecard, which examines where IT makes a contribution in terms of achieving business goals, being a responsible user of resources and developing people. It uses both qualitative and quantitative measures to get those answers.
5.15 Identify critical steps to improve your individual information security
a. *Surf smart*: Think before clicking questionable links, attachments, or download requests, and consider the integrity of the Web sites one visits. b. *Stay vigilant*: Be on guard for phishing attacks, social engineering con artists, and other attempts to let in malware. c. *Stay updated*: Turn on software update features for operating systems and applications. d. *Stay armed*: Install a full suite of security software. e. *Be settings smart*: Do not turn on risky settings like unrestricted folder sharing. Hard drives should be encrypted. Register mobile devices for location identification or remote wiping. Turn off browser settings that auto-fill fields with prior entries. When using public hotspots, VPN software must be turned on to encrypt transmissions and hide them from network eavesdroppers. f. *Be password savvy*: Secure home networks with password protection and a firewall. Change default passwords on any new products. Update passwords regularly and choose passwords that are tough to guess, but easy for the user to remember. g. *Be disposal smart*: Shred personal documents and wipe hard drives with an industrial-strength software tool. Destroy media such as CDs and DVDs and erase USB drives when they are no longer needed. h. *Back up*: Regularly back up systems. i. *Check with your administrator*: Use the free security tools provided by your security administrator.
5.11 Understand the source and motivation of those initiating information security attacks
a. Account theft and illegal funds transfer: While some steal cash for their own use, some data harvesters sell their hacking take to cash-out fraudsters who buy (then resell) goods using stolen credit cards or create false accounts via identity theft. b. Stealing personal or financial data c. Compromising computing assets for use in other crimes such as: sending spam from thousands of difficult-to-shut-down accounts, launching tough-to-track click-fraud efforts, distributed denial of service (DDoS) attacks d. Extortionists might leverage botnets or hacked data to demand payment to avoid retribution. e. Intellectual property theft f. Corporate espionage might be performed by insiders, rivals, or even foreign governments. g. Cyberwarfare h. Terrorism i. Pranksters j. Protest hacking (hacktivism) k. Revenge (disgruntled employees)
5.6 List the reasons why technology development projects fail and the measures that can be taken to increase the probability of success Think about examples of this in "They Bought In" and Health.gov cases
a. An astonishing one in three technology development projects fail to be successfully deployed. b. Sometimes technology itself is to blame, other times it's a failure to test systems adequately, and sometimes it's a breakdown of the process and procedures used to set specifications and manage projects. c. Projects fail due to a combination of technical, project management, and business decision blunders. The most common factors include the following: i. Unrealistic or unclear project goals ii. Poor project leadership and weak executive commitment iii. Inaccurate estimates of needed resources iv. Badly defined system requirements and allowing "feature creep" during development v. Poor reporting of the project's status vi. Poor communication among customers, developers, and users vii. Use of immature technology viii. Unmanaged risks ix. Inability to handle the project's complexity x. Sloppy development and testing practices xi. Poor project management xii. Stakeholder politics xiii. Commercial pressures d. Mechanisms for quality improvement include capability maturity model integration (CMMi), which gauges an organization's process maturity and capability in areas critical to technology projects, and provides a carefully chosen set of best practices and guidelines to assist quality and process improvement. e. Firms are also well served to leverage established project planning and software development methodologies that outline critical business processes and stages when executing large-scale software development projects.
3.5 Understand Big Data, Analytics, Data Mining, Business Intelligence, and Machine Learning concepts a. Big Data b. Analytics c. Machine Learning d. Data Mining e. Business Intelligence
a. Big Data: The collection, storage, and analysis of extremely large, complex, and often unstructured data sets that can be used by organizations to generate insights that would otherwise be impossible to make. 3 V's of data: velocity, volume, and variety b. Analytics: The extensive use of data, statistical and quantitative analysis, explanatory and predictive models, and fact-based management to drive decisions and actions c. Machine Learning: Leveraging massive amounts of data so that computers can act and improve on their own without additional programming d. Data Mining: Using computers to identify hidden patterns in large data sets and to build explanatory and predictive models from this data. Uses techniques from many disciplines (statistical and quantitative analysis, machine learning, information retrieval, etc.) e. Business Intelligence: Combines aspects of reporting, data exploration and ad hoc queries, and sophisticated data modeling and analysis (including analytics and data mining) to understand the commercial context of businesses
4.12 List and describe tools for monitoring social media activity relating to a firm, its brands, and staff
a. Concern over managing a firm's online image has led to the rise of an industry known as online reputation management. b. But social media monitoring is about more than managing one's reputation. It provides critical competitive intelligence; it can surface customer support issues, and it can uncover opportunities for innovation and improvement. c. Resources for monitoring social media are improving all the time, and a number of tools are available for free. d. Location-based services like Foursquare have also rolled out robust tools for monitoring how customers engage with firms in the brick-and-mortar world. e. Advanced commercial tools, such as SalesForce Radian6, HubSpot, and HootSuite, monitor a wide variety of social media mentions, provide metrics for ongoing campaigns and practices, and gauge sentiment and spot opportunities for sales leads or customer service. f. Monitoring should also not be limited to customers and competitors. Firms are leveraging social media both inside their firms, and via external services, and these spaces should also be on the SMART radar.
5.18 Identify human perceptions and tendencies that can be harmful in the context of an IT security crisis
a. Emotional responses: confusion, denial, fear, panic b. Wishful thinking c. Groupthink d. Political maneuvering e. Leaping to hypotheses or conclusions f. Perceptual bias in favor of evidence that confirms hypotheses
5.9 List criteria that should be taken into account when selecting a software vendor
a. Figure out what it is you really need. It's critical to determine the business requirements before you start interviewing software vendors. b. Check the software provider's credentials and certificates. c. What do other customers have to say? d. Can it scale? Check for hidden or additional fees. e. Who gets custody of your data in the case of "divorce"? f. Take a test drive. g. Agree to key performance indicators (KPIs) before signing a contract h. Will the software integrate easily with our existing systems? i. How easy is it to set up and train users? j. How will the vendor support our company after the sale? k. How are updates and upgrades managed?
5.7 Know the options managers have when determining how to satisfy the software needs of their companies
a. Managers have a whole host of options when seeking to fulfill the software needs of their firms. b. Technology decisions are not binary options for the whole organization in all situations. c. It's also important to keep in mind that these decisions need to be continuously reevaluated as markets and business needs change
5.5 List the different cost categories that comprise total cost of ownership
a. Managers should recognize that there are a whole host of costs that are associated with creating and supporting an organization's information systems. Of course, there are programming costs for custom software as well as purchase, configuration, and licensing costs for packaged software, but there's much, much more. b. There are costs associated with design and documentation (both for programmers and for users). There are also testing costs. New programs should be tested thoroughly across the various types of hardware the firm uses, and in conjunction with existing software and systems, before being deployed throughout the organization. Any errors that aren't caught can slow down a business or lead to costly mistakes that could ripple throughout an organization and its partners. Studies have shown that errors not caught before deployment could be one hundred times more costly to correct than if they were detected and corrected beforehand. c. Once a system is "turned on," the work doesn't end there. Firms need to constantly engage in a host of activities to support the system that may also include the following: i. providing training and end user support ii. collecting and relaying comments for system improvements iii. auditing systems to ensure compliance (i.e., that the system operates within the firm's legal constraints and industry obligations) iv. providing regular backup of critical data v. planning for redundancy and disaster recovery in case of an outage vi. vigilantly managing the moving target of computer security issues d. The price tag and complexity of these tasks can push some managers to think of technology as being a cost sink rather than a strategic resource. These tasks are often collectively referred to as the total cost of ownership (TCO) of an information system. Understanding TCO is critical when making technology investment decisions
4.16 Explain the weaknesses of sponsored search content as an online marketing strategy
a. Poor targeting b. Cannibalization (ad is clicked by a customer that was already looking for our product) c. Overly aggressive bidding d. Misleading analytics
4.17 Explain the weaknesses of online distributors as an online marketing strategy
a. Setup cost b. Processing cost e.g. backorders, returns c. Cannibalization d. Commissions limit this problem e. Lock-in (punishments if one tries to leave the online distributor store) f. Diversion (a customer shopping at Amazon has many similar products to choose from)
4.6 Understand the concept of the wisdom of crowds as it applies to social networking
~ *A group of individuals collectively has more insight than a single or small group of trained professionals* ~ The *crowd isn't always right*, but in many cases where topics are complex, problems are large, and outcomes are uncertain, a large, *diverse group may bring collective insight to problem solving that one smart guy or a professional committee lacks* ~ One technique for leveraging the wisdom of the crowds is a prediction market, where a diverse crowd is polled and opinions aggregated to form a forecast of an eventual outcome (skittles in class exercise)
